© 2017 SPLUNK INC.
Splunk for Security
Introductory Workshop
<Enter Presenter’s Name>
May 2018 | Version 1.2 (0425)
WIFI Access Information
● SSID : VENUE_SSID
● Password : VENUE_Pass
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Let’s Get Ready! Things needed for this workshop
● Your own laptop with Internet access
● Verify Wi-Fi access
  ○ SSID : ENTER_VENUE_NETWORK
  ○ Password : ENTER_VENUE_PASS
● Verify lab environment access
● Required materials: please register on-site by clicking this link
  ○ https://bit.ly/2KtLfBY
● Credentials (if challenged)
  ○ ID : splunk
  ○ Password : !splunk!
Materials you should have
● Workshop presentations
  ○ https://bit.ly/2juiKrx
● Workshop Environment Link Directory
  ○ https://bit.ly/2HSHAvW
Test your access to the environment
● Click on this link to see if you are ready.
  ○ https://bit.ly/2HLK6bm
Presentation Legend / Hands-on Guide
Please familiarize yourself with the following legend so that you can follow the content and the instructors effectively.
Visual | Type | Description
https://bit.ly/2Jghx1N | Short-cut URL | Links to each exercise
Highlight box | Highlight | The presenter will explain more on these
(1) CLICK (2) CLICK | Click instruction with order (x) | Follow the sequence of the actions
Scroll Down | Scroll instruction | Scroll down the page
Environment Access Test Link
https://bit.ly/2HLK6bm
(1) Click the link. (2) Click through to the search view. (3) If you see data coming in like this, you are ready to go. Go ahead and sip your coffee.
Session Agenda
▶ Section 1 : Basic Posture and Monitoring
▶ Section 2 : Intro to Investigation
▶ Summary and Next Steps
Time Schedule :
- 08:30 ~ 09:30
- 09:30 ~ 09:40 Break
- 09:40 ~ 10:40
- 10:40 ~ 10:50 Break
- 10:50 ~ 11:50
- 11:50 ~ 12:00 Q&A
Analytics-Driven Security: Portfolio
Platform for Operational Intelligence: Search and Investigate, Monitoring & Alerting, Dashboards and Reports, Incident & Breach Response
Premium Solutions:
● Enterprise Security: Security Operations, Threat Detection, Automation & Orchestration
● User Behavior Analytics: Discover Anomalous Behavior, Detect Unknown Threats
Splunk Security Apps & Add-ons (plus 590+ 3rd-party apps & add-ons): Network data, RDBMS (any) data, Windows host data, Exchange data, Analytics for Hadoop, PCI Compliance, Security Essentials, App for AWS, ML Toolkit, Google Cloud, Microsoft Cloud, Windows Infrastructure
How We’ll Explore Splunk Enterprise and Splunk Enterprise Security (ES)
- Part I
  - Presentation: Overview of basic posture and monitoring
    - Centralizing analysis, 4 key data sources
  - Hands-On: UI walkthrough for each data source
    - Splunk Enterprise -- partner apps
    - Splunk ES -- specific dashboards
- Part II
  - Presentation: Investigation basics
    - Importance of investigations, developing an investigative mindset
  - Hands-On:
    - Splunk Enterprise -- copy/paste SPL within exercises for login, endpoint, network
    - Splunk ES -- walkthrough of an example investigative workflow
Basic Posture and Monitoring
4 Key Data Sources
Centralizing Analysis of Point Layers
Problem | Solution
Protect Endpoint | Antivirus: Symantec, McAfee
Protect Network: Unauthorized Traffic | Firewalls/Web Filter: Palo Alto, Cisco
Control User Access | Authentication/2-Factor: AD, RSA, Badges
Network Attacks, Stolen Information, Phishing | IDS/IPS: Cisco, Palo Alto; Email Filter: Cisco, Proofpoint
Unpatched Systems, Versions With Bugs | Scanners/Patching: Nessus, SCCM
Indicators of Malicious Activity | Threat Intelligence
4 Ways to Improve Posture Quickly
Endpoint | Access/Identity | Network | Threat Intelligence
Understanding Your Endpoints
Processes, File Info / Access, User Activity
Endpoints
● Endpoint System: Windows Sysmon, Network, File Info
● Endpoint Security: Virus, Malware, Spyware, Whitelisting, Behaviors
What You Discover
❑ Frequency of application executions, unique applications
❑ Non-corporate-approved applications
❑ Known malicious executables
Benefit
❑ Visibility into application executions
❑ Understanding of unknown applications – who, where and how frequently
Posture – Endpoint
Splunk Enterprise
Environment Access : Endpoint – Symantec App (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2Jghx1N
Endpoint : Symantec Endpoint Protection Analysis
[Screenshot walkthrough: scroll down the dashboard and follow the numbered click/select steps.]
Posture – Endpoint
Splunk Enterprise Security
Environment Access : ES Endpoint Domain (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2qNGriO
Endpoint : Malware Center
[Screenshot walkthrough: select the filters and click through the dashboard.]
Endpoint : Malware Search
Endpoint : System Center (same ES environment URL : https://bit.ly/2qNGriO)
[Screenshot walkthrough: type in the search term and click.]
Endpoint : Update Center (same ES environment URL : https://bit.ly/2qNGriO)
Endpoint : Endpoint Changes (same ES environment URL : https://bit.ly/2qNGriO)
Access and Identity
Who, Why and Credential Abuse
Access/Identity
● Windows Security Events: Active Directory and Authentication Logs
What You Discover
❑ Credentials used in multiple locations, or shared by users
❑ Admin credential abuse
❑ Login frequencies, users moving around quickly
❑ Users failing authentication while trying to discover internal/external resources
Benefit
❑ Uncover unusual login patterns
❑ Track user behavior
Posture – Login Activity
Splunk Enterprise
Environment Access : Access – Cisco ISE App (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2vy5zyB
Access / Authentication : Cisco ISE App
[Screenshot walkthrough: click through the dashboard, scroll down and follow the numbered click steps.]
Exercise link : https://bit.ly/2HAkTQj
[Screenshot walkthrough: follow the numbered click steps, then add the search terms in the search bar and press Enter.]
POP QUIZ
How can you filter failed VPN sessions only from outside of “United States”?
Hint: add a “search NOT ...” command between a couple of the commands already in the search.
Posture – Login Activity
Splunk Enterprise Security
Environment Access : ES Access & Identity Domain (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2qNGriO
Access : Access Center
[Screenshot walkthrough: click through the dashboard.]
Access : Account Management (same ES environment URL : https://bit.ly/2qNGriO)
Access : Default Account Management (same ES environment URL : https://bit.ly/2qNGriO)
Access (Example) : SaaS Service Access
Identity : Asset Center
Identity : Identity Center
[Screenshot walkthroughs: click through each dashboard.]
Network Activity
Detecting Exfiltration and Unusual Communication
Network
● Network Access: ForeScout
● Firewall: Cisco, Palo Alto
● Network: DNS – Splunk Stream, DNS Server
What You Discover
❑ Who talked to whom, traffic volumes (in/out)
❑ Malware download/delivery, C2, exfiltration
❑ Horizontal and vertical movement
Benefit
❑ Determine how threats got in
❑ Systems and endpoints communicating internally
❑ Detect intellectual property theft, insiders
Posture – Network
Splunk Enterprise
Environment Access : Palo Alto Networks App (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2K34bY9
Palo Alto Networks : All Incident
[Screenshot walkthrough.]
Posture – Network
Splunk Enterprise Security
Environment Access : ES Network Domain (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2qNGriO
Network : Traffic Center
[Screenshot walkthrough: click through the dashboard.]
Network : Intrusion Center (same ES environment URL : https://bit.ly/2qNGriO)
Network : Vulnerability Center (same ES environment URL : https://bit.ly/2qNGriO)
Network : Web Center (same ES environment URL : https://bit.ly/2qNGriO)
Threat Intelligence
Known and Early Warning Indicators
Threat Intelligence
● Threat Feeds: Public, Free, Private, Paid or Custom – ThreatConnect, Anomali
● Firewall: Cisco, Palo Alto Networks
What You Discover
❑ High-risk behaviors and patterns
❑ Undetected/unblocked malware and command & control activities
❑ Known indicators of compromise
Benefit
❑ Early warning of malicious activity
❑ Detect indications of C2 channels
❑ Confirm whether traffic is going to compromised or watch-listed sites
❑ Compromised systems communicating with each other
❑ Compromised endpoints
Posture – Threat Intelligence
Splunk Enterprise
Environment Access : Custom Threat Intel App (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2HAkInY
Custom App (Sec Inv Quick Start) : Network Traffic Overview
[Screenshot walkthrough: click through, scroll down and note the highlighted panels.]
Posture – Threat Intelligence
Splunk Enterprise Security
Environment Access : ES Threat Intel Domain (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2qNGriO
Threat Intelligence : Threat Activity
[Screenshot walkthrough: click through the dashboard.]
Threat Intelligence : Threat Artifacts (same ES environment URL : https://bit.ly/2qNGriO)
Threat Intelligence : Risk Analysis (same ES environment URL : https://bit.ly/2qNGriO)
Investigation Basics
Security Technologies Are Designed to Detect Bad/Suspicious Activity
Each of the four data sources (Endpoint, Network, Threat Intelligence, Access/Identity) produces a stack of Data, then Indicators, and at the top Alerts.
Possibilities behind an alert:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
Importance of an Investigative Mindset
“Investigate” – gather data, analyze, pinpoint digital evidence
▶ Helps anyone handling alerts
▶ Gain control of posture
• Old way – “escalate or ignore”
• New way – find out what is actually going on
If you handle 100 alerts a month (5 alerts a day, 20 days in a month)*:
- If each alert takes 10 min to investigate: 100 x 10 = 1,000 min / 60 ≈ 16 hours
- If you reduce that to 5 min per alert: 100 x 5 = 500 min / 60 ≈ 8 hours
You get a day back (8 hours).
* assumes 14 – 28 cases in a shift
Developing an Investigative Mindset
Starting from an ALERT, ask: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
For each of those: What specific questions do I want answered? Where do I look? What is the logic / methodology to apply? What’s an example?
Investigation
Splunk Enterprise
Investigation Session 1 - Authentication (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2rhdgF7
Investigation -- Login Activity
SECURITY INVESTIGATION WITH SPLUNK : Exercise 1, Detection
The Splunk platform enables security analysts to quickly identify the root cause of security incidents and make informed decisions about how to remediate an issue. This Hands-on Experience enables you to use Splunk in a set of security-relevant real-world exercises.
For the first phase of the investigation, Detection, we will use Splunk SPL to analyze authentication failures to expose threats.
To get started, click "View Demo Video" to watch a demo session and click on "Launch Online Session" to open a Splunk online session and follow along with the real-world exercises.
SEARCHING FOR AUTHENTICATION FAILURES :
STEP 01 : Type fail* password into the Splunk search bar.
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain access to your environment. Start by looking for events that contain references to password failures.
fail* password
As you type fail, the Splunk platform shows terms that match fail. This can help you refine your search.
Use a wildcard (*) to get results for any event that contains a term beginning with fail, including fails, failed and failure, together with the term password.
Select one of the matching terms that appear as you type to find events that match the specified criteria, or search only for password to see events that just
STEP 02 : Select All time in the time range picker and click Search or press Enter to search.
STEP 03 : Review the search results. This search returns all failed system access attempts across the data in the Splunk platform.
Approximately 2,550 events match fail* password, i.e. roughly 2,550 failed authentication attempts in your environment. The search results show you the following:
• Timeline : Shows the distribution of matching events over time as a histogram. You can zoom in and out of timeframes to understand the distribution of events over time.
• Time range picker : Specify the time period for the search.
• Fields sidebar : Shows the fields extracted from the authentication events in your search results.
• Events view : Displays the raw events with the matching search terms highlighted. By default, the most recent event is listed first.
STEP 04 : Review the data types to see which types of systems have authentication failures.
Click sourcetype to see the list of data source types.
These authentication failures occurred on Windows, Linux, database, and file server systems.
With this one search you can identify authentication failures across many different systems in your environment.
REVIEW THE FIELDS IN THE SEARCH RESULTS :
Next, you want to identify the fields that help you analyze failed authentication attempts.
You want to answer the following questions :
• On which systems are the failed access attempts occurring?
• From where or whom are the failed access attempts originating?
• With which accounts are the failed access attempts occurring?
After identifying the helpful fields for your analysis, you can format the search results as a
table to more easily scan the aggregated search results.
STEP 05 : Mouse over the Fields sidebar and click the dest field. Click Yes to add it to the selected fields and review the Top 10 Values.
The dest field shows you the servers or hosts that assets in your environment attempted to access. You can use the dest field to identify the servers being targeted by failed authentication attempts.
More than 60 different hosts are being targeted. The destination ECOMMERCE-03 has more than 1,400 authentication failures, the server AD-019 has several hundred, and several other hosts show authentication failures.
STEP 06 : Mouse over the Fields sidebar and click the src field. Click Yes to add it to the
selected fields and review the Top 10 Values.
The src field contains the assets that authentication failures are coming from.
The host 10.11.36.20 has more activity than other hosts with password failures, and is worth investigating further. You can identify the host
STORE0329POS004 as a point of sale server based on the name. It has a troubling number of authentication failures for a host involved in credit
card data transactions.
STEP 07 : Mouse over the Fields sidebar and click the user field. Click Yes to add it to the
selected fields and review the Top 10 Values.
The user field indicates which target users have the highest number of authentication failures.
ANALYZE THE FAILED AUTHENTICATION ATTEMPTS :
After searching for authentication failures and reviewing the originating hosts (src), destination hosts
(dest), and involved users (user), the next step is to analyze the data. You want to determine which
users on which hosts are attempting to log in to which destination hosts. Analyze the authentication
failures with simple statistics.
• Origin of access (src)
• Target system (dest)
• Users on the target system (user)
• Type of system (sourcetype)
STEP 08 : In the Splunk search bar, append | stats count by src, dest, user, sourcetype to your existing search, then press the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype
This search aggregates the number of authentication failures by the origin of the attempt (src), target system (dest), user attempting to log in to the target system (user), and the type of system (sourcetype).
The stats command calculates the total number of authentication failures for each distinct combination of src, dest, user and sourcetype.
STEP 09 : Multiple failed authentication attempts are more of a threat than just one. Modify the search to look for combinations with more than two failed authentication attempts, sorted so that the highest counts appear first. Append | sort -count | where count > 2 to your search, then press the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype | sort -count | where count > 2
The hyphen directly before the field name in sort -count selects descending order; type a plain hyphen, since the typographic dash that copy-pasting from slides can introduce is not parsed as the descending flag. The where count > 2 filter keeps only the rows with three or more failures.
You can now review the most critical failed authentication attempts in your environment and investigate further.
EXERCISE 1 ASSESSMENT :
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain access to your environment. Start by looking for events that contain references to password failures.
CASE 01 : Someone has tried to access the ECOMMERCE-03 host more than 1,400 times. The high number of failed authentication attempts could indicate a password-guessing (brute-force) attack against the ECOMMERCE-03 server. Given the high number of attempts, it is most likely scripted.
CASE 02 : A single host (10.1.21.153) with a pattern of failed login attempts using multiple user accounts most likely
indicates a compromised system under the control of an attacker. The attacker is likely attempting to infiltrate the
network by logging in to other systems, a pattern indicating attempts at lateral movement. This potentially infected host is
attempting to gain access to the DATABASE-001 server, which likely contains sensitive data.
STEP 10 : View a visual analysis of the results using the “Parallel Coordinates” visualization. Select Visualization, then Parallel Coordinates.
The visual representation clearly shows the entity relationships of the authentication failure activity from 10.1.21.153. Its one-to-many layout depicts the lateral movement attempts, and the attempts against the DATABASE-001 host show login attempts with the DBADMIN user. Drag to select a range on an axis to filter the view.
Investigation -- Login Activity
DRILL DOWN INTO AN INVESTIGATION :
STEP 01 : From the analysis table produced by fail* password | stats count by src, dest, user, sourcetype | sort -count | where count > 2, click the src value for a search result with the host 10.1.21.153, then click View Events to see all the authentication failure events associated with that host.
In this exercise, you want to determine how a malicious host attempted to gain access to a target machine in your network. Continue to investigate the host 10.1.21.153, which attempted to access multiple web servers and a critical database server.
You can easily pivot from a set of search results to a new search on a specific host.
STEP 02 : Review the search results for the new search. The new search looks for
authentication failure events associated with the specific source.
fail* password src="10.1.21.153"
You can easily see all the raw events associated with this source host, identifying patterns of access attempts
and further evidence that there might be a malicious actor trying to access machines in your network.
VISUALIZE AUTHENTICATION FAILURE ACTIVITIES :
STEP 03 : From the Fields sidebar, click the dest field. Click Top values by time.
In this exercise, visualize the search results for authentication failures associated with the host 10.1.21.153 to quickly gain an understanding of how the attacker carried out the attempts to access internal servers.
The destination (dest) field tells you which systems this particular workstation is targeting. Based on the aggregate number of failed login attempts, web_cloud_03, a cloud web server, is the top targeted host with the most failed authentication attempts. The critical asset DATABASE-001 was also targeted.
You can quickly visualize the failed attempts by the 10.1.21.153 host against different destination hosts with the report created by clicking Top values by time.
STEP 04 : Review the visualization of failed attempts by the source host to access different
destinations over time.
The default visualization shows the activities visualized in a line chart. The visualization properties can be adjusted
to show activities by separating each destination host.
STEP 05 : Click Line Chart and change the visualization type to Column/Bar
The Column/bar view allows you to easily distinguish the volume of failed authentication attempts by destination.
STEP 06 : Click Format and click Yes for Multi-series Mode.
Multi-series mode displays a separate bar or column for each destination host.
STEP 07 : Explore the visualization. Mouse over the different host names.
This visualization lets you quickly visualize the volume of attacks from the host 10.1.21.153 organized by
destination over time. With this visualization, you can identify the following aspects of the attack.
• The sequence of authentication attempts made by the attacker over time, relative to different assets.
• The interval and duration of activities, showing a periodic pattern of attempts by an attacker using the same
host over time.
EXERCISE 2 : ASSESSMENT
This exercise walked you through visualizing the aggregated statistics in interactive charts, allowing you to perform more detailed analysis over time and validate specific suspicious activity. With a clearer understanding of the failed authentication attempts, you can determine that they were likely initiated by a malware-infected host (10.1.21.153) probing the internal network.
With this analysis, you can identify the following elements that confirm this is a malicious attack on your organization :
CASE 01 : A series of brute-force authentication attempts to multiple web service hosts.
CASE 02 : The attacks on the servers were carried out over two different time intervals. After the first series of attempts, the same attack was repeated eight minutes later.
CASE 03 : Immediately after the first series of web server access attempts, the attacker attempted to access a more critical asset, database server 001. The attacker only attempted to access the database server after probing the web servers.
Investigation -- Login Activity
INVESTIGATE THE SOURCE HOST ACTIONS ON THE CRITICAL ASSET
STEP 01 : From the visualization of the workstation 10.1.21.153 activities, locate the events associated with DATABASE-001 on the chart and click the cluster of events on the visualization.
In this exercise, investigate specific combinations of source and destination activities between the workstation and the DATABASE-001 server. This workflow continues from the visual analysis of the previous exercise.
Click the host DATABASE-001 to open a secondary search into the specific activities from the source 10.1.21.153 on the database server.
STEP 02 : Review the search results for additional unexpected behavior.
The search results now show only activities between the 10.1.21.153 host and the DATABASE-001 server that
include authentication failures.
EXPAND THE SEARCH FOR TARGETED ANALYSIS
STEP 03 : Modify the search to remove "fail* password" and see all activities with a "src=10.1.21.153" and a
"dest=DATABASE-001". Press enter or click Search.
To determine the full scope of activities between the 10.1.21.153 host and the DATABASE-001 server, expand the
search to determine if there was a successful authentication attempt after the failed authentication attempts you
already know about. In addition, you can identify which user accounts were used and which activities were
performed on the server.
Removing the search for "fail* password" expands the search to all types of activity between the source host
and destination server.
The search results found other events between these hosts that add context to the activities between the two
hosts.
STEP 04 : Examine the search results starting with the Fields sidebar. Click the field COMMENTTEXT to review the session information recorded by the database server. Click Yes to select the field.
STEP 05 : Click the field SQLTEXT to review information about SQL queries run on the database server. Click Yes to add the field to the selected fields.
Selecting these two fields, COMMENTTEXT and SQLTEXT, provides detailed information on what database activity took place between these two hosts.
FORMATTING EVENTS FOR QUICK VERIFICATION
STEP 06 : In the Splunk search bar, append | table _time, src, dest, user, COMMENTTEXT, SQLTEXT to the search.
Format the search results into a table to more easily analyze the important fields.
Focus your analysis on the most useful fields. Because DATABASE-001 is a database server, the SQLTEXT and COMMENTTEXT fields contain valuable information. Include _time to review the sequence of activity between the two hosts, and the user field to identify which user account is performing the activities.
Formatting the search results in a table allows you to easily follow the sequence of events over time. Search results are listed most recent first; append | sort _time if you prefer to read the table oldest first.
src="10.1.21.153" dest="DATABASE-001" | table _time, src, dest, user, COMMENTTEXT, SQLTEXT
EXERCISE 3 : ASSESSMENT
With the Splunk platform you can easily move from a detailed visualization to the detailed raw events, allowing you to perform exhaustive analysis and validate specific suspicious activities occurring between two hosts on your network. From this analysis you can determine that an attack occurred and that the attackers are querying the database server for valuable information.
CASE 01 : The activities from the workstation indicate that an attacker used several different database credentials to gain access to the database, including credentials from a privileged database user.
CASE 02 : After three failed authentication attempts, the attacker successfully logged in to the database as the ORACLE user, gained administrative privileges to the database and modified the user privileges for a third user.
CASE 03 : After the user privileges modification, you can identify clear signs of a transaction by the attacker in which they accessed a restricted database table containing customer information.
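The three assessment findings above are each a pattern over the time-ordered table from Step 06: several accounts tried, a success shortly after repeated failures, and a privilege change followed by a read of a restricted table. The Python below is an added example (not workshop material or Splunk code) that replays a constructed set of database audit events between 10.1.21.153 and DATABASE-001, builds the same table view, and encodes each finding as a check that returns the evidence. The timestamps, COMMENTTEXT wording, SQL statements, the CUSTOMERS table name, the list of privilege-changing statements and the five-minute correlation window are all assumptions of this example, not values from the workshop data set.

```python
"""Exercise 3 drill-down, emulated in plain Python (added example, not workshop code).

Replays a constructed sequence of database audit events between the workstation
10.1.21.153 and DATABASE-001 (the src/dest filter from Step 03 already applied),
builds the `| table _time, src, dest, user, COMMENTTEXT, SQLTEXT` view, and encodes
the three assessment findings as checks. Timestamps, user names, SQL text, the
CUSTOMERS table and the 5-minute window are all assumptions of this example.
"""
import re
from datetime import datetime, timedelta

SRC, DEST = "10.1.21.153", "DATABASE-001"
T0 = datetime(2018, 5, 1, 9, 40, 0)  # constructed start time


def _ev(offset_s, user, comment, sql=""):
    return {"_time": T0 + timedelta(seconds=offset_s), "src": SRC, "dest": DEST,
            "user": user, "COMMENTTEXT": comment, "SQLTEXT": sql}


# Constructed events, deliberately listed out of order to show that the table view sorts them.
EVENTS = [
    _ev(40, "ORACLE", "Session active", "GRANT DBA TO APPUSER"),
    _ev(0, "DBADMIN", "Authentication failed: invalid password"),
    _ev(7, "SYSTEM", "Authentication failed: invalid password"),
    _ev(15, "ORACLE", "Authentication failed: invalid password"),
    _ev(22, "ORACLE", "Authentication succeeded"),
    _ev(55, "ORACLE", "Session active", "SELECT * FROM CUSTOMERS"),
    _ev(70, "ORACLE", "Session closed"),
]

TABLE_FIELDS = ["_time", "src", "dest", "user", "COMMENTTEXT", "SQLTEXT"]


def by_time(events):
    return sorted(events, key=lambda e: e["_time"])


def table(events, fields=TABLE_FIELDS):
    """`| table ...` with `| sort _time` applied, so rows read oldest first."""
    return [[e.get(f) for f in fields] for e in by_time(events)]


def credentials_tried(events):
    """Case 01: the distinct accounts used in authentication attempts from this src."""
    return sorted({e["user"] for e in events if e["COMMENTTEXT"].startswith("Authentication")})


def failures_before_success(events, window=timedelta(minutes=5)):
    """Case 02: number of failed logins (any account) inside `window` before the first
    successful login; returns (user, failure_count, success_time) or None."""
    failures = []
    for e in by_time(events):
        comment = e["COMMENTTEXT"]
        if comment.startswith("Authentication failed"):
            failures.append(e["_time"])
        elif comment.startswith("Authentication succeeded"):
            recent = [t for t in failures if e["_time"] - t <= window]
            return e["user"], len(recent), e["_time"]
    return None


PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|ALTER\s+USER)\b", re.IGNORECASE)
RESTRICTED_TABLES = {"CUSTOMERS"}  # assumption: tables the analyst has marked restricted


def privilege_change_then_restricted_read(events):
    """Case 03: a privilege-changing statement followed later by a SELECT that reads a
    restricted table; returns (privilege_sql, select_sql) or None."""
    privilege_sql = None
    for e in by_time(events):
        sql = e["SQLTEXT"]
        if not sql:
            continue
        if PRIV_CHANGE.match(sql):
            privilege_sql = sql
        elif privilege_sql and sql.lstrip().upper().startswith("SELECT"):
            tables = set(re.findall(r"\bFROM\s+([A-Z_][A-Z0-9_]*)", sql.upper()))
            if tables & RESTRICTED_TABLES:
                return privilege_sql, sql
    return None


if __name__ == "__main__":
    for row in table(EVENTS):
        print(row)
    print(credentials_tried(EVENTS))
    print(failures_before_success(EVENTS))
    print(privilege_change_then_restricted_read(EVENTS))
```

The order of the checks matters: a GRANT alone is routine administration and a SELECT on CUSTOMERS alone may be a legitimate application query, so the Case 03 check only fires when the read comes after the privilege change from the same source, which is the sequence the table view makes visible. The FROM-clause regex is deliberately simple; real SQL audit text with joins, subqueries or quoted identifiers needs a proper parser.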
More exercises to try at home!
http://splk.it/2HkqPd5
http://splk.it/2ovYwAu
http://splk.it/2FcN1I4
Investigation Session 2 - Endpoint (Security Online Experience, hands-on session)
Access URL : http://splk.it/2HkqPd5 (register to sign in)
Investigation Session 3 - Network (Security Online Experience, hands-on session)
Access URL : http://splk.it/2ovYwAu (register to sign in)
Investigation
Splunk Enterprise Security
Environment Access : ES Incident Management (Security Online Experience, hands-on session)
Access URL : https://bit.ly/2I6QXvk
[Screenshot walkthrough: select a notable event, open it, enter the requested values and click through the incident review workflow.]
© 2017 SPLUNK INC.
Environment Access : ES Asset Investigator
https://bit.ly/2I6QXvk
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
© 2017 SPLUNK INC.
(1) CLICK
(2) CLICK
© 2017 SPLUNK INC.
CLICK
© 2017 SPLUNK INC.
Environment Access : ES Adaptive Response
https://bit.ly/2HPlQkG
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
© 2017 SPLUNK INC.
CLICK
© 2017 SPLUNK INC.
(1) CLICK
(2) CLICK
(3) CLICK
© 2017 SPLUNK INC.
© 2017 SPLUNK INC.
Environment Access : ES Content Update
https://bit.ly/2HBGKGT
Security Online
Experience
Hands on Session
Access URL :
SCREEN CAPTURE
(To be provided)
© 2017 SPLUNK INC.
CLICK
© 2017 SPLUNK INC.
SELECT
© 2017 SPLUNK INC.
(1) CLICK
(2) CLICK
(3) CLICK
© 2017 SPLUNK INC.
Summary
Attend .conf18
.conf is Splunk’s premier education and thought leadership event for thousands of IT and business professionals who are keen to use machine data insights to find answers.
.conf18 | October 1 - 4, 2018
University | September 29 – October 1
Walt Disney World Swan and Dolphin Resort | Orlando, Florida
“.conf is an exciting collection of technical sessions, hands-on demos and social networking with industry professionals and users. I can’t wait for .conf18.” – Michael Deisher, Systems Analyst, Visa
Registration opens April 10th!
3 Days of Innovation: keynotes with IT visionary thought leaders, partners who enhance the value of Splunk, networking with data enthusiasts, education sessions, hands-on labs, Customer Success Studio.
300+ Education Sessions: Business Analytics, Development, IoT, IT Operations, Security/Compliance/Fraud, Foundations.
Announcements
Announcing free Splunk training for veterans: veterans.splunk.com
Thank You

Splunk for Security: Endpoint, Identity, and Network Posture

  • 1. © 2017 SPLUNK INC.© 2017 SPLUNK INC. Splunk for Security Introductory Workshop <Enter Presenter’s Name> May 2018 | Version 1.2 (0425) WIFI Access Information ● SSID : VENUE_SSID ● Password : VENUE_Pass
  • 2. © 2017 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved. Forward-Looking Statements
  • 3. © 2017 SPLUNK INC. Things needed for this workshop ● Your own laptop - Internet accessible ● Verify Wifi Access ● Verify Lab environment access. ● Required Materials Please register on-site ● Click on this link https://bit.ly/2KtLfBY Credentials (If challenged) ● ID : splunk ● Password : !splunk! Let’s Get Ready! Wifi Access ● SSID : ENTER_VENUE_NETWORK ● Password : ENTER_VENUE_PASS Materials you should have ● Workshop presentations ○ https://bit.ly/2juiKrx ● Workshop Environment Link Directory ○ https://bit.ly/2HSHAvW Test your access to environment ● Click on this link to see if you are ready. https://bit.ly/2HLK6bm
  • 4. © 2017 SPLUNK INC. Presentation Legend / Hands-on Guide Visual Type Description https://bit.ly/2Jghx1N Short-cut URL links to each exercise Highlight boxes, presenter will explain more on these. Click Instruction with order (x), Follow the sequence of the action. Scroll Down InstructionScroll Down (1) CLICK (2) CLICK Please be familiarized with the following legend for you to effectively follow the content and the instructors.
• 5. Environment Access Test
Link: https://bit.ly/2HLK6bm
(1) CLICK (2) CLICK (3) If you see data coming in like this, you are ready to go! Go ahead and sip your coffee.
• 6. Session Agenda
▶ Section 1 : Basic Posture and Monitoring
▶ Section 2 : Intro to Investigation
▶ Summary and Next Steps
Time Schedule :
- 08:30 ~ 09:30
- 09:30 ~ 09:40 Break
- 09:40 ~ 10:40
- 10:40 ~ 10:50 Break
- 10:50 ~ 11:50
- 11:50 ~ 12:00 Q&A
• 7. Analytics-Driven Security: Portfolio
Platform for Operational Intelligence
● Premium Solutions: Enterprise Security; User Behavior Analytics
● 3rd Party Apps & Add-ons (590+)
● Splunk Security Apps & Add-ons: Security Essentials, PCI Compliance, App for AWS, ML Toolkit, Analytics for Hadoop, Google Cloud, Microsoft Cloud, Windows Infrastructure
● Data: Network data, RDBMS (any) data, Windows host data, Exchange data
● Capabilities: Search and Investigate; Monitoring & Alerting; Dashboards and Reports; Incident & Breach Response; Discover Anomalous Behavior; Detect Unknown Threats; Automation & Orchestration; Threat Detection; Security Operations
• 8. How We'll Explore Splunk Enterprise and Splunk Enterprise Security (ES)
- Part I
  - Presentation: Overview of basic posture and monitoring
    - Centralizing analysis, 4 key data sources
  - Hands-On: UI walkthrough for each data source
    - Splunk Enterprise -- partner apps
    - Splunk ES -- specific dashboards
- Part II
  - Presentation: Investigation basics
    - Importance of investigations, developing an investigative mindset
  - Hands-On:
    - Splunk Enterprise -- copy/paste SPL within exercises for login, endpoint, network
    - Splunk ES -- walkthrough of example investigative workflow
• 9. Basic Posture and Monitoring: 4 Key Data Sources
• 10. Centralizing Analysis of Point Layers
Problem -> Solution
● Protect Endpoint -> Antiviruses: Symantec, McAfee
● Protect Network: Unauthorized Traffic -> Firewalls/Web Filter: Palo Alto, Cisco
● Control User Access -> Authentication/2-Factor: AD, RSA, Badges
● Network Attacks, Stolen Information, Phishing -> IDS/IPS: Cisco, Palo Alto; Email Filter: Cisco, Proofpoint
● Unpatched Systems, Versions With Bugs -> Scanners/Patching: Nessus, SCCM
● Indicators of Malicious Activity -> Threat Intelligence
• 11. 4 Ways to Improve Posture Quickly: Endpoint, Access/Identity, Network, Threat Intelligence
• 12. Understanding Your Endpoints: Processes, File Info / Access, User Activity
Endpoints
● End Point System: Windows Sysmon, Network, File Info
● Endpoint Security: Virus, Malware, Spyware, Whitelisting, Behaviors
What You Discover
❑ Frequency of application executions, unique applications
❑ Non-corporate approved applications
❑ Known malicious executables
Benefit
❑ Visibility into application executions
❑ Understanding of unknown applications – whom and where and frequency
• 13. Posture – Endpoint (Splunk Enterprise)
• 14. Environment Access : Endpoint Symantec App
Security Online Experience Hands on Session Access URL : https://bit.ly/2Jghx1N
SCREEN CAPTURE (To be provided)
• 15. Endpoint : Symantec Endpoint Protection Analysis (Scroll Down)
• 23. Posture – Endpoint (Splunk Enterprise Security)
• 24. Environment Access : ES Endpoint Domain
Security Online Experience Hands on Session Access URL : https://bit.ly/2qNGriO
SCREEN CAPTURE (To be provided)
• 25. Endpoint : Malware Center
• 26. Endpoint : Malware Center (1) SELECT (2) SELECT (3) CLICK
• 27. Endpoint : Malware Search
• 29. Endpoint : System Center (1) TYPE IN (2) CLICK
• 31. Endpoint : Update Center
• 33. Endpoint : Endpoint Changes
• 34. Access and Identity: Who, Why and Credential Abuse
Access/Identity
● Windows Security Events: Active Directory and Authentication Logs
What You Discover
❑ Credentials used in multiple locations, or shared by users
❑ Admin credential abuse
❑ Login frequencies, users moving around quickly
❑ Users failing authentications trying to discover internal/external resources
Benefit
❑ Uncover unusual login patterns
❑ Track user behavior
• 35. Posture – Login Activity (Splunk Enterprise)
• 36. Environment Access : Access - Cisco ISE App
Security Online Experience Hands on Session Access URL : https://bit.ly/2vy5zyB
SCREEN CAPTURE (To be provided)
• 37. Access / Authentication : Cisco ISE App
• 42. Access / Authentication exercise link : https://bit.ly/2HAkTQj
• 46. POP QUIZ: How can you filter failed VPN sessions only from outside of "United States"? Hint: add "search NOT" in between a couple of commands.
• 48. Posture – Login Activity (Splunk Enterprise Security)
• 49. Environment Access : ES Access & Identity Domain
Security Online Experience Hands on Session Access URL : https://bit.ly/2qNGriO
SCREEN CAPTURE (To be provided)
• 50. Access : Access Center
• 51. Access : Access Center (2) CLICK
• 53. Access : Account Management
• 55. Access : Default Account Management
• 56. Access (Example) : SaaS Service Access
• 57. Identity : Asset Center
• 59. Identity : Identity Center
• 61. Network Activity: Detecting Exfiltration and Unusual Communication
Network
● Network Access: ForeScout
● Firewall: Cisco, Palo Alto
● Network: DNS – Splunk Stream, DNS Server
What You Discover
❑ Who talked to whom, traffic volumes (in/out)
❑ Malware download/delivery, C2, exfiltration
❑ Horizontal and vertical movement
Benefit
❑ Determine how threats got in
❑ Systems and endpoints communicating internally
❑ Detect intellectual property theft, insiders
• 62. Posture – Network (Splunk Enterprise)
• 63. Environment Access : Palo Alto Networks App
Security Online Experience Hands on Session Access URL : https://bit.ly/2K34bY9
SCREEN CAPTURE (To be provided)
• 64. Palo Alto Networks : All Incident
• 67. Posture – Network (Splunk Enterprise Security)
• 68. Environment Access : ES Network Domain
Security Online Experience Hands on Session Access URL : https://bit.ly/2qNGriO
SCREEN CAPTURE (To be provided)
• 69. Network : Traffic Center
• 71. Network : Intrusion Center
• 73. Network : Vulnerability Center
• 75. Network : Web Center
• 77. Threat Intelligence: Known and Early Warning Indicators
Threat Intelligence
● Threat Feeds: Public, Free, Private, Paid or Custom – ThreatConnect, Anomali
● Firewall: Cisco, Palo Alto Networks
What You Discover
❑ High risk behaviors and patterns
❑ Undetected/unblocked malware and command & control activities
❑ Known indicators of compromise
Benefit
❑ Early warning of malicious activity
❑ Detect indication of C2 channels
❑ Confirm whether traffic is going to compromised or watch-listed sites
❑ Compromised systems communicating with each other
❑ Compromised endpoints
• 78. Posture – Threat Intelligence (Splunk Enterprise)
• 79. Environment Access : Custom Threat Intel App
Security Online Experience Hands on Session Access URL : https://bit.ly/2HAkInY
SCREEN CAPTURE (To be provided)
• 80. Custom App (Sec Inv Quick Start) : Network Traffic Overview
• 83. Posture – Threat Intelligence (Splunk Enterprise Security)
• 84. Environment Access : ES Threat Intel Domain
Security Online Experience Hands on Session Access URL : https://bit.ly/2qNGriO
SCREEN CAPTURE (To be provided)
• 85. Threat Intelligence : Threat Activity
• 87. Threat Intelligence : Threat Artifacts
• 89. Threat Intelligence : Risk Analysis
• 90. Investigation Basics
• 91. Security Technologies Are Designed to Detect Bad/Suspicious Activity
Layers: Alert / Indicator / Data
Data sources: Endpoint, Network, Threat Intelligence, Access/Identity
Possibilities:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
• 92. Importance of an Investigative Mindset
"Investigate" – gather data, analyze, pinpoint digital evidence
▶ Helps anyone handling alerts
▶ Gain control of posture
• Old way – "escalate or ignore"
• New way – find out what is actually going on
If you handle 100 alerts a month (5 alerts a day, 20 days in a month)*:
- If each alert takes 10 min to investigate: 100 x 10 = 1,000 min / 60 = 16 hours
- If you reduce it to 5 minutes: 100 x 5 = 500 min / 60 = 8 hours
- You get a day back (8 hours)
* assumes 14 – 28 cases in a shift
• 93. Developing an Investigative Mindset
ALERT -> What specific questions do I want answered? Where do I look? What is the logic / methodology to apply? What's an example?
Questions to answer: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
• 94. Investigation (Splunk Enterprise)
• 95. Investigation Session 1 - Authentication
Security Online Experience Hands on Session Access URL : https://bit.ly/2rhdgF7
SCREEN CAPTURE (To be provided)
• 96. Investigation -- Login Activity
• 97. SECURITY INVESTIGATION WITH SPLUNK : Exercise 1, Detection
The Splunk platform enables security analysts to quickly identify the root cause of security incidents and make informed decisions about how to remediate an issue. This Hands-on Experience enables you to use Splunk in a set of security-relevant real-world exercises. For the first phase of the investigation, Detection, we will use Splunk SPL to analyze authentication failures to expose threats. To get started, click "View Demo Video" to watch a demo session and click "Launch Online Session" to open a Splunk online session and follow along with the real-world exercises.
• 98. SEARCHING FOR AUTHENTICATION FAILURES
STEP 01 : Type fail* password into the Splunk search bar.
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain access to your environment. Start by looking for events that contain references to password failures.
fail* password
As you type fail, the Splunk platform shows terms that match fail. This can help you refine your search. Use a wildcard (*) to get results for any event that contains fail, including fails, failed and failures, for password. Select one of the matching terms that appear as you type to find events that match the specified criteria, or search only for password to see events that just
STEP 02 : Select All time in the time range picker and click Search or press Enter to search.
• 99. STEP 03 : Review the search results.
This search returns all failed system access attempts across the data in the Splunk platform. Approximately 2,550 events match fail* password, which means that there are 2,550 failed authentication attempts in your environment. The search results show us the following:
• Timeline : Shows the distribution of matching events over time as a histogram of events. You can zoom in and out of timeframes to understand the distribution of events over time.
• Time range picker : Specify the time period for the search.
• Fields sidebar : Shows the fields extracted from the authentication events in your search results.
• Events view : Displays the raw events with the matching search terms highlighted. By default, the most recent event is listed first.
• 100. STEP 04 : Review the data types to see which types of systems have authentication failures. Click sourcetype to see the list of data source types.
These authentication failures occurred on Windows, Linux, database, and file server systems. With this one search you can identify authentication failures across many different systems in your environment.
• 101. REVIEW THE FIELDS IN THE SEARCH RESULTS
Next, you want to identify the fields that help you analyze failed authentication attempts. You want to answer the following questions :
• On which systems are the failed access attempts occurring?
• From where or whom are the failed access attempts originating?
• With which accounts are the failed access attempts occurring?
After identifying the helpful fields for your analysis, you can format the search results as a table to more easily scan the aggregated search results.
• 102. STEP 05 : Mouse over the Fields sidebar and click the dest field. Click Yes to add it to the selected fields and review the Top 10 Values.
The dest field shows you the servers or hosts accessed by the assets in your environment. You can use the dest field to identify the servers being targeted by failed authentication attempts. There are more than 60 different hosts being accessed by the assets in your environment. The destination ECOMMERCE-03 has more than 1400 authentication failures, the server AD-019 has several hundred authentication failures, and several other hosts show authentication failures.
• 103. STEP 06 : Mouse over the Fields sidebar and click the src field. Click Yes to add it to the selected fields and review the Top 10 Values.
The src field contains the assets that authentication failures are coming from. The host 10.11.36.20 has more activity than other hosts with password failures, and is worth investigating further. You can identify the host STORE0329POS004 as a point of sale server based on the name. It has a troubling number of authentication failures for a host involved in credit card data transactions.
• 104. STEP 07 : Mouse over the Fields sidebar and click the user field. Click Yes to add it to the selected fields and review the Top 10 Values.
The user field indicates which target users have the highest number of authentication failures.
• 105. ANALYZE THE FAILED AUTHENTICATION ATTEMPTS
After searching for authentication failures and reviewing the originating hosts (src), destination hosts (dest), and involved users (user), the next step is to analyze the data. You want to determine which users on which hosts are attempting to log in to which destination hosts. Analyze the authentication failures with simple statistics over:
• Origin of access (src)
• Target system (dest)
• Users on the target system (user)
• Type of system (sourcetype)
• 106. STEP 08 : In the Splunk search bar, append | stats count by src, dest, user, sourcetype to your existing search, then press the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype
This search aggregates the number of authentication failures by the origin of the attempt (src), target system (dest), user attempting to log in to the target system (user), and the type of system (sourcetype). The stats command calculates the total number of authentication failures associated with each combination of src, dest, and the user account used to access the destination system.
• 107. STEP 09 : Multiple failed authentication attempts are more of a threat than just one. Modify the search to look for hosts with more than two failed authentication attempts, and sort the attempts to see the highest number of attempts first. Append | sort - count | where count > 2 to your search, then press the Enter key or click Search.
fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2
You can now review the most critical failed authentication attempts in your environment and investigate further.
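To make the pipeline from steps 01 to 09 concrete outside of the lab, here is an added Python example (not part of the workshop deck or of Splunk's own code) that runs the same logic over a handful of constructed authentication events: a term match that approximates `fail* password`, then `stats count by src, dest, user, sourcetype`, `sort - count` and `where count > 2`. The host names, IPs, users and sourcetype values are constructed for the example; the two deliberately non-matching event kinds (a successful login that mentions "password", and a failure that never mentions it) show what the two search terms include and exclude.

```python
"""Emulate the Exercise 1 detection pipeline over constructed events.

SPL being mirrored:
    fail* password | stats count by src, dest, user, sourcetype
                   | sort - count | where count > 2
Events and field values below are constructed for this example.
"""
import re
from collections import Counter


def _auth_events(raw, n, src, dest, user, sourcetype):
    """Build n identical constructed events with the fields Splunk would extract."""
    return [{"_raw": raw, "src": src, "dest": dest, "user": user,
             "sourcetype": sourcetype} for _ in range(n)]


SAMPLE_EVENTS = (
    _auth_events("Failed password for root from 10.11.36.20 port 51022 ssh2", 5,
                 "10.11.36.20", "ECOMMERCE-03", "root", "linux_secure")
    + _auth_events("An account failed to log on. Status: bad password", 4,
                   "10.1.21.153", "web_cloud_03", "admin", "WinEventLog:Security")
    + _auth_events("FAILED LOGIN: invalid password for DBADMIN", 3,
                   "10.1.21.153", "DATABASE-001", "DBADMIN", "oracle:audit")
    + _auth_events("Failed password for jsmith from 10.0.0.5 port 40001 ssh2", 1,
                   "10.0.0.5", "AD-019", "jsmith", "linux_secure")
    # Successful logins: contain "password" but no fail* term, so not matched.
    + _auth_events("Accepted password for jsmith from 10.0.0.5 port 40002 ssh2", 2,
                   "10.0.0.5", "AD-019", "jsmith", "linux_secure")
    # A failure that never mentions "password": dropped by the second search term.
    + _auth_events("Login failure: account locked out", 3,
                   "10.0.0.9", "AD-019", "svc_backup", "WinEventLog:Security")
)


def matches_fail_password(raw):
    """Approximate Splunk's 'fail* password' term match.

    Splunk searches case-insensitive terms split on punctuation; fail* matches
    any term that starts with 'fail', and both terms must be present (AND).
    """
    terms = re.findall(r"[a-z0-9_]+", raw.lower())
    return any(t.startswith("fail") for t in terms) and "password" in terms


def stats_count_by(events, fields):
    """stats count by <fields>: one row per distinct field combination."""
    counter = Counter(tuple(e.get(f) for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def sort_desc_count(rows):
    """sort - count: highest count first."""
    return sorted(rows, key=lambda r: r["count"], reverse=True)


def where_count_gt(rows, threshold):
    """where count > threshold."""
    return [r for r in rows if r["count"] > threshold]


def detect_repeated_failures(events=SAMPLE_EVENTS, threshold=2):
    """Run the whole pipeline and return the rows an analyst would triage."""
    failures = [e for e in events if matches_fail_password(e["_raw"])]
    rows = stats_count_by(failures, ["src", "dest", "user", "sourcetype"])
    return where_count_gt(sort_desc_count(rows), threshold)


if __name__ == "__main__":
    for row in detect_repeated_failures():
        print(f"{row['count']:>3}  {row['src']:<13} -> {row['dest']:<13} "
              f"{row['user']:<10} {row['sourcetype']}")
```

The threshold of 2 reproduces the exercise; in production you would tune it per sourcetype, since three failures against a database service account mean something different from three mistyped SSH passwords.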
• 108. EXERCISE 1 ASSESSMENT
Identify patterns of authentication failures across the entire system to detect potential bad actors attempting to gain access to your environment. Start by looking for events that contain references to password failures.
CASE 01 : Someone has tried to access the ECOMMERCE-03 host more than 1400 times. The high number of failed authentication attempts could indicate a password enumeration attack against the ECOMMERCE-03 server. Given the high number of attempts, it is most likely a scripted attack.
• 109. CASE 02 : A single host (10.1.21.153) with a pattern of failed login attempts using multiple user accounts most likely indicates a compromised system under the control of an attacker. The attacker is likely attempting to infiltrate the network by logging in to other systems, a pattern indicating attempts at lateral movement. This potentially infected host is attempting to gain access to the DATABASE-001 server, which likely contains sensitive data.
• 110. STEP 10 : View a visual analysis of the results using the "Parallel Coordinate" visualization. Select Visualization and then Parallel Coordinate. (1) CLICK (2) CLICK
• 111. The visual representation of the analysis clearly shows the entity relationships of the authentication failure activities from 10.1.21.153. The visualization's one-to-many representation clearly depicts lateral movement, and the attempts against the DATABASE-001 host show the login attempts for the user DBADMIN. (1) DRAG & SELECT
• 112. Investigation -- Login Activity
• 113. DRILL DOWN INTO AN INVESTIGATION
In this exercise, you want to determine how a malicious host attempted to gain access to a target machine in your network. Continue to investigate the host 10.1.21.153, which attempted to access multiple web servers and a critical database server. You can easily pivot from a set of search results to a new search on a specific host.
STEP 01 : From the analysis table that you saw when you searched fail* password | stats count by src, dest, user, sourcetype | sort - count | where count > 2, click the src value for a search result with the host 10.1.21.153, then click View Events to see all the authentication failure events associated with that host. (1) CLICK (2) CLICK
• 114. STEP 02 : Review the search results for the new search. The new search looks for authentication failure events associated with the specific source.
fail* password src="10.1.21.153"
You can easily see all the raw events associated with this source host, identifying patterns of access attempts and further evidence that there might be a malicious actor trying to access machines in your network.
• 115. VISUALIZE AUTHENTICATION FAILURE ACTIVITIES
In this exercise, visualize the search results for authentication failures associated with the host 10.1.21.153 to quickly gain an understanding of how the attacker carried out the attempts to access internal servers.
STEP 03 : From the Fields sidebar, click the dest field. Click Top values by time.
The destination (dest) field tells you which systems this particular workstation is targeting. Based on the aggregate number of failed login attempts, web_cloud_03, a cloud web server, is the top targeted host with the most failed authentication attempts. Also, a critical asset, DATABASE-001, was targeted. You can quickly visualize the failed attempts by the 10.1.21.153 host to access different destination hosts with the report created by clicking Top values by time.
• 116. STEP 04 : Review the visualization of failed attempts by the source host to access different destinations over time. The default visualization shows the activities in a line chart. The visualization properties can be adjusted to show activities by separating each destination host.
• 117. STEP 05 : Click Line Chart and change the visualization type to Column/Bar. The Column/Bar view allows you to easily distinguish the volume of failed authentication attempts by destination.
• 118. STEP 06 : Click Format and click Yes for Multi-series Mode. Multi-series mode displays a separate bar or column for each destination host.
• 119. STEP 07 : Explore the visualization. Mouse over the different host names. This visualization lets you quickly see the volume of attacks from the host 10.1.21.153 organized by destination over time. With this visualization, you can identify the following aspects of the attack.
• The sequence of authentication attempts made by the attacker over time, relative to different assets.
• The interval and duration of activities, showing a periodic pattern of attempts by an attacker using the same host over time.
• 120. EXERCISE 2 : ASSESSMENT
This exercise walked you through visualizing the aggregated statistics in interactive charts, allowing you to perform more detailed analysis over time and validate specific suspicious activity. With a clearer understanding of the failed authentication attempts, you can determine that the failed authentication attempts were likely initiated by a malware-infected host (10.1.21.153) probing the internal network. With this analysis, you can identify the following elements that confirm this is a malicious attack on your organization :
CASE 01 : A series of brute force authentication attempts to multiple web service hosts.
CASE 02 : The attacks on the servers were carried out over two different time intervals. After the first series of attempts, the same attack was repeated eight minutes later.
CASE 03 : Immediately after the first series of web server access attempts, the attacker attempted to access a more critical asset, database server 001. The attacker only attempted to access the database server after probing the web servers.
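Exercise 2 reads a "Top values by time" chart (a per-destination time series) to answer two questions the raw event list does not: in what order were hosts targeted, and does the activity repeat? The following added Python example (not from the workshop deck or from Splunk) computes the same view over constructed timestamps for a single source host: it buckets failures per destination like a timechart, splits the events into bursts separated by a quiet gap, and reports the interval between bursts and the first-seen order of targets. The eight-minute repeat and the "web servers before the database" ordering are built into the constructed data so the checks have something to find.

```python
"""Emulate Exercise 2's per-destination timeline for one source host.

Mirrors "Top values by time" on the dest field (a timechart count by dest)
and reads the chart the way the exercise does: which hosts were targeted, in
what order, and whether the burst repeats after a quiet interval.
Timestamps and host names are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SRC = "10.1.21.153"
T0 = datetime(2018, 4, 25, 10, 0, 0)  # constructed start of the first burst


def _burst(start, targets):
    """Constructed burst: one failed login per target, five seconds apart."""
    return [{"_time": start + timedelta(seconds=5 * i), "src": SRC, "dest": d}
            for i, d in enumerate(targets)]


WEB = ["web_cloud_01", "web_cloud_02", "web_cloud_03", "web_cloud_03"]
SAMPLE_EVENTS = (
    _burst(T0, WEB)                                              # web servers first
    + _burst(T0 + timedelta(seconds=45), ["DATABASE-001"] * 3)   # then the database
    + _burst(T0 + timedelta(minutes=8), WEB)                     # repeated 8 min later
    + _burst(T0 + timedelta(minutes=8, seconds=45), ["DATABASE-001"] * 3)
)


def timechart_count_by_dest(events, span_seconds=60):
    """Bucket events into fixed spans and count per dest, like timechart."""
    buckets = defaultdict(Counter)
    for e in events:
        t = e["_time"]
        midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
        offset = int((t - midnight).total_seconds())
        bucket = midnight + timedelta(seconds=offset - offset % span_seconds)
        buckets[bucket][e["dest"]] += 1
    return {b: dict(c) for b, c in sorted(buckets.items())}


def bursts(events, gap_seconds=120):
    """Split time-ordered events into bursts separated by a quiet gap."""
    events = sorted(events, key=lambda e: e["_time"])
    if not events:
        return []
    groups, current = [], [events[0]]
    for prev, cur in zip(events, events[1:]):
        if (cur["_time"] - prev["_time"]).total_seconds() > gap_seconds:
            groups.append(current)
            current = []
        current.append(cur)
    groups.append(current)
    return groups


def burst_summary(events, gap_seconds=120):
    """Per burst: start time, targets in first-seen order, minutes since previous burst."""
    summary, prev_start = [], None
    for group in bursts(events, gap_seconds):
        start = group[0]["_time"]
        targets = list(dict.fromkeys(e["dest"] for e in group))  # keeps first-seen order
        gap = None if prev_start is None else (start - prev_start).total_seconds() / 60
        summary.append({"start": start, "targets": targets,
                        "minutes_after_previous": gap})
        prev_start = start
    return summary


def database_probed_after_web(summary, db_host="DATABASE-001"):
    """True if every burst reaches the database only after the other hosts."""
    return all(db_host in b["targets"] and b["targets"][-1] == db_host
               for b in summary)


if __name__ == "__main__":
    for bucket, counts in timechart_count_by_dest(SAMPLE_EVENTS).items():
        print(bucket.strftime("%H:%M"), counts)
    for b in burst_summary(SAMPLE_EVENTS):
        print(b["start"].strftime("%H:%M:%S"), b["targets"], b["minutes_after_previous"])
```

The 120-second gap used to separate bursts is a parameter, not a rule: pick it from the quiet period you actually observe in the chart, otherwise two bursts that are close together collapse into one and the periodicity is lost.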
• 121. Investigation -- Login Activity
• 122. INVESTIGATE THE SOURCE HOST ACTIONS ON THE CRITICAL ASSET
In this exercise, investigate specific combinations of source and destination activities between the workstation and the DATABASE-001 server. This workflow continues from the visual analysis of the previous exercise.
STEP 01 : From the visualization of the workstation 10.1.21.153 activities, locate the events associated with DATABASE-001 on the chart and click the cluster of events on the visualization. Clicking the host DATABASE-001 opens a secondary search into the specific activities from the source 10.1.21.153 on the database server.
• 123. STEP 02 : Review the search results for additional unexpected behavior. The search results now show only activities between the 10.1.21.153 host and the DATABASE-001 server that include authentication failures.
• 124. EXPAND THE SEARCH FOR TARGETED ANALYSIS
STEP 03 : Modify the search to remove "fail* password" and see all activities with src="10.1.21.153" and dest="DATABASE-001". Press Enter or click Search.
To determine the full scope of activities between the 10.1.21.153 host and the DATABASE-001 server, expand the search to determine whether there was a successful authentication attempt after the failed authentication attempts you already know about. In addition, you can identify which user accounts were used and which activities were performed on the server. Removing the search for "fail* password" expands the search to all types of activity between the source host and destination server.
• 125. The search results found other events between these hosts that add context to the activities between the two hosts.
• 126. STEP 04 : Examine the search results starting with the Fields sidebar. Click the field COMMENTTEXT to review session information on the database server. Click Yes to select the field.
• 127. STEP 05 : Click the field SQLTEXT to review information about SQL queries run on the database server. Click Yes to add the field to the selected fields. Selecting these two fields, COMMENTTEXT and SQLTEXT, provides detailed information on what database activities took place between these two hosts.
• 128. FORMATTING EVENTS FOR QUICK VERIFICATION
STEP 06 : In the Splunk search bar, append | table _time, src, dest, user, COMMENTTEXT, SQLTEXT to the search.
Format the search results into a table to more easily analyze the important fields. Focus your analysis on the most useful fields. Because DATABASE-001 is a database server, the SQLTEXT and COMMENTTEXT fields contain valuable information. Include _time to review the sequence of activity between the two hosts, and the user field to identify which user account is performing the activities. Formatting the search results in a table allows you to easily follow the sequence of events over time.
src="10.1.21.153" dest="DATABASE-001" | table _time, src, dest, user, COMMENTTEXT, SQLTEXT
• 129. EXERCISE 3 : ASSESSMENT
With the Splunk platform you can easily move from a detailed visualization to detailed raw events, allowing you to perform exhaustive analysis and validate specific suspicious activities occurring between two hosts on your network. From this analysis you can determine that an attack occurred and attackers are querying the database server for valuable information.
CASE 01 : The activities from the workstation indicate that an attacker used several different database credentials to gain access to the database, including credentials from a privileged database user.
CASE 02 : After three failed authentication attempts, the attacker successfully logged in to the database as the ORACLE user and successfully gained administrative privileges to the database and modified the user privileges for a third user.
CASE 03 : After the user privileges modification, you can identify clear signs of a transaction by the attacker in which they accessed a restricted database table containing customer information.
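The table built in step 06 is useful because an analyst reads it in time order: failures, then a success, then what the successful session did. The following added Python example (not from the workshop deck or from Splunk) does that reading over constructed database audit events for the same source and destination pair: it produces the `| table` rows, counts the consecutive failures before the first success, records which account succeeded, and flags statements that change privileges or read a table the organization treats as restricted. The `action` field (success/failure) is an assumption, named the way the Splunk CIM Authentication model names it; the COMMENTTEXT and SQLTEXT values, the table name and the session details are constructed.

```python
"""Reconstruct the Exercise 3 timeline between one workstation and DATABASE-001.

Mirrors:  src="10.1.21.153" dest="DATABASE-001"
          | table _time, src, dest, user, COMMENTTEXT, SQLTEXT
and then reads the table the way the assessment does: how many failures
preceded the first success, which account succeeded, and whether privileged
or sensitive statements followed. Events are constructed for this example;
the 'action' field is assumed to be extracted as success/failure (CIM naming).
"""
import re
from datetime import datetime, timedelta

SRC, DEST = "10.1.21.153", "DATABASE-001"
T0 = datetime(2018, 4, 25, 10, 0, 45)  # constructed


def _ev(offset_s, user, action, comment, sql=""):
    """One constructed database audit event with the fields the exercise tables."""
    return {"_time": T0 + timedelta(seconds=offset_s), "src": SRC, "dest": DEST,
            "user": user, "action": action, "COMMENTTEXT": comment, "SQLTEXT": sql}


SAMPLE_EVENTS = [
    _ev(0, "SCOTT", "failure", "Authenticated by: DATABASE; ORA-01017 invalid username/password"),
    _ev(5, "SYSTEM", "failure", "Authenticated by: DATABASE; ORA-01017 invalid username/password"),
    _ev(10, "DBADMIN", "failure", "Authenticated by: DATABASE; ORA-01017 invalid username/password"),
    _ev(20, "ORACLE", "success", "Authenticated by: DATABASE; Client address: 10.1.21.153"),
    _ev(35, "ORACLE", "success", "Session 4711", "GRANT DBA TO APPUSER"),
    _ev(60, "ORACLE", "success", "Session 4711", "SELECT * FROM CUSTOMER_INFO"),
]

# Statement shapes that change who can do what, and tables the organization
# treats as restricted (both constructed for the example).
PRIVILEGE_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|ALTER\s+USER|CREATE\s+USER)\b", re.I)
RESTRICTED_TABLES = {"CUSTOMER_INFO"}


def table(events, fields):
    """| table <fields>: time-ordered rows limited to the chosen fields."""
    ordered = sorted(events, key=lambda e: e["_time"])
    return [{f: e.get(f, "") for f in fields} for e in ordered]


def failures_before_first_success(rows):
    """Count consecutive failures until the first success; return (n, success_row)."""
    n = 0
    for r in rows:
        if r["action"] == "success":
            return n, r
        n += 1
    return n, None


def privilege_changes(rows):
    """Rows whose SQL changes grants or accounts."""
    return [r for r in rows if PRIVILEGE_CHANGE.search(r["SQLTEXT"])]


def restricted_reads(rows):
    """Rows whose SQL reads from a restricted table."""
    found = []
    for r in rows:
        m = re.search(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_.]*)", r["SQLTEXT"], re.I)
        if m and m.group(1).upper() in RESTRICTED_TABLES:
            found.append(r)
    return found


def assess(events=SAMPLE_EVENTS):
    """Summarize the session the way the Exercise 3 assessment reads it."""
    rows = table(events, ["_time", "src", "dest", "user", "action",
                          "COMMENTTEXT", "SQLTEXT"])
    n_fail, success = failures_before_first_success(rows)
    return {
        "failed_before_success": n_fail,
        "success_user": success["user"] if success else None,
        "privilege_changes": privilege_changes(rows),
        "restricted_reads": restricted_reads(rows),
    }


if __name__ == "__main__":
    for r in table(SAMPLE_EVENTS, ["_time", "user", "action", "SQLTEXT"]):
        print(r["_time"].strftime("%H:%M:%S"), r["user"], r["action"], r["SQLTEXT"])
    print(assess())
```

The restricted-table list is the piece that turns this from a generic query log into a detection: it is the same idea as the asset and identity lookups in ES, where the priority of the object touched decides how urgent the alert is.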
• 130. More exercises to try at home!
http://splk.it/2HkqPd5
http://splk.it/2ovYwAu
http://splk.it/2FcN1I4
• 131. Investigation Session 2 - Endpoint
Security Online Experience Hands on Session Access URL : http://splk.it/2HkqPd5 (Register to sign in.)
• 132. Investigation Session 3 - Network
Security Online Experience Hands on Session Access URL : http://splk.it/2ovYwAu (Register to sign in.)
• 133. Investigation (Splunk Enterprise Security)
• 134. Environment Access : ES Incident Management
Security Online Experience Hands on Session Access URL : https://bit.ly/2I6QXvk
SCREEN CAPTURE (To be provided)
• 144. Environment Access : ES Asset Investigator
Security Online Experience Hands on Session Access URL : https://bit.ly/2I6QXvk
SCREEN CAPTURE (To be provided)
• 147. Environment Access : ES Adaptive Response
Security Online Experience Hands on Session Access URL : https://bit.ly/2HPlQkG
SCREEN CAPTURE (To be provided)
• 151. Environment Access : ES Content Update
Security Online Experience Hands on Session Access URL : https://bit.ly/2HBGKGT
SCREEN CAPTURE (To be provided)
• 155. Summary
• 156. Attend .conf18
.conf is Splunk's premier education and thought leadership event for thousands of IT and business professionals who are keen to use machine data insights to find answers.
.conf18 | October 1 - 4, 2018
University | September 29 – October 1
Walt Disney World Swan and Dolphin Resort | Orlando, Florida
".conf is an exciting collection of technical sessions, hands-on demos and social networking with industry professionals and users. I can't wait for .conf18." – Michael Deisher, Systems Analyst, Visa
Registration opens April 10th!
3 Days of Innovation: Keynotes with IT Visionary Thought Leaders; Partners who enhance the value of Splunk; Networking with Data Enthusiasts; Education Sessions; Hands-on Labs; Customer Success Studio
300+ Education Sessions: Business Analytics, Development, IoT, IT Operations, Security/Compliance/Fraud, Foundations
• 157. Announcements
• 158. ANNOUNCING: Free Splunk Training for Veterans – veterans.splunk.com
• 159. Thank You