Copyright © 2016 Splunk Inc. Splunk for Operational Security Intelligence SplunkLive Melbourne 2016 James Overman, Sr SE
SplunkLive Melbourne Splunk for Operational Security Intelligence
Apr 14, 2017
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Copyright©2016SplunkInc.
SplunkforOperationalSecurityIntelligence
SplunkLiveMelbourne2016JamesOverman,Sr SE
22
> James Overman [email protected]
• Splunk Sales Engineer• Over 20 years in IT infrastructure & security
• CISSP • Worked for leading security integrators and vendors
whoami
3
LEGALNOTICEDuringthecourseofthispresentation,wemaymakeforward-lookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyouthatsuchstatementsreflectourcurrentexpectations and estimates basedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthosecontainedinourforward-lookingstatements,pleasereviewourfilings withtheSEC. Theforward-lookingstatementsmadeinthispresentationarebeingmadeasofthetimeanddateofitslivepresentation. If reviewedafter itslivepresentation, thispresentationmaynotcontaincurrentoraccurateinformation. Wedonotassumeanyobligationtoupdateanyforward-lookingstatementswe maymake. Inaddition,anyinformationaboutour roadmapoutlinesourgeneralproductdirectionandissubjecttochangeatanytimewithout notice.It isforinformationalpurposesonlyandshallnot beincorporatedintoanycontractorothercommitment.Splunkundertakesnoobligationeithertodevelopthefeaturesorfunctionalitydescribed ortoincludeanysuchfeatureorfunctionality inafuturerelease.
4
Agenda
SplunkSecurityOverview
ThreatIntelligence(vialookups)
TheCommoninformationmodel
TacklingAdv.Windowsattacks via6EventIDs
"Bestof"Securityrelatedsplunkbaseapps
5
AdvancedThreatsAreHardtoFind
CyberCriminals
NationStates
InsiderThreats
Source:MandiantM-Trends Report2012/2013/2014
100%Validcredentialswereused
40Average#ofsystems accessed
229Median#ofdaysbeforedetection
67%Ofvictimswerenotified byexternalentity
Newapproachtosecurityoperationisneeded
• Humandirected
• Goal-oriented
• Dynamic(adjusttochanges)
• Coordinated
• Multiple tools&activities
• Newevasiontechniques
• Fusionofpeople,process,&technology
• Contextualandbehavioral
• Rapidlearningandresponse
• Shareinfo&collaborate
• Analyzealldataforrelevance
• LeverageIOC&ThreatIntel
THREAT AttackApproach SecurityApproach
6
TECHNOLOGY
PEOPLE
PROCESS
NewapproachtosecurityoperationisneededTHREAT AttackApproach
Analytics-drivenSecurity
SecurityApproach
7
TECHNOLOGY
PEOPLE
PROCESS
• Humandirected
• Goal-oriented
• Dynamic(adjusttochanges)
• Coordinated
• Multiple tools&activities
• Newevasiontechniques
8
AllDataisSecurityRelevant=BigData
Servers
Storage
DesktopsEmail Web
TransactionRecords
NetworkFlows
DHCP/DNS
HypervisorCustomApps
PhysicalAccess
Badges
ThreatIntelligence
Mobile
CMDB
IntrusionDetection
Firewall
DataLossPrevention
Anti-Malware
VulnerabilityScans
Traditional
Authentication
9
SplunkSolutions
VMware
PlatformforMachineData
Exchange PCISecurity
AcrossDataSources,UseCasesandConsumptionModels
ITSvcInt
SplunkPremiumSolutions EcosystemofApps
ITSI UBA
UBA
MainframeData
RelationalDatabases
MobileForwarders Syslog/TCP IoTDevices
NetworkWireData
Hadoop&NoSQL
10
PutitAllTogether– SecurityMaturityLevelq APTdetection/hunting(killchainmethod)q Counterthreatautomationq ThreatIntelligence aggregation(internal&external)q Frauddetection – ATO,account abuse,q Insiderthreatdetection
