Detection as code splunk user group dec 2020
- 1. © 2019 SPLUNK INC.
Detection as Code
Building and testing use cases with Enterprise Security Content Update
Mikael Bjerkeland
Senior Security Sales Engineer | Oslo
- 2.
Mikael Bjerkeland
Previous life:
• Cisco CCNP
• Network Monitoring & Splunk Consultant
• Linux Sysadmin (DNS, DHCP, ...)
• OpenShift rookie
• VoIP - Asterisk PBX
Now:
• Security Sales Engineer serving Norway
GitHub: https://github.com/inspired
Authored 7 apps on Splunkbase (e.g. Cisco Networks App for Splunk)
- 3.
Splunk Threat Research
[Figure: cycle of Study Threats → Create Datasets → Build Detections → Release Tools → Share with Community]
- 5.
What is a detection?
[Figure: a simple attack for credential dumping]
- 6.
What is a detection?
[Figure: the resulting Sysmon log in Windows Event Viewer]
- 7.
What is a detection?
[Figure: the same log forwarded to Splunk or another SIEM]
- 8.
What is a detection?
Data normalization as part of a data model: the raw Sysmon fields map onto Endpoint.Processes fields
• CommandLine → Processes.process
• Image → Processes.process_name
• ProcessId → Processes.process_id
- 9.
What is a detection?
[Figure: a detection search written against the data model]
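As an added example (not code from the deck): constructed Sysmon and Windows Security 4688 events are normalized into the Endpoint.Processes fields listed above, and one signature detection runs against the model rather than against either log format. The 4688 field names, the dest field and the watchlist entry are assumptions; the filter function stands in for the `_filter` macro convention used in Security Content.

```python
from collections import Counter

# Constructed sample events (not from the deck): two Sysmon Event ID 1 records
# and one Windows Security 4688 record, each with that source's own field names.
SYSMON_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ProcessId": "4120"},
    {"Computer": "ws02", "Image": r"C:\Temp\evil_dumper.exe",
     "CommandLine": "evil_dumper.exe --all", "ProcessId": "5188"},
]
SECURITY_4688_EVENTS = [
    {"Computer": "ws03", "NewProcessName": r"C:\Temp\evil_dumper.exe",
     "CommandLine": "evil_dumper.exe --all", "NewProcessId": "0x1744"},
]

def normalize_sysmon(ev):
    """Map Sysmon EID 1 fields onto the Endpoint.Processes fields from the slide."""
    return {"dest": ev["Computer"], "process": ev["CommandLine"],
            "process_name": ev["Image"].rsplit("\\", 1)[-1].lower(),
            "process_id": int(ev["ProcessId"])}

def normalize_4688(ev):
    """Same model from a Security 4688 event (assumed layout); its PID is hex."""
    return {"dest": ev["Computer"], "process": ev["CommandLine"],
            "process_name": ev["NewProcessName"].rsplit("\\", 1)[-1].lower(),
            "process_id": int(ev["NewProcessId"], 16)}

KNOWN_BAD = {"evil_dumper.exe"}   # constructed signature watchlist
ALLOWED_HOSTS = {"ws02"}          # constructed site-specific exclusion

def my_detection_name_filter(rows):
    """Stand-in for the `my_detection_name_filter` macro: local tuning kept out of the search."""
    return [r for r in rows if r["dest"] not in ALLOWED_HOSTS]

def detect(rows):
    """Signature detection written once against the model; returns (dest, process_name) -> count."""
    hits = [r for r in rows if r["process_name"] in KNOWN_BAD]
    return Counter((r["dest"], r["process_name"]) for r in my_detection_name_filter(hits))

def run():
    """Normalize both sources into one table, then run the single detection over it."""
    rows = [normalize_sysmon(e) for e in SYSMON_EVENTS]
    rows += [normalize_4688(e) for e in SECURITY_4688_EVENTS]
    return detect(rows)

if __name__ == "__main__":
    print(dict(run()))   # {('ws03', 'evil_dumper.exe'): 1}
```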
- 10.
Detection Types
• Signature based detections: focus on known threats
• Anomaly based detections: focus on changes in behavior
- 11.
Detection Accuracy - ROC
[Figure: ROC curve plotting True Positive against False Positive, with a High Accuracy region marked]
Thank you @malwareunicorn for the idea
- 12.
Detection Accuracy - ROC
[Figure: the same ROC curve with Anomaly-based Detections and Signature-based Detections placed on it]
- 13.
Detection Accuracy – Long Tail
[Figure: number of malware plotted along a "more generic" to "more specific" axis, with Anomaly-based Detections on the generic side and Signature-based Detections on the specific long tail]
Thank you @malwareunicorn for the idea
- 16.
Detection Dependencies
Dependencies:
• Windows Settings
• Sysmon Config
• Splunk Core
• Sysmon TA
• Endpoint Datamodel
[Figure: Windows 10 with Sysmon sending Sysmon logs to Splunk]
- 17.
Detection Testing
30 Detections for Sysmon, so every dependency that changes means another 30 tests:
• 30 tests for changes in Windows
• 30 tests for new Sysmon Version
• 30 tests for new Splunk Version
• 30 tests for new Sysmon TA
• 30 tests for changes in Endpoint Datamodel
- 23.
Challenges
• Threat landscape: keep up with the ever changing threat landscape
• Test & improve detections: continuous testing and improvement of detections
• Shorten development lifecycle: reduce the detection development lifecycle between a new attack and a new detection
- 24.
Splunk Security Content
• Open source repository containing 200+ Splunk detections
• Detections, baselines and responses are combined into analytic stories
• Available as the ESCU Splunk App, GitHub repository and REST API
• Mapped to the MITRE ATT&CK Matrix
• Mapped to CIM data models / log sources
Security Content: https://github.com/splunk/security-content
- 25.
CI/CD Workflow – Software Engineering
[Figure: Commit change → Trigger build → Build → Notify of build outcome → Run tests → Notify of test outcome → Deploy]
- 26.
CI/CD Workflow – Detection Engineering
[Figure: Commit detection → Convert detection → Package detection → Notify of build outcome → Test detection → Notify of test outcome → Deploy detections]
This is what I'll focus on today
- 30.
Commit detection – Branching workflow
[Figure: git branches master and develop; detection1 and detection2 are branched from develop and merged back, and develop is merged into master as Version 1.1]
- 32.
Convert Detection & Package Detection
[Figure: Security Content detection schema format → generate.py → savedsearches.conf]
- 36.
Detection Development Workflow
[Figure: Attack Technique → Attack Dataset → Detection + Detection Test → Detection Testing Pipeline → Detection compatible with all Splunk Security Products]
- 37.
Detection Development Workflow - People
• Adversary Emulation Engineer
• Detection Developer
• Detection Engineer
• Blogger
- 38.
Detection Development Workflow - Tools
• Attack Data Generation Service
• Attack Range
• Cloud Attack Range
• Detection Testing Service
• Security Content
- 41.
Automated Detection Testing
[Figure: Attack Range pipeline: Build Env → Replay Attack Data → Run Detections → Evaluate Results]
python attack_range.py --action test --test_file tests/T1003_002.yml
- 43. © 2019 SPLUNK INC.
Package detections into an app
Forking from a Git repository
Provide detections over REST API
Deploy detections
- 44.
Build your first detection!
First: clone and branch https://github.com/splunk/security-content
1. Copy a detections/*/*.yml file to detections/*/my_detection_name.yml
   1. Replace name with "My Detection Name"
   2. Replace id with a new UUID (lower case!)
   3. Change metadata fields
   4. Replace search with your detection
      1. Make it as generic as possible!
      2. Use macros
      3. End the search with | `my_detection_name_filter`
2. Copy a macros/*_filter.yml file to macros/my_detection_name_filter.yml
   1. Replace name but keep the rest super generic
3. Run: python bin/generate.py --path . --output package -v
4. Run: cp -r package /opt/splunk/etc/apps/DA-ESS-ContentUpdate
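As an added example (not the project's generate.py, which does far more), this shows the core of the convert step from slide 32 applied to the procedure above: a parsed detection is checked for the lower-case UUID and the trailing filter macro, then rendered as a savedsearches.conf stanza plus the matching macros.conf stanza. The four modelled fields, the stanza layout and the `search *` filter body are assumptions about the real schema.

```python
import re
import uuid

# Constructed sample: the parsed form of a detections/*/my_detection_name.yml
# file. Only four fields are modelled here; the real schema has more.
DETECTION = {
    "name": "My Detection Name",
    "id": "3f2b6c1e-8d4a-4c7e-9b0a-1d2e3f4a5b6c",
    "description": "Constructed sample detection written against Endpoint.Processes.",
    "search": ('| tstats count from datamodel=Endpoint.Processes '
               'where Processes.process_name="my_process.exe" '
               'by Processes.dest Processes.process | `my_detection_name_filter`'),
}

def filter_macro_name(name):
    """Filter macro the search must end with: lower-cased name, non-alphanumerics to '_'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_") + "_filter"

def validate(det):
    """Return a list of problems; an empty list means the detection can be packaged."""
    problems = []
    if not det.get("name", "").strip():
        problems.append("name is missing")
    try:
        # str(uuid.UUID(x)) is the canonical lower-case form, so an upper-case
        # or brace-wrapped id (typical copy-paste slips) fails this comparison.
        if str(uuid.UUID(det["id"])) != det["id"]:
            problems.append("id must be a lower-case canonical UUID")
    except (KeyError, ValueError):
        problems.append("id is not a valid UUID")
    macro = "| `" + filter_macro_name(det.get("name", "")) + "`"
    if not det.get("search", "").rstrip().endswith(macro):
        problems.append("search must end with " + macro)
    return problems

def to_savedsearch_stanza(det):
    """Render a minimal savedsearches.conf stanza in the 'ESCU - <name> - Rule' style."""
    problems = validate(det)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([f"[ESCU - {det['name']} - Rule]",
                      f"description = {det['description']}",
                      f"search = {det['search']}",
                      "disabled = true", ""])

def to_macro_stanza(det):
    """Matching macros.conf stanza; 'search *' is the empty filter each site overrides."""
    return f"[{filter_macro_name(det['name'])}]\ndefinition = search *\n"
```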
- 46.
Apply What you Learned Today
• Next week you should:
  – Download and install Attack Range
• In the first three months following this presentation you should:
  – Establish a CI/CD workflow for your SIEM detections
  – Continuously test your detections
• Within six months you should:
  – Share your detections with the InfoSec community
  – Establish automated testing of detections
- 48.
Resources
• Splunk Security Content: https://github.com/splunk/security-content
• Attack Range: https://github.com/splunk/attack_range
• MITRE ATT&CK Matrix: https://attack.mitre.org
• Atomic Red Team: https://github.com/redcanaryco/atomic-red-team