Home >Technology >Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Date post:29-Jan-2015
View:129 times
Download:1 times
Share this document with a friend
This session will examine how Intuit is using Splunk to prevent fraud and conduct forensic analysis. We’ll show how Splunk helps Intuit monitor for known fraudsters and fraudulent patterns and then speeds forensic investigations to understand which systems may have been compromised.
  • 1. Understanding Security Issues as Pa2erns in Data Mark Seward, Director, Security and Compliance Marke=ng

2. A ShiA in A2ack Vectors Unknown Splunk meets Data Explosion behavior based the challenge Data Volume (Big-data) a2acks of detec=ng pa2ern-based behaviors in a Known Big-data signatures The increasing number context based threats of a2ack signatures and a2acks 19981998Time2005 TodayThe 2nd Annual Splunk Worldwide Users Conference2 Copyright Splunk 2011 3. Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach A move to a behavioral approach demands more emphasis on people and less on pure technology Behavioral approaches to security require a con=nuous applica=on of human observa=on and judgment Allows the analyst is to take the actor view to understanding the goals and methods of persistent adversaries Requires you to baseline pa2erns of normal or expected behavior; select thresholds and triggers that will alert administrators to suspicious ac=vi=es The 2nd Annual Splunk Worldwide Users Conference3 Copyright Splunk 2011 4. Implemen=ng a Pa2ern-based Strategy for Security 5. Enabling a Pa2ern-based Strategy for Security Splunk supports pa2ern modeling and adapta=on for security for insider threats, fraud scenarios, and persistent adversaries Pa2erns enable a risk-based approach to an=cipate a2ack vectors and a2ack pa2erns and behaviors Seek -- activity and access patterns that contain the weak signals of a potential threat Model -- implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact Adapt -- action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases Gartner Research 2010 The 2nd Annual Splunk Worldwide Users Conference 5 Copyright Splunk 2011 6. Security Event Pa2erns in Context Augmented View Security Events View the web analy=cs data pa2erns as part of the web applica=on a2ack App IT Web Security Mgmt Ops Analy/cs Monitor changes in server/applica=on performance (CPU) against a baseline as an indicator of an a2ack Understand authorized pa2erns of changes/ addi=ons to congura=ons and user accounts part of fraud surveillance Security is a Big Data Problem with no boundaries from on-premise to cloudThe 2nd Annual Splunk Worldwide Users Conference 6 Copyright Splunk 2011 7. How is this Dierent from Tradi=onal SIEM? Rules View Breaking the speed limit If one or more of these things happen let me know Watches for only what is known No concept of what is normal Pa2erns view Watches for rhythms in your data over =me against what is normal (normal will not be sta=c) Takes advantage of weak signals from non-tradi=onal security data Patterns allow for data to be Watches for what you dont know viewed as a reflection of human Pa2erns + Analy=cs enables decisions behavior over time The 2nd Annual Splunk Worldwide Users Conference 7 Copyright Splunk 2011 8. Analy=cs and data pa2erns in prac=ce 9. DoS A2acks DoS a2acks at the network layer are massive oods of trac from numerous sources, designed to overwhelm resources DoS a2acks at the applica=on layer target layer-7 and the HTTP protocol Recent The 2nd Annual Splunk Worldwide Users Conference 9 Copyright Splunk 2011 10. Common Anatomy of a Typical DoS Source addresses usually spoofed this also means no TCP session establishment possible True iden=ty of source very dicult to obtain A2acks of signicance generally from a botnet TCP and UDP most common; ICMP happens as well The 2nd Annual Splunk Worldwide Users Conference10 Copyright Splunk 2011 11. HTTP Slow POST A2ack Client issues an HTTP POST to a server Client says Im going to post a gig of data. Client sends the Host a gig but only 1 byte 1 minute Service waits for the data transfer Usually in just a couple of minutes La Morte The 2nd Annual Splunk Worldwide Users Conference 11 Copyright Splunk 2011 12. Dashboard HTTP Slow POST Slow Post AttackThe 2nd Annual Splunk Worldwide Users Conference 12 Copyright Splunk 2011 13. Connec=on Exhaus=on Based A2acks Host opens a connec=on to a server but doesnt send a single byte Each connec=on =es/up an Apache process. Apache waits for the connec=on =me out to expire then closes the connec=on Connec=ons ll up the Queue faster than they =me out Default connec=on queue for Apache is set to 511 The 2nd Annual Splunk Worldwide Users Conference13 Copyright Splunk 2011 14. Dashboard Connec=on Exhaus=on Attacks detectedThe 2nd Annual Splunk Worldwide Users Conference 14 Copyright Splunk 2011 15. Example: Time-based Pa2ern-detec=on for Malware Ac=vity Discovery Pa2ern: request for download immediately Splunk pa2ern search followed by more requests Time based transac=ons sorted by length Fast requests following the download of a source=proxy [search le=*.pdf OR PDF, java, zip, or exe. If a download is le=*.exe | dedup clien=p | table clien=p] followed by rapid requests for