Virtual Gov Day - Security Breakout - Deloitte
•
1 like•1,834 views
Customer Use Case: Deloitte Glenn Keaveny, Manager, Deloitte Jatinder Sharma Senior Specialist, Deloitte Kishore Lekkala Kannaian Solution Engineer, Deloitte Security Overview: Bert Hayes, Solutions Engineer, Splunk
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Virtual Gov Day - Security Breakout - Deloitte
Similar to Virtual Gov Day - Security Breakout - Deloitte (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Virtual Gov Day - Security Breakout - Deloitte
- 1. Copyright © 2014 Splunk Inc. Deloitte at a Large State HHS Agency Glenn Keaveny Manager
- 2. Deloitte at a Large State HHS Agency Top IT Initiatives Security Monitoring – Looking for SIEM replacement – Technical security Compliance – Subject to multiple yearly audits – CMS, IRS, PCI Healthcare Program Integrity – Internal & external monitoring – Looking for high-risk behaviors and activities – indicators 2
- 3. IT Challenges Incident investigation/Incident Response: – Tough to correlate events across infrastructure – Time consuming process – Low visibility into what’s actually going on in environment Data Correlation: – Other departments with relevant security data were creating a bottleneck – Stove piped applications – hard to integrate applications Program Integrity Issue detection: – Need to detect high risk behaviors and activities proactively Remaining compliant: – Compliance reporting automation – Splunk & Archer Integration 3
- 4. Improved Agency Efficiency With Splunk: Ingesting security data – Couple of hours Reporting & dashboard set-up – 1-2 days Incident investigation – Days Compliance reports – Minutes Program Integrity set-up – 1-2 months 4 Without Splunk: Ingesting security data – 3-5 days Reporting & dashboard set-up – 1-2 weeks Incident investigation – 2-4 weeks Compliance reports – Days Program Integrity set-up – 6 months
- 5. Program Integrity Agency defined 6 priority use cases to detect program integrity violations within individuals benefits programs Ingesting application, endpoint, backend and mainframe data to detect high risk behaviors and activities Monitoring external program integrity issues: Individuals doubling up on monthly benefits Multiple families receiving benefits under one household Monitoring internal program integrity issues: Agency caseworkers approving inappropriate transactions 5
- 6. Use Case: Program Integrity analysis 6 Insert Screenshot – can be dashboard, report, etc. Can add as many as needed to explain how you’re using Splunk Dashboard to identify repeated issuances of benefits within a timeframe
- 7. Use Case: Database Audit 7 Insert Screenshot – can be dashboard, report, etc. Can add as many as needed to explain how you’re using Splunk Dashboard to analyze audit logs from multiple Oracle database servers
- 8. Use Case: Access Logs 8 Insert Screenshot – can be dashboard, report, etc. Can add as many as needed to explain how you’re using Splunk Dashboard provides overview of authentication and authorization actions by applications
- 9. Why Splunk? Cost savings: – One solution for security investigation, compliance reporting and program integrity issue detection Increased visibility Flexibility: – Ability to integrate data sources without help of an application development team – 450 custom reports Fast time to value: – Only took 4-6 months to implement 9 “Our client is very happy with the results. It would be hard to convince them to get rid of Splunk – they are very, very impressed. ”
- 10. Thank you
- 11. Copyright © 2014 Splunk Inc. Splunk for Security Analytics Driven Security Bert Hayes, Solutions Engineer
- 12. Advanced Threats Are Hard to Find “Another Day, Another Retailer in a Massive Credit Card Breach” – Bloomberg Businessweek, March 2014 “Edward Snowden Tells SXSW He'd Leak Those Secrets Again” – NPR, March 2014 “Banks Seek U.S. Help on Iran Cyber attacks” – Wall Street Journal, Jan 2013 Cyber Criminals Nation States Insider Threats 12 Source: Mandiant M-Trends Report 2012/2013/2014 100% Valid credentials were used 40 Average # of systems accessed 229 Median # of days before detection 67% Of victims were notified by external entity
- 13. Attackers & Threats Have Changed & Matured 13 • Goal-oriented • Human directed • Multiple tools, steps & activities • New evasion techniques • Coordinated • Dynamic, adjust to changes People • Outsider (organized crime, competitor, nation/state) • Insiders (contractor, disgruntled employee) Technology • Malware, bots, backdoors, rootkits, zero-day • Exploit kits, password dumper, etc. Threat Process • Attack Lifecycle, multi-stage, remote controlled • Threat marketplaces – buy and rent
