© 2019 SPLUNK INC.
Intro to Security Analytics Methods
Start: 13:30
Udo Götzen
Staff Sales Engineer | CISSP
Security SME
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Who Are You?
• Maybe a user of Splunk Security Essentials?
• All levels of Splunk experience
• You probably like security
[Chart: the audience plotted on two axes, Technical vs. Business and New to Splunk vs. Years of Splunk, with "YOU" somewhere on it]
Key Takeaways from This Session
1) Improved ability to detect potentially suspicious activity
2) Free, powerful out-of-the-box security analytics methods
Agenda
1) Security Analytics 101
2) Splunk Security Essentials (SSE) Overview
3) SSE Demo / Walk-Through
4) End-to-End Scenario
5) Wrap Up
Splunk Security Pillars and Portfolio
[Portfolio diagram: the Splunk platform (universal indexing; petabyte scale; multi-schema; search, alert, report, visualize; broad support) together with the Machine Learning Toolkit (MLTK) underpins three pillars, Data, Analytics and Operations, with ES Content Update, Adaptive Response and the Adaptive Operations Framework layered on top]
Common Security Challenges
• Malicious Insiders
• Commodity Malware
• Advanced External Attackers
Analytics Methods: Types of Use Cases
• General Security Analytics Searches
• Time Series Analysis with Standard Deviation
• First Time Seen Powered by Stats
Implementation Approach for Security Analytics
Alert Creation
• Simpler Detection: rules and statistics; quick development; easy for analysts
• ML Based Detection: detect the unknown; new vectors; heavy data science
Alert Aggregation
• Threat Detection: manage high volume; track entity relationships; combination of ML + rules
Investigation
• Investigative Platform: analyst flexibility; provide access to data analysis solutions; record historical context for everything
Splunk Security Essentials Overview
Splunk Security Essentials
Identify Bad Guys:
• 450+ security analytics methods
• Free on Splunkbase; runs on Splunk Enterprise
• Targets external and insider threats
• Advanced threat detection, compliance, and more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save searches from the app and send hits to ES / UBA
Solve the use cases you can today for free, then use Splunk UBA for advanced ML detection.
https://splunkbase.splunk.com/app/3435/
Splunk Security Essentials App — Runs
on Splunk Enterprise
QUICK EASY FREE
Security Journey — Data-Driven Approach
Stage 1, Collection: Collect basic security logs and other machine data from your environment
Stage 2, Normalization: Apply a standard security taxonomy and add asset and identity data
Stage 3, Expansion: Collect additional high-fidelity data sources like endpoint activity and network metadata to drive advanced attack detection
Stage 4, Enrichment: Augment security data with intelligence sources to better understand the context and impact of an event
Stage 5, Automation & Orchestration: Establish a consistent and repeatable security operations capability
Stage 6, Advanced Detection: Apply sophisticated detection mechanisms including machine learning
Data Onboarding Guides
• AWS CloudTrail + VPC Flow
• Cisco ASA
• Linux Security Logs
• Microsoft Sysmon
• Microsoft Office 365
• Palo Alto Networks
• Stream DNS
• Symantec AV
• Windows Security
SSE Demo
Getting Started with Splunk Security Essentials
• Download from apps.splunk.com
• Install on your Search Head, a standalone Splunk server, or even a laptop
• Browse use cases that match your needs
• Data Source Check shows other use cases for your existing data
• Evaluate free tools to meet gaps, such as Microsoft Sysmon (links inside the app)
Open the Splunk Security Essentials App
First open Splunk Security Essentials, then open Use Cases
Pre-requisite Checks
• For those just starting out, it can be hard to know what data you need
• Every use case comes with pre-req checks to show whether you have the data
• If you don't, follow the links
Or Check EVERYTHING
• Data Source Check tells you what's possible
• Runs all pre-req checks
Click "Start Searches"
Create Posture Dashboards
1) Run the Data Source Check first
2) Allow it to complete the check
3) Then click the "Create Posture Dashboards" button
Posture Dashboards (cont'd)
If you don't have live data yet, click "Demo Datasets"; the number of available visualizations will update accordingly
Posture Dashboards (cont'd)
1) Select the desired visualization category (or categories)
2) Select non-default searches if desired
3) Generate the selected dashboards!
Posture Dashboards (cont'd)
• Essential Account Security: data sources include General Authentication, Windows 10, and Active Directory
• Essential Host Security: data sources include Windows Endpoint and Anti-virus
• Essential Network Security: data sources include Firewall, Next-Gen Firewall, and Web Proxy
Take a Minute to Review Use Cases
• Read through a few of the use cases
• Filter for use cases you care about
Let's Start With a Simple Example
Click on "Concentration of Hacker Tools by Filename"
Concentration of Hacker Tools by Filename
• A search you might not think of, but one that is easy to use
• Input: a CSV lookup of suspicious filenames (credential dumpers, remote-execution tools and the like)
• Input: process launch logs (Windows Security 4688, Sysmon Event ID 1, Carbon Black, etc.)
• Looks for several of those filenames appearing concentrated in a short period of time, rather than alerting on every single match
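The same detection logic as an added Python example, written here to show the mechanics rather than the app's SPL (this is not code from the slides or from Splunk Security Essentials). The watchlist, hosts, users and timestamps are all constructed for the example; the one design point it adds is the sliding window, which reports a host only when several different watchlisted tools run within minutes of each other.

```python
"""Concentration of suspicious tool filenames on one host in a short window.

Added example, not the SSE search's SPL. A watchlist of suspicious filenames
(the CSV input) is matched against process-launch events, and a host is
reported only when several *different* watchlisted tools run inside a
sliding time window. All inputs below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the use case's CSV of suspicious filenames.
SUSPICIOUS_FILENAMES = {"mimikatz.exe", "psexec.exe", "procdump.exe", "nc.exe", "wce.exe"}

# Constructed process-launch events (Sysmon Event ID 1 / Windows 4688 style fields).
EVENTS = [
    {"_time": "2020-01-17T13:30:02", "host": "WS-042", "user": "jsmith", "process_name": "procdump.exe"},
    {"_time": "2020-01-17T13:31:10", "host": "WS-042", "user": "jsmith", "process_name": "mimikatz.exe"},
    {"_time": "2020-01-17T13:33:45", "host": "WS-042", "user": "jsmith", "process_name": "psexec.exe"},
    {"_time": "2020-01-17T09:00:00", "host": "WS-007", "user": "admin", "process_name": "psexec.exe"},
    {"_time": "2020-01-17T15:12:00", "host": "WS-007", "user": "admin", "process_name": "PsExec.exe"},
    {"_time": "2020-01-17T13:32:00", "host": "WS-099", "user": "bob", "process_name": "notepad.exe"},
]


def find_tool_concentrations(events, watchlist, window=timedelta(minutes=10), min_distinct=2):
    """Return {host: (window_start, [distinct tools])} for every host that launched
    at least `min_distinct` different watchlisted filenames inside `window`.
    Filenames are compared case-insensitively (Windows paths are not case-sensitive)."""
    watch = {name.lower() for name in watchlist}
    per_host = defaultdict(list)
    for ev in events:
        name = ev["process_name"].lower()
        if name in watch:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["_time"]), name))

    hits = {}
    for host, launches in per_host.items():
        launches.sort()                        # chronological
        best = None
        lo = 0
        for hi in range(len(launches)):        # slide the window end forward
            while launches[hi][0] - launches[lo][0] > window:
                lo += 1                        # drop launches that fell out of the window
            tools = {name for _, name in launches[lo:hi + 1]}
            if len(tools) >= min_distinct and (best is None or len(tools) > len(best[1])):
                best = (launches[lo][0], sorted(tools))
        if best:
            hits[host] = best
    return hits


if __name__ == "__main__":
    for host, (start, tools) in find_tool_concentrations(EVENTS, SUSPICIOUS_FILENAMES).items():
        print(f"{host}: {len(tools)} distinct tools from {start:%H:%M}: {', '.join(tools)}")
```

The value of the concentration, as opposed to a plain lookup match, shows in the WS-007 rows: an administrator running PsExec twice, hours apart, is not reported, while three different credential-access and lateral-movement tools on one workstation inside four minutes is. Filename matching is a cheap first pass and nothing more, since tools are trivially renamed; pair it with hash- and behaviour-based use cases.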
Applying to Live Data
Click Live Data
See a Live Search
An Advanced Splunk Search
• Phishing is a big risk
• Many approaches to mitigating it with Splunk
From Journey, select Stage 4; from Data Sources, filter to Email Logs; then click on "Emails with Lookalike Domains"
A Phishing Search Larger Than Your Pond
• A very long search you don't have to write yourself
• Detects typos, like company.com → campany.com
• Supports subdomains for typo detection
• Detects suspicious subdomains, like company.com → company.yourithelpdesk.com
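An added Python example of the two checks that slide describes, written as a stand-in for the SSE search to make the logic visible (it is not that search and not Splunk's code). Two assumptions are baked in and labelled in the code: the registered domain is taken to be the last two labels of the sender's domain (wrong for public suffixes such as co.uk, where the Public Suffix List is the right tool), and the table of confusable letter pairs is a small illustrative one. The organisation's domain and the mail records are constructed.

```python
"""Lookalike sender domains in mail logs: typo-squats and lookalike subdomains.

Added example, not the SSE 'Emails with Lookalike Domains' search. A sender's
registered domain is compared with the organisation's own domains two ways:
(1) an edit distance of one after folding common confusable letter pairs,
which catches company.com -> campany.com (and cornpany.com), and
(2) the organisation's name used as a subdomain label of a foreign domain,
e.g. company.yourithelpdesk.com.
Simplifying assumption: the registered domain is the last two labels, which is
wrong for public suffixes such as co.uk; use the Public Suffix List in production.
All domains and mail records below are constructed.
"""

OUR_DOMAINS = {"company.com"}

# Constructed mail-log records as a mail gateway would log them.
MAIL_LOG = [
    {"sender": "ceo@company.com", "recipient": "jane@company.com"},
    {"sender": "ceo@campany.com", "recipient": "jane@company.com"},                 # typo-squat
    {"sender": "it@company.yourithelpdesk.com", "recipient": "jane@company.com"},   # lookalike subdomain
    {"sender": "news@vendor-mail.com", "recipient": "jane@company.com"},            # unrelated
    {"sender": "hr@mail.company.com", "recipient": "jane@company.com"},             # our own subdomain: fine
    {"sender": "ceo@cornpany.com", "recipient": "jane@company.com"},                # "rn" looks like "m"
]

# Letter sequences that render almost identically in common fonts (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_confusables(s):
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registered_domain(fqdn):
    """Assumption: registered domain = last two labels (no Public Suffix List here)."""
    return ".".join(fqdn.lower().strip(".").split(".")[-2:])


def classify_sender(address, our_domains=OUR_DOMAINS, max_distance=1):
    """None when the sender domain is ours or unrelated; otherwise (reason, impersonated_domain)."""
    fqdn = address.rsplit("@", 1)[-1].lower().strip(".")
    reg = registered_domain(fqdn)
    if reg in our_domains:
        return None                                   # genuinely ours, subdomains included
    subdomain_labels = fqdn[: -len(reg)].rstrip(".").split(".") if fqdn != reg else []
    for ours in our_domains:
        if edit_distance(fold_confusables(reg), fold_confusables(ours)) <= max_distance:
            return ("typo_lookalike", ours)
        if ours.split(".")[0] in subdomain_labels:    # our name hung under someone else's domain
            return ("lookalike_subdomain", ours)
    return None


def lookalike_senders(mail_log):
    """[(sender, reason, impersonated_domain)] for every suspicious record."""
    results = []
    for rec in mail_log:
        verdict = classify_sender(rec["sender"])
        if verdict:
            results.append((rec["sender"], verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for sender, reason, ours in lookalike_senders(MAIL_LOG):
        print(f"{sender}: {reason} (impersonates {ours})")
```

The cornpany.com row is there on purpose: by raw edit distance it is two edits away from company.com and would slip under a threshold of one, so confusable folding has to happen before the distance is measured. Expect noise from legitimately similar domains of partners and suppliers; the usual fix is an allowlist of known-good registered domains checked before the lookalike tests.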
What About Baselines?
Splunk can also build baselines easily. Let's look at a Time Series Spike, which detects anomalies via standard deviation.
From Data Sources, filter to Print Server Logs, then open "Increase in Pages Printed"
What is Standard Deviation?
• A measure of how spread out a series of numbers is (the square root of the variance); Splunk's stdev() computes the sample form, dividing by n-1, which is what the figures below use

User   Day One   Day Two   Day Three   Day Four   Avg      Stdev
Jane   100       123       79          145        111.75   28.53
Jack   100       342       3           2          111.75   160.23

User   Day Five   # StDev from Average ... aka How Unusual?
Jane   500        13.6
Jack   500        2.42

Same average, same day-five value, very different verdicts: Jane's steady baseline makes 500 extreme, while Jack's noisy baseline makes 500 unremarkable. That is why the score is measured in standard deviations rather than as a raw difference from the average.
Increase in Pages Printed
• Our search looks at printer logs
• Sums pages per day, per user
• Note the tooltips everywhere!
Click "Detect Spikes" to find outliers
Want to Learn That SPL for Yourself?
• Just click Show SPL to see how the search works
• Learn this once; it applies to all time series spikes!
• (Or just use the app)
Want to Schedule That Search?
• Want to use that search? Just click Schedule Alert
• Searches will automatically send to ES Risk or UBA if you have either
• Or just email the results to yourself
What Else Do You Have For Me?
• We can use baselines to find new combinations too
• This can help with any noisy search you have today
From Data Sources, open "Authentication Against a New Domain Controller"
Authentication Against a New DC
• This search uses stats earliest() and latest() per User, DC combination
• If earliest() falls inside the recent window, the combination has no history in the searched data and is flagged as new
• This works for any combination of fields!
Click "Detect New Values" for outliers
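The first-time-seen logic as an added Python example (not the SSE search, not Splunk's code): each (user, DC) pair keeps its earliest and latest sighting and a count, and a pair is reported when its earliest sighting lies inside the recent window. The fixed "now", the 30-day lookback and the logon records are constructed; the record for bob against DC01 is deliberately placed outside the lookback to show the caveat that "new" only means new relative to the history actually searched.

```python
"""First-time-seen detection: authentication against a new domain controller.

Added example, not the SSE search. It reproduces the idea behind
'stats earliest(_time) latest(_time) count by user dc': for each (user, dc)
pair keep the first and last time it was observed and flag the pair when its
first sighting falls inside the recent window, i.e. the combination has no
history in the data that was searched. All logon records are constructed.
"""
from datetime import datetime, timedelta

NOW = datetime(2020, 1, 17, 13, 30)   # fixed "now" so the example is deterministic

# Constructed Windows logon records (4624-style) reduced to the fields the search uses.
AUTH_LOG = [
    {"_time": "2019-12-20T08:01:00", "user": "alice", "dc": "DC01"},
    {"_time": "2020-01-05T08:03:00", "user": "alice", "dc": "DC01"},
    {"_time": "2020-01-16T08:00:00", "user": "alice", "dc": "DC01"},
    {"_time": "2020-01-17T09:00:00", "user": "Alice", "dc": "dc01"},   # same pair, different case
    {"_time": "2020-01-17T13:05:00", "user": "alice", "dc": "DC07"},   # never seen before
    {"_time": "2019-12-22T07:30:00", "user": "bob", "dc": "DC02"},
    {"_time": "2020-01-10T07:31:00", "user": "bob", "dc": "DC02"},
    {"_time": "2020-01-17T07:30:00", "user": "bob", "dc": "DC02"},
    {"_time": "2019-11-30T07:30:00", "user": "bob", "dc": "DC01"},     # older than the search window
    {"_time": "2020-01-17T08:00:00", "user": "bob", "dc": "DC01"},
    {"_time": "2020-01-17T08:10:00", "user": "carol", "dc": "DC01"},   # new account: everything is new
]


def pair_stats(events, now=NOW, lookback_days=30):
    """{(user, dc): (earliest, latest, count)} over the events inside the search window.
    User and DC names are case-folded so 'Alice'/'dc01' and 'alice'/'DC01' are one pair."""
    window_start = now - timedelta(days=lookback_days)
    stats = {}
    for ev in events:
        t = datetime.fromisoformat(ev["_time"])
        if t < window_start or t > now:
            continue
        key = (ev["user"].lower(), ev["dc"].upper())
        earliest, latest, count = stats.get(key, (t, t, 0))
        stats[key] = (min(earliest, t), max(latest, t), count + 1)
    return stats


def first_seen_pairs(events, now=NOW, lookback_days=30, recent_days=1):
    """Pairs whose earliest sighting lies inside the last `recent_days`: a user
    authenticating against a DC they have not used in the previous `lookback_days`."""
    cutoff = now - timedelta(days=recent_days)
    return {k: v for k, v in pair_stats(events, now, lookback_days).items() if v[0] >= cutoff}


if __name__ == "__main__":
    for (user, dc), (earliest, latest, count) in sorted(first_seen_pairs(AUTH_LOG).items()):
        print(f"{user} -> {dc}: first seen {earliest:%Y-%m-%d %H:%M}, {count} logon(s)")
```

Two practitioner notes. The lookback must be long enough to hold a real baseline, otherwise rare-but-normal combinations (a monthly logon to a branch DC) keep resurfacing as new, which the bob/DC01 rows illustrate. And a brand-new account is new against every DC, so join against account-creation events or asset and identity data before alerting on it, or the search will page you for every hire.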
Example Scenario
Apply Splunk to a Real-Life Scenario
• Actor: Malicious Insider (because it's hardest)
• Motivation: Going to work for a competitor
• Target: Accounts, Opportunities, Contacts in Salesforce
• Additional Target: Sales Proposals in Box
• Exfiltration: Upload to a remote server
Malicious Insider: Jane Smith, Director of Finance
(* Photo of a Splunker, not an actual malicious insider)
Monitoring Challenges
• No proxy
• No standard file servers
• No agents on laptop
• Cloud Services with their own APIs
• How would you detect that?
Set Up
Collect Relevant Logs
• Ingest Salesforce Event Log Files: https://splunkbase.splunk.com/app/1931/
• Ingest Box data: https://splunkbase.splunk.com/app/2679/
Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
Configure Analytics
• e.g., schedule the Salesforce.com searches
• e.g., build a custom Box use case
About 1 hour of work
Example Salesforce.com Searches
• New clients accessing the SFDC API
• High-risk activity
• First-time peer-group query of sensitive data
• New sensitive tables being queried
• Other searches indicating potential exfiltration
Targeting Our Search
• Our malicious insider, Jane Smith, also downloaded some proposals from Box
• Finding Box download spikes is easy, but we want to focus on the Proposals folder
• We will use the Detect Spikes assistant to help us
"My Environment is So Custom"
• Do you want to build your own detections like this?
• What if your environment is totally custom?
• No product has ever worked out of the box, and that's why you like Splunk, right?
• We've got you covered.
Click Advanced, then "Detect Spikes"
Base search fed to the assistant (daily download count per user from the Proposals folder):
| inputlookup anonymized_box_logs.csv | search folder="PROPOSALS"
| bucket _time span=1d | stats count by user _time
• Looking for "count" by "user" with a threshold of 6 standard deviations
Got Her!
Operationalize!
• Save / schedule the alert – send to Splunk Enterprise Security or UBA
– Or send via email to analyst
Wrap Up
What Did We Cover?
1) Splunk Security Essentials teaches you new detection use cases
2) Easy to operationalize, standalone or with Splunk Enterprise Security and UBA
3) Makes it easy to customize use cases
4) As you advance, look to ES or UBA to improve threat detection, and to ES and Phantom to accelerate containment, investigation, and response
What Is Enterprise Security?
[Architecture diagram: data inputs (mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop) feed the Splunk Platform for Operational Intelligence; Enterprise Security adds Notable Events, Asset & Identity, Risk Analysis, Threat Intelligence, a Use Case Library, and Adaptive Response on top]
Go Get Started With Splunk Security Essentials!
• Download from apps.splunk.com
• Find use cases that match your needs
• Data Source Check shows other use cases for your existing data
• Evaluate free tools to meet gaps, such as Microsoft Sysmon (links inside the app)
The Splunk Platform
Agenda
Splunk Discovery Köln
17 January 2020
09:00–10:30 Keynote and Demo: The Data-to-Everything Platform
10:30–11:00 Break
Tech Track (Jupiter I+II) | Business Track (Saturn I+II)
11:00–11:45 Turning Data into Value with the Splunk Platform | ROI in Data Projects (in English)
11:45–12:30 Adventures in Monitoring and Troubleshooting | Customer Use Cases
12:30–13:30 Lunch
13:30–14:15 Security Analytics Methods | The Future of Security Operations
14:15–15:00 Splunk Incident Response, Orchestration and Automation | The Future of ITOA: from Monitoring to Observability
15:00–15:30 Break
15:30–16:15 Customer Use Case: TÜV Trust IT
16:15–17:00 Networking Drinks
Thank You
© 2019 SPLUNK INC.

More Related Content

PPTX
The Risks and Rewards of AI
PPTX
Splunk4Leaders
PPTX
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
PPTX
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
PPTX
Introduction into Security Analytics Methods
PPTX
Turning Data Into Business Outcomes with the Splunk Platform
PPTX
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
PPTX
Best Practices for Forwarder Hierarchies
The Risks and Rewards of AI
Splunk4Leaders
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Introduction into Security Analytics Methods
Turning Data Into Business Outcomes with the Splunk Platform
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Best Practices for Forwarder Hierarchies

What's hot (20)

PPTX
Splunk Discovery Köln - 17-01-2020 - Willkommen!
PPTX
Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework
PPTX
Do You Really Need to Evolve From Monitoring to Observability?
PPTX
Accelerate incident Response Using Orchestration and Automation
PPTX
Splunk Cloud and Splunk Enterprise 7.2
PPTX
Worst Splunk practices...and how to fix them
PPTX
How to justify the economic value of your data investment
PPTX
Splunk Platform 2020 & Beyond
PPTX
Einführung in Security Analytics Methoden
PPTX
Make Your SOC Work Smarter, Not Harder
PPTX
"Splunk Worst Practices"... und wie man diese behebt
PPTX
Best Practices for Splunk Deployments
PPTX
Machine Learning in Action
PPTX
Adventures in Monitoring and Troubleshooting
PPTX
Exploring Frameworks of Splunk Enterprise Security
PPTX
What's New with the Latest Splunk Platform Release
PPTX
Splunk Incident Response, Orchestrierung und Automation
PPTX
Vorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSI
PPTX
Drive More Value from your SOC Through Connecting Security to the Business
PPTX
Alle Neuigkeiten im letzten Plattform Release
Splunk Discovery Köln - 17-01-2020 - Willkommen!
Leveraging Splunk Enterprise Security with the MITRE’s ATT&CK Framework
Do You Really Need to Evolve From Monitoring to Observability?
Accelerate incident Response Using Orchestration and Automation
Splunk Cloud and Splunk Enterprise 7.2
Worst Splunk practices...and how to fix them
How to justify the economic value of your data investment
Splunk Platform 2020 & Beyond
Einführung in Security Analytics Methoden
Make Your SOC Work Smarter, Not Harder
"Splunk Worst Practices"... und wie man diese behebt
Best Practices for Splunk Deployments
Machine Learning in Action
Adventures in Monitoring and Troubleshooting
Exploring Frameworks of Splunk Enterprise Security
What's New with the Latest Splunk Platform Release
Splunk Incident Response, Orchestrierung und Automation
Vorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSI
Drive More Value from your SOC Through Connecting Security to the Business
Alle Neuigkeiten im letzten Plattform Release
Ad

Similar to Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods (20)

PPTX
Introduction into Security Analytics Methods
PPTX
SplunkLive! Zurich 2018: Intro to Security Analytics Methods
PDF
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
PPTX
SplunkLive! Paris 2018: Intro to Security Analytics Methods
PPTX
SplunkLive! Munich 2018: Intro to Security Analytics Methods
PPTX
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
PPTX
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
PPTX
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re...
PPTX
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
PPTX
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
PDF
Splunk for security
PPTX
Security crawl walk run presentation mckay v1 2017
PPTX
Level Up Your Security Skills in Splunk Enterprise
PDF
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
PDF
Analytics Driven SIEM Workshop
PPTX
20190123 LSEC CTI - Machine Learning in Infosec
PDF
Splunk-Presentation
PPTX
Splunk Enterprise Security
PPTX
Exploring Frameworks of Splunk Enterprise Security
PPTX
Latest Updates to Splunk from .conf 2017 Announcements
Introduction into Security Analytics Methods
SplunkLive! Zurich 2018: Intro to Security Analytics Methods
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
SplunkLive! Paris 2018: Intro to Security Analytics Methods
SplunkLive! Munich 2018: Intro to Security Analytics Methods
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk for security
Security crawl walk run presentation mckay v1 2017
Level Up Your Security Skills in Splunk Enterprise
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Analytics Driven SIEM Workshop
20190123 LSEC CTI - Machine Learning in Infosec
Splunk-Presentation
Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
Latest Updates to Splunk from .conf 2017 Announcements
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
PDF
Splunk Security Update | Public Sector Summit Germany 2025
PDF
Building Resilience with Energy Management for the Public Sector
PDF
IT-Lagebild: Observability for Resilience (SVA)
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
PDF
.conf Go 2023 - Data analysis as a routine
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
PDF
.conf Go 2023 - Raiffeisen Bank International
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk Leadership Forum Wien - 20.05.2025
Splunk Security Update | Public Sector Summit Germany 2025
Building Resilience with Energy Management for the Public Sector
IT-Lagebild: Observability for Resilience (SVA)
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Security - Mit Sicherheit zum Erfolg (Telekom)
One Cisco - Splunk Public Sector Summit Germany April 2025
.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - De NOC a CSIRT (Cellnex)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)

Recently uploaded (20)

PPTX
sap open course for s4hana steps from ECC to s4
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
KodekX | Application Modernization Development
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Cloud computing and distributed systems.
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
Spectroscopy.pptx food analysis technology
PDF
Encapsulation theory and applications.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
sap open course for s4hana steps from ECC to s4
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
Review of recent advances in non-invasive hemoglobin estimation
MYSQL Presentation for SQL database connectivity
Dropbox Q2 2025 Financial Results & Investor Presentation
Spectral efficient network and resource selection model in 5G networks
KodekX | Application Modernization Development
Encapsulation_ Review paper, used for researhc scholars
Mobile App Security Testing_ A Comprehensive Guide.pdf
MIND Revenue Release Quarter 2 2025 Press Release
20250228 LYD VKU AI Blended-Learning.pptx
Chapter 3 Spatial Domain Image Processing.pdf
Building Integrated photovoltaic BIPV_UPV.pdf
Cloud computing and distributed systems.
Reach Out and Touch Someone: Haptics and Empathic Computing
Spectroscopy.pptx food analysis technology
Encapsulation theory and applications.pdf
Unlocking AI with Model Context Protocol (MCP)
The Rise and Fall of 3GPP – Time for a Sabbatical?
Digital-Transformation-Roadmap-for-Companies.pptx

Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods

  • 1. © 2019 SPLUNK INC. Intro to Security Analytics Methods Start: 13:30 Udo Götzen Staff Sales Engineer | CISSP Security SME
  • 2. During the course of this presentation, we may make forward‐looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward‐looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward- Looking Statements © 2019 SPLUNK INC.
  • 3. © 2019 SPLUNK INC. Who Are You? • Maybe a user of Splunk Security Essentials? • All Levels of Splunk Experience • You probably like security Technical Business New to Splunk Years of Splunk YOU
  • 4. © 2019 SPLUNK INC. Key Takeaways from This Session 1) Improved ability to detect potentially suspicious activity 2) Free, powerful out-of-the-box security analytics methods
  • 5. © 2019 SPLUNK INC. Agenda 1) Security Analytics 101 2) Splunk Security Essentials (SSE) Overview 3) SSE Demo/Walk Through 4) End-to-End Scenario 5) Wrap Up
  • 6. © 2019 SPLUNK INC. Splunk Security Pillars and Portfolio • Universal indexing • Petabyte scale • Multi-schema • Search, alert, report, visualize • Broad support Machine Learning Toolkit (MLTK) Data Analytics Operations ES CONTENT UPDATE ADAPTIVE RESPONSE ADAPTIVE OPERATIONS FRAMEWORK
  • 7. © 2019 SPLUNK INC. Common Security Challenges Malicious Insiders Commodity Malware Advanced External Attackers
  • 8. © 2019 SPLUNK INC. Analytics Methods General Security Analytics Searches Time Series Analysis with Standard Deviation First Time Seen Powered by Stats Types of Use Cases
  • 9. © 2019 SPLUNK INC. Analytics Methods General Security Analytics Searches Time Series Analysis with Standard Deviation First Time Seen Powered by Stats Types of Use Cases
  • 10. © 2019 SPLUNK INC. Analytics Methods General Security Analytics Searches Time Series Analysis with Standard Deviation First Time Seen Powered by Stats Types of Use Cases
  • 11. © 2019 SPLUNK INC. Implementation Approach for Security Analytics Alert Aggregation Threat Detection • Manage high volume • Track entity relationships • Combination ML + Rules Alert Creation Simpler Detection • Rules and statistics • Quick development • Easy for analysts ML Based Detection • Detect unknown • New vectors • Heavy data science Investigation Investigative Platform • Analyst flexibility • Provide access to data analysis solutions • Record historical context for everything
  • 12. © 2019 SPLUNK INC. Implementation Approach for Security Analytics Alert Aggregation Threat Detection • Manage high volume • Track entity relationships • Combination ML + Rules Alert Creation Simpler Detection • Rules and statistics • Quick development • Easy for analysts ML Based Detection • Detect unknown • New vectors • Heavy data science Investigation Investigative Platform • Analyst flexibility • Provide access to data analysis solutions • Record historical context for everything
  • 13. © 2019 SPLUNK INC. Implementation Approach for Security Analytics Alert Aggregation Threat Detection • Manage high volume • Track entity relationships • Combination ML + Rules Alert Creation Simpler Detection • Rules and statistics • Quick development • Easy for analysts ML Based Detection • Detect unknown • New vectors • Heavy data science Investigation Investigative Platform • Analyst flexibility • Provide access to data analysis solutions • Record historical context for everything
  • 14. © 2019 SPLUNK INC. Splunk Security Essentials Overview
  • 15. © 2019 SPLUNK INC. Splunk Security Essentials Identify Bad Guys: • 450+ security analytics methods • Free on Splunkbase – use on Splunk Enterprise • Target external and insider threats • Advanced threat detection, compliance, and more • Scales from small to massive companies • Data source onboarding guidance • MITRE ATT&CK and Kill Chain mappings • Save from app, send hits to ES / UBA Solve use cases you can today for free, then use Splunk UBA for advanced ML detection. https://splunkbase.splunk.com/app/3435/
  • 17. © 2019 SPLUNK INC. Splunk Security Essentials App — Runs on Splunk Enterprise QUICK EASY FREE
  • 18. © 2019 SPLUNK INC. Security Journey — Data-Driven Approach Stage 6 Stage 5 Stage 4 Stage 3 Stage 2 Stage 1 Advanced Detection Apply sophisticated detection mechanisms including machine learning Automation & Orchestration Establish a consistent and repeatable security operation capability Enrichment Augment security data with intelligence sources to better understand the context and impact of an event Expansion Collect additional high fidelity data sources like endpoint activity and network metadata to drive advanced attack detection Normalization Apply a standard security taxonomy and add asset and identity data Collection Collect basic security logs and other machine data from your environment
  • 19. © 2019 SPLUNK INC. Data Onboarding Guides • AWS CloudTrail + VPC Flow • Cisco ASA • Linux Security Logs • Microsoft Sysmon • Microsoft Office 365 • Palo Alto Networks • Stream DNS • Symantec AV • Windows Security
  • 20. © 2019 SPLUNK INC. SSE Demo
  • 21. © 2019 SPLUNK INC. Getting Started with Splunk Security Essentials • Download from apps.splunk.com • Install on your Search Head, standalone Splunk server, or even a laptop • Browse use cases that match your needs • Data Source Check shows other use cases for your existing data • Evaluate free tools to meet gaps, such as Microsoft Sysmon – (links inside the app)
  • 22. © 2019 SPLUNK INC. Open the Splunk Security Essentials App First Open Splunk Security Essentials Then Open Use Cases
  • 23. © 2019 SPLUNK INC. Pre-requisite Checks • For those just starting out, it can be hard to know what data you need • Every use case comes with pre-req checks to show if you have the data • If you don’t, follow the links
  • 24. © 2019 SPLUNK INC. Or Check EVERYTHING • Data Source Check tells you what’s possible • Runs all pre-req checks Click “Start Searches”
  • 25. © 2019 SPLUNK INC. Create Posture Dashboards Run the data source check first Allow it to complete the check Then click “Create Posture Dashboards” button
  • 26. © 2019 SPLUNK INC. Posture Dashboards (cont’d) If You Don’t Have Live Data Yet, Click “Demo Datasets” Number of Available Visualizations will Update Accordingly
  • 27. © 2019 SPLUNK INC. Posture Dashboards (cont’d) Select Desired Visualization Category (or Categories) Select Non-Default Searches if Desired Generate Selected Dashboards!
  • 28. © 2019 SPLUNK INC. Posture Dashboards (cont’d) • Essential Account Security – Data sources include General Authentication, Windows 10, and Active Directory • Essential Host Security – Data sources include Windows Endpoint, Anti-virus • Essential Network Security – Data sources include Firewall, Next- Gen Firewall, and Web Proxy
  • 29. © 2019 SPLUNK INC. Take a Minute to Review Use Cases • Read through a few of the use cases • Filter for use cases you care about
  • 30. © 2019 SPLUNK INC. Let’s Start With a Simple Example Click on “Concentration of Hacker Tools by Filename”
  • 31. © 2019 SPLUNK INC. Concentration of Hacker Tools by Filename • A search you might not think of, but is easy to use • Input: CSV file with suspicious filenames • Input: Process launch logs (Windows, Sysmon, Carbon Black, etc.) • Looks for those file names concentrated in a short period of time
  • 32. © 2019 SPLUNK INC. Applying to Live Data Click Live Data See a Live Search
• 33. © 2019 SPLUNK INC. An Advanced Splunk Search • Phishing is a big risk • Many approaches to mitigating it with Splunk • Click on ‘Emails with Lookalike Domains’ (from Journey, select Stage 4; from Data Sources, filter to Email Logs)
• 34. © 2019 SPLUNK INC. A Phishing Search Larger Than Your Pond • A very long search you don’t have to write yourself • Detects typos of your domain, like company.com → campany.com • Handles subdomains too, so a typo in the registered domain is still caught under a mail or smtp host • Detects your name used as a subdomain of someone else’s domain, like company.com → company.yourithelpdesk.com
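The two checks the slide describes, typo-squats of the registered domain and the company name reused as a subdomain of a foreign domain, written out in Python so the logic is visible without the long SPL. This is an added example, not the Splunk Security Essentials search; the legitimate-domain set and the sender addresses are constructed, and the registered-domain helper is a simplification (it takes the last two labels instead of consulting the Public Suffix List).

```python
"""Lookalike sender-domain check: typo-squats of our domain and our name reused as
a subdomain of someone else's domain. Added example, not the SSE app's SPL; the
domain list and sender addresses below are constructed."""
from typing import Optional

OUR_DOMAINS = {"company.com"}  # assumed legitimate domains (constructed)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels, e.g. mail.campany.com -> campany.com.
    Simplification: real code should consult the Public Suffix List (co.uk etc.)."""
    return ".".join(host.split(".")[-2:])


def classify_sender_domain(domain: str, max_edits: int = 2) -> Optional[str]:
    """Return a reason string if the sender domain looks like one of ours, else None."""
    host = domain.lower().strip(".")
    reg = registered_domain(host)
    if reg in OUR_DOMAINS:
        return None  # ours, including our own subdomains
    left_labels = host.split(".")[:-2]  # labels to the left of the registered domain
    for ours in OUR_DOMAINS:
        # typo-squat: campany.com, company.co. Comparing the registered domain
        # means smtp.campany.com is caught as well (subdomain support).
        if 0 < levenshtein(reg, ours) <= max_edits:
            return f"typo of {ours}"
        # suspicious subdomain: company.yourithelpdesk.com, company-login.evil.net
        name = ours.split(".")[0]
        if any(name in label for label in left_labels):
            return f"{ours} used as a subdomain of {reg}"
    return None


def scan_senders(addresses):
    """Map each flagged sender address to its reason; clean addresses are omitted."""
    flagged = {}
    for addr in addresses:
        reason = classify_sender_domain(addr.rsplit("@", 1)[-1])
        if reason:
            flagged[addr] = reason
    return flagged


SAMPLE_SENDERS = [  # constructed sample, not real mail logs
    "ceo@company.com",
    "it@mail.company.com",
    "ceo@campany.com",
    "helpdesk@company.yourithelpdesk.com",
    "billing@smtp.cornpany.com",
    "news@example.org",
]

if __name__ == "__main__":
    for addr, why in scan_senders(SAMPLE_SENDERS).items():
        print(f"{addr}: {why}")
```

The edit threshold of 2 is a tuning knob: it catches campany.com and cornpany.com but will also match short legitimate domains that happen to be close to yours, so in production the result is an enrichment to review, not an automatic block.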
• 35. © 2019 SPLUNK INC. What About Baselines? • Splunk can also build baselines easily • Let’s look at a Time Series Spike: this detects anomalies via standard deviation • From Data Sources, filter to Print Server Logs, then open “Increase in Pages Printed”
• 36. © 2019 SPLUNK INC. What is Standard Deviation? • A measure of how widely a series of numbers spreads around its average (the square root of the variance). Two users with the same average but very different spread:

  User   Day One   Day Two   Day Three   Day Four   Avg      Stdev
  Jane   100       123       79          145        111.75   28.53
  Jack   100       342       3           2          111.75   160.23

  On Day Five both print 500 pages. Dividing the distance from the average by the standard deviation tells you how unusual that is for each user:

  User   Day Five   # StDev from Average (aka How Unusual?)
  Jane   500        13.6
  Jack   500        2.42

  The same value is a clear outlier for Jane but barely notable for Jack, which is why a per-user baseline beats a fixed threshold.
  • 37. © 2019 SPLUNK INC. Increase in Pages Printed • Our search looks for printer logs • Sums per day, per user • Note the tooltips everywhere! Click “Detect Spikes” to find outliers
  • 38. © 2019 SPLUNK INC. Want to Learn That SPL for Yourself? • Just click Show SPL to see how the search works • Learn this once… it applies to all time series spikes! • (Or just use the app)
  • 39. © 2019 SPLUNK INC. Want to Schedule That Search? • Want to use that search? • Just click Schedule Alert • Searches will auto send to ES Risk or UBA if you have either • Or just email to yourself
• 40. © 2019 SPLUNK INC. What Else Do You Have For Me? • We can use baselines to find new combinations too • This can help with any noisy search you have today • Then open “Authentication Against a New Domain Controller”
• 41. © 2019 SPLUNK INC. Authentication Against a New DC • This search uses stats earliest() and latest() per user, DC pair • If the earliest() for a pair is recent, that user has never authenticated against that DC before, which is anomalous • This works for any combination of fields, not just user and DC • Click “Detect New Values” for outliers
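The earliest()/latest() first-seen logic from this slide, emulated in Python over constructed authentication events. This is an added example rather than the app's SPL. The 30-day history guard is an assumption added here: without it a brand-new account would alert on its first login to every DC, which is exactly the noise the slide says baselines help with.

```python
"""First-seen detection of a new (user, domain controller) combination, mirroring
`stats earliest(_time) latest(_time) count by user dc`. Added example with
constructed events; the history guard is an assumption, not from the slides."""
from datetime import datetime, timedelta

# Constructed authentication events: (ISO timestamp, user, domain controller)
AUTH_EVENTS = [
    ("2019-10-01T08:00:00", "jsmith", "DC01"),
    ("2019-10-15T08:05:00", "jsmith", "DC01"),
    ("2019-11-20T09:00:00", "jsmith", "DC01"),
    ("2019-10-02T07:30:00", "bjones", "DC02"),
    ("2019-11-19T07:45:00", "bjones", "DC02"),
    ("2019-11-20T02:13:00", "jsmith", "DC09"),   # jsmith has never touched DC09 before
    ("2019-11-20T10:00:00", "newhire", "DC01"),  # brand-new account: no history to compare
]


def first_seen_stats(events):
    """{(user, dc): (earliest, latest, count)}, like the SPL stats command."""
    stats = {}
    for ts, user, dc in events:
        t = datetime.fromisoformat(ts)
        earliest, latest, count = stats.get((user, dc), (t, t, 0))
        stats[(user, dc)] = (min(earliest, t), max(latest, t), count + 1)
    return stats


def detect_new_values(events, now_iso, recent_days=1, history_days=30):
    """Return (user, dc) pairs whose earliest() falls within the last `recent_days`.
    A pair only counts as anomalous if the user already has `history_days` of
    activity elsewhere; otherwise every new user would alert on day one."""
    now = datetime.fromisoformat(now_iso)
    stats = first_seen_stats(events)
    user_first = {}
    for (user, _), (earliest, _, _) in stats.items():
        user_first[user] = min(user_first.get(user, earliest), earliest)
    new = []
    for (user, dc), (earliest, _, _) in stats.items():
        is_recent = now - earliest <= timedelta(days=recent_days)
        has_history = now - user_first[user] >= timedelta(days=history_days)
        if is_recent and has_history:
            new.append((user, dc))
    return sorted(new)


def run_example():
    """Evaluate the constructed events as of midday on 2019-11-20."""
    return detect_new_values(AUTH_EVENTS, "2019-11-20T12:00:00")


if __name__ == "__main__":
    for user, dc in run_example():
        print(f"new combination: {user} -> {dc}")
```

Swap the (user, dc) key for any other pair of fields, such as (user, source country) or (host, parent process), and the same code finds first-time combinations there; that is the "works for any combination" point the slide makes.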
  • 42. © 2019 SPLUNK INC. Example Scenario
  • 43. © 2019 SPLUNK INC. Apply Splunk to Real Life Scenario • Actor: – Malicious Insider (because it’s hardest) • Motivation: – Going to work for competitor • Target: – Accounts, Opportunities, Contacts in Salesforce • Additional Target: – Sales Proposals in Box • Exfiltration: – Upload to a remote server Malicious Insider • Jane Smith, Director of Finance – * Photo of Splunker, not an actual malicious insider
  • 44. © 2019 SPLUNK INC. Monitoring Challenges • No proxy • No standard file servers • No agents on laptop • Cloud Services with their own APIs • How would you detect that?
  • 45. © 2019 SPLUNK INC. Set Up Collect Relevant Logs • Ingest Salesforce Event Log File – https://splunkbase.splunk.com/app/1931/ • Ingest Box Data – https://splunkbase.splunk.com/app/2679/ Install Splunk Security Essentials • https://splunkbase.splunk.com/app/3435/ Configure Analytics • e.g., schedule Salesforce.com searches • e.g., build a custom Box use case About 1 Hour of Work
  • 46. © 2019 SPLUNK INC. Example Salesforce.com Searches • New clients accessing SFDC API • High-risk activity • 1st-time peer group query of sensitive data • New sensitive tables being queried • Other searches indicating potential exfil
• 47. © 2019 SPLUNK INC. Targeting Our Search • Our malicious insider, Jane Smith, also downloaded some proposals from Box • Finding spikes in Box downloads is easy, but we want to focus on the Proposals folder • We will use the Detect Spikes assistant to help us
  • 48. © 2019 SPLUNK INC. “My Environment is So Custom” • Do you want to build your own detections like this? • What if your environment is totally custom? • No product has ever worked out of the box, and that’s why you like Splunk, right? • We’ve got you covered. Click Advanced, then “Detect Spikes”
• 49. © 2019 SPLUNK INC. • | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS" | bucket _time span=1d | stats count by user _time • Looking for “count” by “user” with “6” standard deviations (the assistant adds the baseline and outlier logic on top of this search)
• 50. © 2019 SPLUNK INC. Running that same search through Detect Spikes, Jane Smith’s one-day burst of downloads from the PROPOSALS folder stands far above her own baseline: Got Her!
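The standard-deviation spike logic from the "What is Standard Deviation?" and "Increase in Pages Printed" slides, combined with the Box search above (folder filter, daily buckets, count by user, flag at 6 standard deviations), as one runnable Python example. This is added code, not the SSE assistant's SPL; the Box rows are constructed (two users over a week, with a bulk download on the last day), and the zero-filling of quiet days and the flat-baseline handling are design choices made here.

```python
"""Spike detection by standard deviation, the logic behind SSE's Detect Spikes
assistant. Added example; the log rows are constructed, not real Box data."""
from collections import defaultdict
from statistics import mean, stdev


def constructed_box_logs():
    """Constructed sample events as (timestamp, user, folder)."""
    rows = []
    jane_per_day = [1, 2, 1, 1, 2, 1, 40]  # day 7: the bulk download
    for day, n in enumerate(jane_per_day, 1):
        stamp = f"2019-11-{day:02d}"
        rows += [(f"{stamp}T10:{i:02d}:00", "jane.smith", "PROPOSALS") for i in range(n)]
        rows.append((f"{stamp}T11:00:00", "bob.jones", "PROPOSALS"))
        rows.append((f"{stamp}T12:00:00", "jane.smith", "MARKETING"))  # other folder, filtered out
    return rows


BOX_LOGS = constructed_box_logs()


def daily_counts(events, folder):
    """search folder=<folder> | bucket _time span=1d | stats count by user _time
    Returns {user: {day: count}}, zero-filled so quiet days count as 0 in the baseline."""
    matching = [(ts[:10], user) for ts, user, f in events if f == folder]
    days = sorted({day for day, _ in matching})
    counts = defaultdict(lambda: {d: 0 for d in days})
    for day, user in matching:
        counts[user][day] += 1
    return dict(counts)


def num_stdevs(history, value):
    """How many (sample) standard deviations `value` lies above the mean of `history`.
    With history [100, 123, 79, 145] and value 500 this gives the slide's 13.6."""
    if len(history) < 2:
        return 0.0  # not enough baseline to judge
    sd = stdev(history)
    if sd == 0:
        # flat baseline: any change is infinitely unusual; an unchanged value is not
        return float("inf") if value != history[0] else 0.0
    return (value - mean(history)) / sd


def detect_spikes(series_by_user, threshold=6.0):
    """Flag (user, day, count, z) where the day's count is at least `threshold`
    standard deviations above that user's own earlier days."""
    spikes = []
    for user, by_day in series_by_user.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            baseline = [by_day[d] for d in days[:i]]
            z = num_stdevs(baseline, by_day[day])
            if z >= threshold:
                spikes.append((user, day, by_day[day], round(z, 2)))
    return spikes


def run_example():
    """The slide's search: PROPOSALS folder, per user per day, 6 standard deviations."""
    return detect_spikes(daily_counts(BOX_LOGS, "PROPOSALS"), threshold=6.0)


if __name__ == "__main__":
    for user, day, count, z in run_example():
        print(f"{user} downloaded {count} files from PROPOSALS on {day} ({z} stdevs above baseline)")
```

Two practical caveats the numbers make obvious: a user with almost no variance (Bob's steady one file a day) produces a zero standard deviation, so any change looks infinite and needs a minimum-count floor before it alerts; and a user with wild variance (Jack in the slide) can hide a real spike, so a threshold of 6 is a starting point to tune per data source, not a universal constant.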
  • 51. © 2019 SPLUNK INC. Operationalize! • Save / schedule the alert – send to Splunk Enterprise Security or UBA – Or send via email to analyst
  • 52. © 2019 SPLUNK INC. Wrap Up
  • 53. © 2019 SPLUNK INC. What Did We Cover? 1) Splunk Security Essentials teaches you new detection use cases 2) Easy to operationalize – standalone or with Splunk Enterprise Security and UBA 3) Makes it easy to customize use cases 4) As you advance, look to ES or UBA to improve threat detection, and ES and Phantom to accelerate containment, investigation, and response
• 54. © 2019 SPLUNK INC. What Is Enterprise Security? Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop. Platform for Operational Intelligence. ES capabilities: Notable Events, Asset & Identity, Risk Analysis, Threat Intelligence, Use Case Library, Adaptive Response
  • 55. © 2019 SPLUNK INC. Go Get Started With Splunk Security Essentials! • Download from apps.splunk.com • Find use cases that match your needs • Data Source Check shows other use cases for your existing data • Evaluate free tools to meet gaps, such as Microsoft Sysmon – (links inside the app)
  • 56. © 2019 SPLUNK INC. The Splunk Platform
• 57. © 2019 SPLUNK INC. Agenda, Splunk Discovery Köln, 17 January 2020. 09:00–10:30 Keynote and demo: the Data-to-Everything platform. 10:30–11:00 Break. Tech Track (Jupiter I+II) / Business Track (Saturn I+II): 11:00–11:45 Turning data into value with the Splunk platform / ROI in data projects (in English). 11:45–12:30 Adventures in monitoring and troubleshooting / Customer use cases. 12:30–13:30 Lunch. 13:30–14:15 Security analytics methods / The future of security operations. 14:15–15:00 Splunk incident response, orchestration and automation / The future of ITOA: from monitoring to observability. 15:00–15:30 Break. 15:30–16:15 Customer use case: TÜV Trust IT. 16:15–17:00 Networking drinks.
  • 58. Thank You © 2019 SPLUNK INC.