Splunk für Security
•
1 like•692 views
Sie haben viel Geld für Ihre Security Infrastruktur ausgegeben. Wie führen Sie nun all die verschiedenen Systeme zusammen, damit Sie Ihre Ziele erreichen: Bedrohungen schnelle entdecken, darauf reagieren und sie zukünftig zu verhindern. Gleichzeitg soll es Ihrem Security Team natürlich möglich sein, im Sinne Ihre Geschäftstätigkeit und Strategie zu handeln. Erfahren Sie hier, wie Sie Ihre Security Ressources am effektivsten einsetzen. Wir zeigen Ihnen das Ganze in einer Live Demo.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Splunk für Security
Similar to Splunk für Security (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Splunk für Security
- 1. Copyright © 2017 Splunk Inc. Splunk für Security Best Practices für Ihre Security Strategie Udo Götzen, CISSP Sr. Sales Engineer
- 2. 2 Agenda • Cyber Security Landscape (2m) • Splunk’s Data Driven Security Offering (10m) • Demo Time (Rest) • Next Steps / Q&A
- 3. 3 3 TRADITIONAL DEFENSES ARE NO LONGER EFFICENT ENOUGH
- 4. The Ever-Changing Threat Landscape 53% Victims notified by external entity 100% Valid credentials were used 229 Median # of days before detection Source: Mandiant M-Trends Report 2012-2016
- 5. Source: Verizon DBR Attacks often start with an email: 50%CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR 23%OF RECIPENTS OPEN PHISHING MESSAGES 11%OF RECIPENTS CLICK ON ATTACHMENTS
- 6. 6 True Story: State of Michigan (SOM) – User account spoofing • Phishing Mail: Mailbox reached storage limit... • Outlook Web Access Portal custom design of SOM was rebuilt by attacker • Provide E-Mail, Username, Password and Date of Birth... To how many Users was the mail delivered? How many clicked? How many filled out? • Delivered to 2800 Employees before being blocked • 155 Employees clicked the link • 144 Employees provided their credentials Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
- 7. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMBD Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Authentication All Machine Data is Security Relevant Traditional SIEM
- 8. Structured RDBMS SQL Search Schema at Write Schema at Read Traditional Splunk Splunk Approach to Machine Data Copyright © 2014 Splunk Inc. ETL Universal Indexing Volume Velocity Variety Unstructured
- 9. 9 Turning Machine Data Into Business Value Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics Internet of Things and Industrial Data
- 10. SECURITY USE CASES In SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN, ADVANCED THREATS INCIDENT INVESTIGATIONS & FORENSICS INSIDER THREAT Splunk Can Complement OR Replace an Existing SIEM INSIDER THREAT
- 11. 11 Products for Security and Compliance Splunk Enterprise Security 390+ Security Apps Splunk User Behavior Analytics Palo Alto Networks FireEye Symantec DShield DNS OSSEC NetFlow Logic Cisco Security Suite F5 Security PCI Compliance Active Directory Blue Coat Proxy SG
- 12. COLLECT STORE AD-HOC SEARCH REPORT INVESTIGATE CORRELATION INCIDENT RESPONSE MANAGEMENT SECURITY OPERATIONS DASHBOARDS MACHINE LEARNING HIDDEN THREATS ANOMALIES BEHAVIOR ANALYSIS PEER GROUP ANALYSIS VISUALIZE INDEX LOG PRE-BUILT & NEW CONTENT DETECT UNKNOWN THREATS
- 13. 13 API SDKs UI Network Traffic Analysis Identity & Access Control Perimeter Defense Email Payload Analysis Endpoint Behavior Analysis Endpoint Change Tracking DLP Security Analytics Threat Intelligence Cloud Security Security & Compliance Landscape
- 14. Splunk Core ZeuS Live Demo
- 15. 15 APT Transaction Flow Across Data Sources http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment
- 16. Enterprise Security ZeuS Live Demo
- 17. What is Enterprise Security? 1 A collection of Frameworks Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response
- 18. 18 Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management* *Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and CriticalCapabilities for Security Informationand Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is availableupon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Four Years in a Row as a Leader Furthest overall in Completeness of Vision Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases
- 19. Splunk and the SANS CIS Critical Security Controls The CIS Critical Security Controls (CSC) are a time-proven, prioritized, “what works” list of 20 controls that can be used to minimize security risks to enterprise systems and the critical data they maintain. These controls are derived from and “cross-walked” to controls in NIST Special Publication 800-53. They are also known as the Consensus Audit Guidelines (CAG). Formerly managed by SANS and the Council on CyberSecurity, the CIS CSC are currently governed by the Center for Internet Security (CIS) and are considered the “de facto yardstick by which corporate security programs can be measured,” according to the Cybersecurity Law Institute. Read the e-book: http://www.splunk.com/web_assets/pdfs/secure/Splunk-and-the-SANS-Top-20-Critical-Security-Controls.pdf Download the free App: https://splunkbase.splunk.com/app/3064/
