SplunkLive! Wien - Splunk für Security
0 likes303 views
The document discusses Splunk security solutions including Splunk Enterprise and Splunk User Behavior Analytics (UBA). It provides an agenda that includes a demo of the Zeus ES security product and a UBA demo. The document contains customer examples and testimonials about how Splunk has helped organizations replace inadequate SIEM tools and meet complex security needs. It highlights features for risk-based security, fast incident review, continuous monitoring, and visual investigations using the cyber kill chain model.
SplunkLive! Wien - Splunk für Security
- 1. Copyright © 2015 Splunk Inc. Security Session Alain Gutknecht Senior Sales Engineer alain@splunk.com
- 2. 2 Safe Harbor Statement During thecourseof this presentation, we may makeforward looking statementsregarding future events or the expected performance of the company. We caution you that such statements reflect our current expectationsand estimatesbased onfactors currently known to us and thatactual eventsor resultscould differ materially. For importantfactors that may cause actualresults to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 6. 6 Advanced Threats Are Hard to Find 6 Cyber Criminals Nation States Insider Threats Source: Mandiant M-Trends Report 100% Valid credentials were used 40 Average # of systems accessed 229 Median # of days before detection 67% Of victims were notified by external entity
- 8. 8 Solution: Splunk, The Engine For Machine Data 8 Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID Developer Platform Report and analyze Custom dashboards Monitor and alert Ad hoc search Real-Time Machine Data References – Coded fields, mappings, aliases Dynamic information – Stored in non-traditional formats Environmental context – Human maintained files, documents System/application – Available only using application request Intelligence/analytics – Indicators, anomaly, research, white/blacklist
- 9. 9 Fraud Detection Insider Threat Advanced Threat Detection Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting Security Intelligence Use Cases Splunk provides solutions that address SIEM use cases and more Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting
- 10. 10 1 0 Example Patterns of Fraud in Machine Data Industry Type of Fraud/Theft/Abuse Pattern Financial Services Account takeover Abnormally high number or dollar amounts of wire transfer withdrawals Healthcare Physician billing Physician billing for drugs outside their expertise area E-Tailing Account takeover Many accounts accessed from one IP Telecoms Calling plan abuse Customer making excessive amount of international calls on an unlimited plan Online Education Student loan fraud Student receiving federal loan has IP in “high-risk” overseas country and is absent from online classrooms and forums
- 11. 11 Insider Threat What To Look For Data Source Abnormally high number of file transfers to USB or CD/DVD OS Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site Email / web server Unusual physical access attempts(after hours, accessing unauthorized area, etc) Physical badge records / AD Above actions + employee is on an internal watchlist as result of transfer / demotion / poor review / impending layoff HR systems / above User name of terminated employee accessing internal system AD / HR systems 11
- 12. 12 Example of Advanced Threat Activities 1 2 HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB Conduct Business Create additional environment Gain Access to systemTransaction .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 13. 13 Connect the “Data-Dots” to See the Whole Story 1 3 Persist, Repeat Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, Exploit Installation Gain Trusted Access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat • Third-party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
- 14. 14 Threat intelligence Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery Accomplish Mission Security Ecosystem for Coverage and Protection Auth - User Roles, Corp Context
- 16. ZEUS Demo
- 27. Customer Example