- 14. Modern Security Program Needs More than Technology 14 People • Outsider (organized crime, competitor, nation/state) • Insiders (contractor, disgruntled employee) Technology • Malware, bots, backdoors, rootkits, zero-day • Exploit kits, password dumper, etc. Threat Technology • Firewall, Anti-malware, AV, IPS, etc. • Anti-spam, etc. Solution Process • Attack Lifecycle, multi-stage, remote controlled • Threat marketplaces – buy and rent Human Intuition and Observation Coordination, Collaboration and Counter Measures
- 15. New Approach to Security Operations is Needed 15 • Goal-oriented • Human directed • Multiple tools & activities • New evasion techniques • Coordinated • Dynamic (adjust to changes) Threat • Analyze all data for relevance • Contextual and behavioral • Rapid learning and response • Leverage IOC & Threat Intel • Share info & collaborate • Fusion of technology, people & process
- 16. From Alert Based to Analytics Driven Security 16 Traditional Alert-based Approach Time & Event based Data reduction Event correlation Detect attacks Needle in a haystack Power Users, Specialist Additional Analysis Approach ..and phase, location, more… Data inclusion Multiple/dynamic relationships Detect attackers Hay in a haystack Everyone - Analytics-enabled Team
- 17. Splunk software complements, replaces and goes beyond traditional SIEMs. Moving Past SIEM to Security Intelligence Small Data. Big Data. Huge Data. SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECTING UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT
- 18. Machine Data Enables Security and Business Insights 18 Order ID Customer’s Tweet Time Waiting On Hold Product ID Company’s Twitter ID Order ID Customer ID Twitter ID Customer ID Customer ID Twitter Care IVR Middleware Error Order Processing Sources
- 19. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMBD Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Authentication 19 All Machine Data is Security Relevant
- 20. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMBD Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Authentication 20 All Machine Data is Security Relevant Traditional SIEM
- 21. Insider Threat 21 The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli, Software Engineering Institute, Carnegie Mellon University, 2012 Non-tech indicators HR HDFS SAP Time Management Asset DB Dunn & Bradstreet Lexus Nexus Traditional Data Threat Intelligence User & Identity Network & malware Host & Application
- 22. Human expertise fused with the power of correlation and visualization technology are key to detecting the unknowns 22
- 23. Visual Investigations for All Users Visually organize and fuse any data to discern any context Giving users the ability to find relationships visually 23
- 24. Enhance Security Analysis with Threat Intelligence Integrate high fidelity and complex URL’s and domain names into threat intelligence Aggregation, de-duplication and prioritization of multiple feeds Assign weights to the business value of the feeds 24
- 25. Risk-based analytics enhance decision- making and minimize impacts 25
- 26. Contributing Factors Analysis Expose risk factors to analysts and decision makers Investigate risk factors to anticipate threats and prevent future breach 26
- 27. Enable Risk-based Decision Making
- 28. Security is a team sport and takes a village! 28
- 29. Leverage a Rich Eco System 29 Security Intelligence platform 200+ SECURITY APPS/ADD-ONS SPLUNK FOR ENTERPRISE SECURITY Cisco WSA, ESA, ISE, SF Palo Alto Networks FireEye DShield DNS OSSEC VENDOR COMMUNITY CUSTOM APPS Symantec ADDITIONAL SPLUNK APPS … Threat Stream
- 30. Analytics Driven Security – Empowering People and Data A security intelligence platform should enable any Security Program to leverage Technology, Human Expertise, and Business/IT Processes in the most effective way to deliver on security 30
- 31. 31 Why Splunk? Integrated, Holistic & Open • Single product & data store • All original machine data is indexed and searchable • Open platform with API, SDKs, +500 Apps Flexible & Empowering • Schema on read • Search delivers accurate, faster investigations and detection • Powerful visualizations and analytics help identify outliers Simplicity, Speed and Scale • Fast deployment + ease-of- use = rapid time-to-value • Runs on commodity hardware, virtualized and/or in the cloud • Scales as your needs grow All Your Data in One Place: Increases Collaboration and Partnership, Eliminates Silos & Delivers Proven ROI
- 32. Customerand IndustryRecognition 32 2800 Security Customers Leader in Gartner SIEM MQ Splunk Industry Awards
- 33. Questions
- 34. Thank You
Editor's Notes
- Glenn – can you please update your title and add anyone else presenting with you?
