Operationalizing a Cyber Security Operations Center (SOC) using Splunk
8/11/2016
Operationalizing a cyber Security Operations Center (SOC) using a Security Information and Event Management (SIEM) solution.
Final Project T411 Wireless networking: George Brown College, Toronto, ON, Canada. August, 2016
Rangan Grama-Yoga 101017090
Ankit Divyesh Pandya 100984504
Lakshay Chamoli 101026076
Zhou Lu 101015405
the infrastructure. It consumes network traffic and app server logs and tracks hypervisors and
GPS, as well as social media activity. It even absorbs PBX and IP telephony data. Splunk does this
without requiring costly connectors or agents. It does not need to filter or parse the data to load
it into a database. By providing users an index of all the machine data generated by all systems
and infrastructure, Splunk enables users to ask any question and find answers quickly to the most
simple or strategic propositions.
Splunk was born to help IT manage and monitor the datacenter. System
administrators were sniffing out security threats, server inefficiencies, network outages, and
bandwidth bottlenecks, not looking for business insights. But along the way, that’s exactly what
they discovered in the wealth of machine-generated data that is driving operational intelligence.
Analysts can have a conversation with the data and gradually uncover the structure and
relationships between elements. They can create custom applications, dashboards, and reports
that don’t just present information, but allow for deep drill-downs into the data to answer
questions. Splunk also offers prebuilt integrations to common data stores, such as Hadoop and
traditional relational databases.
PROBLEM/OPPORTUNITY ASSESSMENT
Various attacks (Brute Force, DDoS, Multiple access, etc.): we show several attacks that can occur and how each of them would be spotted and raised as an event.
A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.
False alarms: legitimate user interaction with a server can look like an external threat; this raises many false alarms, so events have to be segregated.
DDOS - A distributed denial-of-service (DDoS) is where the attack source is more than one, often
thousands of unique IP addresses. It is analogous to a group of people crowding the entry door
or gate to a shop or business, and not letting legitimate parties enter into the shop or business,
disrupting normal operations. The scale of DDoS attacks has continued to rise over recent years,
even reaching over 400Gbit/s.
Event Logging: All events that occur on a server are logged and the data flow is presented.
Authentication tracking and account compromise detection; admin and user tracking.
• Compromised- and infected-system tracking: malware detection by using outbound firewall logs, NIPS alerts and Web proxy logs, as well as internal connectivity logs, network flows, etc.
• Validating intrusion detection system/intrusion prevention system (IDS/IPS) alerts: by using vulnerability data and other context data about the assets collected in the SIEM.
• Monitoring for suspicious outbound connectivity and data transfers: by using firewall logs, Web proxy logs and network flows; detecting exfiltration and other suspicious external connectivity.
• Tracking system changes and other administrative actions: across internal systems and matching them to allowed policy; detecting violations of various internal policies, etc.
• Tracking of Web application attacks and their consequences: by using Web server, WAF and application server logs; detecting attempts to compromise and abuse web applications by combining logs from different components.
Key Deliverables to be produced by students:
• Log management: various events flagged by the SIEM software to be mapped and logged.
• Windows Events: Windows application, security and system event logs; detect problems with business-critical applications, security information and usage patterns.
• Wire Data: DNS lookups and records, protocol-level information including headers, content and flow records; proactively monitor the performance and availability of applications, end-user experience, incident investigations, networks, threat detection, monitoring and compliance.
OUR PROJECT
We created a test environment and implemented Splunk in the DMZ where the servers were located. The following schematic is the network design of our implementation.
FIGURE 3: ADDING DATA SOURCES
SEARCHING DATA
As soon as the sources were added for monitoring, events from every source were gathered immediately. The data we gathered was collected and analysed for event management purposes. For testing purposes, we only implemented multiple logins using Active Directory services, and finding the data was extremely easy with the search service.
FIGURE 8: ALERT DASHBOARD
We saved the dashboard as ‘Brute force’, as we used Passware to break into network authentication on the Active Directory server using a brute force attack. These events were monitored and accounted for. The above image shows the various VLANs created on the network and login attempts using the same login credentials. The failed logins show how many times the Active Directory service was blocked.
LOG DATA FILE
The log data file has been attached for your reference: Event_Log_for_multile_Access.csv
Below is the correlation search (SPL) created in Splunk against WinEventLog:Security logs to monitor login attempts in real time. In this search an account matches the brute-force criterion once it has more than two failed attempts (count > 2); machine accounts (names ending in "$") and failures with code 0x19 are excluded.
sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure")
    NOT (User_Name="*$" OR Account_Name="*$")
    NOT Failure_Code=0x19
| stats count by Account_Name
| where count > 2
Note: EventCode 4625 is used in newer versions of the Windows family such as Windows 7. In older versions, the event codes for invalid login attempts are 675 and 529.
After this, I logged off my machine and entered the password incorrectly three times in an attempt to impersonate a brute force attack.
Since these activities get logged in WinEventLog:Security, which in turn feeds Splunk in real time, an alert is created in Splunk, giving analysts an incident to investigate and take responsive actions, such as changing the firewall policy to blacklist that IP.
USE CASE 2
DETECTION OF INSIDER THREAT
Reportedly, more than 30 percent of attacks are from malicious insiders in any organization.
Therefore, every organization must keep the same level of security policies for insiders also.
ACCEPTABLE USE MONITORING (AUP)
Acceptable Use Monitoring covers the basic questions of what resource is being accessed, by whom, and when. Organizations generally publish policies so that users understand how to use the organization’s resources in the best way. Organizations should develop a baseline document that sets threshold limits, critical resource information, user roles, and policies, and use that baseline document to monitor user activity, even after business hours, with the help of the SIEM solution.
solutions, application logs, WAF, etc. into the SIEM solution to detect a potential insider threat.
Organizations can develop the use cases below in the SIEM solution under AUP:
• Top malicious DNS requests from a user
• Incidents from users reported at DLP, spam filtering, web proxy, etc.
• Transmission of sensitive data in plain text
• 3rd-party users' network resource access
• Resource access outside business hours
• Sensitive resource access failure by user
• Privileged user access by resource criticality, access failure, etc.
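The baseline document described above drives several of these use cases at once, so the following Python shows, as an added example that is not part of the original project, how a small baseline (business hours, sensitive resources, user roles, a failure threshold) is applied to access events to produce the off-hours, third-party, sensitive-resource-failure and privileged-failure findings from the list. The baseline values, user names and events are all constructed; in a real deployment the baseline would come from the organization's policy document and the events from the SIEM.

```python
"""Acceptable-use (AUP) checks driven by a baseline document, as an added example."""
from collections import Counter
from datetime import datetime

# Constructed baseline document: the page's "threshold limits, critical
# resources information, user roles, and policies".
BASELINE = {
    "business_hours": (8, 18),  # 08:00-18:00 local time, Monday to Friday
    "sensitive_resources": {"hr-share", "finance-db", "payroll-app"},
    "roles": {"alice": "user", "bob": "admin", "carol": "user", "vendor1": "third_party"},
    "max_sensitive_failures": 1,  # alert once a user exceeds this many failures
}

# Constructed access events: (timestamp, user, resource, outcome).
# 2016-08-10 is a Wednesday; 2016-08-13 is a Saturday.
EVENTS = [
    ("2016-08-10T09:15:00", "alice", "wiki", "success"),
    ("2016-08-10T22:40:00", "alice", "hr-share", "success"),      # outside business hours
    ("2016-08-10T10:02:00", "carol", "finance-db", "failure"),
    ("2016-08-10T10:03:00", "carol", "finance-db", "failure"),    # repeated sensitive failure
    ("2016-08-10T11:30:00", "bob", "payroll-app", "failure"),     # privileged user failure
    ("2016-08-13T14:00:00", "vendor1", "wiki", "success"),        # weekend, third party
]


def outside_business_hours(timestamp, baseline=BASELINE):
    """True on weekends or outside the configured daily window."""
    start, end = baseline["business_hours"]
    when = datetime.fromisoformat(timestamp)
    return when.weekday() >= 5 or not (start <= when.hour < end)


def evaluate(events, baseline=BASELINE):
    """Return (finding, user, resource, timestamp) tuples for policy deviations."""
    findings = []
    sensitive_failures = Counter()
    for timestamp, user, resource, outcome in events:
        role = baseline["roles"].get(user, "unknown")
        sensitive = resource in baseline["sensitive_resources"]

        if outside_business_hours(timestamp, baseline):
            findings.append(("off_hours_access", user, resource, timestamp))
        if role == "third_party":
            findings.append(("third_party_access", user, resource, timestamp))
        if sensitive and outcome == "failure":
            sensitive_failures[user] += 1
            if sensitive_failures[user] > baseline["max_sensitive_failures"]:
                findings.append(("sensitive_access_failure", user, resource, timestamp))
        if role == "admin" and outcome == "failure":
            findings.append(("privileged_access_failure", user, resource, timestamp))
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(" ".join(finding))
```

Each finding names the rule that fired, so the same output can feed separate dashboards for the off-hours, third-party and privileged-access use cases listed above. Note that the sensitive-failure rule only fires on the second failure for carol, because the baseline threshold is a count to exceed, not a count to reach.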
USE CASE 3
APPLICATION DEFENSE CHECK
Besides network, perimeter, and endpoint security, organizations must develop security measures to protect applications. Against attacks like SQL injection, cross-site scripting (XSS), buffer overflow, and insecure direct object references, organizations have adopted measures such as secure coding practices and a Web Application Firewall (WAF), which can inspect traffic at layer 7 (the application layer) against signatures, pattern-based rules, etc. Along with the application logs, organizations must also feed the SIEM with logs from technologies such as the WAF, so that the SIEM can correlate various security incidents and detect a potential web application attack. One very important point to check in a sensitive application is that the application also encrypts sensitive information such as PII in its logs, because these logs will be fed into the SIEM and, if unencrypted, the sensitive information could be exposed there.
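The point about PII in logs can be enforced at the log-forwarding step. The Python below is an added example, not code from the original project: it scans application log lines for PII before they are shipped to the SIEM and replaces each value with a keyed token. The page says "encrypt"; this example uses HMAC-SHA256 pseudonymization instead, a one-way alternative that keeps the SIEM useful (the same e-mail address always becomes the same token, so events can still be correlated) without storing the plain value. The log lines, the patterns and the key are all constructed; the patterns are illustrative, not a complete PII catalogue, and the key would be loaded from a secret store in production.

```python
"""Pseudonymize PII in application log lines before SIEM ingestion (added example)."""
import hashlib
import hmac
import re

# Constructed patterns: e-mail addresses, 13-16 digit card numbers (digits
# optionally separated by spaces or dashes) and 9-digit SIN-style identifiers.
# Card numbers are replaced before SINs so the shorter pattern never matches
# inside a longer number.
PII_PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("card", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("sin", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")),
]

# Constructed key; a real deployment loads this from a secret store and
# rotates it, since anyone holding the key can confirm a guessed value.
KEY = b"example-key-replace-in-production"

# Constructed application log lines (not real data).
SAMPLE_LOG = [
    "2016-08-10 10:12:03 INFO login ok user=alice.smith@example.com src=10.0.5.23",
    "2016-08-10 10:14:51 INFO payment submitted card=4111 1111 1111 1111 amount=120.00",
    "2016-08-10 10:15:02 WARN profile update sin=123-456-789 user=alice.smith@example.com",
]


def pseudonymize(value, kind, key=KEY):
    """Deterministic keyed token: same input and key always give the same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:16]}>"


def sanitize_line(line, key=KEY):
    """Replace every PII match in one log line with its token."""
    for kind, pattern in PII_PATTERNS:
        line = pattern.sub(lambda m, k=kind: pseudonymize(m.group(0), k, key), line)
    return line


def sanitize_lines(lines, key=KEY):
    """Sanitize a batch of lines, e.g. a forwarder's read buffer."""
    return [sanitize_line(line, key) for line in lines]


if __name__ == "__main__":
    for original, clean in zip(SAMPLE_LOG, sanitize_lines(SAMPLE_LOG)):
        print(clean)
```

The source IP, timestamps and amounts survive untouched, which is what an analyst needs for correlation, while the e-mail address, card number and SIN are replaced before the line ever reaches the SIEM index. Because the token is keyed, a SIEM user who sees the same token in two events knows they concern the same person without learning who that person is.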
Organizations must also develop a strategy to secure the operating system (OS) platform on which the application is hosted. OS as well as application performance logging features must also be enabled. Below are some of the use cases that can be implemented in the SIEM to check application defense:
• Top Web application attacks per server
• Malicious SQL commands issued by an administrator
• Suspicious application performance indicators and resource utilization vectors
CREDITS
Role | Individual | Profile | LinkedIn
Course Instructor | Shaukat Mulla | Course Instructor, George Brown College | https://ca.linkedin.com/in/smulla
Project Designer | Wayne Ward | Network Security Implementation Lecturer, George Brown College | https://ca.linkedin.com/in/wayneward1
Mentor and project execution vision | Ali Khan | Senior Manager, Cyber Risk Advisory, Deloitte LLP. | https://ca.linkedin.com/in/khanuali
Project Lead | Rangan Grama-Yoga | Student, George Brown College | https://ca.linkedin.com/in/ranganiyengar
Project Team Member | Ankit Pandya | Student, George Brown College | https://ca.linkedin.com/in/ankit-pandya-98316a4b
Project Team Member | Lakshay Chamoli | Student, George Brown College | https://ca.linkedin.com/in/lakshay-chamoli-48b319118
Project Team Member | Zhou Lu | Student, George Brown College | https://ca.linkedin.com/in/zhou-lu-28512a122
A total of 300 man hours were put into the execution of this project.
All the use cases and the data were sourced from various sources on the internet.