Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• An overview of the Splunk security universe
• Using lookup files to enhance your security posture - A.K.A. threat intelligence
• The Common Information Model
• 6 Windows event IDs to tackle advanced attacks
• "Best of" security related Splunkbase apps
Advanced Threats Are Hard to Find
Cyber Criminals, Nation States, Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
• 100%: valid credentials were used
• 40: average # of systems accessed
• 229: median # of days before detection
• 67%: of victims were notified by an external entity
New approach to security operations is needed
Threat (attack approach):
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security approach:
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
(Diagram: Technology, People, Process)
All Data is Security Relevant = Big Data
Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Additional sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
The Splunk Platform for Security Intelligence
Splunk Enterprise (Core)
Copyright © 2014 Splunk Inc.
200+ apps: Splunk for Security, Splunk-built apps, …
Stream data, Cisco Security Suite, Windows/AD/Exchange, Palo Alto Networks, FireEye, Bit9, DShield, DNS, OSSEC
Put it All Together – Security Maturity Level
Maturity stages, from reactive to proactive: Search and Investigate; Proactive Monitoring and Alerting; Security Situational Awareness; Real-time Risk Insight
Use cases:
• APT detection/hunting (kill chain method)
• Counter threat automation
• Threat intelligence aggregation (internal & external)
• Fraud detection – ATO, account abuse
• Insider threat detection
• Replace SIEM @ lower TCO, increase maturity
• Augment SIEM @ increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing
• Continuous monitoring/evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten discover/detect cycle
• Rapid insight from all data
Security Operations Roles/Functions:
• Fraud analyst
• Threat research/intelligence
• Malware research
• Cyber security/threat
• Security analyst
• CSIRT
• Forensics
• Engineering
• Tier 1 analyst
• Tier 2 analyst
• Tier 3 analyst
• Audit/compliance
Example of Threat Activities - Zeus
• Attacker hacks website (Web Portal), steals .pdf files
• Attacker creates malware, embeds it in a .pdf, emails it to the target (MAIL)
• Target reads email, opens attachment
• .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
• HTTP (web) session to command & control server (WEB)
• Remote control, steal data, persist in company, rent as botnet
• Gain access to system, create additional environment, conduct business (transaction)
Evidence layers: Threat intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security
Use Splunk to Find Evidence
• Search historically - back in time
• Watch for new evidence
• Related evidence from other security devices
Evidence layers: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Advanced Threat Detection & Response
Kill chain phase, where to look, and what to look for:
• Delivery (MAIL, WEB): Web Portal .pdf; events that contain a link to the file
• Exploitation & Installation (host): .pdf, Svchost.exe, Calc.exe; how was the process started? What created the program/process?
• Command & Control (WEB, FW): process making C2 traffic; proxy log C2 communication to blacklist
• Accomplish Mission: gain access to system, create additional environment, conduct business (transaction)
Evidence layers: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Connect the "Data-Dots" to See the Whole Story
Data sources along the kill chain, in order: Threat Intelligence Data; Email Data or Web Data (phishing, download from infected site); Host or ETDR Data; Web or Firewall Data; Threat Intelligence Data; Identity Data
Identity context: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
Connect the "Data-Dots" to See the Whole Story
Kill chain: Delivery, Exploit, Installation; Gain Trusted Access; Exfiltration, Data Gathering, Upgrade (escalate), Lateral movement; Persist, Repeat
What each data layer tells you:
• Threat intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth - User Roles, Corp Context: access level, privileged users, likelihood of infection, where they might be in the kill chain

Security Ecosystem for Coverage and Protection
Kill chain: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission
Sources per layer:
• Threat intelligence: Third-party Threat Intel; Open source blacklist; Internal threat intelligence
• Network Activity/Security: Firewall; IDS/IPS; Vulnerability scanners; Web Proxy; NetFlow; Network
• Host Activity/Security: Endpoint (AV/IPS/FW); Malware detection; PCLM; DHCP; OS logs; Patching
• Auth - User Roles, Corp Context: Active Directory; LDAP; CMDB; Operating System; Database; VPN, AAA, SSO
The Challenge:
• Industry says Threat Intel is key to APT Protection
• Management wants all threat intel checked against every system, constantly
• Don't forget to keep your 15+ threat feeds updated
The Solution:
Verizon 2015 DBIR: "…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…"
Threat list aggregation = more complete intelligence
What can you do with it?
* | lookup threatlist srcip as clientip OUTPUT srcip as srcip threat_type as threat_type | stats count by clientip srcip threat_type | where clientip=srcip
Other options?
• You could use SA-Splice from Splunkbase – deprecated
• Use correlation searches to populate lookup files - outputlookup
• Leverage KV store lookups
• Enterprise Security
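As an added example (not code from the deck), here is a Python rendering of the aggregation-plus-lookup idea above: two constructed feeds are merged into one threat list, the share of indicators present in only one feed is measured, and constructed proxy events are matched the way the lookup search matches clientip against srcip. The feed contents, the event fields and the threat_type labels are all assumptions.

```python
import csv
import io
from collections import Counter

# Two small threat feeds, constructed for this example (not real indicators),
# in the CSV shape a Splunk lookup file uses: srcip,threat_type
FEED_A = """srcip,threat_type
203.0.113.10,c2
203.0.113.11,malware_download
198.51.100.7,scanner
"""
FEED_B = """srcip,threat_type
203.0.113.10,c2
192.0.2.44,phishing
192.0.2.45,c2
"""

# Constructed web proxy events; clientip is the field the lookup is keyed on.
PROXY_EVENTS = [
    {"clientip": "203.0.113.10", "uri": "/gate.php"},
    {"clientip": "10.0.0.5", "uri": "/index.html"},
    {"clientip": "192.0.2.45", "uri": "/beacon"},
    {"clientip": "203.0.113.10", "uri": "/gate.php"},
]

def load_feed(text):
    """Parse one feed into {srcip: threat_type}."""
    return {r["srcip"]: r["threat_type"] for r in csv.DictReader(io.StringIO(text))}

def aggregate(feeds):
    """Merge feeds into one threat list (first feed's type wins on conflict) and
    return it together with the fraction of indicators seen in only one feed."""
    seen, merged = Counter(), {}
    for feed in feeds:
        for ip, ttype in feed.items():
            seen[ip] += 1
            merged.setdefault(ip, ttype)
    return merged, sum(1 for ip in seen if seen[ip] == 1) / len(seen)

def match_events(events, threatlist):
    """Python rendering of: lookup threatlist srcip AS clientip OUTPUT threat_type
    | stats count BY clientip threat_type. Only matching events are counted."""
    counts = Counter()
    for ev in events:
        ttype = threatlist.get(ev["clientip"])
        if ttype is not None:
            counts[(ev["clientip"], ttype)] += 1
    return dict(counts)
```

Calling aggregate() on the two feeds reports that 80% of the indicators exist in a single feed only, and match_events() returns hits for just the two client IPs present in the merged list.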
Data Ingest + Common Information Model
● You've got a bunch of systems…
● How to bring in:
● Network AV
● Windows + OSX AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● CIM = Data Normalization
Data Normalization is Mandatory for your SOC
"The organization consuming the data must develop and consistently use a standard format for log normalization." – Jeff Bollinger et al., Cisco CSIRT
Your fields don't match? Good luck creating investigative queries
tstats and/or pivot – use them!
• Pivot is an excellent interface to explore a dataset you don't know yet – or for a business user
• tstats can search distributed .tsidx files (accelerated DMs)
• Use the search term FROM datamodel=<data model name>
• For example: | tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
• You should expect dramatically faster search results using this method
• Easily the most underrated app on Splunkbase
• Turn every host on your network into a network sniffer!
• Rapidly respond to security events by capturing data at the source
• Highly configurable to capture only data of interest

• Building block for URL manipulation
• Correctly parse URLs and complicated TLDs
• Explore entropy of data
• Also great for DNS investigation
• The domain aaaaa.com has a Shannon entropy score of 1.8 (very low)
• The domain google.com has a Shannon entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon entropy score of 3 (rather high)
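The entropy scoring described above, reproduced as an added example in plain Python (not the URL Toolbox app's own code): shannon_entropy() scores a string over its character frequencies, which lands near the deck's 1.8 and 2.6 for aaaaa.com and google.com, and flag_high_entropy() runs the same score over constructed DNS query log lines. The 3.5 cutoff and the key=value log format are assumptions.

```python
import math
from collections import Counter

def shannon_entropy(s):
    """Shannon entropy (bits per character) of s over its own character
    frequencies; the dot and digits count like any other character."""
    if not s:
        return 0.0
    n, counts = len(s), Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def rank_by_entropy(domains):
    """(domain, score) pairs, most random-looking first."""
    return sorted(((d, shannon_entropy(d)) for d in domains), key=lambda p: -p[1])

# The three domains from the deck.
SLIDE_DOMAINS = [
    "aaaaa.com",
    "google.com",
    "A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com",
]

# Constructed DNS query log lines (not from the deck), key=value fields.
DNS_LOG = [
    "src=10.0.0.12 query=google.com type=A",
    "src=10.0.0.12 query=aaaaa.com type=A",
    "src=10.0.0.30 query=" + SLIDE_DOMAINS[2] + " type=TXT",
]

def flag_high_entropy(log_lines, threshold=3.5):
    """Query names scoring above threshold (an assumed cutoff; tune per environment)."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if shannon_entropy(fields["query"]) > threshold:
            flagged.append(fields["query"])
    return flagged

if __name__ == "__main__":
    for d, score in rank_by_entropy(SLIDE_DOMAINS):
        print(f"{score:.2f}  {d}")
    print("flagged:", flag_high_entropy(DNS_LOG))
```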
Copyright © 2015 Splunk Inc.
Please join the Splunk Slack channel!!! splunk-usergroups.slack.com #general #apac