SplunkSummit 2015 - Splunk User Behavioral Analytics
1. Splunk User Behavior Analytics
Nick Crofts, Senior Sales Engineer ANZ / Security SME
2. Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Referenced customers for the ITSI product participated in a limited release software program that included items at no charge.
15. DATA SOURCES
KEY:
• Identity/Auth: Active Directory/Domain Controller, Single Sign-on, HRMS, VPN, DNS, DHCP
• Activity (N-S, E-W): Web Gateway, Proxy Server, Firewall
• SaaS/Mobile: Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
• Security Products: End-point, IDS, IPS, AV, Malware
• External Threat Feeds: Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains
OPTIONAL: Netflow, PCAP; DLP, File Server/Host Logs; AWS CloudTrail
16. THE OVERALL SOLUTION
Real-Time Machine Data from: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Splunk platform: Developer Platform, Report & Analyze, Custom Dashboards, Monitor & Alert, Ad Hoc Search
UBA: Machine Learning, Behavior Analytics, Anomaly Detection, Threat Detection, Security Analytics
17. ATTACK DEFENSES
• Threat Attack Correlation
• Polymorphic Attack Analysis
• Behavioral Peer Group Analysis
• User & Entity Behavior Baseline
• Entropy/Rare Event Detection
• Cyber Attack / External Threat Detection
• Reconnaissance, Botnet and C&C Analysis
• Lateral Movement Analysis
• Statistical Analysis
• Data Exfiltration Models
• IP Reputation Analysis
• Insider Threat Detection
• User/Device Dynamic Fingerprinting
18. SECURITY ANALYTICS / KILL-CHAIN: KEY WORKFLOWS - HUNTER
• Investigate suspicious users, devices, and applications
• Dig deeper into identified anomalies and threat indicators
• Look for policy violations
19. THREAT DETECTION: KEY WORKFLOWS - SOC ANALYST
• Quickly spot threats within your network
• Leverage the Threat Detection workflow to investigate insider threats and cyber attacks
• Act on forensic details: deactivate accounts, unplug network devices, etc.
20. INSIDER THREAT
User activities and the risk/threat detection areas each one triggers:
• 3:00 PM: John logs in via VPN from 1.0.63.14. Detection: Unusual Geo (China); Unusual Activity Time
• 3:05 PM: John elevates his privileges for the PCI network. Detection: Unusual Activity Sequence (AD/DC Privilege Escalation)
• 3:10 PM: John performs a remote desktop on a system as Administrator on the PCI network zone. Detection: Unusual Zone (Corp→PCI) traversal (lateral movement)
• 3:15 PM: John (Admin) performs an ssh as root to a new machine from the BizDev department. Detection: Unusual Machine Access (lateral movement; individual + peer group)
• 3:40 PM: John (Admin→root) accesses all the Excel and negotiation documents on the BizDev file shares. Detection: Unusual File Access (individual + peer group)
• 6:00 PM: John (Admin→root) copies all the negotiation docs to another share on the corp zone. Detection: Excessive Data Transmission (individual + peer group); Unusual Zone combo (PCI→corp)
• 11:35 PM: John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise. Detection: Multiple Outgoing Connections; Unusual VPN session duration (11h)
21. DEPLOYMENT MODELS
• ON-PREM: Clustered VMs
• CLOUD: Enterprise on AWS for Cloud/Hybrid Deployments
In both models: Data Sources / Splunk Enterprise → UBA
22. MAPPING RATs TO ACTIONABLE KILL-CHAIN
(Diagram; recoverable labels: Anomalies, Threat)
28. CUSTOMER EXAMPLES (RETAIL, HI-TECH, MANUFACTURING, FINANCIAL)
• Malicious domain activity
• Infected user accounts
• Insider threat actor watch lists
• Suspicious privileged account activity
• Fake Windows update server activity
• Asprox, Redyms malware
• Lateral movement amongst contractors
• Cryptowall ransomware
• Fiesta exploit kit
• Account takeover of privileged account
• Login irregularities and land-speed violation
• IOCs and violations
29. Cost-Effective Threat Detection
Billions of incoming events from Enterprise, Mobile and Cloud sources → Learn Data & Detect Anomalies → Group Indicators → Final Ranked Threats (for review) → Human Assisted Threat Review, within seconds.
Inputs along the way: Threat Models, Threat Intelligence Feeds, Security Alerts, Baselines + Supporting Evidence, Local/Global Threat Correlation, Indicators of Compromise
Result: 99.99% reduction, from billions of raw events down to the final ranked threats
30. Splunk UBA VM-based On-Prem Physical Deployment
Data sources on the Enterprise Network: IAM, Active Directory; DHCP, DNS, Proxy Servers; FW, IDS; VPN Server; App Servers; Syslog; SIEM
Splunk UBA On-Prem Deployment:
• Caspida App Server VM (VM1, Linux): 500 GB and 100 GB network disks for UI/Ingestion
• Analysis VMs (Linux, one or more): 100 GB network disk each for analysis
Requirements:
• vSphere (ESXi v5.0+)
• Availability of storage volumes (100 GB for each Analysis VM, 500 GB for App Server)
• Splunk UBA is packaged in an OVA
31. Sizing*
                  10 nodes    40 nodes    100 nodes
Events per sec    50K         200K        500K
Events per day    4.3B        17.3B       43B
TB per day        4.3TB       17.3TB      43TB
*Assumes ~10-20K user accounts and 50K internal devices
33. Overall Model Workflow
Sources (Mobile, Cloud, Enterprise) → Data Parsing / ETL Engine → Data Profiling → Model Building (models not trained → models trained) → Threat Model Scoring (Model 1, Model 2, …, Model N) → Anomalies → Normalized Anomalies → Threat Grouping Engine → Universal Scoring Engine → Threats → Threat Review / Decision Making → Security Alert
Feedback loop: Not a Threat? → Model Reinforcement Learning, with Adjustment of Model Weights (optional) and Enable/Disable Models (optional)
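As an added illustration of this workflow and of the insider-threat timeline on slide 20 (example code written for this page, not Splunk UBA's or Caspida's own models, scoring engine or API): constructed events for the user "john" are run through small per-model anomaly functions against constructed individual and peer-group baselines, the normalized anomalies are grouped per user and combined by the universal scorer into one ranked threat, and the "Not a Threat?" feedback adjusts a model's weight (setting it to 0 disables the model). Every event, baseline, weight and threshold value, the model names, the hostnames, the address 203.0.113.9 and the noisy-OR combination rule are assumptions made for the example; 1.0.63.14 is the address on slide 20. The privilege-escalation sequence model from slide 20 is not implemented.

```python
import math
from collections import defaultdict

# Constructed telemetry mirroring the slide-20 timeline (24-hour clock); 1.0.63.14 is from the slide.
EVENTS = [
    {"time": "15:00", "user": "john", "kind": "vpn_login", "country": "CN", "src_ip": "1.0.63.14"},
    {"time": "15:05", "user": "john", "kind": "priv_escalation", "zone": "pci"},
    {"time": "15:10", "user": "john", "kind": "rdp", "from_zone": "corp", "to_zone": "pci", "host": "pci-app-02"},
    {"time": "15:15", "user": "john", "kind": "ssh", "account": "root", "host": "bizdev-srv-11"},
    {"time": "15:40", "user": "john", "kind": "file_access", "share": "bizdev-fs", "files": 412},
    {"time": "18:00", "user": "john", "kind": "file_copy", "from_zone": "pci", "to_zone": "corp", "bytes": 4_000_000_000},
    {"time": "23:35", "user": "john", "kind": "outbound", "destinations": 37, "vpn_hours": 11},
    {"time": "09:10", "user": "alice", "kind": "vpn_login", "country": "AU", "src_ip": "203.0.113.9"},
]

# Constructed baselines: what model training saw as "normal" for each user, plus the peer group.
BASELINES = {
    "john": {"countries": {"AU"}, "hours": (7, 15), "zone_pairs": {("corp", "corp")},
             "hosts": {"corp-ws-07", "corp-fs-01"}, "shares": {"corp-fs"}, "files_per_day": 30,
             "bytes_per_day": 50_000_000, "ext_dests": 5, "vpn_hours": 9},
    "alice": {"countries": {"AU"}, "hours": (8, 18), "zone_pairs": {("corp", "corp")},
              "hosts": {"corp-ws-12"}, "shares": {"corp-fs"}, "files_per_day": 40,
              "bytes_per_day": 20_000_000, "ext_dests": 5, "vpn_hours": 9},
}
PEER = {"hosts": {"corp-ws-07", "corp-ws-12", "corp-fs-01"}, "shares": {"corp-fs"}}

# Anomaly models: each returns a raw score in [0, 1]; 0.0 means nothing unusual was seen.
def unusual_geo(e, b):
    return 0.8 if e.get("country") and e["country"] not in b["countries"] else 0.0

def unusual_time(e, b):
    return 0.0 if b["hours"][0] <= int(e["time"][:2]) < b["hours"][1] else 0.4

def unusual_zone(e, b):
    # Zone traversal (e.g. corp -> pci) or activity in a zone the user never works in.
    dst = e.get("to_zone") or e.get("zone")
    return 0.0 if dst is None or (e.get("from_zone") or dst, dst) in b["zone_pairs"] else 0.9

def unusual_host(e, b):
    # A host new to the user alone scores 0.5; one new to the whole peer group as well scores 0.9.
    host = e.get("host")
    return 0.0 if not host or host in b["hosts"] else (0.5 if host in PEER["hosts"] else 0.9)

def unusual_file_access(e, b):
    if e["kind"] != "file_access":
        return 0.0
    score = 0.0 if e["share"] in b["shares"] else (0.5 if e["share"] in PEER["shares"] else 0.7)
    return min(1.0, score + 0.3) if e["files"] > 5 * b["files_per_day"] else score

def excessive_data(e, b):
    ratio = e.get("bytes", 0) / b["bytes_per_day"]
    return 0.0 if ratio <= 1 else min(1.0, 0.5 + ratio / 200)

def outbound_fanout(e, b):
    d = e.get("destinations", 0)
    return 0.0 if d <= b["ext_dests"] else min(1.0, d / 50)

def vpn_duration(e, b):
    h = e.get("vpn_hours", 0)
    return 0.0 if h <= b["vpn_hours"] else min(1.0, (h - b["vpn_hours"]) / 4)

MODELS = {"Unusual Geo": unusual_geo, "Unusual Activity Time": unusual_time,
          "Unusual Zone Traversal": unusual_zone, "Unusual Machine Access": unusual_host,
          "Unusual File Access": unusual_file_access, "Excessive Data Transmission": excessive_data,
          "Multiple Outgoing Connections": outbound_fanout, "Unusual VPN Session Duration": vpn_duration}
WEIGHTS = {name: 1.0 for name in MODELS}  # "Adjustment of Model Weights"; 0.0 disables a model

def score_event(e):
    """Threat model scoring: run every enabled model on one event and emit normalized anomalies."""
    b = BASELINES[e["user"]]
    anomalies = []
    for name, fn in MODELS.items():
        raw = fn(e, b) if WEIGHTS[name] > 0 else 0.0
        if raw > 0:
            anomalies.append({"user": e["user"], "time": e["time"], "model": name,
                              "score": round(raw * WEIGHTS[name], 3)})
    return anomalies

def rank_threats(events):
    """Threat grouping + universal scoring: group anomalies per user, combine them, rank users."""
    groups = defaultdict(list)
    for e in events:
        for a in score_event(e):
            groups[a["user"]].append(a)
    threats = []
    for user, anomalies in groups.items():
        # Noisy-OR: one strong anomaly or many weak ones both push the user up the ranking.
        combined = 1.0 - math.prod(1.0 - a["score"] for a in anomalies)
        threats.append({"user": user, "score": round(combined, 4), "anomalies": anomalies,
                        "models": sorted({a["model"] for a in anomalies})})
    return sorted(threats, key=lambda t: t["score"], reverse=True)

def mark_not_a_threat(model_name, factor=0.5):
    # Analyst feedback ("Not a Threat?"): down-weight the model that produced the false positive.
    WEIGHTS[model_name] = round(WEIGHTS[model_name] * factor, 3)

if __name__ == "__main__":
    for t in rank_threats(EVENTS):
        print(f"{t['user']}: score={t['score']} anomalies={len(t['anomalies'])} models={t['models']}")
```

Running the block ranks only john, because every one of his seven events deviates from his own or his peers' baseline while alice's login matches hers; the per-anomaly records keep the model name and time so an analyst can walk the timeline exactly as slide 20 lays it out. Calling mark_not_a_threat("Unusual Activity Time") halves that model's contribution on the next run, and setting its weight to 0.0 switches it off, which is the "Enable/Disable Models" path of the feedback loop.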