© 2020 SPLUNK INC.
A Risk Based Approach to Security Detection and Investigation
April 2020
Kelby Shelton - Consulting Solutions Engineer
kelbys@splunk.com
During the course of this presentation, we may make forward‐looking statements
regarding future events or plans of the company. We caution you that such statements
reflect our current expectations and estimates based on factors currently known to us
and that actual events or results may differ materially. The forward-looking statements
made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, it may not contain current or
accurate information. We do not assume any obligation to update
any forward‐looking statements made herein.
In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only,
and shall not be incorporated into any contract or other commitment. Splunk undertakes
no obligation either to develop the features or functionalities described or to include any
such feature or functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the
United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020
Splunk Inc. All rights reserved
Forward-Looking Statements
Agenda 1) Define the Problem
2) Define the Solution
3) RBA In Action
4) Customer Success
5) Road to Adoption
Define the Problem
Typical Enterprise Security Strategy
Correlation Searches:
● Vendor Alert: Anomalous Login
● Malware Detection
● Suspicious Powershell
Notable Queue:
● Low: Anomalous Login
● Critical: Malware Detection
● High: Suspicious Powershell
What about these?
ML/AI
EDR
UBA
NDR
Palo
Cisco
AWS
Microsoft
Manual Correlation
Visibility Gaps
Requires Many Analysts
High Noise
Huge Whitelists
Slow time to deploy new use-cases
The Ideal Solution (a better strategy)
Decrease tuning time
Deploy use-cases faster
Scalable with Analysts
Improved Fidelity
Built-in Correlation
Standard Framework
Define the Solution
A New Enriched Data Set
Security Datasets → Correlation Searches → Risk Index
A New Kind of Notable
Risk Index: filled with security-related data
Sources: Raw Logs, Azure ATP, NDR, EDR, Accelerated Data Models
The Risk Based Approach
Step 1: Align Correlation Searches to MITRE
Step 2: Attribute Risk to Assets and/or Identities
Step 3: Send to Risk Index
Step 4: Alert on Anomalies
RBA in Action
Step 1: Align Correlation Search to Mitre
Excessive Failed Logins
| from datamodel:"Authentication"."Failed_Authentication"
| stats values(tag) as "tag", dc(user) as "user_count", dc(dest) as "dest_count", count by "app","src"
| where 'count'>=6
Do Your Research - MITRE TACTIC - Brute Force
Also opens up new possibilities
T1003 - Credential Dumping
T1075 - Pass the Hash
T1110 - Password Spraying
Align Correlation Search to Mitre ...continued
Map it to Mitre:
| eval mitre_id="T1110"
Appending multiple (optional):
| eval mitre_id=mvappend("T1110","T1003")
Step 2: Attribute Risk to Asset or Identity - Attribution
Risk Framework accepts a “risk_object” of type “system”, ”user” or ”other”:
| eval risk_object=src, risk_object_type="system"
| appendpipe [| eval risk_object=user, risk_object_type="user"]
Add an analyst message:
| eval risk_message=count." authentication failures from ".user_count." unique users originating from ".risk_object
Attribute Risk to Asset or Identity - Scoring
Static:
| eval risk_score=30
Dynamic (using a lookup and an equation):
| eval risk_score = <score> * ((<risk_object_priority> * 0.25) + 1)
*Where <score> is a number 0-100 and <risk_object_priority> is a number 0-4
Step 3: Send to Risk Index - Three Methods

Pros
● Supports throttling
Cons
● Must be blank to support multiple risk objects

| sendalert risk
Pros
● Easy to understand
● Supports multiple risk objects
Cons
● No throttling
● Requires non-overlapping searches (example: earliest=1h@h latest=@h)

| collect index=risk
Pros
● Simplest
● Easy to understand
● Supports multiple risk objects
Cons
● No throttling
● Requires non-overlapping searches (example: earliest=1h@h latest=@h)
Put It Together
| from datamodel:"Authentication"."Failed_Authentication"
| stats values(tag) as "tag", dc(user) as "user_count", dc(dest) as "dest_count", count by "app","src"
| where 'count'>=6
| eval risk_object=src, risk_object_type="system"
| eval risk_message=count." authentication failures from ".user_count." unique users from ".risk_object
| sendalert risk param._risk_score=50
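The combined search above, re-implemented in Python as an added example (this is not code from the slides or from the SA-RBA app). It runs the same stages over a constructed set of Failed_Authentication events: stats by app and src, the count>=6 filter, risk attribution to the source system with the analyst message, and a static score. `sendalert risk` is represented by returning the list of risk events that would land in the risk index; the sample events, the threshold default and the `source` field are assumptions made for the example.

```python
# Added example (not code from the slides or the SA-RBA app): the "Excessive
# Failed Logins" risk rule from the Put It Together slide, re-implemented in
# Python over constructed Failed_Authentication events so each SPL stage
# (stats -> where -> eval risk_object/risk_message -> sendalert risk) can be
# followed one at a time.
from collections import defaultdict

# Constructed sample events (not real logs); fields mirror the Authentication data model.
SAMPLE_FAILED_AUTH = [
    {"app": "ssh", "src": "10.0.0.5", "user": "alice", "dest": "srv1", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "alice", "dest": "srv1", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "bob",   "dest": "srv2", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "bob",   "dest": "srv2", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "carol", "dest": "srv3", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "carol", "dest": "srv3", "tag": "authentication"},
    {"app": "ssh", "src": "10.0.0.5", "user": "dave",  "dest": "srv1", "tag": "authentication"},
    # A second source with only two failures: stays below the where-clause threshold.
    {"app": "win:remote", "src": "10.0.0.9", "user": "alice", "dest": "dc1", "tag": "authentication"},
    {"app": "win:remote", "src": "10.0.0.9", "user": "alice", "dest": "dc1", "tag": "authentication"},
]


def stats_by_app_src(events):
    """| stats values(tag) as tag, dc(user) as user_count, dc(dest) as dest_count, count by app, src"""
    groups = defaultdict(lambda: {"tags": set(), "users": set(), "dests": set(), "count": 0})
    for e in events:
        g = groups[(e["app"], e["src"])]
        g["tags"].add(e["tag"])
        g["users"].add(e["user"])
        g["dests"].add(e["dest"])
        g["count"] += 1
    return [
        {"app": app, "src": src, "tag": sorted(g["tags"]),
         "user_count": len(g["users"]), "dest_count": len(g["dests"]), "count": g["count"]}
        for (app, src), g in groups.items()
    ]


def excessive_failed_logins(events, threshold=6, risk_score=50, mitre_id="T1110"):
    """Run the whole risk rule and return the risk events it would send to the risk index."""
    risk_events = []
    for row in stats_by_app_src(events):
        if row["count"] < threshold:            # | where 'count'>=6
            continue
        risk_object = row["src"]                # | eval risk_object=src, risk_object_type="system"
        risk_events.append({
            "risk_object": risk_object,
            "risk_object_type": "system",
            "mitre_id": mitre_id,               # | eval mitre_id="T1110"  (Step 1 alignment)
            "risk_message": (f"{row['count']} authentication failures from "
                             f"{row['user_count']} unique users from {risk_object}"),
            "risk_score": risk_score,           # | sendalert risk param._risk_score=50
            "source": "Excessive Failed Logins",  # assumed name of the risk rule
        })
    return risk_events


if __name__ == "__main__":
    for event in excessive_failed_logins(SAMPLE_FAILED_AUTH):
        print(event)
```

With the constructed input only 10.0.0.5 crosses the threshold, producing one risk event of score 50; lowering `threshold` to 2 shows how the second source would also start contributing risk, which is the knob a SOC tunes instead of suppressing the alert outright.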
Step 4: Alert on Anomalies - a change of perspective
Risk Index (example contents):
John Doe - Suspicious Email: 25
Jane Smith - Possible C2 Traffic: 30
WORKSTATION1 - Anomalous Login: 35
John Doe - Malware Detection: 50
DC1 - Malware Detection: 125
Jane Smith - Suspicious Email: 25
WORKSTATION1 - Suspicious Powershell: 70
Jane Smith - Suspicious Powershell: 55
Risk Notable - Greater than 100 within 24 hours:
| from datamodel:Risk
| stats sum(risk_score) as total values(*) as * by risk_object
| where total>100
Alert on Anomalies ...continued
Jane Smith (Total Risk Score: 110)
● Jane Smith received a suspicious email from phishy.com
● Suspicious powershell executed on Jane Smith’s computer
● Possible C2 Traffic from Jane Smith’s computer to abcdefghi1234.ru
WORKSTATION1 (Total Risk Score: 105)
● Suspicious powershell executed on WORKSTATION1
● Multiple login failures on WORKSTATION1
DC1 (Total Risk Score: 125)
● Malware Detection
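The risk notable search from the previous two slides, as an added Python example (not code from the slides): it takes risk-index events carrying the eight scores listed above, sums risk_score per risk_object over a 24-hour lookback, and returns the objects whose total exceeds 100. The timestamps, the reference time `NOW` and the `window_hours` parameter are assumptions; the objects, sources and scores are the slide's.

```python
# Added example (not code from the slides): the Alert on Anomalies step in Python.
# Constructed risk-index events carry the eight scores listed on the slide (the
# timestamps are constructed); totals are computed per risk_object over a 24-hour
# lookback and anything over the threshold becomes a risk notable.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 4, 15, 12, 0, tzinfo=timezone.utc)   # constructed "now" for the lookback


def _hours_ago(h):
    return NOW - timedelta(hours=h)


# Constructed risk events; risk_object, source and risk_score follow the slide.
RISK_EVENTS = [
    {"_time": _hours_ago(20), "risk_object": "John Doe", "source": "Suspicious Email", "risk_score": 25},
    {"_time": _hours_ago(6), "risk_object": "Jane Smith", "source": "Possible C2 Traffic", "risk_score": 30},
    {"_time": _hours_ago(9), "risk_object": "WORKSTATION1", "source": "Anomalous Login", "risk_score": 35},
    # 30 hours old: falls outside a 24-hour lookback, so John Doe stays at 25.
    {"_time": _hours_ago(30), "risk_object": "John Doe", "source": "Malware Detection", "risk_score": 50},
    {"_time": _hours_ago(1), "risk_object": "DC1", "source": "Malware Detection", "risk_score": 125},
    {"_time": _hours_ago(10), "risk_object": "Jane Smith", "source": "Suspicious Email", "risk_score": 25},
    {"_time": _hours_ago(8), "risk_object": "WORKSTATION1", "source": "Suspicious Powershell", "risk_score": 70},
    {"_time": _hours_ago(7), "risk_object": "Jane Smith", "source": "Suspicious Powershell", "risk_score": 55},
]


def risk_totals(events, now=NOW, window_hours=24):
    """| from datamodel:Risk | stats sum(risk_score) as total values(source) as source by risk_object
    restricted to the last `window_hours` (the 24-hour lookback of the risk notable search)."""
    start = now - timedelta(hours=window_hours)
    agg = defaultdict(lambda: {"total": 0, "sources": set()})
    for e in events:
        if start <= e["_time"] <= now:
            agg[e["risk_object"]]["total"] += e["risk_score"]
            agg[e["risk_object"]]["sources"].add(e["source"])
    return {obj: {"total": v["total"], "sources": sorted(v["sources"])} for obj, v in agg.items()}


def risk_notables(events, threshold=100, now=NOW, window_hours=24):
    """| where total>100 : (risk_object, total, sources) for each object that becomes a risk notable."""
    hits = [(obj, v["total"], v["sources"])
            for obj, v in risk_totals(events, now, window_hours).items() if v["total"] > threshold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for obj, total, sources in risk_notables(RISK_EVENTS):
        print(f"{obj}: {total} <- {', '.join(sources)}")
```

Jane Smith becomes a notable on 25 + 30 + 55 even though none of her individual risk events would have cleared a traditional severity gate; that accumulation is the change of perspective the slide describes. The lookback and the threshold are the two tuning knobs: widening the window to 48 hours pulls John Doe's older malware detection back in (total 75) but still leaves him below the line.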
Demo Environment - Two Scenarios
1) FruitFly Mac Malware
2) Advanced Persistent Threat
Customer Success
“RBA has changed how we fundamentally operate,
raising visibility into the cumulative risk related to
behaviors and allowing us to focus on the most
impactful events”
Brandon Cass
Cyber Defense Operations Manager
Texas Instruments
“As an early contributor of the RBA process and as a
Threat Hunter in a mid-sized enterprise, we increased
our detections by 300%, reduced our security alerts by
50%, aligned with MITRE ATT&CK, and achieved a 60%
true positive rate in the SOC in less than a year without
increasing the size of the security team by leveraging a
risk based approach”
Stuart McIntosh
CTO
Outpost Security
“Before implementing RBA, we saw a 7.07% True
Positive Rate. In quarter two of 2019 we were able to
maintain a 33% True Positive Rate using the RBA
system while also onboarding 29 new correlation
searches. RBA has empowered our small security
operations team to scale with evolving threats.”
Cybersecurity Incident Response Team
Children’s Mercy
Road to Adoption
Resources - Talks and Presentations
SANS SIEM Summit
SANS Content: We Need to Talk about the Elephant in the SOC
Splunk .Conf 2018
SEC 1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach
Splunk .Conf 2019
SEC 1556 - Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT&CK Framework
SEC 1803 - Modernize and Mature Your SOC with Risk-Based Alerting
SEC 1538 - Getting started with Risk-Based Alerting and MITRE
SEC 1908 - Tales from a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Approach
RBA App
https://github.com/apger/SA-RBA
Risk Rule Home Dashboard
Risk Adoption Timeline - Key Milestones
Phases: Start (Current) → First RR, i.e. first risk rule (1 - 2 Weeks) → Home Dash (1 - 2 Months) → First RN, i.e. first risk notable (3 Months) → Full RBA (4-6+ Months)
Activities along the way:
● Typical Alerting → Add Mitre → Convert Multiple RR → Continue Convert RR → All RR Converted
● Add Risk Attribution → Build Dashboard → Build Analyst View → SOC Trained
● Play with Scores → SOC Training → Tuning Dashboard
● Triage Risk Notable → Tuning Process
● Red Teaming!
Thank You
Appendix
`risk_score(risk_object_priority,risk_rule_impact,risk_rule_confidence)`
| eval risk_rule_impact=if(like($risk_rule_impact$,"%"),$risk_rule_impact$,"$risk_rule_impact$"),
  risk_rule_confidence=if(like($risk_rule_confidence$,"%"),$risk_rule_confidence$,"$risk_rule_confidence$")
| eval temp_impact_num=case(risk_rule_impact=="info",20,risk_rule_impact=="low",40,risk_rule_impact=="medium",60,risk_rule_impact=="high",80,risk_rule_impact=="critical",100)
| eval temp_confidence_num=case(risk_rule_confidence=="low",0.30,risk_rule_confidence=="medium",0.60,risk_rule_confidence=="high",1.00)
| eval risk_score=(temp_impact_num * temp_confidence_num) * (($risk_object_priority$ * 0.25) + 1)
| fields - temp_impact_num, temp_confidence_num
`risk_object_priority(risk_object)`
| lookup asset_lookup_by_str asset AS $risk_object$ OUTPUT priority as asset_priority nt_host as temp_nt_host
| eval $risk_object$=case((risk_object_type="system" AND like(temp_nt_host,"%")),temp_nt_host,true(),risk_object)
| lookup identity_lookup_expanded identity AS $risk_object$ OUTPUT priority as identity_priority watchlist as watchlist
| fillnull value="false" watchlist
| eval risk_object_priority=case(risk_object_type="system" AND like(asset_priority,"%"),asset_priority,risk_object_type="system","unknown",risk_object_type="user" AND like(identity_priority,"%"),identity_priority,risk_object_type="user","unknown")
| fields - asset_priority identity_priority temp_nt_host
| eval risk_object_priority_num=case(watchlist="true",4,risk_object_priority=="low",1,risk_object_priority=="medium",2,risk_object_priority=="high",3,risk_object_priority=="critical",4,true(),0.5)
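The two macros above, together with the dynamic scoring formula from the Scoring slide, re-implemented in Python as an added example (not code from the slides or from the SA-RBA app). The impact, confidence and priority numbers are the ones in the macros; the ES lookups `asset_lookup_by_str` and `identity_lookup_expanded` are replaced by small constructed dicts, and for readability the identity lookup is consulted only for user objects here, whereas the macro runs it for every object. The sample hosts, identities and priorities are assumptions.

```python
# Added example (not code from the slides or the SA-RBA app): the dynamic scoring
# formula from the Scoring slide and the appendix macros `risk_score(...)` and
# `risk_object_priority(...)` in Python. Lookups are replaced by constructed dicts.
IMPACT_NUM = {"info": 20, "low": 40, "medium": 60, "high": 80, "critical": 100}
CONFIDENCE_NUM = {"low": 0.30, "medium": 0.60, "high": 1.00}
PRIORITY_NUM = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # unknown -> 0.5, watchlist -> 4

# Constructed stand-ins for the ES asset and identity lookups (not real inventory data).
ASSET_LOOKUP = {
    "10.0.0.5": {"nt_host": "WORKSTATION1", "priority": "medium"},
    "dc1": {"nt_host": "DC1", "priority": "critical"},
}
IDENTITY_LOOKUP = {
    "jsmith": {"priority": "high", "watchlist": "false"},
    "svc_backup": {"priority": "low", "watchlist": "true"},
}


def risk_object_priority(risk_object, risk_object_type):
    """Mirror of `risk_object_priority(risk_object)`.
    Returns (canonical risk_object, priority label, risk_object_priority_num)."""
    watchlist = "false"                                   # | fillnull value="false" watchlist
    priority = "unknown"
    if risk_object_type == "system":
        asset = ASSET_LOOKUP.get(risk_object)
        if asset:
            # case(risk_object_type="system" AND like(temp_nt_host,"%"), temp_nt_host, ...)
            risk_object = asset.get("nt_host", risk_object)
            priority = asset["priority"]
    elif risk_object_type == "user":
        ident = IDENTITY_LOOKUP.get(risk_object)
        if ident:
            priority = ident["priority"]
            watchlist = ident["watchlist"]
    # case(watchlist="true",4, low 1, medium 2, high 3, critical 4, true() 0.5)
    num = 4 if watchlist == "true" else PRIORITY_NUM.get(priority, 0.5)
    return risk_object, priority, num


def risk_score(risk_object_priority_num, risk_rule_impact, risk_rule_confidence):
    """Mirror of `risk_score(...)`: (impact * confidence) * ((priority * 0.25) + 1).
    impact * confidence is the 0-100 <score> of the Scoring slide; priority is 0-4."""
    base = IMPACT_NUM[risk_rule_impact] * CONFIDENCE_NUM[risk_rule_confidence]
    return base * ((risk_object_priority_num * 0.25) + 1)


def score_event(risk_object, risk_object_type, impact, confidence):
    """Priority lookup followed by scoring, as a correlation search would chain the two macros."""
    obj, label, num = risk_object_priority(risk_object, risk_object_type)
    return obj, label, risk_score(num, impact, confidence)


if __name__ == "__main__":
    for args in [("10.0.0.5", "system", "high", "high"), ("jsmith", "user", "medium", "medium"),
                 ("svc_backup", "user", "low", "low"), ("192.168.1.77", "system", "info", "high")]:
        print(args, "->", score_event(*args))
```

Two behaviours of the macros worth noticing in the output: an object the lookups do not know gets the 0.5 multiplier (so a high-confidence info finding on an unknown host scores 22.5, not 20), and a watchlisted identity is scored as critical regardless of its listed priority (the low-impact, low-confidence event on `svc_backup` doubles to 24), which is how the asset and identity inventory feeds directly into what floats to the top of the risk index.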
Risk Rule Home Dashboard
<form>
<label>Risk Index Overview</label>
<fieldset submitButton="false">
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<title>Risk Score by Object</title>
<search>
<query>| tstats values(source) as source sum(All_Risk.risk_score) as score from datamodel=Risk.All_Risk by All_Risk.risk_object _time span=24h | `drop_dm_object_name("All_Risk")` | table risk_object source score</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="score">
<colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
</table>
</panel>
</row>
<row>
<panel>
<table>
<title>Risk Score by Source</title>
<search>
<query>| tstats values(All_Risk.risk_object) as risk_object sum(All_Risk.risk_score) as score from datamodel=Risk.All_Risk by source _time span=24h | fields - _time</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="count">10</option>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="color" field="score">
<colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
<scale type="minMidMax"></scale>
</format>
</table>
</panel>
</row>
</form>
