Enterprise Security and User Behavior Analytics
2 likes1,754 views
Splunk Enterprise Security 4.5 provides security information and event management (SIEM) and a security intelligence platform. It includes features like adaptive response to extend analytics-driven decisions and automation, and glass tables to enhance visual analytics. Glass tables allow security teams to create custom visualizations that reflect their workflows and gain visibility across their security ecosystem. The update also includes improvements to detection, investigation, and response times through automation and correlation searches.
Enterprise Security and User Behavior Analytics
- 1. Copyright © 2016 Splunk Inc. Enterprise Security and UBA Overview
- 2. 2 Agenda Splunk Portfolio Update Enterprise Security 4.5 User Behavior Analytics 3.0
- 3. VMware Platform for Machine Data Splunk Solutions > Easy to Adopt Exchange PCISecurity Across Data Sources, Use Cases and Consumption Models IT Svc Int Splunk Premium Solutions Rich Ecosystem of Apps ITSI UBA UBA Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop & NoSQL
- 4. 4 Splunk Releases 4 Splunk Enterprise and Splunk Cloud 6.5 Enterprise Security 4.5 ES User Behavior Analytics 3.0 UBA
- 5. 5 5 Splunk Security Vision Security Markets SIEM and Compliance Security Analytics (supervised and unsupervised) Fraud and Business Risk Managed Security and Intelligence Services Splunk Security Intelligence Framework Workflow/collaboration, case management, content/intelligence syndication and Ecosystem brokering
- 6. 6 Enterprise Security Provides: SIEM and Security Intelligence Platform for security operations/command centers Functions: alert management, detects using correlation rules (pre-built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing Persona service: SOC Analyst, security teams, incident responders, hunters, security managers Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches, dynamic baselines 6
- 7. 7 User Behavior Analytics Provides advanced threat detection using unsupervised machine learning – enriches Splunk Enterprise Security (SIEM) Functions: baselines behavior from log data and other data to detect anomalies and threats Persona service: SOC Analyst, hunters Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science. 7
- 8. Copyright © 2016 Splunk Inc. Enterprise Security 8
- 9. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
- 10. 10 Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management* *Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Four Years in a Row as a Leader Furthest overall in Completeness of Vision Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases
- 11. 11 11 Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three Use Cases *Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- 12. 12 App Servers Network Threat Intelligence Firewall Web Proxy Internal Network Security Endpoints Splunk as the Security Nerve Center Identity
- 13. 13 Splunk Enterprise Security: Fast Facts ● Current version: 4.5 released on October 12, 2016 ● Two major releases per year ● Content comes from industry experts, market analysis, but most importantly YOU ● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable ● ES has its own development team, dedicated support, services practice, and training courses
- 14. The best part of ES is free! ● You’ve got a bunch of systems… ● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-zone Linux AV ● Network Sandboxing ● APT Protection ● CIM = Data Normalization
- 15. Copyright © 2016 Splunk Inc. NORMALIZATION?!?
- 16. Copyright © 2016 Splunk Inc. NORMALIZATION?!? Relax. This is therefore, CIM gets applied at SEARCH TIME.
- 17. Data Normalization is Mandatory for your SOC “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et. al., Cisco CSIRT Your fields don’t match? Good luck creating investigative queries
- 18. 18 Splunk Enterprise Security – SIEM and Security Intelligence 18 Q4 2014 Q2 2015 Q4 2015 ES 3.2 • Protocol Intelligence • Semantic Search ES 4.1 • Behavior Anomalies • Risk and Search in Incident Review • Facebook ThreatExchange ES 3.3 • Threat Intel Framework • User Activity Monitoring • Content Sharing • Data Ingestion ES 4.0 • Breach Analysis • Integration with Splunk UBA • Enterprise Security Framework Q2 2016 ES 4.2 • Adaptive Response enablement • Performance • Actions Dashboard • Search Driven Lookup Q3 2016
- 19. 19 SIEM Criteria for Enterprises Logging and Deployment Splunk Solution Real-time event data collection Splunk Enterprise Scalable architecture, deployment flexibility A Splunk Enterprise Log management, Search and Ad hoc Search Splunk Enterprise SIEM Capabilities Splunk Solution Incident Response and Management Splunk Enterprise Security User monitoring Splunk Enterprise Security Advanced Analytics Splunk Enterprise Security Threat intelligence and Business Context Splunk Enterprise Security Real-time Monitoring Splunk Enterprise Security Advanced Threat Defense Splunk Enterprise Security Data and application monitoring Splunk Enterprise and Enterprise Security Deployment and Support Flexibility Splunk Enterprise and Enterprise Security Based on Gartner Research Document : 2016 Critical Capabilities for SIEM
