SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
•
1 like•611 views
This document discusses best practices for detecting and responding to security breaches. It summarizes that comprehensive security intelligence is needed to scope infections and disrupt breaches. An investigation demo shows connecting threat intelligence, network, endpoint, and identity data to identify the root cause of a breach. Best practices for breach response include ingesting data from network, endpoint, threat intelligence, and identity sources and using a security intelligence platform to automate analysis and improve techniques for preventing compromises from becoming breaches.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
Similar to SplunkLive! London - Scoping Infections and Disrupting Breaches breakout (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
- 1. Copyright © 2015 Splunk Inc. Best Practices for Scoping Infections and Disrupting Breaches Matthias Maier Security Product Marketing, EMEA
- 2. 2
- 3. 3 Source: Mandiant M-Trends Report 2012/2013/2014 67% Victims notified by an external entity 100% Valid credentials were used 229 Median # of days before detection The Ever-Changing Threat Landscape
- 4. 4 Single Platform for Security Intelligence SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECT UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Splunk Complements, Replaces and Goes Beyond Existing SIEMs
- 5. 5 Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 7. 7 Threat IntelligenceNetwork Endpoint Access/Identity Data Sources Required
- 8. Persist, Repeat Threat Intelligence Access/Identity Endpoint Network Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain • Third-party threat intel • Open-source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO Data Sources Required • Web proxy • NetFlow • Network
- 9. 9 Required Data Sources Required Capabilities Roadmap
- 10. 10 Capabilities—Scoping Infections and Breaches 1 Report and Analyze Custom Dashboards Monitor and Alert Ad hoc Search Threat Intelligence Asset & CMDB Employee Info Data Stores Applications Raw Events Online Services Web Services Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices Firewall Authentication Threat Intelligence Servers Endpoint
- 11. Capabilities—Scoping Infections and Breaches Analytics Context and Intelligence Connecting Data and People
- 12. 12 Required Data Sources Required Capabilities The Attack Kill Chain Roadmap
- 13. Adversary Perspective—Attack Kill Chain Discovery Weaponization Delivery Exploitation Installation Command and Control (C2) Actions on Objectives Lockheed Martin white paper: Intelligence-Driven Computer Network Defense of Analysis of Adversary Campaigns and Intrusion Kill Chains
- 15. 15 Kill Chain—Breach Example http (web) session to command & control server Remote control Steal data Persist in company Rent as botnet WEB Delivery Exploitation Installation C2 Actions on Objectives .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Threat Intelligence Access/Identity Endpoint Network
- 16. 16 Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Roadmap
- 17. 17 Demo
- 18. Demo Review Challenges – Difficult to go from threat-intel match to root cause – Hard to determine – was there a breach? Sources – Threat intel – open source threat intel feed – Network – web proxy logs, email logs – Endpoint – endpoint monitoring agent – Access/identity – asset management database Finding the root cause: connecting the dots – Match the threat-intel IP to network data to identify the infected machine – Identify the malicious process by mapping network data to endpoint data – Discover the infected email by matching local file access to email data
- 19. Best Practices—Breach Response Posture Bring in data from at least one from each category: – Network – next gen firewall or web proxy, email, DNS – Endpoint – Windows logs, registry changes, file changes – Threat intelligence – open source or subscription based – Access and identity – authentication events, machine-user mapping Establish a security intelligence platform so analysts can: – Contextualize events, analytics and alerts – Automate analysis and exploration – Share techniques and results to learn and improve
- 20. 20 Compromise is unavoidable. Breaches are preventable. 2
- 21. 21 Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 22. 22 Tech Brief – Advanced Threat Detection and Response
- 23. Thousands of Global Security Customers
- 25. 25 Dev.splunk.com40,000+ questions and answers 600+ apps SplunkLive! Events And .Conf2015 Thriving Community
- 26. 26 Required Data Sources Required Capabilities The Attack Kill Chain Demo Investigation Learn More Roadmap
- 27. Copyright © 2015 Splunk Inc. Thank You
Editor's Notes
- There are three numbers in the cyber security statistics are very telling, and we should pay close attention to: 100% of breaches are done using valid credentials; And it still takes average 229 days to detect a breach; With all security technologies deployed in the enterprises, there are still 67% of , which represents 2 out 3, breaches are first reported to the enterprise by a 3rd parties (FBI, SS)
- Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
- You want visibility where the adversary manifests itself. Imagine a malicious email that gives delivered. what are the places you can detect it ? And respond to the breach ? Network – network based attack, lateral movement, exfiltration Endpoint – malware exploitation – data gathering, launch point Authentication – the basis of lateral movement and access to assets, intellectual property Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach You derive this rationale from the activity in your in your environment. Fusing it with the knowledge of those who have broader vantage points. And then contextualizing it with business information. Lets talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to splunk, I was a splunk customer…. And this strategy works… Lets dive into this…
- The capabilities required to distinguish an infection from a breach Why is it important to preserve an event?
- Risk Based Analytics to Align Security Operations With the Business Risk scoring framework enhances decision making by applying risk score to any data Quickly and easily assign any KSI or KPI to any event to produce risk scores Expose the contributing factors of a risk score for deeper insights Visualize and Discover Relationships for Faster Detection and Investigation Visually fuse data, context and threat-intel across the stack and time to discern any context Pre-built correlations, alerts and dashboards for detection, investigation and compliance Workflow actions and automated lookups enhance context building Enrich Security Analysis with Threat Intelligence Automatically apply threat intelligence from any number of providers Apply threat intelligence to event data as well as wire data Conduct historical analysis using new threat intelligence across all data
- The adversary’s success lies in a deliberate methodology. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
- Exploitation != Gameover when you have analysts that can use the analytics ability and contextualize it
- Use the animation to talk to the Zeus attack scenario described in the Zeus demo. Reconn – find vulnerability, find method most likely to gain access – locate vulnerable server with .pdf Reconn - Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf) Weaponization - Attacker creates malware and packages up in pdf and names it the same document as that on the portal (look like a good document) Delivery - Attacker spoofs (use technique to send email that looks like it’s coming from an employee of the company) a company employee email and sends to several targets at the company Exploitation – User (all it takes is one) reads email, open the attachment, exploits a vulnerable in a document reader that allows programs to run Installation – program installs several programs that over-write “good” programs on the computer – the calculator program – calc.exe Installation – calc.exe spans svchost.exe, a generic program on windows machines Command and Control – svchost.exe establishes communication to remote command and control server. Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
- Contextualization and exploration is automatic – you saw this in the field discovery menu Raw events without modification or changes – so you can auto-extract and search adhoc and tie things together as you see fit Nothing to join Create a search
- Over 2500 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use for security/compliance.
- We are humbled by your trust. You have confirmed to us that in partnering with you – our customers we deliver a world class security intelligence platform. Thank you! Before we jump into questions. Some important .conf announcements…
- Splunk has an active community: There is an emerging ecosystem of new companies building apps on top of Splunk. They are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications. Splunk Answers is the go-to place for your questions – and answers. Our technical support is consistently rated as industry leading and Splunk Answers has answers to thousands of questions. You can participate in meet-ups and User Groups, contribute to our forums, or attend local SplunkLive events (like this one) to hear from you peers.