Splunk for Security
1 like326 views
This document discusses how Splunk User Behavior Analytics (UBA) uses machine learning and behavioral analytics to detect threats. It provides an overview of how UBA analyzes logs from various systems to detect anomalies and threats across the kill chain. The document explains that UBA reduces events for SOC analysts to investigate by 99.99% and provides key workflows for threat detection and security analytics/hunting of threats. It provides an example of how UBA could detect a potential insider threat involving a user elevating privileges and potentially exfiltrating sensitive documents.
Splunk for Security
- 1. Copyright © 2014 Splunk Inc. Splunk for Security Continuous Monitoring and Analytics-‐Driven Security for Modern Threats Simon O’Brien, Security SME, ANZ
- 2. SPLUNK FOR SECURITY Connecting People and Data, with Context and Extended Intelligence
- 3. The Ever-‐Changing Threat Landscape 3 67% Victims notified by external entity 100% Valid credentials were used 229 Median # of days before detection Source: Mandiant M-‐Trends Report 2012/2013/2014
- 5. New approach to security operation is needed • Human directed • Goal-‐oriented • Dynamic (adjust to changes) • Coordinated • Multiple tools & activities • New evasion techniques • Fusion of people, process, & technology • Contextual and behavioral • Rapid learning and response • Share info & collaborate • Analyze all data for relevance • Leverage IOC & Threat Intel THREAT Attack Approach Security Approach 5 TECHNOLOGY PEOPLE PROCESS
- 6. New approach to security operation is needed THREAT Attack Approach Analytics-‐driven Security Security Approach 6 TECHNOLOGY PEOPLE PROCESS • Human directed • Goal-‐oriented • Dynamic (adjust to changes) • Coordinated • Multiple tools & activities • New evasion techniques
- 7. • Continuously Protect the business against: ê Data Breaches ê Malware ê Fraud ê IP Theft • Comply with audit requirements • Provide enterprise Visibility 7 Security & Compliance Top Splunk Benefits • 70% to 90% improvement with detection and research of events • 70% to 95% reduction in security incident investigation time • 10% to 30% reduction in risks associated with data breaches, fraud and IP theft • 70% to 90% reduction in compliance labor Top Goals
- 8. 8 All Data is Security Relevant = Big Data Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti-‐ Malware Vulnerability Scans Traditional Authentication
- 9. 9 Solution: Splunk, The Engine For Machine Data Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID Developer Platform Report and analyze Custom dashboards Monitor and alert Ad hoc search Real-‐Time Machine Data References – Coded fields, mappings, aliases Dynamic information – Stored in non-‐traditional formats Environmental context – Human maintained files, documents System/application – Available only using application request Intelligence/analytics – Indicators, anomaly, research, white/blacklist
- 10. 10 The Splunk Platform for Security Intelligence SPLUNK ENTERPRISE (CORE) Copyright © 2014 Splunk Inc. 200+ APPS SPLUNK FOR SECURITY SPLUNK-‐BUILT APPS … Stream data Cisco Security Suite Windows/ AD/ Exchange Palo Alto Networks FireEye Bit9 DShield DNS OSSEC
- 11. Connecting the “data-‐dots” via multiple/dynamic relationships Persist, Repeat Threat intelligence Auth -‐ User Roles Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution Where they went, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, exploit installation Gain trusted access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat 11
- 12. Security Intelligence Use Cases SECURITY & COMPLIANCE REPORTING REAL-‐TIME MONITORING OF KNOWN THREATS DETECTING UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Complement, replace and go beyond traditional SIEMs 12
- 13. Splunk Enterprise Security Risk-‐Based Analytics Visualize and Discover Relationships Enrich Security Analysis with Threat Intelligence 13 The artist formerly known as the ‘app for’
- 14. Splunk Enterprise Security – 5 Releases in 21 Months 14 Q3 2014 Q4 2014 Q2 2015 ES 3.1 •Risk Framework •Guided Search •Unified Search Editor •Threatlist Scoring •Threatlist Audit ES 4.0 • Breach Analysis • Integration with Splunk UBA • Splunk Security Framework ES 3.0 ES 3.2 •Protocol Intelligence (Stream capture) •Semantic Search (Dynamic Thresholding) ES 3.3 •Threat Intel framework •User Activity Monitoring •Content Sharing •Data Ingestion Q4 2015
- 15. DEMO!
- 16. PLAY DEMO 16
- 18. 18
- 19. Copyright © 2014 Splunk Inc. Splunk User Behavior Analytics for threat detection
- 20. BIG DATA DRIVEN SECURITY ANALYTICS MACHINE LEARNING A NEW PARADIGM DATA-‐SCIENCE DRIVEN BEHAVIORAL ANALYTICS
- 21. What does Splunk UBA do? 21 SIEM Firewall, AD, DLP AWS, VM Cloud, Mobile End point, Host, App, DB logs Netflow, PCAP Threat Feeds Next-Gen Data Science-driven Threat Detection Application for SOC Analysts Kill Chain Detection Ranked Threat Review Actions & Resolution 99.99% event reduction Security Analytics
- 22. SPLUNK UBA MACHINE LEARNING BEHAVIOR ANALYTICS ANOMALY DETECTION THREAT DETECTION SECURITY ANALYTICS 22
- 23. THREAT DETECTION KEY WORKFLOWS – SOC ANALYST SOC ANALYST § Quickly spot threats within your network § Leverage Threat Detection workflow to investigate insider threats and cyber attacks § Act on forensic details – deactivate accounts, unplug network devices, etc.
- 24. SECURITY ANALYTICS KILL-‐CHAIN HUNTER KEY WORKFLOWS -‐ HUNTER § Investigate suspicious users, devices, and applications § Dig deeper into identified anomalies and threat indicators § Look for policy violations
- 25. Threat Example 25 John logs in via VPN from 1.0.63.14 at 3pm John elevates his privileges for the PCI network John performs a remote desktop on a system as Administrator on the PCI network zone John (Admin) performs an ssh as root to a new machine in the BizDev department John (Adminàroot) accesses the folder with all the excel and negotiations documents on the BizDev file shares John (Adminàroot) copies all the negotiation docs to another share on the corpzone John (Adminàroot) uses a set of Twitter handles to chop and copy the data outside the enterprise Time Unusual Geo for John (China) Unusual Activity Time Unusual Zone (CorpàPCI) traversal for John (lateral movement) Unusual Machine Access (lateral movement; individual + peer group) Unusual File Access (individual + peer group) Excessive Data Transmission (individual + peer group) Unusual Zone combo (PCIàcorp) for John Multiple Outgoing Connections Unusual VPN session duration (11h) John 3:00 PM 3:05 PM 3:15 PM 3:40 PM 6 PM 11:35 PM Unusual Activity Sequence (AD/DC Privilege Escalation) 3:10 PM User Activities Risk/Threat Detection Areas
- 28. DEMO!