SlideShare a Scribd company logo

Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle

Timur Bagirov
Timur Bagirov

Splunk in Oracle - несколько советов как снизить риски ИБ доступными средствами

Data & Analytics
1 of 42
Download to read offline
Copyright  ©  2015  Splunk  Inc.   Craig  Merchant   Senior  Security  Architect,  Oracle   Affordable  Security:   Making  the  most  of  free  tools  and  data  
Disclaimer   2   During  the  course  of  this  presentaFon,  we  may  make  forward  looking  statements  regarding  future   events  or  the  expected  performance  of  the  company.  We  cauFon  you  that  such  statements  reflect  our   current  expectaFons  and  esFmates  based  on  factors  currently  known  to  us  and  that  actual  events  or   results  could  differ  materially.  For  important  factors  that  may  cause  actual  results  to  differ  from  those   contained  in  our  forward-­‐looking  statements,  please  review  our  filings  with  the  SEC.  The  forward-­‐ looking  statements  made  in  the  this  presentaFon  are  being  made  as  of  the  Fme  and  date  of  its  live   presentaFon.  If  reviewed  aQer  its  live  presentaFon,  this  presentaFon  may  not  contain  current  or   accurate  informaFon.  We  do  not  assume  any  obligaFon  to  update  any  forward  looking  statements  we   may  make.       In  addiFon,  any  informaFon  about  our  roadmap  outlines  our  general  product  direcFon  and  is  subject  to   change  at  any  Fme  without  noFce.  It  is  for  informaFonal  purposes  only  and  shall  not,  be  incorporated   into  any  contract  or  other  commitment.  Splunk  undertakes  no  obligaFon  either  to  develop  the  features   or  funcFonality  described  or  to  include  any  such  feature  or  funcFonality  in  a  future  release.  
AddiFonal  Disclaimer   3   I  am  here  as  a  member  of  the  Splunk  community.   I  am  not  here  as  a  representaFve  of  Oracle  or  the  Oracle  Cloud.   Due  to  the  sensiFve  nature  of  some  of  our  customers,  I  am  only  authorized  to   disclose  a  limited  amount  of  specific  informaFon  about  our  environment.  
Personal  IntroducFon   4     Craig  Merchant,  Senior  Security  Architect,  Oracle  Cloud     Over  20  years  of  experience  in  security,  networking,  and     systems  management     Joined  Oracle  through  the  Responsys  acquisiFon  in  2014     Oracle  Cloud  was  announced  on  June  7,  2012   –  Offerings  include  SaaS,  PaaS,  IaaS   –  Growth  has  been  driven  by  over  a  dozen  acquisiFons     My  role:    To  Build  the  Be^er  Mouse  Trap  
Agenda     AugmenFng  Nessus  vulnerability  data  with  vFeed  project     Dynamic  vulnerability  scanning  using  SNMP  and  ARP  tables     IntegraFng  the  CollecFve  Intelligence  Framework  into  Splunk     Running  SCAP  security  checklists  using  Splunk  and  jOVAL     Gain  total  visibility  into  network  flows  using  Argus  and  Sysdig     All  content  available  at:   –  h^ps://github.com/SplunkSec/.conf2015     5  
Vulnerability  Data   Enrichment  
The  Incomplete  Picture   7     Vulnerability  Management  is  the  foundaFon  of  a  mature  security   pracFce     A  successful  remediaFon  strategy  depends  on  knowing:   –  Is  the  vulnerability  a  local  or  remote  exploit?   –  Can  an  unauthenFcated  user  perform  the  exploit?   –  How  easy  is  it  to  perform  the  exploit?   –  Is  there  a  known  exploit  for  the  vulnerability  in  the  wild?   –  Which  patches  or  updates  will  reduce  the  most  amount  of  risk?     The  data  contained  in  the  plugins  from  most  vulnerability  scanners   cannot  answer  all  of  those  quesFons  
What  is  vFeed?   8     h^ps://github.com/toolswatch/vFeed     vFeed  integrates  a  wealth  of  vulnerability  data:   –  CVE  –  Common  VulnerabiliFes  and  Exposures   –  CWE  –  Common  Weakness  EnumeraFon   –  CPE  –  Common  Plaform  EnumeraFon   –  OVAL  –  Open  Vulnerability  and  Assessment  Language   –  CAPEC  –  Common  A^ack  Pa^ern  EnumeraFon  and  ClassificaFon   –  CVSS  –  Common  Vulnerability  Scoring  System   –  MulFple  exploit  databases:    Exploit-­‐DB,  Metasploit,  Saint…   –  MulFple  vulnerability  databases:    OSVDB,  Bugtraq,  NVD   –  Vendor  Security  Advisories:    MSFT,  Red  Hat,  Cisco…    
Filling  in  the  Gaps   9     vFeed  provides  mappings  between  Nessus  and  CVE  IDs     Mapping  the  CVSS  metrics  to  CVE  IDs  answers:   –  Is  the  vulnerability  a  local  or  remote  exploit?   –  Can  an  unauthenFcated  user  perform  the  exploit?   –  How  easy  is  it  to  perform  the  exploit?     Mapping  CVE  IDs  to  public  exploit  databases  answers:   –  Is  there  a  known  exploit  for  the  vulnerability  in  the  wild?     Mapping  CVE  IDs  to  CPE  entries  answers:   –  Which  patches  or  updates  will  reduce  the  most  amount  of  risk?    
How  to  Build  It   10     Install  vFeed  and  create  a  cron  job  for  daily  updates     Connect  to  the  vFeed  SQLite  database  using  the  DB  Connect  1  app     Create  a  lookup  in  Splunk  for  each  table  in  vFeed     Dump  each  table,  saniFze  the  data,  and  augment  with  URL  info     Download  Common  InformaFon  Model  (CIM)  app  and  augment  the   Vulnerability  data  model  with  vFeed  fields     Modify  the  CIM  Vulnerability  data  model  to  perform     required  lookups     Populate  the  kvstore  with  vulnerability  data     Build  dashboards  driven  off  data  model  searches    
Bonus  Value   11     vFeed  has  mappings  for  Snort  IDs  to  CVE  IDs     Create  a  search  that  will  find  IDS  events  and:   –  Lookup  the  CVE  IDs  associated  with  each  Snort  ID   –  Use  mvexpand  to  create  a  single  event  per  CVE  ID   –  Lookup  the  CVE  ID  in  the  Snort  event  against  any  CVEs  for  the  dest/ dest_port/protocol  in  the  Vulnerability  kvstore     Alarm  on  a  match    
Dynamic  Vulnerability   Scanning  
Scheduled  Scanning  is  Risky   13     Missed  assets  –  Laptops  and  tablets  may  not  be  connected  to  the   corporate  network  during  the  scheduled  scanning  window     Fragile  infrastructure  –  Running  large  scans  can  exhaust  resources   on  switches,  routers,  and  firewalls     Huge  address  spaces  –  IPv6  networks  can  be  massive  and  virtually   impossible  to  scan  within  a  typical  scanning  window     Easy  evasion  –  Predictable  scanning  windows  create  opportuniFes   for  a^ackers  to  hide  evidence  of  their  intrusion  
