Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SplunkLive! Amsterdam 2015 - Analytics based security breakout

449 views

Published on

Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.

Published in: Technology
  • Be the first to comment

SplunkLive! Amsterdam 2015 - Analytics based security breakout

  1. 1. Copyright  ©  2015  Splunk  Inc.   Splunk  for  Security  –  AKA   Analy>c  based  security   Dominique  Dessy,  CISSP   Niklas  Blomquist,  Security  SME  
  2. 2. 2   Today’s  Specials   •  Advanced  Threats  are  hard  to  find   •  How  to  use  Splunk  for  Security?   •  Add  value  to  exis>ng  data   •  Detect  new  threats   •  Splunk  Enterprise  Security  4.0   •  User  Behavior  Analy>cs   15   October  
  3. 3. 3   Advanced  Threats  Are  Hard  to  Find   Cyber  Criminals     Na>on  States     Insider  Threats     Source:  Mandiant  M-­‐Trends  Report   100%    Valid  creden>als  were  used   40     Average  #  of  systems  accessed   205   Median  #  of  days  before  detec>on   67%   Of  vic>ms  were  no>fied  by   external  en>ty  
  4. 4. 4   Tradi>onal  approaches  are  not  good  enough   •  Preven>on  of  breaches  will  fail!   •  Invest  more  in  detec>on   •  Gather  all  data  in  one  place   •  Enrich  data  with  context   •  Make  it  easy  to  search  in  the  data   •  Make  it  easy  to  do  advanced  analy>cs   4  
  5. 5. 5   SPLUNK FOR SECURITY “Connects People and Data with Context and Extended Intelligence”
  6. 6. 6   Monitoring,   Correla>ons,   Alerts   Ad  Hoc     Search  &   Inves>gate   Custom     Dashboards   And  Reports   Analy>cs  And   Visualiza>on   Developer   PlaQorm   All  SOC  Needs  &  Personnel   Security  Intelligence  Pla]orm   6       Real-­‐>me   Machine  Data   Cloud     Apps   Servers   Email   Web   Network   Flows   DHCP/  DNS   Custom   Apps   Badges   Intrusion     Detec>on   Firewall   Data  Loss   Preven>on   An>-­‐Malware   Vulnerability   Scans   Authen>ca>on   Storage   Industrial   Control   Mobile   Security  Intelligence  PlaQorm   Threat   Feeds   Asset     Info   Employee   Info   Data   Stores   Applica>ons   External  Lookups  /  Enrichment  
  7. 7. 7   Enables  Many  Security  Use  Cases     SECURITY  &                     COMPLIANCE   REPORTING   REAL-­‐TIME   MONITORING  OF   KNOWN  THREATS   DETECTING     UNKNOWN   THREATS   INCIDENT   INVESTIGATIONS   &  FORENSICS   FRAUD     DETECTION   INSIDER     THREAT   Security  Intelligence  PlaQorm   7  
  8. 8. 8   Is  there  a  real  danger?   Adding  Value  to  exis>ng  Data  
  9. 9. 9   Adding  context   BBQ  vs  house  on  fire  
  10. 10. 10   Context  =  Knowledge  around  the  Data   "   Is  this  a  bad  known  ip/domain/e-­‐mail?   "   Should  user  access  the  SQL  server?   "   Should  server  communicate  X?     "   Importance  of  assets  and  iden>>es   "   Make  data  easier  to  understand  
  11. 11. 11   Data  from  An>-­‐Virus/An>-­‐Malware   "   No  need  to  act  if  removed   "   But  what  if;   –  The  hosts  are  re-­‐infected?   –  Mul>ple  hosts  are  infected  in  short  >me   –  If  the  CEO/CFO/CSIO  computer  are  infected?   –  Hosts  are  the  web  shop/e-­‐bank/important  system   –  Other  sources  alert  within  short  >meframe     11  
  12. 12. 12  
  13. 13. 13   Alerts  on  most  cri>cal  events  