- You can add as many screen shots as you like – this is where you’d discuss your specific use case(s)
- The number of threats is increasing and also becoming more advanced. Today’s advanced threats are stealthy and sophisticated and evade detection from traditional, point security products that look for specific threat signatures. Above are 3 types of advanced threats. They are good at stealing confidential data, whether it be credit cards or IP, and many of their victims unfortunately end up in the headlines. Cyber criminals include the credit card theft at Target and Neiman Marcus. Nation state attacks include Iran and China attacking governments and private sector companies to steal intellectual property and/or national secrets. FYI these advanced threats are also commonly called APTs, or Advanced Persistent Threats. APT are hard to detect because they are not signature-based and hide behind legitimate credentialed activity to evade detection from traditional, point security products. Every year companies like Mandiant produce reports that describe the trends identified based on the breach investigation work that they do as part of their consulting practices. There are a couple metrics that I found interesting reading their recent reports. 100% is often via stealing password hashes or using keyloggers. Often they steal admin-level credentials so they can access many other systems and not be detected. The 40 implies that even if you see malware in one place, you need to look much further as there are likely multiple infected machines and backdoors 243 days shows how they can evade detection for months at a time. They move slow and low and do not set off alarms from point, signature-based security products like anti-malware solutions. 63% of victims were notified by an external entity. Notification usually starts with customer complaints like bank account drained or credit card maxed out. Often FBI informs them.
- Concept is that NEW analysis is required – beyond simple event correlation – this is why SIEMs are not solving the problem – the requires have changed Phase, location, etc. – speak to additional attributes are required to both understand and to defend against attacks Data inclusion – core splunk message – don’t filter/tune out noise/false positive, look at all data, collect so it’s available when needed Multiple/dynamic relationships – the event chain and bits of any attack are scattered, and cannot be detected using pre-defined correlation rules – example of multiple login failure with success and then access to internal resources – great for gaining an advantage, but then what happens when they download additional malware – how does static correlation rules help find the new malware, or how does it look for potential data that is accessed/stolen. Detect attackers – main concept is there is an attacker directing the malware (once internal access is established via valid credentials, therefore the attacker must be deduced from activities associated with normal activities from those trusted credentials) - once the malware is delivered, the additional attack tools and activities will not be “attacks” anymore, then are activities of the attacker Hay in a haystack – needle is a different object from hay – but now, since trusted credential are used, and often in normal, good traffic – the analysis is to look for particular attributes and characteristics of the hay to determine good/bad – this applies to concepts like insider threat is an insider with access (account privileges, etc.), and fraud uses good access (credit card, accounts, etc.) – the identifiable traits are their activities, characteristics, etc.
- Make sure to stress we are a Security Intelligence Platform and we can meet their needs these use cases plus more. We are more than a SIEM in that we are much more flexible and also can be used for use cases outside of security. Do not go into detail on the 5 use cases because the next few slides detail each of them. And highlight that many customers already have a SIEM and are generally happy with it. But they do have some pain with current SIEM….maybe it struggles getting in non-security data, maybe it has limited search/reporting capabilities, etc. In these cases, Splunk can happily complement their SIEM. They perhaps use their existing SIEM for alerting, and they then log into Splunk to do the investigation, etc. But key point is that we can easily complement or replace a SIEM.
- Key part of IT security is protecting confidential data. Which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need non-security and security data because advanced threats avoid detection from signature-based security products; the fingerprints of an advanced threat often are in the “non-security” data. Most traditional SIEMs just focus on gathering signature-based threats which do *not* have the fingerprints of advanced threats. Also the above scenario is worse if there is no SIEM. Instead point UIs and grep are used and aggregating data is very manual and time consuming.
- Insight for Insider threats comes both traditional data sources used for security AS WELL AS FROM non-traditional, often from HR, personnel and other “people-oriented” data.
- 1 solution for Splunk for Security, but 3 offerings. At bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. Can be built by Splunk, customer, partners and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content and do want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost though) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3. The majority of Splunk security customers do Splunk Enterprise and the free apps. Also customers do leverage the API and SDKs that come with Splunk to further extend the platform.
- 3:45pm – Bert: Moderate Q&A REMEMBER: Check the presenter pod to ensure Deloitte has not asked you to skip any questions NEXT: 3:55pm – Close session: Thank our presenters Hand it over to Alicia to close and mention Splunk’s upcoming events
- 3:55pm – Close session: Thank our presenters Hand it over to Alicia to close and mention Splunk’s upcoming events