- 20. SplunkEnterpriseSecuritysupportsall SIEM usecases MONITOR REPORT ANALYZE INVESTIGAT E RESPOSE COLLABORATE DETECT ALERT ReportAd hoc Search Analyz e Collect Store Pre-defined views and rules Correlation rules, thresholds Analysis investigation & context enrichment Enterprise- wide coordination & response SIEM Security Ops Management Alert & incident management, policy based rules, out-of-box security rules & analysis Data Platform Collect, Index data for search and analysis, visualization. Dynamic adhoc and statistical analysis FUNCTIONS
- 21. 21 AUTOMATION VISUALIZATION ISUALIZATION DETECTION What’s new in Enterprise Security 4.5? Adaptive Response Glass Tables Extend Analytics-driven Decisions and Automation Enhance Visual Analytics With Glass Table Views Use connected intelligence for security operations to gain full visibility and responsiveness across your security ecosystem Create custom visualizations that reflect your workflows, topology, detect, investigate and respond sequences with dashboards, summary views with relevant context to suit your needs
- 22. 22 Adaptive Response: Analytics-driven Decisions, Automate • Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times • Improve operational efficiency using workflow-based context with automated and human-assisted decisions • Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
- 23. 23 Accelerate Detection, Investigation and Response • Use the correlation search builder to configure and automate and attach the results to notable events • In incident review, configure and execute responses and queries across the security ecosystem • Use the actions dashboard to search and review responses taken and their results
- 24. 24 Adaptive Response Actions (Examples) AUTOMATION Category - Information gathering, Information conveyance, Permissions control Task - Create, Update, Delete, Allow, Block Subject – what will be acted upon (network, endpoint, etc) Vendor – providing the action. Ex; Splunk, Ziften, Palo Alto Networks, etc
- 25. 25 Insight from Across Ecosystem Effectively leverage security infrastructure to gain a holistic view Workflow Identity Network Internal Network Security App Endpoints Web Proxy Threat Intel 1. Palo Alto Networks 2. Anomali 3. Phantom 4. Cisco 5. Fortinet 6. Threat Connect 7. Ziften 8. Acalvio 9. Proofpoint 10. CrowdStrike 11. Symantec (Blue Coat) 12. Qualys 13. Recorded Future 14. Okta 15. DomainTools 16. Cyber Ark 17. Tanium 18. Carbon Black 19. ForeScout
- 26. 26 Glass Tables to Enhance Visual Analytics • Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view • Improve response times with nested views to display what’s important or relevant • Optimize workflow with drill-down to the supporting criteria of the metric
- 27. 27 Simplify Analysis with Custom Views of Security Metrics • Custom visualizations that reflect workflows, topology, detect, investigate and respond sequences with dashboards, summary • Views with relevant context to suit your needs Example: Threat KPI Glass Table
- 28. Copyright © 2016 Splunk Inc. ES Questions? 28
- 29. Copyright © 2016 Splunk Inc. Splunk User Behavior Analytics Anurag Gurtu (Dir. Product Marketing)
- 30. 30 DISCLAIMER During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward- looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 31. 31 TECHNOLOGY EVOLUTION 1995 2002 2008 2011 2015 END-POINT SECURITY NETWORK SECURITY EARLY CORRELATION PAYLOAD ANALYSIS BEHAVIOR ANALYSIS
- 32. 32 SO, WHAT IS THE COMPROMISED / MISUSED CREDENTIALS OR DEVICES LACK OF RESOURCES (SECURITY EXPERTISE) LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES PROBLEM?
- 33. 33 EXTERNAL ATTACK USER ACTIVITY Peter and Sam access a compromised website - backdoor gets installed The attacker uses Peter’s stolen credential and VPNs into Domain Controller The attacker uses the backdoors to download and execute WCE – password cracker Peter’s and Sam’s devices begin communicating with CnC The attacker logs in as Sam and accesses sensitive documents from a file share The attacker steals the admin Kerberos ticket and escalates the privileges for Sam The attacker uses Peter’s VPN credential to connect, copies the docs to an external staging server, and logs out after three hours Day 1 . . Day 2 . . Day N
- 34. 34 INSIDER THREAT John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY Day 1 . . Day 2 . . Day N
- 35. 35 Splunk Premium Security Solutions Extensible Analytics & Collaboration Enable Rapid Investigations Automated Analysis & Machine Learning SPLUNK ENTERPRISE SECURITY SPLUNK USER BEHAVIOR ANALYTICS
- 36. 36 WHAT IS SPLUNK UBA? Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the- box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baseline and peer group analytics.
