Copyright © 2014 Splunk Inc.
Joe Goldberg – Product Marketing, Splunk
Gary Mikula – Senior Director Information Security, FINRA
Sivakanth Mundru – Product Manager, AWS
Building a cloud-based SIEM with Splunk Cloud and AWS
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Splunk for security and cloud offerings
• AWS CloudTrail
• FINRA using Splunk Cloud as a SIEM
• Demo of Splunk App for Enterprise Security & AWS CloudTrail
Use Cases for Machine Data Analytics
The slide groups use cases into core use cases and emerging use cases (today's focus: Security and Compliance):
• IT Operations
• Security and Compliance
• Digital Intelligence
• App Dev and App Mgmt.
• Developer Platform (REST API, SDKs)
• Business Analytics
• Industrial Data and Internet of Things
Small Data. Big Data. Huge Data.
Machine Data Contains Critical Insights – Example Correlation: Data Loss
Three events from three sources, all occurring within a 24-hour period and linked by a common Source IP:
Endpoint Security (Malware Found):
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackerremotetool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Intrusion Detection (Data Loss):
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
AWS CloudTrail (Default Admin Account):
{"requestParameters": {"durationSeconds": 43200}, "responseElements": {"credentials": {"sessionToken": "AQoDYXdzEPP///==", "accessKeyId": "ASIAJWQDLBKDOAKEWNIQ", "expiration": "Nov 13, 2013 5:22:32 AM"}, "eventSource": "sts.amazonaws.com", "sourceIPAddress": "10.11.36.1", "eventTime": "2013-11-12T17:22:32Z", "userIdentity": {Administrator:root", "principalId": "930458123955", "accountId": "930458123955", "type": "Root"}, "eventName": "GetSessionToken", "userAgent": "signin.amazonaws.com"}
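The correlation this slide describes, as an added example that is not part of the original deck: constructed lines in the three formats above are normalized to (time, source IP, stage), and a source IP is reported when its malware, data-loss and root-account events all fall within 24 hours of the malware hit. The year for the syslog timestamps and the simplified field layout of the sample lines are assumptions.

```python
import json
import re
from datetime import datetime, timedelta
SYSLOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the constructed sample
# Constructed sample lines in the three formats on the slide (not real captures).
SAMPLE_LINES = [
    "Aug 08 06:09:13 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,Computer name: ACME-002,"
    "Risk name: Hackerremotetool.rootkit,Actual action: Quarantined,User: smithe,Source IP: 10.11.36.20",
    "Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: "
    "[1:100000:3] [Classification: Potential Corporate Privacy Violation] "
    "Credit Card Number Detected in Clear Text [Priority: 2]:",
    '{"eventTime": "2014-08-08T17:22:32Z", "eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken",'
    ' "sourceIPAddress": "10.11.36.20", "userIdentity": {"type": "Root", "accountId": "930458123955"}}',
]

def normalize(line):
    """Map one raw line to (timestamp, source_ip, stage); None if it is not one of the three signals."""
    if line.startswith("{"):  # CloudTrail JSON: a root-account session is the 'Default Admin Account' signal
        ev = json.loads(line)
        if ev.get("userIdentity", {}).get("type") != "Root":
            return None
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        return ts, ev["sourceIPAddress"], "default_admin_account"
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ", line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    if "Virus found" in line:  # Symantec endpoint alert carries the host's address as 'Source IP'
        return ts, re.search(r"Source IP: (\S+)", line).group(1), "malware_found"
    if "Credit Card Number Detected" in line:  # Snort: the internal host is the connection source
        return ts, re.search(r"\{TCP\} ([\d.]+):\d+ ->", line).group(1), "data_loss"
    return None

def correlate(lines, window=timedelta(hours=24)):
    """Source IPs for which all three stages occur within one window starting at a malware hit."""
    by_ip = {}
    for line in lines:
        rec = normalize(line)
        if rec:
            ts, ip, stage = rec
            by_ip.setdefault(ip, {}).setdefault(stage, []).append(ts)
    hits = []
    for ip, stages in by_ip.items():
        for t0 in stages.get("malware_found", []):
            if all(any(t0 <= t <= t0 + window for t in stages.get(s, []))
                   for s in ("data_loss", "default_admin_account")):
                hits.append(ip)
                break
    return sorted(hits)
```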
Big Data SIEM – All Data is Security Relevant
Sources the slide labels Traditional SIEM: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Additional sources shown around them: OSes, Service Desk, Storage, CloudTrail, Email, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile
Top Splunk Security Use Cases – A SIEM Plus Much More
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Real-time Monitoring of Unknown Threats
• Incident Investigations & Forensics
• Insider Threat
• Fraud Detection
Splunk Can Complement OR Replace an Existing SIEM
Leading Big Data SIEM (plus more!)
• Gartner SIEM MQ
• Best SIEM & Enterprise Security Solution
• Best SIEM
Cloud Offerings For Security and Compliance
Applications
• App for AWS CloudTrail – FREE
• Splunk App for Enterprise Security
SaaS
• Splunk Enterprise as a service
• Full app, SDK, API, platform support
Software
• Self-deploy in cloud or on-premises
• Centralized view across cloud and on-premises
Amazon Machine Images (AMI)
• Splunk Enterprise and Hunk AMIs
• Accelerate deployment in AWS
Amazon Confidential
Agenda
• Overview and Use cases
• Regional availability and support for AWS services
• Event payload review
• Aggregation of log files across accounts and services
CloudTrail – Overview
Customers are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to customers.
Use Cases Enabled By CloudTrail
• Security Analysis
  – Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources
  – Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
• Troubleshoot Operational Issues
  – Quickly identify the most recent changes made to resources in your environment
• Compliance Aid
  – Easier to demonstrate compliance with internal policies and regulatory standards
What's in a CloudTrail Event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?
Who Made the API Call?
• Records detailed information for all AWS identity types
  – Root user
  – IAM user
  – Federated user
  – Role
• Information includes
  – Friendly user name
  – AWS AccessKeyId
  – 12 digit AWS account number
  – Amazon Resource Name (ARN)
  – Session context and issuer information, if applicable
  – invokedBy section identifies the AWS service making the request on behalf of the user
Who Made the API Call?
• IAM user Bob making an API call
  "userIdentity": {
    "accessKeyId": "AKEXAMPLE123EJVA",
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/Bob",
    "principalId": "AIEXAMPLE987ZKLALD3HS",
    "type": "IAMUser",
    "userName": "Bob"
  }
Who Made the API Call?
• Federated user Alice making an API call
  "userIdentity": {
    "type": "FederatedUser",
    "principalId": "123456789012:Alice",
    "arn": "arn:aws:sts::123456789012:federated-user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "ASEXAMPLE1234WTROX8F",
    "sessionIssuer": {
      "type": "IAMUser",
      "accountId": "123456789012",
      "userName": "Bob"
    }
  }
When Was the API Call Made?
• Time and date of the event in ISO 8601 format
  "eventTime": "2013-10-23T23:30:42Z"
• Event time is captured on the service host where the API call is executed
• Event time is NOT the time the log file is written to S3
What Was the API Call? What Resources Were Acted Upon?
• API call and the service the API call belongs to
  "eventName": "RunInstances"
  "eventSource": "EC2"
• Request parameters provided by the requester and response elements returned by the AWS service
• Response elements for read-only API calls (Describe*, Get*, List*) are not recorded, to prevent event size inflation
Where Was the API Call Made From and To?
• Apparent IP address of the requester making the API call
• Records the apparent IP address of the requester when making API calls from the AWS Management Console
• AWS region to which the API call was made. Global services (examples: IAM/STS) will be recorded as us-east-1
  "sourceIPAddress": "54.234.127.135"
  "awsRegion": "us-east-1"
Client Errors, Server Errors & Authorization Failures
• Detailed and descriptive error codes and error messages, recorded only when errors occur. Examples:
  – Client error code: TagLimitExceeded
  – Server error code: Internal Error
  – Authorization failure: UnauthorizedOperation
• Authorization failure example
  "eventName": "TerminateInstances",
  "errorCode": "UnauthorizedOperation",
  "errorMessage": "You are not authorized to perform this operation"
SNS Notifications for Log File Delivery
• Optionally, CloudTrail will publish an SNS notification for each new log file
• Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action
• Does not require you to continuously poll S3 to check whether new log files were delivered
• Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis
Aggregate Log Files Across Regions and Accounts
• Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket
• Detailed log file name helps identify the contents of the log file, regardless of where it is stored
• Time stamp of the log file is the event time of the first event in chronological order
• In the rare event of duplicate file delivery, a unique identifier in the file name prevents overwriting log files
FINRA Splunk Presentation – Copyright 2014 FINRA
Who We Are
• FINRA—the Financial Industry Regulatory Authority—is an independent, non-governmental regulator for all securities firms doing business with the public in the United States
• FINRA protects investors by regulating brokers and brokerage firms and by monitoring trading on U.S. stock markets
• FINRA monitors over 6 billion shares traded on the stock market each day
• FINRA handles more 'big data' on a daily basis than the Library of Congress or Visa®—to build a holistic picture of the trading market
• FINRA – Deter, Detect, Discipline
What We Learned Owning a SIEM
• Wanted ALL Logs Centralized
• Enterprise Resource
• Maintenance <<< Analytics
• Push Changes Centrally
• Integrated into Process Flow
• Ease/Flexibility in Reporting
• Avoid Hidden Costs
• Relational DB Independent
• Tech Refreshes Hurt
Where We Are: Splunk Cloud
• Offload HW/SW Worries
• Can Collect Anything
• Widened Our User Base
• Granular AC
• Easily Duplicated All Reporting & Alerting
• Vendors Give Us Apps
• Great User Community
• Easily Determine Actual Costs
Architecture diagram (labels only): FINRA VPCs, Splunk Cloud VPCs, FINRA Data Centers, AWS
Why the AWS CloudTrail Application?
• FINRA Moving Applications into the Cloud
• AWS is Currently FINRA's Primary Cloud Provider
• Data Collection via AWS S3 Bucket Objects Not Trivial
• CloudTrail Captures Everything, Well Almost…
• Splunk App for AWS Allows for Filtering
• Fully Extracted & Tagged AWS CloudTrail Records in an Easy, Flexible UI
• CloudTrail is Transactional
FINRA Use Cases
Ad-Hoc Queries/Reporting
• Who Spun Up/Terminated that EC2
• Show Me Everything Done by Role 'X' Yesterday
Alerting
• Has Anyone Used the Root Account
• Does the Security Group Contain a Class 'A'
Compliance & Governance
• Do the Policies Adhere to FINRA Standards – Notify When to Re-Run Compliance
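As an added example (not FINRA's or Splunk's own code), the checks behind the alerting use cases above, applied to CloudTrail records shaped like the AWS examples earlier in the deck: who made the call (root, IAM user, or federated user with its session issuer), the three IAM role events from FINRA's iam_change_detection saved search, an ingress rule as broad as a Class A network, and an UnauthorizedOperation failure. The ipPermissions/ipRanges request layout, the reading of 'Class A' as a /8 or wider CIDR, and the sample records are assumptions.

```python
import ipaddress
IAM_ROLE_CHANGES = {"CreateRole", "PutRolePolicy", "DeleteRolePolicy"}  # from FINRA's iam_change_detection search

def who(event):
    """Answer 'who made the API call?' for the identity types CloudTrail records."""
    ident = event.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return f"root user of account {ident.get('accountId')}"
    if kind == "FederatedUser":  # temporary session; sessionIssuer names the identity that created it
        issuer = ident.get("sessionIssuer", {})
        return f"federated user {ident.get('principalId')} via {issuer.get('type')} {issuer.get('userName')}"
    if kind == "IAMUser":
        return f"IAM user {ident.get('userName')}"
    return f"{kind} {ident.get('arn')}"

def wide_cidrs(event, max_prefix=8):
    """CIDR ranges in an ingress rule that are /8 or wider (assumed reading of FINRA's 'Class A' check)."""
    found = []
    for perm in event.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            net = ipaddress.ip_network(rng["cidrIp"], strict=False)
            if net.prefixlen <= max_prefix:
                found.append(str(net))
    return found

def alerts(event):
    """Names of the alerts one CloudTrail record triggers."""
    name, ident = event.get("eventName"), event.get("userIdentity", {})
    out = ["root_account_used"] if ident.get("type") == "Root" else []
    if name in IAM_ROLE_CHANGES:
        out.append("iam_role_change")
    if name == "AuthorizeSecurityGroupIngress" and wide_cidrs(event):
        out.append("security_group_class_a")
    if event.get("errorCode") == "UnauthorizedOperation":
        out.append("authorization_failure")
    return out

# Constructed records modelled on the slide's examples (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventName": "GetSessionToken", "userIdentity": {"type": "Root", "accountId": "930458123955"}},
    {"eventName": "PutRolePolicy", "userIdentity": {"type": "IAMUser", "userName": "Bob"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "FederatedUser", "principalId": "123456789012:Alice",
                      "sessionIssuer": {"type": "IAMUser", "userName": "Bob"}},
     "requestParameters": {"ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "192.168.1.0/24"}]}}]}}},
    {"eventName": "TerminateInstances", "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "errorCode": "UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation"},
]
```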
How We Do It – Overview of FINRA AWS Compliance System
Components in the diagram:
• AWS Identity and Access Management, AWS CloudTrail, AWS S3 Buckets, AWS SNS
• Splunk saved search iam_change_detection (daily, run by cron), with a Search API call returning records for CreateRole, PutRolePolicy and DeleteRolePolicy
• aws_daily_check.py and aws_monthly_check.py
• Subversion, Compliance Results, AWS IAM Compliance Dashboard, Finra Cloudpass
Demo of Splunk App for Enterprise Security & AWS CloudTrail
Resources
• Splunk Cloud – http://www.splunk.com/cloud
• Splunk App for AWS CloudTrail – http://apps.splunk.com/app/1274/
• Splunk App for Enterprise Security – http://www.splunk.com/view/enterprise-security-app/SP-CAAAE8Z