Splunk for Enterprise Security featuring UBA Breakout Session
•
1 like•819 views
Splunk for Enterprise Security featuring UBA Breakout Session
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Splunk for Enterprise Security featuring UBA Breakout Session
Similar to Splunk for Enterprise Security featuring UBA Breakout Session (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Splunk for Enterprise Security featuring UBA Breakout Session
- 1. Copyright © 2015 Splunk Inc. Enterprise Security & UBA Overview splunklive SLC 2016 James Brodsky, Sales Engineering Manager
- 2. 2 Agenda Splunk Portfolio Update Enterprise Security 4.x User Behavior Analytics
- 3. VMware Platform for Machine Data Splunk Solutions > Easy to Adopt Exchange PCISecurity Across Data Sources, Use Cases & Consumption Models IT Svc Int Splunk Premium Solutions Rich Ecosystem of Apps ITSI UBA UBA Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop & NoSQL
- 4. 4 Splunk Releases 4 Splunk Enterprise 6.4 Enterprise Security 4.1 ES User Behavior Analytics 2.2 UBA
- 5. 5 5 Splunk Security Vision Security Markets SIEM & Compliance Security Analytics (supervised and unsupervised) Fraud & Business Risk Managed Security & Intelligence Services Splunk Security Intelligence Framework Workflow/collaboration, case management, content/intelligence syndication and Eco-system brokering
- 6. 6 Enterprise Security Provides: support for security operations/command centers Functions: alert management, detects using correlation rules (pre- built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing Persona service: SOC Analyst, security teams, incident responders, hunters, security managers Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches, dynamic baselines 6
- 7. 7 User Behavior Analytics Provides advanced threat detection using unsupervised machine learning – complements SIEMs (if any) Functions: baselines behavior from log data and other data to detect anomalies and threats Persona service: SOC Analyst, hunters Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science. 7
- 8. Copyright © 2015 Splunk Inc. Enterprise Security 8
- 9. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
- 10. Rapid Ascent in the Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 11. 11 11 App Servers Network Threat Intelligence Firewall Web Proxy Internal Network Security Endpoints Splunk as the Security Nerve Center Identity
- 12. 12 ES Fast Facts ● Current version: 4.1 released at RSA ● One release per quarter (soon) ● Content comes from industry experts, market analysis, but most importantly YOU ● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable ● ES has its own development team, dedicated support, services practice, and training courses
- 13. The best part of ES is free! ● You’ve got a bunch of systems… ● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-zone Linux AV ● Network Sandboxing ● APT Protection ● CIM = Data Normalization
- 14. Copyright © 2015 Splunk Inc. NORMALIZATION?!?
- 15. Copyright © 2015 Splunk Inc. NORMALIZATION?!? Relax. This is therefore, CIM gets applied at SEARCH TIME.
- 16. Data Normalization is Mandatory for your SOC “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et. al., Cisco CSIRT Your fields don’t match? Good luck creating investigative queries
- 17. 17 ES Evolution Q3 2014 Q4 2014 Q2 2015 ES 3.1 • Risk Framework • Guided Search • Unified Search Editor • Threatlist Scoring • Threatlist Audit ES 4.x • Breach Analysis • Integration with Splunk UBA • Splunk Security Framework • Facebook Threat ES 3.0 ES 3.2 • Protocol Intelligence (Stream capture) • Semantic Search (Dynamic Thresholding) ES 3.3 • Threat Intel framework • User Activity Monitoring • Content Sharing • Data Ingestion 2016
- 18. 18 What’s THE LATEST? 18 UBA Results Across SIEM Workflow Rapid Investigation of Advanced Threats Enhanced Insider Threat & Cyber Attack Detection ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2
- 19. 19 Threat Investigation 19 Track Actions Allow analyst to identify attacker’s activities 1 32 Collaborate Leverage Knowledge Silos Communicate Share discovered Information Adhoc Searches Dynamic Filters Timely Memos Adhoc Stats Adhoc Reports The investigation analysis and reports must also be dynamic…
- 20. 20 Open Solutions Framework Supports critical security related management framework features 20 Enterprise Security Framework • Notable Events Framework • Thereat Intelligence Framework • Risk Scoring Framework • Identity & Asset Framework Customer Apps APPs / Contents Partner Apps APPs / Contents Splunk Apps APPs / Contents • Export • Import • Share • Summarization Framework • Alerting & Scheduling • Visualization Framework • Application Framework External Instance
- 22. 22 Adaptive Response Initiative 22 1. Not a product – we have a framework app to help 2. Generally involve custom commands and workflow actions 3. Faster, better informed decisions 4. Can carry out automation manually, with confirmation, or automatically
- 23. ES Demo
- 24. Copyright © 2015 Splunk Inc. ES Questions? 24
- 26. 26 THREATS CONSTANTLY EVOLVE You never know what’s coming next.
