2. 2
About Me
Brian Fennimore – Manager of Security
Operations at Virtustream
– Now EMC
– Now Dell
14 years of experience in IT and Security
6 year Splunk user
My favorite Splunk T Shirt
– “See your world. Maybe wish you hadn’t.”
3. 3
About Virtustream
Enterprise-class cloud software and services provider
Strong focus in delivering on security, compliance,
performance and efficiency requirements
Service catalog includes SAP, ERP, CRM, complex
mission-critical enterprise applications
Multiple industries serviced including Enterprise, Service
Provider, Government, Financial Services, Healthcare
4. 4
How Virtustream Uses Splunk
- “Source of truth” for centrally indexing log / event data
- Single pane of glass for tracking metrics, KPIs (MTTR, e.g.)
- Automation of compliance reporting – internal and regulatory
- Security – service and internal, including enrichment via threat data
5. 5
Threat Data
Information that identifies a threat in a specific and usable manner
• E.g. IP address | Malicious URL | etc…
• Sometimes called “Threat Intelligence” “Threat Feeds”
• Tons of sources (free and pay)
• Quality > Quantity
– Both can be handy
– Prevention > Detection (do both | AND detect the preventions)
• Make your own
– Honeypots | Log inspection | etc…
• Where does it fit in?
6. 6
Prime Directive
All/Most of our efforts should associate to something here
Understand, manage and reduce risk
Diagram labels: Common | Focus | Volatile | Plentiful | Institutional
Risk = f(vulnerability, threat, impact)
Quantify the Qualitative
7. 7
Risk = f(V,T,I)
• Vulnerability
– Find ‘em – Track ‘em – Fix ‘em – fast – No more small vulnerabilities. Just vulnerabilities.
• Threat
– Actors, conditions, friendly people (mistakes)
• Impact
– Confidentiality – Keep those secrets secret
– Integrity – Is that thing really that thing? Non-repudiation
– Availability – uptime | quality uptime
FURTHER READING: http://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
8. 8
How is threat data cool?
• What do I do with all this data?
– IP Address
– DNS Name
– File Hash
• High quality (block it, redirect it, auto-mitigate)
• Low quality (Alert, warrants further investigation)
• Better to prevent vs. detect. But always detect.
9. 9
Threat Data Consumption
We have the data, now what?
• IP Address
– Block it (firewall policy/API, Null Route, other…tons of ways to block/drop an IP)
– Alert (You have Splunk, yes? | You have flows, yes?)
• DNS Name
– Control your local resolvers
– Block it - BlackHole DNS http://www.malwaredomains.com/bhdns.html
– Alert – BIND has some pretty cool logging available
• File Hash
– Vuln Scanner? HIPS? Forensics tools? Some custom scripting?
10. 10
The File Hash
• Not too invasive
• Frequent enough to be useful
• Is there a decent list somewhere? NSRL, VirusTotal, many others.
• White list | Black list | Gray list
FURTHER READING: http://www.nsrl.nist.gov/ National Software Reference Library
11. 11
Enter Ziften
• Splunk>Live! Philadelphia (July 2015)
– See? Lots of great things happen at these gatherings
• Lightweight agent (less than 1MB)
• Grabs processes/daemons
• Grabs associated files and network traffic
• Lovely Splunk TA
• Sends meta-data to central location
– Ziften Agent -> Ziften Server -> Splunk
OR
– Ziften Agent -> Splunk
12. 12
OTX Detection x IP address x Binary
FURTHER READING: https://www.alienvault.com/open-threat-exchange
16. 16
But, does it work?
• Use cases
– Lookup tables and the CIM
• Real life examples
– Customer XYZ and their three hosts
dest=* | lookup local=true vtdata threatip AS dest | search lastseen=* | fillnull src,dest, lastseen | stats count by sourcetype, src, dest, lastseen | sort - lastseen
# ./update-threats.sh
threatip,lastseen
59.90.86.210,
78.153.149.219,
199.59.243.119,2014-12-12
199.59.243.120,2015-12-01
FURTHER READING: http://docs.splunk.com/Documentation/CIM/latest/User/Overview
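An added, offline illustration of the lookup-and-stats logic on this slide (example code written for this page, not Virtustream's, Ziften's or Splunk's; the CSV rows and events are constructed, and merge_feed stands in for the unspecified update-threats.sh):

```python
import csv
import io
from collections import Counter

# Constructed lookup in the shape of the deck's vtdata CSV (threatip,lastseen).
# The addresses are documentation ranges, not real indicators.
THREAT_CSV = """threatip,lastseen
192.0.2.10,
198.51.100.7,2014-12-12
198.51.100.8,2015-12-01
"""

# Constructed firewall / flow events carrying the CIM fields the search keys on.
EVENTS = [
    {"sourcetype": "pan:traffic", "src": "10.0.0.5", "dest": "198.51.100.8"},
    {"sourcetype": "pan:traffic", "src": "10.0.0.5", "dest": "198.51.100.8"},
    {"sourcetype": "netflow", "src": "10.0.0.9", "dest": "198.51.100.7"},
    {"sourcetype": "netflow", "src": "10.0.0.9", "dest": "192.0.2.10"},
    {"sourcetype": "netflow", "src": "10.0.0.9", "dest": "203.0.113.40"},
]

def load_threats(csv_text):
    """Parse the lookup into {threatip: lastseen}; a blank lastseen stays ''."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["threatip"].strip(): (r["lastseen"] or "").strip() for r in reader}

def merge_feed(threats, feed_rows):
    """Refresh step (hypothetical stand-in for update-threats.sh): add new IPs
    and keep the most recent ISO date for an IP that is already listed."""
    merged = dict(threats)
    for ip, seen in feed_rows:
        merged[ip] = max(merged.get(ip, ""), seen)  # ISO dates compare as strings
    return merged

def match_threats(events, threats, fill="0"):
    """Offline equivalent of the slide's search: lookup dest against threatip,
    drop events with no hit, fillnull empty fields (Splunk's default is "0"),
    stats count by sourcetype, src, dest, lastseen, then sort - lastseen."""
    counts = Counter()
    for ev in events:
        dest = ev.get("dest")
        if dest not in threats:
            continue
        key = (ev.get("sourcetype") or fill, ev.get("src") or fill,
               dest, threats[dest] or fill)
        counts[key] += 1
    rows = [dict(zip(("sourcetype", "src", "dest", "lastseen"), k), count=n)
            for k, n in counts.items()]
    rows.sort(key=lambda r: r["lastseen"], reverse=True)
    return rows
```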
17. 17
What’s next
• Information sharing across a trusted community
• Spirit of CISA with benevolent ends
• More options for Threat Data Consumption
FURTHER READING: https://www.congress.gov/bill/114th-congress/senate-bill/754/text
18. 18
Threat data is really cool
Information that identifies a threat in a specific and usable manner
What is the return?
– Direct reduction of risk
– Greater visibility and from a different angle (new perspective)
“See your world. Maybe wish you hadn’t.”
The bad guys are already seeing it anyway.