Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
© 2019 SPLUNK INC.
Security-focused Splunk User Group
Agenda
• Housekeeping: Event Overview & House Rules
• Phantom Update (Splunk's SOAR Platform) from Tom Wise
• Endpoint Data Model Breakdown from Adam Thomson
• Showcase of Security Essentials Beta Features from Harry McLaren
Hosted by ECS Security
Elite Splunk Partner - UK
– Security / IT Operations / Managed Services (SOC / Splunk)
– Splunk Revolution Award & Splunk Partner of the Year
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
● Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
Phantom Update (SOAR Platform)
Tom Wise
SOARing with Phantom 4.x
Phantom 4.x Update & Demo
$WHOAMI
▶ Tom Wise
• Senior Security Consultant @ ECS Security – 3 Years
• Splunk Consultant – 2 ½ Years
• Phantom Security Solutions Engineer – 6 Months
• Phantom & Splunk Trainer – ~1 Year
The Why
Why SOAR?
The key drivers for a SOAR implementation are:
• Resource Shortages (#1)
• ~1 – 1.5 million security professionals are required to reduce the global shortage.
• Staffing issues such as retention and motivation drive the above concern.
• Escalating Volume of Alerts / Alert Fatigue
• Multiple “Static Consoles” / Vendors Used for Investigation
• Improvement to Speed of Detection
• Rising Costs Due to All of the Above
Why We Can SOAR Now
▶ Security products are being designed with extensive API capabilities
• Beware buggy APIs.
▶ More cloud-based services providing context to events:
• Reputation services, sandboxes, threat intelligence feeds, etc.
▶ Uplift in DevOps capability in the industry driving IT automation.
• Not just in security but in all areas of IT.
▶ Python and other robust programming languages.
Aren’t We Already Automating?
▶ YES!
▶ Tools out there have the necessary capability to automate:
• Blocking on firewalls, proxies, NAC solutions
• Quarantine endpoints via NAC, EDR
• Remove messages from mailboxes
• Remove files from endpoints and file servers, kill processes
▶ Not many organisations are automating & orchestrating these processes together, and there is almost always a human involved in every process.
• No true combined approach
The What
Case & Ticket Management
(Diagram: SOAR components: Threat Intelligence Management, Orchestration & Automation, Case & Ticket Management, Workflow Engine)
A fully-capable SOAR platform maintains all information and enriched data gathered from automated and orchestrated activities and can provide a detailed audit log of all actions taken during the response.
Automation & Orchestration
Automation: Setting up a single task to run on its own – automating one thing. This single task can be anything from launching a web server to stopping a service, etc. Or, automating the creation of a workflow.
Orchestration: Automatically executing a larger workflow or process comprising manual and automated steps.
“You can’t build an Orchestra with a Single Wood Instrument” - Unknown
(Diagram: SOAR components: Threat Intelligence Management, Case & Ticket Management, Orchestration & Automation, Workflow Engine)
Threat Intelligence
(Diagram: SOAR components: Case & Ticket Management, Orchestration & Automation, Threat Intelligence Management, Workflow Engine)
Threat Intelligence is organised, analysed and refined information about potential or current attacks that threaten an organisation.
A good SOAR platform can access multiple feeds to add enrichment and maintain a view of the threat landscape.
Workflow Engine
Workflow is a part of SOAR, but if it’s the only element required, then a fully-capable SOAR platform is not required.
(Diagram: SOAR components: Threat Intelligence Management, Orchestration & Automation, Workflow Engine, Case & Ticket Management)
The How-to
Where to Start?
▶ Event Enrichment:
• Using SOAR to enrich tickets with information from the same integration(s) every time, saving analysts time doing repetitive lookups.
▶ Artifact Extraction and Detonation:
• Take files from EDR systems, emails, and other methods, then pass them to a sandbox for detonation and subsequent report retrieval.
▶ Containment/Eradication:
• Approval and initiation can be done by an analyst or left to the automation.
• Interact with EDR, AD, NAC, and many more to assist in the containment and eradication of threats/events.
New to Phantom 4.2
What’s New?
▶ Custom Code Blocks… (FINALLY!)
▶ Multiple Prompts
▶ Playbook Copy and Save As…
▶ Playbook Metadata
▶ Mission Control / UI Improvements
▶ Clustering Improvements
▶ Unprivileged Install
DEMO
What’s Coming?
▶ Mission Control: Summary View
▶ Custom Statuses
▶ Custom Severity
▶ Custom CEF Fields
▶ New HUD
▶ Whitelists for Case Access
▶ Evidence Marking
▶ Automate on Case Data
Questions?
Endpoint Data Model Breakdown
Adam Thomson
What is a Data Model?
▶ A Data Model is a hierarchically structured search-time mapping of knowledge about one or more datasets – Splunk docs.
▶ In other words:
• Multiple data sources combined together to make a single data set
• Or a method of making data from different origins appear to have the same meaning
• For example, taking logs from multiple firewall vendors, which may ship with different field names, and unifying them so that all log sources can be searched using the same syntax
Current State of Data Models
▶ In the context of security, most Data Models which ship with Splunk tend to shy away from endpoint data; we have great coverage of network traffic along with IDS/malware alerts
▶ Historically, the only Data Models which referenced endpoint-like data were Application State and Change Analysis
▶ However, these barely scratched the surface of endpoint data
Introducing the Endpoint Data Model
▶ The Endpoint Data Model has been built based on the Application State and Change Analysis Data Models, except with extra information you’d expect to receive from your EDR solution, such as:
• Parent/child process relationships, process hashes, integrity levels, etc.
▶ Rather than creating one large model, it has been broken down into five separate datasets for increased performance, covering the following areas:
• Ports, Processes, Services, Filesystem and Registry
Data Set Breakdown
▶ Ports
• Source and destination ports, state, protocol, creation time, destination
▶ Processes
• Action, process, parent process, process hash, process path, destination
▶ Services
• Service path, hash and executable name, description, service DLL path, hash and signature, destination
▶ File System
• File access, creation and modification times, destination, user
▶ Registry
• Registry hive, registry value text, status, process ID, destination
What Data?
▶ Windows Sysmon: Now fully CIM compliant!
• Recommended Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
▶ EDR Solution Logs: Carbon Black, Tanium, Falcon Endpoint Protection
▶ Scripted Inputs: Output from commands such as netstat, ps, etc.
Benefits
What can we achieve with Endpoint Data?
▶ Excellent visibility at the endpoint
• High-fidelity alerts to assist with hunting and forensics
• Identify installation, persistence and lateral movement techniques
• What tools were being used
• Searching for hashes from IOCs or threat intel
▶ What can we look for?
• New services/daemons starting
• Abnormal registry key modifications
• Unusual processes or services being launched, along with their connections/hashes
• New listening ports established
• New files in places they shouldn’t be (Windows\System32…)
Benefits
Why use the Data Model?
▶ Utilize the accelerated Data Model for:
• Running frequent searches over endpoint data with little overhead on performance
• Carrying out endpoint forensics efficiently
▶ The ESCU app now ships with a variety of more advanced use cases based on the Endpoint Data Model, giving you good insight into endpoint activity with little engineering work required. For example:
• Credential Dumping
• Command & Control
• Lateral Movement
Before Endpoint Data Model
And Now...
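The two slides above contrast a raw-event search with one run over the accelerated data model. As an added illustration (not from the deck), here is that pair for one of the hunts listed earlier, unusual child processes of Office applications: the first search runs over raw Sysmon process-creation events using Sysmon's own field names and scans every event; the second asks the same question of Endpoint.Processes with CIM field names and tstats, so it also covers any other CIM-mapped EDR source feeding the model. Assumptions: the sourcetype is the one set by the Splunk Add-on for Sysmon, and the parent/child process lists are constructed for the example.

```spl
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    ParentImage IN ("*\\winword.exe", "*\\excel.exe", "*\\outlook.exe")
    Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe")
| rex field=Hashes "SHA256=(?<sha256>[0-9A-Fa-f]{64})"
| stats count min(_time) AS firstTime max(_time) AS lastTime
    BY Computer User ParentImage Image sha256
| convert ctime(firstTime) ctime(lastTime)

| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Endpoint.Processes
    WHERE Processes.parent_process_name IN ("winword.exe", "excel.exe", "outlook.exe")
      AND Processes.process_name IN ("cmd.exe", "powershell.exe", "wscript.exe")
    BY Processes.dest Processes.user Processes.parent_process_name
       Processes.process_name Processes.process_hash
| rename "Processes.*" AS "*"
| convert ctime(firstTime) ctime(lastTime)
```

summariesonly=true reads only the accelerated summaries, which is what keeps the second search cheap; events from a time range that has not yet been summarised are silently skipped, so use summariesonly=false when doing one-off forensics over older data.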
Resources
▶ Base64 Command
• https://splunkbase.splunk.com/app/1922/
▶ Sysmon TA & Add-on
• https://docker.pkg.github.com/splunk/TA-microsoft-sysmon
• https://splunkbase.splunk.com/app/1914/
▶ Common Information Model
• https://splunkbase.splunk.com/app/1621/
▶ ES Content Update App
• https://splunkbase.splunk.com/app/3449/
Showcase of Security Essentials [Beta] Features
Harry McLaren
(Inspired by Johan Bjerke)
Harry McLaren
● Managing Consultant at ECS Security
● Member of SplunkTrust (MVP)
● Leader of the Splunk User Group Edinburgh
● @cyberharibu
Splunk Security Essentials App Overview
How Splunk’s analytics-driven security can be used!
▶ Initial Version (1.0): Released January 7, 2017
▶ Latest Version (2.4.1): Released April 23, 2019
▶ 37,692 Downloads
▶ 389 Examples
Splunk Security Essentials
Provides a Journey Forward and Helps You Show Outcomes
▶ ~100 Examples w/ full SPL + Docs
▶ Prescriptive Journey
Analytics Advisor for SSE
Key Features
Analyzes your environment for data availability and displays content you can enable.
New rich UI for finding the most valuable content
✓ Find opportunities for data re-use easily
✓ Get content selection in just 2-3 clicks
✓ Highlight gaps in coverage
✓ Maps active and available content against the MITRE ATT&CK Framework and Cyber Kill Chain
✓ Shows maturity against the Security Journey
Analytics Advisor for SSE
Key Features
▶ The app delivers analytics that can be used to gather status, assess gaps and plan next steps in security monitoring maturity.
(Screenshot panels: MITRE Mapping; Security Journey Maturity; Click through to SSE Content view; MITRE ATT&CK Navigator; Sankey Flow; Cyber Kill Chain Mapping)
Example outcomes
(Screenshot: Content “what-if” scenarios; panels: Possible today, + Planned Data sources)
Example outcomes
Current MITRE ATT&CK Mapping
Example outcomes
Possible MITRE ATT&CK Mapping
Analytics Advisor on Splunkbase
Demo
Resources
▶ Splunk Security Essentials App Download & Instructions
https://splunkbase.splunk.com/app/3435/
▶ How to Install Splunk Security Essentials
https://youtu.be/RVUmSsS-81M
▶ Introducing Analytics Advisor to Splunk Security Essentials
https://www.splunk.com/blog/2019/04/25/introducing-analytics-advisor-to-splunk-security-essentials.html
▶ Using Security Essentials 2.4: Analytics Advisor
https://www.splunk.com/blog/2019/05/15/using-security-essentials-2-4-analytics-advisor.html