- 20. Splunk Security Essentials App Over 50 Search examples for use cases off the following domains: • Access Domain • Data Domain • Network Domain • Threat Domain • Endpoint Domain • Data Sources Used Download the free App: https://splunkbase.splunk.com/app/3435/
- 21. Source: Verizon DBR IF IT HAPPENS TODAY? HOW LONG DOES IT TAKE YOU TO ANSWER UPCOMING QUESTIONS? 50%CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR
- 22. 22 Next Step: Discovery Workshop What’s your Security Use Case? • Cost justification against your management • Success measurement • Prioritization • Scoping of data sources / data volume / costs • Establishing organizational processes • Data privacy justification
- 23. Explore: How Travis Perkins built a SOC in the Cloud http://blogs.splunk.com/2016/09/14/trust- and-resilience-at-the-speed-of-business- how-travis-perkins-built-a-lean-soc-with- splunk-in-the-cloud/ Join: Our Community with Apps, Ask Questions or join a SplunkLive! event https://www.splunk.com/en_us/community.html Try: Splunk Enterprise Security in our Sandbox with 50+ Data Sources https://www.splunk.com/getsplunk/es_sandbox Q&A Thank you
Editor's Notes
- A fundamental change is going on in the threat landscape. Traditional defenses are no longer enough. While the User Interface might look nice a fundamental shift is undergoing. With more and more cloud and software as a service perimeter security is more and more challenged. Also with the digital transformation new services need to be protected and just protecting systems is no longer enough. Identity becomes the new perimeter that needs to be protected.
- There are three numbers in the cyber security statistics that prove this trend, and we should pay close attention to: 100% of breaches are done using valid credentials; And it still takes average 229 days to detect a breach; With all security technologies deployed in the enterprises, there are still 53% of breaches are first reported to the enterprise by a 3rd parties (FBI, SS)
- Verzion Data Breach Report 2015 – Section Phishing – Page 16-18
- At GISEC2015 in Dubai – a large Security Show – Michigan‘s Ex CSO Dan Lohrmann hold a keynote and mentioned as one of the top concerns for CIO‘s is sophisticated phishing attempts. He showed a real sample where they faced an targeted attack. To over 2800 users e-mails have been sent that their mailbox reached the size limit and to increase them temporarly they should logon to outlook web access. Within the first hour – 155 employees clicked the link with a faked outlook web access page – even the customer colouring and design they use at the State of Michigan was done. 144 employees provided their credentials. If that type of attack happens – you can‘t avoid it – you need to have the right procedures and technology in place to react quickly.
- Looking at the typical data sources used by legacy SIEMs is not enough. It would be like boxing yourself into a tight space and having to fight against your attackers and defend against your threats from that position. You need to be able to see outside the box, go beyond your traditional security solutions and gain security insight from all your data – for example e-mail tracking logs to know who got the e-mails, web log to know who
- The rise of big data has forced IT organizations to transition from a focus on structured, relational data, to accommodate unstructured data, driven by the volume, velocity and variety of today’s applications and systems. As the data has changed from structured data to unstructured data, the technology approach needs to change as well. When you don’t know what data types you’ll need to analyze tomorrow or what questions you need to ask in a week, flexibility becomes a key component of your technology decisions. The ability to index any data type, search across silos and avoid being locked into a rigid schema opens a new world of analytics and business insights to your organization. Schema at Read – Enables you ask any question of the deal Search – Enables rapid, iterative exploration of the data along with advanced analytics Universal Indexing – Enables you to ingest any type of machine data Horizontal scaling over commodity hardware enables big data analytics
- Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collects and indexes machine data, from a single source to tens of thousands of sources. All in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights form your data. The Splunk Enterprise platform is optimized for real-time, low-latency and interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. The insights gained from machine data support a number of use cases and can drive value across your organization. Today we will focus on Security.