Splunk  Powers  Dynamic  Scanning   14     Use  scripted  inputs  or  SNMP  apps  to  poll  network  switches  for  the   IP-­‐to-­‐MAC  address  relaFonships     Track  the  scanning  history  for  each  MAC  address  in  a  lookup  table     Use  that  history  to  launch  scans  via  the  Nessus  API     Index  the  status  of  each  scan  with  a  scripted  input     Generate  a  CSV  report  via  the  API  when  scans  complete  
Map  IPs  to  Physical  Address   15     For  IPv4,  SNMP  atPhysAddress  (.1.3.6.1.2.1.3.1.1.2)  to  enumerate   the  ARP  cache:   –  snmpwalk  –c  public  –v  2c  10.10.10.10  atPhysAddress     mib-­‐2.3.1.1.2.76.1.192.168.1.93  "3C  38  A6  D9  AA  4C  "   mib-­‐2.3.1.1.2.76.1.192.168.1.95  "A8  9D  21  DA  86  B3  "     For  both,  SNMP  ipNetToPhysicalPhysAddress  (.1.3.6.1.2.1.4.35.1.4):   –  snmpwalk  –c  public  –v  2c  10.10.10.10  ipNetToPhysicalTable     ê  IP-­‐MIB::ipNetToPhysicalPhysAddress.2.ipv4."10.0.0.1"  =  STRING:  0:26:5a:f4:1a:28     ê  IP-­‐MIB::ipNetToPhysicalPhysAddress.2.ipv6."fe:80:00:00:00:00:00:00:ca:60:00:ff:fe:e9:1a:e9“  =   STRING:  c8:60:0:e9:1a:e9  
Build  Scripted  SNMP  Input   16     Create  a  search  that  will  find  all  network  switches,  dedup  the   hostname  or  IP,  and  write  the  hostnames/IPs  to  a  lookup  table     Create  a  simple  “for”  loop  in  a  bash  script:   for  switch  in  `cat  ../lookups/switches.csv  |  sed  “1d”`   do      echo  “Switch:    $switch      snmpwalk  –c  public  –v  2c  $switch  ipNetToPhysicalPhysAddress     done     Schedule  the  scripted  input  to  run  every  5  minutes    
Interact  with  Nessus  6  API   17     Login  and  save  authenFcaFon  token:   –  curl  -­‐k  -­‐X  POST  -­‐H  'Content-­‐Type:  applicaFon/json'  -­‐d  '{"username":“nessus","password":“ne55us"}'  h^ps:// 10.10.10.10:8834/session  2>&1  |  grep  -­‐Po  '(?<="token":")[^"]+'     List  the  configured  scans  on  the  scanner:   –  curl  -­‐k  -­‐H  'X-­‐Cookie:  token=f99a30c7d590f07880f27aa913ee705955bcaa7b7d51e041'  h^ps://10.10.10.10:8834/scans     Launch  a  scan  with  a  list  of  dynamic  IPs:   –  curl  -­‐k  -­‐X  POST  -­‐H  'X-­‐Cookie:  token=f8f0b0821d0ef193d346a2951dbc9e28314bcf232d40e4e7'  -­‐H  'Content-­‐Type:   applicaFon/json'  -­‐d  '{"alt_targets":  [“10.10.10.1,10.10.10.2,10.10.10.3,10.10.10.4"]}'  h^ps://10.10.10.10:8834/scans/6/ launch     Export  a  scan  to  CSV  format:   –  curl  -­‐k  -­‐X  POST  -­‐H  'X-­‐Cookie:  token=f8f0b0821d0ef193d346a2951dbc9e28314bcf232d40e4e7'  -­‐H  'Content-­‐Type:   applicaFon/json'  -­‐d  '{"format":  "csv"}  '  h^ps://10.10.10.10:8834/scans/6/export   e  the  scripted  input  to  run  every  5  minutes    
How  to  Build  It   18     On  each  scanner,  define  the  necessary  policies  and  scan  configs     Use  the  Nessus  API  to  find  the  ID  of  configured  scans     Create  a  CIDR  match  lookup  table  to  assign  Nessus  IPs  and  scan  IDs   to  hosts  or  subnets:   dest,  nessus_ip,  scan_id   “10.10.10.0/24”,”10.10.10.10”,6   “10.10.11.0/24”,”10.10.10.10”,5     Create  a  lookup  to  track  the  last  scan  Fme  for  a  MAC  address  and   seed  it  with  data  that  adds  random  padding  to  the  last_scan  Fme:   (sourcetype="nessus"  AND  signature="12053"  OR  signature="19506")  OR  sourcetype=snmp_arp  |  rex  field=_raw  "(? i)resolves  as  (?P<hostname>[^$]+)(?=.)"  |  rex  mode=sed  field=dest_mac  "s/s/:/g"|  transacFon  maxspan=1h  dest  |  eval   padding=random()/2147483648*86400  |  eval  last_scan=now()+padding  |  table  last_scan,hostname,dest,dest_mac  |   outputlookup  nessus_last_scan_lookup    
How  to  Build  It   19     Create  a  lookup  table  to  queue  IPs  that  need  to  be  scanned     Create  a  search  that  will  check  incoming  ARP  events  against  the  last     scan  lookup,  lookup  the  scanner  IP  and  scan  ID,  and  save  those  events  to   the  queue     Create  a  scripted  input  to  iterate  through  the  Nessus  scanners,  list  the   status  of  scan  jobs  and  index  the  results     Create  a  lookup  table  to  track  completed  scan  jobs  and  export  status     Create  a  script  that  can  iterate  through  the  scan  job  lookup  table  and  use   the  Nessus  API  to  export  the  scan  in  CSV  format     Create  a  file  monitor  input  on  the  Nessus  scanner  that  will  index  all  CSV   files  found  in  each  user’s  “files”  directory    
IntegraFng  Threat   Intelligence  
Why  Threat  Intel?   21     Today’s  a^ackers  are  incredibly  sophisFcated  and  agile     Threat  Intel  providers  take  the  offensive  against  hackers     Data  is  updated  more  frequently  than  tradiFonal  AV  vendors     Indicators  of  Compromise  (IOCs)  can  be  found  in  a  wide  range  of   security  data  types    
What  is  CIF?   22     h^ps://code.google.com/p/collecFve-­‐intelligence-­‐framework/       CIF  collects,  normalizes,  qualifies,  and  categorizes  free  and   commercial  threat  intelligence  feeds     Supported  data  types:   –  File  Hashes  (MD5s)   –  IPv4  Addresses   –  Host  Names   –  Domain  Names   –  URLs  (MD5s)     v1  stores  each  category  of  threat  in  a  separate  Postgres     database  table    
What  Data  can  it  Enrich?   23     Network  Intrusion  DetecFon  events  (IPv4,  Host/Domain  names)     Network  Flow  events  (IPv4,  Host/Domain  Names,  URL)     Proxy  Logs  (IPv4  Host/Domain  names,  URL)     Firewall  Logs  (IPv4,  URL)     Endpoint  ProtecFon  SoluFons  (File  Hash,  IPv4,  Host/Domain  names)     AnF-­‐Malware  soluFons  (File  Hash,  IPv4,  Host/Domain  names,  URL)    
How  to  Build  It   24     Install  CIF  v1  and  configure  threat  intel  feeds     Connect  to  the  Postgres  database  using  DB  Connect  App     Create  Splunk  lookup  tables  for  each  classificaFon  type  –  botnet,   phishing,  spam,  etc.     Create  searches  to  periodically  dump  the  database  tables  into     lookup  tables     Create  automaFc  lookups  to  enhance  log  data     OpFonal:    Add  a  menu  context  item  to  check  fields  against  the  HTTP   API:    h^p://eyeis.net/2012/04/querying-­‐cif-­‐data-­‐from-­‐splunk/      
Automated  Security   ConfiguraFon   Monitoring  with  SCAP  
