Hands-On Security Breakout Session- ES Guided Tour

Posted on 19-Aug-2015


Transcript of Hands-On Security Breakout Session- ES Guided Tour

Copyright © 2015 Splunk Inc.

Hands-On Security

ES Guided Tour

Denver, August 2015


Name: Hyatt Meeting

Access Code: Splunk2015

Safe Harbor Statement

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda

• What is the Splunk App for Enterprise Security?
• Guided Tour
  – General Overview
  – Common Information Model
  – Incident Response Exercise
  – Creating a Correlation Search

Questions?


These won’t work…

*** This is a hands-on session ***

Please use your individual URLs and creds.

Want a walkthrough document? Email brodsky@splunk.com


Thank you!

David Veuve

Machine data contains a definitive record of all Human <-> Machine & Machine <-> Machine interaction.

Splunk is a very effective platform to collect, store, and analyze all of that data.

Platform for Machine Data (slide graphic): Splunk solutions are easy to adopt, with a rich ecosystem of apps across data sources, use cases and consumption models. Data sources shown include mainframe data, VMware, Exchange, PCI, Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, and Stream.


Rapid Ascent in the Gartner MQ for SIEM

Magic Quadrant positions shown for 2011, 2012 and 2013.

2015: The only one that moved along the “vision” axis!

ES Fast Facts

• Version 3.3 of the product is shipping now
• We release at least twice a year and add lots of new content
• Content ideas come from industry experts, market analysis, focus groups, internal brainstorming, but most importantly YOU
• All of the great things about Splunk carry through into ES – this makes it flexible, scalable, fast, and customizable. It leverages everything cool about Splunk.
• ES has its own development team, dedicated support, services practice, and training courses

ES Guided Tour


Log in with your credentials. Use any modern web browser (works better with non-IE).

Click on Security Posture

Launch page for all major sections of the ES app

ES Content dropdowns; Splunk app context

Security Posture

Key Security Indicators (sparklines, editable)

Notable Event info

Common Information Model


Bring up a new tab to http://splunkbase.com and search for “common information model”. Click the first link that comes up.


Type “Fireeye Add On” into this search box and press enter.


CIM Compliant!


Navigate to Security Domains -> Endpoint -> Malware Center


Click on the “Mal/Packer” bar

Various ways to filter data

KSIs and the rest of the dashboard are malware-specific

Raw data coming from Sophos

Various ways to filter data

Click back button

Click on “Hacktool.Rootkit” bar


Raw data coming from SEP/SAV

Same dashboard, different data source


Click on Search -> Pivot


29 security-relevant data models from the CIM (20 shown)

Click on Malware


Click “>” next to Malware Attacks


CIM attributes related to malware

Click Malware Attacks to pivot


Filter Timeframe to Last 60 Minutes

Total count of attacks

Change to Over Time (area)

The time range we selected

Split out by signature with Add Color

Scroll to signature

Can save as report, dashboard panel


Review security domains available


“Access” domain

Click Back


“Endpoint” domain

Click Back


“Network” domain

Click Back


“Identity” domain

Click Back


Searches that rely on this data model

How much of ES can I use?

What else could I onboard?

More searches that rely on this data model

Instructor Only

Risk Analysis


Click “Risk Analysis”


Filterable

KSIs specific to Risk; risk assigned to system, user or other

Sort by object type, scroll

Page through to see other objects

Recent risk assignments and sources (sorted)

Can assign ad-hoc risk to an object

Threat Activity


Click “Threat Activity”

Filterable, down to IoC

KSIs specific to Threat

Category of IoCs; most active threat source

Scroll down…

Specifics about recent threat matches


Configure -> Data Enrichment -> Threat Intelligence Downloads


Open-source and commercial threat sources

TAXII support

Click “sans”

URL to retrieve data from

Weight used for “risk”

How often (12h)

How to parse

Click back button


Click “Threat Artifacts”


Artifact Categories – click different tabs…

STIX feed

Custom feed


Click “Threat Intelligence Audit”


Status of downloads; date of last update

Details on download

Review the Advanced Threat content


Reports


Click “Reports”


Over 330 reports to use or customize

Filter (try “malware”)

Incident Response Workflow


Click “Security Posture”


Click “Threat Activity Seen from Endpoint – Zeus Demo” – you may have to go to page 2 or 3 to see this event.


Throttling turned off for purposes of exercise


Check the checkbox next to the event matching your time range

Click “Edit all selected” after you’ve selected the event

Fill out Status: In Progress. Urgency: High. Owner: <your persona>. Comment: <whatever you want>.


Event updated

Click “>”

Recent activity on event

Ownership

Data from asset framework


Drill down on “115.29.46.99” and select Domain Dossier

Pivot off of everything. Go internal or external. Customize.

Oh look! China!

Click back to Incident Review


Drill down on “115.29.46.99” and select “Web Search as destination”


Lots of data: malicious IP, TCP instead of HTTPS…

Only one internal address, that’s good…

Change to 24 hours

Click back to Incident Review

Drill down on “cgilbert-DC3A297.buttercupgames.com” and select Asset Investigator


Data from asset framework

Configurable Swimlanes

Darker = more events

All happened at about the same time

Change to “Today” if needed

Select “Exec File Activity” vertical bar


“calc.exe” running out of the user profile? Hmmm….

Drill into the raw events


Raw events from Microsoft Sysmon

Splunk automatic field extraction

Type “calc” at the end of the search and hit enter

Raw term search highlighting

Click “>” to see event field mapping


Parent/child relationship. Calc.exe was dropped by PDF Reader.

Looks like Chris Gilbert was reading his email and opened an attachment.

Scroll to the other event

Click “>” to see event field mapping


Parent/child relationship. svchost.exe was dropped by calc.exe.

Click on Image name


Click “New search”


New search for unique pattern in the data…

Click “DestinationIp”


There’s our malicious IP!

We now know that something calling itself “svchost.exe”, dropped by something calling itself “calc.exe”, which was in turn dropped by our PDF reader upon opening a weaponized PDF, is communicating with a “known bad” IP address.

Scroll down…

Click “threat_intel_source”


There’s the threat source it maps to
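The chain just reconstructed by clicking through ES, as an added example that is not from the presentation or from Splunk: constructed Sysmon-style process and network records are walked from the connecting process up through its parents, the destination IP is matched to a constructed threat list carrying its threat_intel_source, and binaries named like Windows system files that run from a user profile are flagged. Field names follow Sysmon; the GUIDs, paths and the 10.0.0.5 address are assumptions.

```python
import ntpath
# Constructed process-creation records (Sysmon EventID 1); GUIDs shortened.
PROCESS_EVENTS = [
    {"ProcessGuid": "P1", "ParentProcessGuid": None,
     "Image": "C:\\Program Files\\PDF Reader\\reader.exe"},
    {"ProcessGuid": "P2", "ParentProcessGuid": "P1",
     "Image": "C:\\Users\\cgilbert\\AppData\\Roaming\\calc.exe"},
    {"ProcessGuid": "P3", "ParentProcessGuid": "P2",
     "Image": "C:\\Users\\cgilbert\\AppData\\Roaming\\svchost.exe"},
    {"ProcessGuid": "P4", "ParentProcessGuid": None,
     "Image": "C:\\Windows\\System32\\svchost.exe"},
]
# Constructed network-connection records (Sysmon EventID 3).
NETWORK_EVENTS = [
    {"ProcessGuid": "P3", "DestinationIp": "115.29.46.99", "DestinationPort": 443},
    {"ProcessGuid": "P4", "DestinationIp": "10.0.0.5", "DestinationPort": 135},
]
# Constructed threat list: indicator -> threat_intel_source, as ES keeps it.
THREAT_LIST = {"115.29.46.99": "sans"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "calc.exe"}

def lineage(process_events, guid):
    """Follow ParentProcessGuid upward; return image paths root-first."""
    by_guid = {e["ProcessGuid"]: e for e in process_events}
    chain = []
    while guid in by_guid:
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain[::-1]

def masquerading(image):
    """True when a Windows system binary name runs outside the system directories."""
    low = image.lower()
    return ntpath.basename(low) in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)

def find_threat_matches(process_events, network_events, threat_list):
    """One finding per connection to a listed IP, carrying the full parent chain."""
    findings = []
    for net in network_events:
        source = threat_list.get(net["DestinationIp"])
        if source is None:
            continue
        chain = lineage(process_events, net["ProcessGuid"])
        findings.append({"DestinationIp": net["DestinationIp"],
                         "threat_intel_source": source, "chain": chain,
                         "masquerading": [p for p in chain if masquerading(p)]})
    return findings

if __name__ == "__main__":
    for f in find_threat_matches(PROCESS_EVENTS, NETWORK_EVENTS, THREAT_LIST):
        print(f["DestinationIp"], f["threat_intel_source"], " <- ".join(reversed(f["chain"])))
```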

We could take this further by investigating email logs, wire data from Chris’s laptop, or access logs to determine how this PDF got stolen, but in the interest of time let’s update our event…

Click back to Incident Review


Select event and “Edit all selected”


Fill out Status: Pending. Urgency: Low. Owner: <your persona>. Comment: <whatever you want>.


Event updated

Click “>”

Click down arrow


Scroll and choose “Reimage Workstation…”


Hit the green button…

Totally fake! But also totally possible.

Click back to Incident Review

Click “Incident Review Audit”

Recent review activity appears in the panels

Click a reviewer name

Detailed review activity scoped to the reviewer you clicked on.

Creating a Correlation Search


Select “Zeus Demo”


Select More -> Reports


Click “Open in Search” for the “Successful Portal Brute Force” report


Returns data if we see a lot of logon attempts followed by access to portal admin pages from a single IP that is on a known threat list
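The three conditions that report combines, as an added example that is not the report’s own search: constructed portal access-log rows are correlated per source IP for many failed logins, a later admin-page hit, and membership in a constructed threat list. The thresholds, paths and addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed portal access-log rows: (epoch seconds, src IP, HTTP status, path).
# Addresses are RFC 5737 documentation ranges; nothing here is real traffic.
ACCESS_LOG = (
    [(1000 + 3 * i, "203.0.113.7", 401, "/portal/login") for i in range(8)]   # 8 failures
    + [(1030, "203.0.113.7", 200, "/portal/login"),                          # then success
       (1042, "203.0.113.7", 200, "/portal/admin/users"),                    # then admin page
       (1005, "198.51.100.9", 401, "/portal/login"),                         # one failure only
       (1009, "198.51.100.9", 200, "/portal/admin/users")]
    + [(1100 + 2 * i, "192.0.2.44", 401, "/portal/login") for i in range(12)]  # no admin access
)
# Constructed threat list; 198.51.100.9 is deliberately not on it.
THREAT_IPS = {"203.0.113.7", "192.0.2.44"}

def successful_portal_brute_force(rows, threat_ips, min_failures=5, window=900):
    """One hit per src IP that (1) is on the threat list, (2) produced at least
    min_failures failed logins and (3) then reached an admin page within window
    seconds of the last failure. Thresholds are assumptions, not the report's."""
    by_ip = defaultdict(list)
    for ts, ip, status, path in sorted(rows):
        by_ip[ip].append((ts, status, path))
    hits = []
    for ip, events in by_ip.items():
        if ip not in threat_ips:
            continue
        failures = [ts for ts, st, path in events if path == "/portal/login" and st == 401]
        if len(failures) < min_failures:
            continue
        last_fail = failures[-1]
        admin = [ts for ts, st, path in events
                 if st == 200 and path.startswith("/portal/admin/")
                 and last_fail < ts <= last_fail + window]
        if admin:
            hits.append({"src": ip, "failed_logins": len(failures),
                         "first_admin_access": admin[0]})
    return hits

if __name__ == "__main__":
    print(successful_portal_brute_force(ACCESS_LOG, THREAT_IPS))
```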


We COULD select this text, copy it, and use it in a correlation search…but let’s make it easy.


Go back to the Enterprise Security app


Select “Custom Searches” under Configure -> General


~200 correlation searches, KSIs, swimlanes, etc.

Click “new”


Click “Correlation Search”


We’re going to fill out this form…but sit tight.


Second half of the form after scroll down

How to assign risk

Other actions of interest (like Stream Capture)


Click the link!

Then click save…

Return to Incident Review


Search for events owned by you (remove All)


Note custom description

Q & A (next slides please…)

The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015, The MGM Grand Hotel, Las Vegas

• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
  – Get Splunk Certified
  – Get CPE credits for CISSP, CAP, SSCP, etc.
  – Save thousands on Splunk education!

Register at: conf.splunk.com


We Want to Hear your Feedback!

After the Breakout Sessions conclude, text Splunk to 878787

And be entered for a chance to win a $100 AMEX gift card!