Splunk for Security Breakout Session

1. Copyright © 2015 Splunk Inc.
Security Session
Philipp Drieger
Sales Engineer

2. 2
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described orto includeany suchfeatureor functionalityina futurerelease.

3. 3
Agenda
Splunk for Security
Enterprise Security
Splunk User Behavior Analytics

4. Splunk for Security

5. 5
CYBER
CRIMINALS
MALICIOUS
INSIDERS
NATION
STATES
5

6. 6
Advanced Threats Are Hard to Find
6
Cyber Criminals
Nation States
Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
100%
Valid credentials were used
40
Average # of systems accessed
229
Median # of days before detection
67%
Of victims were notified by
external entity

7. 7 7
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Traditional
Authentication
All Data is Security Relevant = Big Data

8. 8
Solution: Splunk, The Engine For Machine Data
8
Online
Services
Web
Services
Servers
Security
GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
Applications
Messaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
Real-Time
Machine Data
References – Coded fields, mappings, aliases
Dynamic information – Stored in non-traditional formats
Environmental context – Human maintained files, documents
System/application – Available only using application request
Intelligence/analytics – Indicators, anomaly, research, white/blacklist

9. 9
Fraud
Detection
Insider
Threat
Advanced
Threat
Detection
Security &
Compliance
Reporting
Incident
Analysis &
Investigations
Real-time
Monitoring
& Alerting
Security Intelligence Use Cases
Splunk provides solutions that address SIEM use cases and more
Security &
Compliance
Reporting
Incident
Analysis &
Investigations
Real-time
Monitoring
& Alerting

10. 10 1
Example Patterns of Fraud in Machine Data
Industry Type of Fraud/Theft/Abuse Pattern
Financial Services Account takeover
Abnormally high number or dollar amounts of wire transfer
withdrawals
Healthcare Physician billing Physician billing for drugs outside their expertise area
E-Tailing Account takeover Many accounts accessed from one IP
Telecoms Calling plan abuse
Customer making excessive amount of international calls
on an unlimited plan
Online Education Student loan fraud
Student receiving federal loan has IP in “high-risk” overseas
country and is absent from online classrooms and forums

11. 11
Insider Threat
What To Look For Data Source
Abnormally high number of file transfers to USB or CD/DVD OS
Abnormally large amount of data going to personal webmail account or uploaded to external
file hosting site
Email / web server
Unusual physical access attempts (after hours, accessing unauthorized area, etc) Physical badge records / AD
Above actions + employee is on an internal watchlist as result of transfer / demotion / poor
review / impending layoff
HR systems / above
User name of terminated employee accessing internal system AD / HR systems
11

12. 12
Example of Advanced Threat Activities
1
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
Emails
to the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

13. 13
Connect the “Data-Dots” to See the Whole Story
1
Persist, Repeat
Threat intelligence
Auth - User Roles,
Corp Context
Host
Activity/Security
Network
Activity/Security
Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign
intent and attribution
Where they went to, who talked to whom, attack transmitted,
abnormal traffic, malware download
What process is running (malicious, abnormal, etc.) Process
owner, registry mods, attack/malware artifacts, patching level,
attack susceptibility
Access level, privileged users, likelihood of infection, where they
might be in kill chain
Delivery, Exploit
Installation
Gain Trusted
Access
ExfiltrationData GatheringUpgrade (escalate)
Lateral movement
Persist, Repeat
• Third-party Threat Intel
• Open source blacklist
• Internal threat intelligence
• Firewall
• IDS / IPS
• Vulnerability scanners
• Web Proxy
• NetFlow
• Network
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating System
• Database
• VPN, AAA, SSO

14. 14
Threat intelligence
Host
Activity/Security
Network
Activity/Security
Command & ControlExploitation & InstallationDelivery Accomplish Mission
Security Ecosystem for Coverage and Protection
Auth - User Roles,
Corp Context

15. 15
STIX/TAXII and Open IOC 101
• Info sharing across companies
and industries
• Standardized XML
• IOCs include IPs, web/email
domains, hashes, processes,
registry key, certificates

16. 16
Threat Intelligence in Splunk

17. 17
Sample TAXII Feeds
User Community Organisation
Cyber Threat XChange Health Information Trust Alliance
Defense Security Information Exchange Defense Industrial Base Information and Sharing
and Analysis Organization
ICS-ISAC Industrial Control System Information Sharing and
Analysis Center
NH-ISAC National Health Cybersecurity
Intelligence Platform
National Health Information and Analysis Center
FS-ISAC / Soltra Edge Financial Services Information Sharing and
Analyses Center (FS-ISAC)
Retail Cyber Intelligence Sharing Center,
Intelligence Sharing Portal
Retail Information Sharing and Analysis Center
(Retail-ISAC)
More: http://stixproject.github.io/supporters/

18. Customer Example

19. 19
Sample Nasdaq - Heartbleed

20. 20
20
Splunk Enterprise is a well thought-out solution, designed from the outset for
development and operation, and it delivers immediate results in a number of
areas.
“
SIEM General Project Manager, Finanz Informatik GmbH & Co. KG
Challenges: Existing SIEM tools did not meet security needs
– Different security information and event management (SIEM) solutions for the mainframe, network, Unix and
Windows.
– Difficult to correlate Security incidents accross variuos plaforms
Enter Splunk: One unified solution
– A single solution across platforms and functions means faster and more comprehensive investigation and
resolution of security incidents
– Guarantee Full protection of its customer data and at the same time reduce complexity, error rates and costs.
– Alerts that identify security events, authorization violations or unusual patterns of queries.
Splunk at Finanz Informatik
“ “