Value  and  Challenges   26     Security  configuraFon  monitoring  can  measure  the  compliance     of  systems  and  applicaFons  against  a  set  of  enterprise  security   standards     The  human  “checklist”  approach  is  slow,  expensive,  and  prone     to  error     CreaFng  customized  scripts  to  perform  configuraFon  checks  is   expensive  to  develop  and  maintain  and  difficult  to  instrument  and   report  on    
What  is  SCAP?   27     SCAP:    Security  Content  AutomaFon  Protocol   –  XCCDF:    Extensible  ConfiguraFon  Checklist  DefiniFon  Format   –  OVAL:    Open  Vulnerability  and  Assessment  Language     Public  repositories  of  SCAP  content:   –  h^ps://web.nvd.nist.gov/view/ncp/repository   –  h^p://usgcb.nist.gov/   –  h^p://iase.disa.mil/sFgs/scap/Pages/index.aspx   –  h^ps://benchmarks.cisecurity.org/downloads/     SCAP  scanners:   –  Free:    h^p://www.open-­‐scap.org/   –  Commercial:    h^p://jovalcm.com/  
What  Does  the  Data  Look  Like?   28     XCCDF  scan  using  OpenSCAP:   Title      Uninstall  squid  Package   Rule        uninstall_squid   Ident      CCE-­‐26977-­‐9   Result    pass       Title      Disable  snmpd  Service   Rule        disable_snmpd   Ident      CCE-­‐26906-­‐8   Result    pass     OVAL  scan  using  OpenSCAP:   DefiniFon  oval:ssg:def:959:  false   DefiniFon  oval:ssg:def:957:  true   DefiniFon  oval:ssg:def:955:  true      
How  to  Build  It   29     jOVAL  –  Install  on  central  scanning  host   OpenSCAP  –  yum  install  openscap  openscap-­‐uFls  openscap-­‐content     Index  the  XCCDF  or  OVAL  XML  files       Extract  important  fields  from  the  rule  objects  –  id,  Ftle,  descripFon,   severity,  weight,  and  fixtext     Create  a  lookup  table  or  kvstore  containing  the  policy  name  and  the   rule  objects  above     Create  automaFc  lookup  to  enrich  scanner  logs  with  rule  data     Create  an  app  for  the  policy  files  and  scripted  inputs   !!!    You  must  change  the  file  extension  from  XML  or  you  will  break  Splunk  !!!      
Improving  Visibility   With  Network  Flows  
Ge‡ng  Flow  Security  Right  is  Hard   31     What  collecFon  method  to  use  –  Neflow  protocols  or     taps/SPAN  ports?     Where  to  collect  the  data  –  Internet  connecFons,  internal  switches,   or  individual  hosts?     What  flow  metrics  need  to  be  collected  for  security  or  ops?     What  flow  aggregaFon  and  filtering  method  to  use?     What  events  are  worth  sending  to  Splunk?     How  can  flows  be  used  to  complement  other  security  data?  
What  is  Argus?   32     h^p://qosient.com/argus/     Free,  open  source  tool  capable  of  generaFng  flow  records  from  both   flow  protocols  (Neflow,  IPFIX)  and  raw  network  streams     Capable  of  capturing  all,  some,  or  none  of  the  packet  payload     Supports  a  rich  set  of  flow  metrics     Allows  tagging  of  flows  based  on  CIDR  match     Key  architecture  components:   –  argusd:    Argus  flow  collector  daemon   –  radium:    Collects  and  dedups  flows  from  mulFple  Argus  daemons   –  Argus  clients:    Individual  client  applicaFons  to  search  and  manage  Argus   data  
What  Can  Argus  Do?   33     ralabel:    Uses  CIDR  network  and  host  matches  to  apply  labels  to   flows     radark:    Looks  for  high  numbers  of  ICMP  unreachable  messages  to   detect  scanning  behavior     rapolicy:    Monitors  network  traffic  for  violaFons  of  Cisco  ACL  rules     Using  advanced  ji^er  analysis,  Argus  can  detect  keystrokes  in   encrypted  tunnels  –  excellent  for  detecFng  back  doors     Regex  pa^ern  matching  on  payload  can  idenFfy  SSH  on  unusual   ports  
How  to  Build  It   34     Compile  argusd  for  collecFon  servers     Compile  argus-­‐clients     Convert  Splunk  IPv4  threat  intel  lookup  table  to  Argus  label     file  format     Configure  Argus  client  searches     Create  Splunk  searches  to  index  output  of  Argus  clients     Advanced:    Use  radium  to  save  X  minutes/hours/days  of  all  flow   records  and  selecFvely  index  the  data  in  Splunk    
But  Wait…  Who  Dunnit?   35     Argus  has  no  user  or  process  a^ribuFon  capabiliFes  –  all  its  sees  is   the  network     Enter  Sysdig  –  “Think  of  sysdig  as  strace  +  tcpdump  +  htop  +  iQop  +   lsof  +  awesome  sauce”   –  h^p://www.sysdig.org     Sysdig  is  a  Linux  kernel  module  that  can  gather  data  about:   –  User  acFvity  such  as  shell  commands  and  network  connecFons   –  Process  acFvity   –  System  performance  –  I/O,  CPU,  network,  and  memory   –  Limited  Windows/OS  X  support  
How  to  Build  It   36     Compile  and  install  sysdig     Create  a  scripted  input  to  capture  user,  UID,  PID,  PPID,  process   names  and  arguments,  and  IP/port/protocol  data  for  each     network  connecFon:   –  sysdig  evt.type=connect  and  fd.lip!=127.0.0.1  –p”%evt.rawFme.s,%evt.type,%fd.cip,%fd.cport,%fd.sip,%fd.sport, %fd.l4proto,%proc.name,%proc.args,%proc.pid,%proc.ppid,%proc.pname,%user.uid,%user.name”Create       Create  searches  for  flow/IDS/firewall  and  sysdig  events  and  bind   them  together  with  the  “transacFon”  command     Build  alarms  and  reports  that  take  advantage  of  the     a^ribuFon  metadata  
Final  Thoughts  
Making  the  Most  of  Free   38     All  of  the  ideas  presented  require  basic  Splunking  skill  –  lookups,   transacFons,  data  models,  and  database  connecFons     The  vFeed  and  CIF  projects  provide  excellent  metadata   enhancement  capabiliFes  without  consuming  your  Splunk  license     Dynamic  vulnerability  scanning  and  SCAP  scanning  can  dramaFcally   improve  vulnerability  management  with  a  trivial  license  cost     Argus  offers  a  number  of  security  client  tools  that  offer  great   visibility  with  minimal  license  consumpFon     Sysdig  allows  security  to  link  network  events  with  the  users  and   programs  responsible  for  them  
Future  InvesFgaFons   39     Project  ArFllery:   –  h^ps://www.trustedsec.com/arFllery/     –  A  python-­‐based  low-­‐interacFon  honeypot  that  can  be  deployed  and   managed  with  Splunk     Google  Rapid  Response  (GRR)   –  h^ps://github.com/google/grr     –  A  comprehensive  incident  response  framework  that  could  be  automated   using  data  stored  in  Splunk,  such  as  Notable  Events  in  the  Enterprise   Security  app    
Get  It  at  Github   40     h^ps://github.com/SplunkSec/.conf2015    
41   QuesFons?  
THANK  YOU  

