Detecting the Undetectable in TAP
•
5 likes•1,832 views
Thousands of Security Operations Teams (SOCs) and Computer Incident Response Teams (CIRTs) use Splunk and FireEye. But many of them don't know that Splunk can be used in conjunction with FireEye’s TAP Detect offering. This session will explain how to integrate FireEye's industry-leading threat intelligence with your Splunk deployment for supercharged threat detection.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Detecting the Undetectable in TAP
Similar to Detecting the Undetectable in TAP (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Detecting the Undetectable in TAP
- 1. 1Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL TAP Detect for Splunk Dave Davis, FireEye david.davis@fireeye.com
- 2. 2Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL HOW HAS THE THREAT LANDSCAPE CHANGED? PROFESSIONAL ATTACKERS DETERMINED ORGANIZED WELL FUNDED SOPHISTICATED TOOLS MULTI-FLOW EXPLOITS SANDBOX DETECTION OBFUSCATION / HIDING * Source: FireEye DTI 100% 46%Of compromises used stolen credentials Of compromised computers had no malware PERSISTENT TACTICS TARGETED INNOVATIVE CUSTOMIZED
- 3. 3Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL DETECT RESPOND PREVENT ANALYZE SIGNATURE-LESS AND MULTI FLOW VIRTUAL MACHINE BASED APPROACH THAT LEVERAGES SUPERIOR THREAT INTELLIGENCE REMEDIATION SUPPORT AND THREAT INTELLIGENCE TO RECOVER AND IMPROVE RISK POSTURE MULTI-VECTOR INLINE KNOWN AND UNKNOWN THREAT PREVENTION CONTAINMENT, FORENSICS INVESTIGATION AND KILL CHAIN RECONSTRUCTION THE CONTINUOUS THREAT PREVENTION PROCESS
- 4. 4Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL TECHNOLOGY IDENTIFIES KNOWN, UNKNOWN, AND NON MALWARE BASED THREATS INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS PATENTED VIRTUAL MACHINE TECHNOLOGY EXPERTISE “GO-TO” RESPONDERS FOR SECURITY INCIDENTS HUNDREDS OF CONSULTANTS AND ANALYSTS UNMATCHED EXPERIENCE WITH ADVANCED ATTACKERS INTELLIGENCE 50 BILLION+ OBJECTS ANALYZED PER DAY FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS MILLIONS OF NETWORK & ENDPOINT SENSORS HUNDREDS OF INTEL AND MALWARE EXPERTS HUNDREDS OF THREAT ACTOR PROFILES DISCOVERED 16 OF THE LAST 25 ZERO-DAYS FIREEYE ADAPTIVE DEFENSE
- 5. 5Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL FIREEYE THREAT INTELLIGENCE
- 6. 6Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL 3,000+ CUSTOMERS IN 60+ COUNTRIES 9M+ VIRTUAL MACHINES 3M+ ENDPOINTS REAL-TIME INFORMATION SHARING RISK AND CONTEXT TO PRIORITIZE RESPONSE TACTICAL AND STRATEGIC INTELLIGENCE WITH ATTRIBUTION THAT IS APPLICABLE AND ACTIONABLE TO YOUR ORGANIZATION DYNAMIC THREAT INTELLIGENCE A GLOBAL DEFENSE COMMUNITY
- 7. 7Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL ACQUIRE 100s CONSULTING ENGAGEMENTS "CLOSE TO BREACH" 9M+ VM DETONATIONS PER HOUR DEPLOYED WORLDWIDE, SHARING THREAT INTELLIGENCE BACK 100+ VENDORS IN ONE OF THE INDUSTRY’S LARGEST MALWARE AND INTELLIGENCE EXCHANGE NETWORK APPLYANALYZE HPC DTI 2B 760M EVENTS CALLBACK EVENTS MALWARE FAMILIES TRACKED 50 16 40 APT THREAT ACTORS TRACKED ZERO DAY EXPLOIT DISCOVERY SINCE 2013 INDUSTRY THREAT PROFILES 50B 240TB 1.2M RECORDS INTEL DATA BINARIES PER DAY 300+ FIREEYE THREAT INTELLIGENCE – DELIVERED TO SPLUNK THREAT ANALYTICS PLATFORM DETECT
