Copyright © 2012 Splunk Inc. Paul Pang Chief Security Strategist, APAC & Japan Riskbased Security Analytics for Effective APT Defense
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Copyright © 2012 Splunk Inc.
Paul Pang Chief Security Strategist, APAC & Japan
Risk-‐‑‒based Security Analytics for Effective APT Defense
Security Analytics Methodology! Correlation(Patterns between different kind of logs)
– Incident investigation scenario( carried out manually until now?)– Tracking of unauthorized access(What is the impact and damage?)
– Monitoring any critical asset is accessed by external dangerous site.
! Statistical(Analysis of the same type of log, big data)– Baselining of normal activity(Average・Max・Min)– Abnormality detection (Rare outliners)– Comparison of time series(Time・Season・Case Pattern)
2
Fraud Detection
Insider Threat
Advanced Threat
Detection
Security & Compliance Reporting
Incident Analysis &
Investigations
Real-time Monitoring & Alerting
Security Intelligence Use Cases
Splunk provides solutions that address SIEM use cases and more
Tradi;onal SIEM (Security Log Focus) Next Gen SOC (All machine data)
New Types of Security Guru
4
Mul$ple roles with different background, skills, pay levels, personali$es
SOC Manager
SOC Admin & Architect
Project Manager
Tier 1 Analyst
Tier 2 Analyst
Forensics Specialist
Malware Engineer
Counter-‐Intel
! On-‐the-‐job training and mentoring, and external training & cer;fica;ons ! Opera;ng hours and SOC scope play key role in driving headcount ! Tier3 Analyst focus on NG SOC technology such as Risk-‐based analy;cs, APT Hun;ng, Threat Intelligence …
Tier 3 Analyst (CSIRT) Key APT Hunter
All Data is Security Relevant = Big Data
5
Security Relevant Data All Security Relevant Data
• “Non-‐security” user and machine generated data behind creden;als. Includes “Unknown” threats.
• AD, OS, DNS, DHCP, email, proxy, badge, industrial control systems, etc.
• “Security” data, or alerts from point security products. “Known” threats.
• Firewall, an;-‐malware, IDS, DLP, vulnerability scan
Tradi;onal SIEM
Proac;ve Security Monitoring and Forensics
6
Splunk allows us to quickly consolidate and correlate disparate log sources, enabling previously imprac;cal monitoring and response scenarios.
“
” ! Enabled proac;ve threat assessment, mi;ga;on planning, incident trending with analysis, security architecture, incident detec;on and response
! Delivered a centralized view into user ac;vi;es and in-‐scope systems
Dave Schwartzburg Computer Security Incident Response Team
7
0-‐day detec;on : Real ;me Anomalty Detec;on (Machine Learning -‐ Protected by Maths)
8
CSIRT Logging Deployment
9
• 25 indexers / 7 clusters • HA, load balanced, & scalable
• Index up to 1TB/day
• 150TB storage
Correlation Analytic Example
10
• WAF > Web (HTTP Server) > Web App
– WAF alerts detected, what is the effect to the previous Web server application?
– Based on the same source IP address or time range as a "key", aggregating and grouping corresponding logs
– Real time display the following information to the security admin as a single incident : ê WAF alerts content (WAF log)ê HTTP URL request (Web Server log)ê Response from Application Server (Application log)
131.178.233.243 -‐ -‐ [24/Jun/2014 12:29:01:183] "GET /category.screen?category_id=FLOWERS&JSESSIONID=SD5SL6FF7ADFF6 HTTP 1.1" 200 308 "hpp://www.myflowershop.com/product.screen?product_id=K9-‐CW-‐01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-‐US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 701
[06/24/14 12:29:23 UTC] 000000af StorageApi E com.ibm.wps.policy.commands.StorageApi logExcep;onGetPvsProper;es EJQAB0061E: An ItemNotFoundExcep;on occurred in method logExcep;onGetPvsProper;es.com.ibm.portal. WpsExcep;on: EJQAB0061E: An ItemNotFoundExcep;on occurred in method logExcep;onGetPvsProper;es.at (PolicyService.java:191)
June 24 12:29:01 172.29.70.161 ASM:unit_hostname="asm232.labt.ts.f5net.com",management_ip_address="172.29.69.232", web_applica;on_name="/Common/ASM_Class1",policy_name="AllViola;ons",policy_apply_date="2011-‐09-‐30 13:58:53”,viola;ons="Mandatory HTTP header is missing,Illegal URL length,Illegal request length,Illegal header length,IllegalURL”,support_id="1446599167164232350",request_status="alerted”,ip_client="131.178.233.243"
11
Sources
Time Range
Applica$on (WebSphere)
Web Server (Apache)
Web App Firewall (F5 ASM)
Trace from 5 seconds to "WAF → Applica;on" with any machine data between 1 minute
Source IP
Machine data generated in each layer
TimeRange + 5s
Incident Review based on aggregation of events by Splunk
12
Source IP
Time SourceType F5 WAF Host Web Log Application Log
Threat intelligence
Auth -‐ User Roles
Host Ac$vity/Security
Network Ac$vity/Security
13
WEB
Conduct Business
Create addi$onal environment
Gain Access to system Transac$on
.pdf Svchost.exe Calc.exe
Events that contain link to file
Proxy log C2 communica;on to blacklist
How was process started?
