Post on 16-Jul-2015
Copyright © 2014 Splunk Inc.
Splunk for Security
Analytics Driven Security for Higher Education
James Brodsky
SE/Security SME, Splunk
Agenda
• Splunk for Security (20 min)
• EDU Case Studies (20 min)
• Demonstration of the Splunk App for Enterprise Security (15 min, time permitting)
• Q & A
Why Splunk for Security?
Machine Data contains a DEFINITIVE RECORD of all Human to Machine and Machine to Machine Interaction.
Splunk ingests, stores, and analyzes all of that data at scale.
Advanced Threats Are Hard to Find
Cyber Criminals, Nation States, Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
• 100%: valid credentials were used
• 40: average # of systems accessed
• 229: median # of days before detection
• 67%: of victims were notified by an external entity
Attackers & Threats have Changed & Matured
• Goal-oriented
• Human directed
• Multiple tools, steps & activities
• New evasion techniques
• Coordinated
• Dynamic, adjust to changes
Threat:
• People: Outsider (organized crime, competitor, nation/state); Insiders (contractor, disgruntled employee)
• Technology: Malware, bots, backdoors, rootkits, zero-day; Exploit kits, password dumper, etc.
• Process: Attack Lifecycle, multi-stage, remote controlled; Threat marketplaces – buy and rent
Modern Security Programs Need More than Technology
Threat (as on the previous slide): People, Technology, Process
Solution:
• Technology: Firewall, Anti-malware, AV, IPS, etc.; Anti-spam, etc.
• Human Intuition and Observation
• Coordination, Collaboration and Counter Measures
New approach to security operations is needed
Threat (as above): goal-oriented, human directed, multiple tools & activities, new evasion techniques, coordinated, dynamic (adjust to changes)
New approach:
• Analyze all data for relevance
• Contextual and behavioral
• Rapid learning and response
• Leverage IOC & Threat Intel
• Share info & collaborate
• Fusion of technology, people & process
What questions could you ask?
• Who is working on Saturdays?
• Who is badging into areas that they’re not supposed to be in?
• Who accessed that server with admin privs over the past year?
• What countries are generating the most inbound traffic? Outbound?
• Which firewalls are passing ports that we’ve never seen before?
• What endpoints are exhibiting beaconing behavior?
• What countries are we communicating with that we don’t do business in/have students registered in?
• What vulns are found on my network and what’s been trying to exploit them?
• Who’s accessing our resources with the same credentials but from different states or countries, at the same time?
• Who is accessing our competitor websites and what’s the risk associated with that?
• Which servers are querying DNS far more than they ever normally do today?
• Which users have downloaded content from known phishing URLs?
• Whose HR data has changed after being infected by malware/visiting a phishing link?
From Alert Based to Analytics Driven Security
Traditional Alert-based Approach   | Additional Analysis Approach
Time & Event based                 | ..and phase, location, more…
Data reduction                     | Data inclusion
Event correlation                  | Multiple/dynamic relationships
Detect attacks                     | Detect attackers
Needle in a haystack               | Hay in a haystack
Power Users, Specialist            | Everyone - Analytics-enabled Team
Spear-phishing – Advanced Analytics Sources
Web Proxy (rarely visited web site; User Name):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
Endpoint Logs (rarely seen service; User Name):
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
Email Server (rarely seen email domain; User Name):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
Time Range: all three occurring within a 24-hour period
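The three-source correlation the slide sketches, as an added Python example (not from the deck or from Splunk): constructed proxy, endpoint and mail records modelled on the slide's samples are parsed, tied to one user, and alerted on only when all three fall inside the 24-hour window and every indicator is absent from an assumed "seen before" baseline. The identity-normalisation rule, the mail field positions and the baseline are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events modelled on the slide's three records (web proxy, endpoint registry
# audit, Exchange message tracking); users, hosts and domains are the slide's placeholders.
PROXY = ('2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET '
         'www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0) User John Doe,"')
ENDPOINT = ('08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 '
            'process_image="\\John Doe\\Device\\HarddiskVolume1\\Windows\\System32\\neverseenbefore.exe"')
MAIL = ('2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,'
        '<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,'
        'Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z')
BASELINE = {"acme.com", "www.acme.com", "explorer.exe", "svchost.exe"}  # assumed "seen before" lookup

def norm_user(name):
    """Assumed identity rule: 'John Doe' and 'johndoe@acme.com' both become 'johndoe'."""
    return name.split("@")[0].replace(" ", "").lower()

def parse_proxy(line):
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    host = re.search(r"GET (\S+)", line).group(1)
    user = re.search(r'User ([^,"]+)', line).group(1)
    return {"src": "proxy", "ts": ts, "user": norm_user(user), "indicator": host}

def parse_endpoint(line):
    ts = datetime.strptime(line[:19], "%m/%d/%Y %H:%M:%S")
    image = re.search(r'process_image="([^"]+)"', line).group(1)
    parts = image.split("\\")  # ['', 'John Doe', 'Device', ..., 'neverseenbefore.exe']
    return {"src": "endpoint", "ts": ts, "user": norm_user(parts[1]), "indicator": parts[-1]}

def parse_mail(line):
    f = line.split(",")  # field positions follow the slide's sample line, not a vendor spec
    ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"src": "mail", "ts": ts, "user": norm_user(f[11]), "indicator": f[17].split("@")[1]}

def correlate(events, baseline=BASELINE, window_hours=24):
    """One user, proxy+endpoint+mail events inside the window, every indicator absent from baseline."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        novel = sorted(e["indicator"] for e in evs if e["indicator"] not in baseline)
        if ({e["src"] for e in evs} == {"proxy", "endpoint", "mail"}
                and span <= timedelta(hours=window_hours) and len(novel) == len(evs)):
            alerts.append({"user": user, "span_hours": round(span.total_seconds() / 3600, 2),
                           "novel": novel})
    return alerts
```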
All Machine Data is Security Relevant
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
16
Servers
Storage
Desktops Email Web
Transac<on Records
Network Flows
DHCP/ DNS
Hypervisor Custom Apps
Physical Access
Badges
Threat Intelligence
Mobile
CMBD
Intrusion Detec<on
Firewall
Data Loss Preven<on
An<-‐Malware
Vulnerability Scans
Authen<ca<on
16
All Machine Data is Security Relevant
Splunk platform (diagram)
• Traditional SIEM
• Report and analyze, custom dashboards, monitor and alert, ad hoc search, developer platform
• Machine Data, real-time or batch: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
• Deployment: Datacenter, Private Cloud, Public Cloud
• External Lookups
Kill Chain Analysis Across Technology/Devices
Connecting the “data-dots” via multiple/dynamic relationships
Data Stores / Applications: Threat Intelligence, Asset & CMDB, Employee Info
Kill chain stages: Delivery, exploit installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data Gathering → Exfiltration → Persist, Repeat
• Threat intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Network Activity/Security: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host Activity/Security: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth - User Roles: Access level, privileged users, likelihood of infection, where they might be in kill chain
Kill Chain Demo Link: https://splunkevents.webex.com/splunkevents/lsr.php?RCID=beec1404b8b7ca27ae25bb418a906259
Where did this info come from?
• ASU, Duke, and [prestigious private university in Boston] have all acknowledged use of Splunk publicly
• Security has been a driving factor for adoption for all three
• I cannot do these justice – they are mere highlights. I thank the Splunkers from these universities profusely
• NONE OF THESE SCHOOLS OFFICIALLY ENDORSE SPLUNK. They have shared this information in the spirit of collaboration.
• Visit below URL for slides and recordings: http://conf.splunk.com
Other Little-Known Security Apps
• Wordstats – Search for data that has significant “shannon entropy” – good for finding, for example, DGA domains
• Phishing Lookup – Compare URLs found in data for known phishing sites
• Sentiment Analysis – Analyze phrases found in data (such as tweets) and determine if they are positive or negative
• SPLICE – Consume IOCs in STIX, CybOX, OpenIOC formats and compare your data to filenames, hashes, domains, URLs, etc. found within
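An added example of the Shannon-entropy idea behind the Wordstats bullet (not the Wordstats app's code): score the registrant-chosen label of each DNS query name and surface the high-entropy ones that DGA-style random names produce. The sample names, the 3.5-bit threshold, the 8-character minimum and the single-label-TLD assumption are constructed for this illustration.

```python
import math
from collections import Counter

def shannon_entropy(text):
    """H = -sum p(c) * log2 p(c) over the characters of text, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in Counter(text).values())

def registrable_label(fqdn):
    """The label worth scoring is the one the registrant chose (second level).
    Assumption: single-label TLDs; co.uk-style suffixes would need a public-suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_domains(domains, threshold=3.5, min_len=8):
    """Return (domain, entropy) pairs above the threshold, highest first.
    Short labels are skipped: entropy is capped at log2(len), so they cannot score high anyway.
    The threshold is an assumed starting value; tune it against your own DNS baseline."""
    scored = []
    for d in domains:
        label = registrable_label(d)
        if len(label) >= min_len:
            scored.append((d, round(shannon_entropy(label), 3)))
    return sorted((s for s in scored if s[1] > threshold), key=lambda s: -s[1])

# Constructed sample of DNS query names: ordinary hostnames plus two DGA-style random labels
# (invented for this example, not observed indicators).
SAMPLE = ["www.splunk.com", "mail.acme.com", "conf.splunk.com", "wikipedia.org",
          "xk3jq9vb2m7zp4wt.com", "q7fzl0wdn2yxsb8hvjm.net"]
```

Entropy alone also flags legitimate hash-like labels (CDN and cloud storage hostnames), so in practice the score is combined with query volume, NXDOMAIN rate and an allow-list before it becomes an alert.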
DMCA Violation Reporting
• DMCA Violations regularly sent via email from industry representatives
• Use Splunk to figure out who had that IP address during the timestamp given (dashboard form searches)
• Use DB Connect or API query of student/employee database to match IP to MAC, and identify system owner
• Notify system owner of copyright violation
We can automate much of this, too.
A large university in the Northeast…
• Student needed more time to prep for an exam, so decided to e-mail in a bomb threat to campus security. “I’m going to blow up the science building…”
• He did this via Tor so as to remain anonymous.
• Campus security worked with security team and FBI to investigate, using Splunk. How?
Search Ideas
• What can provide us with what students are searching? Proxy logs, Wire Data
• Needle in a haystack – who has been searching for “anonymous email” over the past week?
• Once we have an IP or a MAC or both, then continue investigation – we will use DHCP logs, AP logs, and correlating with several structured data sources.
Search Terms against Wire or Proxy Data
• Where else did they go? If we see them “disappear” perhaps https? Tor?
• Downloaded Tor. But we have a MAC address and an IP address…let’s use those to dig further…
Search Terms against AP logs
• Just search the hostname or the MAC we found against AP logs. We can link to residence hall…
Mapping it out
• Where is the residence hall? Simple lookup: provide Splunk with lat/lon of all access points…
Who is it?
• All users of campus network have to register MAC addresses, so…use Splunk DB Connect (DBX) to attach to data warehouse…
10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478
Who is it?
• Now we have context in our search results.
• Let’s correlate network ID with another DB of student info.
In sum…
• Proxy logs or wire data allowed us to look for suspicious search terms and find an IP address doing those searches.
• DHCP logs and AP logs allowed us to find a MAC address associated with those searches.
• Linking the AP logs with geographic data allows us to see where the user was.
• Linking the MAC address with the registration database lets us find a “network ID” that registered the device doing the searching.
• Linking the network ID with the student database allows us to see information about the student.
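The IP-at-a-timestamp to MAC to registered-owner pivot that both the DMCA workflow and this case study rely on, as an added Python example (not the university's or Splunk's searches): a point-in-time lookup over constructed DHCP ACK/RELEASE events joined to a registration export in the slide's MAC,email,hostname,netid layout. The DHCP lines, the second registration row and the assumption that the notice timestamp is already in the DHCP server's time zone are constructed for this illustration.

```python
import csv
import io
from datetime import datetime

# Constructed DHCP server events (invented for this example): time, message, IP, MAC.
DHCP_LOG = """\
2015-03-02T08:15:02 DHCPACK 10.20.30.44 10:dd:b1:b7:eb:a8
2015-03-02T11:40:19 DHCPRELEASE 10.20.30.44 10:dd:b1:b7:eb:a8
2015-03-02T11:41:03 DHCPACK 10.20.30.44 a4:5e:60:12:34:56
2015-03-02T19:02:47 DHCPACK 10.20.30.44 a4:5e:60:12:34:56
"""
# Constructed registration export in the slide's column order: MAC, email, hostname, network ID.
# The first row is the slide's own sample; the second is invented.
REGISTRATION = """\
10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478
A4:5E:60:12:34:56,astudent@myschool.edu,astudent-laptop,as10021
"""

def parse_dhcp(text):
    """Sorted (time, message, ip, mac) tuples; MACs lower-cased so they join with the registration."""
    events = []
    for line in text.splitlines():
        ts, msg, ip, mac = line.split()
        events.append((datetime.fromisoformat(ts), msg, ip, mac.lower()))
    return sorted(events)

def mac_holding(ip, at, events):
    """MAC that held `ip` at `at`: the latest event for that IP not after `at` decides.
    An ACK means that MAC held the lease; a RELEASE (or no event yet) means nobody did."""
    holder = None
    for ts, msg, ev_ip, mac in events:
        if ev_ip == ip and ts <= at:
            holder = mac if msg == "DHCPACK" else None
    return holder

def load_registration(text):
    return {row[0].lower(): {"email": row[1], "hostname": row[2], "netid": row[3]}
            for row in csv.reader(io.StringIO(text))}

def resolve_notice(ip, when, dhcp_text=DHCP_LOG, reg_text=REGISTRATION):
    """Pivot a notice's (IP, timestamp) to the registered owner; None if no lease covered that moment.
    Assumes `when` is already expressed in the DHCP server's time zone."""
    mac = mac_holding(ip, datetime.fromisoformat(when), parse_dhcp(dhcp_text))
    if mac is None:
        return None
    return {"ip": ip, "when": when, "mac": mac, "owner": load_registration(reg_text).get(mac, {})}
```

A released lease, or an IP the server never handed out, resolves to None rather than to the previous holder, which is the mistake a naive "latest MAC seen with this IP" search makes when the notice timestamp falls in a gap.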
Leverage a rich Ecosystem
Security Intelligence platform: Splunk for Enterprise Security plus 200+ security apps/add-ons
• Vendor community: Cisco WSA, ESA, ISE, SF; Palo Alto Networks; FireEye; DShield; DNS; OSSEC; Symantec; ThreatStream; …
• Additional Splunk apps
• Custom apps
Customer and Industry Recognition
• 2800 Security Customers
• Leader in Gartner SIEM MQ
• Industry Awards
Analytics Driven Security – Empowering People and Data
A security intelligence platform should enable any Security Program to leverage Technology, Human Expertise, and Business/IT Processes in the most effective way to deliver on security.
Why Splunk?
Integrated, Holistic & Open
• Single product & data store
• All original machine data is indexed and searchable
• Open platform with API, SDKs, 500+ Apps
Flexible & Empowering
• Schema on read
• Search delivers accurate, faster investigations and detection
• Powerful visualizations and analytics help identify outliers
Simplicity, Speed and Scale
• Fast deployment + ease-of-use = rapid time-to-value
• Runs on commodity hardware, virtualized and/or in the cloud
• Scales as your needs grow
All Your Data in One Place: Increases Collaboration and Partnership, Eliminates Silos & Delivers Proven ROI
Next Steps
• Info, data sheets, white papers, recorded demos at:
Ø Splunk.com > Solutions > Security
Ø Splunk.com > Solutions > Compliance
Ø conf.splunk.com for full EDU presentations
• Try Splunk for free!
Ø Download Splunk at www.splunk.com
Ø Go to Splunk.com > Community > Documentation > Search Tutorial
Ø In 30 minutes you will have imported data, run searches, created reports
Ø Security Apps at https://apps.splunk.com/
• Contact sales team at Splunk.com > About Us > Contact