Splunk EMEA Webinar: Scoping infections and disrupting breaches
•Download as PPTX, PDF•
0 likes•543 views
This document discusses best practices for scoping infections and disrupting breaches. It outlines the necessary data sources like network endpoint, access/identity, and threat intelligence data. It describes capabilities for monitoring, alerting, investigating incidents, and detecting threats. The document demonstrates investigating a breach example using the attack kill chain. It recommends establishing a security intelligence platform to connect and analyze security-related data from multiple sources. Lastly, it promotes the upcoming Splunk conference and training opportunities.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Splunk EMEA Webinar: Scoping infections and disrupting breaches
Similar to Splunk EMEA Webinar: Scoping infections and disrupting breaches (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Splunk EMEA Webinar: Scoping infections and disrupting breaches
- 1. Copyright © 2014 Splunk Inc. Best Practices for Scoping Infections and Disrupting Breaches
- 2. Legal Notices During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. 2
- 3. Today’s Speakers 3 Filip Wijnholds – Security Ninja – Splunk Matthias Maier • Product Marketing Manager Security • Splunk
- 4. General Information about Webinars • After the webinar you’ll get an E-Mail containing: • Recording of the Webinar • Link to Slideshare with this Presentation • Ask your questions during the Webinar and we will go through them in a Q&A Session at the End
- 5. IT Operations Application Delivery Developer Platform (REST API, SDKs) Business Analytics Industrial Data and Internet of Things 5 Delivers Value Across IT and the Business Business Analytics Industrial Data and Internet of Things Security, Compliance and Fraud
- 6. 6 Single Platform for Security Intelligence SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECT UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Splunk Complements, Replaces and Goes Beyond Existing SIEMs
- 7. Source: Mandiant M-Trends Report 2012/2013/2014 67% Victims notified by an external entity 100% Valid credentials were used 229 Median # of days before detection The Ever-Changing Threat Landscape
- 8. Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 9. Threat IntelligenceNetwork Endpoint Access/Identity Data Sources Required
- 10. Persist, Repeat Threat Intelligence Access/Identity Endpoint Network Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain • Third-party threat intel • Open-source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO Data Sources Required • Web proxy • NetFlow • Network
- 11. Capabilities—Scoping Infections and Breaches 11 Report and Analyze Custom Dashboards Monitor and Alert Ad hoc Search Threat Intelligence Asset & CMDB Employee Info Data Stores Applications Raw Events Online Services Web Services Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices Firewall Authentication Threat Intelligence Servers Endpoint
- 12. Capabilities—Scoping Infections and Breaches Analytics Context and Intelligence Connecting Data and People
- 13. The Journey starts at trivial… 13 A hit against Threat Intelligence Dropped files, spawned processes PDF Origin, Compromised website, campaign identified Weaponized PDF (easy to evade) Out of scope for this demo Brute force, Phishing email,
- 14. Kill Chain—Breach Example http (web) session to command & control server Remote control Steal data Persist in company Rent as botnet WEB Delivery Exploitation Installation C2 Actions on Objectives .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Threat Intelligence Access/Identity Endpoint Network
- 15. Demo
- 16. Demo Review Challenges – Difficult to go from threat-intel match to root cause – Hard to determine – was there a breach? Sources – Threat intel – open source threat intel feed – Network – web proxy logs, email logs – Endpoint – endpoint monitoring agent – Access/identity – asset management database Finding the root cause: connecting the dots – Match the threat-intel IP to network data to identify the infected machine – Identify the malicious process by mapping network data to endpoint data – Discover the infected email by matching local file access to email data
- 17. Best Practices—Breach Response Posture Bring in data from at least one from each category: – Network – next gen firewall or web proxy, email, DNS – Endpoint – Windows logs, registry changes, file changes – Threat intelligence – open source or subscription based – Access and identity – authentication events, machine-user mapping Establish a security intelligence platform so analysts can: – Contextualize events, analytics and alerts – Automate analysis and exploration – Share techniques and results to learn and improve
- 18. Compromise is unavoidable. Breaches are preventable. 18
- 19. Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 21. Thousands of Global Security Customers
- 22. Incident Troubleshooting and Improved Security • Established distributed search, alerting, event correlation and proactive monitoring for security • Health monitoring using baselines to identify anomalies and issues before they become problems • Quick and easy troubleshooting of business-critical issues “Traditional monitoring tools just tell you when something isn’t working. With Splunk, we can now proactively manage operations and respond before an outage occurs or service erodes.” — Security Architect, Telenor
- 23. • Centralize, monitor and analyze security-related data • Investigate incidents and detect advanced threats • Comply with Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) Splunk Enterprise Selected as Symantec’s Security Investigation Platform “With today’s threat landscape, it’s critical that we react quickly to identify and respond to any type of threat, especially advanced threats that continue to increase in complexity.” — Chief Security Officer, Symantec
- 24. SEPT 26-29, 2016 WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT and Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room and Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education!