- 27. 27 Traditional SIEM detects 1% of breaches.
- 28. 28 80,000 Information Security Analysts. 0% Unemployment.
- 29. 29 Are they all of the same caliber? Sadly, No.
- 30. 30 Even if you had all the hiring budget in the world – the staff doesn’t exist.
- 31. 31 It’s hard to know what is NORMAL.
- 32. 32 Administering and using complex tech is hard.
- 33. 33 Administering and using complex tech is hard.And, how many incidents can you handle a day?
- 34. 34 Administering complex tech=hard. INSIDER THREAT is a big problem Outsiders look like insiders!
- 35. 35 Administering complex tech=hard.DATA BREACH COST: $154 on average per record.
- 36. 36 Administering complex tech=hard.DATA BREACH COST: $154 on average per record. We’re gonna need a bigger boat.
- 37. 37 Administering complex tech=hard.DATA BREACH COST: $154 on average per record. UBA Unsupervised Machine Learning + Data Science for User/Entity Behavior Analytics
- 38. 38 Splunk UBA: Main Use Cases Advanced Cyber-Attacks Malicious Insider Threats
- 39. 39 Splunk UBA: Anomaly & Threat ModelsIce cream shops have 31 flavors…
- 40. 40 …Splunk UBA has 31+ Threat and Anomaly Models ThreatAttackCorrelation Polymorphic Attack Analysis Behavioral Peer Group Analysis User & Entity Behavior Baseline Entropy/Rare Event Detection Cyber Attack / External Threat Detection Reconnaissance, Botnet and C&C Analysis Lateral Movement Analysis Statistical Analysis Data Exfiltration Models IP Reputation Analysis Insider Threat Detection User/Device Dynamic Fingerprinting
- 41. 41 TWO UBA WORKFLOWS Guided SOC Analyst and…
- 42. 42 Hunter.
- 43. 43 OVA provided for on-prem, or bare-metal. AMI available for AWS
- 44. 44 Web Gateway Proxy Server Firewall Box, SF.com, Dropbox, other SaaS apps Mobile Devices Malware Threat Stream, FS- ISAC or other blacklists for IPs/domains Active Directory/ Domain Controller Single Sign-on HRMS VPN Identity/Auth SaaS/MobileSecurity Products External Threat Feeds Activity (N-S, E-W) OPTIONAL Netflow, PCAP AWS CloudTrail End-point IDS, IPS, AV DNS, DHCP K E YDLP, File Server/Host Logs Data Sources
- 45. 45 Web Gateway Proxy Server Firewall Box, SF.com, Dropbox, other SaaS apps Mobile Devices Malware Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains Active Directory/ Domain Controller Single Sign-on HRMS VPN Identity/Auth SaaS/MobileSecurity Products External Threat Feeds Activity (N-S, E-W) OPTIONAL Netflow, PCAP AWS CloudTrail End-point IDS, IPS, AV DNS, DHCP K E YDLP, File Server/Host Logs Data Sources Splunk Enterprise & ES preferred, but not required. UBA can be standalone!
- 46. UBA Demo
- 47. UBA Questions?
- 48. 48 SEPT 26-29, 2016 WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education! #splunkconf2016
- 49. Thank You!
