During this advanced Splunk webinar, Splunk security experts covered the following security scenarios:
- Automated threat intelligence response
- Behavior profiling
- Anomaly detection
- Tracking an attack against the “kill chain”
You can watch a recording of the webinar here: https://splunkevents.webex.com/splunkevents/lsr.php?RCID=8163d71e6fa0646beb8f8354bfac61a1
2. Legal Notices
During the course of this presentation, we may make forward-looking statements regarding
future events or the expected performance of the company. We caution you that such
statements reflect our current expectations and estimates based on factors currently known to
us and that actual events or results could differ materially. For important factors that may cause
actual results to differ from those contained in our forward-looking statements, please review
our filings with the SEC. The forward-looking statements made in this presentation are being
made as of the time and date of its live presentation. If reviewed after its live presentation, this
presentation may not contain current or accurate information. We do not assume any
obligation to update any forward-looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the
features or functionality described or to include any such feature or functionality in a future
release.
4. Visibility—Analysis—Action in Four Scenarios
1. Automated threat intelligence response
2. Statistical Anomaly detection leads to opening a ticket
3. Statistical Profiling leads to manager confirmation
4. Visual correlation to track an attack against the “kill chain”
Agenda
5. ● Niklas Blomquist – Security Lead EMEA North
● nblomquist@splunk.com
● 18 years security experience
● 3 years @ splunk
● Love tech deep dives
● My favorite search command is stats!
Who Am I?
6. ● Framework for evaluating data and responding in Splunk
● Applies to all existing frameworks, as it’s the Splunk side of the loop.
● For example, let’s look at the lateral movement section of the kill chain. (Not familiar with the kill chain? It’s a great way to understand the phases of an attack. Check the URL below.)
● Visibility: What data will let you detect Lateral Movement?
● Analysis: What will you do to that data to come to a decision?
● Action: What will you do in response to that decision?
– Can we automate all of this?
Kill Chain: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Visibility – Analysis – Action
8. ● New threat list intel available for command and control (C&C)
● Changing firewall policy manually is too slow
● Goal: Take in the firewall logs, leverage intelligence to detect C&C behavior,
and block the destinations in near real time
● Visibility: Firewall logs, threat intel sources
● Analysis: Intersection (lookup) of the two
● Action: Apply dynamic firewall blocks
Command and Control Detection and Blocking
9. ● A feed of known bad IPs/DNS names/MD5s/URLs/etc. from a vendor or non-profit that specializes in discovering Indicators of Compromise
● Great sources of open source threat intel include:
– Emerging Threats: http://rules.emergingthreats.net/
– I-Blocklist: https://www.iblocklist.com/lists.php
– MalwareDomains: http://www.malwaredomains.com/
– Zeus Tracker: https://zeustracker.abuse.ch/
● Many great commercial entities, too (generally better ranking / quality)
– iSight Partners, Verizon iDefense, commercial versions of most of the above, and many, many more
What / Where is Threat Intelligence
10. Palo Alto Networks Firewall Log
Sep 15 19:02:06 1,2014/09/15 19:02:06,0004C104559,TRAFFIC,end,1,2014/09/15 19:02:05,10.2.2.14,206.16.215.101,206.16.216.158,214.34.245.101,Internet Traffic,,,salesforce-base,vsys1,Trust,Untrust,ethernet1/8,ethernet1/2,MyLogForwarding,2014/09/15 19:02:05,24238,1,61845,443,57339,443,0x400000,tcp,allow,1275,761,514,14,2014/09/15 19:01:31,5,any,0,358477769,0x0, 10.0.0.0-10.255.255.255, United States,0,8,6
Traffic Machine Data (Src and Dest IPs: 10.2.2.14 and 206.16.215.101)
Threat Intel Lookup:
dest,threat_intel_source
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http
11. 1. First, we want to pull out all firewall traffic coming from inside our network, going outside our network
2. Then, we want to cross-reference that data with our threat intel list. This is accomplished in the Splunk world via a lookup
3. Finally, we want to pull just the logs that have a threat intel match
Analysis
index=pan_logs sourcetype=pan_traffic src="10.*" dest!="10.*"
| lookup ThreatIntel dest | search threat_intel_source=*
(ThreatIntel is the name of our lookup and dest the key field; threat_intel_source is the data held in the lookup table)
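The same three analysis steps in Python, as an added example that is not part of the deck: parse the PAN-OS TRAFFIC line from the previous slide, keep only inside-to-outside flows, and match dest against the CIDR entries of the lookup table. The extra log lines and the lookup contents are constructed here; in Splunk the CIDR match is what match_type = CIDR(dest) on the lookup definition provides.

```python
import csv
import ipaddress
from io import StringIO

# Threat-intel lookup table in the CSV shape shown on the slide (constructed copy).
THREAT_INTEL_CSV = """dest,threat_intel_source
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http
"""

# Constructed PAN-OS TRAFFIC syslog lines: the slide's own line, then three shortened ones
# (src is CSV field 7 and dst is field 8 once the syslog timestamp is removed).
SAMPLE_LOGS = [
    "Sep 15 19:02:06 1,2014/09/15 19:02:06,0004C104559,TRAFFIC,end,1,2014/09/15 19:02:05,10.2.2.14,206.16.215.101,206.16.216.158,214.34.245.101,Internet Traffic,,,salesforce-base,vsys1,Trust,Untrust",
    "Sep 15 19:03:10 1,2014/09/15 19:03:10,0004C104559,TRAFFIC,end,1,2014/09/15 19:03:09,10.2.2.27,61.155.30.77,206.16.216.158,61.155.30.77,Internet Traffic,,,web-browsing,vsys1,Trust,Untrust",
    "Sep 15 19:03:12 1,2014/09/15 19:03:12,0004C104559,TRAFFIC,end,1,2014/09/15 19:03:11,10.2.2.14,10.1.1.5,10.2.2.14,10.1.1.5,Internal,,,smb,vsys1,Trust,Trust",
    "Sep 15 19:03:15 1,2014/09/15 19:03:15,0004C104559,TRAFFIC,end,1,2014/09/15 19:03:14,10.2.2.31,115.29.46.99,206.16.216.158,115.29.46.99,Internet Traffic,,,ssl,vsys1,Trust,Untrust",
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the SPL's src="10.*" dest!="10.*"


def load_threat_intel(text):
    """Parse the lookup into (network, source) pairs; a /32 entry matches one host."""
    return [(ipaddress.ip_network(row["dest"]), row["threat_intel_source"])
            for row in csv.DictReader(StringIO(text))]


def parse_pan_traffic(line):
    """(src, dest) addresses from a TRAFFIC line; None for other log types."""
    fields = next(csv.reader([line.split(" ", 3)[3]]))   # drop "Sep 15 19:02:06 "
    if fields[3] != "TRAFFIC":
        return None
    return ipaddress.ip_address(fields[7]), ipaddress.ip_address(fields[8])


def cidr_lookup(dest, intel):
    """Step 2, the lookup: first threat-intel netblock containing dest, else None."""
    addr = ipaddress.ip_address(str(dest))
    return next((source for net, source in intel if addr in net), None)


def find_c2_traffic(lines, intel):
    """Steps 1-3: egress flows only, look up dest, keep rows with a threat-intel match."""
    hits = []
    for src, dest in filter(None, map(parse_pan_traffic, lines)):
        if src not in INTERNAL or dest in INTERNAL:   # step 1: inside -> outside only
            continue
        source = cidr_lookup(dest, intel)
        if source:                                    # step 3: matched rows only
            hits.append((str(src), str(dest), source))
    return hits
```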
12. ● Panblock! (or other network response)
Block a User or System
15. ● Have a Palo Alto device and like this particular feature? Visit
– Docs: https://live.paloaltonetworks.com/docs/DOC-6593
– App Page: http://apps.splunk.com/app/491/
● Want to automate other firewalls? Ask your SE about:
– Expect scripts for Cisco, Juniper, etc.
– Threat intel integration with Check Point
– How to integrate with your particular brand of firewall
Where to Learn More About PAN Blocking
16. ● Multiple Threat Lists—Deprioritize open source threat list vs.
premium threat list
– Solution: the Splunk App for Enterprise Security has this fixed with deduping
and prioritizing
– Alternate Solution: | inputlookup Premium | append [| inputlookup OpenSource] | munge | outputlookup MyList
● Performance—you get lots of traffic, maybe you have lots of
threat intel entries
– Solution: the Splunk App for Enterprise Security
– Alternate Solution: data models help substantially
Analysis—Challenges
18. ● Process monitoring is good practice, and is easy with Splunk
● It becomes harder at scale, but data model acceleration helps
● Ultimately, by conquering statistical anomaly detection, you can more effectively find what is difficult to detect in your systems
● Visibility: Carbon Black Logs
● Analysis: System distribution, accelerated via data models
● Action: Security incident creation
Statistical Anomaly Detection Essentials
19. ● A measure of how widely a series of numbers is spread around its average (the square root of the variance)
● One file is opened on 100, 123, 79, and 145 hosts per day
– average of 111.75 and a standard deviation of 28.53
● Another file is opened on 100, 342, 3 and 2 hosts per day
– average of 111.75, but a standard deviation of 160.23
What is Standard Deviation?
21. ● Acceleration facilitates better and broader analysis
● Splunk has a few ways of accelerating content:
– Report Acceleration
– Data Model Acceleration
– Summary Indexing
– Pre-Processing of logs
– Search pipeline parallelization
How To Accelerate
22. Create a data model and accelerate
Create Data Model
Visibility Analysis Action
23. • Create a baseline pivot search and open in search
• In this case, split dc(host) by path
• Add a filter for critical paths
Create Pivot Search
24. Add additional stats command on top of accelerated Pivot search.
Create Additional Statistics
28. ● 29 security-related data models
● Normalizes the data to make searches easier to create
● Uses TAs (technology add-ons) to get the data in
● Available for free on Splunkbase
● https://splunkbase.splunk.com/app/1621/
CIM
32. ● Detecting known bad is great, but leaves you vulnerable
● Augment with synthetic checks of sensitive systems
● Statistics can consume all your time
● In this scenario, we are a hospital tracking patient chart opens
● Visibility: Charting system logs
● Analysis: Frequency analysis by user, role, etc.
● Action: Email the employees’ managers to investigate
Statistical Behavioral Anomaly Detection
33. ● A measure of how widely a series of numbers is spread around its average (the square root of the variance)
● Jane opens 100, 123, 79, and 145 charts per day
– average of 111.75 and a standard deviation of 28.53
● Jack opens 100, 342, 3 and 2 charts per day
– average of 111.75, but a standard deviation of 160.23
● If Jack and Jane both open 500 records one day, Jane’s Z score will be 13.6, but Jack’s will only be 2.42
● Z score = number of standard deviations away from the average
What is Standard Deviation?
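An added worked example (not from the deck) that carries the Jane/Jack numbers from this slide and slide 19 through the sample standard deviation and Z score, then flags the day that exceeds a threshold. It assumes, as Splunk's stats stdev() does, the sample rather than the population standard deviation; the same z_score works over any comparison dimension (own history, same title, same city) by passing that group's counts as the baseline.

```python
from statistics import mean, stdev

# Constructed baselines: chart opens per day for the two employees in the slide.
BASELINES = {
    "jane": [100, 123, 79, 145],
    "jack": [100, 342, 3, 2],
}


def baseline_stats(opens):
    """Average and sample standard deviation (what Splunk's stats avg()/stdev() return)."""
    return mean(opens), stdev(opens)


def z_score(value, opens):
    """How many standard deviations `value` sits from the average of `opens`."""
    avg, sd = baseline_stats(opens)
    if sd == 0:                       # flat baseline: any deviation is off the scale
        return 0.0 if value == avg else float("inf")
    return (value - avg) / sd


def flag_excess_opens(today, baselines, threshold=3.0):
    """{user: z} for users whose count today is more than `threshold` stdevs above
    their baseline. Pass a peer group's counts as the baseline to compare across a
    dimension such as same title or same city instead of the user's own history."""
    flagged = {}
    for user, count in today.items():
        z = z_score(count, baselines[user])
        if z > threshold:
            flagged[user] = round(z, 2)
    return flagged
```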
35. ● Core Metric: chart opens per day, per employee
● Dimensions to compare:
– Over time for the same user
– Others with same title
– Others in same city, etc.
● Why multiple dimensions?
Analysis
43. ● Email the manager
● This option is mostly just formatting. Join to the HR / LDAP database and use sendemail + map
● Could also escalate big violations to the SOC or GRC
Send custom E-Mail

| lookup LDAPSearch sAMAccountName as username OUTPUT manager
| lookup LDAPSearch dn as manager OUTPUT mail as ManagerEmail
| map maxsearches=100 search="| stats count
    | sendemail to=\"$ManagerEmail$\" sendresults=f
        subject=\"$EmployeeName$ excess Chart Opens\"
        message=\"$EmployeeName$ has opened more charts than normal ($Z_Avg$ stdev). Please follow up.\""

map substitutes the $field$ tokens from each result row into the inner search before it runs, so the manager address, employee name and Z score are quoted in place rather than rebuilt with eval.
46. ● Analytics are key, but not everything can be correlated
● Human eye can detect all manner of subtlety
– Progress through Cyber Kill Chain
– Movement toward critical assets
– Etc.
● Easiest with the Splunk App for Enterprise Security, but possible
without
Visual Event Correlation
50. Splunk Security Intelligence Platform: the Splunk App for Enterprise Security plus 361+ security apps (Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat ProxySG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper, Sourcefire, and more)
51. Build vs Buy
Most customers use a combination of build and buy.
Build:
● Knowledge – what to look for
● Time/money – create the content
● IT-Security Analysts and Researchers are rare on the market.
● Customized to your specific organizational needs
Buy:
● Out of the box content
● Requires no tuning
● Excessive analytics
● Quick time to value
54. User & Entity Behavior Analytics
Unsupervised machine learning with “out of the box” content
55. ● Anything. This should encompass all of your log sources,
correlation rules, alerts, etc.
● Include operational data here too (e.g., website response time
change)
Log Examples
56. ● Need more information? The Splunk App for Enterprise Security (ES) has many built-in
work flow actions to go pull more data
● Go pull more information from your Endpoint Threat Detection and Response app:
– Tanium: http://apps.splunk.com/app/1862/
– Tripwire / nCircle ip360: Ask your SE
– Bit9 / Carbon Black: https://www.bit9.com/solutions/splunk/
– Many others also exist
● File a ticket with your ticketing system
– Remedy: http://answers.splunk.com/answers/122019
● Open a new Notable Event in the Splunk App for ES
Action
57. Go Play With Data
App with data gens and documentation
http://splk.it/uo
1 solution for Splunk for Security, but 3 offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes it, as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it.
On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content, do not want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app (the one the arrow points at). It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost, though.) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are the third offering.
The majority of Splunk security customers use Splunk Enterprise and the free apps. Customers also leverage the API and SDKs that come with Splunk to further extend the platform.