Recommended

Splunk company overview april. 2015
Splunk company overview april. 2015Splunk company overview april. 2015
Splunk company overview april. 2015Timur Bagirov
 
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data Onboarding
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data OnboardingSplunkLive! München 2016 - Splunk Enterprise 6.3 - Data Onboarding
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data OnboardingSplunk
 
SplunkLive! München 2016 - Splunk für IT Operations
SplunkLive! München 2016 - Splunk für IT OperationsSplunkLive! München 2016 - Splunk für IT Operations
SplunkLive! München 2016 - Splunk für IT OperationsSplunk
 
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk
 
Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunk
 
SplunkLive! München 2016 - Getting started with Splunk
SplunkLive! München 2016 - Getting started with SplunkSplunkLive! München 2016 - Getting started with Splunk
SplunkLive! München 2016 - Getting started with SplunkSplunk
 
SplunkLive! Milano 2016 - Splunk Plenary Session
SplunkLive! Milano 2016 - Splunk Plenary SessionSplunkLive! Milano 2016 - Splunk Plenary Session
SplunkLive! Milano 2016 - Splunk Plenary SessionSplunk
 

Recommended

Splunk company overview april. 2015
Splunk company overview april. 2015Splunk company overview april. 2015
Splunk company overview april. 2015Timur Bagirov
 
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data Onboarding
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data OnboardingSplunkLive! München 2016 - Splunk Enterprise 6.3 - Data Onboarding
SplunkLive! München 2016 - Splunk Enterprise 6.3 - Data OnboardingSplunk
 
SplunkLive! München 2016 - Splunk für IT Operations
SplunkLive! München 2016 - Splunk für IT OperationsSplunkLive! München 2016 - Splunk für IT Operations
SplunkLive! München 2016 - Splunk für IT OperationsSplunk
 
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk
 
Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk Enterprise for IT Troubleshooting
Splunk Enterprise for IT Troubleshooting Splunk
 
SplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunkLive! Paris 2016 - Plenary session
SplunkLive! Paris 2016 - Plenary sessionSplunk
 
SplunkLive! München 2016 - Getting started with Splunk
SplunkLive! München 2016 - Getting started with SplunkSplunkLive! München 2016 - Getting started with Splunk
SplunkLive! München 2016 - Getting started with SplunkSplunk
 
SplunkLive! Milano 2016 - Splunk Plenary Session
SplunkLive! Milano 2016 - Splunk Plenary SessionSplunkLive! Milano 2016 - Splunk Plenary Session
SplunkLive! Milano 2016 - Splunk Plenary SessionSplunk
 
SplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für SecuritySplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für SecuritySplunk
 
Splunk live! Italy 2015
Splunk live! Italy 2015Splunk live! Italy 2015
Splunk live! Italy 2015Georg Knon
 
Best Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The EnteprriseBest Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The EnteprriseSplunk
 
Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Splunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
SplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXPSplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXPSplunk
 
Splunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better CodeSplunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better CodePhilipp Drieger
 
Operational Security Intelligence Breakout Session
Operational Security Intelligence Breakout SessionOperational Security Intelligence Breakout Session
Operational Security Intelligence Breakout SessionSplunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomGeorg Knon
 
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT OperationsSplunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT OperationsSplunk
 
Machine Data 101 Hands-on
Machine Data 101 Hands-onMachine Data 101 Hands-on
Machine Data 101 Hands-onSplunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainSplunk
 
Getting Started with Splunk Hands-on
Getting Started with Splunk Hands-onGetting Started with Splunk Hands-on
Getting Started with Splunk Hands-onSplunk
 
SplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech ComputertechnikSplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech ComputertechnikSplunk
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunk
 
Splunk für Security
Splunk für SecuritySplunk für Security
Splunk für SecuritySplunk
 
Splunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout SessionSplunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout SessionSplunk
 
SplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On VersionSplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On VersionSplunk
 
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk
 
Splunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationSplunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationGreg Hanchin
 

More Related Content

What's hot

SplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für SecuritySplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für SecuritySplunk
 
Splunk live! Italy 2015
Splunk live! Italy 2015Splunk live! Italy 2015
Splunk live! Italy 2015Georg Knon
 
Best Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The EnteprriseBest Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The EnteprriseSplunk
 
Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Splunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
SplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXPSplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXPSplunk
 
Splunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better CodeSplunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better CodePhilipp Drieger
 
Operational Security Intelligence Breakout Session
Operational Security Intelligence Breakout SessionOperational Security Intelligence Breakout Session
Operational Security Intelligence Breakout SessionSplunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomGeorg Knon
 
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT OperationsSplunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT OperationsSplunk
 
Machine Data 101 Hands-on
Machine Data 101 Hands-onMachine Data 101 Hands-on
Machine Data 101 Hands-onSplunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainSplunk
 
Getting Started with Splunk Hands-on
Getting Started with Splunk Hands-onGetting Started with Splunk Hands-on
Getting Started with Splunk Hands-onSplunk
 
SplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech ComputertechnikSplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech ComputertechnikSplunk
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunk
 
Splunk für Security
Splunk für SecuritySplunk für Security
Splunk für SecuritySplunk
 
Splunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout SessionSplunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout SessionSplunk
 
SplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On VersionSplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On VersionSplunk
 

What's hot (20)

SplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für SecuritySplunkLive! Zürich - Splunk für Security
SplunkLive! Zürich - Splunk für Security
 
Splunk live! Italy 2015
Splunk live! Italy 2015Splunk live! Italy 2015
Splunk live! Italy 2015
 
Best Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The EnteprriseBest Practices For Sharing Data Across The Enteprrise
Best Practices For Sharing Data Across The Enteprrise
 
Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On) Getting Started with Splunk (Hands-On)
Getting Started with Splunk (Hands-On)
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT Operations
 
SplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXPSplunkLive! Utrecht 2016 - NXP
SplunkLive! Utrecht 2016 - NXP
 
Splunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better CodeSplunk for DevOps - Faster Insights - Better Code
Splunk for DevOps - Faster Insights - Better Code
 
Operational Security Intelligence Breakout Session
Operational Security Intelligence Breakout SessionOperational Security Intelligence Breakout Session
Operational Security Intelligence Breakout Session
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case Swisscom
 
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT OperationsSplunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
Splunk Discovery Day Düsseldorf 2016 - Splunk für IT Operations
 
Machine Data 101 Hands-on
Machine Data 101 Hands-onMachine Data 101 Hands-on
Machine Data 101 Hands-on
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT Operations
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill Chain
 
Getting Started with Splunk Hands-on
Getting Started with Splunk Hands-onGetting Started with Splunk Hands-on
Getting Started with Splunk Hands-on
 
SplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech ComputertechnikSplunkLive! Wien 2016 - Use Case TTTech Computertechnik
SplunkLive! Wien 2016 - Use Case TTTech Computertechnik
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case Swisscom
 
Splunk für Security
Splunk für SecuritySplunk für Security
Splunk für Security
 
Splunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout SessionSplunk for Monitoring and Diagnostics Breakout Session
Splunk for Monitoring and Diagnostics Breakout Session
 
SplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On VersionSplunkLive! Houston IT Service Intelligence Hands On Version
SplunkLive! Houston IT Service Intelligence Hands On Version
 

Similar to Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle

Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk
 
Splunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationSplunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationGreg Hanchin
 
Spring and Pivotal Application Service - SpringOne Tour Dallas
Spring and Pivotal Application Service - SpringOne Tour DallasSpring and Pivotal Application Service - SpringOne Tour Dallas
Spring and Pivotal Application Service - SpringOne Tour DallasVMware Tanzu
 
SplunkLive! Amsterdam 2015 Breakout - Getting Started with Splunk
SplunkLive! Amsterdam 2015 Breakout - Getting Started with SplunkSplunkLive! Amsterdam 2015 Breakout - Getting Started with Splunk
SplunkLive! Amsterdam 2015 Breakout - Getting Started with SplunkSplunk
 
SIGRed - Monitoring and Detecting with Splunk
SIGRed - Monitoring and Detecting with SplunkSIGRed - Monitoring and Detecting with Splunk
SIGRed - Monitoring and Detecting with SplunkAnthony Reinke
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecuritySplunk
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
Splunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk
 
Splunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationSplunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationGeorg Knon
 