Editor's Notes
- The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – log search and analytics for small IT environments Hunk – for analytics on data in Hadoop The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
- For the purposes of this discussion we’ll be talking about and seeing Splunk ES 4.1 and UBA 2.2, running on top of our current release of Splunk Enterprise 6.4.
- Splunk solutions provide capabilities across the modern security markets – from left to right – Splunk isn’t a traditional SIEM but provides SIEM capabilities via Enterprise Security. Enterprise Security also helps with various compliance regulations, and if you need a more specific approach to PCI we have a separate app just for that. Then we provide various methods for security analytics – nothing in Splunk is set in stone or tied down which is a major advantage over rigid SIEM technology. If you want to hunt through your data and create your own searches for analytics – go right ahead with Core Splunk and ES. If you’d rather have a fully curated, out of the box machine learning driven experience, or also want that – then that’s UBA. We are also finding that customers can and do leverage our platform to analyze for fraud and business risk. And finally, many of our partners are offering managed security services with our platform at the center.
- Enterprise Security is a premium app designed to be used in a SOC or incident response group, and it provides SIEM-like functions on top of the Splunk Enterprise or Splunk Cloud platform.
- UBA is very different – it is a standalone platform and doesn’t necessarily need the Splunk Enterprise platform to do what it does. We expect it to be used by SOC analysts and hunters. It is specifically designed to surface vetted threats about outside attackers and insiders, and it does this with a software appliance based approach.
- Splunk excels at creating a data fabric Machine data: Anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
- Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
- We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything. . There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
- 3.3. 3.0 was the first release done against Splunk 6 and that was a huge step forward – mainly because of the use of CIM and accelerated data models. Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless. Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable. Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem. ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
- Underneath ES, there’s this concept called the Common Information Model….This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
- …that’s evil. Normalization=bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with splunk…
- …we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
- It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the… -Date and Time -Type of action performed -Subsystem performing the action -Identifiers for the object requesting the action -Identifiers for the object providing the action -Status, outcome, or result of the action So CIM helps us get significant regularity out of similar but disparate data types. Also allows cross-domain correlation like IDS to Vuln.
- Now we understand in order for us to effectively respond to a complex breach incident investigation in a timely manner, There is constant jumping around to find evidence, / dynamic analysis actions which needs to be well organized. Because the investigation analysis and reports are so dynamic… Our goals for delivering “investigator journal and timeline” is to address the very challenges : 1. To be able to track investigator's actions 2. Clearly and accurately communicate the scope of breach / through single aggregated view 3. Leverage collective knowledge of security experienced analysts, / break down the silos, / maximizing capabilities by bringing diverse expertise into one common objective.
- So our vision was to create flexible, yet powerful. Of course open frameworks where we can nurture and embrace our overall eco-system which includes, customer, resellers, technology partners and even students who wants to develop cools features, rules, intelligent feeds etc. on top of ES. the community can easily share the knowledge or provide a mechanism to accelerate the innovation trends. Customers, vendors and third parties can create and extend the functionality of ES, and run the contents within the ES framework. The content can be imported and exported. Developers can share new apps and modules internally, / or distribute them to the Splunk community on splunkbase Content packs have access to ES specific functionality, / including notable events, the risk framework, and the identity framework.
- They have been evolving for years. Go back 15 years and we cared about viruses and worms. Then, phishing and malware and we’re concerned about that too. Malicious insider threats. Now originally we had signature based detection, and the problem there is that things change and morph and come out so quickly that we can’t keep up. There are highly paid groups of people looking to break into our customers organizations and they spend time around the clock every day trying to do that. So we apply a lot of people, process, technology to try and protect ourselves – this is a “defensive” measure.
- ASK: Are you running an existing SIEM? Just about every company invests in a SIEM, sometimes multiple. Do they work? Maybe, if you provide the right care and feeding. SIEM has over promised and under delivered. Why? Basically because SIEMs are programmed by humans to look, mostly, for known events. They use rules, These rules can be complex and quite effective, but they are only as good as the human creating the rules. Think about all of the companies that have been breached in the past few years. Do you think they didn’t have a SIEM? In the 2014 Verizon Data Breach report, it was found that only 1% of successful breaches were spotted by SIEM systems. That figure hasn’t changed much over the past few years. OWNING a SIEM is not the same as RUNNING a SIEM.