q ReplaceSIEM@lowerTCO,increasematurityq AugmentSIEM@increasecoverage&agilityq Compliancemonitoring,reporting,auditingq Logretention,storage,monitoring,auditing
q Continuousmonitoring/evaluationq Incidentresponseandforensicinvestigationq Eventsearching,reporting,monitoring&correlationq Rapidlearningloop,shortendiscover/detect cycleq Rapidinsightfromalldata
q Fraudanalystq Threatresearch/Intelligenceq Malwareresearchq CyberSecurity/Threat
q SecurityAnalystq CSIRTq Forensicsq Engineering
q Tier1Analystq Tier2Analystq Tier3Analystq Audit/Compliance
SecurityOperationsRoles/Functions
Reactive
Proactive
Searchand
Investigate
ProactiveMonitoringandAlerting
SecuritySituationalAwareness
Real-timeRiskInsight
Fraud Detection
Insider Threat
Advanced Threat
Detection
Security & Compliance Reporting
Incident Analysis & Investigations
Real-time Monitoring & Alerting
Security Intelligence Use Cases
Splunk provides solutions that address SIEM use cases and more
Security & Compliance Reporting
Incident Analysis & Investigations
Real-time Monitoring & Alerting
12
ExampleofAdvancedThreatActivities
HTTP(web)session tocommand &controlserver
Remotecontrol,Stealdata,Persistincompany,Rentasbotnet
WEB
ConductBusiness
Createadditionalenvironment
GainAccesstosystemTransaction
.pdf executes& unpacksmalwareoverwritingandrunning“allowed”programs
Svchost.exeCalc.exe
AttackerhackswebsiteSteals.pdf files
WebPortal
Attackercreatesmalware,embed in.pdf,
Emailstothetarget MAIL
Reademail,open attachment
Threatintelligence
Auth - UserRoles
HostActivity/Security
NetworkActivity/Security
Aug0806:09:13acmesep01.acmetech.comAug0906:17:24SymantecServeracmesep01:Virusfound,Computername:ACME-002,Source:RealTimeScan,Riskname:Hackertool.rootkit,Occurrences: 1,C:/DocumentsandSettings/smithe/LocalSettings/Temp/evil.tmp,"""",Actualaction:Quarantined,Requestedaction:Cleaned,time:2009-01-2303:19:12,Inserted: 2009-01-2303:20:12,End:2009-01-2303:19:12,Domain: Default,Group:MyCompany\ACMERemote,Server:acmesep01,User:smithe,Sourcecomputer:,SourceIP:10.11.36.20
Aug0808:26:54snort.acmetech.com{TCP}10.11.36.20:5072 ->10.11.36.26:443 itsecsnort[18774]:[1:100000:3] [Classification:PotentialCorporatePrivacyViolation]CreditCardNumberDetectedinClearText[Priority:2]:
20130806041221.000000Caption=ACME-2975EB\Administrator Description=Built-inaccountforadministeringthecomputer/domainDomain=ACME-2975EBInstallDate=NULLLocalAccount= IP:10.11.36.20TrueName=AdministratorSID=S-1-5-21-1715567821-926492609-725345543500SIDType=1Status=Degradedwmi_type=UserAccounts
13
Monitoring&AlertingSources
Allthreeoccurringwithina24-hourperiod
ExampleCorrelation– DataLoss
SourceIP
SourceIP
SourceIPDataLoss
DefaultAdminAccount
MalwareFound
TimeRange
IntrusionDetection
EndpointSecurity
WindowsAuthentication
14
JobContinues– NeedtoPerformIncidentInvestigation
Creditcardtransmitted
Adminaccountused
Hackertoolfound
EndpointSecurity
IntrusionDetection
15
IncidentAnalysis&Investigation
• Ofteninitiatedbyanalertinanotherproduct
• Investigationrequiringrapidadhocsearchingacrossdataovertime
• Needalltheoriginaldatainoneplaceandafastwaytosearchittoanswer:– Whathappened andwasitafalsepositive?
– Howdidthethreatgetin,wherehavetheygoneanddidtheystealanydata?
– Hasthisoccurredelsewhereinthepast?
