Post on 13-Apr-2017
Copyright © 2015 Splunk Inc.
John Stoner Security Strategist
Splunk for Security -‐Your Very Own Splunk
ES Sandbox!
2
Disclaimer
2
During the course of this presentaIon, we may make forward looking statements regarding future events or the expected performance of the company. We cauIon you that such statements reflect our current expectaIons and esImates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in the this presentaIon are being made as of the Ime and date of its live presentaIon. If reviewed aRer its live presentaIon, this presentaIon may not contain current or
accurate informaIon. We do not assume any obligaIon to update any forward looking statements we may make.
In addiIon, any informaIon about our roadmap outlines our general product direcIon and is subject to change at any Ime without noIce. It is for informaIonal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligaIon either to develop the features
or funcIonality described or to include any such feature or funcIonality in a future release.
3
What’s a sandbox?
3
4
What’s a sandbox?
4
• A 100% free, fully featured 15 day trial of Splunk products: Cloud, Light, or ES
• Hosted in AWS • AuthenIcates off of your Splunk account • Has sample data for you to play with • Supports onboarding of your own data
Today’s session: A hands-‐on ac6vity with your very own Enterprise Security sandbox!
5 5
Let’s create a sandbox
7 7
hAps://www.splunk.com/getsplunk/es_sandbox
8 8
9 9
10 10
11 11
12 12
13
Let’s fix a few things! • Saved Search Enablement • Choose a Timezone (Eastern Time) • CorrelaIon Search Enablement
13
14 14
Click Here We want to fix this
15 15
Click Here
16 16
Click Here
Type “30m” and click green
magnifying glass
1
3
Click Here
2
17 17
Click Here
18 18
Click Here
19 19
Pick “Eastern Time”, and save
20 20
21 21
Click Here
22 22
Click Here
23 23
Click Here
24 24
Type “High” to filter
25 25
Click “Enable” for “High or Cri6cal Priority Host with
Malware Detected”
26 26
Click Here
What’s ES anyway?
Machine data contains a definiIve record of all interacIons
Splunk is a very effecIve pladorm to collect, store, and analyze all of that data
Human Machine
Machine Machine
29
Mainframe Data
VMware
Pladorm for Machine Data
Exchange PCI Security
RelaIonal Databases
Mobile Forwarders Syslog / TCP / Other
Sensors & Control Systems
Wire Data
Mobile Intel
Splunk Premium Apps Rich Ecosystem of Apps
MINT
Splunk SoluIons > Easy to Adopt Across Data Sources, Use Cases & ConsumpIon Models
30
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-‐2015. Gartner does not endorse any vendor, product or service depicted in its research publicaIon and not advise technology users to select only those vendors with the highest raIngs or other designaIon. Gartner research publicaIons consist of the opinions of Gartner’s research organizaIon and should not be construed as statements of fact. Gartner disclaims all warranIes, express or implied, with respect to this research, including any warranIes of merchantability or fitness for a parIcular purpose.
2015 Leader and the only vendor to improve its visionary posiIon
2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player
2015
31
App Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network Security
Endpoints
The image cannot be displayed. Your computer may not have
Splunk as the Security Nerve Center
32
ES Fast Facts ● Current version: 3.3 in the sandbox, 4.0 was released at the end of
October! ● Two releases per year ● Content comes from industry experts, market analysis, but most
importantly YOU ● The best of Splunk carries through to ES – flexible, scalable, fast, and
customizable ● ES has its own development team, dedicated support, services
pracIce, and training courses
4.0 not in sandbox…yet
Security Posture
34
Security Posture
34
How do you start and end your day?
35
Key Security Indicators
Sparklines
Editable
How do we get data in?
37
Data comes from…
You can actually do this in the sandbox, if you want.
38
Data Ingest + Common InformaIon Model You’ve got a bunch of systems…
● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-‐zone Linux AV ● Network Sandboxing ● APT ProtecIon
● CIM = Data Normaliza6on
Copyright © 2015 Splunk Inc.
NORMALIZATION?!?
Copyright © 2015 Splunk Inc.
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.
41
Data NormalizaIon is Mandatory for your SOC
“The organizaIon consuming the data must develop and consistently
use a standard format for log normalizaIon.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck crea6ng inves6ga6ve queries
42
43
Free. Supported. Fully documented.
44
CIM Compliant!
Risk Analysis
46
What To Do First? ● Risk provides context ● Risk helps direct analysts
“Risk Analysis is my favorite dashboard for my SOC analysts!”
