SplunkSummit 2015 - Splunk User Behavioral Analytics
•
2 likes•2,182 views
SplunkSummit 2015 - Sydney, Canberra, Melbourne
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to SplunkSummit 2015 - Splunk User Behavioral Analytics
Similar to SplunkSummit 2015 - Splunk User Behavioral Analytics (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
SplunkSummit 2015 - Splunk User Behavioral Analytics
- 1. Splunk User Behavior Analy4cs Nick Cro8s Senior Sales Engineer ANZ / Security SME
- 2. Disclaimer 2 During the course of this presenta4on, we may make forward looking statements regarding future events or the expected performance of the company. We cau4on you that such statements reflect our current expecta4ons and es4mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐ looking statements made in the this presenta4on are being made as of the 4me and date of its live presenta4on. If reviewed a8er its live presenta4on, this presenta4on may not contain current or accurate informa4on. We do not assume any obliga4on to update any forward looking statements we may make. In addi4on, any informa4on about our roadmap outlines our general product direc4on and is subject to change at any 4me without no4ce. It is for informa4onal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliga4on either to develop the features or func4onality described or to include any such feature or func4onality in a future release. Referenced customers for ITSI product par4cipated in a limited release so8ware program that included items at no charge.
- 3. ENTERPRISE CHALLENGES THREATS PEOPLE EFFICIENCY Cyber ATacks, Insider Threats, Hidden, Or Unknown Availability of Security Exper4se Too Many Alerts And False Posi4ves
- 4. How many alerts can the average SOC analyst can handle in a full 8 hour work day?
- 5. 24-‐32 alerts /8hr shi8.
- 6. Neiman Marcus had 60,000 un-‐remediated incidents.
- 7. 60,000 alerts / 28 alerts per analyst = 1,034 analysts required to remediate all alerts in 8 hours.
- 8. OLD PARADIGM SIGNATURES RULES HUMAN ANALYSIS
- 9. Majority of the Threat Detec8on Solu8ons focus on the KNOWNS. UNKNOWNS? What about the
- 10. ADVANCED CYBER ATTACKS SPLUNK UBA detects & INSIDER THREATS with BEHAVIORAL THREAT DETECTION
- 11. Splunk UBA adds Data-‐Science Driven Behavioral Analy8cs BIG DATA DRIVEN AUTOMATED SECURITY ANALYTICS MACHINE LEARNING A NEW PARADIGM
- 12. KEY USE-‐CASES 12 Advanced Cyber-‐ATacks Malicious Insider Threats Online ATO
- 13. WHAT DOES SPLUNK UBA DO? SIEM, Hadoop Firewall, AD, DLP AWS, VM, Cloud, Mobile End-‐point, App, DB logs NeOlow, PCAP Threat Feeds AUTOMATED THREAT DETECTION & SECURITY ANALYTICS Baseline KPIs Analy4cs DATA SOURCES DATA SCIENCE DRIVEN THREAT DETECTION 99.99% EVENT REDUCTION UBA
- 14. MULTI-‐ENTITY FOCUSED User App Systems (VMs, Hosts) Network Data
- 15. Web Gateway Proxy Server Firewall Box, SF.com, Dropbox, other SaaS apps Mobile Devices Malware Norse, Threat Stream, FS-‐ISAC or other blacklists for IPs/domains DATA SOURCES 15 Ac4ve Directory/ Domain Controller Single Sign-‐on HRMS VPN DNS, DHCP Iden8ty/Auth SaaS/Mobile Security Products External Threat Feeds Ac8vity (N-‐S, E-‐W) K E Y OPTIONAL Neilow, PCAP DLP, File Server/Host Logs AWS CloudTrail End-‐point IDS, IPS, AV
- 16. 16 THE OVERALL SOLUTION Online Services Web Services Servers Security GPS Loca4on Storage Desktops Networks Packaged Applica4ons Custom Applica4ons Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID Real-‐Time Machine Data DEVELOPER PLATFORM REPORT & ANALYZE CUSTOM DASHBOARDS MONITOR & ALERT AD HOC SEARCH MACHINE LEARNING BEHAVIOR ANALYTICS ANOMALY DETECTION THREAT DETECTION SECURITY ANALYTICS UBA
- 17. ATTACK DEFENSES 17 Threat ATack Correla4on Polymorphic ATack Analysis Behavioral Peer Group Analysis User & En4ty Behavior Baseline Entropy/Rare Event Detec4on Cyber ATack / External Threat Detec4on Reconnaissance, Botnet and C&C Analysis Lateral Movement Analysis Sta4s4cal Analysis Data Exfiltra4on Models IP Reputa4on Analysis Insider Threat Detec4on User/Device Dynamic Fingerprin4ng
- 18. SECURITY ANALYTICS KILL-‐CHAIN HUNTER KEY WORKFLOWS -‐ HUNTER § Inves4gate suspicious users, devices, and applica4ons § Dig deeper into iden4fied anomalies and threat indicators § Look for policy viola4ons
- 19. THREAT DETECTION KEY WORKFLOWS – SOC ANALYST SOC ANALYST § Quickly spot threats within your network § Leverage Threat Detec8on workflow to inves4gate insider threats and cyber aTacks § Act on forensic details – deac4vate accounts, unplug network devices, etc.