• Takeresultsandturnthemintoareal-timesearch/alertifneeded
client=unknown[99.120.205.249]<160>Jan 2616:27(cJFFNMS
DHCPACK=ASCII from host=85.196.82.110
truncating integer value > 32 bits <46>JanASCII from client=unknown
January February March April
16
UseSplunktoFindEvidence
Searchhistorically- backintime Watchfornewevidence
Relatedevidencefromothersecuritydevices
17
UseSplunktoLinkEventsTogether
Malwaredownload
BlacklistedIP
Malwareexecutionandinstallation
Maliciouscommunication
Threatintelligence
Auth - UserRoles,CorpContext
HostActivity/Security
NetworkActivity/Security
18
AdvancedThreatDetection&Response
WEB
ConductBusiness
Createadditionalenvironment
GainAccesstosystemTransaction
.pdf Svchost.exeCalc.exe
Eventsthatcontainlinktofile
ProxylogC2communicationtoblacklist
Howwasprocess started?
Whatcreatedtheprogram/process?
ProcessmakingC2traffic
WebPortal.pdf
19
Connectthe“Data-Dots”toSeetheWholeStory
Persist,Repeat
Threatintelligence
Auth - UserRoles,CorpContext
HostActivity/Security
NetworkActivity/Security
Attacker,knowrelay/C2sites,infectedsites,IOC, attack/campaignintentandattribution
Wheretheywentto,whotalkedtowhom,attacktransmitted,abnormaltraffic,malwaredownload
Whatprocessisrunning(malicious,abnormal,etc.)Processowner,registrymods,attack/malwareartifacts,patchinglevel,attacksusceptibility
Accesslevel,privilegedusers,likelihoodofinfection,wheretheymightbeinkillchain
Delivery,ExploitInstallation
GainTrustedAccess
ExfiltrationDataGatheringUpgrade(escalate)Lateralmovement
Persist,Repeat
• Third-partyThreatIntel• Opensourceblacklist• Internalthreatintelligence
• Firewall• IDS/IPS• Vulnerabilityscanners
• WebProxy• NetFlow• Network
• Endpoint (AV/IPS/FW)• Malwaredetection• PCLM
• DHCP• OSlogs• Patching
• ActiveDirectory• LDAP• CMDB
• OperatingSystem• Database• VPN,AAA, SSO
Threatintelligence
Auth - UserRoles,CorpContext
HostActivity/Security
NetworkActivity/Security
Command&ControlExploitation&InstallationDelivery
MAIL WEB WEB FW
AccomplishMission
Connectthe“Data-Dots”toSeetheWholeStory
phishing
Downloadfrominfectedsite
1
2
5
67 8
3
4
Identity,Roles,Privileges, Location,Behavior,Risk,Auditscope, Classification, etc.
ThreatIntelligenceData
EmailDataOr
WebData
HostorETDRData
WeborFirewallData
ThreatIntelligenceData
IdentityData
Threatintelligence
Auth - UserRoles,CorpContext
HostActivity/Security
NetworkActivity/Security
Command&ControlExploitation&InstallationDelivery
MAIL WEB WEB FW
AccomplishMission
StartAnywhere,AnalyzeUp-Down-Across-Backwards-Forward
phishing
Downloadfrominfectedsite
1
2
5
67 8
3
4
Identity,Roles,Privileges, Location,Behavior,Risk,Auditscope, Classification, etc.
• Third-PartyThreatIntel• Opensourceblacklist• Internalthreatintelligence
• Firewall• IDS/IPS• Vulnerabilityscanners
• WebProxy• NetFlow• Network
• Endpoint(AV/IPS/FW)• Malwaredetection• PCLM
• DHCP• OSlogs• Patching
• ActiveDirectory• LDAP• CMDB
• OperatingSystem• Database• VPN,AAA, SSO
Threatintelligence
HostActivity/Security
NetworkActivity/Security
Command&ControlExploitation&InstallationDelivery AccomplishMission
SecurityEcosystemforCoverageandProtection
Auth - UserRoles,CorpContext
Copyright©2016SplunkInc.
