SplunkLive Melbourne Splunk for Operational Security Intelligence

Posted: 14-Apr-2017
Uploaded by: splunk
Copyright © 2016 Splunk Inc. Splunk for Operational Security Intelligence SplunkLive Melbourne 2016 James Overman, Sr SE
Transcript


whoami

James Overman, [email protected]

• Splunk Sales Engineer
• Over 20 years in IT infrastructure & security
• CISSP
• Worked for leading security integrators and vendors

LEGAL NOTICE: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda

Splunk Security Overview

Threat Intelligence (via lookups)

The Common Information Model

Tackling Adv. Windows attacks via 6 Event IDs

"Best of" security-related Splunkbase apps

Advanced Threats Are Hard to Find

Cyber Criminals / Nation States / Insider Threats

Source: Mandiant M-Trends Report 2012/2013/2014

100% Valid credentials were used
40 Average # of systems accessed
229 Median # of days before detection
67% Of victims were notified by external entity

New approach to security operation is needed

THREAT / Attack Approach:
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Security Approach (Analytics-driven Security: TECHNOLOGY, PEOPLE, PROCESS):
• Fusion of people, process & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel

All Data is Security Relevant = Big Data

Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Other machine data: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB

Splunk Solutions: Across Data Sources, Use Cases and Consumption Models

Platform for Machine Data

Splunk Premium Solutions: ITSI (IT Service Intelligence), UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security

Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL

Put it All Together: Security Maturity Level

Security Operations Roles/Functions (reactive to proactive):
• Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Audit/Compliance
• Security Analyst, CSIRT, Forensics, Engineering
• Fraud analyst, Threat research/Intelligence, Malware research, Cyber Security/Threat

Search and Investigate:
• Continuous monitoring/evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten discover/detect cycle
• Rapid insight from all data

Proactive Monitoring and Alerting:
• Replace SIEM @ lower TCO, increase maturity
• Augment SIEM @ increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing

Security Situational Awareness / Real-time Risk Insight:
• APT detection/hunting (kill chain method)
• Counter threat automation
• Threat Intelligence aggregation (internal & external)
• Fraud detection (ATO, account abuse)
• Insider threat detection

Security Intelligence Use Cases: Splunk provides solutions that address SIEM use cases and more
• Security & Compliance Reporting
• Incident Analysis & Investigations
• Real-time Monitoring & Alerting
• Fraud Detection
• Insider Threat
• Advanced Threat Detection

Example of Advanced Threat Activities

Attack narrative:
• Attacker hacks website (Web Portal), steals .pdf files
• Attacker creates malware, embeds it in a .pdf, emails it to the target (MAIL)
• Target reads email, opens attachment; the .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
• HTTP (web) session to command & control server (WEB)
• Remote control, steal data, persist in company, rent as botnet
• Gain access to system, create additional environment, conduct business / transaction

Data sources: Threat intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security

Sample events:

Endpoint security (Symantec):
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found, Computer name: ACME-002, Source: Real Time Scan, Risk name: Hackertool.rootkit, Occurrences: 1, C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp, "", Actual action: Quarantined, Requested action: Cleaned, time: 2009-01-23 03:19:12, Inserted: 2009-01-23 03:20:12, End: 2009-01-23 03:19:12, Domain: Default, Group: My Company\ACME Remote, Server: acmesep01, User: smithe, Source computer: , Source IP: 10.11.36.20

Intrusion detection (Snort):
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsecsnort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:

Windows authentication (WMI UserAccounts; slide highlights IP: 10.11.36.20):
20130806041221.000000 Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543500 SIDType=1 Status=Degraded wmi_type=UserAccounts

Monitoring & Alerting Sources

Example Correlation: Data Loss

All three occurring within a 24-hour period, from the same Source IP:
• Data Loss (Intrusion Detection)
• Default Admin Account (Windows Authentication)
• Malware Found (Endpoint Security)
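The 24-hour correlation described above, as an added example in Python (not Splunk's code and not a Splunk correlation search): a sliding-window check that fires only when all three categories are seen for one source IP within 24 hours. The event list is constructed to mirror the three sample logs (IDS data-loss alert, default admin account, endpoint malware hit); the field names src_ip/category/ts and the category labels are assumptions for this example, and it also covers the two cases that must not fire: an IP whose three events span more than 24 hours, and an IP with only two of the three.

```python
"""Correlate data-loss (IDS), default-admin (Windows auth) and malware-found
(endpoint) alerts by source IP inside a 24-hour window.

Added example, not Splunk's own code. EVENTS is constructed for this example;
the field names and category labels are assumptions, not a Splunk schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
REQUIRED = {"data_loss", "default_admin", "malware_found"}

# Constructed events, modelled on the slide's Snort, WMI and Symantec samples.
EVENTS = [
    {"ts": "2013-08-08 06:09:13", "src_ip": "10.11.36.20", "category": "malware_found"},
    {"ts": "2013-08-08 08:26:54", "src_ip": "10.11.36.20", "category": "data_loss"},
    {"ts": "2013-08-08 04:12:21", "src_ip": "10.11.36.20", "category": "default_admin"},
    # Same three categories but spread over more than 24 hours: must not fire.
    {"ts": "2013-08-06 01:00:00", "src_ip": "10.11.36.99", "category": "default_admin"},
    {"ts": "2013-08-08 09:00:00", "src_ip": "10.11.36.99", "category": "malware_found"},
    {"ts": "2013-08-08 10:00:00", "src_ip": "10.11.36.99", "category": "data_loss"},
    # Only two of the three: must not fire.
    {"ts": "2013-08-08 10:00:00", "src_ip": "10.11.36.50", "category": "data_loss"},
    {"ts": "2013-08-08 11:00:00", "src_ip": "10.11.36.50", "category": "malware_found"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW, required=REQUIRED):
    """Return {src_ip: (first_ts, last_ts)} for every source IP whose events
    cover all `required` categories inside a window of length `window`.

    Each event in turn is tried as the window start; the window is closed
    as soon as all required categories have been seen, so the reported span
    is the earliest one that satisfies the rule for that IP.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append((parse_ts(e["ts"]), e["category"]))

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological, so the window scan can stop early
        for i, (start, _) in enumerate(evs):
            seen = {}
            for ts, cat in evs[i:]:
                if ts - start > window:
                    break  # everything further on is outside this window
                if cat in required and cat not in seen:
                    seen[cat] = ts
                    if set(seen) == required:
                        hits[ip] = (start, max(seen.values()))
                        break
            if ip in hits:
                break
    return hits


if __name__ == "__main__":
    for ip, (first, last) in correlate(EVENTS).items():
        print(f"ALERT {ip}: data loss + default admin + malware between {first} and {last}")
```

Only 10.11.36.20 is reported; the window is anchored on each event in turn rather than on calendar days, so three events at 23:00, 00:30 and 01:00 still correlate even though they straddle midnight.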

Job Continues: Need to Perform Incident Investigation

• Credit card transmitted (Intrusion Detection)
• Admin account used
• Hacker tool found (Endpoint Security)

Incident Analysis & Investigation

• Often initiated by an alert in another product
• Investigation requiring rapid ad hoc searching across data over time
• Need all the original data in one place and a fast way to search it to answer:
  – What happened, and was it a false positive?
  – How did the threat get in, where have they gone, and did they steal any data?
  – Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed

[Figure: timeline of raw events, January to April]

Use Splunk to Find Evidence

• Search historically, back in time
• Watch for new evidence
• Related evidence from other security devices

Use Splunk to Link Events Together

• Malware download
• Blacklisted IP
• Malware execution and installation
• Malicious communication

Data sources: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security

Advanced Threat Detection & Response

• MAIL: events that contain a link to the file (.pdf)
• WEB: proxy log, C2 communication to a blacklisted destination
• Host: how was the process started? What created the program/process? (Svchost.exe, Calc.exe)
• Process making C2 traffic
• Web Portal (.pdf): gain access to system, create additional environment, conduct business / transaction

Connect the "Data-Dots" to See the Whole Story

Kill chain: Delivery -> Exploitation & Installation -> Command & Control -> Accomplish Mission (Gain Trusted Access, Upgrade (escalate), Lateral movement, Data Gathering, Exfiltration) -> Persist, Repeat

Example story (MAIL, WEB, WEB, FW): 1. phishing; 2. download from infected site; steps 3-8 are annotated on the slide.

What each data layer tells you, and where it comes from:

• Threat intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution. Sources: Third-party Threat Intel, Open source blacklist, Internal threat intelligence. (Threat Intelligence Data)
• Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download. Sources: Firewall, IDS/IPS, Vulnerability scanners; Web Proxy, NetFlow, Network. (Email Data or Web Data; Web or Firewall Data)
• Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility. Sources: Endpoint (AV/IPS/FW), Malware detection, PCLM; DHCP, OS logs, Patching. (Host or ETDR Data)
• Auth - User Roles, Corp Context: access level, privileged users, likelihood of infection, where they might be in the kill chain. Sources: Active Directory, LDAP, CMDB; Operating System, Database, VPN, AAA, SSO. (Identity Data: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.)

Start Anywhere, Analyze Up-Down-Across-Backwards-Forward

Security Ecosystem for Coverage and Protection

Threat Intelligence

Attack Map

The Challenge:
• Industry says Threat Intel is key to APT protection
• Management wants all threat intel checked against every system, constantly
• Don't forget to keep your 15+ threat feeds updated

The Solution:

Verizon 2016 DBIR: "...the percentage of indicators unique to only one (outbound destination) feed...is north of 97% for the feeds we have sampled..."

Threat list aggregation = more complete intelligence

MORE ABOUT DATA MODELS?

So... you have a list? What can you do with it?

sourcetype=access_combined clientip=* | lookup threatlist srcip AS clientip OUTPUT srcip AS srcip threat_type AS threat_type | stats count BY clientip srcip threat_type | where clientip=srcip

(The lookup only fills srcip for rows whose clientip is on the list, so the final where clause keeps the matches and drops everything else.)

Break it down by time?

Send me an alert!


Demo

Other options?

• You could use SA-Splice from Splunkbase
• Use correlation searches to populate lookup files (outputlookup)
• Leverage KV store lookups
• Enterprise Security

Various community threat lists

Local ones too

TAXII support
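What the threat-list search above does, and why aggregating several feeds first matters, as an added Python example (not Splunk's or the presenter's code). It merges three constructed feeds into one lookup table, reports the share of indicators unique to a single feed (the DBIR statistic), runs the equivalent of `lookup ... | stats count BY clientip srcip threat_type` over a handful of constructed access_combined lines, and buckets the matches by hour ("break it down by time"). The feed names, threat_type labels, IP addresses and log lines are all assumptions made up for this example.

```python
"""Threat list aggregation and lookup against access_combined web logs.

Added example, not Splunk's own code. FEEDS and ACCESS_LOG are constructed
for this example; feed names and threat_type labels are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Three constructed feeds with little overlap (the DBIR point): only one
# indicator appears in more than one feed.
FEEDS = {
    "feed_a": {"198.51.100.7": "c2", "203.0.113.5": "scanner"},
    "feed_b": {"198.51.100.7": "c2", "192.0.2.44": "malware_host"},
    "feed_c": {"192.0.2.99": "phishing"},
}

# Constructed Apache combined-format lines (sourcetype=access_combined).
ACCESS_LOG = """\
10.0.0.5 - - [08/Aug/2016:06:09:13 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Aug/2016:06:15:02 +1000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.47"
192.0.2.44 - - [08/Aug/2016:07:01:44 +1000] "GET /download/evil.pdf HTTP/1.1" 200 9901 "-" "python-requests/2.9"
198.51.100.7 - - [08/Aug/2016:07:30:19 +1000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.47"
203.0.113.5 - - [08/Aug/2016:08:00:00 +1000] "GET /robots.txt HTTP/1.1" 404 0 "-" "masscan/1.0"
"""

CLF_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def aggregate(feeds):
    """Merge feeds into one lookup: indicator -> {"threat_type", "feeds"}.
    The first feed to list an indicator supplies threat_type; every feed that
    lists it is recorded so the analyst can see provenance."""
    merged = {}
    for name, entries in feeds.items():
        for ip, ttype in entries.items():
            merged.setdefault(ip, {"threat_type": ttype, "feeds": []})["feeds"].append(name)
    return merged


def unique_to_one_feed_pct(feeds):
    """Percentage of indicators that appear in exactly one feed."""
    merged = aggregate(feeds)
    singles = sum(1 for rec in merged.values() if len(rec["feeds"]) == 1)
    return 100.0 * singles / len(merged)


def parse_access_combined(text):
    """Yield dicts with clientip, ts (aware datetime), request, status."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the search
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ev


def threatlist_matches(text, feeds):
    """Equivalent of `| lookup threatlist srcip AS clientip OUTPUT ... | stats count
    BY clientip srcip threat_type | where clientip=srcip`: only matched rows remain."""
    lookup = aggregate(feeds)
    counts = Counter()
    for ev in parse_access_combined(text):
        hit = lookup.get(ev["clientip"])
        if hit:
            counts[(ev["clientip"], hit["threat_type"])] += 1
    return counts


def matches_by_hour(text, feeds):
    """'Break it down by time': like `| bucket _time span=1h | stats count BY _time clientip`."""
    lookup = aggregate(feeds)
    per_hour = defaultdict(Counter)
    for ev in parse_access_combined(text):
        if ev["clientip"] in lookup:
            per_hour[ev["ts"].strftime("%Y-%m-%d %H:00")][ev["clientip"]] += 1
    return per_hour


if __name__ == "__main__":
    print(f"{unique_to_one_feed_pct(FEEDS):.0f}% of indicators come from a single feed")
    for (ip, ttype), n in threatlist_matches(ACCESS_LOG, FEEDS).items():
        print(f"{ip} {ttype} count={n}")
```

With the three constructed feeds, 75% of the indicators exist in only one of them, so searching against any single feed would miss most of the hits; the aggregated lookup catches three of the four client IPs. Scheduling the `threatlist_matches` search and alerting on a non-empty result is the "Send me an alert!" step.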

The Common Information Model

Data comes from...

You can actually do this in the Splunk sandbox, if you want.

Data Ingest + Common Information Model
● You've got a bunch of systems...
● How to bring in: Network AV, Windows + OSX AV, PCI-zone Linux AV, Network Sandboxing, APT Protection
● CIM = Data Normalization

NORMALIZATION?!?

Relax. This is
therefore, CIM gets applied at SEARCH TIME.

Data Normalization is Mandatory for your SOC

"The organization consuming the data must develop and consistently use a standard format for log normalization." – Jeff Bollinger et al., Cisco CSIRT

Your fields don't match? Good luck creating investigative queries.

CIM: Free. Supported. Fully documented. Lots of apps support CIM ("CIM Compliant!").

Click "Data models" under Settings

tstats and/or pivot – use them!

• tstats can search distributed .tsidx files
• Use the search term FROM datamodel=<data model name>
• For example: | tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
• You should expect dramatically faster search results using this method. The speed-up comes from the accelerated data model summaries: against a data model that is not accelerated, tstats falls back to searching the raw events, and with summariesonly=t it returns only what the summaries hold, so check acceleration status before trusting either the speed or the completeness.
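Search-time normalization, as an added Python example (not Splunk's implementation of CIM): two vendors' AV events stay raw, per-sourcetype extractions and field aliases (the role played by props.conf EXTRACT and FIELDALIAS) map them to CIM Malware-style fields when a query runs, and one query then spans both vendors. The Symantec line is the one shown earlier in the deck; the second sourcetype "acmeav", its log lines, the extraction regexes and the action vocabulary mapping are assumptions made up for this example.

```python
"""Search-time normalization of two AV log formats into CIM-style Malware fields
(dest, signature, file_path, action, user, src).

Added example, not Splunk's own CIM implementation. The "acmeav" sourcetype,
its events, the regexes and ACTION_MAP are assumptions for this example;
the Symantec event is the sample shown in the deck.
"""
import re

# Raw events as stored: (sourcetype, _raw). Nothing is rewritten at index time.
EVENTS = [
    ("symantec:ep:security:file",
     "Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found, "
     "Computer name: ACME-002, Source: Real Time Scan, Risk name: Hackertool.rootkit, Occurrences: 1, "
     "C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp, \"\", Actual action: Quarantined, "
     "Requested action: Cleaned, time: 2009-01-23 03:19:12, Inserted: 2009-01-23 03:20:12, "
     "End: 2009-01-23 03:19:12, Domain: Default, Group: My Company\\ACME Remote, Server: acmesep01, "
     "User: smithe, Source computer: , Source IP: 10.11.36.20"),
    ("acmeav",  # constructed second vendor format
     "Aug 08 07:12:40 acmeav01 acmeav[221]: host=pci-web-03 threat=Hackertool.rootkit "
     "path=/tmp/.x/evil.tmp disposition=deleted account=www-data"),
    ("acmeav",
     "Aug 08 07:13:01 acmeav01 acmeav[221]: host=pci-web-03 threat=EICAR-Test-File "
     "path=/home/ops/eicar.com disposition=blocked account=ops"),
]

# Per-sourcetype field extraction (the EXTRACT part). Assumed regexes.
EXTRACTIONS = {
    "symantec:ep:security:file": re.compile(
        r"Computer name: (?P<computer>[^,]+), .*?Risk name: (?P<risk>[^,]+), Occurrences: \d+, "
        r"(?P<filepath>[^,]+), .*?Actual action: (?P<actual_action>[^,]+), "
        r".*?User: (?P<username>[^,]*), .*?Source IP: (?P<source_ip>\S+)"),
    "acmeav": re.compile(
        r"host=(?P<host>\S+) threat=(?P<threat>\S+) path=(?P<path>\S+) "
        r"disposition=(?P<disposition>\S+) account=(?P<account>\S+)"),
}

# Vendor field -> CIM field (the FIELDALIAS part).
ALIASES = {
    "symantec:ep:security:file": {"computer": "dest", "risk": "signature", "filepath": "file_path",
                                  "actual_action": "action", "username": "user", "source_ip": "src"},
    "acmeav": {"host": "dest", "threat": "signature", "path": "file_path",
               "disposition": "action", "account": "user"},
}

# Vendor action words -> the common vocabulary used for queries (assumed mapping).
ACTION_MAP = {"quarantined": "blocked", "deleted": "blocked", "blocked": "blocked",
              "cleaned": "blocked", "left alone": "allowed", "logged": "allowed"}


def normalize(sourcetype, raw):
    """Apply extraction + aliases at search time. Returns a CIM-style dict,
    or None when the sourcetype is unknown or the event does not parse."""
    rx = EXTRACTIONS.get(sourcetype)
    m = rx.search(raw) if rx else None
    if not m:
        return None
    fields = {"sourcetype": sourcetype, "_raw": raw}
    for vendor_field, cim_field in ALIASES[sourcetype].items():
        fields[cim_field] = m.group(vendor_field).strip()
    fields["action"] = ACTION_MAP.get(fields["action"].lower(), "unknown")
    return fields


def search(events, **where):
    """One investigative query over both vendors' events, e.g.
    search(EVENTS, signature="Hackertool.rootkit")."""
    return [ev for ev in (normalize(st, raw) for st, raw in events)
            if ev and all(ev.get(k) == v for k, v in where.items())]


def stats_count_by(events, *fields, **where):
    """Like `| stats count BY <fields>` on the normalized results."""
    counts = {}
    for ev in search(events, **where):
        key = tuple(ev.get(f) for f in fields)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in search(EVENTS, signature="Hackertool.rootkit"):
        print(ev["sourcetype"], ev["dest"], ev["user"], ev["action"], ev["file_path"])
```

Without the aliases the same question needs one query per vendor ("Risk name" on Symantec, "threat" on the other box); with them, `signature="Hackertool.rootkit"` finds both the Windows desktop and the PCI-zone Linux host in one pass, which is the point of the Bollinger quote above.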

Demo

Windows events

Security apps

• Easily the most underrated app on Splunkbase
• Turn every host on your network into a network sniffer!
• Rapidly respond to security events by capturing data at the source
• Highly configurable to capture only data of interest

Demo

http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/

• Check your data against a multitude of virus definition DBs.
• Free
• Subscription
• 4 checks per hour

The 7th Annual Splunk Worldwide Users' Conference

SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS

• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!

PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

Thank You!