47 47
Under Advanced Threat click “Risk Analysis”
48 48
KSIs specific to risk
System, User, or Other
SCROLL
49 49
The source of risk score
The score per object
The details
50 50
Risk comes from correlaIon searches or from ad-‐hoc
Threat Intelligence
52 52 Ayack Map
The Challenge: • Industry says Threat Intel is
key to APT ProtecIon • Management wants all
threat intel checked against every system, constantly
• Don’t forget to keep your 15+ threat feeds updated
The SoluIon:
53
Verizon 2015 DBIR
“”…the percentage of indicators unique to only one (outbound
desInaIon) feed…is north of 97% for the feeds we have sampled…”
Threat list aggrega6on = more complete intelligence
54 54
Under Advanced Threat click “Threat Ac6vity”
55 55
SCROLL
KSIs specific to threat
56 56
Threat categories
Threat specifics
57 57
We know about this. Let me tell you the fix.
58 58
Checkbox any line in the “Threat Ac6vity Details”
59 59
Click “Advanced Filter”
60 60
Click “Save” Done on each dashboard with a yellow triangle, this will fix ANY dash with “ppf” error.
61 61
Click Configure, “Data Enrichment” and then “Threat Intelligence
Downloads”
62 62
Various community threat lists
Local ones too
TAXII support
63 63
Click “Malware Domains”
64 64
Various community threat lists
Local ones too
TAXII support
Weight used for risk scoring
Interval
SCROLL for addi6onal config
65 65
Various community threat lists
Local ones too
TAXII support
Hit “back” buAon twice
66 66
Click “Threat Intelligence Audit” under Audit
67 67
Status of downloads
Details including errors
68 68
Click “Threat Ar6facts” under Advanced Threat
69 69
STIX/TAXII feed
Browse through the tabs…
More Advanced Threat
71 71
STIX/TAXII feed
Browse through the tabs…
Inves6gate on your own 6me: Advanced Threat capabili6es worth your while…and all areas
under Security Domains
AddiIonal Reports
73
Auditors / Management / Compliance Says… ● Can you show me <Typical Report>?
● ReporIng is easy in Splunk ● But we have more than 300 standard reports too
74
Click “Reports” under Search
75
Almost 330 reports to use/customize
Incident Response Workflow
77
Click “High or Cri6cal Priority Host with Malware Detected”
78
Checkbox Select the first event
Highly filterable and tag-‐able
79
Click “Edit All Selected”
80
Fill out Status/Owner/Comment, Click Save
Would contain all of your users
81
Confirm that event updates
Click “>” under Ac6ons to see what you can do with
the event
82
Click “>” to view more details on the event
83
Last comment and link to review all acIvity
Every field “pivot-‐able”
84
AutomaIc ayribuIon for asset data
85
Pivot internally within ES, or externally. Customizable.
Drill to Asset Inves6gator
86
Asset data
Customizable Swimlanes
Selectable Time
87
Hold down CTRL or CMD and click mul6ple bars
aligned ver6cally
88
Summarized info from “candlesIcks” selected
Drill to search, make a notable event, share a link
89
Select one or two red “Malware AAacks” bars
90
Drill to search
91
Raw log data in the Search interface is only a click away.
92
“Browser Tab” back to Incident Review
93
Edit the event again and add some more comments…
94
Feel free to add whatever you wish here…click save
95
View the review ac6vity for the event
96
97
Click on “Incident Review Audit” under Audit Many aspects of ES are
audited within the product
98
More users will make this more interesIng…
99
Click on Iden6ty Inves6gator
100
Type “htrapper” in search and click search
Set to “Last 24 hours”
2
1
101
InformaIon about this idenIty
Lookups
103
Select “Data Enrichment”, “Lists and Lookups” under
Configure
104
Many lookups to provide addiIonal context to your data
105
Click on “Demonstra6on Iden66es”
106
We want to add “naughtyuser” to this list because it is showing up in our data.
SCROLL
107
Select last row, right click, and choose “Insert row
below.”
Add whatever you want, but make sure the first column says “naughtyuser”
When done click save
Extra credit: Check your work in IdenIty Center
2
1
108
Ayack & InvesIgaIon Timeline – New to 4.0 Methods to add contents into Imeline :
Action History
Actions : • Search Run • Dashboard Viewed • Panel Filtered • Notable Status Change • Notable Event
Suppressed
Investigator Memo
Memo : - Investigator’s memos inserted in desired timeline
Incident Review
Incident : - Notable events from Incident Review
Analyst / Investigator
109
Next Steps… Play in your ES Sandbox for 15 days Explore some of the areas we didn’t get to cover today
Ask quesIons of your account team An ES 4.0 sandbox should be available soon, help yourself to another sandbox to see the new features
A two hour version of this talk is available at conf.splunk.com
109