
SplunkLive Auckland 2015 - Splunk for Security

Date post: 16-Apr-2017
Page 1: SplunkLive Auckland 2015 - Splunk for Security

Copyright © 2014 Splunk Inc.

Splunk for Security

Continuous Monitoring and Analytics-Driven Security for Modern Threats

Simon O’Brien, Security SME, ANZ

Page 2: SplunkLive Auckland 2015 - Splunk for Security

SPLUNK FOR SECURITY

Connecting People and Data, with Context and Extended Intelligence

Page 3: SplunkLive Auckland 2015 - Splunk for Security

The Ever-Changing Threat Landscape

• 67%: victims notified by an external entity

• 100%: valid credentials were used

• 229: median number of days before detection

Source: Mandiant M-Trends Report 2012/2013/2014

Page 4: SplunkLive Auckland 2015 - Splunk for Security

CYBERCRIMINALS

MALICIOUS INSIDERS

NATION STATES

Page 5: SplunkLive Auckland 2015 - Splunk for Security

New approach to security operation is needed

THREAT – Attack Approach:

• Human directed

• Goal-oriented

• Dynamic (adjust to changes)

• Coordinated

• Multiple tools & activities

• New evasion techniques

Security Approach (TECHNOLOGY, PEOPLE, PROCESS):

• Fusion of people, process, & technology

• Contextual and behavioral

• Rapid learning and response

• Share info & collaborate

• Analyze all data for relevance

• Leverage IOC & Threat Intel

Page 6: SplunkLive Auckland 2015 - Splunk for Security

New approach to security operation is needed

THREAT – Attack Approach:

• Human directed

• Goal-oriented

• Dynamic (adjust to changes)

• Coordinated

• Multiple tools & activities

• New evasion techniques

Security Approach (TECHNOLOGY, PEOPLE, PROCESS): Analytics-driven Security

Page 7: SplunkLive Auckland 2015 - Splunk for Security

Security & Compliance

Top Goals

• Continuously protect the business against: Data Breaches, Malware, Fraud, IP Theft

• Comply with audit requirements

• Provide enterprise visibility

Top Splunk Benefits

• 70% to 90% improvement with detection and research of events

• 70% to 95% reduction in security incident investigation time

• 10% to 30% reduction in risks associated with data breaches, fraud and IP theft

• 70% to 90% reduction in compliance labor

Page 8: SplunkLive Auckland 2015 - Splunk for Security

All Data is Security Relevant = Big Data

Traditional security sources:

• Intrusion Detection

• Firewall

• Data Loss Prevention

• Anti-Malware

• Vulnerability Scans

• Authentication

Other security-relevant sources:

• Servers

• Storage

• Desktops

• Email

• Web

• Transaction Records

• Network Flows

• DHCP / DNS

• Hypervisor

• Custom Apps

• Physical Access

• Badges

• Threat Intelligence

• Mobile

• CMDB

Page 9: SplunkLive Auckland 2015 - Splunk for Security

Solution: Splunk, The Engine For Machine Data

Real-Time Machine Data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Capabilities: Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search, Developer Platform

Context that enriches machine data:

• References – coded fields, mappings, aliases

• Dynamic information – stored in non-traditional formats

• Environmental context – human-maintained files, documents

• System/application – available only using application request

• Intelligence/analytics – indicators, anomaly, research, white/blacklist

Page 10: SplunkLive Auckland 2015 - Splunk for Security

The Splunk Platform for Security Intelligence

SPLUNK ENTERPRISE (CORE)

Copyright © 2014 Splunk Inc.

200+ APPS – SPLUNK FOR SECURITY – SPLUNK-BUILT APPS:

• Stream data

• Cisco Security Suite

• Windows / AD / Exchange

• Palo Alto Networks

• FireEye

• Bit9

• DShield

• DNS

• OSSEC

Page 11: SplunkLive Auckland 2015 - Splunk for Security

Connecting the “data-dots” via multiple/dynamic relationships

What each data source tells you:

• Threat intelligence – attacker, known relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution

• Network Activity/Security – where they went, who talked to whom, attack transmitted, abnormal traffic, malware download

• Host Activity/Security – what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility

• Auth – User Roles – access level, privileged users, likelihood of infection, where they might be in the kill chain

Kill chain stages: Delivery, exploit installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data Gathering → Exfiltration → Persist, Repeat

Page 12: SplunkLive Auckland 2015 - Splunk for Security

Security Intelligence Use Cases

• SECURITY & COMPLIANCE REPORTING

• REAL-TIME MONITORING OF KNOWN THREATS

• DETECTING UNKNOWN THREATS

• INCIDENT INVESTIGATIONS & FORENSICS

• FRAUD DETECTION

• INSIDER THREAT

Complement, replace and go beyond traditional SIEMs

Page 13: SplunkLive Auckland 2015 - Splunk for Security

Splunk Enterprise Security

• Risk-Based Analytics

• Visualize and Discover Relationships

• Enrich Security Analysis with Threat Intelligence

The artist formerly known as the ‘app for’

Page 14: SplunkLive Auckland 2015 - Splunk for Security

Splunk Enterprise Security – 5 Releases in 21 Months

Timeline: Q3 2014, Q4 2014, Q2 2015, Q4 2015

ES 3.0

ES 3.1: Risk Framework, Guided Search, Unified Search Editor, Threatlist Scoring, Threatlist Audit

ES 3.2: Protocol Intelligence (Stream capture), Semantic Search (Dynamic Thresholding)

ES 3.3: Threat Intel framework, User Activity Monitoring, Content Sharing, Data Ingestion

ES 4.0: Breach Analysis, Integration with Splunk UBA, Splunk Security Framework

Page 15: SplunkLive Auckland 2015 - Splunk for Security

DEMO!

Page 16: SplunkLive Auckland 2015 - Splunk for Security

PLAY DEMO

Page 17: SplunkLive Auckland 2015 - Splunk for Security


https://www.splunk.com/getsplunk/es_sandbox

Page 18: SplunkLive Auckland 2015 - Splunk for Security


Page 19: SplunkLive Auckland 2015 - Splunk for Security

Copyright © 2014 Splunk Inc.

Splunk User Behavior Analytics for threat detection

Page 20: SplunkLive Auckland 2015 - Splunk for Security

BIG DATA DRIVEN

SECURITY ANALYTICS

MACHINE LEARNING

A NEW PARADIGM

DATA-SCIENCE DRIVEN BEHAVIORAL ANALYTICS

Page 21: SplunkLive Auckland 2015 - Splunk for Security

What does Splunk UBA do?

Inputs: SIEM; Firewall, AD, DLP; AWS, VM/Cloud, Mobile; End point, Host, App, DB logs; Netflow, PCAP; Threat Feeds

Next-Gen Data Science-driven Threat Detection:

• Application for SOC Analysts

• Kill Chain Detection

• Ranked Threat Review

• Actions & Resolution

• 99.99% event reduction

Security Analytics

Page 22: SplunkLive Auckland 2015 - Splunk for Security

SPLUNK UBA

MACHINE LEARNING

BEHAVIOR ANALYTICS

ANOMALY DETECTION

THREAT DETECTION

SECURITY ANALYTICS

Page 23: SplunkLive Auckland 2015 - Splunk for Security

THREAT DETECTION

KEY WORKFLOWS – SOC ANALYST

• Quickly spot threats within your network

• Leverage Threat Detection workflow to investigate insider threats and cyber attacks

• Act on forensic details – deactivate accounts, unplug network devices, etc.

Page 24: SplunkLive Auckland 2015 - Splunk for Security

SECURITY ANALYTICS

KILL-CHAIN

KEY WORKFLOWS – HUNTER

• Investigate suspicious users, devices, and applications

• Dig deeper into identified anomalies and threat indicators

• Look for policy violations

Page 25: SplunkLive Auckland 2015 - Splunk for Security

Threat Example

User Activities (timeline):

• 3:00 PM – John logs in via VPN from 1.0.63.14

• 3:05 PM – John elevates his privileges for the PCI network

• 3:10 PM – John performs a remote desktop on a system as Administrator in the PCI network zone

• 3:15 PM – John (Admin) performs an ssh as root to a new machine in the BizDev department

• 3:40 PM – John (Admin→root) accesses the folder with all the Excel and negotiation documents on the BizDev file shares

• 6 PM – John (Admin→root) copies all the negotiation docs to another share on the corp zone

• 11:35 PM – John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise

Risk/Threat Detection Areas:

• Unusual Geo for John (China)

• Unusual Activity Time

• Unusual Activity Sequence (AD/DC Privilege Escalation)

• Unusual Zone (Corp→PCI) traversal for John (lateral movement)

• Unusual Machine Access (lateral movement; individual + peer group)

• Unusual File Access (individual + peer group)

• Excessive Data Transmission (individual + peer group)

• Unusual Zone combo (PCI→corp) for John

• Multiple Outgoing Connections

• Unusual VPN session duration (11h)
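The detection areas on this slide, worked through as an added example (this is not code from the deck and not Splunk UBA's implementation). A small Python scorer replays a constructed version of John's timeline, compares each event with the user's own baseline and with his peer group's baseline (the "individual + peer group" idea), names each deviation after the slide's detection areas, and sums weighted risk into one ranked finding. The baselines, event records, country codes, byte counts, weights and thresholds are all constructed for illustration; a benign timeline for the same user is included to show that peer-group allowances keep ordinary engineering activity at zero risk.

```python
"""Behavioural anomaly scoring over a constructed user timeline.

Added example, not Splunk UBA code. Each event is checked against the
user's own baseline and the baseline of the user's peer group; every
deviation becomes a named detection with a risk weight, and the weights
are summed so analysts can review the highest-risk user first.
"""
from collections import Counter
from datetime import datetime

# Constructed baselines; in practice these are learned from weeks of history.
USER_BASELINE = {
    "john": {
        "peer_group": "engineering",
        "countries": {"NZ"},
        "work_hours": range(8, 19),        # 08:00-18:59 local
        "home_zone": "corp",
        "zones": {"corp"},
        "hosts": {"corp-ws-07"},
        "shares": {"/corp/eng"},
        "bytes_p95": 50_000_000,           # 95th percentile bytes per transfer
        "vpn_hours_p95": 6,
    }
}
PEER_BASELINE = {
    "engineering": {
        "hosts": {"corp-ws-07", "corp-ws-12", "build-01"},
        "shares": {"/corp/eng", "/corp/ci"},
        "bytes_p95": 80_000_000,
    }
}

# Risk weight per detection (constructed values; tune per environment).
WEIGHTS = {
    "unusual_geo": 20, "unusual_time": 10, "unusual_sequence": 25,
    "zone_traversal": 20, "unusual_machine": 15, "unusual_file_access": 15,
    "excessive_data": 25, "unusual_zone_combo": 15, "multiple_outgoing": 20,
    "long_vpn_session": 10,
}
OUTGOING_THRESHOLD = 5   # distinct external destinations in one egress burst

# Constructed events following the slide's timeline (hostnames, country
# codes and byte counts are made up).
SUSPICIOUS_EVENTS = [
    {"ts": "2015-06-01 15:00", "type": "vpn_login", "country": "CN", "src_ip": "1.0.63.14"},
    {"ts": "2015-06-01 15:05", "type": "priv_escalation", "zone": "pci"},
    {"ts": "2015-06-01 15:10", "type": "rdp", "zone": "pci", "host": "pci-srv-02", "as": "Administrator"},
    {"ts": "2015-06-01 15:15", "type": "ssh", "zone": "bizdev", "host": "bizdev-fs-01", "as": "root"},
    {"ts": "2015-06-01 15:40", "type": "file_access", "share": "/bizdev/negotiations"},
    {"ts": "2015-06-01 18:00", "type": "copy", "zone": "corp", "bytes": 2_000_000_000},
    {"ts": "2015-06-01 23:35", "type": "egress", "dest_count": 14, "bytes": 2_000_000_000},
    {"ts": "2015-06-02 02:00", "type": "vpn_logout"},
]
# Constructed ordinary day: same user, hosts and shares shared with peers.
BENIGN_EVENTS = [
    {"ts": "2015-06-01 09:00", "type": "vpn_login", "country": "NZ", "src_ip": "203.0.113.5"},
    {"ts": "2015-06-01 09:30", "type": "ssh", "zone": "corp", "host": "build-01", "as": "john"},
    {"ts": "2015-06-01 10:00", "type": "file_access", "share": "/corp/ci"},
    {"ts": "2015-06-01 14:00", "type": "vpn_logout"},
]


def detect(events, user_base, peer_base):
    """Return [(timestamp, detection)] for one user's chronologically sorted events."""
    hits = []
    prev_zone = user_base["home_zone"]
    vpn_start = None
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")
        kind = e["type"]

        def hit(name):
            hits.append((e["ts"], name))

        if ts.hour not in user_base["work_hours"]:
            hit("unusual_time")
        if kind == "vpn_login":
            vpn_start = ts
            if e["country"] not in user_base["countries"]:
                hit("unusual_geo")
        elif kind == "vpn_logout" and vpn_start is not None:
            if (ts - vpn_start).total_seconds() / 3600 > user_base["vpn_hours_p95"]:
                hit("long_vpn_session")
        elif kind == "priv_escalation" and e["zone"] not in user_base["zones"]:
            hit("unusual_sequence")      # privilege gained for a zone the user never works in
        if kind in ("rdp", "ssh", "copy"):
            zone = e["zone"]
            if zone not in user_base["zones"] and zone != prev_zone:
                hit("zone_traversal")    # e.g. corp -> pci (lateral movement)
            elif zone in user_base["zones"] and prev_zone not in user_base["zones"]:
                hit("unusual_zone_combo")  # e.g. pci -> corp (staging for exfiltration)
            prev_zone = zone
        # Peer-group allowance: a host or share used by the user's peers is not anomalous.
        if "host" in e and e["host"] not in user_base["hosts"] | peer_base["hosts"]:
            hit("unusual_machine")
        if "share" in e and e["share"] not in user_base["shares"] | peer_base["shares"]:
            hit("unusual_file_access")
        if e.get("bytes", 0) > max(user_base["bytes_p95"], peer_base["bytes_p95"]):
            hit("excessive_data")
        if e.get("dest_count", 0) > OUTGOING_THRESHOLD:
            hit("multiple_outgoing")
    return hits


def risk_score(hits):
    """Sum detection weights; a detection that repeats keeps adding risk."""
    return sum(WEIGHTS[name] for _, name in hits)


def score_timeline(user, events):
    """Return (total_risk, Counter of detection names) for one user's timeline."""
    base = USER_BASELINE[user]
    hits = detect(events, base, PEER_BASELINE[base["peer_group"]])
    return risk_score(hits), Counter(name for _, name in hits)


if __name__ == "__main__":
    for label, events in (("suspicious", SUSPICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        score, found = score_timeline("john", events)
        print(f"{label}: risk={score} detections={dict(found)}")
```

Run as a script it prints one line per timeline. On the suspicious timeline every one of the ten detection areas fires at least once, with zone traversal, unusual machine access and excessive data transmission each firing twice; the benign timeline produces no detections because the host and share it touches belong to the peer group's baseline even though they are not in John's own history. The ordering of checks matters: zone tracking must update `prev_zone` only on events that actually place the user in a zone, otherwise the PCI→corp combination on the 6 PM copy would be missed.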

Page 26: SplunkLive Auckland 2015 - Splunk for Security
Page 27: SplunkLive Auckland 2015 - Splunk for Security
Page 28: SplunkLive Auckland 2015 - Splunk for Security

DEMO!

Page 29: SplunkLive Auckland 2015 - Splunk for Security

Thank you!

[email protected]