Splunk Conf 2014 - Splunking the Java Virtual Machine
Splunk Conf 2014 - Splunking the Java Virtual MachineSplunk Conf 2014 - Splunking the Java Virtual Machine
Splunk Conf 2014 - Splunking the Java Virtual MachineDamien Dallimore
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Splunk
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunk
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk
 

Similar to Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle (20)

Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
 
Splunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentationSplunk for vmware virtualization customer presentation
Splunk for vmware virtualization customer presentation
 
Spring and Pivotal Application Service - SpringOne Tour Dallas
Spring and Pivotal Application Service - SpringOne Tour DallasSpring and Pivotal Application Service - SpringOne Tour Dallas
Spring and Pivotal Application Service - SpringOne Tour Dallas
 
SplunkLive! Amsterdam 2015 Breakout - Getting Started with Splunk
SplunkLive! Amsterdam 2015 Breakout - Getting Started with SplunkSplunkLive! Amsterdam 2015 Breakout - Getting Started with Splunk
SplunkLive! Amsterdam 2015 Breakout - Getting Started with Splunk
 
SIGRed - Monitoring and Detecting with Splunk
SIGRed - Monitoring and Detecting with SplunkSIGRed - Monitoring and Detecting with Splunk
SIGRed - Monitoring and Detecting with Splunk
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Splunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat DefenseSplunk conf2014 - Operationalizing Advanced Threat Defense
Splunk conf2014 - Operationalizing Advanced Threat Defense
 
Splunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationSplunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident Investigation
 
Splunk Conf 2014 - Splunking the Java Virtual Machine
Splunk Conf 2014 - Splunking the Java Virtual MachineSplunk Conf 2014 - Splunking the Java Virtual Machine
Splunk Conf 2014 - Splunking the Java Virtual Machine
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Owasp masvs spain 17
Owasp masvs spain 17Owasp masvs spain 17
Owasp masvs spain 17
 
Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?Do You Really Need to Evolve From Monitoring to Observability?
Do You Really Need to Evolve From Monitoring to Observability?
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
 

More from Timur Bagirov

презентация Clever data конференция splunk октябрь 2016 v2
презентация Clever data конференция splunk октябрь 2016 v2презентация Clever data конференция splunk октябрь 2016 v2
презентация Clever data конференция splunk октябрь 2016 v2Timur Bagirov
 
Splunk for NAC in Yandex
Splunk for NAC in YandexSplunk for NAC in Yandex
Splunk for NAC in YandexTimur Bagirov
 
11 nov splunk_conf_мониторинг доступности услуг в мегафон
11 nov splunk_conf_мониторинг доступности услуг в мегафон11 nov splunk_conf_мониторинг доступности услуг в мегафон
11 nov splunk_conf_мониторинг доступности услуг в мегафонTimur Bagirov
 
Splunk in Rakuten: Splunk as a Service for all
Splunk in Rakuten: Splunk as a Service for allSplunk in Rakuten: Splunk as a Service for all
Splunk in Rakuten: Splunk as a Service for allTimur Bagirov
 
Qwasi Splunk and NCR Integration: Business Analytics
Qwasi Splunk and NCR Integration: Business AnalyticsQwasi Splunk and NCR Integration: Business Analytics
Qwasi Splunk and NCR Integration: Business AnalyticsTimur Bagirov
 
Splunk in Yoox: Security and Compliance
Splunk in Yoox: Security and ComplianceSplunk in Yoox: Security and Compliance
Splunk in Yoox: Security and ComplianceTimur Bagirov
 
Splunk in Target: Internet of Things (Robot Analytics)
Splunk in Target: Internet of Things (Robot Analytics)Splunk in Target: Internet of Things (Robot Analytics)
Splunk in Target: Internet of Things (Robot Analytics)Timur Bagirov
 
Splunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsSplunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsTimur Bagirov
 
Splunk in Otto: Business Analytics
Splunk in Otto: Business Analytics Splunk in Otto: Business Analytics
Splunk in Otto: Business Analytics Timur Bagirov
 
Splunk in Staples: IT Operations
Splunk in Staples: IT OperationsSplunk in Staples: IT Operations
Splunk in Staples: IT OperationsTimur Bagirov
 
Splunk in John Lewis: Business Analytics
Splunk in John Lewis: Business AnalyticsSplunk in John Lewis: Business Analytics
Splunk in John Lewis: Business AnalyticsTimur Bagirov
 
Splunk Check Point технологические партнеры
Splunk Check Point технологические партнерыSplunk Check Point технологические партнеры
Splunk Check Point технологические партнерыTimur Bagirov
 
Немного о Splunk в Yota
Немного о Splunk в YotaНемного о Splunk в Yota
Немного о Splunk в YotaTimur Bagirov
 
Splunk live мегафон 2015 - v4
Splunk live мегафон 2015 - v4Splunk live мегафон 2015 - v4
Splunk live мегафон 2015 - v4Timur Bagirov
 

More from Timur Bagirov (16)

презентация Clever data конференция splunk октябрь 2016 v2
презентация Clever data конференция splunk октябрь 2016 v2презентация Clever data конференция splunk октябрь 2016 v2
презентация Clever data конференция splunk октябрь 2016 v2
 
Splunk for NAC in Yandex
Splunk for NAC in YandexSplunk for NAC in Yandex
Splunk for NAC in Yandex
 
Tinkoff splunk 2016
Tinkoff splunk 2016Tinkoff splunk 2016
Tinkoff splunk 2016
 
Splunk sberbank cib
Splunk sberbank cibSplunk sberbank cib
Splunk sberbank cib
 
11 nov splunk_conf_мониторинг доступности услуг в мегафон
11 nov splunk_conf_мониторинг доступности услуг в мегафон11 nov splunk_conf_мониторинг доступности услуг в мегафон
11 nov splunk_conf_мониторинг доступности услуг в мегафон
 
Splunk in Rakuten: Splunk as a Service for all
Splunk in Rakuten: Splunk as a Service for allSplunk in Rakuten: Splunk as a Service for all
Splunk in Rakuten: Splunk as a Service for all
 
Qwasi Splunk and NCR Integration: Business Analytics
Qwasi Splunk and NCR Integration: Business AnalyticsQwasi Splunk and NCR Integration: Business Analytics
Qwasi Splunk and NCR Integration: Business Analytics
 
Splunk in Yoox: Security and Compliance
Splunk in Yoox: Security and ComplianceSplunk in Yoox: Security and Compliance
Splunk in Yoox: Security and Compliance
 
Splunk in Target: Internet of Things (Robot Analytics)
Splunk in Target: Internet of Things (Robot Analytics)Splunk in Target: Internet of Things (Robot Analytics)
Splunk in Target: Internet of Things (Robot Analytics)
 
Splunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsSplunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT Operations
 
Splunk in Otto: Business Analytics
Splunk in Otto: Business Analytics Splunk in Otto: Business Analytics
Splunk in Otto: Business Analytics
 
Splunk in Staples: IT Operations
Splunk in Staples: IT OperationsSplunk in Staples: IT Operations
Splunk in Staples: IT Operations
 
Splunk in John Lewis: Business Analytics
Splunk in John Lewis: Business AnalyticsSplunk in John Lewis: Business Analytics
Splunk in John Lewis: Business Analytics
 
Splunk Check Point технологические партнеры
Splunk Check Point технологические партнерыSplunk Check Point технологические партнеры
Splunk Check Point технологические партнеры
 
Немного о Splunk в Yota
Немного о Splunk в YotaНемного о Splunk в Yota
Немного о Splunk в Yota
 
Splunk live мегафон 2015 - v4
Splunk live мегафон 2015 - v4Splunk live мегафон 2015 - v4
Splunk live мегафон 2015 - v4
 

