Building a cloud-based SIEM with Splunk Cloud and AWS

Copyright © 2014 Splunk Inc.

Joe Goldberg – Product Marketing, Splunk
Gary Mikula – Senior Director Information Security, FINRA
Sivakanth Mundru – Product Manager, AWS

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda

•  Splunk for security and cloud offerings
•  AWS CloudTrail
•  FINRA using Splunk Cloud as a SIEM
•  Demo of Splunk App for Enterprise Security & AWS CloudTrail

Splunk for Security and Cloud Offerings

Use Cases for Machine Data Analytics
Small Data. Big Data. Huge Data.

•  IT Operations
•  Security and Compliance
•  Digital Intelligence
•  App Dev and App Mgmt.
•  Developer Platform (REST API, SDKs)
•  Business Analytics
•  Industrial Data and Internet of Things

(Slide legend: Core Use Cases / Emerging Use Cases / Today's Focus)

Machine Data Contains Critical Insights

Example Correlation – Data Loss: three events from three sources, all occurring within a 24-hour period; the Source IP field in each record is the correlation key.

Endpoint Security (Malware Found):
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackerremotetool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, Time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Intrusion Detection (Data Loss):
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

AWS CloudTrail (Default Admin Account):
{"requestParameters": {"durationSeconds": 43200}, "responseElements": {"credentials": {"sessionToken": "AQoDYXdzEPP///==", "accessKeyId": "ASIAJWQDLBKDOAKEWNIQ", "expiration": "Nov 13, 2013 5:22:32 AM"}, "eventSource": "sts.amazonaws.com", "sourceIPAddress": "10.11.36.1", "eventTime": "2013-11-12T17:22:32Z", "userIdentity": {Administrator:root", "principalId": "930458123955", "accountId": "930458123955", "type": "Root"}, "eventName": "GetSessionToken", "userAgent": "signin.amazonaws.com"}

Big Data SIEM – All Data is Security Relevant

Traditional SIEM sources:
•  Intrusion Detection
•  Firewall
•  Data Loss Prevention
•  Anti-Malware
•  Vulnerability Scans
•  Authentication

Plus everything else that emits machine data:
•  OSes
•  Service Desk
•  Storage
•  CloudTrail
•  Email
•  Web
•  Call Records
•  Network Flows
•  DHCP/DNS
•  Hypervisor
•  Custom Apps
•  Industrial Control
•  Badges
•  Databases
•  Mobile


Top Splunk Security Use Cases – A SIEM Plus Much More

•  Security & Compliance Reporting
•  Real-time Monitoring of Known Threats
•  Real-time Monitoring of Unknown Threats
•  Incident Investigations & Forensics
•  Insider Threat
•  Fraud Detection

Splunk Can Complement OR Replace an Existing SIEM

Over 2800 Global Security Customers

Leading Big Data SIEM (plus more!)
•  Gartner SIEM MQ
•  Best SIEM & Enterprise Security Solution
•  Best SIEM

Cloud Offerings For Security and Compliance

Applications
•  App for AWS CloudTrail – FREE
•  Splunk App for Enterprise Security

SaaS
•  Splunk Enterprise as a service
•  Full app, SDK, API, platform support

Software
•  Self-deploy in cloud or on-premises
•  Centralized view across cloud and on-premises

Amazon Machine Images (AMI)
•  Splunk Enterprise and Hunk AMIs
•  Accelerate deployment in AWS

AWS CloudTrail

Amazon Confidential

Agenda
•  Overview and use cases
•  Regional availability and support for AWS services
•  Event payload review
•  Aggregation of log files across accounts and services

CloudTrail – Overview
Customers are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to customers.

Use Cases Enabled By CloudTrail

•  Security Analysis – use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
•  Track Changes to AWS Resources – track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
•  Troubleshoot Operational Issues – quickly identify the most recent changes made to resources in your environment
•  Compliance Aid – easier to demonstrate compliance with internal policies and regulatory standards

CloudTrail Regional Availability

Services Supported by CloudTrail

What's in a CloudTrail Event?

•  Who made the API call?
•  When was the API call made?
•  What was the API call?
•  What were the resources that were acted upon in the API call?
•  Where was the API call made from?

Who Made the API Call?

•  Records detailed information for all AWS identity types: root user, IAM user, federated user, role
•  Information includes:
   –  Friendly user name
   –  AWS AccessKeyId
   –  12 digit AWS account number
   –  Amazon Resource Name (ARN)
   –  Session context and issuer information, if applicable
   –  invokedBy section identifies the AWS service making the request on behalf of the user

•  IAM user Bob making an API call

"userIdentity": {
    "accessKeyId": "AKEXAMPLE123EJVA",
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/Bob",
    "principalId": "AIEXAMPLE987ZKLALD3HS",
    "type": "IAMUser",
    "userName": "Bob"
}

•  Federated user Alice making an API call

"userIdentity": {
    "type": "FederatedUser",
    "principalId": "123456789012:Alice",
    "arn": "arn:aws:sts::123456789012:federated-user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "ASEXAMPLE1234WTROX8F",
    "sessionIssuer": {
        "type": "IAMUser",
        "accountId": "123456789012",
        "userName": "Bob"
    }
}

When Was the API Call Made?

•  Time and date of the event in ISO 8601 format: "eventTime": "2013-10-23T23:30:42Z"
•  Event time is captured on the service host where the API call is executed
•  Event time is NOT the time the log file is written to S3

What Was the API Call? What Resources Were Acted Upon?

•  API call and the service the API call belongs to: "eventName": "RunInstances", "eventSource": "EC2"
•  Request parameters provided by the requester and response elements returned by the AWS service
•  Response elements for read-only API calls (Describe*, Get*, List*) are not recorded, to prevent event size inflation

Where Was the API Call Made From and To?

•  Apparent IP address of the requester making the API call; also records the apparent IP address of the requester when making API calls from the AWS Management Console
•  AWS region to which the API call was made. Global services (examples: IAM/STS) will be recorded as us-east-1

"sourceIPAddress": "54.234.127.135", "awsRegion": "us-east-1"

Client Errors, Server Errors & Authorization Failures

•  Detailed and descriptive error codes and error messages, recorded only when errors occur. Examples:
   –  Client error code: TagLimitExceeded
   –  Server error code: Internal Error
   –  Authorization failure: UnauthorizedOperation
•  Authorization failure example:
   "eventName": "TerminateInstances", "errorCode": "UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation"

SNS Notifications for Log File Delivery

•  Optionally, CloudTrail will publish an SNS notification for each new log file
•  Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action
•  Does not require you to continuously poll S3 to check whether new log files were delivered
•  Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis

Aggregate Log Files Across Regions and Accounts

•  Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket
•  Detailed log file name helps identify the contents of the log file, regardless of where it is stored
•  Time stamp of the log file is the event time of the first event in chronological order
•  In the rare event of duplicate file delivery, the unique identifier in the file name prevents overwriting log files

FINRA using Splunk Cloud as a SIEM

FINRA Splunk Presentation – Copyright 2014 FINRA

Who We Are
•  FINRA—the Financial Industry Regulatory Authority—is an independent, non-governmental regulator for all securities firms doing business with the public in the United States
•  FINRA protects investors by regulating brokers and brokerage firms and by monitoring trading on U.S. stock markets
•  FINRA monitors over 6 billion shares traded on the stock market each day
•  FINRA handles more 'big data' on a daily basis than the Library of Congress or Visa®—to build a holistic picture of the trading market
•  FINRA – Deter, Detect, Discipline

So You Want to Own a SIEM? Now Double It

What We Learned Owning a SIEM
•  Wanted ALL Logs Centralized
•  Enterprise Resource
•  Maintenance <<< Analytics
•  Push Changes Centrally
•  Integrated into Process Flow
•  Ease/Flexibility in Reporting
•  Avoid Hidden Costs
•  Relational DB Independent
•  Tech Refreshes Hurt

Where We Are: Splunk Cloud
•  Offload HW/SW Worries
•  Can Collect Anything
•  Widened Our User Base
•  Granular AC
•  Easily Duplicated All Reporting & Alerting
•  Vendors Give Us Apps
•  Great User Community
•  Easily Determine Actual Costs

[Diagram: FINRA VPCs and FINRA data centers feeding Splunk Cloud VPCs in AWS]

Why the AWS CloudTrail Application?
•  FINRA Moving Applications into the Cloud
•  AWS is Currently FINRA's Primary Cloud Provider
•  Data Collection via AWS S3 Bucket Objects Not Trivial
•  CloudTrail Captures Everything, Well Almost…
•  Splunk App for AWS Allows for Filtering
•  Fully Extracted & Tagged AWS CloudTrail Records in an Easy, Flexible UI
•  CloudTrail is Transactional

FINRA Use Cases

Ad-Hoc Queries/Reporting
•  Who Spun Up/Terminated that EC2
•  Show me Everything Done by Role 'X' Yesterday

Alerting
•  Has Anyone Used the Root Account
•  Does the Security Group Contain a Class 'A'

Compliance & Governance
•  Do the Policies Adhere to FINRA Standards**
   –  Notify When to Re-Run Compliance

AWS CloudTrail Overview

Use Case: Ensure User Permissions in the Cloud

How We Do It

Overview of FINRA AWS Compliance System (diagram components):
•  Cron / Splunk saved search iam_change_detection (daily): searches API calling records for CreateRole, PutRolePolicy, DeleteRolePolicy
•  AWS Identity and Access Management, AWS CloudTrail, AWS S3 Buckets
•  aws_daily_check.py, aws_monthly_check.py
•  Compliance Results, Subversion
•  AWS IAM Compliance Dashboard, Finra Cloudpass
•  AWS SNS
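The CloudTrail fields reviewed in the AWS section (userIdentity, eventTime, eventName/eventSource, sourceIPAddress/awsRegion, errorCode) and FINRA's daily iam_change_detection search both come down to walking the Records array of a CloudTrail log file. The Python below is an added example, not FINRA's aws_daily_check.py or the Splunk app's code; the log records are constructed and the account number, user names and addresses are made up.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail log file (the "Records" array CloudTrail delivers to S3).
# All values are made up for this example; none come from the presentation.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-08-08T06:10:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.11.36.1",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2014-08-08T09:02:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.11.36.20",
     "userIdentity": {"type": "IAMUser", "userName": "Bob",
                      "accountId": "123456789012"},
     "requestParameters": {"roleName": "deploy-role", "policyName": "admin"}},
    {"eventTime": "2014-08-08T09:05:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "54.234.127.135",
     "userIdentity": {"type": "FederatedUser", "principalId": "123456789012:Alice",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "Bob"}}},
     "errorCode": "UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation"},
]})

# The IAM role changes FINRA's daily iam_change_detection search looks for.
IAM_ROLE_CHANGES = {"CreateRole", "PutRolePolicy", "DeleteRolePolicy"}

def who(identity):
    """Friendly caller name; a federated user is also attributed to the issuing IAM user."""
    name = identity.get("userName") or identity.get("principalId") or identity.get("type")
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return f"{name} (issued by {issuer})" if issuer else name

def review_records(log_text):
    """Return a list of (who, when, what, where) tuples and a list of alert strings."""
    summary, alerts = [], []
    for rec in json.loads(log_text)["Records"]:
        ident = rec["userIdentity"]
        # eventTime is ISO 8601 and captured on the service host, not at S3 delivery.
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        what = f'{rec["eventSource"]}:{rec["eventName"]}'
        summary.append((who(ident), when, what, f'{rec["sourceIPAddress"]} -> {rec["awsRegion"]}'))
        if ident.get("type") == "Root":          # "Has anyone used the root account?"
            alerts.append(f"root account used: {what} from {rec['sourceIPAddress']}")
        if rec["eventName"] in IAM_ROLE_CHANGES:  # role/policy drift to re-check compliance
            alerts.append(f"IAM role change by {who(ident)}: {what} {rec.get('requestParameters')}")
        if rec.get("errorCode") == "UnauthorizedOperation":  # recorded only on failure
            alerts.append(f"authorization failure for {who(ident)}: {what}")
    return summary, alerts
```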

Executive Summary

Remediation Report

Demo of Splunk App for Enterprise Security & AWS CloudTrail

Resources
•  Splunk Cloud – http://www.splunk.com/cloud
•  Splunk App for AWS CloudTrail – http://apps.splunk.com/app/1274/
•  Splunk App for Enterprise Security – http://www.splunk.com/view/enterprise-security-app/SP-CAAAE8Z

Q&A

THANK YOU