Copyright © 2016 Splunk Inc. Splunk for Enterprise Security featuring User Behaviour Analytics SplunkLive Sydney 2016 Vlado Vajdic, Sr SE

SplunkLive Sydney Enterprise Security & User Behavior Analytics


Page 1: SplunkLive Sydney Enterprise Security & User Behavior Analytics


Page 2: whoami

Vlado Vajdic, [email protected]

• 1 year as a Splunk Sales Engineer
• 15+ years in IT security
• Trend Micro, RSA, ..., Sun Microsystems
• First used Splunk in 2010
• GCFA, but don't take this against me

Page 3: Legal Notice

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 4: Agenda

• Splunk Security Update
• Enterprise Security 4.2
• User Behavior Analytics 2.3

Page 5: Data Breaches in Australia

Page 6: 2016 Cost of Data Breach Study

• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• "Time to Identify" and "Time to Contain" a data breach is critical
• Malicious or criminal attacks were the primary root causes of a data breach
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
• Data breaches in regulated industries are more costly

Source: June 2016

Page 7: Splunk: the Security Nerve Center for the Enterprise

[Figure: data sources feeding Splunk. Labels recovered from the slide: App Servers; Network; Threat Intelligence; Firewall; Web Proxy; Internal Network Security; Endpoints; Identity]

Page 8: Splunk Solutions: Across Data Sources, Use Cases and Consumption Models

[Figure: Splunk solutions stack. Labels recovered from the slide:]
• Platform for Machine Data
• Splunk Premium Solutions and Ecosystem of Apps: IT Service Intelligence (ITSI), UBA, PCI Security, VMware, Exchange
• Data sources: Mainframe Data; Relational Databases; Mobile Forwarders; Syslog/TCP; IoT Devices; Network Wire Data; Hadoop & NoSQL

Page 9: Splunk for Security

• Detection of cyber attacks
• Investigation of threats and incidents
• Optimized incident response and breach analysis
• Detection of insider threats
• Security & compliance reporting

Splunk UBA, Splunk ES

Page 10: Splunk Security Ecosystem

Threat Intelligence, Identity and Cloud, Endpoint, Network

Page 11: What is Splunk Enterprise Security?

Page 12: Splunk Enterprise Security: Analytics-driven Security

Built on the Platform for Machine Data:
• Security and Compliance Reporting
• Monitor and Detect Threats
• Investigate Threats and Incidents
• Optimize Response using Workflows

Page 13: Security Intelligence

[Figure: Security Intelligence architecture. Labels recovered from the slide:]
• Capabilities: Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search; Developer Platform
• Data Enrichment; Search-time Data Normalization
• Enrichment sources: Threat Intelligence; Asset & CMDB; Employee Info; Data Stores; Applications; Online Services; Web Services; Security GPS; Location
• Data sources: Storage; Desktops; Networks; Packaged Applications; Custom Applications; Messaging; Telecoms; Online Shopping Cart; Web Clickstreams; Databases; Energy Meters; Call Detail Records; Smartphones and Devices; Firewall; Authentication; Threat Intelligence; Servers; Endpoint

Page 14: Splunk ES in the Gartner SIEM Magic Quadrant

• 2011 - Niche Player
• 2012 - Challenger
• 2013 - Leader
• 2014 - Leader
• 2015 - Leader (the only vendor to improve its visionary position)

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 15: What's New: Splunk Enterprise Security v4

Page 16: Behavioral Analytics in the SIEM Workflow

• All UBA anomalies now available in ES
• SOC Manager: UBA reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting

Detect and investigate faster using ML integrated with SIEM

Page 17: Attack and Investigation Timelines

Adding content to the timeline (by the Analyst / Investigator):
• Action History. Actions: Search Run; Dashboard Viewed; Panel Filtered; Notable Status Change; Notable Event Suppressed
• Investigator Memo. Memo: Investigator's memos inserted in the desired timeline
• Incident Review. Incident: Notable events from Incident Review

Page 18: Splunk ES - MSSP Partners

Verizon: "Splunk is enabling our next generation platform. With these new capabilities, we are arming our clients with the tools and systems necessary to shift the balance and make it harder for cybercriminals to succeed." Vinny Lee, Director of Product Management, Verizon Enterprise Solutions.

Herjavec Group: "Splunk's solutions are cutting edge - changing the way security teams operate at every level. That is why Splunk is such a key contributor to our security operations center and managed services practice," Robert Herjavec, Founder and CEO, Herjavec Group.

Accenture: "Our alliance with Splunk is another strong example of how Accenture is impacting our clients' businesses with 'new IT.'" Bhaskar Ghosh, Group Chief Executive, Accenture Technology Services.

Page 19: ES Demo

Page 20: What is Splunk UBA?

Page 21: Enterprise Security Ops Challenges

• Threats: External, Insiders, Hidden and/or Unknown
• People: Availability of Security Expertise
• Efficiency: False Positives vs True Positives

Page 22: Splunk UBA: Technology

• Anomaly Detection; Threat Detection
• Unsupervised Machine Learning
• Behaviour Modeling
• Real Time & Big Data Architecture

Page 23: Real-time, Big Data Architecture

Scalable architecture: 500M events/node/day

Page 24: Multi-Entity Behavioral Model

Application, User, Host, Network, Data

Page 25: Evolution

[Figure: detection approaches plotted against complexity. Labels recovered from the slide:]
• Rules - Threshold
• Policy - Threshold
• Policy - Statistics
• Policy - Peer Group Statistics
• Supervised Machine Learning
• Unsupervised Machine Learning

Largest library of unsupervised ML algorithms

Page 26: Designed for a Hunter Analyst

Anomaly Detection: applying ML against behaviour baselines

Page 27: Designed for a SOC Analyst

Threat Detection: ML-driven automated or rules-based anomaly correlation

Page 28: Threats Uncovered

• Account Takeover: Privileged account compromise; Data loss
• Lateral Movement: Pass-the-hash kill chain; Privilege escalation
• Insider Threats: Misuse of credentials; IP theft
• Malware Attacks: Hidden malware activity; Advanced Persistent Threats (APTs)
• Botnets, C&C: Malware beaconing; Data exfiltration
• User & Entity Behavior Analytics: Login credential abuse; Anomalous behaviour

Page 29: Data Sources for UBA

[Figure: data sources grouped by category; the slide marks each source as key or optional. Labels recovered from the slide:]
• Identity/Auth: Active Directory/Windows; Single Sign-on; HR - Identity; VPN
• Activity (N-S, E-W): Web Gateway; Proxy Server; Firewall; DNS, DHCP
• SaaS/Mobile: Box, Salesforce, Dropbox, other SaaS apps; Mobile Devices
• Security Controls: Anti-Malware; DLP; AWS CloudTrail; Endpoint; IDS, IPS, AV
• External Threat Feeds: Threat Intelligence

Page 30: Data Flows: Splunk ES/UBA

[Figure: data flow between Splunk ES and UBA. Labels recovered from the slide:]
• Ingest: API Connector; Syslog; Forwarder
• Splunk platform: Explore, Visualize, Share, Analyze, Dashboards; Query / Results
• UBA output: Threat & Anomaly Data; Threats & Anomalies
• UBA request for additional details: Query / Results
• ES: Notable Events; Risk Scoring Framework; Workflow Management

Page 31: What's New in UBA v2

Page 32: Threat Modeling Framework

Enhanced Threat Detection: threat customization using ML-generated anomalies.

Create custom threats using 60+ anomalies. Examples:
• Compromised Account: Accessed blacklisted domain followed by outgoing connection along with unusual geolocations
• Compromised Device: Beaconing followed by outgoing connections along with unusual geolocations
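One way to express the slide's "followed by" / "along with" threat composition as executable detection logic, added here as an illustration and not Splunk's or UBA's own code; the anomaly kind names, the one-hour window and the sample anomalies are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Anomaly:
    ts: int       # epoch seconds at which the anomaly was raised
    entity: str   # user account or device the anomaly is scored against
    kind: str     # anomaly category (names below are constructed, not UBA's)

# Each threat = an ordered chain ("followed by") plus anomalies that must
# co-occur in the same window ("along with"), mirroring the slide's examples.
THREAT_MODELS = {
    "CompromisedAccount": (("blacklisted_domain", "outgoing_connection"),
                           ("unusual_geolocation",)),
    "CompromisedDevice": (("beaconing", "outgoing_connection"),
                          ("unusual_geolocation",)),
}

def chain_in_order(events, chain):
    """True if the kinds in chain occur in that order (gaps allowed)."""
    want = 0
    for ev in events:
        if want < len(chain) and ev.kind == chain[want]:
            want += 1
    return want == len(chain)

def detect_threats(anomalies, window=3600):
    """Slide a window over each entity's time-sorted anomalies; return sorted (threat, entity) pairs."""
    per_entity = defaultdict(list)
    for a in sorted(anomalies, key=lambda a: a.ts):
        per_entity[a.entity].append(a)
    threats = set()
    for entity, evs in per_entity.items():
        for i, start in enumerate(evs):
            bucket = [e for e in evs[i:] if e.ts - start.ts <= window]
            present = {e.kind for e in bucket}
            for name, (chain, along_with) in THREAT_MODELS.items():
                if present.issuperset(along_with) and chain_in_order(bucket, chain):
                    threats.add((name, entity))
    return sorted(threats)

# Constructed sample: alice and host-42 satisfy a model; bob's chain is in the
# wrong order and host-7's outgoing connection falls outside the window.
SAMPLE = [Anomaly(*row) for row in [
    (1000, "alice", "blacklisted_domain"), (1200, "alice", "unusual_geolocation"),
    (1500, "alice", "outgoing_connection"), (1000, "bob", "outgoing_connection"),
    (1500, "bob", "blacklisted_domain"), (1600, "bob", "unusual_geolocation"),
    (2000, "host-42", "beaconing"), (2400, "host-42", "unusual_geolocation"),
    (2600, "host-42", "outgoing_connection"), (100, "host-7", "beaconing"),
    (200, "host-7", "unusual_geolocation"), (9000, "host-7", "outgoing_connection"),
]]
```

Calling `detect_threats(SAMPLE)` returns only alice and host-42; shrinking the window to 400 seconds suppresses both, which is the knob a SOC would tune against false positives.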

Page 33: Enhanced Threat Detection

30+ new metrics: visibility and baseline metrics for users, devices, applications and protocols; dynamic peer groups; assessment of individual user risk; new/enhanced models: device model, USB activity, unusual activity time, lateral movement, and unusual file access.

User centric, Device centric, Application centric, Protocol centric

Page 34: UBA Demo

Page 35: The 7th Annual Splunk Worldwide Users' Conference

Sept 26-29, 2016, Walt Disney World, Orlando Swan and Dolphin Resorts

• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!

PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

Page 36: Thank You!