Recently uploaded

{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...
{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...
{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...Pooja Nehwal
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...amitlee9823
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Delhi Call girls
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz1
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Callshivangimorya083
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxolyaivanovalion
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxolyaivanovalion
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Delhi Call girls
 

Recently uploaded (20)

{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...
{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...
{Pooja: 9892124323 } Call Girl in Mumbai | Jas Kaur Rate 4500 Free Hotel Del...
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
Halmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFxHalmar dropshipping via API with DroFx
Halmar dropshipping via API with DroFx
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
VidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptxVidaXL dropshipping via API with DroFx.pptx
VidaXL dropshipping via API with DroFx.pptx
 
BabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptxBabyOno dropshipping via API with DroFx.pptx
BabyOno dropshipping via API with DroFx.pptx
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
 

Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle

  • 1. Copyright  ©  2015  Splunk  Inc.   Craig  Merchant   Senior  Security  Architect,  Oracle   Affordable  Security:   Making  the  most  of  free  tools  and  data  
  • 2. Disclaimer   2   During  the  course  of  this  presentaFon,  we  may  make  forward  looking  statements  regarding  future   events  or  the  expected  performance  of  the  company.  We  cauFon  you  that  such  statements  reflect  our   current  expectaFons  and  esFmates  based  on  factors  currently  known  to  us  and  that  actual  events  or   results  could  differ  materially.  For  important  factors  that  may  cause  actual  results  to  differ  from  those   contained  in  our  forward-­‐looking  statements,  please  review  our  filings  with  the  SEC.  The  forward-­‐ looking  statements  made  in  the  this  presentaFon  are  being  made  as  of  the  Fme  and  date  of  its  live   presentaFon.  If  reviewed  aQer  its  live  presentaFon,  this  presentaFon  may  not  contain  current  or   accurate  informaFon.  We  do  not  assume  any  obligaFon  to  update  any  forward  looking  statements  we   may  make.       In  addiFon,  any  informaFon  about  our  roadmap  outlines  our  general  product  direcFon  and  is  subject  to   change  at  any  Fme  without  noFce.  It  is  for  informaFonal  purposes  only  and  shall  not,  be  incorporated   into  any  contract  or  other  commitment.  Splunk  undertakes  no  obligaFon  either  to  develop  the  features   or  funcFonality  described  or  to  include  any  such  feature  or  funcFonality  in  a  future  release.  
  • 3. AddiFonal  Disclaimer   3   I  am  here  as  a  member  of  the  Splunk  community.   I  am  not  here  as  a  representaFve  of  Oracle  or  the  Oracle  Cloud.   Due  to  the  sensiFve  nature  of  some  of  our  customers,  I  am  only  authorized  to   disclose  a  limited  amount  of  specific  informaFon  about  our  environment.  
  • 4. Personal  IntroducFon   4     Craig  Merchant,  Senior  Security  Architect,  Oracle  Cloud     Over  20  years  of  experience  in  security,  networking,  and     systems  management     Joined  Oracle  through  the  Responsys  acquisiFon  in  2014     Oracle  Cloud  was  announced  on  June  7,  2012   –  Offerings  include  SaaS,  PaaS,  IaaS   –  Growth  has  been  driven  by  over  a  dozen  acquisiFons     My  role:    To  Build  the  Be^er  Mouse  Trap  
  • 5. Agenda     AugmenFng  Nessus  vulnerability  data  with  vFeed  project     Dynamic  vulnerability  scanning  using  SNMP  and  ARP  tables     IntegraFng  the  CollecFve  Intelligence  Framework  into  Splunk     Running  SCAP  security  checklists  using  Splunk  and  jOVAL     Gain  total  visibility  into  network  flows  using  Argus  and  Sysdig     All  content  available  at:   –  h^ps://github.com/SplunkSec/.conf2015     5  
  • 7. The  Incomplete  Picture   7     Vulnerability  Management  is  the  foundaFon  of  a  mature  security   pracFce     A  successful  remediaFon  strategy  depends  on  knowing:   –  Is  the  vulnerability  a  local  or  remote  exploit?   –  Can  an  unauthenFcated  user  perform  the  exploit?   –  How  easy  is  it  to  perform  the  exploit?   –  Is  there  a  known  exploit  for  the  vulnerability  in  the  wild?   –  Which  patches  or  updates  will  reduce  the  most  amount  of  risk?     The  data  contained  in  the  plugins  from  most  vulnerability  scanners   cannot  answer  all  of  those  quesFons  
  • 8. What  is  vFeed?   8     h^ps://github.com/toolswatch/vFeed     vFeed  integrates  a  wealth  of  vulnerability  data:   –  CVE  –  Common  VulnerabiliFes  and  Exposures   –  CWE  –  Common  Weakness  EnumeraFon   –  CPE  –  Common  Plaform  EnumeraFon   –  OVAL  –  Open  Vulnerability  and  Assessment  Language   –  CAPEC  –  Common  A^ack  Pa^ern  EnumeraFon  and  ClassificaFon   –  CVSS  –  Common  Vulnerability  Scoring  System   –  MulFple  exploit  databases:    Exploit-­‐DB,  Metasploit,  Saint…   –  MulFple  vulnerability  databases:    OSVDB,  Bugtraq,  NVD   –  Vendor  Security  Advisories:    MSFT,  Red  Hat,  Cisco…    
  • 9. Filling  in  the  Gaps   9     vFeed  provides  mappings  between  Nessus  and  CVE  IDs     Mapping  the  CVSS  metrics  to  CVE  IDs  answers:   –  Is  the  vulnerability  a  local  or  remote  exploit?   –  Can  an  unauthenFcated  user  perform  the  exploit?   –  How  easy  is  it  to  perform  the  exploit?     Mapping  CVE  IDs  to  public  exploit  databases  answers:   –  Is  there  a  known  exploit  for  the  vulnerability  in  the  wild?     Mapping  CVE  IDs  to  CPE  entries  answers:   –  Which  patches  or  updates  will  reduce  the  most  amount  of  risk?    
  • 10. How  to  Build  It   10     Install  vFeed  and  create  a  cron  job  for  daily  updates     Connect  to  the  vFeed  SQLite  database  using  the  DB  Connect  1  app     Create  a  lookup  in  Splunk  for  each  table  in  vFeed     Dump  each  table,  saniFze  the  data,  and  augment  with  URL  info     Download  Common  InformaFon  Model  (CIM)  app  and  augment  the   Vulnerability  data  model  with  vFeed  fields     Modify  the  CIM  Vulnerability  data  model  to  perform     required  lookups     Populate  the  kvstore  with  vulnerability  data     Build  dashboards  driven  off  data  model  searches    