- ASK: Are you able to hire good security people? The latest Bureau of Labor Statistics show that there are about 80,000 individuals in the US with this title. Do you know how many are typically unemployed at any given time? 0%
- ASK: Are all of your SOC personnel competent at the same levels? All of those 80,000 employees are not created equal. Some hit a high bar. Others, not so much.
- Even if you have all the money in the world to hire, you often can’t hire the very talented infosec hunters you need to.
- It’s really hard to know what normal is…
- And the last thing these overworked, understaffed groups need is ANOTHER complex security tool where you have to go to training to understand how to run it or how to interpret its results.
- And the last thing these overworked, understaffed groups need is ANOTHER complex security tool where you have to go to training to understand how to run it or how to interpret its results.
- The great majority of successful breaches occur when a users credentials are compromised and then they are used to infiltrate a network, move laterally, and steal stuff. Problem is, how do you know who the “real” users are as opposed to the imposters? 100% of publicized breaches use compromised credentials. So if we can find users or systems USING these credentials…
- Compound all that with the cost of breaches, which on average is $154 in recovery costs per stolen record, and you start to understand the scope of the problem, and realize…
- …we’re gonna need a bigger boat. Because the boat we have today ain’t working all that well for us. We don’t have the time. We don’t have the resources. So let’s take a look at a bigger boat.
- We bought a company called Caspida right before Blackhat this year. They had only been around for about two years, but we were extremely impressed with their technology and vision. This technology has become Splunk UBA. Infosec and threat detection solution. Helps you find hidden threats without using rules, signatures, or human analysis. It uses behavior modeling, peer group analysis, graph models, real time statistical analysis, collaborative filtering, and other machine learning techniques.
- UBA isn’t designed to replace anything in your environment today – it supplements. It focuses on two main uses cases – detecting advanced cyber attacks, and detecting malicious insider threats. And it does this with a very high degree of confidence, automatically. Is it going to find every possible threat in your environment? Nope. But what it does find, you can feel confident in the reported results.
- I’m pretty old – when I went out for ice cream with my family as a kid we always went to Baskin Robbins.
- Now, we do add to these models, but not as quickly as you might think. The reason is – these are all behavior based, and although individual threat patterns and types change frequently, the underlying behavior of the threats does not. So when you have behavior based models you don’t need to constantly update them. We do tweak them and test them though. Modify? Not yet. But if you do have a team of data scientists that can program in Scalar and understand things like Markov probability graphs extensively, then we offer services to allow for your own models. In the future we will provide an SDK.
- When you’re in the product there are two distinct ways to use it, and this is where we have a significant advantage. There’s a wizard-like interface that steps a junior analyst through threats found, and makes recommendations as to what to do. You can click on the findings and see the raw results, too. The interface is beautiful and intuitive. This plays right in line with the need to make life as easy as possible for the tiny number of security analysts that are usually in each account. But for the hardcore geeks that want to pick through the individual anomalies…
- There’s the Hunter workflow. This is more hands on, allowing the seasoned security person to view all anomalous users, or traffic, or devices, or what have you, and use that data to hunt. You can of course drill into this data in Splunk to take things as far as you need to.
- The standard delivery is via an OVA that you install in your current vmware environment. It scales horizontally – about 5,000 EPS per appliance. You can install it on bare metal Linux if you would like. Or, you can install it as an AMI in AWS.
- The data sources that UBA expects to consume are typical, and if you’re an existing Splunk security customer, you are probably putting a lot of this in Splunk today. The more data you feed UBA, the better the analysis will be.
- And…you don’t even need to run traditional Splunk to take advantage of UBA. UBA can consume data directly via a few different methods, and connectors exist for a few of the popular SIEM technologies. Let’s see a quick demo.
- We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!