Presented by Oliver Kollenberg, Security Consultant at Siemens:
Digitalization at Siemens
Cybersecurity at Siemens
The EAGLE DataCenter
Using Splunk
Summary, Key Benefits and Tips
2. Megatrends that are changing our world
Digitalization
By 2020, the global volume of data will soar to 44 zettabytes, and 50 billion devices will be connected.
Page 2 March 2018 siemens.com
Source: IDC, The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, April 2014; Dave Evans (Cisco): The Internet of Things, How the Next Evolution of the Internet Is Changing Everything, April 2011
3. Digitalization at Siemens
Siemens invests about €510 million each year in the training and education of employees.
Maserati Ghibli: Virtual twin to create, simulate and test the car and its production. Realtime monitoring and diagnostics of the shop floor. It took 16 months to get to market with 30% less development time.
And sometimes it's in the detail:
Siemens, part of Splunk .conf2017
Dubai DXB T3 is one of the largest terminals with 1.5 million m². Its baggage handling system has 90 km of conveyor belts, 10,702 drives, reaches speeds of 27 km/h and moves up to 15,000 pieces per hour. Driven by Siemens products with an open API and data interface.
1 to 2 million datapoints per locomotive each year. 100 locomotives produce 50 TB of data per year from datapoints like axle bearings, hydraulic oils and brakes. Turned into analytics in the MindSphere Application Center for Rail in Allach.
4. Research and development – we're investing more and sharpening our focus
Cybersecurity
Power electronics
Autonomous robotics
Additive manufacturing
Distributed energy systems
Software systems and processes
Data analytics, artificial intelligence
Connectivity and edge devices
Simulation and digital twin
Blockchain applications
Connected (e)mobility
Future of automation
Energy storage
Materials
R&D spending in billions of €: FY 2014: 4.0; FY 2017: 5.2; FY 2018e: ~5.6 (~+40%)
6. Security in IT Operations – the EAGLE DataCenter
7. EAGLE DataCenter in Numbers
For 10 years
In 4 locations
8 Petabytes storage
Net-zero carbon footprint
Splunk as a cooperative effort: IT Ops and Security
70 indexes
3,200 data sources
210 data types
8. Responsibilities of EAGLE Security Team
9. How do we do Security at EAGLE DataCenter?
Security for us is a Quality Assurance and Continuous Improvement Process:
1. Prevent
2. Detect
3. Respond
4. Improve
10. The Security Role – Large Game Hunt, of course ;)
We laugh in the face of danger: But honestly – 99.9% of the day is:
11. Detect and find root cause – using Splunk
Detect: What is the cause?
Analyse issue, find and map root cause: NTP deviations
12. Correlate to respond – using Splunk
Respond: What do we need to do?
Correlate for actionable oversight: Health of Firewall Log Connections
• FW LiveData („| tstats“)
• Poll AssetData from FW Mgmt (ConfigData)
• Splunk Forwarder (ErrorLog)
• Join by FW_Id („| stats by FW_Id“)
Done.
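The correlation on this slide, as an added example that is not the deck's own search: Python over constructed stand-ins for the three sources (asset data from firewall management, per-FW_Id live counts as tstats would return them, forwarder error log lines), joined by FW_Id to classify each firewall's log connection. Field names, thresholds and the records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed inputs, not Siemens data. ASSETS stands in for the AssetData
# polled from FW Mgmt (ConfigData), LIVE for what "| tstats ... by FW_Id" returns
# from the FW LiveData, ERRORLOG for the Splunk forwarder's error log.
ASSETS = [
    {"FW_Id": "fw-a-01", "site": "Site A", "log_enabled": True},
    {"FW_Id": "fw-b-01", "site": "Site B", "log_enabled": True},
    {"FW_Id": "fw-b-02", "site": "Site B", "log_enabled": False},
]
LIVE = {
    "fw-a-01": {"last_seen": "2018-03-01T12:59:00", "count": 84210},
    "fw-b-01": {"last_seen": "2018-03-01T08:10:00", "count": 12},
    "fw-lab-99": {"last_seen": "2018-03-01T12:58:00", "count": 950},
}
ERRORLOG = [
    "03-01-2018 08:11:02 ERROR TcpInputProc - Connection reset by fw-b-01",
]

def fw_log_health(assets, live, errorlog, now_iso, max_silence=timedelta(hours=1)):
    """Join the three sources on FW_Id (the slide's "| stats by FW_Id") and
    classify each firewall's log connection. Returns {FW_Id: row}."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for a in assets:
        fw = a["FW_Id"]
        row = {"site": a["site"], "errors": sum(fw in line for line in errorlog)}
        seen = live.get(fw)
        if not a["log_enabled"]:
            row["status"] = "logging_disabled_in_config"  # fix the FW config first
        elif seen is None:
            row["status"] = "silent"   # expected per config, nothing ever arrived
        elif now - datetime.fromisoformat(seen["last_seen"]) > max_silence:
            row["status"] = "stale"    # was sending, has stopped recently
        else:
            row["status"] = "ok"
        report[fw] = row
    # Live data from a FW_Id the management system does not know: inventory gap
    for fw in set(live) - {a["FW_Id"] for a in assets}:
        report[fw] = {"site": None, "errors": 0, "status": "unknown_source"}
    return report

def needs_action(report):
    """FW_Ids to hand to IT Ops, most urgent first."""
    rank = {"silent": 0, "stale": 1, "unknown_source": 2,
            "logging_disabled_in_config": 3, "ok": 9}
    return [fw for fw, r in sorted(report.items(), key=lambda kv: rank[kv[1]["status"]])
            if r["status"] != "ok"]
```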
13. Provide answers – using Splunk
Report: What is the status? What is the progress?
Security controls coverage: Critical Activities
Spectre & Meltdown Checker: https://github.com/speed47/spectre-meltdown-checker
14. Paint the full picture
How can we include dynamic assets and edge cases in the baseline?
Correlate AssetDB with configuration and live data: machine generated network diagram
[Diagram: nodes for Firewall, Loadbalancer, Router, Networks, Server and IPs]
1. Build List: „ObjName, IPName“
2. „| custom_viz D3_Force_Graph“
Done.
15. Use it all to improve
Detect: How do we know if a port is really open, end to end?
Let the live data tell the truth: across complex firewall rulesets, NAT and loadbalancers.
Improve: Apply gained insights and measure success, e.g. closure of SMB ports.
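The end-to-end question above, as an added example that is not the deck's own code: Python over constructed firewall and loadbalancer session records chains the allow decision, the NAT translation and the backend the loadbalancer chose, so a port counts as open only where live data shows traffic reaching a backend; the per-day count of allowed SMB sessions is the closure metric. Field names and the records are assumptions.

```python
from collections import Counter

# Constructed live data, not Siemens data; field names are assumptions.
# FW_SESSIONS: what the firewall logged, including the NAT it applied.
# LB_SESSIONS: which backend the loadbalancer chose for each VIP:port.
FW_SESSIONS = [
    {"day": "2018-02-26", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 445,
     "nat_dst": "10.20.0.10", "nat_dport": 445, "action": "allow"},
    {"day": "2018-02-26", "src": "10.0.0.9", "dst": "203.0.113.10", "dport": 445,
     "nat_dst": "10.20.0.10", "nat_dport": 445, "action": "allow"},
    {"day": "2018-02-27", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 445,
     "nat_dst": "10.20.0.10", "nat_dport": 445, "action": "allow"},
    {"day": "2018-02-28", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 445,
     "nat_dst": None, "nat_dport": None, "action": "deny"},   # rule change took effect
    {"day": "2018-02-28", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "nat_dst": "10.20.0.10", "nat_dport": 443, "action": "allow"},
]
LB_SESSIONS = [
    {"vip": "10.20.0.10", "vport": 445, "backend": "10.30.0.7", "bport": 445},
    {"vip": "10.20.0.10", "vport": 443, "backend": "10.30.0.7", "bport": 8443},
    {"vip": "10.20.0.10", "vport": 443, "backend": "10.30.0.8", "bport": 8443},
]

def observed_paths(fw_sessions, lb_sessions):
    """Chain firewall -> NAT -> loadbalancer -> backend from live data only.
    Returns {(backend, bport): {(src, external dst, dport), ...}} for flows
    allowed at every hop; a rule that looks open but never carried traffic
    through NAT and LB will not appear here."""
    paths = {}
    for fw in fw_sessions:
        if fw["action"] != "allow":
            continue
        for lb in lb_sessions:
            if (lb["vip"], lb["vport"]) == (fw["nat_dst"], fw["nat_dport"]):
                key = (lb["backend"], lb["bport"])
                paths.setdefault(key, set()).add((fw["src"], fw["dst"], fw["dport"]))
    return paths

def port_open_end_to_end(fw_sessions, lb_sessions, backend, bport):
    """True only if live data shows the backend port reached end to end."""
    return (backend, bport) in observed_paths(fw_sessions, lb_sessions)

def smb_closure_trend(fw_sessions):
    """Allowed SMB (445) sessions per day, zero-filled: the success metric."""
    allowed = Counter(s["day"] for s in fw_sessions
                      if s["dport"] == 445 and s["action"] == "allow")
    return {day: allowed[day] for day in sorted({s["day"] for s in fw_sessions})}
```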
16. Detect & Prevent – A typical MS Windows credentials dump / lateral movement attack
[Diagram: Attacker at the Corporate Perimeter; Firewall; Servers in the SecurityZone Perimeter. The attacker has gained Remote Access to one Server and opens an SMB connection with RPC calls to the next Server:]
1. Connects as admin with stolen credentials
2. Installs PSExec
3. Schedules a job to dump credentials
Credentials dump to gather new credentials and widen reach, e.g. using Mimikatz.
17. Detect & Prevent – A typical MS Windows credentials dump / lateral movement attack
[Same attack diagram as slide 16, annotated with detections.]
Detect:
• Report foreign entitlements
• Use Sysmon to detect signs of Meterpreter / Credentials Store access: LSASS Crossproc, Overlong Commandline, StreamPacker, FromBase64, UnknownDLLinCallTrace
• Check FW connections using SMB AppID named „ms-service-controller“
• Correlate login privilege „Admin“ with Source IP
• Look for specific ServiceInstall EventSeries
• Check for „remotely created tasks“
18. Detect, Improve & Prevent – A typical MS Windows credentials dump / lateral movement attack
[Same attack diagram as slide 16, annotated with countermeasures.]
Improve & Prevent:
• Prohibit foreign entitlements
• Restrict SeDebugPrivilege
• Disallow AppID „ms-service-controller“ within SMB
• Restrict admin sources / establish unified admin access path
• Block PSExec-like service
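The detections of slide 17 and the unified admin access path of slide 18, as an added example that is not part of the original deck: Python over a constructed set of already field-extracted Windows events, correlating an "Admin" network logon from outside the assumed admin access path with the service install, the task created by that session and the LSASS access that follow it, which is the event series the slides describe. The account list, the source list, the field names and the events themselves are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows events, not Siemens data, already field-extracted the way a
# Splunk search returns them: 4624 logon, 7045 service install, 4698 scheduled
# task created, Sysmon event 10 process access.
EVENTS = [
    {"time": "2018-03-01T10:00:05", "host": "srv01", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\adm_op", "src_ip": "10.9.8.7"},
    {"time": "2018-03-01T10:00:40", "host": "srv01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2018-03-01T10:01:30", "host": "srv01", "event_id": 4698,
     "user": "CORP\\adm_op", "task_name": "\\Microsoft\\dump"},
    {"time": "2018-03-01T10:02:10", "host": "srv01", "event_id": 10,
     "source_image": "C:\\Windows\\Temp\\x.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"time": "2018-03-01T11:00:00", "host": "srv02", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\adm_op", "src_ip": "10.1.1.10"},
]
ADMIN_ACCOUNTS = {"CORP\\adm_op"}   # assumed: accounts carrying "Admin" privilege
ADMIN_SOURCES = {"10.1.1.10"}       # assumed: the unified admin access path
WINDOW = timedelta(minutes=10)      # follow-up events are searched within this window

def detect_lateral_movement(events, admin_accounts=ADMIN_ACCOUNTS,
                            admin_sources=ADMIN_SOURCES, window=WINDOW):
    """Return {host: [signs]} where an admin network logon from outside the admin
    access path is followed by the event series from the slide."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO times sort as strings
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not (ev["event_id"] == 4624 and ev.get("logon_type") == 3
                    and ev["user"] in admin_accounts and ev["src_ip"] not in admin_sources):
                continue
            t0 = datetime.fromisoformat(ev["time"])
            signs = [f"admin logon from foreign source {ev['src_ip']} as {ev['user']}"]
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > window:
                    break
                if later["event_id"] == 7045:   # PSExec-like: a service appears right after
                    signs.append(f"service installed: {later['service_name']}")
                elif later["event_id"] == 4698 and later.get("user") == ev["user"]:
                    signs.append(f"task created by the remote session: {later['task_name']}")
                elif later["event_id"] == 10 and later["target_image"].lower().endswith("lsass.exe"):
                    signs.append(f"LSASS cross-process access from {later['source_image']}")
            if len(signs) > 1:   # a lone logon is noise; the series is the signal
                findings[host] = signs
    return findings
```

The same logon from an address on the admin access path (srv02 in the sample) produces no finding, which is the point of restricting admin sources before alerting on them.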
19. Summary, Key Benefits and Tips
Key benefits
• The community, open interfaces & Splunk mindset allow you to leapfrog ahead in content building
• Being able to drill down and correlate data reduces time spent walking and talking
• Splunk allows for fast iteration of ideas / rapid prototyping of use cases
Top tips
• Get your domain knowledge experts to use Splunk
• Security girls and guys, be sure to support your local IT Ops teams. Be their hero once a day.
20. Thank you for listening
Oliver Kollenberg
EAGLE DataCenter
Siemens AG
siemens.com