- 25. Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 26. Copyright © 2014 Splunk Inc. Thank You / Q&A Questions later? Twitter @fwijnholds E-mail: fwijnholds@splunk.com
Editor's Notes
- Both IT and business professionals can analyze machine data to get real-time visibility and operational intelligence. With our platform for machine data, organizations can meaningfully improve their performance in a wide range of areas e.g. meet service levels, reduce costs, mitigate security risks, maintain compliance and gain insights.
- Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
- There are three numbers in the cyber security statistics are very telling, and we should pay close attention to: 100% of breaches are done using valid credentials; And it still takes average 229 days to detect a breach; With all security technologies deployed in the enterprises, there are still 67% of , which represents 2 out 3, breaches are first reported to the enterprise by a 3rd parties (FBI, SS)
- You want visibility where the adversary manifests itself. Imagine a malicious email that gives delivered. what are the places you can detect it ? And respond to the breach ? Network – network based attack, lateral movement, exfiltration Endpoint – malware exploitation – data gathering, launch point Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach Authentication – the basis of lateral movement and access to assets, intellectual property You derive this rationale from the activity in your in your environment. Fusing it with the knowledge of those who have broader vantage points. And then contextualizing it with business information. Lets talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to splunk, I was a splunk customer…. And this strategy works… Lets dive into this…
- The capabilities required to distinguish an infection from a breach Why is it important to preserve an event?
- Risk Based Analytics to Align Security Operations With the Business Risk scoring framework enhances decision making by applying risk score to any data Quickly and easily assign any KSI or KPI to any event to produce risk scores Expose the contributing factors of a risk score for deeper insights Visualize and Discover Relationships for Faster Detection and Investigation Visually fuse data, context and threat-intel across the stack and time to discern any context Pre-built correlations, alerts and dashboards for detection, investigation and compliance Workflow actions and automated lookups enhance context building Enrich Security Analysis with Threat Intelligence Automatically apply threat intelligence from any number of providers Apply threat intelligence to event data as well as wire data Conduct historical analysis using new threat intelligence across all data
- Use the animation to talk to the Zeus attack scenario described in the Zeus demo. Reconn – find vulnerability, find method most likely to gain access – locate vulnerable server with .pdf Reconn - Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf) Weaponization - Attacker creates malware and packages up in pdf and names it the same document as that on the portal (look like a good document) Delivery - Attacker spoofs (use technique to send email that looks like it’s coming from an employee of the company) a company employee email and sends to several targets at the company Exploitation – User (all it takes is one) reads email, open the attachment, exploits a vulnerable in a document reader that allows programs to run Installation – program installs several programs that over-write “good” programs on the computer – the calculator program – calc.exe Installation – calc.exe spans svchost.exe, a generic program on windows machines Command and Control – svchost.exe establishes communication to remote command and control server. Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
- Contextualization and exploration is automatic – you saw this in the field discovery menu Raw events without modification or changes – so you can auto-extract and search adhoc and tie things together as you see fit Nothing to join Create a search
- Over 2500 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use for security/compliance.
- Industry • Telecommunications Splunk Use Cases • IT operations management • Security Challenges Needed to gain operational visibility into distributed infrastructure Wanted to improve inter-departmental collaboration Needed to address potential security and privacy breaches Laborious manual processes did not scale Splunk Products • Splunk Enterprise Data Sources Infrastructure logs: Network switch and firewall logs Server logs: Linux, Windows and Unix Application logs: Web, email, IPTV, etc. IP backbone: router logs Storage: SAN and NAS logs Mobile network logs Case Study http://www.splunk.com/en_us/customers/success-stories/telenor.html Speak: Founded in 1855, Telenor, Norway’s largest telecom services provider, has over 150 years of telecoms experience, including fixed and mobile telephony, broadband and data communication. Telenor’s customers rely on it to provide always-on voice, data and content services. The company needed to gain operational visibility into its distributed infrastructure and streamline processes for incident investigation and network monitoring. Since deploying Splunk Enterprise, Telenor has seen benefits including: Quick and easy troubleshooting of business-critical issues Faster and stronger security Increased availability
- Industry: Technology Use case: Security, PCI Members of the Splunk Team are in Berlin, Germany, too. Press Release: http://www.splunk.com/en_us/newsroom/press-releases/2014/splunk-enterprise-selected-as-symantecs-security-investigation-platform.html
- We’re headed to the East Coast! Product launches for all major products 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!