  • 11. Bonus  Value   11     vFeed  has  mappings  for  Snort  IDs  to  CVE  IDs     Create  a  search  that  will  find  IDS  events  and:   –  Lookup  the  CVE  IDs  associated  with  each  Snort  ID   –  Use  mvexpand  to  create  a  single  event  per  CVE  ID   –  Lookup  the  CVE  ID  in  the  Snort  event  against  any  CVEs  for  the  dest/ dest_port/protocol  in  the  Vulnerability  kvstore     Alarm  on  a  match    
  • 13. Scheduled  Scanning  is  Risky   13     Missed  assets  –  Laptops  and  tablets  may  not  be  connected  to  the   corporate  network  during  the  scheduled  scanning  window     Fragile  infrastructure  –  Running  large  scans  can  exhaust  resources   on  switches,  routers,  and  firewalls     Huge  address  spaces  –  IPv6  networks  can  be  massive  and  virtually   impossible  to  scan  within  a  typical  scanning  window     Easy  evasion  –  Predictable  scanning  windows  create  opportuniFes   for  a^ackers  to  hide  evidence  of  their  intrusion  
  • 14. Splunk  Powers  Dynamic  Scanning   14     Use  scripted  inputs  or  SNMP  apps  to  poll  network  switches  for  the   IP-­‐to-­‐MAC  address  relaFonships     Track  the  scanning  history  for  each  MAC  address  in  a  lookup  table     Use  that  history  to  launch  scans  via  the  Nessus  API     Index  the  status  of  each  scan  with  a  scripted  input     Generate  a  CSV  report  via  the  API  when  scans  complete  
  • 15. Map  IPs  to  Physical  Address   15     For  IPv4,  SNMP  atPhysAddress  (.1.3.6.1.2.1.3.1.1.2)  to  enumerate   the  ARP  cache:   –  snmpwalk  –c  public  –v  2c  10.10.10.10  atPhysAddress     mib-­‐2.3.1.1.2.76.1.192.168.1.93  "3C  38  A6  D9  AA  4C  "   mib-­‐2.3.1.1.2.76.1.192.168.1.95  "A8  9D  21  DA  86  B3  "     For  both,  SNMP  ipNetToPhysicalPhysAddress  (.1.3.6.1.2.1.4.35.1.4):   –  snmpwalk  –c  public  –v  2c  10.10.10.10  ipNetToPhysicalTable     ê  IP-­‐MIB::ipNetToPhysicalPhysAddress.2.ipv4."10.0.0.1"  =  STRING:  0:26:5a:f4:1a:28     ê  IP-­‐MIB::ipNetToPhysicalPhysAddress.2.ipv6."fe:80:00:00:00:00:00:00:ca:60:00:ff:fe:e9:1a:e9“  =   STRING:  c8:60:0:e9:1a:e9  
  • 16. Build  Scripted  SNMP  Input   16     Create  a  search  that  will  find  all  network  switches,  dedup  the   hostname  or  IP,  and  write  the  hostnames/IPs  to  a  lookup  table     Create  a  simple  “for”  loop  in  a  bash  script:   for  switch  in  `cat  ../lookups/switches.csv  |  sed  “1d”`   do      echo  “Switch:    $switch      snmpwalk  –c  public  –v  2c  $switch  ipNetToPhysicalPhysAddress     done     Schedule  the  scripted  input  to  run  every  5  minutes    
  • 17. Interact  with  Nessus  6  API   17     Login  and  save  authenFcaFon  token:   –  curl  -­‐k  -­‐X  POST  -­‐H  'Content-­‐Type:  applicaFon/json'  -­‐d  '{"username":“nessus","password":“ne55us"}'  h^ps:// 10.10.10.10:8834/session  2>&1  |  grep  -­‐Po  '(?<="token":")[^"]+'     List  the  configured  scans  on  the  scanner:   –  curl  -­‐k  -­‐H  'X-­‐Cookie:  token=f99a30c7d590f07880f27aa913ee705955bcaa7b7d51e041'  h^ps://10.10.10.10:8834/scans     Launch  a  scan  with  a  list  of  dynamic  IPs:   –  curl  -­‐k  -­‐X  POST  -­‐H  'X-­‐Cookie:  token=f8f0b0821d0ef193d346a2951dbc9e28314bcf232d40e4e7'  -­‐H  'Content-­‐Type:   applicaFon/json'  -­‐d  '{"alt_targets":  [“10.10.10.1,10.10.10.2,10.10.10.3,10.10.10.4"]}'  h^ps://10.10.10.10:8834/scans/6/ launch     Export  a  scan  to  CSV  format:   –  curl  -­‐k  -­‐X  POST  -­‐H  'X-­‐Cookie:  token=f8f0b0821d0ef193d346a2951dbc9e28314bcf232d40e4e7'  -­‐H  'Content-­‐Type:   applicaFon/json'  -­‐d  '{"format":  "csv"}  '  h^ps://10.10.10.10:8834/scans/6/export   e  the  scripted  input  to  run  every  5  minutes    
  • 18. How  to  Build  It   18     On  each  scanner,  define  the  necessary  policies  and  scan  configs     Use  the  Nessus  API  to  find  the  ID  of  configured  scans     Create  a  CIDR  match  lookup  table  to  assign  Nessus  IPs  and  scan  IDs   to  hosts  or  subnets:   dest,  nessus_ip,  scan_id   “10.10.10.0/24”,”10.10.10.10”,6   “10.10.11.0/24”,”10.10.10.10”,5     Create  a  lookup  to  track  the  last  scan  Fme  for  a  MAC  address  and   seed  it  with  data  that  adds  random  padding  to  the  last_scan  Fme:   (sourcetype="nessus"  AND  signature="12053"  OR  signature="19506")  OR  sourcetype=snmp_arp  |  rex  field=_raw  "(? i)resolves  as  (?P<hostname>[^$]+)(?=.)"  |  rex  mode=sed  field=dest_mac  "s/s/:/g"|  transacFon  maxspan=1h  dest  |  eval   padding=random()/2147483648*86400  |  eval  last_scan=now()+padding  |  table  last_scan,hostname,dest,dest_mac  |   outputlookup  nessus_last_scan_lookup    
  • 19. How  to  Build  It   19     Create  a  lookup  table  to  queue  IPs  that  need  to  be  scanned     Create  a  search  that  will  check  incoming  ARP  events  against  the  last     scan  lookup,  lookup  the  scanner  IP  and  scan  ID,  and  save  those  events  to   the  queue     Create  a  scripted  input  to  iterate  through  the  Nessus  scanners,  list  the   status  of  scan  jobs  and  index  the  results     Create  a  lookup  table  to  track  completed  scan  jobs  and  export  status     Create  a  script  that  can  iterate  through  the  scan  job  lookup  table  and  use   the  Nessus  API  to  export  the  scan  in  CSV  format     Create  a  file  monitor  input  on  the  Nessus  scanner  that  will  index  all  CSV   files  found  in  each  user’s  “files”  directory    
  • 21. Why  Threat  Intel?   21     Today’s  a^ackers  are  incredibly  sophisFcated  and  agile     Threat  Intel  providers  take  the  offensive  against  hackers     Data  is  updated  more  frequently  than  tradiFonal  AV  vendors     Indicators  of  Compromise  (IOCs)  can  be  found  in  a  wide  range  of   security  data  types    
  • 22. What  is  CIF?   22     h^ps://code.google.com/p/collecFve-­‐intelligence-­‐framework/       CIF  collects,  normalizes,  qualifies,  and  categorizes  free  and   commercial  threat  intelligence  feeds     Supported  data  types:   –  File  Hashes  (MD5s)   –  IPv4  Addresses   –  Host  Names   –  Domain  Names   –  URLs  (MD5s)     v1  stores  each  category  of  threat  in  a  separate  Postgres     database  table    
  • 23. What  Data  can  it  Enrich?   23     Network  Intrusion  DetecFon  events  (IPv4,  Host/Domain  names)     Network  Flow  events  (IPv4,  Host/Domain  Names,  URL)     Proxy  Logs  (IPv4  Host/Domain  names,  URL)     Firewall  Logs  (IPv4,  URL)     Endpoint  ProtecFon  SoluFons  (File  Hash,  IPv4,  Host/Domain  names)     AnF-­‐Malware  soluFons  (File  Hash,  IPv4,  Host/Domain  names,  URL)    
  • 24. How  to  Build  It   24     Install  CIF  v1  and  configure  threat  intel  feeds     Connect  to  the  Postgres  database  using  DB  Connect  App     Create  Splunk  lookup  tables  for  each  classificaFon  type  –  botnet,   phishing,  spam,  etc.     Create  searches  to  periodically  dump  the  database  tables  into     lookup  tables     Create  automaFc  lookups  to  enhance  log  data     OpFonal:    Add  a  menu  context  item  to  check  fields  against  the  HTTP   API:    h^p://eyeis.net/2012/04/querying-­‐cif-­‐data-­‐from-­‐splunk/      