- 20. INSIDER THREAT 20 USER ACTIVITIES! RISK/THREAT DETECTION AREAS! John logs in via VPN from 1.0.63.14 Unusual Geo (China) Unusual Activity Time3:00 PM! Unusual Machine Access (lateral movement; individual + peer group) 3:15 PM!John (Admin) performs an ssh as root to a new machine from the BizDev department Unusual Zone (CorpàPCI) traversal (lateral movement)3:10 PM! John performs a remote desktop on a system as Administrator on the PCI network zone 3:05 PM! Unusual Activity Sequence (AD/DC Privilege Escalation) John elevates his privileges for the PCI network Excessive Data Transmission (individual + peer group) Unusual Zone combo (PCIàcorp)" 6:00 PM!John (Adminàroot) copies all the negotiation docs to another share on the corp zone Unusual File Access (individual + peer group)3:40 PM! John (Adminàroot) accesses all the excel and negotiations documents on the BizDev file shares Multiple Outgoing Connections Unusual VPN session duration (11h)11:35 PM!John (Adminàroot) uses a set of Twitter handles to chop and copy the data outside the enterprise
- 21. DEPLOYMENT MODELS 21 CLUSTERED VMs Enterprise On AWS for Cloud/Hybrid Deployments DATA SOURCES / SPLUNK ENTERPRISE ON-‐PREM CLOUD UBA UBA
- 22. 22 MAPPING RATs TO ACTIONABLE KILL-‐CHAIN A W N O M A L I E S H R E A T
- 23. DEMO TIME
- 24. QUESTIONS?
- 25. THANK YOU!
- 26. CUSTOMER THREATS UNCOVERED ACCOUNT TAKEOVER • Privileged account compromise • Data loss LATERAL MOVEMENT • Pass-‐the-‐hash kill chain • Privilege escala4on INSIDER THREATS • Misuse of creden4als • IP the8 2 MALWARE ATTACKS • Hidden malware ac4vity • Advanced Persistent Threats (APTs) BOTNET, C&C • Malware beaconing • Data exfiltra4on USER & ENTITY BEHAVIOR ANALYTICS • Login creden4al abuse • Suspicious behavior
- 28. CUSTOMER EXAMPLES 28 q Malicious domain ac4vity q Infected user accounts q Insider threat actor watch lists q Suspicious privileged account ac4vity q Fake Windows update server ac4vity q Asprox, Redyms malware q Lateral movement amongst contractors q Cryptowall ransomware q Fiesta exploit kit q Account takeover of privileged account q Login irregulari4es and land-‐speed viola4on q IOCs and viola4ons RETAIL HI-‐TECH MANUFACTURING FINANCIAL
- 29. Cost-‐Effec4ve Threat Detec4on 29 Seconds Billion of Incoming Events Learn Data & Detect Anomalies Group Indicators Final Ranked Threats (for review) Human Assisted Threat Review MobileCloud Sources ? Threat Models Threat Intelligence Feeds Security Alert Baselines + Suppor8ng Evidence Enterprise 99.99% Reduction Local/Global Threat Correla8on Indicators of Compromise
- 30. Splunk UBA VM-‐based On-‐Prem Physical Deployment 30 Splunk UBA On-‐Prem Deployment IAM, Ac8ve Directory DHCP, DNS, Proxy Servers FW, IDS VPN Server App Servers Syslog Enterprise Network SIEM Caspida App Server VM 500 GB 100 GB Network Disks for UI/Inges8on VM VM1 Linux VM1 Linux Analysis VM VM … 100 GB 100 GB Network Disks for Analysis VMs Requirements: • vSphere (ESXi v5.0+) • Availability of storage volumes (100 GB for each Analysis VMs, 500 GB for App Server) • Splunk UBA is packaged in an OVA
- 31. Sizing* 31 10 nodes 40 nodes 100 nodes Events per sec 50K 200K 500K Events per day 4.3B 17.3B 43B TB per day 4.3TB 17.3TB 43TB *Assumes ~10-20K user accounts and 50K internal devices
- 32. Event workflow Raw Events" 1 Anomalies" Statistical methods! Security semantics! 2 Threat Models" Lateral movement ML! Patterns! Sequences! Beaconing Land-‐speed viola4on Threats" Kill chain sequence! 5 Supporting evidence! Threat scoring! Graph Mining" 4 Continuousself-learning Anomalies graph! Uber graph! 3
- 33. Overall Model Workflow 33 Data Parsing ETL Engine Data Profiling Model Building Threat Model Scoring Models nottrainedModels trained Threat Grouping Engine Model 1 Model 2 … Model N Universal Scoring Engine Security Alert Threat Review Threats Anomalies Normalized Anomalies Not a Threat? Model Re-‐enforcement Learning Adjustment of Model Weights (optional) Enable/Disable Models (optional) Source s Decision Making MobileCloudEnterprise