Copyright © 2015 Splunk Inc.
Why Threat Data is Cool
About Me
Brian Fennimore – Manager of Security Operations at Virtustream
– Now EMC
– Now Dell
14 years of experience in IT and Security
6-year Splunk user
My favorite Splunk T Shirt
– “See your world. Maybe wish you hadn’t.”
About Virtustream
Enterprise-class cloud software and services provider
Strong focus on delivering on security, compliance, performance and efficiency requirements
Service catalog includes SAP, ERP, CRM and other complex, mission-critical enterprise applications
Multiple industries served, including Enterprise, Service Provider, Government, Financial Services and Healthcare
How Virtustream Uses Splunk
- “Source of truth” for centrally indexing log / event data
- Single pane of glass for tracking metrics and KPIs (e.g. MTTR)
- Automation of compliance reporting – internal and regulatory
- Security – service and internal, including enrichment via threat data
Threat Data
Information that identifies a threat in a specific and usable manner
• E.g. IP address | Malicious URL | etc…
• Sometimes called “Threat Intelligence” “Threat Feeds”
• Tons of sources (free and pay)
• Quality > Quantity
– Both can be handy
– Prevention > Detection (do both | AND detect the preventions)
• Make your own
– Honeypots | Log inspection | etc…
• Where does it fit in?
Prime Directive
All/Most of our efforts should associate to something here
Understand, manage and reduce risk
[Diagram labels: Common | Focus | Volatile | Plentiful | Institutional]
Risk = f(vulnerability, threat, impact)
Quantify the Qualitative
Risk = f(V,T,I)
• Vulnerability
– Find ‘em – Track ‘em – Fix ‘em – fast – No more small vulnerabilities. Just vulnerabilities.
• Threat
– Actors, conditions, friendly people (mistakes)
• Impact
– Confidentiality – Keep those secrets secret
– Integrity – Is that thing really that thing? Non-repudiation
– Availability – uptime | quality uptime
FURTHER READING: http://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
How is threat data cool?
• What do I do with all this data?
– IP Address
– DNS Name
– File Hash
• High quality (block it, redirect it, auto-mitigate)
• Low quality (Alert, warrants further investigation)
• Better to prevent vs. detect. But always detect.
Threat Data Consumption
We have the data, now what?
• IP Address
– Block it (firewall policy/API, null route, other… tons of ways to block/drop an IP)
– Alert (You have Splunk, yes? | You have flows, yes?)
• DNS Name
– Control your local resolvers
– Block it - BlackHole DNS http://www.malwaredomains.com/bhdns.html
– Alert – BIND has some pretty cool logging available
• File Hash
– Vuln Scanner? HIPS? Forensics tools? Some custom scripting?
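The DNS-name branch above (control your resolvers, blackhole the name, alert off BIND's query log) is the one most people leave at the idea stage, so here is a worked version of it. This is an added example, not code from the slides or from Virtustream: it parses BIND 9 query-log lines, matches the queried name against a DNS-name threat list (including subdomains, the way a sinkhole zone would), and emits the named.conf stanzas a blackhole list uses. The blocked domains and log lines are constructed; the zone-file path is an assumption.

```python
"""Match BIND query-log lines against DNS-name threat indicators.

Added example, not from the original slides. The blocked-domain list and the
query-log lines are constructed; the line layout follows BIND 9's 'queries'
logging category, which varies a little between versions (the regex tolerates
the optional '@0x...' client pointer newer releases print).
"""
import re
from typing import Iterable, List, Optional, Tuple

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

BLOCKED_DOMAINS = ["evil.example.com", "bad-cdn.example.net"]  # constructed feed

SAMPLE_QUERY_LOG = [  # constructed
    "01-Dec-2015 10:01:02.123 client 10.0.0.5#53211 (evil.example.com): "
    "query: evil.example.com IN A + (192.168.1.1)",
    "01-Dec-2015 10:01:03.456 client @0x7f3a1c0 10.0.0.7#40122 (update.bad-cdn.example.net): "
    "query: update.bad-cdn.example.net IN TXT +E(0)K (192.168.1.1)",
    "01-Dec-2015 10:01:04.789 client 10.0.0.9#51000 (www.example.org): "
    "query: www.example.org IN AAAA + (192.168.1.1)",
    "01-Dec-2015 10:01:05.000 client 10.0.0.9#51001 (notevil.example.com): "
    "query: notevil.example.com IN A + (192.168.1.1)",
    "01-Dec-2015 10:01:06.000 general: info: zone 0.in-addr.arpa/IN: loaded serial 0",
]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot: 'Evil.Example.COM.' -> 'evil.example.com'."""
    return name.rstrip(".").lower()


def match_indicator(qname: str, blocked: Iterable[str]) -> Optional[str]:
    """Return the indicator that covers qname, or None.

    An indicator covers the name itself and every subdomain of it, which is how
    a blackhole zone behaves. The check is label-aligned, so a blocked
    'evil.example.com' does NOT match 'notevil.example.com'.
    """
    q = normalize(qname)
    for ind in blocked:
        i = normalize(ind)
        if q == i or q.endswith("." + i):
            return i
    return None


def scan_query_log(lines: Iterable[str], blocked: Iterable[str] = BLOCKED_DOMAINS
                   ) -> List[Tuple[str, str, str]]:
    """(client_ip, queried_name, matched_indicator) for every hit; non-query lines are skipped."""
    blocked = list(blocked)
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = match_indicator(m.group("qname"), blocked)
        if ind:
            hits.append((m.group("src"), normalize(m.group("qname")), ind))
    return hits


def blackhole_zone_stanzas(blocked: Iterable[str],
                           zone_file: str = "/etc/bind/blackhole.db") -> str:
    """named.conf stanzas making the local resolver authoritative for each blocked
    name, so clients get the sinkhole record from zone_file instead of the real
    answer (the blackhole pattern of the linked malwaredomains list; the zone_file
    path is an assumption)."""
    return "\n".join(
        f'zone "{normalize(d)}" {{ type master; file "{zone_file}"; }};' for d in blocked
    )


if __name__ == "__main__":
    for src, qname, ind in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"ALERT client {src} resolved {qname} (indicator {ind})")
    print(blackhole_zone_stanzas(BLOCKED_DOMAINS))
```

The client address in the hit is the point: a sinkhole stops the connection, but the query log tells you which host asked, which is the "detect the preventions" half of the slide.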
The File Hash
• Not too invasive
• Frequent enough to be useful
• Is there a decent list somewhere? NSRL, VirusTotal, many others.
• White list | Black list | Gray list
FURTHER READING: http://www.nsrl.nist.gov/ National Software Reference Library
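The white/black/gray split above is easy to get subtly wrong (checking the allow list first, or only publishing one hash type), so here is a small worked version. It is an added example, not from the slides: it hashes a file, checks a blacklist before a whitelist, and treats anything on neither as gray, i.e. a candidate for further investigation. The lists and file bytes are constructed; the "known good" SHA-1 is simply that of the bytes b"abc" and the "known bad" MD5 that of an empty file, standing in for an NSRL entry and a feed hash.

```python
"""Classify files by hash against white/black lists (added example; not from the slides).

The whitelist stands in for an NSRL-style known-good set and the blacklist for a
threat feed of known-bad hashes; both are constructed here, as are the file bytes.
"""
import hashlib
from typing import Dict, Set, Tuple

# Constructed lists, keyed by algorithm because feeds publish different hash types.
KNOWN_GOOD: Dict[str, Set[str]] = {"sha1": {"a9993e364706816aba3e25717850c26c9cd0d89d"}}  # sha1(b"abc")
KNOWN_BAD: Dict[str, Set[str]] = {"md5": {"d41d8cd98f00b204e9800998ecf8427e"}}  # md5(b"")

SAMPLE_FILES = {"good.bin": b"abc", "bad.bin": b"", "unknown.bin": b"hello"}  # constructed


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 (what NSRL and most feeds publish) plus SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(data: bytes, whitelist: Dict[str, Set[str]], blacklist: Dict[str, Set[str]]
             ) -> Tuple[str, str]:
    """Return (verdict, reason).

    black : any hash is on the blacklist. Checked FIRST: a known-bad hash that also
            shows up on a whitelist is a whitelist problem, not a reason to trust it.
    white : any hash is on the whitelist.
    gray  : unknown to both -> warrants further investigation.
    """
    h = file_hashes(data)
    for algo, digest in h.items():
        if digest in blacklist.get(algo, set()):
            return "black", f"{algo}:{digest}"
    for algo, digest in h.items():
        if digest in whitelist.get(algo, set()):
            return "white", f"{algo}:{digest}"
    return "gray", "no list match"


def triage(files=SAMPLE_FILES, whitelist=KNOWN_GOOD, blacklist=KNOWN_BAD) -> Dict[str, str]:
    """Verdict per file name; the gray ones are what you hand to the investigator."""
    return {name: classify(data, whitelist, blacklist)[0] for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:5} {name}")
```

In practice the whitelist is the large one (NSRL) and the blacklist the small, volatile one, which is why the gray bucket, not the black one, is where most of the analyst time goes.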
Enter Ziften
• Splunk>Live! Philadelphia (July 2015)
– See? Lots of great things happen at these gatherings
• Lightweight agent (less than 1MB)
• Grabs processes/daemons
• Grabs associated files and network traffic
• Lovely Splunk TA
• Sends meta-data to central location
– Ziften Agent -> Ziften Server -> Splunk
  OR
– Ziften Agent -> Splunk
OTX Detection x IP address x Binary
FURTHER READING: https://www.alienvault.com/open-threat-exchange
Network Connecting Binary x Port
Vulnerable Binaries (NVD)
FURTHER READING: https://nvd.nist.gov/download.cfm
Ziften > Splunk
sourcetype=ziften* hoursago=1 | fillnull imagefilemd5,imagefilepath | table imagefilemd5,imagefilepath
But, does it work?
• Use cases
– Lookup tables and the CIM
• Real life examples
– Customer XYZ and their three hosts
dest=* | lookup local=true vtdata threatip AS dest | search lastseen=* | fillnull src,dest, lastseen | stats count by sourcetype, src, dest, lastseen | sort - lastseen
# ./update-threats.sh
threatip,lastseen
59.90.86.210,
78.153.149.219,
199.59.243.119,2014-12-12
199.59.243.120,2015-12-01
FURTHER READING: http://docs.splunk.com/Documentation/CIM/latest/User/Overview
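To make the lookup above concrete, and to tie it back to the high-quality/low-quality split from the "How is threat data cool?" slide, here is the same pipeline in Python. It is an added example, not the slide's own code: it joins each event's CIM `dest` against the `threatip,lastseen` table, counts by sourcetype, src, dest and lastseen, sorts newest first, and then uses indicator age to decide block versus alert. The lookup rows are the ones printed above; the events are constructed. One deliberate difference from the SPL: hits whose lastseen cell is blank (the first two rows of the feed) are kept and filled with "NULL" rather than relying on what `search lastseen=*` does with an empty cell, so an undated indicator is never silently dropped.

```python
"""Python equivalent of the slide's lookup pipeline (added example, not the slide's
code): join event dest against the threatip,lastseen CSV, count by sourcetype,
src, dest, lastseen, sort newest-first, then pick block vs alert from indicator age.

VTDATA_CSV holds the rows printed on the slide; EVENTS are constructed CIM-style events.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

VTDATA_CSV = """threatip,lastseen
59.90.86.210,
78.153.149.219,
199.59.243.119,2014-12-12
199.59.243.120,2015-12-01
"""

EVENTS = [  # constructed
    {"sourcetype": "cisco:asa", "src": "10.1.1.20", "dest": "199.59.243.120"},
    {"sourcetype": "cisco:asa", "src": "10.1.1.20", "dest": "199.59.243.120"},
    {"sourcetype": "netflow", "src": "10.1.1.21", "dest": "199.59.243.119"},
    {"sourcetype": "netflow", "src": "10.1.1.22", "dest": "59.90.86.210"},
    {"sourcetype": "netflow", "src": "10.1.1.22", "dest": "8.8.8.8"},  # not on the list
]

FILL = "NULL"  # what fillnull substitutes for a missing value


def load_lookup(text: str) -> Dict[str, Optional[str]]:
    """threatip -> lastseen, None where the feed left the cell blank."""
    return {r["threatip"].strip(): (r["lastseen"].strip() or None)
            for r in csv.DictReader(io.StringIO(text))}


def lookup_matches(events: List[dict], table: Dict[str, Optional[str]]
                   ) -> List[Tuple[str, str, str, str, int]]:
    """lookup vtdata threatip AS dest | fillnull | stats count by sourcetype,src,dest,lastseen | sort - lastseen
    Returns (sourcetype, src, dest, lastseen, count), newest lastseen first, filled rows last."""
    counts: Counter = Counter()
    for e in events:
        dest = e.get("dest")
        if dest not in table:
            continue  # not a threat-list hit
        key = (e.get("sourcetype") or FILL, e.get("src") or FILL, dest, table[dest] or FILL)
        counts[key] += 1
    rows = [k + (n,) for k, n in counts.items()]
    # ISO dates sort correctly as strings; the (is_dated, date) key pushes FILL rows to the end.
    rows.sort(key=lambda r: (r[3] != FILL, r[3]), reverse=True)
    return rows


def action_for(lastseen: Optional[str], today: date, max_age_days: int = 90) -> str:
    """Quality decides the response: a recently seen indicator is high quality and
    can be auto-blocked; an undated or stale one only warrants an alert.
    The 90-day threshold is an assumption, not something the slides specify."""
    if lastseen in (None, FILL):
        return "alert"
    age = (today - datetime.strptime(lastseen, "%Y-%m-%d").date()).days
    return "block" if age <= max_age_days else "alert"


def triage(events=EVENTS, csv_text=VTDATA_CSV, today=date(2015, 12, 15)):
    """Matched rows with the recommended action appended."""
    return [r + (action_for(r[3], today),)
            for r in lookup_matches(events, load_lookup(csv_text))]


if __name__ == "__main__":
    for st, src, dest, lastseen, n, act in triage():
        print(f"{act:5} {st:10} {src} -> {dest}  lastseen={lastseen} count={n}")
```

Run against the sample events, the 2015-12-01 indicator is blocked, the 2014-12-12 one and the undated one only alert; that aging decision is what separates "block it" from "warrants further investigation" on the earlier slide.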
What’s next
• Information sharing across a trusted community
• Spirit of CISA with benevolent ends
• More options for Threat Data Consumption
FURTHER READING: https://www.congress.gov/bill/114th-congress/senate-bill/754/text
Threat data is really cool
Information that identifies a threat in a specific and usable manner
What is the return?
– Direct reduction of risk
– Greater visibility, from a different angle (new perspective)
“See your world. Maybe wish you hadn’t.”
The bad guys are already seeing it anyway.
Thank You

SplunkLive! Customer Presentation – Virtustream
