The document discusses security analytics methods for detecting threats using Splunk software. It covers common security challenges, types of analytics methods, and applying analytics to stages of an attack. The agenda includes an introduction to analytics methods, an overview of Splunk Security Essentials, a demo scenario of detecting a malicious insider, and next steps involving Enterprise Security and Splunk UBA. The demo scenario shows detecting large file uploads from Box to detect an insider exporting sales proposals. The summary recommends starting with Splunk Security Essentials, then leveraging Enterprise Security and UBA for advanced machine learning detection and automated response.

1. © 2017 SPLUNK INC.
Intro to Security Analytics Methods
Lorenzo INVERNIZZI I Sales Engineer
SESSIONE 3

2. © 2017 SPLUNK INC.
1. Intro to Analytics Methods
2. Splunk Security Essentials Overview
3. Demo Scenario
4. Next step
Agenda

3. © 2017 SPLUNK INC.
Common Security Challenges
Malicious
Insiders
Advanced
External
Attackers
Commodity
Malware

4. © 2017 SPLUNK INC.
First Time Seen
powered by stats
Time Series Analysis
with Standard Deviation
General Security
Analytics Searches
Analytics Methods
Types of Use Cases

5. © 2017 SPLUNK INC.
Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

6. © 2017 SPLUNK INC.
Detection of Suspicious Email Activity

7. © 2017 SPLUNK INC.
Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

8. © 2017 SPLUNK INC.
Verifying Malware Infection

9. © 2017 SPLUNK INC.
Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

10. © 2017 SPLUNK INC.
Identifying Exfiltration and/or Command and Control

11. © 2017 SPLUNK INC.
Implementation Approach for Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules

12. © 2017 SPLUNK INC.
The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence

13. © 2017 SPLUNK INC.
Splunk Security
Essentials Overview

14. © 2017 SPLUNK INC.
Download Splunk Security Essentials

15. © 2017 SPLUNK INC.
Where Can I Install Splunk Security Essentials?
Survey Results: Have You Tried to Install the App?
Tried and Failed
Installed in Dev
Installed in Production
Installed in Distributed Environment
Installed in a SHC Environment
Your
Laptop!
Your
Production
Environment!
All Kinds of
Production
Environments!
Your Dev
Environment!

16. © 2017 SPLUNK INC.
▶ You can think about operational
maturity in terms of data
▶ Start with the basics – get your
data into a single location
▶ Then work your way up the stack
▶ Not sure how to start? Yes, there
is an app for that
Looking at Security in Terms of Data

17. © 2017 SPLUNK INC.
▶ Identify bad guys:
• 300+ security analytics methods
• Target external and insider threats
• Scales from small to massive companies
• Save from app, send hits to ES/UBA
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
Solve use cases you can today for free, then
use Splunk UBA for advanced ML detection.

18. © 2017 SPLUNK INC.
▶ Download from apps.splunk.com
▶ Browse use cases that match
your needs
▶ Data Source Check shows other use
cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Getting Started with Splunk Security Essentials

19. © 2017 SPLUNK INC.
Demo Scenario

20. © 2017 SPLUNK INC.
▶ No proxy
▶ No standard file servers
▶ No agents on laptop
▶ Cloud Services with their own APIs
How would you detect that?
Monitoring Challenges

21. © 2017 SPLUNK INC.
▶ Actor:
Malicious Insider (because it’s hardest)
▶ Motivation:
Going to work for competitor
▶ Target:
Accounts, Opportunities, Contacts in Salesforce
▶ Additional Target:
Sales Proposals in Box
▶ Exfiltration:
Upload to a remote server
Apply Splunk to Real Life Scenario
Malicious Insider
Chris Geremy
Director of Finance
* Photo of Splunker, I promise she is not a malicious insider

22. © 2017 SPLUNK INC.
▶ Ingest Salesforce Event Log File
• https://splunkbase.splunk.com/app/1931/
▶ Ingest Box Data
• https://splunkbase.splunk.com/app/2679/
▶ Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
▶ Schedule Salesforce use cases
▶ Build a custom Box use case
Set Up Monitoring
About 1 Hour of Work

23. © 2017 SPLUNK INC.
▶ Do you want to build your own
detections like this?
▶ What if your environment is
totally custom?
▶ No product has ever worked
out of the box, and that’s why
you like Splunk, right?
We’ve got you.
But My Company Is So Custom
Click Assistants, then “Detect Spikes”

24. © 2017 SPLUNK INC.
▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations

25. © 2017 SPLUNK INC.
▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations
Got Her!

26. © 2017 SPLUNK INC.
Next Steps

27. © 2017 SPLUNK INC.
▶ Enterprise Security has a Risk Framework designed
for aggregating low severity indicators
Aggregate Alerting with ES Risk

28. © 2017 SPLUNK INC.
▶ Splunk UBA Threat Models leverage
Data Science, Machine Learning
▶ Finds important, inter-related
anomalies that analysts should
actually view
▶ Support more advanced
anomaly detections!
Apply Machine Learning With Splunk UBA

29. © 2017 SPLUNK INC.
▶ High Confidence alerts from UBA fed into ES
▶ Take actions like
• Box: “Change Permissions”
• AD: “Reset Password” or “Disable Account”
• PAN: Isolate Host
▶ 40+ partners!
Respond With ES Adaptive Response

30. © 2017 SPLUNK INC.
Wrap Up

31. © 2017 SPLUNK INC.
▶ Splunk Security Essentials shows you new
detection use cases
▶ Ultimately it just uses Splunk Enterprise – power
of the platform!
▶ You can build your own use cases easily!
▶ As you advance, look to ES or UBA to improve
threat detection
What Did We
Cover?

32. © 2017 SPLUNK INC.
Splunk Security Portfolio
Splunk Enterprise
Detection
Human-driven
• Log Aggregation
• Splunk Security Essentials
• Rules, statistics, correlation
Realm of
Known
Enterprise Security
Response
• OOB key security metrics
• Incident response workflow
• Adaptive response
Splunk UBA
Detection
ML-driven
• Risky behavior detection
• Entity profiling, scoring
• Kill chain, graph analysis
Realm of
Unknown

33. © 2017 SPLUNK INC.
Slow Response
from Basic Alerts
Fast Response from
Advanced Alerts
Managing Alert Volume vs Value
Use Low
Volume
Searches
Splunk ES
Risk
Framework
Splunk UBA
Threat
Models
UBA + ES
Adaptive
Response

34. © 2017 SPLUNK INC.
Use Low
Volume
Searches
Splunk ES
Risk
Framework
Splunk UBA
Threat
Models
UBA + ES
Adaptive
Response
Managing Alert Volume vs Value
Everyone starts here, and spends most of their time here

35. © 2017 SPLUNK INC.
▶ Download from apps.splunk.com
▶ Find use cases that match your
needs
▶ Data Source Check shows other
use cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Go Get Started With Splunk Security Essentials!
[01] [01]

36. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
GRAZIE