Detecting Security Threats from User Authentication Patterns

Transcript of Detecting Security Threats from User Authentication Patterns (13 pages)

Page 1: Detecting Security Threats from User Authentication Patternscse498/2018-01/schedules/all-hands-meetings/notes/01-30... · oSuccessful vs Failed oDevice Types oAuthentications over

From Students…

…to Professionals

The Capstone Experience

Project Plan

Detecting Security Threats from User Authentication Patterns

Team Symantec

Stephen Alfa

Keerthana Kolisetty

Robert Novak

Abby Urbanski

Xiaoyo Wu

Department of Computer Science and Engineering

Michigan State University

Spring 2018

Page 2

Functional Specifications

• The goal of the project is to provide VIP customers with a Splunk add-on and an AWS AMI to visualize operational and security trend information present in log data and to analyze it in near real-time

• Both applications should alert users when suspicious or malicious activity is detected

• Launching and deploying both applications should be frictionless

The Capstone Experience Team Symantec Project Plan Presentation 2

Page 3

Design Specifications

• Create easy-to-read graphs and charts to represent authentication data

  o Successful vs Failed

  o Device Types

  o Authentications over time

• Create premade graphics and searches and allow users to choose which ones to display

• Highlight patterns that could reveal suspicious or malicious activity

The Capstone Experience Team Symantec Project Plan Presentation 3

Page 4

Process Flow

The Capstone Experience Team Symantec Project Plan Presentation 4

• Installation of Splunk/ELK

• User puts certificate in Splunk/ELK UI

• User puts certificate in VIP Reference Client

• Splunk/ELK takes in log data file

• The log data is stored as a CSV/JSON file

• VIP Reference Client pulls VIP log data pertaining to the certificate

• Security Dashboard is created in Splunk/ELK

• Operational Dashboard is created in Splunk/ELK
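The design specification asks for three views of the authentication data (successful vs failed, device types, authentications over time) and for highlighting patterns that could indicate suspicious activity, and the process flow above says the pulled VIP log data lands in Splunk/ELK as a CSV/JSON file. The following Python script is an added example, not part of the project or the slide deck: it parses a constructed JSON-lines sample (field names `timestamp`, `user`, `result`, `device` are assumptions, not the real VIP log schema), computes the three aggregations a dashboard panel would chart, and flags one simple pattern a security panel would highlight: a burst of failed authentications for one user inside a short window, with a note on whether a success followed the burst.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of VIP-style authentication events, one JSON object per
# line. The field names are assumptions for this example, not the VIP schema.
SAMPLE_LOG = """\
{"timestamp": "2018-02-01T09:00:12Z", "user": "alice", "result": "SUCCESS", "device": "mobile"}
{"timestamp": "2018-02-01T09:05:40Z", "user": "bob",   "result": "FAILED",  "device": "desktop"}
{"timestamp": "2018-02-01T09:06:02Z", "user": "bob",   "result": "FAILED",  "device": "desktop"}
{"timestamp": "2018-02-01T09:06:30Z", "user": "bob",   "result": "FAILED",  "device": "desktop"}
{"timestamp": "2018-02-01T09:07:01Z", "user": "bob",   "result": "FAILED",  "device": "desktop"}
{"timestamp": "2018-02-01T09:07:15Z", "user": "bob",   "result": "FAILED",  "device": "desktop"}
{"timestamp": "2018-02-01T09:08:00Z", "user": "bob",   "result": "SUCCESS", "device": "desktop"}
{"timestamp": "2018-02-01T10:15:22Z", "user": "carol", "result": "SUCCESS", "device": "hardware_token"}
{"timestamp": "2018-02-01T10:40:09Z", "user": "alice", "result": "FAILED",  "device": "mobile"}
{"timestamp": "2018-02-01T11:02:45Z", "user": "alice", "result": "SUCCESS", "device": "mobile"}
"""


def parse_events(text):
    """Parse JSON-lines log text into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """The three dashboard aggregations: outcome, device type, per-hour volume."""
    return {
        "by_result": Counter(e["result"] for e in events),
        "by_device": Counter(e["device"] for e in events),
        "per_hour": Counter(e["ts"].strftime("%Y-%m-%dT%H") for e in events),
    }


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag users with >= threshold failed authentications inside one window.

    Uses a two-pointer sweep over each user's sorted failure times and records
    the densest window found. Also notes whether a SUCCESS followed the burst
    within the same window, which is worth surfacing to an analyst.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        bucket = failures if e["result"] == "FAILED" else successes
        bucket[e["user"]].append(e["ts"])

    alerts = []
    for user, times in failures.items():
        best = None
        j = 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[i], times[j - 1])
        if best is None:
            continue
        count, start, end = best
        followed = any(end < t <= end + window for t in successes[user])
        alerts.append({
            "user": user,
            "failures": count,
            "start": start,
            "end": end,
            "success_after_burst": followed,
        })
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for name, counts in summarize(evts).items():
        print(name, dict(counts))
    for alert in find_failure_bursts(evts):
        print("ALERT", alert)
```

In a Splunk or ELK deployment the same three aggregations would be expressed as saved searches feeding the premade panels, and the burst check would become a scheduled search with the threshold and window exposed as parameters, since the right values depend on the customer's normal failure rate (the "false flags" risk noted later in the deck).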

Page 5

Screen Mockup: Pie Chart Panel

The Capstone Experience Team Symantec Project Plan Presentation 5

Page 6

Screen Mockup: Bar Graph Panel

The Capstone Experience Team Symantec Project Plan Presentation 6

Page 7

Screen Mockup: Dashboard in Splunk

The Capstone Experience Team Symantec Project Plan Presentation 7

Page 8

Screen Mockup: Dashboard in ELK

The Capstone Experience Team Symantec Project Plan Presentation 8

Page 9

Technical Specifications

• SOAP (Simple Object Access Protocol) API

• Java

• VIP Reporting Service Client (REST API)

• JavaScript, HTML

• SPL (Search Processing Language)

The Capstone Experience Team Symantec Project Plan Presentation 9

Page 10

System Architecture

The Capstone Experience Team Symantec Project Plan Presentation 10

Page 11

System Components

• Hardware Platforms

  ▪ Amazon Web Services

    o Amazon Machine Images

• Software Platforms / Technologies

  ▪ Splunk

  ▪ Elasticsearch, Logstash, Kibana (ELK)

The Capstone Experience Team Symantec Project Plan Presentation 11

Page 12

Risks

The Capstone Experience Team Symantec Project Plan Presentation 12

• Ability to detect suspicious patterns

  ▪ There is a wide range of threats to detect, and we want to avoid false flags

  ▪ Consult with an experienced security advisor and identify possible threats

• Test Data

  ▪ Real VIP data is necessary to identify accurate threat patterns

  ▪ Get MSU's VIP data

• Consistency between Splunk and ELK

  ▪ Making sure that functionality is consistent between both platforms

  ▪ Develop both applications concurrently

• AWS Servers

  ▪ The possibility of deploying the ELK applications on the AWS server

  ▪ Use AWS documentation and online resources

Page 13

Questions?

The Capstone Experience Team Symantec Project Plan Presentation 13
