Splunk for Security
Use Cases of the Swisscom CSIRT
Florian Leibenzeder, 08.05.2018
About me
> Working in IT Security for 18 years
> Senior role & deputy head in the Swisscom CSIRT
> Management tasks & duties but also still on the techie side
> Fun fact: We don't have time for a fun fact :-)
Swisscom Facts & Figures 2017
> 400 Enterprise customers with outsourcing services
> 2,047 Mio fixed access lines
> 1,467 Mio TV access lines
> 2,449 Mio broadband access lines
> 6,637 Mio mobile access lines
> Revenue: 11.66 Mrd
> EBITDA: 4.3 Mrd
> Employees: 20,500
> Net Profit: 1.57 Mrd
Splunk@Swisscom Facts & Figures 2018
> Splunking since 2006! Several independent platforms have evolved into the central Splunk Data Insights platform
> Three-tier, data center redundant platform – total net storage: 1.8 Petabyte
> Indexer cluster:
– 96 cluster nodes (each 56 CPU cores, 512 GB RAM)
> 20 intermediate/heavy forwarders (Linux VMs on ESX)
> Main search head cluster:
– 8 cluster nodes (each 80 CPU cores, 1 TB RAM, 500 GB storage)
> Number of Splunk users: ca. 1400
> Number of services on the platform: ca. 170
> Data volume per day: ca. 6 TB
Splunk@Swisscom – the Data Insights Platform
Provided as a service by our Splunk DevOps squad
Data Insights Platform powered by Splunk Enterprise: Center of Competence, DevOps approach
Sample use cases per area:
> DevOps – Delivery Model
– DevOps Process Mon.
– Application Mon.
– Container Mon.
– Capacity Planning
> Intelligent IT Operations
– Infrastructure / OS
– Network Wire(less)
– Messaging
– IAM / Security
> Security & Compliance
– Security Analytics
– SOC / CSIRT
– Compliance
– Fraud
> Industrial Data & IoT
– Diagnostic & Mon.
– Predictive Mainten.
– Asset Performance
– Device Security
> Business Analytics
– Product Analytics
– Business Process
– Customer Experience
– Digital Marketing
Building blocks: Analytics, Platform Service, Data Sources
Data sources: Cloud Services, Database, Applications, Network Services, Firewall, Web Services, Endpoint, Messaging Security, Servers, Threat Intel, Anti Malware, IAM
The Swisscom Data Insights Method
From data to value – provided Swisscom internally and to Enterprise customers
Customer Need:
> Acquire Data
> Aggregate
> Analyse, normalize
> Pattern & triggers
> Visualisation
> Optimize
> Steer
> Automate
Cycle: Acquire -> Analyse -> Act
Customer Success:
> Reactive to proactive
> Optimized analytics
> Trend analysis
> Increase quality
> Customer experience
> Significance
Swisscom Computer Security Incident Response Team
Duties and areas of expertise / How we use Splunk
Swisscom CSIRT areas:
> Threat Intelligence
> Vulnerability Management
> Abuse Management
> Project Support
> Incident Response
> Threat Hunting
Goal:
> Build meaningful, actionable Splunk content that enables efficient CSIRT operations
Let's see some examples!
Use Case: Typosquatting Domain Monitoring
Or: is someone trying to phish us?
Need:
> Monitor the use of typosquatted Swisscom domains in mail and proxy traffic and be able to analyze them quickly
Prerequisites:
> Generate typosquatting domain lists (using the tools urlcrazy and dnstwist plus manual tuning) -> list of ca. 6300 domains
Challenge:
> Proxy logs: up to 200 Mio events per day -> up to 5000 EPS peaks -> lookup against 6'300 typo domains
– A dashboard with ad-hoc searches would take ages to populate
Approach:
> Summarize domains first and use those summaries for typo-domain matching and further analysis content
Result and benefit:
> Extremely fast monitoring and analysis dashboard
> Summaries support several other use cases
Typosquatting Domain Monitoring
Building the summaries
1. Parse aggregated domains with the help of the URL Toolbox app
2. Write a summary -> 500-600K events per day (compared to 200 Mio raw events). The parsed domain summaries enable various statistics and high-performance search use cases on domains
3. Now match against our typo-domain lookup -> results in 0-30 hits per search run
4. Use the map command to pull the raw events for typo-domain matches
5. Summarize them -> 300-500 events a day
> Here comes the SPL slide of the presentation. And a rather basic one :-)
Typosquatting Domain Monitoring
Analysis Dashboard
> Based on the summaries
> Loads within seconds
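The five summary-building steps above, written out in Python as an added illustration (not code from the presentation): the proxy events, the typo-domain set and the registered_domain helper are constructed stand-ins for the raw proxy index, the urlcrazy/dnstwist list and URL Toolbox's domain parsing.

```python
from collections import defaultdict

# Constructed sample proxy log events (not Swisscom data). Each tuple is one
# proxy request: (timestamp, client IP, destination host, URL path).
RAW_EVENTS = [
    ("2018-05-07T08:01:02", "10.0.1.15", "www.swisscom.ch", "/"),
    ("2018-05-07T08:01:03", "10.0.1.15", "cdn.swisscom.ch", "/app.js"),
    ("2018-05-07T09:12:44", "10.0.2.7", "login.swisscorn.ch", "/signin"),
    ("2018-05-07T09:12:45", "10.0.2.7", "login.swisscorn.ch", "/logo.png"),
    ("2018-05-07T10:30:00", "10.0.3.9", "example.org", "/"),
    ("2018-05-07T11:00:00", "10.0.4.2", "swiscom.ch", "/"),
]

# Constructed stand-in for the ~6,300-entry typo-domain lookup the deck builds
# with urlcrazy/dnstwist, stored as registered domains.
TYPO_DOMAINS = {"swisscorn.ch", "swiscom.ch", "swisscom-login.ch"}


def registered_domain(host):
    """Reduce a host name to its registered domain (stand-in for URL Toolbox's
    ut_domain field; assumes a single-label public suffix such as .ch or .org)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def summarize(events):
    """Steps 1-2: one summary row per registered domain with hit count and
    distinct clients. Later searches run against this, not the raw events."""
    summary = defaultdict(lambda: {"count": 0, "clients": set()})
    for _ts, client, host, _path in events:
        row = summary[registered_domain(host)]
        row["count"] += 1
        row["clients"].add(client)
    return dict(summary)


def match_typo_domains(summary, typo_domains):
    """Step 3: the lookup is applied to the small summary, not to raw events."""
    return {d: row for d, row in summary.items() if d in typo_domains}


def pull_raw_events(events, hits):
    """Step 4: only for the handful of matches go back to the raw events
    (the deck does this with the map command)."""
    return [ev for ev in events if registered_domain(ev[2]) in hits]


def summarize_hits(raw_hits):
    """Step 5: second, much smaller summary of typo-domain traffic per
    (domain, client): request count and first/last seen timestamps."""
    out = {}
    for ts, client, host, _path in raw_hits:
        key = (registered_domain(host), client)
        row = out.setdefault(key, {"requests": 0, "first_seen": ts, "last_seen": ts})
        row["requests"] += 1
        row["first_seen"] = min(row["first_seen"], ts)  # ISO timestamps sort as text
        row["last_seen"] = max(row["last_seen"], ts)
    return out


if __name__ == "__main__":
    summary = summarize(RAW_EVENTS)
    hits = match_typo_domains(summary, TYPO_DOMAINS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(summary)} summary rows -> {len(hits)} typo hits")
    for key, row in summarize_hits(pull_raw_events(RAW_EVENTS, hits)).items():
        print(key, row)
```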
Use Case: Sysmon and Virustotal for automated binary triage
…and subsequent analysis workflows
Yet another Sysmon Use Case
Plenty of excellent material and use cases for Sysmon available online
What's needed to get started?
> Good understanding of Sysmon capabilities AND a tuned Sysmon configuration
– How to Go from Responding to Hunting with Sysinternals Sysmon (Mark Russinovich, RSA Conf 2017)
Intro to Sysmon and its use for security by the author of Sysmon.
– Advanced Incident Detection and Threat Hunting using Sysmon (Tom Ueltschi (Swiss Post), 29th FIRST Conf 2017)
Lots of resources, use cases and technical deep dives
– SwiftOnSecurity Sysmon-Config
Very good starting point to build your own Sysmon config
> Sysmon event collection from workplace systems in Splunk
– We use native Windows Event Forwarding to 2 Windows VMs with Splunk UF to collect Sysmon events from > 25'000 clients -> about 80-100 Mio events a day.
> Some Sysmon summary indexing or a custom data model for performance
– We use two summaries with decreasing information detail
Sysmon and Virustotal for automated binary triage
Use case need and approach
> Around 10'000 unique binaries run daily in our workplace environment. Several hundred of them for the first time.
-> We wanted an automated first triage for all of them which also supports our threat hunting and incident response with very fast analysis capabilities
> Use case foundation: Distinct Binaries List (DBL)
Initially created and now daily incremented summary of unique binaries (md5 hashes) run in our workplace environment, enriched with first_seen & last_seen timestamps and Virustotal data (private VT API license needed)
> Harness the power of Splunk SPL: one single nightly Splunk scheduled search
Result & Benefit:
> The CSIRT Incident Manager on Duty gets a quick overview of potential threats and unwanted binaries in our environment and can start or assign further investigations.
Nightly search workflow:
1. Read DBL
2. Search all unique binaries from yesterday
3. Update DBL: append new binaries and update last_seen timestamps for known ones
4. Virustotal lookup for new binaries
5. Enrich DBL with VT info for new binaries
6. Generate HipChat notification to CSIRT
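The nightly DBL workflow above as an added Python example (not the Swisscom SPL search): the DBL dict, the Sysmon events and the FAKE_VT lookup are constructed stand-ins for the summary index, Sysmon EventCode 1 data and the private VirusTotal API, and the md5 values are placeholders rather than real hashes.

```python
# Constructed Sysmon EventCode 1 (process create) events for one day, reduced
# to the fields the DBL needs. Sample data, not Swisscom's; md5 values are labels.
YESTERDAY = "2018-05-07"
SYSMON_EVENTS = [
    {"host": "ws-0001", "image": r"C:\Windows\System32\notepad.exe", "md5": "md5_notepad"},
    {"host": "ws-0002", "image": r"C:\Windows\System32\notepad.exe", "md5": "md5_notepad"},
    {"host": "ws-0002", "image": r"C:\Users\alice\Downloads\invoice_viewer.exe", "md5": "md5_invoice"},
    {"host": "ws-0003", "image": r"C:\Program Files\Vendor\tool.exe", "md5": "md5_tool"},
    {"host": "ws-0004", "image": r"C:\Users\bob\AppData\Local\Temp\setup.exe", "md5": "md5_setup"},
]

# Constructed DBL state before the nightly run, keyed by md5. Dates are ISO
# strings so that plain string comparison orders them correctly.
DBL = {
    "md5_notepad": {"image": r"C:\Windows\System32\notepad.exe", "first_seen": "2018-01-10",
                    "last_seen": "2018-05-06", "vt_positives": 0, "vt_total": 60},
    "md5_tool": {"image": r"C:\Program Files\Vendor\tool.exe", "first_seen": "2018-03-02",
                 "last_seen": "2018-05-06", "vt_positives": 0, "vt_total": 58},
}

# Constructed stand-in for the private VirusTotal API: md5 -> (positives, total);
# a hash VT has never seen yields None.
FAKE_VT = {"md5_invoice": (23, 61)}


def distinct_binaries(events):
    """Step 2: unique md5 hashes of one day's process starts, with the image
    path and the set of hosts that ran them."""
    seen = {}
    for ev in events:
        entry = seen.setdefault(ev["md5"], {"image": ev["image"], "hosts": set()})
        entry["hosts"].add(ev["host"])
    return seen


def update_dbl(dbl, daily, day):
    """Step 3: merge the daily list into the DBL. Unknown hashes are appended
    with first_seen = last_seen = day, known ones only get last_seen bumped.
    Returns the newly appended hashes, i.e. the VT lookup candidates."""
    new_hashes = []
    for md5, info in daily.items():
        if md5 in dbl:
            dbl[md5]["last_seen"] = max(dbl[md5]["last_seen"], day)
        else:
            dbl[md5] = {"image": info["image"], "first_seen": day, "last_seen": day,
                        "vt_positives": None, "vt_total": None}
            new_hashes.append(md5)
    return new_hashes


def enrich_with_vt(dbl, new_hashes, vt_lookup):
    """Steps 4-5: only new hashes are sent to VT (known ones keep their stored
    verdict, which keeps API usage low). vt_lookup is injected so this runs offline."""
    for md5 in new_hashes:
        verdict = vt_lookup(md5)
        if verdict is not None:
            dbl[md5]["vt_positives"], dbl[md5]["vt_total"] = verdict


def daily_triage(dbl, daily, new_hashes, min_positives=1):
    """Step 6: the figures for the CSIRT notification: what ran, what is new,
    and which new binaries deserve a look (flagged by VT, or unknown to VT)."""
    flagged = [h for h in new_hashes if (dbl[h]["vt_positives"] or 0) >= min_positives]
    unknown = [h for h in new_hashes if dbl[h]["vt_total"] is None]
    return {"unique_today": len(daily), "new_today": len(new_hashes),
            "vt_flagged": flagged, "vt_unknown": unknown}


def nightly_run(dbl, events, day, vt_lookup):
    """The whole scheduled search: read DBL -> distinct binaries -> update ->
    VT enrich -> notification payload. Mutates dbl in place."""
    daily = distinct_binaries(events)
    new_hashes = update_dbl(dbl, daily, day)
    enrich_with_vt(dbl, new_hashes, vt_lookup)
    return daily_triage(dbl, daily, new_hashes)


if __name__ == "__main__":
    print(nightly_run(DBL, SYSMON_EVENTS, YESTERDAY, FAKE_VT.get))
```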
Sysmon and Virustotal for automated binary triage
The HipChat notification
> Sysmon daily stats sent as a HipChat notification (HipChat Room Notification Alert App)
> Links to the Splunk analysis dashboard
Sysmon and Virustotal for automated binary triage
Sysmon Hash Hunting Dashboard
> Full list of first seen binaries from the daily distinct binary summary
> Dashboard also used for hunting & threat response (e.g. APT binary checks)
> Extremely fast due to summaries
> Drill-down capabilities
– Link to Virustotal search results for the md5 hash
– Open inline drill-down panel with event details
– Drill-down to Process Hierarchy Analysis dashboard
Sysmon and Virustotal for automated binary triage
Drill-down to Process Hierarchy Analysis Dashboard - Top
> Gets host, filename and event timestamp +/- 5min from the Hash Hunting Dashboard
> Sankey visualization of process hierarchies related to the binary
– OnMouseOver shows parent process -> child process, each with the complete command line
That's all folks!
Questions?

SplunkLive! Zurich 2018: Splunk for Security at Swisscom CSIRT