ThreatIntelligence
24AttackMap
TheChallenge:• IndustrysaysThreatIntelis
keytoAPTProtection• Managementwantsall
threatintelcheckedagainsteverysystem,constantly
• Don’t forgettokeepyour15+threatfeedsupdated
TheSolution:
Verizon2016DBIR
“…thepercentageofindicatorsuniquetoonlyone(outbound
destination)feed…isnorthof97%forthefeedswehavesampled…”
Threatlistaggregation=morecompleteintelligence
MOREABOUTDATAMODELS?
So…youhavealist?
Whatcanyoudowithit?
Souretype=access_combined clientip=*|lookup threatlist srcip asclientip OUTPUTsrcip assrcip threat_typeasthreat_type |statscountbyclientip srcip threat_type |whereclientip=srcip
Breakitdownbytime?
Sendmeanalert!
Copyright©2016SplunkInc.
Demo
Otheroptions?
• YoucoulduseSA-Splice fromsplunkbase• Usecorrelationsearchestopopulatelookup files - outputlookup• LeverageKVstorelookups• EnterpriseSecurity
32
Variouscommunitythreatlists
Localones too
TAXIIsupport
Copyright©2016SplunkInc.
Thecommoninformationmodel
Datacomesfrom…
YoucanactuallydothisintheSplunksandbox, ifyouwant.
DataIngest+CommonInformationModel● You’vegotabunchofsystems…● Howtobringin:● NetworkAV● Windows+OSXAV● PCI-zoneLinuxAV● NetworkSandboxing● APTProtection
● CIM=DataNormalization
Copyright©2016SplunkInc.
NORMALIZATION?!?
Copyright©2016SplunkInc.
NORMALIZATION?!?
Relax.Thisis
therefore,CIMgetsappliedatSEARCHTIME.
DataNormalizationisMandatoryforyourSOC
“Theorganizationconsumingthedatamustdevelopandconsistently
useastandardformatforlognormalization.”– JeffBollingeret.
al.,CiscoCSIRT
Yourfieldsdon’tmatch?Goodluckcreatinginvestigativequeries
Free.Supported.Fullydocumented.
Lotsofappssupport CIM.
CIMCompliant!
Click“Datamodels”undersettings
• Tstats cansearchdistributed .tsidx files
• Usethesearchterm– FROMdatamodel=<datamodelname>
• Forexample:• |tstatsavg(foo)FROM
datamodel=buttercup_games WHEREbar=valuex
• Youshould expectdramaticallyfastersearchresultsusingthismethod
Tstatsand/orpivot– usethem!
Copyright©2016SplunkInc.
Demo
Copyright©2016SplunkInc.
Windowsevents
Copyright©2016SplunkInc.
Securityapps
• EasilythemostunderratedapponSplunkbase
• Turneveryhostonyournetworkintoanetworksniffer!
• Rapidlyrespond tosecurityeventsbycapturingdataatthesource
• Highlyconfigurabletocaptureonlydataofinterest
Copyright©2016SplunkInc.
Demo
http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/
• Checkyourdataagainstamultitudeofvirusdefinition DB’s.
• Free
• Subscription
• 4checksperhour
60
SEPT26-29,2016WALTDISNEYWORLD,ORLANDOSWANANDDOLPHINRESORTS
• 5000+IT&BusinessProfessionals• 3daysoftechnicalcontent• 165+sessions• 80+CustomerSpeakers• 35+Apps inSplunkAppsShowcase• 75+TechnologyPartners• 1:1networking:AskTheExpertsandSecurityExperts,BirdsofaFeatherandChalkTalks
• NEWhands-on labs!• Expandedshowfloor,DashboardsControlRoom&Clinic,andMORE!
The7th AnnualSplunkWorldwideUsers’Conference
PLUSSplunkUniversity• Threedays:Sept24-26,2016• GetSplunkCertifiedforFREE!• GetCPE creditsforCISSP,CAP,SSCP• Savethousands onSplunkeducation!
ThankYou!
Related Documents
