SplunkLive! Splunk for Security
  • The number of threats is increasing and they are becoming more advanced. Today's advanced threats are stealthy and sophisticated and evade detection by traditional point security products that look for specific threat signatures. The slide shows three types of advanced threat (cyber criminals, nation states, insiders). They are good at stealing confidential data, whether credit cards or IP, and many of their victims unfortunately end up in the headlines. These advanced threats are also commonly called APTs, or Advanced Persistent Threats.
  • APTs are hard to detect because they are not signature-based and hide behind legitimate, credentialed activity to evade detection by traditional point security products. Every year companies like Mandiant publish reports describing the trends identified in the breach investigations they do as part of their consulting practices. There are a couple of metrics that I found interesting reading their recent reports:
    – 100%: valid credentials were used. This is often achieved by stealing password hashes or using keyloggers. Attackers often steal admin-level credentials so they can access many other systems without being detected.
    – 40: average number of systems accessed. Even if you see malware in one place, you need to look much further, as there are likely multiple infected machines and backdoors.
    – 243: median number of days before detection. Attackers can evade detection for months at a time; they move low and slow and do not set off alarms from point, signature-based products like anti-malware.
    – 63%: victims were notified by an external entity. Notification often starts with customer complaints (a bank account drained, a credit card maxed out), or the FBI informs the victim.
  • A key part of IT security is protecting confidential data, which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need both non-security and security data: because advanced threats avoid detection by signature-based security products, the fingerprints of an advanced threat are often in the "non-security" data. Most traditional SIEMs focus on gathering signature-based threat alerts, which do *not* carry the fingerprints of advanced threats. The scenario above is worse if there is no SIEM at all: point UIs and grep are used instead, and aggregating data is very manual and time consuming.
  • Here is why SIEMs are not catching the advanced threats and not generating value in general. (A later slide has more detail on Splunk points of differentiation.) For point 1, traditional SIEMs suffer from:
    – Collectors or the backend database require data reduction or normalization, which hampers security use cases
    – Little support for custom data sources
    – Brittle collectors that break when data formats change
    The clock icon indicates slow searches and a long time to deploy. The dollar sign is the expensive cost behind the long deployment (lots of professional services) and multiple products.
  • Splunk can ingest any type of machine data, from any source, in real time. These are listed on the left and flow into Splunk for indexing. Once indexed, users can perform the use cases on the top right on the data: search through it, monitor it and be alerted in real time if scheduled search parameters are met, and aggregate the raw data in seconds for custom reports and dashboards. Splunk is also a platform that developers can build on: it has a well-documented REST API and several SDKs, so developers and external applications can directly access and act on the data within Splunk. Lastly, besides indexing raw data into its flat-file data store, Splunk can also retrieve and index data that resides in other data stores such as a SQL database or Hadoop.
  • Over 2500 security/compliance customers worldwide, covering all sizes and verticals. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
  • The SC Magazine award was determined by the readers of SC Magazine, who are IT security professionals. We beat out: HP (ArcSight Express), IBM Software Group (QRadar SIEM), LogRhythm (LogRhythm), NetIQ (NetIQ Sentinel 7) and SolarWinds (SolarWinds Log & Event Manager, LEM).
  • Make sure to stress the Security Intelligence Platform (SIP) message: we can meet their needs with the 4 use cases. We are more than a SIEM in that we are much more flexible and can also be used for use cases outside of security.
  • Use case 1. Alert from a point product UI or traditional SIEM. The pin board image on the right indicates the "cold case/CSI" sort of investigation that Splunk can enable. (FYI: the papers on the pin board do not tell a "real" investigation story, so do not try to read all the images on it.) From a forensics perspective, things like endpoint OS logs or packet captures can be put into Splunk at the time of the investigation to get deeper into the details. Existing SIEMs struggle with incident investigations because they cannot:
    – Retain all the original, unmodified data (because they normalize/reduce it)
    – Pivot easily among the data, because it sits in different data stores (logger/SIEM/Hadoop/etc.) with no common UI
    – Quickly return search results (because their DB causes scale/speed issues)
    – Do external lookups with much flexibility
  • Use case 2 (a slide with building images).
    – Ad-hoc reports for security investigation, executives, auditors. Example: show me all internal machines connecting back to a known bad external IP over the last 30 days.
    – Daily list of new security events that IT Security reviews each morning and uses to decide which incidents to look into that day: malware discovered, data loss events, etc.
    – Reports with top-10 style lists showing top malware infections, IDS attacks, failed logins by user, etc.
    – A Security or Network Operations Center might have a world map overlaid with security incidents, or yellow/red/green dials showing the overall threat level.
    – Executives may want trend lines showing threats over time, to see that risk is decreasing.
    The image is a sample dashboard built by a customer.
  • Use case 3. It is about taking thousands of security events that are low severity in isolation and connecting the dots in an automated, policy-driven manner, to see when a combination of seemingly low-severity events, once correlated, is actually a high-severity incident that needs immediate attention. There are hundreds of possible cross-product correlations. The one above tells the story of a data loss event being detected by signature-based security products:
    – For a specific internal IP address running Windows, someone logs in with the default administrative user name "Administrator", which is not good. All users should have a unique user name (not root or Administrator) so you know exactly who is doing what in the IT environment. The OS logs see this login.
    – Endpoint-based anti-malware sees known, bad malware running on that machine. Malware ("malicious software") is a red flag because it may lead to data being stolen by a hacker.
    – A Snort intrusion detection rule, acting here as the data loss detector, sees unencrypted credit card numbers leaving the organization from the same machine. Data loss of credit cards is a major red flag.
    Why these 3 events are bad: happening on the same machine in a short time period, they indicate a hacker inappropriately logged into the machine, probably using stolen credentials, then put malware on it (perhaps a backdoor to connect back to it later), then exfiltrated stolen credit cards from it. The cards may then have been used for illegal purposes, which ultimately may result in the costs of re-issuing cards, bad publicity, unhappy customers taking their business elsewhere, customer lawsuits, fines for PCI non-compliance, etc. Splunk can correlate on all 3 events happening on the same machine within a short time period; it has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
    Two other sample correlations:
    – The host firewall on an internal PC indicates the PC is being port scanned from an internal IP address; the network firewall indicates it is being port scanned from the same internal IP address; important settings have been changed on the suspicious internal machine. Why: the machine associated with that IP address may have been compromised by a threat that is doing internal reconnaissance.
    – A vulnerability scanner shows that an internal server has an unpatched OS; the Intrusion Detection System sees an external attack on that specific server that exploits the vulnerability in the OS. Why: the server is likely to be successfully compromised.
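The data-loss correlation just described, as an added Python example that is not Splunk's own code (in Splunk it would be a scheduled search grouping the three event types by source IP). The three log lines are constructed to resemble the slide's sources; the IP addresses, the year applied to the syslog timestamps and the field layout of the Windows logon line are assumptions, since the slide shows the source IPs redacted.

```python
"""Use case 3 as code: three low-severity events from three products become one
incident when they land on the same host inside a 24-hour window.

Added example, not Splunk's code. Sample log lines are constructed; IPs, the
syslog year and the Windows logon line format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG_YEAR = 2013  # assumption: BSD syslog timestamps carry no year

SAMPLE_LOGS = [
    # Windows logon with the built-in Administrator account (RID 500)
    "2013-08-08T06:01:09 host=ACME-002 src_ip=10.1.1.7 EventCode=4624 "
    "Account_Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500",
    # Endpoint anti-malware sees a rootkit on the same machine
    "Aug 08 06:09:13 acmesep01 SymantecServer acmesep01: Virus found,"
    "Computer name: ACME-002,Risk name: Hackertool.rootkit,"
    "Actual action: Quarantined,User: smithe,Source IP: 10.1.1.7",
    # Snort rule: a cleartext card number leaving the network from that host
    "Aug 08 08:26:54 snort snort[18774]: [1:100000:3] Credit Card Number Detected "
    "in Clear Text [Classification: Potential Corporate Privacy Violation] "
    "[Priority: 2] {TCP} 10.1.1.7:49152 -> 203.0.113.9:443",
    # A different host with only a malware event; must not produce an incident
    "Aug 08 09:00:00 acmesep01 SymantecServer acmesep01: Virus found,"
    "Computer name: ACME-017,Risk name: Trojan.Gen,"
    "Actual action: Quarantined,User: jones,Source IP: 10.1.1.9",
]

SYSLOG_TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"

# (event name, regex). Each regex captures the timestamp and the host IP.
DETECTORS = [
    # RID 500 identifies the built-in Administrator even if it has been renamed
    ("default_admin_login", re.compile(
        r"^(?P<ts>\S+) .*src_ip=(?P<ip>[\d.]+) .*EventCode=4624 .*SID=S-1-5-21-[\d-]+-500\b")),
    ("malware_found", re.compile(
        rf"^{SYSLOG_TS} .*Virus found,.*Source IP: (?P<ip>[\d.]+)")),
    ("cleartext_pan", re.compile(
        rf"^{SYSLOG_TS} .*Credit Card Number Detected in Clear Text.*\{{TCP\}} (?P<ip>[\d.]+):\d+ ->")),
]
REQUIRED = {name for name, _ in DETECTORS}


def parse(line):
    """Return (event_name, host_ip, datetime) or None if no detector matches."""
    for name, pattern in DETECTORS:
        m = pattern.search(line)
        if not m:
            continue
        ts = m.group("ts")
        when = (datetime.fromisoformat(ts) if "T" in ts
                else datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S"))
        return name, m.group("ip"), when
    return None


def correlate(lines, window_hours=24):
    """Map host_ip -> ordered [(event_name, iso_time)] for every host where all
    REQUIRED event types fall inside one sliding window of window_hours."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            name, ip, when = parsed
            by_ip[ip].append((when, name))
    incidents = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [(t, n) for t, n in events[i:]
                         if (t - start).total_seconds() <= window_hours * 3600]
            if REQUIRED <= {n for _, n in in_window}:
                incidents[ip] = [(n, t.isoformat()) for t, n in in_window]
                break
    return incidents


if __name__ == "__main__":
    for ip, chain in correlate(SAMPLE_LOGS).items():
        print(f"HIGH: {ip} ->", " ; ".join(f"{n}@{t}" for n, t in chain))
```

Two choices worth copying into a real rule: match the built-in Administrator by its RID (the SID ending in -500) rather than by the name, because the account is routinely renamed; and keep the window explicit, since 24 hours is generous for a single host and the same three events spread over a week is a different, weaker signal.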
  • Use case 4. Like the prior slide, so see the notes above. But in this case the events being correlated are all from "non-security" data sources, because these threats are "unknown" to traditional security products: no signature exists for them. Each of these events in isolation would raise no alarm. Only when combined can you see that they are risky, because they represent outliers/anomalies that could be advanced threats like a sophisticated cybercriminal or a nation state. There are hundreds of possible cross-product correlations. The one above tells the story of a spearphishing attack done in order to obtain and steal confidential data; more sample correlations are on the next slide. In this scenario Splunk is keeping track of all the external email domains sending mail into the company, all external web sites visited by internal employees, and all the services and executables running on internal machines. It can automatically count things like the number of emails received from each external domain and the number of times employees visit each external web domain, to surface the rarely seen items that are outliers. In the scenario above:
    – Splunk sees an email reach an internal employee from an external email domain that has never/rarely been seen before.
    – That same employee then visits a web site that is never/rarely visited by internal employees.
    – A service starts up on the employee's machine that is never/rarely seen in the organization.
    Why these 3 events are bad: happening on the same machine in a short time period, they indicate a spearphishing attack. The attacker sent a realistic-looking email that compelled the employee to click a link or open an executable, and the web site dropped malware on the machine. Splunk can correlate on all 3 events happening on the same machine within a short time period; it has connected the dots to find the proverbial needle in the haystack. Splunk can detect and/or alert on these sorts of correlations in real time or on a scheduled basis.
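The rarely-seen-before logic behind this scenario, as an added Python example that is not Splunk's own code. The email domain, web site and executable names are the ones on the slide; the baseline counts, the user names, the second user and the timestamps are constructed for the example.

```python
"""Use case 4 as code: "never/rarely seen before" scoring per data source,
then a per-user roll-up of rare sender domain + rare web domain + rare
process inside one day.

Added example, not Splunk's code. Baseline counts, users and timestamps are
constructed; the rarity threshold is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime

RARE_THRESHOLD = 3   # assumption: seen fewer than 3 times in the baseline period = rare
REQUIRED_SOURCES = {"email_sender_domain", "web_domain", "process_image"}

# Constructed baseline: how often each (source, entity) was observed
# organisation-wide over the prior 30 days. Counter returns 0 for anything unseen.
BASELINE = Counter({
    ("email_sender_domain", "acme.com"): 4200,
    ("email_sender_domain", "partner.example"): 310,
    ("web_domain", "www.example.com"): 9800,
    ("web_domain", "cdn.example.net"): 7600,
    ("process_image", "svchost.exe"): 52000,
    ("process_image", "outlook.exe"): 3100,
})

# Constructed events for the day under review: (iso_time, source, user, entity)
NEW_EVENTS = [
    ("2013-08-09T12:40:25", "email_sender_domain", "johndoe", "neverseenbefore.com"),
    ("2013-08-09T16:21:38", "web_domain", "johndoe", "www.neverbeenseenbefore.com"),
    ("2013-08-09T16:23:51", "process_image", "johndoe", "neverseenbefore.exe"),
    # a second user with one rare event only: a tuning signal, not an incident
    ("2013-08-09T13:10:00", "email_sender_domain", "asmith", "partner.example"),
    ("2013-08-09T14:00:00", "web_domain", "asmith", "www.neverbeenseenbefore.com"),
]


def is_rare(baseline, source, entity, threshold=RARE_THRESHOLD):
    """True when the entity was observed fewer than `threshold` times in the baseline."""
    return baseline[(source, entity)] < threshold


def flag_rare(events, baseline, threshold=RARE_THRESHOLD):
    """Keep only events whose entity is rare for its source. The baseline is
    deliberately not updated here: build it from a prior period, not from the
    events being scored, or a one-off sighting would immediately look normal."""
    return [(datetime.fromisoformat(ts), source, user, entity)
            for ts, source, user, entity in events
            if is_rare(baseline, source, entity, threshold)]


def rare_chains_by_user(rare_events, required=REQUIRED_SOURCES):
    """Bucket rare events per (user, calendar day), the way a stats-by-user-and-day
    search would, and return the buckets that contain every required source."""
    buckets = defaultdict(dict)  # (user, day) -> {source: first rare entity}
    for when, source, user, entity in rare_events:
        buckets[(user, when.date().isoformat())].setdefault(source, entity)
    return {key: srcs for key, srcs in buckets.items() if required <= set(srcs)}


if __name__ == "__main__":
    for (user, day), srcs in rare_chains_by_user(flag_rare(NEW_EVENTS, BASELINE)).items():
        print(f"possible spearphish: {user} on {day}: {srcs}")
```

The first email from a genuinely new vendor trips the same rarity test, so the per-source flags are triage signals and only the three-source chain is worth an alert. Bucketing by calendar day keeps the roll-up cheap but misses a chain that straddles midnight; a sliding window per user fixes that at the cost of more state.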
  • More on use case 4. Nothing on this slide or the next would generate an alert in a traditional security tool like anti-malware or a firewall. All of these "what to look for" items can be automated as real-time searches. These are just a few examples of how to detect what may be an advanced threat. For #2 (an employee badges in at one location, then logs in from a country away), the Haversine formula is used to calculate the distance between the two locations.
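Two of the table's checks as an added Python example that is not Splunk's own code: the Haversine distance test for #2 (badge-in versus login location) and the standard-deviation test for #3 (a host requesting far more from the file server than its own norm). The coordinates (a San Francisco office, a VPN source geolocated to Shanghai), the 1000 km/h ceiling, the request history and the 3-sigma threshold are assumptions for the example.

```python
"""Impossible travel (Haversine distance over elapsed time) and a per-host
standard-deviation outlier test, as code.

Added example, not Splunk's code. Coordinates, speed ceiling, request history
and sigma threshold are assumptions.
"""
import math
from datetime import datetime
from statistics import mean, pstdev

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than an airliner means nobody travelled


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(first, second, max_kmh=MAX_PLAUSIBLE_KMH):
    """first, second: (iso_time, lat, lon). Returns (km, required_kmh, flagged).
    Both timestamps must already be in one timezone (UTC here); badge systems
    and VPN concentrators rarely agree on that by default."""
    t1, lat1, lon1 = first
    t2, lat2, lon2 = second
    km = haversine_km(lat1, lon1, lat2, lon2)
    hours = abs((datetime.fromisoformat(t2) - datetime.fromisoformat(t1)).total_seconds()) / 3600
    if hours == 0:                       # same second, different place
        return km, math.inf, km > 0
    speed = km / hours
    return km, speed, speed > max_kmh


def zscore_outlier(history, today, sigmas=3.0):
    """history: this host's own daily request counts over the baseline period.
    Returns (z, flagged); flagged when today exceeds mean + sigmas * stdev."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:                          # flat history: any increase is an outlier
        return (math.inf if today > mu else 0.0), today > mu
    z = (today - mu) / sd
    return z, z > sigmas


# Constructed sample: badge-in at the San Francisco office, then a VPN login
# whose source IP geolocates to Shanghai two hours later (all times UTC).
BADGE_IN = ("2013-08-09T09:00:00", 37.7749, -122.4194)
VPN_LOGIN = ("2013-08-09T11:00:00", 31.2304, 121.4737)
# Constructed 10-day history of file-server requests from one employee's host
REQUEST_HISTORY = [210, 195, 230, 205, 220, 198, 215, 225, 200, 212]


if __name__ == "__main__":
    km, kmh, flagged = impossible_travel(BADGE_IN, VPN_LOGIN)
    print(f"badge->VPN: {km:.0f} km, needs {kmh:.0f} km/h, flagged={flagged}")
    z, flagged = zscore_outlier(REQUEST_HISTORY, 1900)
    print(f"file-server requests today: z={z:.1f}, flagged={flagged}")
```

The baseline for the z-score is the host's own history, not the whole organisation's, because a file-server admin's normal day would otherwise hide every ordinary user's spike. GeoIP accuracy is the main false-positive source for the travel check: a login through a corporate proxy or a mobile carrier can geolocate hundreds of kilometres from the user, so whitelist those ranges before alerting.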
  • Customers start by using Splunk Enterprise to address one specific solution area, then leverage it and their machine data to solve other pressing problems over time. Consequently, Splunk Enterprise has many critical uses across IT and the business:
    – Application Management: end-to-end visibility across distributed infrastructures; troubleshooting across application environments; monitoring for performance degradation; tracing transactions across distributed systems and infrastructure.
    – Development: accelerating development and test cycles; supporting advanced development methodologies like agile and continuous delivery; integrating enterprise applications with SDKs and a robust API; building enterprise applications that leverage Splunk software.
    – Infrastructure and Operations Management: proactively monitoring across IT silos to ensure uptime; rapidly pinpointing and resolving problems; reporting on SLAs and tracking SLAs of service providers.
    – Security and Compliance: rapid incident response, real-time correlation and in-depth monitoring across data sources; statistical analysis for advanced pattern detection and threat defense.
    – Web and Business Analytics: visibility and intelligence on customers, services and transactions; identifying trends and patterns in real time; fully understanding the impact of new product features on back-end services.
  • One solution, Splunk for Security, but 3 offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes it, as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content, do not want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app, with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases (it does have a cost, though). Besides this app there are over 80 security-centric free Apps on Splunkbase; these are offering 3. The majority of Splunk security customers use Splunk Enterprise and the free apps. Customers also leverage the API and SDKs that come with Splunk to further extend the platform.
  • You need to look for abnormal events in normal user activity data. A SIEM is not built for this and its architecture doesn't support it. Data reduction model, the typical funnel representation: limited data collection; a data subset used for security; that subset may fire one of 200+ rules; a linear approach with no going back in time.
    1. Traditional SIEM / log management sources: almost always not all your sources are supported, and custom application data is almost always left out.
    2. Data is sent to a log management solution for scale and filtered to "security-related" events only. Nice-to-have information-level data from security devices, and data sent by applications, is left out.
    3. Security data is sent to the SIEM, and only what fires a rule is responded to.
    4. This reinforces silos between applications, operations and security. Investigations are limited to only what you expect to see; you never know what you don't know!
    Splunk: a data inclusion model, where ALL data is security relevant. If a correlation search produces a positive result, investigations aren't artificially limited; they can include seeing the effect of a security event all the way to the application, up to the second. Pattern- and threshold-based rather than rules-based: watch for a pattern of activity and get an alert before and after it hits a threshold. Massive scale can offer a broader view of attack vectors and surfaces. Operations and security data are seen in the same system, which breaks down silos/barriers.

    1. Copyright © 2013 Splunk Inc. Splunk for Security
    2. Who is this session for? Security Practitioners, Security Architects, Security execs, Compliance/Audit
    3. Agenda • Splunk for Security (20 min) • Demonstration of Splunk Enterprise (10 min) • Demonstration of the Splunk App for Enterprise Security (20 min) • Q&A
    4. Advanced Threats in the Headlines: Cyber Criminals, Nation States, Insider Threats. "160 million credit cards later, cutting edge hacking ring cracked" – NBC News, July 2013. "Banks Seek U.S. Help on Iran Cyber attacks" – Wall Street Journal, Jan 2013. "Verizon: Most Intellectual Property Theft Involves Company Insiders" – Dark Reading, Oct 2012
    5. Advanced Threats Are Hard to Detect • 100%: valid credentials were used • 243: median # of days before detection • 40: average # of systems accessed • 63%: of victims were notified by external entity. Source: Mandiant M-Trends Report 2012 and 2013
    6. All Data is Security Relevant = Big Data: Databases, Email, Web, Desktops, Servers, DHCP/DNS, Network Flows, Traditional SIEM, Custom Apps, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Storage, Mobile, Data Loss Prevention, Intrusion Detection, Anti-Malware, Service Desk, Call Records, Industrial Control
    7. Limitations of Existing SIEMs (Traditional SIEM) • Limits view of security threats: difficult to collect all data sources; requires costly, custom collectors for DB schema • Inflexible search/reporting hampers investigations and threat detection • Scale/speed issues impede ability to do big data analytics • Difficult to deploy and manage; often multiple products
    8. Solution: Splunk, the Engine for Machine Data. Real-time machine data from GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security devices, Desktops, CDRs flows into Splunk storage (alongside other big data stores) and supports: Ad hoc search, Monitor and alert, Custom dashboards, Report and analyze, Developer Platform
    9. Over 2500 Global Security Customers
    10. Rapid Ascent in the Gartner SIEM Magic Quadrant: 2011, 2012, 2013
    11. Industry Accolades: Best SIEM Solution; Best Enterprise Security Solution; Best SIEM
    12. Splunk Security Use Cases: A Security Intelligence Platform. Splunk can complement OR replace existing SIEMs. • Incident Investigations / Forensics • Security / Compliance Reporting • Real-Time Monitoring of Known Threats • Real-Time Monitoring of Unknown Threats
    13. Use Case 1 - Incident Investigation/Forensics • Often initiated by alert in another product • May be a "cold case" investigation requiring machine data going back months (timeline: January, February, March, April) • Need all the original data in one place and a fast way to search it to answer: – What happened and was it a false positive? – How did the threat get in, where have they gone, and did they steal any data? – Has this occurred elsewhere in the past? • Take results and turn them into a real-time search/alert if needed. (Slide background: sample raw log lines.)
    14. Case #2 – Security/Compliance Reporting. Many types of visualizations, easy to create in Splunk: – Ad-hoc auditor reports – New incident list – Historical reports – SOC/NOC dashboards – Executive/auditor dashboards
    15. Case #3 – Real-time Monitoring of Known Threats. Example Correlation – Data Loss. Three sources, joined on Source IP, all three occurring within a 24-hour period (Time Range):
        – Windows Authentication (Default Admin Account): 20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
        – Endpoint Security (Malware Found): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP:
        – Intrusion Detection (Data Loss): Aug 08 08:26:54 snort.acmetech.com snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]: {TCP} -> itsec
    16. Case #4 – Real-time Monitoring of Unknown Threats. Example Correlation – Spearphishing. Three sources, joined on User Name, all three occurring within a 24-hour period (Time Range):
        – Email Server (rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
        – Web Proxy (rarely visited web site): 2013-08-09 16:21:38 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User: John Doe
        – Endpoint Logs (rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Printers PrintProviders John Doe-PC Printers {} NeverSeenbefore" data_type=""
    17. Case #4 – More Examples
        Attack Phase     | What Threat is Doing                   | What to Look For                                                                                              | Data Source
        Lateral movement | Creating new admin accounts            | Account creation without corresponding IT service desk ticket                                                 | AD / Service Desk logs
        Data gathering   | Stealing credentials                   | For single employee: badges in at one location, then logs in countries away                                   | Badge / VPN / Auth
        Data gathering   | Gathering confidential data for theft  | Employee makes standard deviations more data requests from file server with confidential data than normal    | OS
        Exfiltration     | Exfiltration of info                   | Standard deviations larger traffic flows (incl DNS) from a host to a given IP                                 | NetFlow
    18. Splunk Delivers Value Across IT and the Business
    19. Splunk Key Differentiators (Splunk vs Traditional SIEM) • Single product, UI, data store • Software-only; install on commodity hardware • Quick deployment + ease-of-use = fast time-to-value • All original machine data is indexed and searchable • Big data architecture enables strong scale and speed • Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies • Open platform with API, SDKs, Apps • Use cases outside security lead to cross-dept collaboration and increased ROI
    20. Splunk Security Intelligence Platform: Splunk App for Enterprise Security; 80+ security apps, including Palo Alto Networks, Cisco Security Suite, F5 Security, FireEye, NetFlow Logic, Active Directory, Juniper, Blue Coat ProxySG, Sourcefire, OSSEC
    21. Next Steps • Info, data sheets, white papers, recorded demos at: Splunk.com > Solutions > Security; Splunk.com > Solutions > Compliance • Try Splunk for free! Download Splunk at www.splunk.com; go to Splunk.com > Community > Documentation > Search Tutorial; in 30 minutes you will have imported data, run searches, created reports; free Apps at Splunk.com > Community > Apps • Contact sales team at Splunk.com > About Us > Contact
    22. Thank You