What created the program/process?
Process making C2 traffic
Web Portal .pdf
Advanced Threat Detec;on and Response
Threat intelligence
Auth -‐ User Roles
Host Ac$vity/Security
Network Ac$vity/Security
Kill Chain Analysis
14
115.29.46.99/32,zeus_c2s 61.155.30.0/24,cymru_hpp
{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": “3259531”, "port": 443}
dest_ip cmdb_bu_owner cmdb_applica;on_name cmdb_system_owner cmdb_app_lifecycle cmdb_s_ox cmdb_GLBA cmdb_app_uses_ssn cmdb_credit_card_data cmdb_priority cmdb_server_so{ware cmdb_supported_by cmdb_server_phase cmdb_db_server cmdb_db_name cmdb_PCI cmdb_PII cmdb_safe_harbor 192.168.56.102 Sales Laptop [email protected] Produc;on No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.12.224 Marke;ng Laptop [email protected] Produc;on No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.10.217 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes 172.20.15.229 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes
{"ac;on": "create", "path": ”…\Content.Outlook\Q2_commission.pdf”, "process_guid": “-‐7751687”}
Subject: new commission report breakdown From: Jose Dave <[email protected]> To: <[email protected]> Content-‐type: mul;part/mixed; Content-‐type: applica;on/pdf; name=”Q2_commission.pdf"
115.29.46.99
115.29.46.99
Q2_commission.pdf”
” Q2_commission.pdf”
[email protected] 192.168.56.102
"process_guid": “3259531” "process_guid": “-‐7751687”
"ac$on": "create”
Free Threat Feed
Visual Inves;ga;ons for All Assets and Users
17
Statistical Analytics Example– Baselining user activities to detect abnormality
e.g. 1) Counting number of characters in the "User-‐‑‒Agent" in WAF or HTTP log
ê Many malware seems to be counterfeiting the "User-‐‑‒Agent”ê Visualize the distribution of the characters pattern and number
e.g. 2) Counting number of characters in the “HTTP Request URL”ê Many malware sending out data secretly by pretending as normal Web Request
18
Real ;me sta;s;cal analy;cs in Splunk ! Counting “User_̲Agent” Length
19
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Characters count:74
UserAgent content inside logs PatternLength Count
A lot of web-‐based apack are using VERY long URL
20
Mean URL length for 128 Byte looks Normal But for Max URL length for 9KB size, it looks suspicious. We found a lot of LONG URLs which is trying to access the external site : “hpp://103.7.28.187/pingd?type-‐1&dm= www.discouss.com.hk … “ A{er verified with hpp://urlquery.net/report.php?id=2182484, they are Tencent QQ/wechat Message. The long hpp packages are encrypted SMS.
Visualize the Pattern in Real time
21
件数
Count
1Risk-‐based security
Security Base lining and Abnormal Detec;on
22
Statistical Analytics Example 2 ! Prediction
– Splunk comes with Predication library to calculate the future of number and numerical range from data transition
– E.g. predication of DoS attack if pattern is exceeding the 95 percentile.
– Can automate the alerts when it exceeds a value range which has been predicted
23
WAF event detection value range until now
Future value range based on prediction
Advance Threat Detec;on example : New Domain Analysis
24
Iden;fy unexpected top level domain
ac;vity
Hosts talking to recently registered domains
Discover outlier ac;vity to newly registered
domains
Determine the DNS baseline
25
Mainframe Data
VMware
Pla�orm for Machine Data
Easy to Adopt Splunk
Exchange PCI Security
DB Connect Mobile Forwarders Syslog / TCP / Other
Sensors & Control Systems
Rich Ecosystem of Apps
Across Data Sources, Use Cases & Consump$on Models
Stream
26
Further Reading ! www.splunk.com
– Whitepaper, Splunk and the SANS Top 20 Cri;cal Security Controls
! NIST.gov – FISMA Compliance, FAQ on
Con;nuous Monitoring
27
Thank You
28
The Splunk Pla�orm for Security Intelligence
29
200+ SECURITY APPS SPLUNK FOR ENTERPRISE SECURITY
SPLUNK ENTERPRISE (CORE)
Copyright © 2014 Splunk Inc.
SPLUNK-‐BUILT APPS
VENDOR OPEN SOURCE COMMUNITY
Wire (NFT) data
SIEM integra;on
RDBMS (any) data
Windows (host/inf) data
Unix & Linux data
Exchange (email, inf) data
More…
Related Documents
