Copyright © 2016 Splunk Inc. Enterprise Security & UBA Overview SplunkLive 2016 Jon Harris, Sr SE Security Splunk Guy

SplunkLive Perth Enterprise Security & User Behavior Analytics


Page 1: SplunkLive Perth Enterprise Security & User Behavior Analytics


Page 2

whoami

Jon Harris [email protected]

• 6 months at Splunk
• Senior SE (focus on security)
• 15+ years in IT and security
• Worked for leading IT Security vendors
• Software development background

Page 3

LEGAL NOTICES

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 4

Agenda

• Splunk Security Update
• Enterprise Security 4.2
• User Behavior Analytics 2.3

Page 5

Data Breaches in Australia

Page 6

2016 Cost of Data Breach Study

• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• “Time to Identify” and “Time to Contain” a data breach is critical
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response

Source: June 2016

Page 7

Advanced Threats Are Hard to Find

Cyber Criminals, Nation States, Insider Threats

• 100%: valid credentials were used
• 40: average # of systems accessed
• 229: median # of days before detection
• 67%: of victims were notified by an external entity

Source: Mandiant M-Trends Report 2012/2013/2014

Page 8

Machine data contains a definitive record of all interactions (Human to Machine, Machine to Machine)

Splunk is a very effective platform to collect, store, and analyse all of that data

Page 9

Splunk as the Security Nerve Center (diagram)

Data sources feeding the nerve center: App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity

Page 10

Splunk Solutions: Across Data Sources, Use Cases and Consumption Models (diagram)

Platform for Machine Data

Splunk Premium Solutions: ITSI, UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security, IT Svc Int

Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL

Page 11

Splunk for Security

• Detection of cyber attacks
• Investigation of threats and incidents
• Optimised incident response and breach analysis
• Detection of insider threats
• Security & compliance reporting

Splunk UBA, Splunk ES

Page 12

Splunk Security Ecosystem (diagram): Threat Intelligence, Identity and Cloud, Endpoint, Network

Page 13

What is Splunk ES?

Page 14

Splunk Enterprise Security: Advancing analytics-driven security

Platform for Machine Data

• Security and Compliance Reporting
• Monitor and Detect
• Investigate Threats and Incidents
• Analyze and Optimize Response

Page 15

What’s New: Splunk Enterprise Security v4

Page 16

Attack and Investigation Timelines

Adding content to a timeline (Analyst / Investigator):

• Action History. Actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo. Memo: investigator’s memos inserted at the desired point in the timeline
• Incident Review. Incident: notable events from Incident Review

Page 17

Prioritise and Speed Investigations (ES 4.1)

Centralised incident review combining risk and quick search

• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts to respond on matters that require immediate attention
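The slide says risk scores turn into actionable alerts but does not show how a score becomes an alert. The block below is an added example, not Splunk code: it re-creates the kind of aggregation an ES risk correlation search performs, summing per-object risk over a sliding 24-hour window and raising a notable only when the peak crosses a threshold and several distinct sources contributed. The field names (risk_object, risk_object_type, risk_score, source), the 24-hour window, the threshold of 100 and the event list are all assumptions made for the example.

```python
# Added example (not Splunk code): stand-alone re-creation of risk-score
# aggregation. Field names, the 24-hour window, the threshold of 100 and the
# events below are assumptions / constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

RISK_EVENTS = [
    # (timestamp, risk_object, risk_object_type, risk_score, source search)
    # Constructed: many modest events for jsmith in one day, single
    # high-scoring events for a host and for bjones.
    ("2016-08-10T08:02:00", "jsmith", "user", 20, "excessive_failed_logins"),
    ("2016-08-10T08:40:00", "jsmith", "user", 30, "threat_intel_match"),
    ("2016-08-10T11:15:00", "jsmith", "user", 40, "new_vpn_geo"),
    ("2016-08-10T21:30:00", "jsmith", "user", 25, "large_outbound_transfer"),
    ("2016-08-12T10:00:00", "jsmith", "user", 50, "threat_intel_match"),
    ("2016-08-10T09:00:00", "10.1.2.3", "system", 80, "vuln_scanner_seen"),
    ("2016-08-09T06:00:00", "bjones", "user", 90, "malware_detected"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def risk_by_object(events, window=timedelta(hours=24)):
    """Peak windowed risk per (type, object).

    Slides a window that ends at each event and returns the highest score sum
    seen for that object together with the sources that contributed to it.
    """
    by_obj = defaultdict(list)
    for ts, obj, otype, score, src in events:
        by_obj[(otype, obj)].append((_parse(ts), score, src))
    peaks = {}
    for key, evs in by_obj.items():
        evs.sort()
        peak, peak_sources, start = 0, set(), 0
        for end in range(len(evs)):
            # drop events older than the window relative to the current one
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            total = sum(s for _, s, _ in window_evs)
            if total > peak:
                peak = total
                peak_sources = {s for _, _, s in window_evs}
        peaks[key] = (peak, peak_sources)
    return peaks


def notable_objects(events, threshold=100, min_sources=2,
                    window=timedelta(hours=24)):
    """Objects whose peak windowed score reaches the threshold.

    Requiring several distinct contributing sources keeps one noisy search
    from producing a notable on its own.
    """
    notables = []
    for (otype, obj), (peak, sources) in risk_by_object(events, window).items():
        if peak >= threshold and len(sources) >= min_sources:
            notables.append({
                "risk_object": obj,
                "risk_object_type": otype,
                "risk_score": peak,
                "sources": sorted(sources),
            })
    return sorted(notables, key=lambda n: -n["risk_score"])


if __name__ == "__main__":
    for n in notable_objects(RISK_EVENTS):
        print(n)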

Page 18

Expanded Threat Intelligence (ES 4.1)

Supports Facebook ThreatExchange

• An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
• Use with ad hoc searches and investigations
• Extends Splunk’s Threat Intelligence Framework
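A feed of domains, IPs and hashes is only useful once it is matched against events, and each indicator kind needs its own normalisation: domains are case-insensitive, may carry a trailing dot, and should match subdomains of a listed parent; IPs may be listed as ranges; hashes differ only in case. The block below is an added example, not Splunk or ThreatExchange code: the feed entries, event field names, feed names and every indicator and event are constructed, and the three matching rules are the author's assumptions about what a sensible lookup does.

```python
# Added example (not Splunk code): matching feed indicators of the three kinds
# the slide lists (domains, IPs, hashes) against events. Feed names, event
# field names and all indicators/events below are constructed.
import ipaddress

THREAT_INDICATORS = [  # constructed feed entries; documentation ranges only
    {"indicator": "Evil.Example.", "type": "domain", "source": "feed-a"},
    {"indicator": "198.51.100.0/24", "type": "ip", "source": "feed-a"},
    {"indicator": "203.0.113.7", "type": "ip", "source": "feed-b"},
    {"indicator": "0123456789ABCDEF0123456789ABCDEF", "type": "hash", "source": "feed-b"},
]

EVENTS = [  # constructed proxy, endpoint and DNS events
    {"sourcetype": "proxy", "dest_host": "cdn.evil.example", "dest_ip": "192.0.2.10"},
    {"sourcetype": "proxy", "dest_host": "www.good.example", "dest_ip": "198.51.100.42"},
    {"sourcetype": "proxy", "dest_host": "notevil.example", "dest_ip": "192.0.2.11"},
    {"sourcetype": "endpoint", "file_hash": "0123456789abcdef0123456789abcdef"},
    {"sourcetype": "dns", "query": "EVIL.example.", "answer": "203.0.113.7"},
]

DOMAIN_FIELDS = ("dest_host", "query")
IP_FIELDS = ("dest_ip", "answer")
HASH_FIELDS = ("file_hash",)


def normalize_domain(value):
    # case-insensitive, and drop the trailing dot a DNS log may carry
    return value.strip().lower().rstrip(".")


def build_index(indicators):
    idx = {"domain": {}, "net": [], "hash": {}}
    for ind in indicators:
        kind, value = ind["type"], ind["indicator"]
        if kind == "domain":
            idx["domain"][normalize_domain(value)] = ind
        elif kind == "ip":  # single IPs become /32 (or /128) networks
            idx["net"].append((ipaddress.ip_network(value.strip(), strict=False), ind))
        elif kind == "hash":
            idx["hash"][value.strip().lower()] = ind
    return idx


def match_domain(idx, value):
    """Exact match first, then each parent domain; a bare TLD never matches."""
    labels = normalize_domain(value).split(".")
    for n in range(len(labels) - 1):
        candidate = ".".join(labels[n:])
        if candidate in idx["domain"]:
            return idx["domain"][candidate]
    return None


def match_ip(idx, value):
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    for net, ind in idx["net"]:
        if ip in net:
            return ind
    return None


def match_hash(idx, value):
    return idx["hash"].get(value.strip().lower())


def match_events(events, indicators):
    """Return one hit per (event, field) whose value matches a feed indicator."""
    idx = build_index(indicators)
    checks = ((DOMAIN_FIELDS, match_domain), (IP_FIELDS, match_ip), (HASH_FIELDS, match_hash))
    hits = []
    for i, event in enumerate(events):
        for fields, matcher in checks:
            for field in fields:
                if field not in event:
                    continue
                ind = matcher(idx, event[field])
                if ind is not None:
                    hits.append({"event": i, "field": field, "value": event[field],
                                 "indicator": ind["indicator"], "type": ind["type"],
                                 "source": ind["source"]})
    return hits


if __name__ == "__main__":
    for hit in match_events(EVENTS, THREAT_INDICATORS):
        print(hit)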

Page 19

ES Demo

Page 20

What is Splunk UBA?

Page 21

What is the problem?

• Compromised / misused credentials or devices
• Lack of resources (security expertise)
• Lack of alert prioritization & excessive false positives

Page 22

Enterprise Security Ops Challenges

• Threats: external, insiders, hidden and/or unknown
• Resources: availability of security expertise
• Efficiency: lack of alert prioritisation & excessive false positives

Page 23

Splunk User Behavioural Analytics: Automated Detection of Insider Threats and Cyber Attacks

Platform for Machine Data

• Behaviour Baselining & Modelling
• Unsupervised Machine Learning
• Real-Time & Big Data Architecture
• Threat & Anomaly Detection
• Security Analytics

Page 24

Splunk UBA: Technology

• Anomaly Detection
• Threat Detection
• Unsupervised Machine Learning
• Behaviour Modeling
• Real Time & Big Data Architecture

Page 25

Multi-Entity Behavioural Model

User centric, Device centric, Application centric, Protocol centric

Page 26

Multi-Entity Behavioural Model (diagram): Application, User, Host, Network, Data

Page 27

Evolution (diagram, axis: complexity)

Approaches shown, from simplest to most complex:
• Rules: threshold
• Policy: threshold
• Policy: statistics
• Policy: peer group statistics
• Supervised machine learning
• Unsupervised machine learning

Largest library of unsupervised ML algorithms

Page 28

Designed for a Hunter Analyst: Anomaly Detection

Applying ML against behaviour baselines

Page 29

Designed for a SOC Analyst: Threat Detection

ML-driven automated or rules-based anomaly correlation

Page 30

Data Sources for UBA (diagram; legend: Key / Optional)

• Identity/Auth: Active Directory / Windows, Single Sign-on, HR - Identity, VPN
• Activity (N-S, E-W): Web Gateway, Proxy Server, Firewall, DNS, DHCP
• SaaS/Mobile: Box, Salesforce, Dropbox, other SaaS apps; Mobile Devices
• Security Controls: Anti-Malware, DLP, Endpoint, IDS, IPS, AV
• External Threat Feeds: Threat Intelligence
• AWS CloudTrail

Page 31

Splunk UBA and Splunk ES Integration (diagram)

Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds

UBA: data science driven threat detection, 99.99% event reduction

Machine learning in the SIEM workflow; anomaly-based correlation

Page 32

What’s New in UBA 2.x

Page 33

Detection: Custom Threat Modeling Framework (UBA 2.2)

• Create custom threats using 60+ anomalies
• Create custom threat scenarios on top of anomalies detected by machine learning
• Helps with real-time threat detection and can also be run over historical data to find threats retrospectively
• Analysts can create many combinations and permutations of threat detection scenarios alongside the automated threat detection
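The two slides above (the SOC analyst's "rules-based anomaly correlation" and this custom threat modeling framework) describe the same mechanism: an analyst names a threat as a combination of anomaly types that must co-occur for one entity within a time window. The block below is an added example, not Splunk UBA code, showing one way to express and evaluate such rules. The anomaly type names, the rule format (a set of required types plus a minimum number of optional ones), the entity naming and the anomaly records are all constructed for the example; the same function handles a live stream and a historical batch, since it only looks at timestamps.

```python
# Added example (not Splunk UBA code): correlating per-entity anomalies into
# named threats with analyst-defined rules. Anomaly type names, the rule
# format and the records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

ANOMALIES = [  # constructed: (timestamp, entity, anomaly_type, score 0-10)
    ("2016-08-01T02:10:00", "user:asmith", "unusual_login_time", 6),
    ("2016-08-01T02:12:00", "user:asmith", "new_device", 5),
    ("2016-08-02T14:00:00", "user:asmith", "unusual_data_volume", 8),
    ("2016-08-03T09:00:00", "user:asmith", "external_site_upload", 7),
    ("2016-08-01T10:00:00", "user:bjones", "unusual_login_time", 4),
    ("2016-08-20T10:00:00", "user:bjones", "unusual_data_volume", 9),
    ("2016-08-05T08:00:00", "host:srv-db01", "unusual_process", 7),
    ("2016-08-05T08:05:00", "host:srv-db01", "lateral_movement_scan", 8),
]

# Constructed rule format: every type in `required` plus at least `min_any`
# of the types in `any_of`, all for one entity inside `window`.
THREAT_RULES = [
    {"name": "Data exfiltration by compromised account",
     "window": timedelta(days=7),
     "required": {"unusual_data_volume"},
     "any_of": {"unusual_login_time", "new_device", "external_site_upload"},
     "min_any": 2},
    {"name": "Compromised host",
     "window": timedelta(days=1),
     "required": {"lateral_movement_scan"},
     "any_of": {"unusual_process", "unusual_login_time"},
     "min_any": 1},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _rule_matches(rule, window_anomalies):
    types = {a[2] for a in window_anomalies}
    return (rule["required"] <= types
            and len(rule["any_of"] & types) >= rule["min_any"])


def detect_threats(anomalies, rules):
    """One threat per (rule, entity): the strongest window in which the rule held."""
    by_entity = defaultdict(list)
    for ts, entity, atype, score in anomalies:
        by_entity[entity].append((_parse(ts), entity, atype, score))
    threats = {}
    for entity, evs in by_entity.items():
        evs.sort()
        for rule in rules:
            relevant = rule["required"] | rule["any_of"]
            start = 0
            for end in range(len(evs)):
                # slide the window so it ends at the current anomaly
                while evs[end][0] - evs[start][0] > rule["window"]:
                    start += 1
                window = [a for a in evs[start:end + 1] if a[2] in relevant]
                if not window or not _rule_matches(rule, window):
                    continue
                score = sum(a[3] for a in window)
                key = (rule["name"], entity)
                if key not in threats or score > threats[key]["score"]:
                    threats[key] = {
                        "rule": rule["name"], "entity": entity, "score": score,
                        "anomaly_types": sorted({a[2] for a in window}),
                        "first_seen": window[0][0].isoformat(),
                        "last_seen": window[-1][0].isoformat(),
                    }
    return sorted(threats.values(), key=lambda t: -t["score"])


if __name__ == "__main__":
    for t in detect_threats(ANOMALIES, THREAT_RULES):
        print(t)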

Page 34

Detection: Enhanced Security Analytics (UBA 2.2)

Visibility and baseline metrics around user, device, application and protocol

30+ new metrics

User centric, Device centric, Application centric, Protocol centric

Detailed visibility, understand normal behaviour

Page 35

Behavioural Analytics in the SIEM Workflow

• All UBA anomalies now available in ES
• SOC Manager: UBA reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: ad-hoc searching/pivoting

Detect and investigate faster using ML integrated with SIEM

Page 36

USER CENTRIC
• Top-N users by number of transactions
• Top-N users by login/logout activity
• Login/logout activity over time
• Average daily/weekly/monthly/yearly login/logout count
• Number of failed logins (global)
• Top-N users for failed logins
• Failed logins over time
• Average daily/weekly/monthly/yearly failed login counts
• Top-N users by data transfer
• Average daily/weekly/monthly/yearly data transfer for users
• Top-N users by session count
• Top-N users by session length
• Average session duration of users

DEVICE CENTRIC
• Top-N servers by activity (number of transactions)
• Top-N servers by login/logout activity
• Top-N servers for failed logins
• Failed logins over time
• Top-N destination devices by data transfer
• Top-N servers by data transfer
• Average daily/weekly/monthly/yearly data transfer for servers
• Top-N source devices by session count

APPLICATION / SESSION CENTRIC
• Total sessions count
• Total sessions count over time
• Total sessions count by device type (AD, VPN, SSH)
• Average sessions count (daily, weekly, monthly, yearly)
• Average global session duration
• Average session duration over time (daily, weekly, monthly, yearly)

PROTOCOL CENTRIC
• HTTP traffic by application type (protocol)
• Top-N domains by traffic
• Top-N domains by activity (number of events)
• Top-N client machines by traffic
• HTTP traffic over time (day, week, month, year)
• Average daily, weekly, monthly, yearly HTTP traffic
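The metric list above and the earlier "applying ML against behaviour baselines" slide are two halves of one idea: the metrics (top-N users for failed logins, average daily failed login counts) are the baselines, and an anomaly is a day that departs from a user's own baseline. The block below is an added example, not Splunk UBA code, that computes a few of the user-centric metrics over a constructed authentication log and then flags a user whose failed-login count on one day is far above that user's other days. The log line format, the field names, the leave-one-out baseline and the z-score threshold are all assumptions made for the example.

```python
# Added example (not Splunk UBA code): user-centric failed-login metrics over
# a constructed auth log, plus a per-user baseline deviation check. Log
# format, field names and thresholds are assumptions.
import re
import statistics
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>success|failure)$"
)


def make_sample_log():
    """Constructed: a week of steady activity, then a burst of failures for akhan on day 7."""
    lines = []
    for day in range(1, 8):
        d = "2016-08-%02d" % day
        for i in range(5):  # jsmith: 5 successes per day
            lines.append("%sT08:%02d:00 auth user=jsmith src=10.0.0.5 action=success" % (d, i))
        for i in range(2):  # jsmith: 2 failures per day (fat fingers)
            lines.append("%sT08:1%d:00 auth user=jsmith src=10.0.0.5 action=failure" % (d, i))
        lines.append("%sT09:00:00 auth user=akhan src=10.0.0.9 action=success" % d)
        lines.append("%sT09:01:00 auth user=akhan src=10.0.0.9 action=failure" % d)
    for i in range(12):  # day 7: 12 extra failures for akhan from an unfamiliar source
        lines.append("2016-08-07T23:%02d:00 auth user=akhan src=203.0.113.9 action=failure" % i)
    return lines


def parse_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # unparseable lines are skipped rather than aborting the run
            ev = m.groupdict()
            ev["day"] = ev["ts"][:10]
            events.append(ev)
    return events


def failed_logins_by_user_day(events):
    counts = defaultdict(Counter)
    for ev in events:
        if ev["action"] == "failure":
            counts[ev["user"]][ev["day"]] += 1
    return counts


def top_n_failed_logins(events, n=10):
    totals = Counter()
    for user, days in failed_logins_by_user_day(events).items():
        totals[user] = sum(days.values())
    return totals.most_common(n)


def average_daily_failed_logins(events):
    days_seen = {ev["day"] for ev in events}
    return {user: sum(days.values()) / len(days_seen)
            for user, days in failed_logins_by_user_day(events).items()}


def baseline_deviations(events, z_threshold=3.0, min_history=3):
    """Flag (user, day) pairs whose failed-login count is far above that user's other days.

    Leave-one-out baseline: the day under test is excluded from its own mean.
    The standard deviation is floored at 1 so a perfectly flat history (stdev 0)
    still yields a finite z-score instead of a division by zero.
    """
    flagged = []
    days_seen = sorted({ev["day"] for ev in events})
    for user, days in failed_logins_by_user_day(events).items():
        series = {d: days.get(d, 0) for d in days_seen}  # zero-fill quiet days
        for day, count in series.items():
            history = [c for d, c in series.items() if d != day]
            if len(history) < min_history:
                continue
            mean = statistics.mean(history)
            stdev = max(statistics.pstdev(history), 1.0)
            z = (count - mean) / stdev
            if z >= z_threshold:
                flagged.append({"user": user, "day": day, "failed": count,
                                "baseline_mean": round(mean, 2), "z": round(z, 2)})
    return flagged


if __name__ == "__main__":
    evs = parse_events(make_sample_log())
    print(top_n_failed_logins(evs, 5))
    print(baseline_deviations(evs))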

Page 37

UBA Demo

Page 38

The 7th Annual Splunk Worldwide Users’ Conference
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts

• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!

PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

Page 39

ThankYou!

Page 40

Appendix

Page 41

All Data is Security Relevant (diagram)

Traditional security sources: Intrusion Detection, Data Loss Prevention, Anti-Malware, Firewall, Vulnerability Scans, Authentication

Other sources: Desktops, Email, Web, Threat Intelligence, Storage, Hypervisor, Badges, Mobile, Servers, DHCP/DNS, Physical Access, CMDB, Transaction Records, Network Flows, Custom Apps, Services, Web Clickstreams, Cloud, Printers

Page 42

Mission of Government: Protect, Grow, Serve

• Defend against and reduce impact of external and insider threats
• Meet mission goals through operational excellence
• Ensure agility and scale while embracing innovation

Page 43

White House Military Office: From Hunted to Hunter

Challenges:
• Proactive hunting of cyber adversaries
• Resource (analysts) constraints
• Cumbersome malware detection process
• Myopic visibility into the network

Value Delivered:
• Went from reactive to proactive
• Made Tier 1 analysts immediately effective
• Holistic visibility across network
• Bonus: IT Operations troubleshooting
• Validate security deployment decisions

“Splunk has helped us take Tier 1 security analysts and make them immediately effective to defend our network.”