Page 1: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Understanding Security Issues as Patterns in Data

Mark Seward, Director, Security and Compliance Marketing

Page 2: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

© Copyright Splunk 2011. The 2nd Annual Splunk Worldwide Users' Conference

A Shift in Attack Vectors

[Chart: data volume plotted over time, from 1998 through 2005 to today. Known signature-based threats and attacks give way to unknown behavior-based attacks; the data explosion ('Big-data') and the increasing number of attack signatures grow together.]

Splunk meets the challenge of detecting pattern-based behaviors in a 'Big-data' context

Page 3: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach

• A move to a behavioral approach demands more emphasis on people and less on pure technology
• Behavioral approaches to security require a continuous application of human observation and judgment
• Allows the analyst to take the "actor view" to understanding the goals and methods of persistent adversaries
• Requires you to baseline patterns of normal or expected behavior; select thresholds and triggers that will alert administrators to suspicious activities

Page 4: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Implementing a Pattern-based Strategy for Security

Page 5: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Enabling a Pattern-based Strategy for Security

• Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
• Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors

Seek -- activity and access patterns that contain the weak signals of a potential threat
Model -- implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
Adapt -- action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases

Gartner Research © 2010

Page 6: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Security Event Patterns in Context

[Diagram: overlapping circles for App Mgmt, Web Analytics, Security and IT Ops; security events sit in the augmented view where they intersect.]

• View the web analytics data patterns as part of the web application attack
• Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
• Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance

Security is a Big Data Problem with no boundaries from on-premise to 'cloud'

Page 7: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

How is this Different from Traditional SIEM?

• Rules view
  - Breaking the speed limit
  - If one or more of these things happen let me know
  - Watches for only what is known
  - No concept of what is 'normal'
• Patterns view
  - Watches for rhythms in your data over time against what is 'normal' (normal will not be static)
  - Takes advantage of 'weak signals' from non-traditional security data
  - Watches for what you don't know
  - Patterns + Analytics enables decisions

Patterns allow for data to be viewed as a reflection of human behavior over time

Page 8: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Analytics and data patterns in practice

Page 9: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

DoS Attacks

• DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
• DoS attacks at the application layer target layer-7 and the HTTP protocol

[Figure captioned 'Recent'; image not in transcript.]

Page 10: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Common Anatomy of a Typical DoS

• Source addresses usually spoofed – this also means no TCP session establishment possible
• True identity of source very difficult to obtain
• Attacks of significance generally from a botnet
• TCP and UDP most common; ICMP happens as well

Page 11: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

HTTP Slow POST Attack

• Client issues an HTTP POST to a server
• Client says "I'm going to post a gig of data."
• Client sends the Host a gig, but only 1 byte per minute
• Service waits for the data transfer
• Usually in just a couple of minutes – La Morte

Page 12: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Dashboard – HTTP Slow POST

[Screenshot: "Slow Post Attack" dashboard; image not in transcript.]

Page 13: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Connection Exhaustion Based Attacks

• Host opens a connection to a server but doesn't send a single byte
• Each connection ties up an Apache process.
• Apache waits for the connection time out to expire then closes the connection
• Connections fill up the queue faster than they time out
• Default connection queue for Apache is set to 511

Page 14: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Dashboard – Connection Exhaustion

[Screenshot: "Attacks detected" dashboard; image not in transcript.]
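The two connection-level patterns described on the Slow POST and Connection Exhaustion slides can be turned into detection logic over web-server connection records. The Python below is an added example, not code from the presentation, from Splunk or from Intuit. It assumes a constructed record format (one line per closed connection carrying the announced body length, bytes actually received, duration and status) and constructed sample lines; the thresholds are assumptions. It flags POSTs that announce a large body but deliver it at a few bytes per second, and it counts connections that sent nothing before the server's idle timeout closed them, comparing that count with the 511-entry Apache listen backlog quoted on the slide.

```python
from collections import Counter

APACHE_DEFAULT_BACKLOG = 511  # Apache listen backlog default cited on the slide

# Constructed sample records (not from the presentation). One line per closed
# connection: end_epoch client method announced_len bytes_received duration_s status
# 'NONE' means the client never sent a request line (a pure idle connection).
SAMPLE_LOG = """\
1313395200 198.51.100.7 POST 1073741824 120 120 408
1313395201 198.51.100.7 POST 1073741824 118 118 408
1313395202 203.0.113.9 POST 2048 2048 1 200
1313395203 203.0.113.9 GET 0 0 0 200
1313395210 192.0.2.44 NONE 0 0 300 -
1313395211 192.0.2.44 NONE 0 0 300 -
1313395212 192.0.2.45 NONE 0 0 300 -
1313395213 203.0.113.10 POST 5242880 5242880 12 200
"""


def parse_records(text):
    """Turn the space-separated sample format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        end, client, method, announced, received, duration, status = line.split()
        records.append({
            "end": int(end), "client": client, "method": method,
            "announced": int(announced), "received": int(received),
            "duration": int(duration), "status": status,
        })
    return records


def find_slow_posts(records, min_announced=1_000_000, min_duration=30,
                    max_bytes_per_s=10.0):
    """A slow POST announces a large body and then trickles it in: a long
    duration, only a small fraction received, and a transfer rate of a few
    bytes per second. Thresholds are assumptions for the constructed data."""
    hits = []
    for r in records:
        if r["method"] != "POST" or r["announced"] < min_announced:
            continue
        if r["duration"] < min_duration:
            continue
        rate = r["received"] / r["duration"] if r["duration"] else float("inf")
        if rate <= max_bytes_per_s:
            hits.append({"client": r["client"], "announced": r["announced"],
                         "received": r["received"], "duration": r["duration"],
                         "bytes_per_s": round(rate, 2)})
    return hits


def idle_connection_pressure(records, backlog=APACHE_DEFAULT_BACKLOG,
                             idle_timeout=300):
    """Count connections that sent nothing and were closed by the server's
    timeout, then express the total as a fraction of the listen backlog so
    the queue-filling rate can be watched against the 511 limit."""
    idle = [r for r in records
            if r["method"] == "NONE" and r["received"] == 0
            and r["duration"] >= idle_timeout]
    by_client = Counter(r["client"] for r in idle)
    return {"idle_count": len(idle),
            "backlog_fraction": round(len(idle) / backlog, 4),
            "by_client": dict(by_client)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in find_slow_posts(recs):
        print("slow POST:", hit)
    print("idle connection pressure:", idle_connection_pressure(recs))
```

The two checks answer different questions: the slow-POST check is per request and keys on the gap between the announced Content-Length and what actually arrived, while the idle-connection check is a rate problem, so it should be run over a sliding window no longer than the server's timeout and compared with the backlog size.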

Page 15: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Example: Time-based Pattern-detection for Malware Activity Discovery

Pattern: request for download immediately followed by more requests
• Fast requests following the download of a PDF, java, zip, or exe. If a download is followed by rapid requests for more files this is a potential indicator of a dropper.

Splunk pattern search
• Time based transactions sorted by length
• source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length
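As an added example that is not part of the presentation, the Python below reproduces the logic of the dropper search on this slide over constructed proxy log lines: the subsearch (clients that fetched a .pdf or .exe), the per-clientip transaction grouping with maxspan=60s and maxpause=5s, the Length of the concatenated raw events, and the descending sort. It goes slightly beyond the slide by also matching .zip and .jar and by requiring a minimum number of follow-up requests before a transaction is reported; the record format, the sample lines and that threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the presentation): "epoch clientip url"
SAMPLE_PROXY = """\
1313395200 10.0.0.5 http://files.example.test/report.pdf
1313395202 10.0.0.5 http://cdn.example.test/a.dat
1313395203 10.0.0.5 http://cdn.example.test/b.dat
1313395204 10.0.0.5 http://cdn.example.test/c.dat
1313395205 10.0.0.5 http://cdn.example.test/d.dat
1313395300 10.0.0.5 http://news.example.test/index.html
1313395210 10.0.0.8 http://files.example.test/manual.pdf
1313395290 10.0.0.8 http://news.example.test/index.html
1313395220 10.0.0.9 http://news.example.test/index.html
1313395221 10.0.0.9 http://news.example.test/style.css
"""

# The slide's file=*.pdf OR file=*.exe, widened to the other types it names
DOWNLOAD_RE = re.compile(r"\.(pdf|exe|zip|jar)$", re.IGNORECASE)


def parse_proxy(text):
    """Each event keeps _time, clientip, url and the raw line (Splunk's _raw)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, url = line.split(maxsplit=2)
            events.append({"_time": int(ts), "clientip": ip, "url": url, "_raw": line})
    return events


def clients_with_downloads(events):
    """The inner [search ... | dedup clientip | table clientip] subsearch."""
    return {e["clientip"] for e in events if DOWNLOAD_RE.search(e["url"])}


def build_transactions(events, key="clientip", maxspan=60, maxpause=5):
    """Group events per key the way `transaction maxspan maxpause` does: a new
    transaction starts when the gap to the previous event exceeds maxpause or
    when the total span would exceed maxspan."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_key[e[key]].append(e)
    txns = []
    for evs in by_key.values():
        current = [evs[0]]
        for e in evs[1:]:
            if (e["_time"] - current[-1]["_time"] > maxpause
                    or e["_time"] - current[0]["_time"] > maxspan):
                txns.append(current)
                current = [e]
            else:
                current.append(e)
        txns.append(current)
    return txns


def rank_dropper_candidates(events, min_followups=3):
    """Transactions that open with a download and continue with rapid requests,
    sorted by Length (bytes of concatenated raw events) descending, as the
    slide's `eval Length=len(_raw) | sort - Length` does."""
    suspects = clients_with_downloads(events)
    scoped = [e for e in events if e["clientip"] in suspects]
    ranked = []
    for txn in build_transactions(scoped):
        if not DOWNLOAD_RE.search(txn[0]["url"]):
            continue
        followups = len(txn) - 1
        if followups >= min_followups:
            ranked.append({"clientip": txn[0]["clientip"],
                           "download": txn[0]["url"],
                           "followups": followups,
                           "Length": sum(len(e["_raw"]) for e in txn)})
    return sorted(ranked, key=lambda r: r["Length"], reverse=True)


if __name__ == "__main__":
    for row in rank_dropper_candidates(parse_proxy(SAMPLE_PROXY)):
        print(row)
```

The minimum follow-up count is the analyst's threshold from the slide before this one: a download followed by one more request is normal browsing, so the baseline of how many requests usually follow a PDF fetch on your network decides where to set it.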

Page 16: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Example: Patterns of Beaconing Hosts to Command and Control

Pattern:
• APT malware 'beacons' to command and control at specific intervals

Splunk pattern search
• Watching for hosts that talk to the same URL at the same interval every day
• … | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
• What you'd be looking out for are sites that have a low var(gap) value.
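The interval-variance idea behind the beaconing search on this slide, as an added example that is not part of the presentation: the Python computes, for each (clientip, site) pair, the gaps between consecutive requests and their count, average and sample variance (the same statistics as `stats count avg(gap) var(gap)`), then reports the pairs whose gap variance is low. Grouping by client and site rather than by site alone is a generalisation of the slide's search; the events, the variance threshold and the minimum event count are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, variance

BASE = 1313395200  # constructed epoch base for the sample events (2011-08-15 UTC)


def constructed_events():
    """Constructed proxy events (not from the presentation): (epoch, clientip, site)."""
    events = []
    # 10.0.0.5 contacts c2.example.test about once an hour with a few seconds of jitter
    for offset in (0, 3600, 7198, 10799, 14399, 17998):
        events.append((BASE + offset, "10.0.0.5", "c2.example.test"))
    # the same host reads a news site at irregular times
    for offset in (10, 910, 955, 3955, 4000):
        events.append((BASE + offset, "10.0.0.5", "news.example.test"))
    # 10.0.0.8 checks an update site exactly once a day, three days running
    for offset in (0, 86400, 172800):
        events.append((BASE + offset, "10.0.0.8", "update.example.test"))
    # a single request: too few gaps to compute a variance
    events.append((BASE + 42, "10.0.0.9", "news.example.test"))
    return events


def beacon_stats(events):
    """Per (clientip, site): event count, mean gap and sample variance of the
    gaps between consecutive events, mirroring the slide's streamstats/eval/stats.
    Pairs with fewer than two gaps are skipped because var() is undefined."""
    by_key = defaultdict(list)
    for ts, ip, site in events:
        by_key[(ip, site)].append(ts)
    stats = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        stats[key] = {"count": len(times),
                      "avg_gap": mean(gaps),
                      "var_gap": variance(gaps)}
    return stats


def find_beacons(events, max_var=10.0, min_count=4):
    """Pairs whose gap variance is at or below max_var, lowest variance first.
    min_count keeps one-off repeats from surfacing; both are assumptions."""
    hits = []
    for (ip, site), s in beacon_stats(events).items():
        if s["count"] >= min_count and s["var_gap"] <= max_var:
            hits.append({"clientip": ip, "site": site, **s})
    return sorted(hits, key=lambda h: h["var_gap"])


if __name__ == "__main__":
    for h in find_beacons(constructed_events()):
        print(h)
```

The variance threshold is the tuning knob the slide leaves to the analyst: a fixed-interval beacon has a variance near zero, a beacon with deliberate jitter has a small but non-zero variance, and human browsing of the same site produces gaps that vary by orders of magnitude. The minimum count matters too, because any two events define a gap and any three define a variance, so very short sequences will look regular by accident.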

Page 17: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Fraud Hand off to Intuit…

Other Pattern Uses

Page 18: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Intuit, Financial Services Division

Jaime Rodriguez, Senior Fraud Analyst, Intuit

Page 19: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Jaime Rodriguez

• Securing banks and financial institutions since 1999
• Presented and keynoted at numerous Information Security conferences all around the US.
• Contributor to a variety of open-source projects related to many of today's most popular security tools.

"Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive."

Page 20: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Intuit—Financial Services Division

• One of largest providers of outsourced online financial management solutions
• Serving 1800+ financial institutions and 4 million+ end customers
• Applications include:
  - Consumer and business internet banking
  - Electronic bill payment and presentment
  - Personal online financial management
  - Website hosting and development for financial institutions

Page 21: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

All of Your Data Is Security Relevant

• Indexing our infrastructure:
  - Cisco Firewalls
  - Snort
  - App logs, WebSense
  - TippingPoint, IPS
• Integrating data from outside partners:
  - Known fraud rings
  - Bad IP addresses
  - Bad actors

Page 22: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Splunk Speeds Remediation

• Previously had customized parser
• Searches conducted in batch taking 3+ hours via cron job
• Reports came in piecemeal across 5000 emails with different syntax
• Only sophisticated (aka highly-paid) users could track patterns
• Splunk provides a single view
• Role-based access provides secure views into data
• Customer service and banking customer teams can begin queries on their own—no waiting for access/permission—no highly paid engineer required
• Results in 5 minutes

Page 23: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

From Reactive to Proactive

• Using Splunk for historical analysis
• New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
• As patterns emerge we build alerts when evidence of similar patterns of known fraudsters emerge (SMS, email)
• Showing monthly trending
• We've modified our logs to better capture and expose the information we need to see

Page 24: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Splunk for the Ops Team

• Outages unacceptable
• Often caused by unauthorized change
• Splunk tracks changes to pinpoint issues for remediation
• Monitoring throughput and access for each financial institution
  - Usage stats good for re-sell/upsell
• Dashboards show system health and performance—execs love visibility

Page 25: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Truth From The Trenches: Wire Transfers

• Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure that he touched
• Next we could correlate activities based on time to understand his pattern of activity

Page 26: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Truth from the Trenches: Geolocation

• We noticed a similar fraud pattern across 15 banks
• Then we mapped them to see they were within 15 miles of one another
• Fraud was coming from one data processing vendor who they all shared

Page 27: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

The World of Compliance

FFIEC
• Federal Financial Institutions Exam Council
• Ensures financial organizations follow uniform principles, standards and methods of reporting
• Splunk empowers auditors to ask—and us to quickly and easily answer—any question

SAS70
• Certification of standard controls, communications mechanisms and monitoring procedures
• Required by many financial services clients
• Subset of Sarbanes Oxley Compliance

PCI
• PCI: Payment Card Industry Data Security Standard
• Promotes trust with customers
• Required by various payment card providers

Page 28: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Getting Started

• Just get started—Splunk is great out of the box for quick and dirty analysis
• It only gets better when you customize it
• Demo Splunk to others—people are amazed at how much data and depth we can get based on pivoting
• Follow the install guide!
• Consider how you'll expand—and plan in advance for that expansion
• Move to 4.2—it's fast!

Page 29: Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

August 15, 2011

Questions?

Jaime Rodriguez, Intuit