- 37. Splunk User Behavioral Analytics Automated Detection of INSIDER THREATS AND CYBER ATTACKS Platform for Machine Data Behavior Baselining & Modelling Unsupervised Machine Learning Real-Time & Big Data Architecture Threat & Anomaly Detection Security Analytics
- 38. 38 INSIDER THREAT Day 1 . . Day 2 . . Day N John connects via VPN Administrator performs ssh (root) to a file share - finance department John executes remote desktop to a system (administrator) - PCI zone John elevates his privileges root copies the document to another file share - Corporate zone root accesses a sensitive document from the file share root uses a set of Twitter handles to chop and copy the data outside the enterprise USER ACTIVITY Unusual Machine Access (Lateral Movement; Individual & Peer Group) Unusual Zone (CorpPCI) traversal (Lateral Movement) Unusual Activity Sequence Unusual Zone Combination (PCICorp) Unusual File Access (Individual & Peer Group) Multiple Outgoing Connections & Unusual SSL session duration
- 39. A Few CUSTOMER FINDINGS Malicious Domain Beaconing Activity Malware: Asprox Webshell Activity Pass The Hash Attack Suspicious Privileged Account activity Exploit Kit: Fiesta Lateral Movement Unusual Geo Location Privileged Account Abuse Access Violations IP Theft RETAIL HI-TECH MANUFACTURING FINANCIAL
- 40. PROXY SERVER FIREWALL WHAT DOES SPLUNK UBA NEED? ACTIVE DIRECTORY / DOMAIN CONTROLLER DNS, DHCP SPLUNK ENTERPRISE ANY SIEM AT A MINIMUM
- 41. 41 WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA “Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this solution as it makes the life of our SOC analysts’ way better.” Mark Grimse, VP IT Security, Rambus “A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space.” Randolph Barr, CSO, Saba
- 42. 42 WHY SPLUNK UBA? THE MOST ADVANCED UEBA TECHNOLOGY THE LARGEST INVESTMENT IN MACHINE LEARNING A COMPLETE SOLUTION FROM SPLUNK DETECT THE UNKNOWNS IMPROVE SOC & HUNTER EFFICIENCY
- 43. 43 • 6000+ IT, Security and Business Professionals • 3 days of technical content • 180+ sessions + hands-on labs • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks PLUS Splunk University • Three days: Sept 23-25, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education! #splunkconf2017
Editor's Notes
- #4: The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – log search and analytics for small IT environments Hunk – for analytics on data in Hadoop The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
- #5: For the purposes of this discussion we’ll be talking about and seeing Splunk ES 4.5 and UBA 3.0, running on top of our current release of Splunk Enterprise 6.5.
- #6: Splunk solutions provide capabilities across the modern security markets – from left to right – Splunk isn’t a traditional SIEM but provides SIEM capabilities via Enterprise Security. Enterprise Security also helps with various compliance regulations, and if you need a more specific approach to PCI we have a separate app just for that. Then we provide various methods for security analytics – nothing in Splunk is set in stone or tied down which is a major advantage over rigid SIEM technology. If you want to hunt through your data and create your own searches for analytics – go right ahead with Core Splunk and ES. If you’d rather have a fully curated, out of the box machine learning driven experience, or also want that – then that’s UBA. We are also finding that customers can and do leverage our platform to analyze for fraud and business risk. And finally, many of our partners are offering managed security services with our platform at the center.
- #7: Enterprise Security is a premium app designed to be used in a SOC or incident response group, and it provides SIEM-like functions on top of the Splunk Enterprise or Splunk Cloud platform.
- #8: UBA is very different – it is a standalone platform and doesn’t necessarily need the Splunk Enterprise platform to do what it does. We expect it to be used by SOC analysts and hunters. It is specifically designed to surface vetted threats about outside attackers and insiders, and it does this with a software appliance based approach.
- #10: Splunk excels at creating a data fabric Machine data: Anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
- #11: Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- #13: We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything. . There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
- #14: 3.3. 3.0 was the first release done against Splunk 6 and that was a huge step forward – mainly because of the use of CIM and accelerated data models. Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless. Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable. Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem. ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
- #15: Underneath ES, there’s this concept called the Common Information Model….This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
- #16: …that’s evil. Normalization=bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with splunk…
- #17: …we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
- #18: It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the… -Date and Time -Type of action performed -Subsystem performing the action -Identifiers for the object requesting the action -Identifiers for the object providing the action -Status, outcome, or result of the action So CIM helps us get significant regularity out of similar but disparate data types. Also allows cross-domain correlation like IDS to Vuln.
- #26: Gain a holistic view across all security relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more Detect, investigate and respond by overcoming silos
- #36: A critical security concern for banks is fraud. So let’s hear how Orrstown Bank uses Splunk.
- #44: We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!