- If we talk about Security there are different categories where you can map your use cases and requirements to. The quickest win is to start with building capabilities for incident investigation and forensics – so in case something goes wrong in your environment you can ask questions how an attacker got in, what data was accessed and you can properly scope breaches and security incidents. You can also start hunting for threats in case you assume you’re already breached. Then you can go into the pro-active step with monitoring your security controls and policies through compliance monitoring. This can be external compliance regulations like PCI, GDPR, ISO2700X or even tracking your Internal IT Policy. Then you can do real-time monitoring of known threats – every of your security solutions like IPS, IDS, Vulnerability Manager, Firewall, AntiVirus, VPN Servers and more have all their own dashboards and events – you want to have a centralized security posture to be able to ask: Which security walls in my organization did a specific user or system hit. This allows you also to measure the efficiency of your security tools for example. Then you can use the data to do own powerful correlations with our powerful splunk search language to detect unknown threats and combine security events and non security events like activity data. You can enrich data with threat intelligence and apply risk scores for aggregating notable activity. Last but not least you can also analyze and detect insider threat. This can be on one side malicious insiders who might leave the company and take personal data with them as well as hapless users who had been tricked by social engineering or phishing and their account was taken over by an external attacker which then use the credentials for their attacks and accessing your networks, e-mail mailboxes etc.
- The Spunk Security Intelligence Platforms consists of multiple components. Foundational to the platform is Splunk Enterprise, our core product. Every Splunk deployment includes this for indexing and storage. Using this alone, customers can perform searches and easily build reports/dashboards from their data. A variety of applications can be installed on top of the Splunk Enterprise, ranging from 3rd party vendor apps, community developed apps and Splunk Apps. You can build apps on top for your use or to share within your company. Apps are a collection of reports, dashboards, and searches purpose-built for a specific use. Our premium security app is the Splunk Enterprise Security. It provides out-of-the-box security workflow, dashboards, reports, correlation rules that bring together security and infrastructure technologies across your company. Any of the apps can be mixed-and-matched to achieve the desired level of functionality.
- To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage with the security and infrastructure elements. Organizations need a platform that provides out-of-box support and allows any technology/security/infrastructure device to be supported—this helps unify what has traditionally been silo efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos. The Splunk platform also provides role–based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, yet allows them to collaborate and see things across the environment. This is critical when orgs need to determine if an issue is a security, IT operations or an application issue.
- One way to answer the question “What is Enterprise Security?”, and the way we’ll look at it today, is to consider the Frameworks that comprise it. Today we’ll focus on these 5, but we’ll do so in little bit different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we’re going dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider. The ES frameworks, along with some very nice dashboards, and of course your organizations security data, make up ES.
- Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- Verzion Data Breach Report 2015 – Section Phishing – Page 16-18
- We at Splunk not just have great Software. We want to ensure customer success in all we do with your organization. We know how amazing our dashboards look like and there are no limits yet we have experienced on the technical side with our strong platform foundation. However no limits and not putting you in a pre-definied box can from time to time be challenging – so knowing your security use cases is key. What is the final goal of the solution you’re looking for? Your use case will lead that you get more then nice dashboards – the use case ensures that you have actionable information and findings. The better the use case the more successful you will be! We can help and guide you to the journey to collect your use cases. We have a use case discovery workshop available as well as many inspirational customer stories to share! We can map them out together with you, apply them to your organization, scope the volume and costs as well as organizational processes to establish – then we can prioritize them and start our joint Journey!
- The best part is that Splunk is really easy to try and deploy. We have multiple options for getting started: - Try out Splunk Enterprise, Splunk Cloud, or light with our free downloads or online trials. - Or try our free software download. The free Splunk Enterprise download is the same product that scales to ingest petabytes of data per day. - Already running with Amazon Cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.