  14. 14. 14   Inves>gate  the  incident  
  15. 15. 15   Visual  Inves>ga>ons  for  All  Users  
  16. 16. Threat  intelligence   Auth  -­‐  User  Roles,   Corp  Context   Host     Ac>vity/Security   Network     Ac>vity/Security   16   How  to  find  new  Threats  ?   WEB   Conduct   Business   Create  addi>onal   environment   Gain  Access     to  system  Transac>on   MAIL   .pdf   Svchost.exe  Calc.exe   Events  that     contain  link  to  file   Proxy  log   C2  communica>on     to  blacklist   How  was     process  started?   What  created  the   program/process?   Process  making   C2  traffic   Web   Portal  .pdf  
  17. 17. Threat  intelligence   Auth  -­‐  User  Roles,   Corp  Context   Host     Ac>vity/Security   Network     Ac>vity/Security   Command  &  Control  Exploita>on  &  Installa>on  Delivery   MAIL   WEB   WEB   FW   Accomplish  Mission       Start  Anywhere,     Analyze  Up-­‐Down-­‐Across-­‐Backwards-­‐Forward   phishing   Download   from   infected  site   1   2   5   6   7   8   3   4   Iden>ty,  Roles,  Privileges,  Loca>on,  Behavior,  Risk,  Audit  scope,  Classifica>on,  etc.     •  Third-­‐Party  Threat  Intel   •  Open  source  blacklist   •  Internal  threat  intelligence   •  Firewall   •  IDS  /  IPS   •  Vulnerability  scanners   •  Web  Proxy   •  NetFlow   •  Network   •  Endpoint  (AV/IPS/FW)   •  Malware  detec>on   •  PCLM   •  DHCP   •  OS  logs   •  Patching   •  Ac>ve  Directory   •  LDAP   •  CMDB   •  Opera>ng  System   •  Database   •  VPN,  AAA,  SSO  
  18. 18. 18   New  Features  in  Enterprise  Security  4.0   Optimize multi-step analyses to improve breach detection and response Extensible Analytics & Collaboration INVESTIGATION   COLLABORATION   •  Inves>gator  Journal   •  Aoack  &  Inves>ga>on  Timeline   •  Open  Solu>ons  Framework   •  Framework  App  :  PCI  
  19. 19. 19   Aoack  &  Inves>ga>on  Timeline   Same  events  can  have  different  security  meanings,  based  on  sequence:   Track Actions 1" 3"2" Analyst / Investigator Event 1 … 13:01:21 Event 2 … 13:42:17 Action 3 Note “Windows event” What happened? If event 1, then event 2, then… Ah – ha, that’s how they got in. Now what infected the host? Brute  Force   = Exfiltration Login  Failure   Proxy  Event   Brute  Force   = Recon, Lateral Movement Login  Failure   Login  Failure   Brute  Force   = Forgotten Password
  20. 20. 20   Aoack  &  Inves>ga>on  Timeline   Methods  to  add  contents  into  >meline  :   Action History Actions : •  Search Run •  Dashboard Viewed •  Panel Filtered •  Notable Status Change •  Notable Event Suppressed Investigator Memo Notes: Investigator’s notes inserted in timeline Track Actions 1" 3"2" Incident Review Incident : Notable events from Incident Review Analyst / Investigator
  21. 21. 21   Aoack  &  Inves>ga>on  Timeline   Allows  collabora>on  between  mul>ple  analysts   UI Action History : Search UI Action History : Viewed Dashboard Edit Entry : Analyst’s Memo Collaborator entry Tier 1 Tier 2 Analyst Tier 2 Analyst Collaborate One Holistic view from Collective Knowledge
  22. 22. PLAY  DEMO   22  
