Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

This session will examine how Intuit is using Splunk to prevent fraud and conduct forensic analysis. We’ll show how Splunk helps Intuit monitor for known fraudsters and fraudulent patterns and then speeds forensic investigations to understand which systems may have been compromised.

Transcript of Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

Understanding Security Issues as Patterns in Data

Mark Seward, Director, Security and Compliance Marketing

A Shift in Attack Vectors

[Chart: attack vectors over time, 1998 to today. Known signature-based threats and attacks give way to unknown behavior-based threats; labels: "Data Explosion ('Big-data')" and "The increasing number of attack signatures"]

Splunk meets the challenge of detecting pattern-based behaviors in a ‘Big-data’ context

• A move to a behavioral approach demands more emphasis on people and less on pure technology

• Behavioral approaches to security require a continuous application of human observation and judgment

• Allows the analyst to take the “actor view” to understand the goals and methods of persistent adversaries

• Requires you to baseline patterns of normal or expected behavior, then select thresholds and triggers that will alert administrators to suspicious activities

Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach

Implementing a Pattern-based Strategy for Security

• Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries

• Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors

Enabling a Pattern-based Strategy for Security

Seek – activity and access patterns that contain the weak signals of a potential threat
Model – implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
Adapt – action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases

Gartner Research © 2010

[Diagram: Security, IT, App Mgmt and Web Analytics data overlapping to give an augmented view of security events]

Security Event Patterns in Context

• View the web analytics data patterns as part of the web application attack

• Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack

• Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance

Security is a Big Data Problem with no boundaries from on-premise to ‘cloud’

• Rules view – Breaking the speed limit
  – If one or more of these things happen, let me know
  – Watches for only what is known
  – No concept of what is ‘normal’

• Patterns view
  – Watches for rhythms in your data over time against what is ‘normal’ (normal will not be static)
  – Takes advantage of ‘weak signals’ from non-traditional security data
  – Watches for what you don’t know
  – Patterns + Analytics enables decisions

How is this Different from Traditional SIEM?

Patterns allow for data to be viewed as a reflection of human behavior over time

Analytics and data patterns in practice

• DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources

• DoS attacks at the application layer target layer 7 and the HTTP protocol

DoS Attacks


• Source addresses usually spoofed – this also means no TCP session establishment possible

• True identity of source very difficult to obtain

• Attacks of significance generally from a botnet

• TCP and UDP most common; ICMP happens as well

Common Anatomy of a Typical DoS

• Client issues an HTTP POST to a server
• Client says “I’m going to post a gig of data.”
• Client sends the host a gig, but only 1 byte per minute
• Service waits for the data transfer
• Usually in just a couple of minutes – La Morte

HTTP Slow POST Attack

Dashboard – HTTP Slow POST

[Dashboard screenshot: Slow Post Attack]

• Host opens a connection to a server but doesn’t send a single byte
• Each connection ties up an Apache process
• Apache waits for the connection timeout to expire, then closes the connection
• Connections fill up the queue faster than they time out
• Default connection queue for Apache is set to 511

Connection Exhaustion Based Attacks

Dashboard – Connection Exhaustion

[Dashboard screenshot: Attacks detected]

Example: Time-based Pattern Detection for Malware Activity Discovery

Pattern: request for download immediately followed by more requests
• Fast requests following the download of a PDF, Java, zip, or exe. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.

Splunk pattern search
• Time-based transactions sorted by length
• source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length
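The search above groups each client's proxy requests into transactions and ranks the longest ones. As an added example (not code from the talk), the same grouping logic in Python over constructed proxy log lines, using the number of requests in a burst in place of len(_raw) as the transaction length:

```python
from datetime import datetime

# Constructed proxy log lines (timestamp, clientip, requested file); not real data.
PROXY_LOG = """\
2011-08-15T10:00:00 10.1.1.5 /docs/invoice.pdf
2011-08-15T10:00:02 10.1.1.5 /cache/a.exe
2011-08-15T10:00:04 10.1.1.5 /cache/b.dll
2011-08-15T10:00:07 10.1.1.5 /cache/c.dat
2011-08-15T10:00:00 10.1.1.9 /docs/report.pdf
2011-08-15T10:05:00 10.1.1.9 /index.html
"""

DOWNLOAD_EXTS = (".pdf", ".exe")  # the file=*.pdf OR file=*.exe subsearch


def parse_proxy(log):
    """Return (time, clientip, path) rows sorted oldest first."""
    rows = []
    for line in log.splitlines():
        ts, ip, path = line.split()
        rows.append((datetime.fromisoformat(ts), ip, path))
    return sorted(rows, key=lambda r: r[0])


def transactions(rows, maxspan=60, maxpause=5):
    """Group per-client requests like `transaction maxspan=60s maxpause=5s clientip`:
    a request joins the client's open group only if it is within maxpause seconds
    of the previous request and within maxspan seconds of the group's first one."""
    open_tx, closed = {}, []
    for ts, ip, path in rows:
        tx = open_tx.get(ip)
        if tx and (ts - tx[-1][0]).total_seconds() <= maxpause \
                and (ts - tx[0][0]).total_seconds() <= maxspan:
            tx.append((ts, ip, path))
        else:
            if tx:
                closed.append(tx)
            open_tx[ip] = [(ts, ip, path)]
    return closed + list(open_tx.values())


def dropper_candidates(log, min_followups=2):
    """Clients whose burst starts with a pdf/exe fetch and goes on to pull more files.
    Returns (clientip, requests_in_burst), longest first, like `sort - Length`."""
    hits = []
    for tx in transactions(parse_proxy(log)):
        files = [path.lower() for _, _, path in tx]
        if files[0].endswith(DOWNLOAD_EXTS) and len(files) - 1 >= min_followups:
            hits.append((tx[0][1], len(files)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    print(dropper_candidates(PROXY_LOG))  # [('10.1.1.5', 4)]
```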

Example: Patterns of Beaconing Hosts to Command and Control

Pattern:
• APT malware ‘beacons’ to command and control at specific intervals

Splunk pattern search
• Watching for hosts that talk to the same URL at the same interval every day
• … | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
• What you’d be looking out for are sites that have a low var(gap) value.
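The same beaconing check as an added example in Python (not code from the talk), run over constructed proxy events: it computes the gap between consecutive requests to each site and flags sites whose var(gap) is low. The max_var and min_count thresholds are assumptions, not values given in the talk.

```python
from datetime import datetime
from statistics import mean, variance

# Constructed proxy events (timestamp, site); the first site calls home every 5 minutes.
PROXY_EVENTS = """\
2011-08-15T09:00:00 update.example.net
2011-08-15T09:05:00 update.example.net
2011-08-15T09:10:00 update.example.net
2011-08-15T09:15:00 update.example.net
2011-08-15T09:00:10 news.example.com
2011-08-15T09:00:45 news.example.com
2011-08-15T09:12:00 news.example.com
2011-08-15T09:40:00 news.example.com
"""


def gaps_by_site(log):
    """Seconds between consecutive requests to each site, i.e. the SPL's
    `streamstats last(_time) as next_time by site | eval gap = next_time - _time`."""
    times = {}
    for line in log.splitlines():
        ts, site = line.split()
        times.setdefault(site, []).append(datetime.fromisoformat(ts))
    gaps = {}
    for site, t in times.items():
        t.sort()
        gaps[site] = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    return gaps


def beacon_stats(log):
    """`stats count avg(gap) var(gap) by site` -> {site: (count, avg_gap, var_gap)}.
    Sites with fewer than two gaps are dropped: sample variance needs two values."""
    return {site: (len(g) + 1, mean(g), variance(g))
            for site, g in gaps_by_site(log).items() if len(g) >= 2}


def suspected_beacons(log, max_var=1.0, min_count=3):
    """Sites contacted at a near-constant interval: low var(gap) over enough requests.
    max_var (seconds^2) and min_count are thresholds assumed here for the example."""
    return sorted(site for site, (n, _avg, var) in beacon_stats(log).items()
                  if n >= min_count and var <= max_var)


if __name__ == "__main__":
    for site, (n, avg, var) in beacon_stats(PROXY_EVENTS).items():
        print(f"{site}: count={n} avg(gap)={avg:.0f}s var(gap)={var:.0f}")
    print(suspected_beacons(PROXY_EVENTS))  # ['update.example.net']
```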

Fraud hand-off to Intuit…

Other Pattern Uses

Intuit, Financial Services Division

Jaime Rodriguez, Senior Fraud Analyst, Intuit

Jaime Rodriguez
• Securing banks and financial institutions since 1999
• Presented and keynoted at numerous Information Security conferences all around the US
• Contributor to a variety of open-source projects related to many of today's most popular security tools

“Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive.”  

Intuit—Financial Services Division
• One of largest providers of outsourced online financial management solutions
• Serving 1800+ financial institutions and 4 million+ end customers
• Applications include:
  - Consumer and business internet banking
  - Electronic bill payment and presentment
  - Personal online financial management
  - Website hosting and development for financial institutions

All of Your Data Is Security Relevant
• Indexing our infrastructure:
  - Cisco firewalls
  - Snort
  - App logs, WebSense
  - TippingPoint, IPS

• Integrating data from outside partners:
  - Known fraud rings
  - Bad IP addresses
  - Bad actors

Splunk Speeds Remediation

• Previously had customized parser
• Searches conducted in batch, taking 3+ hours via cron job
• Reports came in piecemeal across 5000 emails with different syntax
• Only sophisticated (aka highly-paid) users could track patterns

• Splunk provides a single view
• Role-based access provides secure views into data
• Customer service and banking customer teams can begin queries on their own—no waiting for access/permission—no highly paid engineer required
• Results in 5 minutes

From Reactive to Proactive
• Using Splunk for historical analysis
• New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
• As patterns emerge we build alerts when evidence of similar patterns of known fraudsters emerge (SMS, email)
• Showing monthly trending
• We’ve modified our logs to better capture and expose the information we need to see

Splunk for the Ops Team
• Outages unacceptable
• Often caused by unauthorized change
• Splunk tracks changes to pinpoint issues for remediation
• Monitoring throughput and access for each financial institution
  - Usage stats good for re-sell/upsell
• Dashboards show system health and performance—execs love visibility

Truth From The Trenches: Wire Transfers

• Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts

• Splunk exposed every element of our infrastructure that he touched

• Next we could correlate activities based on time to understand his pattern of activity

Truth from the Trenches: Geolocation

• We noticed a similar fraud pattern across 15 banks

• Then we mapped them to see they were within 15 miles of one another

• Fraud was coming from one data processing vendor who they all shared

The World of Compliance

FFIEC
• Federal Financial Institutions Exam Council
• Ensures financial organizations follow uniform principles, standards and methods of reporting
• Splunk empowers auditors to ask—and us to quickly and easily answer—any question

SAS70
• Certification of standard controls, communications mechanisms and monitoring procedures
• Required by many financial services clients
• Subset of Sarbanes-Oxley compliance

PCI
• PCI: Payment Card Industry Data Security Standard
• Promotes trust with customers
• Required by various payment card providers

Getting Started
• Just get started—Splunk is great out of the box for quick and dirty analysis
• It only gets better when you customize it
• Demo Splunk to others—people are amazed at how much data and depth we can get based on pivoting
• Follow the install guide!
• Consider how you’ll expand—and plan in advance for that expansion
• Move to 4.2—it’s fast!

August 15, 2011

Jaime Rodriguez, Intuit