Hands-On Security Breakout Session- ES Guided Tour

Copyright © 2015 Splunk Inc. Hands-On Security ES Guided Tour Denver, August 2015

Transcript of Hands-On Security Breakout Session- ES Guided Tour

Page 1

Copyright © 2015 Splunk Inc.

Hands-On Security

ES Guided Tour

Denver, August 2015

Page 2

Name: Hyatt Meeting

Access Code: Splunk2015

Page 3

Safe Harbor Statement

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 4

Agenda

What is the Splunk App for Enterprise Security?

Guided Tour
– General Overview
– Common Information Model
– Incident Response Exercise
– Creating a Correlation Search

Questions?

Page 5

These won’t work…

Page 6

*** This is a hands-on session ***

Please use your individual URLs and creds.

Want a walkthrough document? Email [email protected]

Page 7

Thank you!

David Veuve

Page 8

Machine data contains a definitive record of all Human <-> Machine & Machine <-> Machine interaction.

Splunk is a very effective platform to collect, store, and analyze all of that data.

Page 9

Platform for Machine Data (diagram)

Labels shown: Mainframe Data, VMware, Exchange, PCI, Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Stream

Splunk Solutions > Easy to Adopt

Rich Ecosystem of Apps

Across Data Sources, Use Cases and Consumption Models

Page 10

Rapid Ascent in the Gartner MQ for SIEM (chart of positions for 2011, 2012, 2013)

Page 11

2015: The only one that moved along the “vision” axis!

Page 12

ES Fast Facts

• Version 3.3 of the product is shipping now
• We release at least twice a year and add lots of new content
• Content ideas come from industry experts, market analysis, focus groups, internal brainstorming, but most importantly YOU
• All of the great things about Splunk carry through into ES – this makes it flexible, scalable, fast, and customizable. It leverages everything cool about Splunk.
• ES has its own development team, dedicated support, services practice, and training courses

Page 13

ES Guided Tour

Page 14

Log in with your credentials. Use any modern web browser (works better with non-IE).

Page 15

Click on Security Posture

Launch page for all major sections of ES app

ES Content dropdowns

Splunk app context

Page 16

Security Posture

Page 17

Key Security Indicators

Notable Event info

sparklines

editable

Page 18

Common Information Model

Page 19

Bring up a new tab to http://splunkbase.com and search for “common information model”. Click the first link that comes up.

Page 20

Type “Fireeye Add On” into this search box and press enter.

Page 21

Click the FireEye Add On result.

Page 22

CIM Compliant!

Page 23

Navigate to Security Domains -> Endpoint -> Malware Center

Page 24

Click on “Mal/Packer” bar

Various ways to filter data

KSIs and the rest of the dashboard are malware-specific

Page 25

Raw data coming from Sophos

Various ways to filter data

Click back button

Page 26

Click on “Hacktool.Rootkit” bar

Page 27

Raw data coming from SEP/SAV

Same dashboard, different data source

Page 28

Click on Search -> Pivot

Page 29

29 (20 shown) security-relevant data models from CIM

Click on Malware

Page 30

Click “>” next to Malware Attacks

Page 31

CIM attributes related to malware

Click Malware Attacks to pivot

Page 32

Filter Timeframe to Last 60 Minutes

Total count of attacks

Change to over Time (area)

Page 33

The time range we selected

Split out by signature and add color

Page 34

SCROLL to signature

Page 35

Can save as report, dashboard panel

Page 36

Review security domains available

Page 37

“Access” domain

Click Back

Page 38

“Endpoint” domain

Click Back

Page 39

“Network” domain

Click Back

Page 40

“Identity” domain

Click Back

Page 41

Instructor Only

Searches that rely on this data model

How much of ES can I use?

What else could I onboard?

(more) searches that rely on this data model

Page 42

Risk Analysis

Page 43

Click “Risk Analysis”

Page 44

Filterable

KSIs specific to Risk

Risk assigned to system, user or other

Sort by object type, scroll

Page 45

Page through to see other objects

Recent risk assignment and sources, sorted

Page 46

Can assign ad-hoc risk to an object

Page 47

Threat Activity

Page 48

Click “Threat Activity”

Page 49

Filterable, down to IoC

KSIs specific to Threat

Category of IoCs

Most active threat source

Scroll down…

Page 50

Specifics about recent threat matches

Page 51

Configure -> Data Enrichment -> Threat Intelligence Downloads

Page 52

Open-source and commercial threat sources

TAXII support

Click “sans”

Page 53

URL to retrieve data from

Weight used for “risk”

How often (12h)

How to parse

Click back button

Page 54

Click “Threat Artifacts”

Page 55

Artifact Categories – click different tabs…

STIX feed

Custom feed

Page 56

Click “Threat Intelligence Audit”

Page 57

Status of downloads

Date of last update

Details on download

Page 58

Review the Advanced Threat content

Page 59

Reports

Page 60

Click “Reports”

Page 61

Over 330 reports to use or customize

Filter (try “malware”)

Page 62

Incident Response Workflow

Page 63

Click “Security Posture”

Page 64

Click “Threat Activity Seen from Endpoint – Zeus Demo” – you may have to go to page 2 or 3 to see this event.

Page 65

Throttling turned off for purposes of exercise

Page 66

Check the checkbox next to the event matching your timerange

Click “edit all selected” after you’ve selected the event

Page 67

Fill out Status: In Progress. Urgency: High. Owner: <your persona>. Comment: <whatever you want>.

Page 68

Event updated

Click “>”

Page 69

Recent activity on event

Ownership

Data from asset framework

Page 70

Drill down on “115.29.46.99” and select Domain Dossier

Pivot off of everything. Go internal or external. Customize.

Page 71

Oh look! China!

Click back to Incident Review

Page 72

Drill down on “115.29.46.99” and select “Web Search as destination”

Page 73

Lots of data

Malicious IP, TCP instead of HTTPS…

Only one internal address, that’s good…

Change to 24 hours

Click back to Incident Review

Page 74

Drill down on “cgilbert-DC3A297.buttercupgames.com” and select Asset Investigator

Page 75

Data from asset framework

Configurable Swimlanes

Darker = more events

All happened at ~same time

Change to “Today” if needed

Page 76

Select “Exec File Activity” vertical bar

Page 77

“calc.exe” running out of the user profile? Hmmm….

Drill into the raw events

Page 78

Raw events from Microsoft Sysmon

Splunk automatic field extraction

Type “calc” at end of search and hit enter

Page 79

Raw term search highlighting

Click “>” to see event field mapping

Page 80

Parent/child relationship. Calc.exe was dropped by PDF Reader.

Looks like Chris Gilbert was reading his email and opened an attachment.

Scroll to other event

Page 81

Click “>” to see event field mapping

Page 82

Parent/child relationship. svchost.exe was dropped by calc.exe.

Click on Image name

Page 83

Click “New search”

Page 84

New search for unique pattern in the data…

Click “DestinationIp”

Page 85

There’s our malicious IP!

We now know that something calling itself “svchost.exe”, dropped by something calling itself “calc.exe”, which was in turn dropped by our PDF reader upon opening a weaponized PDF, is communicating with a “known bad” IP address.

Scroll down…

Page 86

Click “threat_intel_source”

There’s the threat source it maps to

We could take this further by investigating email logs, wire data from Chris’s laptop, or access logs to determine how this PDF got in, but in the interest of time let’s update our event…

Click back to Incident Review
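The reasoning on the last few slides (walk the Sysmon parent/child links up from the connecting process, then check the destination against threat_intel_source) as an added Python example; this is not Splunk or ES code, and the event records, GUIDs, file paths and threat-list entries below are constructed to mirror the deck's scenario, with only the IP taken from the slides:

```python
"""Reconstruct a Sysmon-style process ancestry and match the leaf process's
connections against a threat list. Added example for the guided tour, not
Splunk or ES code; the events and threat list below are constructed."""

# Constructed Sysmon-like records: EventID 1 = process create, 3 = network connect.
# GUIDs p0..p4 and the paths are hypothetical; the IP is the one shown in the deck.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": "C:\\Program Files\\PDF Reader\\reader.exe"},
    {"EventID": 1, "ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "Image": "C:\\Users\\cgilbert\\AppData\\Local\\Temp\\calc.exe"},
    {"EventID": 1, "ProcessGuid": "p3", "ParentProcessGuid": "p2",
     "Image": "C:\\Users\\cgilbert\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 1, "ProcessGuid": "p4", "ParentProcessGuid": "p0",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 3, "ProcessGuid": "p3", "DestinationIp": "115.29.46.99", "DestinationPort": 80},
    {"EventID": 3, "ProcessGuid": "p4", "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]
# Constructed threat list: indicator -> threat_intel_source name (the source name is a placeholder).
THREAT_LIST = {"115.29.46.99": "sans"}
USER_PROFILE_PREFIX = "c:\\users\\"


def build_tree(events):
    """Map ProcessGuid -> (Image, ParentProcessGuid) from process-create events."""
    return {e["ProcessGuid"]: (e["Image"], e["ParentProcessGuid"])
            for e in events if e["EventID"] == 1}


def ancestry(tree, guid):
    """Walk parent links from guid to the root; returns [leaf, parent, grandparent, ...]."""
    chain, seen = [], set()
    while guid in tree and guid not in seen:
        seen.add(guid)  # guard against cyclic or reused GUIDs
        image, guid = tree[guid]
        chain.append(image)
    return chain


def find_suspicious_connections(events, threat_list):
    """Flag connections to threat-listed IPs made by a binary launched from a user profile."""
    tree = build_tree(events)
    hits = []
    for e in events:
        if e["EventID"] != 3 or e["DestinationIp"] not in threat_list:
            continue
        chain = ancestry(tree, e["ProcessGuid"])
        # chain[0] is the connecting process itself; a system-named binary such as
        # svchost.exe living under C:\Users is the masquerade the deck walks through.
        if chain and chain[0].lower().startswith(USER_PROFILE_PREFIX):
            hits.append({"dest": e["DestinationIp"],
                         "source": threat_list[e["DestinationIp"]],
                         "chain": " -> ".join(reversed(chain))})
    return hits
```

The legitimate svchost.exe (p4) is left alone because its destination is not on the list, and the walk stops at p0, which has no process-create record of its own.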

Page 87

Select event and “Edit all selected”

Page 88

Fill out Status: Pending. Urgency: Low. Owner: <your persona>. Comment: <whatever you want>.

Page 89

Event updated

Click “>”

Page 90

Click down arrow

Page 91

Scroll and choose “Reimage Workstation…”

Page 92

Hit the green button…

Totally fake! But also totally possible.

Click back to Incident Review

Page 93

Click “Incident Review Audit”

Page 94

Recent review activity appears in the panels

Click a reviewer name

Page 95

Detailed review activity scoped to the reviewer you clicked on.

Page 96

Creating a Correlation Search

Page 97

Select “Zeus Demo”

Page 98

Select More -> Reports

Page 99

Click “Open in Search” for the “Successful Portal Brute Force” report

Page 100

Returns data if we see a lot of logon attempts and then access to portal admin pages from a single IP on a known threat list
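The three conditions that report combines (a burst of failed logons, a later admin-page request from the same source, and that source on a threat list) as an added Python example; this is not the ES report's own SPL, and the access-log lines, the failure threshold and the threat-list entries are constructed:

```python
"""Correlation logic behind a 'Successful Portal Brute Force' style search: many
failed logons, then access to a portal admin page, from one source IP that is also
on a threat list. Added example for the guided tour, not the ES search itself;
the access-log lines and the threat list are constructed."""
import re

# Constructed web access log (chronological, simplified combined format).
LOG = """\
203.0.113.7 - - [10/Aug/2015:10:00:01] "POST /portal/login HTTP/1.1" 401 -
203.0.113.7 - - [10/Aug/2015:10:00:02] "POST /portal/login HTTP/1.1" 401 -
203.0.113.7 - - [10/Aug/2015:10:00:03] "POST /portal/login HTTP/1.1" 401 -
203.0.113.7 - - [10/Aug/2015:10:00:04] "POST /portal/login HTTP/1.1" 401 -
203.0.113.7 - - [10/Aug/2015:10:00:05] "POST /portal/login HTTP/1.1" 401 -
203.0.113.7 - - [10/Aug/2015:10:00:09] "POST /portal/login HTTP/1.1" 302 -
203.0.113.7 - - [10/Aug/2015:10:00:12] "GET /portal/admin/users HTTP/1.1" 200 -
198.51.100.4 - - [10/Aug/2015:10:01:00] "POST /portal/login HTTP/1.1" 401 -
198.51.100.4 - - [10/Aug/2015:10:01:05] "GET /portal/admin/users HTTP/1.1" 200 -
192.0.2.9 - - [10/Aug/2015:10:02:00] "GET /portal/admin/users HTTP/1.1" 200 -
10.0.0.8 - - [10/Aug/2015:10:03:00] "POST /portal/login HTTP/1.1" 401 -
"""
# Constructed threat list: src IP -> threat_intel_source name (names are placeholders).
THREAT_LIST = {"203.0.113.7": "sans", "192.0.2.9": "custom"}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(log_text):
    """Yield (src, timestamp, method, uri, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, ts, method, uri, status = m.groups()
            yield src, ts, method, uri, int(status)


def correlate(log_text, threat_list, threshold=5):
    """Return a hit for each admin-page request whose src has already failed to log on
    at least `threshold` times and is on the threat list. Scanning in time order and
    counting only failures seen before the request enforces the 'then' in the report."""
    failures = {}
    hits = []
    for src, ts, method, uri, status in parse(log_text):
        if uri.startswith("/portal/login") and status == 401:
            failures[src] = failures.get(src, 0) + 1
        elif uri.startswith("/portal/admin/") and status == 200:
            if failures.get(src, 0) >= threshold and src in threat_list:
                hits.append({"src": src, "failures": failures[src],
                             "admin_uri": uri, "at": ts,
                             "threat_intel_source": threat_list[src]})
    return hits
```

Only 203.0.113.7 satisfies all three conditions: 198.51.100.4 reached the admin page with a single failure, and 192.0.2.9 is on the list but never brute-forced the login.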

Page 101

We COULD select this text, copy it, and use it in a correlation search…but let’s make it easy.

Page 102

Go back to the Enterprise Security app

Page 103

Select “Custom Searches” under Configure -> General

Page 104

~200 correlation searches, KSIs, Swimlanes, etc.

Click “new”

Page 105

Click “Correlation Search”

Page 106

We’re going to fill out this form…but sit tight.

Page 107

Second half of the form after scrolling down

How to assign risk

Other actions of interest (like Stream Capture)

Page 108

Click the link!

Then click save…

Page 109

Return to Incident Review

Page 110

Search for events owned by you (remove All)

Note custom description

Page 111

Q & A (next slides please…)

Page 112

The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015, The MGM Grand Hotel, Las Vegas

• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
– Get Splunk Certified
– Get CPE credits for CISSP, CAP, SSCP, etc.
– Save thousands on Splunk education!

Register at: conf.splunk.com

Page 113

We Want to Hear your Feedback!

After the Breakout Sessions conclude, text Splunk to 878787

And be entered for a chance to win a $100 AMEX gift card!