Building an Analytics-Enabled SOC
Transcript of Building an Analytics-Enabled SOC
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
#whoami
Dave Herrald, [email protected] | @daveherrald
- Senior Security Architect, Splunk Security Practice
- 20+ years in IT and security: information security officer, security architect, pen tester, consultant, SE, system/network engineer
- GIAC GSE #79, former SANS Mentor
Agenda
1. A look at traditional security operations
2. Best practices and emerging trends
3. The security ops technology stack
4. Splunk and the Analytics-Driven SOC
Splunk – Leader in Security
Company (NASDAQ: SPLK)
- Founded 2004, first software release in 2006
- HQ: San Francisco / Regional HQ: London, Hong Kong
- Over 2,000 employees, based in 12 countries
Business Model / Products
- Free download to massive scale
- Splunk Enterprise, Splunk Cloud, Splunk Light
- Splunk Enterprise Security, User Behavior Analytics
12,000+ Customers
- Customers in 100 countries
- 80+ of the Fortune 100
- Largest license: over 1 petabyte per day
Splunk: The Platform for Machine Data
[Diagram: developer platform; report and analyze, custom dashboards, monitor and alert, ad hoc search. Data sources shown: online services, web proxy, data loss prevention, storage, desktops, packaged applications, custom applications, databases, call detail records, smartphones and devices, firewall, authentication, file servers, endpoint, email servers, VPN. Lookups shown: threat intelligence, asset & CMDB, employee/HR info, data stores, applications, external lookups, badging records.]
Splunk Security Solutions
Use cases: security & compliance reporting; monitoring of known threats; advanced and unknown threat detection; incident investigations & forensics; fraud detection; insider threat; more…
Products: Splunk Enterprise Security; Splunk App for PCI; security apps & add-ons (wire data, Windows, SIEM integration, RDBMS data from any database); Splunk User Behavior Analytics
[Chart: Source: EY Global Information Security Survey 2015]

How-to guides…
Traditional Security Operations

Traditional Security Program: The Big Picture

It's complicated…

Traditional Security Critical Path
- Risk & Compliance
- Security Architecture
- Security Engineering
- Security Operations (includes SOC)

Security Operations: part of the bigger picture…
Traditional SOC
"Alert triage"
"Alert pipeline"
What is a SOC?
- A place?
- A person or a team?
- A set of practices?
- A set of tools?
Security Operations
The organizational capability to detect and respond to threats.
A SOC by any other name…
The organizational capability to detect and respond to threats.
- VSOC
- Cyber Defense Center
- Cyber Fusion Center
- Cybersecurity Operation Center
- Multifunction NOC/SOC
- Command SOC
- Crew SOC?
Source: https://www.gartner.com/doc/3479617
Three Interrelated Components of Security
- People
- Process
- Technology

Bottom Line
Technology exists to serve people and processes.
Challenges with the Traditional SOC (1): Efficacy

Challenges with the Traditional SOC (2): Staffing

Challenges with the Traditional SOC (3): Silo-ization
Remember this? The critical path: Risk & Compliance, Security Architecture, Security Engineering, Security Operations (includes SOC).

Challenges with the Traditional SOC (4): Cost… and opportunity cost
Trends in Security Operations

New Capabilities in the SOC ("SOC++")
- Alert management
- Incident response (IR/CSIRT)
- Toolchain engineering
- Threat intelligence (consumption and creation)
- Threat hunting
- Vulnerability management
- Red team
What About Managed Security Services?
[Same SOC++ diagram as above: alert management, IR/CSIRT, toolchain engineering, threat intel, hunting, vulnerability management, red team]
Automation in the SOC
- Response – maybe
- Context gathering – definitely
- Automate "Tier 1"
- Places a high premium on toolchain integration
Processes in the SOC
See: https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
Maturing Use of Threat Intelligence
Threat list + raw network data (DNS, web proxy, email, endpoint…) = the "threat list wind tunnel"

Effective Threat Intelligence Consumption
Alerts + threat intel = insight. Insight drives hunting, and hunting yields new detection mechanisms.
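One reading of the "wind tunnel" above, as an added example (not code from the slides or from Splunk): push a threat list through raw DNS and web-proxy records, record every hit, and count how many distinct internal hosts each indicator touches, because an indicator that lights up across much of the fleet is more likely a stale or over-broad list entry than a compromise. The indicators, log records and field names (`query`, `src`, `dest`) are constructed assumptions.

```python
"""Run a threat list through raw network data (the "threat list wind tunnel").

Added example, not from the original slides. Indicators and log records below
are constructed sample data; the field names ("query", "src", "dest") are
assumptions about how parsed DNS and proxy events might look.
"""
from collections import defaultdict

# Constructed threat list: domains and IPs as a feed might supply them.
THREAT_LIST = {
    "domain": {"evil-cdn.example", "bad.example.net"},
    "ip": {"203.0.113.7"},
}

# Constructed DNS and web-proxy records, already parsed into dicts.
DNS_LOGS = [
    {"src": "10.1.1.5", "query": "www.evil-cdn.example"},
    {"src": "10.1.1.9", "query": "mail.corp.example"},
    {"src": "10.1.1.9", "query": "evil-cdn.example."},   # trailing dot, as in zone files
    {"src": "10.1.1.20", "query": "bad.example.net"},
]
PROXY_LOGS = [
    {"src": "10.1.1.5", "dest": "203.0.113.7", "url": "http://203.0.113.7/x"},
    {"src": "10.1.1.7", "dest": "198.51.100.4", "url": "http://cdn.good.example/"},
    {"src": "10.1.1.20", "dest": "203.0.113.7", "url": "http://203.0.113.7/y"},
]


def domain_matches(query, domains):
    """Return the matching indicator if query equals or is a subdomain of one.

    Walks from the full name to its parent domains (a.b.c -> b.c) but stops
    before the bare TLD so that "example" alone never matches.
    """
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def wind_tunnel(threat_list, dns_logs, proxy_logs):
    """Match indicators against raw records.

    Returns (hits, stats): hits is a list of (indicator, src, source_type, record);
    stats maps each indicator to the sorted distinct internal hosts that touched it.
    """
    hits = []
    hosts = defaultdict(set)
    for rec in dns_logs:
        ind = domain_matches(rec["query"], threat_list["domain"])
        if ind:
            hits.append((ind, rec["src"], "dns", rec))
            hosts[ind].add(rec["src"])
    for rec in proxy_logs:
        if rec["dest"] in threat_list["ip"]:
            hits.append((rec["dest"], rec["src"], "proxy", rec))
            hosts[rec["dest"]].add(rec["src"])
    return hits, {k: sorted(v) for k, v in hosts.items()}


def noisy_indicators(stats, max_hosts):
    """Indicators seen from more than max_hosts distinct sources deserve a second
    look before they are allowed to alert: a real C2 domain rarely shows up across
    much of the fleet, a CDN or parked domain on a bad list does."""
    return sorted(ind for ind, hs in stats.items() if len(hs) > max_hosts)


if __name__ == "__main__":
    hits, stats = wind_tunnel(THREAT_LIST, DNS_LOGS, PROXY_LOGS)
    for ind, src, kind, _ in hits:
        print(f"{kind:5} {src:10} -> {ind}")
    print("review before alerting:", noisy_indicators(stats, 1))
```

The host-count threshold is the tunable part: set it from what you know about the environment (a value of 1 is only sensible for a toy data set of a few hosts), and feed the "noisy" list back to whoever curates the threat list rather than silently dropping the indicators.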
Network (Meta)data
- NetFlow (or variant): succinct (5-tuple + traffic size); easy to analyze; good context for the buck; no payload
- PCAP: voluminous; ground truth; lots of storage/overhead; ultimate context; full payload
- Stream/Bro: succinct (5-tuple + traffic size); easily searchable; tune-able, adaptive fidelity; customizable; payload elements
Threat Hunting (Active Defense)
…effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment.
Source: https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

How are SOC Teams Hunting?
- Start with a hypothesis that considers: assets (often crown jewels), threats, vulnerabilities, countermeasures
- Requires lots of data
- Flexible platform to ask/answer questions
- Data science / ML / analytics
Most important, hunters are innovative analysts who understand their threat landscape and their organization well enough to ask the right questions and find the answers.
Data Science, ML, and Analytics

The Security Operations Toolchain
Log Data Platform
- Single source of truth
- Retention and integrity
- Any data source
- Easy correlation
- Automation/integration
- Performant and scalable
- Full fidelity
- Normalized?
- Hunting
- Forensic investigation
- Alerting
- Dashboards
- Visualization
- Analytics (ML?)

Data Normalization is Mandatory for your SOC
"The organization consuming the data must develop and consistently use a standard format for log normalization." – Jeff Bollinger et al., Cisco CSIRT
Your fields don't match? Good luck creating investigative queries.
Asset Inventory and Identity Data
- Often multiple sources of record – that's OK: CMDB, vuln scans, passive detection, DHCP, NAC; Active Directory, LDAP, IAM
- Network diagrams
- Categorization: PCI, ICS, Administrative, Default, …
- Comprehensive yet lightweight and easy to maintain
- Must be easy to correlate to log data
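As an added example for the two toolchain points above (normalization, and asset/identity data with several sources of record); it is not Splunk or Enterprise Security code: two hypothetical firewall formats are mapped to one field set, asset records from several sources are merged with an explicit precedence order, and a single query then runs across both vendors. The log formats, asset records, field names and category labels are constructed.

```python
"""Normalize two firewall log formats into one schema, enrich with a merged asset
inventory, and run a single query across both sources.

Added example, not code from the slides or from Splunk. The two log formats, the
asset records and the field names ("src", "dest", "action", ...) are constructed;
the category labels mirror the ones the slides list (PCI, ICS, Administrative,
Default) but the assignments here are invented.
"""
import re

# Constructed raw events from two hypothetical firewall vendors.
RAW_EVENTS = [
    ("vendorA", "act=deny src=10.1.2.3 dst=10.9.0.5 dpt=3389 proto=tcp"),
    ("vendorA", "act=allow src=10.1.2.3 dst=10.9.0.7 dpt=443 proto=tcp"),
    ("vendorB", "BLOCKED,source_ip=10.1.2.8,destination_ip=10.9.0.5,destination_port=445,protocol=6"),
    ("vendorB", "PERMITTED,source_ip=10.1.2.8,destination_ip=10.9.0.20,destination_port=22,protocol=6"),
]

# Several sources of record for the same assets: the CMDB owns category and
# owner, the vuln scanner knows hostnames, DHCP only knows the current lease.
ASSET_SOURCES = {
    "cmdb": [{"ip": "10.9.0.5", "host": "pos-db01", "category": "pci", "owner": "payments"}],
    "vulnscan": [{"ip": "10.9.0.5", "host": "pos-db01"},
                 {"ip": "10.9.0.7", "host": "plc-gw02", "category": "ics"}],
    "dhcp": [{"ip": "10.9.0.20", "host": "laptop-42"}],
}
SOURCE_PRECEDENCE = ["dhcp", "vulnscan", "cmdb"]   # later entries override earlier ones

ACTION_MAP = {"deny": "blocked", "blocked": "blocked", "allow": "allowed", "permitted": "allowed"}
PROTO_MAP = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}


def normalize(vendor, line):
    """Map a vendor-specific line to the common schema.

    Returns None for lines the parser does not recognise instead of guessing;
    unparsed events should be counted and fixed at the source, not silently lost.
    """
    if vendor == "vendorA":
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        if not {"act", "src", "dst", "dpt", "proto"}.issubset(kv):
            return None
        raw = {"action": kv["act"], "src": kv["src"], "dest": kv["dst"],
               "dest_port": kv["dpt"], "transport": kv["proto"]}
    elif vendor == "vendorB":
        head, *pairs = line.split(",")
        kv = dict(p.split("=", 1) for p in pairs if "=" in p)
        raw = {"action": head, "src": kv.get("source_ip"), "dest": kv.get("destination_ip"),
               "dest_port": kv.get("destination_port"), "transport": kv.get("protocol")}
        if None in raw.values():
            return None
    else:
        return None
    return {
        "action": ACTION_MAP.get(raw["action"].lower(), "unknown"),
        "src": raw["src"], "dest": raw["dest"],
        "dest_port": int(raw["dest_port"]),
        "transport": PROTO_MAP.get(raw["transport"].lower(), raw["transport"].lower()),
        "source_type": vendor,
    }


def build_asset_lookup(sources, precedence):
    """Merge per-source asset records into one dict keyed by IP. Later sources in
    `precedence` override earlier ones field by field; provenance is kept."""
    lookup = {}
    for name in precedence:
        for rec in sources.get(name, []):
            entry = lookup.setdefault(rec["ip"], {"category": "default", "sources": []})
            entry.update({k: v for k, v in rec.items() if k != "ip"})
            entry["sources"].append(name)
    return lookup


def enrich(events, assets):
    """Attach asset context to every normalized event by destination IP."""
    out = []
    for ev in events:
        asset = assets.get(ev["dest"], {"category": "default"})
        out.append({**ev, "dest_host": asset.get("host"),
                    "dest_category": asset["category"], "dest_owner": asset.get("owner")})
    return out


def blocked_to_category(enriched, category):
    """The one query that works across both vendors once the fields line up."""
    return [e for e in enriched if e["action"] == "blocked" and e["dest_category"] == category]


def pipeline(raw_events=RAW_EVENTS, sources=ASSET_SOURCES):
    events = [n for n in (normalize(v, l) for v, l in raw_events) if n]
    return enrich(events, build_asset_lookup(sources, SOURCE_PRECEDENCE))


if __name__ == "__main__":
    for e in blocked_to_category(pipeline(), "pci"):
        print(f"[{e['source_type']}] {e['src']} -> {e['dest_host']} ({e['dest']}):{e['dest_port']} blocked")
```

The precedence list is the part worth arguing about in your own environment: DHCP is the freshest source for which host currently holds an IP, but the CMDB is the authority for category and owner, so it goes last and wins on those fields.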
Case and Investigation Management
- Ticketing system
- Workflow
- Supports prioritization
- Supports collaborative investigation
- Provides metrics
- Supports automation
- Auditable

Common SOC Data Sources
- Firewall
- Network metadata
- Authentication
- Server (Windows/Linux)
- Endpoint (EDR, AV, HD/RAM images)
- IDS/IPS
- VPN
- Application
- Threat intel
- Vulnerability
- Assets and identities
Splunk as the Security Operations Nerve Center

1. Adopt an Adaptive Security Architecture
To prevent, detect, respond and predict, you need:
- Correlation across all security-relevant data
- Insights from existing security architectures
- Advanced analytics techniques such as machine learning
[Diagram: Platform for Operational Intelligence; 4000+ apps and add-ons; Splunk Security Solutions]
2. Threat Intelligence – Splunk Threat Intel Framework
- Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources
- Support for STIX/TAXII, OpenIOC, Facebook and more
- Build your own data to create your own threat intel
- Out-of-the-box Activity and Artifact dashboards
- Prioritize, contextualize and analyze threats, and remediate
Feed sources shown: law enforcement feeds, ISAC feed, agency feeds, commercial service, community feed, open-source feed, other enrichment services
Uses shown: monitor and triage alerts; determine impact on network and assets; use for analysis/IR; collect/provide forensics; use to hunt, uncover and link events; share info with partners
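An added example of the collect, aggregate and de-duplicate step (this is not the Splunk Threat Intel Framework or its code): three constructed feeds deliver overlapping indicators in different habits (defanged URLs, mixed case, trailing dots, duplicates, a malformed IP); each indicator is canonicalized by type, invalid values are rejected rather than stored, provenance is preserved, and indicators corroborated by more than one feed are surfaced for prioritization. The feed names and the record layout are assumptions.

```python
"""Collect, aggregate and de-duplicate threat indicators from several feeds,
keeping provenance.

Added example; not the Splunk Threat Intel Framework or its code. Feed contents,
feed names and the (type, value) record layout are constructed.
"""
import ipaddress
import re

# Constructed feeds. Each delivers indicators in its own habits: defanged URLs,
# mixed case, trailing dots, duplicates, and one malformed entry.
FEEDS = {
    "isac": [
        ("domain", "Evil-CDN.example."),
        ("ip", "203.0.113.7"),
        ("url", "hxxp://bad.example[.]net/login"),
    ],
    "open_source": [
        ("domain", "evil-cdn.example"),
        ("ip", "203.0.113.7"),
        ("ip", "999.1.1.1"),                    # malformed; must be dropped, not stored
        ("hash", "D41D8CD98F00B204E9800998ECF8427E"),
    ],
    "commercial": [
        ("url", "http://bad.example.net/login"),
        ("hash", "d41d8cd98f00b204e9800998ecf8427e"),
        ("domain", "bad.example.net"),
    ],
}


def refang(s):
    """Undo common defanging: hxxp(s):// -> http(s)://, [.] and (.) -> ., [:] -> :"""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def canonicalize(ioc_type, value):
    """Return (type, canonical value), or None when the value is not valid for its type."""
    v = refang(value.strip())
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
        return ("domain", v) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) else None
    if ioc_type in ("ip", "ipv4", "ipv6"):
        try:
            return ("ip", str(ipaddress.ip_address(v)))   # also rejects leading zeros etc.
        except ValueError:
            return None
    if ioc_type == "url":
        scheme, sep, rest = v.partition("://")
        if not sep:
            return None
        host, slash, path = rest.partition("/")
        # Scheme and host are case-insensitive; the path is not, so leave it alone.
        return ("url", f"{scheme.lower()}://{host.lower()}{slash}{path}")
    if ioc_type == "hash":
        v = v.lower()
        return ("hash", v) if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v) else None
    return None


def aggregate(feeds):
    """Merge all feeds into {(type, value): {"sources": [...], "seen": n}}.

    Returns (merged, rejected); rejected keeps (feed, type, raw) so bad entries can
    be reported back to the feed owner instead of vanishing.
    """
    merged, rejected = {}, []
    for feed_name, entries in feeds.items():
        for ioc_type, raw in entries:
            key = canonicalize(ioc_type, raw)
            if key is None:
                rejected.append((feed_name, ioc_type, raw))
                continue
            entry = merged.setdefault(key, {"sources": [], "seen": 0})
            if feed_name not in entry["sources"]:
                entry["sources"].append(feed_name)
            entry["seen"] += 1
    return merged, rejected


def corroborated(merged, min_sources=2):
    """Indicators reported independently by at least min_sources feeds: a cheap
    first cut at the 'prioritize' step before any context is added."""
    return sorted(k for k, v in merged.items() if len(v["sources"]) >= min_sources)


if __name__ == "__main__":
    merged, rejected = aggregate(FEEDS)
    for (t, v), meta in merged.items():
        print(f"{t:6} {v:40} sources={meta['sources']} seen={meta['seen']}")
    print("rejected:", rejected)
    print("corroborated:", corroborated(merged))
```

Dedupe only works after canonicalization: without it the three spellings of bad.example.net/login above are three indicators with one source each, and the same hit gets triaged three times.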
3. Use Advanced Analytics – Native ML and UBA
- Simplify detection and focus on real alerts
- Accelerate anomaly and threat detection – minimize attacks and insider threat
- Use the Machine Learning Toolkit: solutions to suit your workflow
- Premium machine learning solution, User Behavior Analytics: flexible workflows for SOC manager, SOC analyst and hunter/investigator within the SIEM

4. Proactively Hunt and Investigate – Considerations
- Organizational maturity
- Domain and product experience
- Tools: network, endpoint, threat intel, access
- Security-relevant data: historical, raw data
- Flexibility and ad hoc
5. Automate Whenever Feasible
[Diagram: app servers, network, threat intelligence, firewall, internal network security and endpoints feeding Splunk Adaptive Response]
- Use rules and machine learning to automate routine aspects of detection and investigation
- Extract insights from the existing security stack by use of a common interface
- Take actions with confidence for faster decisions and response
- Automate any process along the continuous monitoring, response & analytics cycle
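An added example that combines the "Automation in the SOC" guidance (context gathering: definitely; response: maybe; automate "Tier 1") with the "automate whenever feasible" point above; it is not Splunk Adaptive Response code. Enrichment always runs, a known-scanner pattern is auto-closed, containment fires only above a confidence threshold and never for asset categories a human must own, and everything else goes to the analyst queue. The alerts, lookups, score weights and action names are constructed assumptions.

```python
"""Tier-1 triage automation: always gather context, respond automatically only
under explicit conditions.

Added example; not Splunk Adaptive Response code. Alert fields, lookup tables,
asset categories, score weights and action names are constructed assumptions.
"""

# Constructed lookups standing in for the asset inventory, identity store and
# threat intel a SOC would query at triage time.
ASSETS = {
    "10.5.0.11": {"host": "wkstn-118", "category": "default"},
    "10.5.0.40": {"host": "plc-hmi01", "category": "ics"},
    "10.5.0.70": {"host": "scan-01", "category": "administrative", "role": "vuln_scanner"},
}
IDENTITIES = {
    "jdoe": {"dept": "finance", "privileged": False},
    "svc_scan": {"dept": "secops", "privileged": True},
}
THREAT_INTEL = {"203.0.113.7": {"sources": ["isac", "commercial"]}}

# Categories where automated containment is never allowed without a human:
# isolating a PLC HMI or a payment system has consequences an analyst must own.
NO_AUTO_CONTAIN = {"ics", "pci"}

# Constructed notable events as a correlation engine might emit them.
ALERTS = [
    {"id": 1, "rule_name": "c2_beacon", "rule_severity": "high",
     "src": "10.5.0.11", "dest": "203.0.113.7", "user": "jdoe"},
    {"id": 2, "rule_name": "c2_beacon", "rule_severity": "high",
     "src": "10.5.0.40", "dest": "203.0.113.7", "user": "operator"},
    {"id": 3, "rule_name": "portscan_internal", "rule_severity": "medium",
     "src": "10.5.0.70", "dest": "10.5.0.11", "user": "svc_scan"},
    {"id": 4, "rule_name": "suspicious_powershell", "rule_severity": "low",
     "src": "10.5.0.11", "dest": None, "user": "jdoe"},
]


def gather_context(alert):
    """Enrichment is the step that is always safe to automate: it only reads."""
    asset = ASSETS.get(alert["src"], {"host": None, "category": "unknown"})
    user = IDENTITIES.get(alert.get("user"), {})
    ti = THREAT_INTEL.get(alert.get("dest"))
    return {**alert, "asset": asset, "identity": user,
            "ti_sources": ti["sources"] if ti else [],
            "is_scanner": asset.get("role") == "vuln_scanner"}


def score(ctx):
    """Additive confidence score, 0-100. Weights are illustrative, not tuned."""
    s = 30 * min(len(ctx["ti_sources"]), 2)          # corroborated intel counts more
    s += 20 if ctx["rule_severity"] == "high" else 5
    s += 20 if ctx["identity"].get("privileged") else 0
    return min(s, 100)


def decide(ctx, auto_contain_threshold=80):
    """Return (disposition, actions). Only enrichment is unconditional."""
    if ctx["is_scanner"] and ctx["rule_name"].startswith("portscan"):
        return "auto_close", ["add_note:known_scanner"]
    ctx["score"] = score(ctx)
    actions = ["open_ticket"]
    if ctx["score"] < auto_contain_threshold:
        return "analyst_queue", actions
    if ctx["asset"]["category"] in NO_AUTO_CONTAIN:
        # High confidence, but containment here can stop a process; a human decides.
        return "escalate_urgent", actions + ["page_oncall"]
    return "auto_contain", actions + ["isolate_host", "block_dest"]


def triage(alerts):
    results = []
    for a in alerts:
        ctx = gather_context(a)
        disposition, actions = decide(ctx)
        results.append({"alert_id": a["id"], "host": ctx["asset"]["host"],
                        "disposition": disposition, "actions": actions,
                        "score": ctx.get("score")})
    return results


if __name__ == "__main__":
    for r in triage(ALERTS):
        print(f"#{r['alert_id']} {r['host']}: {r['disposition']} score={r['score']} actions={r['actions']}")
```

Two design points matter more than the weights. First, the auto-close branch is keyed on a specific asset role plus a specific rule family, not on "low severity", so a real attacker scanning from a workstation still reaches an analyst. Second, the NO_AUTO_CONTAIN check sits after the score, so a high-confidence hit on an ICS host is escalated loudly rather than either ignored or acted on blindly; that is the "response – maybe" caveat made explicit in code.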
What is Splunk Enterprise Security?
A collection of frameworks:
- Asset and Identity
- Correlation
- Notable Event
- Threat Intelligence
- Risk Analysis
- Adaptive Response
Splunk Security Partners: https://www.splunk.com/partners/

Customer Success
Building an Intelligence-Driven SOC
Challenges
- Existing SIEM not adequate: struggled to bring in appropriate data
- Unable to perform advanced investigations; severe scale/performance issues
- Looking to build a new SOC with a modern solution
Customer Solution
- Centralized logging of all required machine data at scale, with full visibility
- Retain all relevant data from 10+ data sources, used by 25+ SOC/CSIRT users
- Tailored advanced correlation searches & IR workflow
- Faster and deeper incident investigations
- Greater SOC efficiencies: all SOC/CSIRT working off the same UI/data
- Executive dashboards to measure and manage risk
Citywide SOC for Situational Awareness
Challenges
- Slow responses to security incidents
- Inadequate situational awareness of security events
- Limited threat intelligence
- Disparate logs from over 40 departments were difficult to aggregate
Customer Solution: Splunk Cloud with Enterprise Security
- Real-time, citywide, 24/7 network surveillance
- Stronger protection of digital assets and infrastructure
- Shared threat intelligence with federal agencies
- Reduced headcount and lower operational costs
Build an Insourced SOC in Months
Challenges
- Wide range of security requirements: internal audits (financial, PCI); protect internal info and assets; cloud firewall, DDoS
- Cultural and organizational: security not a priority, outsourced SecOps; information hoarding and data silos
Customer Solution: Splunk Enterprise Security
- Changed culture: security-first mindset with controls
- Detect, prevent and respond to attacks in own environment, with 24/7 security analysis of customers
- Rapid detection and deep investigation
- Detect web app attacks, discover compromised cards
Maturing SOC
Challenges
- Legacy SIEM: unstable, inflexible, clunky
- Limited skilled resources
- High false negatives and false positives
Customer Solution: Splunk Cloud with Enterprise Security
- Developed processes: rule set, naming
- SOC process: playbook, training, automated documentation
- Enabled the SOC to identify patterns of behavior in a single event rather than be bombarded by thousands of low-value incidents
Wrapping Up
- Free Cloud Trial
- Free Software Download
- Free Enterprise Security Sandbox
Get started in minutes – splunk.com

Copyright © 2016 Splunk Inc.

The 8th Annual Splunk Worldwide Users' Conference
SEPT 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C.; CONF.SPLUNK.COM
- 5,000+ IT and Business Professionals
- 175+ Sessions
- 80+ Customer Speakers
PLUS Splunk University
- Three days: Sept 23-25, 2017
- Get Splunk Certified for FREE!
- Get CPE credits for CISSP, CAP, SSCP
Can I play BOTS?
Yes!
- RSA Conference 2017
- Splunk .conf2017
- Online/continuous? Stay tuned
New scenarios and datasets
Resources Cited
- How to Plan, Design, Operate and Evolve a SOC: https://www.gartner.com/doc/3479617
- Crafting the InfoSec Playbook: https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406
- Splunk SOC Advisory Services: https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdf
- Ten Strategies of a World-Class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
- Maturing Workday's SOC with Splunk: https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
- The Five Characteristics of an Intelligence-Driven Security Operations Center: https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-center
- The Who, What, Where, When, Why and How of Effective Threat Hunting: https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
- Exploring the Frameworks of Splunk Enterprise Security: https://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf
Thank you!
[email protected] | @daveherrald