more les | transac=on maxspan=60s maxpause=5s this is a poten=al indicator of a dropper. clien=p | eval Length=len(_raw) | sort - Length The 2nd Annual Splunk Worldwide Users Conference 15 Copyright Splunk 2011 16. Example: Pa2erns of Beaconing Hosts to Command and Control Pa2ern: Splunk pa2ern search APT malware beacons to command Watching for hosts that talk to the same and control at specic intervals URL at the same interval every day | streamstats current=f last(_=me) as next_=me by site | eval gap = next_=me - _=me | stats count avg(gap) var(gap) by site What youd be looking out for are sites that have a low var(gap) value. The 2nd Annual Splunk Worldwide Users Conference 16 Copyright Splunk 2011 17. Other Pa2ern Uses Fraud Hand o to Intuit 18. Intuit, Financial Services Division Jaime Rodriguez, Senior Fraud Analyst, Intuit 19. Jaime Rodriguez Securing banks and nancial ins=tu=ons since 1999 Presented and keynoted at numerous Informa=on Security conferences all around the US. Contributor to a variety of open-source projects related to many of todays most popular security tools. Fraud teams goal is to provide fraud analysis on aproactive basis--were currently reactive. The 2nd Annual Splunk Worldwide Users Conference19 Copyright Splunk 2011 20. IntuitFinancial Services Division One of largest providers of outsourced online nancial management solu=ons Serving 1800+ nancial ins=tu=ons and 4 million+ end customers Applica=ons include: - Consumer and business internet banking - Electronic bill payment and presentment - Personal online nancial management - Website hos=ng and development for nancial ins=tu=ons The 2nd Annual Splunk Worldwide Users Conference 20 Copyright Splunk 2011 21. All of Your Data Is Security Relevant Indexing our infrastructure: - Cisco Firewalls - Snort - App logs, WebSense - TippingPoint, IPS Integra=ng data from outside partners: - Known fraud rings - Bad IP addresses - Bad actors The 2nd Annual Splunk Worldwide Users Conference 21 Copyright Splunk 2011 22. Splunk Speeds Remedia=on Splunk provides a single view Previously had customized parser Role-based access provides Searches conducted in batch secure views into data taking 3+ hours via chron job Customer service and banking Reports came in piecemeal across customer teams can begin 5000 emails with dierent syntax queries on their ownno wai=ng Only sophis=cated (aka highly- for access/ permissionno highly paid) users could track pa2erns paid engineer required Results in 5 minutes The 2nd Annual Splunk Worldwide Users Conference22 Copyright Splunk 2011 23. From Reac=ve to Proac=ve Using Splunk for historical analysis New fraud pa2erns iden=ed drive reviews of past 30 day / 90 day / all =me periods As pa2erns emerge we build alerts when evidence of similar pa2erns of known fraudsters emerge (SMS, email) Showing monthly trending Weve modied our logs to be2er capture and expose the informa=on we need to see The 2nd Annual Splunk Worldwide Users Conference 23 Copyright Splunk 2011 24. Splunk for the Ops Team Outages unacceptable OAen caused by unauthorized change Splunk tracks changes to pinpoint issues for remedia=on Monitoring throughput and access for each nancial ins=tu=on - Usages stats good for re-sell/ upsell Dashboards show system health and performanceexecs love visibility The 2nd Annual Splunk Worldwide Users Conference 24 Copyright Splunk 2011 25. Truth From The Trenches: Wire Transfers Watching fraudster in real-=meseeing $5M, $7M, $8M wire a2empts Splunk exposed every element of our infrastructure that he touched Next we could correlate ac=vi=es based on =me to understand his pa2ern of ac=vity The 2nd Annual Splunk Worldwide Users Conference25 Copyright Splunk 2011 26. Truth from the Trenches: Geoloca=on We no=ced a similar fraud pa2ern across 15 banks Then we mapped them to see they were within 15 miles of one another Fraud was coming from one data processing vendor who they all shared The 2nd Annual Splunk Worldwide Users Conference 26 Copyright Splunk 2011 27. The World of Compliance FFIEC Federal Financial Institutions Exam Council Ensures nancial organizations follow uniform principles, standards and methods of reporting Splunk empowers auditors to askand us to quickly and easily answerany questionSAS70 Certication of standard controls, communications mechanisms and monitoring procedures Required by may nancial services clients Subset of Sarbanes Oxley CompliancePCI PCI: Payment card industry data security Standard Promotes trust with customers Required by various payment card providersThe 2nd Annual Splunk Worldwide Users Conference 27 Copyright Splunk 2011 28. Ge~ng Started Just get startedSplunk is great out of the box for quick and dirty analysis It only gets be2er when you customize it Demo Splunk to otherspeople are amazed at how much data and depth we can get based on pivo=ng Follow the install guide! Consider how youll expandand plan in advance for that expansion Move to 4.2---its fast! The 2nd Annual Splunk Worldwide Users Conference 28 Copyright Splunk 2011 29. Ques=ons? August 15, 2011 odriquez, Intuit Jaime R

Popular Tags:
of 29/29
Understanding Security Issues as Pa2erns in Data Mark Seward, Director, Security and Compliance Marke=ng
Embed Size (px)