  23. 23. 23   Open  Solu>ons  Framework   Supports critical security related management framework features Enterprise Security Framework •  Notable Events Framework •  Thereat Intelligence Framework •  Risk Scoring Framework •  Identity & Asset Framework Customer Apps APPs / Contents Partner Apps APPs / Contents Splunk Apps APPs / Contents •  Export •  Import •  Share Collaborate •  Summarization Framework •  Alerting & Scheduling •  Visualization Framework •  Application Framework External" Instance
  24. 24. 24   Extensible  Analy>cs  &  Collabora>on   Open Solutions Framework •  Create, access and extend ES functionality –  Notable event framework –  Risk framework –  Threat intelligence framework –  Identity & asset framework •  Apps and content can be imported and exported at any time 24   Collaborate
  25. 25. PLAY  DEMO   25  
  26. 26. Copyright  ©  2015  Splunk  Inc.   Splunk  User   Behavior  Analy>cs   (UBA)     Powered  by  Caspida  
  27. 27. DATA-­‐SCIENCE  DRIVEN   BEHAVIORAL  ANALYTICS   BIG  DATA     DRIVEN   SECURITY   ANALYTICS   MACHINE   LEARNING   A  NEW  PARADIGM  
  28. 28. MAPPING  RATs     TO       ACTIONABLE  KILL-­‐CHAIN   A W N O M A L I E S H R E A T
  29. 29. 29   CYBER  ATTACK   29   USER ACTIVITIES! RISK/THREAT DETECTION AREAS! Mark and Fred access a malicious website. A backdoor gets installed on their computers! Malicious Domain (AGD)! Unusual Browser Header!Nov 15! Unusual Machine Access for Mark! (lateral movement; individual + peer group)!Dec 10!The attacker logs on to Domain Controller via VPN with Mark’s stolen credentials from 1.0.63.14 ! Unusual Browser Header for Mark and Fred!Nov 16! The attacker uses Mark and Fred's backdoors to download and execute WCE to crack their password! Nov 16! Beacons for Mark and Fred to www.byeigs.ddns.com! Mark and Fred's machines are communicating with www.byeigs.ddns.info! Unusual Machine Access for Fred! Unusual File Access for Fred ! (individual + peer group))! Dec 10! The attacker logs in as Fred and accesses all excel and negotiations docs on the BizDev shares! Unusual Activity Sequence of Admin for Fred (AD/DC Privilege Escalation)!Dec 10! The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Fred.! Excessive Data Transmission for Mark" Unusual VPN session duration!Jan 14!The attacker VPNs as Mark, copies the docs to an external staging IP and then logs out after 3 hours.!
  30. 30. 30   Splunk  User  Behavior  Analy>cs  (formerly  Caspida)   Advanced  Security  Analy0cs   UBA  SPLUNK   Data  Science  &   Decision  Engine   Automated  Threat   Detec>on   AD,  SSO   App,  DB  logs   Firewall,  IPS,   DLP   Ne]low,   PCAP   Threat  Feeds   UBA  threat  results  fed  into  Splunk  ES   Security  Analy>cs  &   Event  Repository  
  31. 31. 31  
  32. 32. 32  
  33. 33. 33   UBA  vs  ES  4.0   UBA  Enterprise  Security   •  Keep  all  data   •  Will  require  tuning   •  Easy  to  create  new  searches,   dashboards,  correla>ons  etc   •  Will  require  analy>c  resources  to   map  events  to  threats   •  Possible  to  further  inves>gate     •  Only  keep  data  around  anomaly   •  Automa>cally  baseline   •  Not  possible  to  customize  in  the  same   way  as  Enterprise  Security   •  Will  map  anomalies  to  threats   •  Limited  possibility  to  do  further   inves>ga>on   33  
  34. 34. 34   Key  takeaways   •  Preven>on  of  breaches  will  fail!   •  Invest  more  in  detec>on   •  Splunk  can  help   –  Faster   –  Easier   –  More   –  Less  labor   34  
  35. 35. Thank  You  

×