  • 25. Automated  Security   ConfiguraFon   Monitoring  with  SCAP  
  • 26. Value  and  Challenges   26     Security  configuraFon  monitoring  can  measure  the  compliance     of  systems  and  applicaFons  against  a  set  of  enterprise  security   standards     The  human  “checklist”  approach  is  slow,  expensive,  and  prone     to  error     CreaFng  customized  scripts  to  perform  configuraFon  checks  is   expensive  to  develop  and  maintain  and  difficult  to  instrument  and   report  on    
  • 27. What  is  SCAP?   27     SCAP:    Security  Content  AutomaFon  Protocol   –  XCCDF:    Extensible  ConfiguraFon  Checklist  DefiniFon  Format   –  OVAL:    Open  Vulnerability  and  Assessment  Language     Public  repositories  of  SCAP  content:   –  h^ps://web.nvd.nist.gov/view/ncp/repository   –  h^p://usgcb.nist.gov/   –  h^p://iase.disa.mil/sFgs/scap/Pages/index.aspx   –  h^ps://benchmarks.cisecurity.org/downloads/     SCAP  scanners:   –  Free:    h^p://www.open-­‐scap.org/   –  Commercial:    h^p://jovalcm.com/  
  • 28. What  Does  the  Data  Look  Like?   28     XCCDF  scan  using  OpenSCAP:   Title      Uninstall  squid  Package   Rule        uninstall_squid   Ident      CCE-­‐26977-­‐9   Result    pass       Title      Disable  snmpd  Service   Rule        disable_snmpd   Ident      CCE-­‐26906-­‐8   Result    pass     OVAL  scan  using  OpenSCAP:   DefiniFon  oval:ssg:def:959:  false   DefiniFon  oval:ssg:def:957:  true   DefiniFon  oval:ssg:def:955:  true      
  • 29. How  to  Build  It   29     jOVAL  –  Install  on  central  scanning  host   OpenSCAP  –  yum  install  openscap  openscap-­‐uFls  openscap-­‐content     Index  the  XCCDF  or  OVAL  XML  files       Extract  important  fields  from  the  rule  objects  –  id,  Ftle,  descripFon,   severity,  weight,  and  fixtext     Create  a  lookup  table  or  kvstore  containing  the  policy  name  and  the   rule  objects  above     Create  automaFc  lookup  to  enrich  scanner  logs  with  rule  data     Create  an  app  for  the  policy  files  and  scripted  inputs   !!!    You  must  change  the  file  extension  from  XML  or  you  will  break  Splunk  !!!      
  • 30. Improving  Visibility   With  Network  Flows  
  • 31. Ge‡ng  Flow  Security  Right  is  Hard   31     What  collecFon  method  to  use  –  Neflow  protocols  or     taps/SPAN  ports?     Where  to  collect  the  data  –  Internet  connecFons,  internal  switches,   or  individual  hosts?     What  flow  metrics  need  to  be  collected  for  security  or  ops?     What  flow  aggregaFon  and  filtering  method  to  use?     What  events  are  worth  sending  to  Splunk?     How  can  flows  be  used  to  complement  other  security  data?  
  • 32. What  is  Argus?   32     h^p://qosient.com/argus/     Free,  open  source  tool  capable  of  generaFng  flow  records  from  both   flow  protocols  (Neflow,  IPFIX)  and  raw  network  streams     Capable  of  capturing  all,  some,  or  none  of  the  packet  payload     Supports  a  rich  set  of  flow  metrics     Allows  tagging  of  flows  based  on  CIDR  match     Key  architecture  components:   –  argusd:    Argus  flow  collector  daemon   –  radium:    Collects  and  dedups  flows  from  mulFple  Argus  daemons   –  Argus  clients:    Individual  client  applicaFons  to  search  and  manage  Argus   data  
  • 33. What  Can  Argus  Do?   33     ralabel:    Uses  CIDR  network  and  host  matches  to  apply  labels  to   flows     radark:    Looks  for  high  numbers  of  ICMP  unreachable  messages  to   detect  scanning  behavior     rapolicy:    Monitors  network  traffic  for  violaFons  of  Cisco  ACL  rules     Using  advanced  ji^er  analysis,  Argus  can  detect  keystrokes  in   encrypted  tunnels  –  excellent  for  detecFng  back  doors     Regex  pa^ern  matching  on  payload  can  idenFfy  SSH  on  unusual   ports  
  • 34. How  to  Build  It   34     Compile  argusd  for  collecFon  servers     Compile  argus-­‐clients     Convert  Splunk  IPv4  threat  intel  lookup  table  to  Argus  label     file  format     Configure  Argus  client  searches     Create  Splunk  searches  to  index  output  of  Argus  clients     Advanced:    Use  radium  to  save  X  minutes/hours/days  of  all  flow   records  and  selecFvely  index  the  data  in  Splunk    
  • 35. But  Wait…  Who  Dunnit?   35     Argus  has  no  user  or  process  a^ribuFon  capabiliFes  –  all  its  sees  is   the  network     Enter  Sysdig  –  “Think  of  sysdig  as  strace  +  tcpdump  +  htop  +  iQop  +   lsof  +  awesome  sauce”   –  h^p://www.sysdig.org     Sysdig  is  a  Linux  kernel  module  that  can  gather  data  about:   –  User  acFvity  such  as  shell  commands  and  network  connecFons   –  Process  acFvity   –  System  performance  –  I/O,  CPU,  network,  and  memory   –  Limited  Windows/OS  X  support  
  • 36. How  to  Build  It   36     Compile  and  install  sysdig     Create  a  scripted  input  to  capture  user,  UID,  PID,  PPID,  process   names  and  arguments,  and  IP/port/protocol  data  for  each     network  connecFon:   –  sysdig  evt.type=connect  and  fd.lip!=127.0.0.1  –p”%evt.rawFme.s,%evt.type,%fd.cip,%fd.cport,%fd.sip,%fd.sport, %fd.l4proto,%proc.name,%proc.args,%proc.pid,%proc.ppid,%proc.pname,%user.uid,%user.name”Create       Create  searches  for  flow/IDS/firewall  and  sysdig  events  and  bind   them  together  with  the  “transacFon”  command     Build  alarms  and  reports  that  take  advantage  of  the     a^ribuFon  metadata  
  • 38. Making  the  Most  of  Free   38     All  of  the  ideas  presented  require  basic  Splunking  skill  –  lookups,   transacFons,  data  models,  and  database  connecFons     The  vFeed  and  CIF  projects  provide  excellent  metadata   enhancement  capabiliFes  without  consuming  your  Splunk  license     Dynamic  vulnerability  scanning  and  SCAP  scanning  can  dramaFcally   improve  vulnerability  management  with  a  trivial  license  cost     Argus  offers  a  number  of  security  client  tools  that  offer  great   visibility  with  minimal  license  consumpFon     Sysdig  allows  security  to  link  network  events  with  the  users  and   programs  responsible  for  them  
  • 39. Future  InvesFgaFons   39     Project  ArFllery:   –  h^ps://www.trustedsec.com/arFllery/     –  A  python-­‐based  low-­‐interacFon  honeypot  that  can  be  deployed  and   managed  with  Splunk     Google  Rapid  Response  (GRR)   –  h^ps://github.com/google/grr     –  A  comprehensive  incident  response  framework  that  could  be  automated   using  data  stored  in  Splunk,  such  as  Notable  Events  in  the  Enterprise   Security  app    
  • 40. Get  It  at  Github   40     h^ps://github.com/SplunkSec/.conf2015