- 8. 8Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL INDICATORS RULES SECURITY ANALYTICS DETECTING THE UNDETECTABLE IN TAP • MILLIONS OF SIMPLE FACTS ABOUT KNOWN BAD BEHAVIOR • COLLECTED VIA 100K+ HOURS OF INCIDENT RESPONSE AND 9M+ VM SENSORS WORLDWIDE • DOMAINS, IP ADDRESSES, EMAIL ADDRESSES, AND MD5 HASHES • OUR EXPERTS’ KNOWLDEGE EXPRESSED THROUGH TAP • UPDATED BASED ON LATEST MANDIANT IR WORK & HEADLINES • DETECTS NON-MALWARE ATTACKER METHODOLOGIES AS WELL AS MALWARE FAMILY BEHAVIOR • ENRICHMENT POINTS ADD TO CORRELATIONS IN SPLUNK • DETECTS PREVIOUSLY UNKNOWN ATTACKER BEHAVIOR • FOCUSED ON NON- MALWARE ACTIVITY; E.G. LATERAL MOVEMENT & EXFILTRATION
- 9. 9Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL TACTICAL INTELLIGENCE CONTEXTUAL INTELLIGENCE STRATEGIC INTELLIGENCE FIREEYE INTELLIGENCE: MORE THAN JUST DETECTION MACHINE-TO-MACHINE INTELLIGENCE TO DETECT AND PREVENT THE KNOWN AND UNKNOWN ATTACKS ALERT CONTEXT TO IDENTIFY RISK LEVEL, ATTACKER INSIGHTS, AND IOCS TO INFORM ALERT RESPONSE ATTACK CONTEXT TO BUILD THREAT ACTOR AND INDUSTRY INSIGHTS TO PROACTIVELY STAY AHEAD OF THE ATTACKER
- 10. 10Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL CONTEXT VIA FIREEYE INTELLIGENCE CENTER (FIC)
- 11. 11Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL TAP DETECT
- 12. 12Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL FIREEYE TAP AND SPLUNK: BETTER TOGETHER FireEye applies intelligence, rules, and analytics Process 2 Detected alerts are pulled in to Splunk Detect 3 THREAT ANALYTICS PLATFORM DETECT Security Operations 4 End-to-end Enterprise Visibility 1
- 13. 13Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL CONFIGURING TAP DETECT
- 14. 14Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL CONFIGURING TAP DETECT IN SPLUNK INSTALL THE FIREEYE SPLUNK APP
- 15. 15Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL CONFIGURING TAP DETECT FORWARD EVENTS TO TAP
- 16. 16Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL CONFIGURING SPLUNK FOR TAP CREATE AN API KEY TO ALLOW DATA TO BE PULLED INTO SPLUNK
- 17. 17Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL CONFIGURE SPLUNK INPUTS SPLUNK WILL PULL ALERTS AND INCIDENTS FROM TAP
- 18. 18Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL THE SPLUNK + TAP EXPERIENCE
- 19. 19Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL THE FIREEYE SPLUNK APP
- 20. 20Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL Attribution SPLUNK + TAP IN ACTION Attribution APT FamilyThreat Actor Profile
- 21. 21Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL MANAGING INTEL WITH FIREEYE Importing Threat Intel Enrichment Redaction Sharing Exporting Signatures
- 22. 23Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL THE INTELLIGENCE WORKFLOW SUMMARY DETECTION CONTEXT LEARN COLLABORATESHARE
- 23. 24Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL SOUND INTERESTING? TAP Detect is available now Visit our booth, talk with your FireEye Account Executive, or email tap@fireeye.com Find evil!
- 24. 25Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIALCopyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL QUESTIONS?