21. 21
Replacing a SIEM @ Cisco
21
We moved to Splunk from traditional SIEM as Splunk is designed and
engineered for “big data” use cases. Our previous SIEM was not and simply
could not scale to the data volumes we have.
““
Gavin Reid, Leader, Cisco Computer Security Incident Response Team
Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM

22. Enterprise Security

23. 23

24. 24
1Risk-based
security
Fast Incident Review and Investigation

25. 25
1Risk-based
security
Continuous Monitoring for Security Domains
2

26. 26
Visual Investigations—Kill Chain

27. 27
Visual investigations—Kill Chain

28. 28

29. 29

30. 30

31. 31
Spot Suspicious Access
• Simultaneous logins for single
user occurring at two distant
locations
• Concurrent application access –
password sharing or theft

32. 32

33. 33

34. 34
Outlook: New Features in Enterprise Security 4.0
Optimize multi-step
analyses to improve breach
detection and response
Extensible Analytics &
Collaboration
INVESTIGATION COLLABORATION
• Investigator Journal
• Attack & Investigation Timeline
• Open Solutions Framework
• Framework App : PCI

36. User Behavior Analytics

37. ENTERPRISE CHALLENGES
THREATS
PEOPLE
EFFICIENCY
Cyber Attacks, Insider
Threats, Hidden,
Or Unknown
Availability of
Security Expertise
Too Many Alerts And
False Positives

38. 38
Majority of the
Threat Detection Solutions
focus on the KNOWNS.
UNKNOWNS?
What about the

39. OLD PARADIGM
SIGNATURES
RULES HUMAN
ANALYSIS

40. DATA-SCIENCE DRIVEN
BEHAVIORAL ANALYTICS
BIG DATA
DRIVEN
SECURITY
ANALYTICS
MACHINE
LEARNING
A NEW PARADIGM

41. MAPPING RATs
TO
ACTIONABLE KILL-CHAIN
A
W
N
O
M
A
L
I
E
S
H
R
E
A
T

42. ADVANCED CYBER ATTACKS
SPLUNK UBA detects
& INSIDER THREATS
with BEHAVIORAL THREAT DETECTION

43. SECURITY ANALYTICS
ADVANCED

45. 45
SECURITY ANALYTICS
KILL-CHAIN
HUNTER
KEY WORKFLOWS - HUNTER
 Investigate suspicious users, devices,
and applications
 Dig deeper into identified anomalies
and threat indicators
 Look for policy violations

48. 48
THREAT DETECTION
KEY WORKFLOWS – SOC ANALYST
SOC ANALYST
 Quickly spot threats within your
network
 Leverage Threat Detection workflow
to investigate insider threats and
cyber attacks
 Act on forensic details – deactivate
accounts, unplug network devices, etc.

52. 52
INSIDER THREAT
5
USER ACTIVITIES RISK/THREAT DETECTION AREAS
John logs in via VPN from 1.0.63.14
Unusual Geo (China)
Unusual Activity Time3:00 PM
Unusual Machine Access
(lateral movement; individual +
peer group)
3:15 PMJohn (Admin) performs an ssh as root to a new
machine from the BizDev department
Unusual Zone (CorpPCI) traversal
(lateral movement)3:10 PM
John performs a remote desktop on a system as
Administrator on the PCI network zone
3:05 PM Unusual Activity Sequence
(AD/DC Privilege Escalation)
John elevates his privileges for the PCI network
Excessive Data Transmission
(individual + peer group)
Unusual Zone combo (PCIcorp)
6:00 PMJohn (Adminroot) copies all the negotiation docs
to another share on the corp zone
Unusual File Access
(individual + peer group)3:40 PM
John (Adminroot) accesses all the excel and
negotiations documents on the BizDev file shares
Multiple Outgoing Connections
Unusual VPN session duration (11h)11:35 PMJohn (Adminroot) uses a set of Twitter handles to
chop and copy the data outside the enterprise

53. 53
EXTERNAL ATTACK
5
USER ACTIVITIES RISK/THREAT DETECTION AREAS
Peter and Sam access a malicious website. A
backdoor gets installed on their computers
Malicious Domain (AGD)
Unusual Browser HeaderNov 15
Unusual Machine Access for Peter
(lateral movement; individual + peer group)Dec 10The attacker logs on to Domain Controller via
VPN with Peter’s stolen credentials from 1.0.63.14
Unusual Browser Header for Peter
and SamNov 16
The attacker uses Peter and Sam’s backdoors to
download and execute WCE to crack their password
Nov 16 Beacons for Peter and Sam to
www.byeigs.ddns.com
Peter and Sam’s machines are communicating
with www.byeigs.ddns.info
Unusual Machine Access for Sam
Unusual File Access for Sam
(individual + peer group))
Dec 10
The attacker logs in as Sam and accesses all excel
and negotiations docs on the BizDev shares
Unusual Activity Sequence of Admin for
Sam (AD/DC Privilege Escalation)Dec 10
The attacker steals the admin Kerberos ticket from
admin account and escalates the privileges for Sam.
Excessive Data Transmission for Peter
Unusual VPN session durationJan 14The attacker VPNs as Peter, copies the docs to an
external staging IP and then logs out after 3 hours.

54. Copyright © 2015 Splunk Inc.
Thank You! – Q&A