- 30. 30 30 Splunk Enterprise is a well thought-out solution, designed from the outset for development and operation, and it delivers immediate results in a number of areas. “ SIEM General Project Manager, Finanz Informatik GmbH & Co. KG Challenges: Existing SIEM tools did not meet security needs – Different security information and event management (SIEM) solutions for the mainframe, network, Unix and Windows. – Difficult to correlate Security incidents accross variuos plaforms Enter Splunk: One unified solution – A single solution across platforms and functions means faster and more comprehensive investigation and resolution of security incidents – Guarantee Full protection of its customer data and at the same time reduce complexity, error rates and costs. – Alerts that identify security events, authorization violations or unusual patterns of queries. Splunk at Finanz Informatik “ “
- 31. 31 Replacing a SIEM @ Cisco 31 We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have. ““ Gavin Reid, Leader, Cisco Computer Security Incident Response Team Challenges: SIEM could not meet security needs – Very difficult to index non-security or custom app log data – Serious scale and speed issues. 10GB/day and searches took > 6 minutes – Difficult to customize with reliance on pre-built rules which generated false positives Enter Splunk: Flexible SIEM and empowered team – Easy to index any type of machine data from any source – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection – All the data + flexible searches and reporting = empowered team – 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data – Estimate Splunk is 25% the cost of a traditional SIEM
- 34. 34
- 39. 39
- 40. 40
- 41. 41
- 43. 43
- 44. 44
- 45. 45 Features in Enterprise Security 4.0 Optimize multi-step analyses to improve breach detection and response Extensible Analytics & Collaboration INVESTIGATION COLLABORATION • Investigator Journal • Attack & Investigation Timeline • Open Solutions Framework • Framework App : PCI
- 47. UBA
- 49. 49 SECURITY ANALYTICS KILL-CHAIN HUNTER KEY WORKFLOWS - HUNTER § Investigate suspicious users, devices, and applications § Dig deeper into identified anomalies and threat indicators § Look for policy violations
- 52. 52 THREAT DETECTION KEY WORKFLOWS – SOC ANALYST SOC ANALYST § Quickly spot threats within your network § Leverage Threat Detection workflow to investigate insider threats and cyber attacks § Act on forensic details – deactivate accounts, unplug network devices, etc.
- 57. 57 INSIDER THREAT 5 7 USER ACTIVITIES RISK/THREAT DETECTION AREAS John logs in via VPN from 1.0.63.14 Unusual Geo (China) Unusual Activity Time3:00 PM Unusual Machine Access (lateral movement; individual + peer group) 3:15 PMJohn (Admin) performs an ssh as root to a new machine from the BizDev department Unusual Zone (CorpàPCI) traversal (lateral movement)3:10 PM John performs a remote desktop on a system as Administrator on the PCI network zone 3:05 PM Unusual Activity Sequence (AD/DC Privilege Escalation) John elevates his privileges for the PCI network Excessive Data Transmission (individual + peer group) Unusual Zone combo (PCIàcorp) 6:00 PM John (Adminàroot) copies all the negotiation docs to another share on the corp zone Unusual File Access (individual + peer group)3:40 PM John (Adminàroot) accesses all the excel and negotiations documents on the BizDev file shares Multiple Outgoing Connections Unusual VPN session duration (11h)11:35 PMJohn (Adminàroot) uses a set of Twitter handles to chop and copy the data outside the enterprise
- 58. 58 EXTERNAL ATTACK 5 8 USER ACTIVITIES RISK/THREAT DETECTION AREAS Peter and Sam access a malicious website. A backdoor gets installed on their computers Malicious Domain (AGD) Unusual Browser HeaderNov 15 Unusual Machine Access for Peter (lateral movement; individual + peer group)Dec 10The attacker logs on to Domain Controller via VPN with Peter’s stolen credentials from 1.0.63.14 Unusual Browser Header for Peter and SamNov 16 The attacker uses Peter and Sam’s backdoors to download and execute WCE to crack their password Nov 16 Beacons for Peter and Sam to www.byeigs.ddns.com Peter and Sam’s machines are communicating with www.byeigs.ddns.info Unusual Machine Access for Sam Unusual File Access for Sam (individual + peer group)) Dec 10 The attacker logs in as Sam and accesses all excel and negotiations docs on the BizDev shares Unusual Activity Sequence of Admin for Sam (AD/DC Privilege Escalation)Dec 10 The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Sam. Excessive Data Transmission for Peter Unusual VPN session durationJan 14The attacker VPNs as Peter, copies the docs to an external staging IP and then logs out after 3 hours.