Editor's Notes
- Of course “Detection to Response in Minutes” could sounds like just a slogan unless you put some substance to back it up. That’s what I will talk about next. First, as with most things you process is key – a continuous threat prevention process. It’s continuous because the attackers are always there. So if you were attacked today, and you manage to detect it and get the attacker out, there is no reason you will not be attacked tomorrow. This is a business process like everything else you do in your business. And it has to be continual to be effective. And that means it has to have the appropriate technology, the appropriate staff so it can operate like a regular part of your business and not some fire drill. So what are the phases you need to care about? Well, you definitely care about detection. Can you identify as early as possible that you’re being attacked? And we’re absolutely providing that in our solution. We’ll talk about that in just a minute. You do want to have some prevention. When I say prevention, understand that you can’t prevent every attack outright. But there are many that you can. And if you can, and you’re slowing the attacker down because perhaps a piece of malicious software gets into the victim environment but it can’t communicate back to the bad guy, you prevented or blocked it, or contained it to the impacted system, fantastic. Now you’re reducing the attacker’s agility. That’s an important step in the process. You have to be able to analyze. So if you see that attack, you can’t just say “oh, I probably prevented it.” You need to go and look and find out for sure. And if you don’t go and look and find out for sure, you’re contributing to the 229-day statistic. You need to analyze and investigate to find out for sure, and scope whether you have problem. And if you do have a problem, you ultimately at the end of the day need to respond to it. You have to remediate. You need to contain the systems involved. You need to get the attacker off of your network. And you can only effectively do that when you understand the full scope of their activities. That’s why analysis is required before you can be effective at responding to the attack. And then when you’re done, you’re right back into detection. And this is a forever cycle. The attacker doesn’t sleep. They’re not going away. You have to do the same thing. This is how FireEye is thinks about this problem. Our solutions then assist you in applying it in your environment as well as measuring it for effectiveness so you can improve it.
- So what is the solution? Why FireEye? At the end of the day, you have to have technology – best-in-class products that can support each phase of that process and can scale to serve large organizations. It’s not a technology that’s based on just looking for signatures. It has to be one that’s based on looking at behaviors. And one that can find new attacks without having to know what they look like. So that’s a must-have to enter this space and be effective. You also have to have intelligence. You have to be close to the breach. In other words, when attackers are attacking companies, when they are having success, you have to have experience seeing how they behave. This is important because it gives an unparalleled view of what’s actually going on day-to-day. You also need that intelligence to span not just one organization, but a group of organizations all standing together so you can see trends across industries and geographies. And we, of course, have a fantastic track record there in terms of our number of customers, the way our products are built and architected and our track record in identifying new attacks. In 16 of the last 22 Zero-Days out in the public who identified them? FireEye. We have that track record. This is also where we have a significant differentiator in our Mandiant’s incident response and security consulting services. We use that frontline incident response experience to improve our products and to make our products more intelligent. Finally, you have to have expertise. I’ve talked all through this conversation about the need to have a person that is countering the attacker who is also a person. So that’s a human being. That’s knowledge. And whether that’s you, or you select a strategic partner that can provide that expertise for you, one way or another you have to have that part of the equation as well. You can’t just be a product vendor. You have to be a security company if you’re going to be successful. And if we think about all the things that FireEye is across our entire portfolio, that’s us. We are that solution. This is Adaptive Defense. Note: These past two slides are really important. And the specifics are important. So you’re going to want to keep the phrases technology, intelligence and expertise, at the core of the way you talk about your customers, because a lot of things will come from marketing and the CTOs office that use that. And you want us to be an amplifier for your message. Some customers want white papers and thought leadership pieces, and other stuff besides the sales materials about a product. You’re going to want that anchor. So what you say and what we say links. The other important concept is Detect Prevent Analyze Respond. You will see different cycle loops out there like this. And some of them use different words. Make sure you use these words consistently.
- In addition to the MVX engine, we’ve also enabled our products with something that we call DTI, or Dynamic Threat Intelligence. And what does that do? Well, we’re interconnecting the appliances in a customer’s environment with each other. And we’re also interconnecting them with FireEye. You can enable one-way sharing, which ensures FireEye will send intelligence updates to your MVX appliances. But you can also enable two-way sharing which allows us to move some of that intelligence around the FireEye global defense community. And protect not only you, but the entire FireEye universe. And as we’re continuing to evolve the intelligence offering, we’re now going to be able to do things like give you more context about an attack. We don’t want to tell you just, “hey, I got attacked”. We want to say “Here’s who it is. Here’s the risk, and here’s how active that threat is.” That’s the power of being part of a global defense community. And with our thousands of customers and millions of virtual machines you know we can give you access to a defense community that’s, frankly, more effective than anyone else’s.
- Remember: a percentage of attacks will get through
- Remember: a percentage of attacks will get through