Insider Threat Visualization - HITB 2007, Kuala Lumpur
Posted 18-Oct-2014, Category: Technology
Transcript of the slide deck "Insider Threat Visualization", HITB 2007, Kuala Lumpur
Insider Threat Visualization
Raffael Marty, GCIA, CISSP
Chief Security Strategist, Splunk>
Hack In The Box - September 07 - Malaysia

Who Am I
• Chief Security Strategist and Product Manager, Splunk>
• Manager Solutions, ArcSight Inc.
• Intrusion Detection Research, IBM Research (http://thor.cryptojail.net)
• IT Security Consultant, PriceWaterhouse Coopers
• Open Vulnerability and Assessment Language (OVAL) board
• Common Event Expression (CEE) founding member
• Passion for Visualization: http://secviz.org, http://afterglow.sourceforge.net
[Book cover: Applied Security Visualization, 2008]
Agenda
• Convicted
• Visualization
• Log Data Processing
• Data to Graph
• AfterGlow and Splunk
• Insider Threat
• Insider Detection Process
• Precursors
• Scoring
• Watch Lists

Goal: Insider Detection Using Visualization
It's Not That Easy
Convicted
In February of 2007, a fairly large information leak case made the news. The scientist Gary Min faces up to 10 years in prison for stealing 16,706 documents and over 22,000 scientific abstracts from his employer, DuPont. The intellectual property he was about to leak to a DuPont competitor, Victrex, was assessed to be worth $400 million. There is no evidence Gary actually turned the documents over to Victrex.

DuPont Case: How It Could Have Been Prevented
What's the answer?

DuPont Case: Log Collection

DuPont Case: Simple Solution

DuPont Case: More Generic Solution
[Diagram: user -> server]
Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who is using AfterGlow?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?

Visualization
• Increase Efficiency
• Answer questions you didn't even know of
• Make Informed Decisions
• Quickly understand thousands of data entries
• Facilitate communication
• Increase response time through improved understanding
Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
• Insiders often have legitimate access to machines and data. You need to log more than the exceptions.
• Insider crimes are often executed on the application layer. You need transaction data and chatty application logs.
• The questions are not known in advance
• Visualization provokes questions and helps find answers
• Dynamic nature of fraud
• Problem for static algorithms
• Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
Visual
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8

Visualizing Log Data
Parsing
• Interpret Data
• Know Data Formats
• Re-use, don't re-invent. Find parsers at http://secviz.org/?q=node/8

Charts - Going Beyond Excel
• Multi-variate graphs
  - Link Graphs
  - TreeMaps
  - Parallel Coordinates
[Figure: a link graph of two IP nodes and a treemap of UDP/TCP traffic split into HTTP, SSH, FTP, DNS, SNMP]
Beyond The Boring Defaults For Link Graphs
[Figure: link graph of two IP nodes, node roles SIP - Name - DIP]

Link Graph Shake Up
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[Figure: the same alert drawn four times with different node roles]
- SIP, Name, DIP: 192.168.10.90, portmap, 192.168.10.255
- SIP, DIP, DPort: 192.168.10.90, 192.168.10.255, 111
- SPort, SIP, DPort: 32859, 192.168.10.90, 111
- Name, SIP, DIP: RPC portmap, 192.168.10.90, 192.168.10.255
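To make the "shake up" concrete, here is an added example (not code from the slides or from AfterGlow) that parses the Snort full-alert shown above into its fields and emits the CSV triples AfterGlow reads, one per choice of node roles. The alert text is the slide's; the layout names, the `user`-free CSV helper and the second-alert test input are constructed.

```python
"""Parse Snort full-format alerts and project them onto AfterGlow CSV rows."""
import re

# The alert from the slide, used as constructed sample input.
SAMPLE_ALERT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
PACKET_RE = re.compile(r"(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) ")

# Node-role layouts from the slide: which alert field becomes source, event, target.
LAYOUTS = {
    "sip-name-dip": ("sip", "name", "dip"),
    "sip-dport-dip": ("sip", "dport", "dip"),
    "sport-sip-dport": ("sport", "sip", "dport"),
    "name-sip-dip": ("name", "sip", "dip"),
}


def parse_alert(text):
    """Return the alert's fields as a dict, or None if header or packet line is missing."""
    fields = {}
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            fields.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), name=m[4])
        elif m := CLASS_RE.search(line):
            fields.update(classification=m[1], priority=int(m[2]))
        elif m := PACKET_RE.search(line):
            fields.update(date=m[1], time=m[2], sip=m[3], sport=int(m[4]),
                          dip=m[5], dport=int(m[6]))
        elif m := PROTO_RE.search(line):
            fields["proto"] = m[1]
    return fields if "sid" in fields and "sip" in fields else None


def _csv_field(value):
    """Quote a field only when it contains a comma or a quote (RFC 4180 style)."""
    s = str(value)
    return '"' + s.replace('"', '""') + '"' if "," in s or '"' in s else s


def to_csv_row(alert, layout):
    """One AfterGlow CSV line (source,event,target) for the chosen node roles."""
    return ",".join(_csv_field(alert[col]) for col in LAYOUTS[layout])


def alerts_to_csv(text, layout):
    """Split an alert file on blank lines and emit one CSV row per parseable alert."""
    rows = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        alert = parse_alert(chunk)
        if alert is not None:          # skip truncated or unrelated chunks
            rows.append(to_csv_row(alert, layout))
    return rows


if __name__ == "__main__":
    for layout in LAYOUTS:
        print(layout, "->", alerts_to_csv(SAMPLE_ALERT, layout))
```

Pipe the output of `alerts_to_csv` into `afterglow -t` to get one graph per layout and compare which node roles make the alert readable.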
TreeMaps
[Figure: treemap of All Network Traffic, UDP/TCP split into HTTP, SSH, FTP, DNS, SNMP; "What is this?" points at SNMP]

TreeMaps Explained
[Figure: the same treemap annotated; labels UDP, TCP, HTTP, SSH, FTP, DNS, SNMP, 8020]
Configuration: Hierarchy: Protocol -> Service; Size: Count; Color: Service
Treemap2 (http://www.cs.umd.edu/hcil/treemap)
What's Splunk?
1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed Federated Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing

The IT Search Engine
[Figure: navigate, search, report, alert, share; sources: Database, App Server, Web Server, Switch, Firewall, Router; data: logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code, activity reports]
digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}

Input CSV for the graph above:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping

AfterGlow
CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher
http://afterglow.sourceforge.net
Why AfterGlow
• Translates CSV into graph description
• Define node and edge attributes
  - color
  - size
  - shape
• Filter and process data entries
  - threshold filter
  - fan-out filter
  - clustering
[Figure: fan-out filter example, Fan Out 3]

Variable and Color
variable=@violation=("Backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

Node Size and Threshold
maxnodesize=1;
size.source=$fields[2];
size=0.5;
sum.target=0;
threshold.source=14;

Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red";
color.target="palegreen";
cluster.source=regex_replace("(\d+)\.\d+")."/8"
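The three property snippets above are terse, so here is an added example (not AfterGlow's own code) that re-implements them in Python: the violation list that colours target nodes, the source threshold with node size taken from the third column and capped by maxnodesize, the /8 clustering via a regex, and the fan-out filter, all feeding a DOT graph that `neato` can render. The CSV rows are constructed sample input and the source/target colouring rules are the slide's.

```python
"""Minimal AfterGlow-style CSV-to-DOT conversion with colour, threshold, cluster and fan-out."""
import re
from collections import Counter, defaultdict

# Constructed "source,target,size" rows, the three-column form AfterGlow accepts.
SAMPLE_CSV = """\
111.10.0.5,Backdoor Access,3
111.10.0.5,Ping,1
111.20.4.9,HackerTool Download,2
10.1.1.7,Patent Access,5
10.1.1.7,Printing Resume,1
10.1.1.8,Ping,1
"""

# variable=@violation=("Backdoor Access", "HackerTool Download");
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, size = line.split(",")
            rows.append((src, dst, int(size)))
    return rows


def color_target(node):
    # color.target="orange" if (grep(/$fields[1]/,@violation)); otherwise palegreen
    return "orange" if node in VIOLATIONS else "palegreen"


def color_source(node):
    # color.source="palegreen" if ($fields[0] =~ /^111/); otherwise red
    return "palegreen" if node.startswith("111") else "red"


def cluster_source(node):
    # cluster.source=regex_replace("(\d+)\.\d+")."/8": collapse a source IP to its first octet
    m = re.match(r"(\d+)\.", node)
    return f"{m.group(1)}/8" if m else node


def fan_out(rows):
    """Distinct targets per source node, the quantity the fan-out filter thresholds on."""
    targets = defaultdict(set)
    for src, dst, _ in rows:
        targets[src].add(dst)
    return {src: len(t) for src, t in targets.items()}


def fan_out_filter(rows, max_fanout):
    """Drop every row whose source connects to more than max_fanout distinct targets."""
    fo = fan_out(rows)
    return [r for r in rows if fo[r[0]] <= max_fanout]


def build_dot(rows, threshold_source=1, cluster=False, maxnodesize=1.0, size=0.5):
    """Emit DOT text; source node width follows the size column, scaled to maxnodesize."""
    if cluster:
        rows = [(cluster_source(s), t, n) for s, t, n in rows]
    count = Counter(s for s, _, _ in rows)        # threshold.source counts rows per source
    weight = defaultdict(int)                     # size.source=$fields[2], summed per source
    for s, _, n in rows:
        weight[s] += n
    keep = [(s, t, n) for s, t, n in rows if count[s] >= threshold_source]
    biggest = max((weight[s] for s, _, _ in keep), default=1)
    out = ['digraph structs {',
           '  graph [label="AfterGlow-style example", fontsize=8];',
           '  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];',
           '  edge [len=1.6];']
    for s in sorted({s for s, _, _ in keep}):
        w = round(maxnodesize * weight[s] / biggest, 2)   # maxnodesize caps the largest node
        out.append(f'  "{s}" [fillcolor="{color_source(s)}", width={w}, height={w}];')
    for t in sorted({t for _, t, _ in keep}):
        out.append(f'  "{t}" [fillcolor="{color_target(t)}", width={size}, height={size}];')
    for s, t in sorted({(s, t) for s, t, _ in keep}):     # one edge per distinct pair
        out.append(f'  "{s}" -> "{t}";')
    out.append('}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rows = parse_csv(SAMPLE_CSV)
    print(build_dot(fan_out_filter(rows, 3), threshold_source=2, cluster=True))
```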
AfterGlow - Splunk

Demo
splunk <command>
splunk search "<search command>" -auth <user>:<pass>

splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
Insider Threat Definition
Current or former employee or contractor who
• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations
[CERT, http://www.cert.org/insider_threat: Definition of an Insider]

Three Types of Insider Threats
[Figure: Fraud, Information Leak, Sabotage]
Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.
Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.
Insider Threat Detection
• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity

Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors

Example precursors:
• Accessing job Web sites such as monster.com
• Sales person accessing patent filings
• Printing files with "resume" in the file name
• Sending emails to 50 or more recipients outside of the company
[Score column as extracted: 1105 3]
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files

Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker

Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
  [Figure: candidate list split by role, Legal and Engineer]
• Where Did the Scores Go?
Visualization for Insider Detection
• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores

Process Improvements
• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity okay for some user roles
  - Malicious activity should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR, etc.)
Tiers of Insiders
[Figure: score scale 0 - 20 - 60 - 80 - 100]
0-20: Nothing to worry about just yet
20-60: On a bad track of going malicious
60-80: Very likely has malicious intentions
80-100: Malicious Insiders
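The detection process, the bucket cap, the role exceptions, the watch list and the tiers above fit together as one pipeline; this added example (not the speaker's tooling) runs it end to end over a few log lines. The `user=` log format, the log lines, the roles and the per-precursor scores are constructed (the slide's own score column is not legible); the bucket names, the 20-point cap and the tier boundaries are the slides'.

```python
"""Precursor scoring for insider detection: buckets, caps, roles, watch list, tiers."""
import re
from collections import defaultdict

MAX_PER_BUCKET = 20      # slide: maximum of 20 points per bucket

# (name, bucket, score, pattern over the log message). Scores are illustrative.
PRECURSORS = [
    ("job site access",         "setup",          5,  re.compile(r"Request: www\.monster\.com")),
    ("resume printed",          "setup",          5,  re.compile(r"lpr .*resume", re.I)),
    ("patent filing access",    "role-dependent", 10, re.compile(r"GET /patents/")),
    ("sudo authorization fail", "never",          10, re.compile(r"Failed to authorize right system\.login\.tty")),
    ("password cracker search", "never",          15, re.compile(r"search\?q=password\+cracker")),
]
# "Malicious activity okay for some user roles": roles for which a precursor does not score.
ROLE_OK = {"patent filing access": {"legal", "engineer"}}

# Constructed line format: "<Mon DD HH:MM:SS> <host> <program> user=<user> <message>"
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \S+ user=(\S+) (.*)$")


def parse_line(line):
    """Return (user, message) for a line in the constructed format, else None."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def tier(score):
    """Map a 0-100 score onto the four tiers from the slide."""
    if score < 20:
        return "Nothing to worry about just yet"
    if score < 60:
        return "On a bad track of going malicious"
    if score < 80:
        return "Very likely has malicious intentions"
    return "Malicious Insiders"


def score_users(lines, roles, watch_list=None):
    """Return {user: {"score", "tier", "hits"}} for every user seen or on the watch list."""
    watch_list = watch_list or {}
    buckets = defaultdict(lambda: defaultdict(int))
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable line: skip it, never abort the run
        user, msg = parsed
        for name, bucket, score, pattern in PRECURSORS:
            if not pattern.search(msg):
                continue
            if roles.get(user) in ROLE_OK.get(name, ()):
                continue                  # legitimate for this user's role
            buckets[user][bucket] += score
            hits[user].append(name)
    result = {}
    for user in set(buckets) | set(watch_list):
        total = sum(min(v, MAX_PER_BUCKET) for v in buckets[user].values())
        total = max(0, min(100, total + watch_list.get(user, 0)))   # watch list boosts/decreases
        result[user] = {"score": total, "tier": tier(total), "hits": hits[user]}
    return result


# Constructed sample log, roles and watch list (HR input) for the demo below.
SAMPLE_LOG = [
    "Apr 04 19:45:29 ws1 privoxy user=raffaelmarty Request: www.google.com/search?q=password+cracker",
    "Apr 04 19:50:02 ws1 privoxy user=raffaelmarty Request: www.monster.com/jobs",
    "Apr 04 20:01:11 ws1 cups user=raffaelmarty lpr resume_2007.doc",
    "Apr 05 08:12:40 ram securityd user=raffaelmarty Failed to authorize right system.login.tty by process /usr/bin/sudo",
    "Apr 05 08:12:41 ram securityd user=raffaelmarty Failed to authorize right system.login.tty by process /usr/bin/sudo",
    "Apr 05 09:00:00 web1 httpd user=raffaelmarty GET /patents/US1234567.pdf",
    "Apr 05 09:05:00 web1 httpd user=abbe GET /patents/US1234567.pdf",
    "Apr 05 09:06:00 ws2 privoxy user=aanna Request: www.monster.com/jobs",
    "this line does not parse",
]
ROLES = {"raffaelmarty": "sales", "abbe": "legal", "aanna": "engineer"}
WATCH_LIST = {"abbe": 10}

if __name__ == "__main__":
    for user, r in sorted(score_users(SAMPLE_LOG, ROLES, WATCH_LIST).items()):
        print(f"{user:14} {r['score']:3}  {r['tier']}  {r['hits']}")
```

Note how the two sudo failures plus the password-cracker search add up to 35 in the "never" bucket but contribute only the 20-point cap, which is what keeps one noisy log source from dominating the candidate list.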
The Insider Finally

Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process

Thank You
www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog
Who Am IChief Security Strategist and Product Manager SplunkgtManager Solutions ArcSight IncIntrusion Detection Research IBM Research
httpthorcryptojailnetIT Security Consultant PriceWaterhouse CoopersOpen Vulnerability and Assessment Language (OVAL) boardCommon Event Expression (CEE) founding memberPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
2
AppliedSecurity
Visualization
2008
AgendaConvicted
Visualization
Log Data Processing
Data to Graph
AfterGlow and Splunk
Insider Threat
Insider Detection Process
Precursors
Scoring
Watch Lists
3
GoalInsider Detection Using
Visualization
Itrsquos Not That Easy
4
ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex
5
DuPont CaseHow It Could Have Been Prevented
6
Whatrsquos the answer
DuPont Case
Log Collection
DuPont CaseSimple Solution
8
DuPont CaseMore Generic Solution
9
user
server
Visualization Questions
bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log
analysis
10
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
AgendaConvicted
Visualization
Log Data Processing
Data to Graph
AfterGlow and Splunk
Insider Threat
Insider Detection Process
Precursors
Scoring
Watch Lists
3
GoalInsider Detection Using
Visualization
Itrsquos Not That Easy
4
ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex
5
DuPont CaseHow It Could Have Been Prevented
6
Whatrsquos the answer
DuPont Case
Log Collection
DuPont CaseSimple Solution
8
DuPont CaseMore Generic Solution
9
user
server
Visualization Questions
bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log
analysis
10
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Itrsquos Not That Easy
4
ConvictedIn February of 2007 a fairly large information leak case made the news The scientist Gary Min faces up to 10 years in prison for stealing 16706 documents and over 22000 scientific abstracts from his employer DuPont The intellectual property he was about to leak to a DuPont competitor Victrex was assessed to be worth $400 million There is no evidence Gary actually turned the documents over to Victrex
5
DuPont CaseHow It Could Have Been Prevented
6
Whatrsquos the answer
DuPont Case
Log Collection
DuPont CaseSimple Solution
8
DuPont CaseMore Generic Solution
9
user
server
Visualization Questions
bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log
analysis
10
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
[Figure: the same treemap shown with two configurations]
Configuration: Hierarchy: Protocol (UDP, TCP)
Configuration: Hierarchy: Protocol -> Service (HTTP, SSH, FTP, DNS, SNMP); Size: Count; Color: Service
Treemap2 (http://www.cs.umd.edu/hcil/treemap/)
What's Splunk?
1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed Federated Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing
19
The IT Search Engine
[Figure: Splunk as the IT search engine: navigate, search, report, alert, share; sources Database, App Server, Web Server, Switch, Firewall, Router; data types logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code, activity reports]
Graph description (Graphviz DOT) generated by AfterGlow:
digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}
from the CSV input:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
AfterGlow
20
CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher
http://afterglow.sourceforge.net
Why AfterGlow
• Translates CSV into graph description
• Define node and edge attributes
- color
- size
- shape
• Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
[Figure: link graph after the fan-out filter, Fan Out: 3]
Variable and Color
variable=@violation=("Backdoor Access","HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"
Node Size and Threshold
maxnodesize=1;
size.source=$fields[2];
size=0.5;
sum.target=0;
threshold.source=14;
Color and Cluster
color.source="palegreen" if ($fields[0]=~/^111/);
color.source="red";
color.target="palegreen";
cluster.source=regex_replace("(\d+)\.\d+")."/8";
AfterGlow - Splunk
22
Demo
splunk <command>
splunk search "<search command>" -auth <user>:<pass>
splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n", $1, $2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
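The "Link Graph Shake Up" slide and the AfterGlow property slides above describe one pipeline: parse an alert into fields, pick a node configuration, and let threshold, fan-out, color and cluster rules shape the graph. The script below is an added example, not AfterGlow's or Splunk's own code; the alert text is the slide's alert plus constructed records, and the filter semantics are this example's own, named after the slide's properties.

```python
"""Added example, not AfterGlow's or Splunk's own code: parse Snort alerts into the
fields the "Link Graph Shake Up" slide uses and emit a Graphviz link graph with the
threshold, fan-out, colour and /8-cluster properties the AfterGlow slides show."""
import re
from collections import Counter, defaultdict

# Constructed sample: the slide's alert plus two more records of the same shape
# (the third uses a local-rule SID and a made-up message so it is plainly synthetic).
SAMPLE_ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:31.004211 192.168.10.90:32859 -> 192.168.10.12:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:1000001:1] constructed SNMP request example [**]
[Classification: Constructed] [Priority: 3]
06/04-15:58:02.771305 10.1.20.2:40112 -> 192.168.10.255:161
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
Len: 32
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]\n"
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\]\n"
    r"(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_snort_alerts(text):
    """Turn Snort 'full' alert records into dicts keyed like the slide's columns."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]


def cluster_slash8(value):
    r"""Same effect as cluster.source=regex_replace("(\d+)\.\d+")."/8": 192.168.10.90 -> 192/8."""
    m = re.fullmatch(r"(\d+)\.\d+\.\d+\.\d+", value)
    return f"{m.group(1)}/8" if m else value


def link_graph(records, columns, threshold=0, fanout=0, cluster=None, color_rules=None):
    """Build the edge list and node colours of a source -> event -> target link graph.

    columns      node configuration from the slide, e.g. ("sip", "name", "dip")
    threshold    keep a source only if it occurs at least this often (threshold.source)
    fanout       keep a source only if it reaches at least this many distinct targets
    cluster      function applied to the source value (cluster.source)
    color_rules  {"source"|"event"|"target": fn(value, record) -> colour or None}
    The filter semantics are this example's own, named after the slide's properties.
    """
    src_col, evt_col, tgt_col = columns
    triples = []
    for rec in records:
        src = cluster(rec[src_col]) if cluster else rec[src_col]
        triples.append((src, rec[evt_col], rec[tgt_col], rec))
    src_count = Counter(t[0] for t in triples)
    src_targets = defaultdict(set)
    for src, _, tgt, _ in triples:
        src_targets[src].add(tgt)
    rules = color_rules or {}
    edges, colors = set(), {}
    for src, evt, tgt, rec in triples:
        if src_count[src] < threshold or len(src_targets[src]) < fanout:
            continue  # source node dropped by the threshold or fan-out filter
        for role, value in (("source", src), ("event", evt), ("target", tgt)):
            rule = rules.get(role)
            chosen = rule(value, rec) if rule else None
            colors[value] = chosen or colors.get(value, "palegreen")  # default colour
        edges.add((src, evt))
        edges.add((evt, tgt))
    return sorted(edges), colors


def to_dot(edges, colors, label="link graph"):
    """Emit Graphviz DOT in the shape of the AfterGlow output shown on the slide."""
    lines = [f'digraph structs {{ graph [label="{label}", fontsize=8];',
             '  node [shape=ellipse, style=filled, fontsize=10];']
    lines += [f'  "{node}" [fillcolor="{colour}"];' for node, colour in sorted(colors.items())]
    lines += [f'  "{a}" -> "{b}";' for a, b in edges]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_snort_alerts(SAMPLE_ALERTS)
    # The slide's SIP -> Name -> DIP configuration; internal 192.168. sources are
    # coloured palegreen and anything else red, like the color.source rule shown.
    edges, colors = link_graph(
        recs, ("sip", "name", "dip"),
        color_rules={"source": lambda v, r: "palegreen" if v.startswith("192.168.") else "red"},
    )
    print(to_dot(edges, colors, label="SIP -> Name -> DIP"))  # pipe into: neato -Tgif -o test.gif
```

Swapping the `columns` tuple reproduces the four node configurations on the "shake up" slide without re-parsing the alerts.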
Insider Threat Definition
Current or former employee or contractor who
• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations
23
[CERT, http://www.cert.org/insider_threat: Definition of an Insider]
Three Types of Insider Threats
24
[Figure: triangle of Fraud, Information Leak and Sabotage]
Information Theft is concerned with stealing confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.
Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.
Insider Threat Detection
• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
25
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
26
Precursor: score
• Accessing job Web sites such as monster.com: 1
• Sales person accessing patent filings: 10
• Printing files with "resume" in the file name: 5
• Sending emails to 50 or more recipients outside of the company: 3
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
27
Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
28
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
29
[Figure: candidate list grouped by user role, e.g. Legal, Engineer]
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?
30
Visualization for Insider Detection
• Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
- groups of users with similar behavior
- groups of users with similar scores
31
Process Improvements
• Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
- Input from other departments (HR etc.)
32
[Figure: score scale with marks at 0, 20, 60, 80 and 100: 0-20 "Nothing to worry about just yet", 20-60 "On a bad track of going malicious", 60-80 "Very likely has malicious intentions", 80-100 "Malicious Insiders"]
Tiers of Insiders
33
The Insider Finally
34
Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
- The free way to understanding your data
• Insider threat
• Insider detection process
35
Thank You
www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
DuPont CaseMore Generic Solution
9
user
server
Visualization Questions
bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log
analysis
10
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Visualization Questions
bull Who analyzes logsbull Who uses visualization for log analysisbull Who is using AfterGlowbull Have you heard of SecVizorgbull What tools are you using for log
analysis
10
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Visualization
Increase Eciency
Answer questions you didnrsquot even know of
Make Informed Decisions
Quickly understand thousands of data entries Facilitate communication Increase response time through improved
understanding
11
Insider Threat Visualizationbull Huge amounts of data
bull More and other data sources than for the traditional security use-casesbull Insiders often have legitimate access to machines and data You need to log
more than the exceptionsbull Insider crimes are often executed on the application layer You need
transaction data and chatty application logsbull The questions are not known in advance
bull Visualization provokes questions and helps find answersbull Dynamic nature of fraud
bull Problem for static algorithmsbull Bandits quickly adapt to fixed threshold-based detection systemsbull Looking for any unusual patterns
12
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detection
• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores
31
Process Improvements
• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider act
• Maximum of 20 points per bucket
• Using watch lists to boost or decrease scores for specific groups of users
  - Input from other departments (HR, etc.)
32
Tiers of Insiders
Score scale 0 - 20 - 60 - 80 - 100, read left to right:
  0 to 20:   Nothing to worry about just yet
  20 to 60:  On a bad track of going malicious
  60 to 80:  Very likely has malicious intentions
  80 to 100: Malicious insiders
33
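The detection process of slides 26 to 33 carried through end to end: precursors matched against log lines, role exceptions, scores capped at 20 points per bucket, a watch-list adjustment from HR, the score tiers, and the two-column CSV that feeds AfterGlow. This is an added example, not code from the talk or from AfterGlow; the precursor list, scores, log lines, roles and watch-list entry are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BUCKET_CAP = 20   # "Maximum of 20 points per bucket"


@dataclass(frozen=True)
class Precursor:
    name: str
    pattern: str                           # regex matched against each log line
    score: int
    bucket: str                            # minimal / setup / role_dependent / never / insider_act
    legit_roles: frozenset = frozenset()   # roles for which this activity is normal work
    threshold: Optional[int] = None        # if set, regex group 1 must be >= this number


# Hypothetical precursor list modelled on the slide's four examples; scores are made up.
PRECURSORS = [
    Precursor("job site", r"Request: \S*monster\.com", 1, "minimal"),
    Precursor("patent access", r"GET /patents/", 10, "role_dependent",
              legit_roles=frozenset({"legal", "engineer"})),
    Precursor("resume printed", r"print job .*resume", 5, "setup"),
    Precursor("mass external mail", r"recipients=(\d+)", 3, "setup", threshold=50),
    Precursor("password cracker search", r"q=password\+cracker", 10, "never"),
]

# Constructed log lines in a simplified syslog style that carries a user= field.
LOG = """\
Apr 04 19:45:29 proxy Privoxy: user=rmarty Request: www.google.com/search?q=password+cracker
Apr 04 19:46:10 proxy Privoxy: user=rmarty Request: www.google.com/search?q=password+cracker+windows
Apr 04 19:47:55 proxy Privoxy: user=rmarty Request: www.google.com/search?q=password+cracker+download
Apr 04 19:50:02 proxy Privoxy: user=rmarty Request: www.monster.com/jobs
Apr 04 20:01:11 docsrv httpd: user=bsales GET /patents/filing-0042.pdf
Apr 04 20:01:45 docsrv httpd: user=aanna GET /patents/filing-0042.pdf
Apr 04 20:05:00 printsrv cups: user=rmarty print job 'resume_final.doc' accepted
Apr 04 20:10:30 mailgw postfix: user=rmarty external recipients=72
Apr 04 20:11:00 mailgw postfix: user=bsales external recipients=12
"""

ROLES = {"rmarty": "engineer", "bsales": "sales", "aanna": "legal"}   # constructed
WATCH_LIST = {"rmarty": 15}   # constructed HR input: notice of resignation filed


def find_hits(log_lines: List[str], roles: Dict[str, str]) -> List[Tuple[str, Precursor]]:
    """Apply every precursor to every log line and return (user, precursor) hits.
    Activity that is legitimate for the user's role does not count as a precursor."""
    hits = []
    for line in log_lines:
        user_m = re.search(r"user=(\w+)", line)
        if not user_m:
            continue
        user = user_m.group(1)
        for p in PRECURSORS:
            m = re.search(p.pattern, line)
            if not m:
                continue
            if p.threshold is not None and int(m.group(1)) < p.threshold:
                continue
            if roles.get(user) in p.legit_roles:
                continue
            hits.append((user, p))
    return hits


def bucket_points(hits: List[Tuple[str, Precursor]]) -> Dict[str, Dict[str, int]]:
    """Sum scores per user and bucket, capping each bucket at BUCKET_CAP."""
    raw: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for user, p in hits:
        raw[user][p.bucket] += p.score
    return {u: {b: min(v, BUCKET_CAP) for b, v in bs.items()} for u, bs in raw.items()}


def tier(score: int) -> str:
    """Map a 0-100 score onto the 'Tiers of Insiders' scale."""
    if score < 20:
        return "nothing to worry about just yet"
    if score < 60:
        return "on a bad track of going malicious"
    if score < 80:
        return "very likely has malicious intentions"
    return "malicious insider"


def score_users(log_lines: List[str], roles: Dict[str, str],
                watch_list: Dict[str, int]) -> Dict[str, Tuple[int, str]]:
    """Return {user: (score, tier)} for every user in the role table."""
    points = bucket_points(find_hits(log_lines, roles))
    result = {}
    for user in roles:
        total = sum(points.get(user, {}).values()) + watch_list.get(user, 0)
        total = max(0, min(100, total))
        result[user] = (total, tier(total))
    return result


def to_afterglow_csv(hits: List[Tuple[str, Precursor]]) -> str:
    """Emit 'user,precursor' rows: the two-column CSV AfterGlow turns into a link graph."""
    return "\n".join(f"{user},{p.name}" for user, p in hits)


if __name__ == "__main__":
    for user, (score, label) in score_users(LOG.splitlines(), ROLES, WATCH_LIST).items():
        print(f"{user:8} {score:3}  {label}")
```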
The Insider Finally
34
Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process
35
Thank You
www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog
Insider Threat Visualization
• Huge amounts of data
• More and other data sources than for the traditional security use-cases
• Insiders often have legitimate access to machines and data. You need to log more than the exceptions
• Insider crimes are often executed on the application layer. You need transaction data and chatty application logs
• The questions are not known in advance
• Visualization provokes questions and helps find answers
• Dynamic nature of fraud
• Problem for static algorithms
• Bandits quickly adapt to fixed threshold-based detection systems
• Looking for any unusual patterns
12
Visual
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Visualizing Log Data
13
Parsing
Interpret Data
Know Data Formats
Re-use, don't re-invent. Find parsers at http://secviz.org/?q=node/8
Charts - Going Beyond Excel
• Multi-variate graphs
  - Link Graphs
  - TreeMaps
  - Parallel Coordinates
14
[Slide figures: a link graph of two hosts (10.0.0.1 and a second address) and a treemap of traffic by protocol (UDP, TCP) and service (HTTP, SSH, FTP, DNS, SNMP)]
Beyond The Boring Defaults For Link Graphs
15
[Slide figure: the two-host link graph again (10.0.0.1 and a second address), this time with the nodes distinguished by role: Name, SIP, DIP]
Link Graph Shake Up
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
16
The same alert drawn four ways, choosing different fields as source, event and target node:
  SIP -> Name -> DIP:    192.168.10.90 -> portmap -> 192.168.10.255
  SIP -> DIP -> DPort:   192.168.10.90 -> 192.168.10.255 -> 111
  SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
  Name -> SIP -> DIP:    RPC portmap -> 192.168.10.90 -> 192.168.10.255
TreeMaps
17
[Slide figure: treemap of "All Network Traffic", split by protocol (UDP, TCP) and service (HTTP, SSH, FTP, DNS, SNMP), with a callout "What is this?" pointing at the SNMP area]
TreeMaps Explained
18
[Slide figures: two treemaps of the same traffic (UDP, TCP; HTTP, SSH, FTP, DNS, SNMP; port labels 80 and 20)]
Configuration: Hierarchy: Protocol
Configuration: Hierarchy: Protocol -> Service; Size: Count; Color: Service
Treemap2 (http://www.cs.umd.edu/hcil/treemap)
What's Splunk?
1. Universal Real Time Indexing
2. Ad-hoc Search & Navigation
3. Distributed Federated Search
4. Interactive Alerting & Reporting
5. Knowledge Capture & Sharing
19
The IT Search Engine
[Slide figure: Splunk as "The IT Search Engine" (navigate, search, report, alert, share), indexing logs, configurations, metrics, traps & alerts, stack traces, messages, scripts & code and activity reports from databases, app servers, web servers, switches, firewalls and routers]
AfterGlow
20
Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher
CSV input:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
Generated graph description (DOT):
digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}
http://afterglow.sourceforge.net
Why AfterGlow?
• Translates CSV into graph description
• Define node and edge attributes
  - color
  - size
  - shape
• Filter and process data entries
  - threshold filter
  - fan-out filter
  - clustering
21
[Slide figure: fan-out filter illustration, "Fan Out: 3"]
Variable and Color
variable=@violation=("Backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

Node Size and Threshold
maxnodesize=1
size.source=$fields[2]
size=0.5
sum.target=0
threshold.source=14

Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red"
color.target="palegreen"
cluster.source=regex_replace("(\d+)\.\d+")."/8"
AfterGlow - Splunk
22
Demo
splunk <command>
splunk search "<search command>" -auth <user>:<pass>
splunk search 'ipfw | fields + SourceAddress DestinationAddress' -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif
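The data-to-graph path of slides 16 and 20 to 22 as an added Python example (not the talk's code and not AfterGlow itself): the Snort alert is parsed into the four source/event/target layouts from the "shake up" slide, and three-column CSV is turned into DOT while applying the three property snippets above, re-implemented as Python rules rather than run through AfterGlow's property-file parser. The three-column sample rows are constructed; the alert text is the one on the slide.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# The Snort alert from the "Link Graph Shake Up" slide.
SNORT_ALERT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""


def parse_snort_alert(text: str) -> Dict[str, str]:
    """Extract name, SIP, SPort, DIP and DPort from a Snort full-format alert."""
    name = re.search(r"\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\]", text).group(1)
    ips = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)", text)
    sip, sport, dip, dport = ips.groups()
    return {"name": name, "sip": sip, "sport": sport, "dip": dip, "dport": dport}


# The four layouts on the slide: which field becomes source, event and target node.
LAYOUTS = [("sip", "name", "dip"), ("sip", "dip", "dport"),
           ("sip", "sport", "dport"), ("name", "sip", "dip")]


def to_csv_row(fields: Dict[str, str], layout: Tuple[str, str, str]) -> str:
    """One CSV row for AfterGlow; the 'shake up' is just picking a different layout."""
    return ",".join(fields[k] for k in layout)


# The property-file snippets from the slides, re-implemented as Python rules.
VIOLATIONS = ("Backdoor Access", "HackerTool Download")   # variable=@violation=(...)


def color_target(event: str) -> str:
    # color.target="orange" if (grep(/$fields[1]/,@violation)); color.target="palegreen"
    return "orange" if event in VIOLATIONS else "palegreen"


def color_source(src: str) -> str:
    # color.source="palegreen" if ($fields[0] =~ /^111/); color.source="red"
    return "palegreen" if src.startswith("111") else "red"


def cluster_source(src: str) -> str:
    # cluster.source=regex_replace("(\d+)\.\d+")."/8": keep the first octet, append "/8"
    m = re.match(r"(\d+)\.\d+", src)
    return f"{m.group(1)}/8" if m else src


# Constructed three-column rows (source,event,target) to exercise the rules.
SAMPLE_ROWS = [
    "111.2.3.4,Backdoor Access,10.0.0.1",
    "111.2.9.9,Ping,10.0.0.5",
    "192.168.10.90,HackerTool Download,10.0.0.2",
    "8.8.8.8,Ping,10.0.0.3",
]


def afterglow_dot(rows: List[str], threshold_source: int = 1) -> str:
    """source -> event -> target DOT graph with the colouring, clustering and
    threshold rules above. threshold_source drops (clustered) source nodes that occur
    fewer than N times, this example's reading of threshold.source; node colours are
    assigned per edge and the last assignment wins."""
    triples = [tuple(r.split(",", 2)) for r in rows if r.strip()]
    clustered = [(cluster_source(s), s, e, t) for s, e, t in triples]
    src_count = Counter(c for c, _, _, _ in clustered)
    node_color: Dict[str, str] = {}
    edges = []
    for c, s, e, t in clustered:
        if src_count[c] < threshold_source:
            continue
        node_color[c] = color_source(s)        # the rule sees the original field value
        node_color.setdefault(e, "white")      # event nodes: plain default colour
        node_color[t] = color_target(e)
        edges += [(c, e), (e, t)]
    lines = ["digraph structs {", "  node [shape=ellipse, style=filled];"]
    lines += [f'  "{n}" [color="{col}"];' for n, col in node_color.items()]
    lines += [f'  "{a}" -> "{b}";' for a, b in dict.fromkeys(edges)]   # de-dup, keep order
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    alert = parse_snort_alert(SNORT_ALERT)
    for layout in LAYOUTS:
        print(to_csv_row(alert, layout))
    print(afterglow_dot(SAMPLE_ROWS, threshold_source=2))
```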
Insider Threat Definition
Current or former employee or contractor who
• intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that
• targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations
23
[CERT, http://www.cert.org/insider_threat/, Definition of an Insider]
Three Types of Insider Threats
24
[Slide figure: the three types, labelled Fraud, Information Leak and Sabotage]
Information Theft is concerned with stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.
Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Visual
Jun 17 094230 rmarty ifup Determining IP information for eth0Jun 17 094235 rmarty ifup failed no link present Check cableJun 17 094235 rmarty network Bringing up interface eth0 failedJun 17 094238 rmarty sendmail sendmail shutdown succeededJun 17 094238 rmarty sendmail sm-client shutdown succeededJun 17 094239 rmarty sendmail sendmail startup succeededJun 17 094239 rmarty sendmail sm-client startup succeededJun 17 094339 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 094542 rmarty last message repeated 2 timesJun 17 094547 rmarty vmnet-dhcpd DHCPINFORM from 1721648128Jun 17 095602 rmarty vmnet-dhcpd DHCPDISCOVER from 000c29b7b247 via vmnet8Jun 17 095603 rmarty vmnet-dhcpd DHCPOFFER on 1721648128 to 000c29b7b247 via vmnet8NH
Visualizing Log Data
13
Parsing
Interpret DataKnow Data FormatsRe-use donrsquot re-invent Find parsers at httpsecvizorgq=node8
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Charts - Going Beyond Excel
bull Multi-variate graphs- Link Graphs
- TreeMaps
- Parallel Coordinates
14
10001
101202
UDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Beyond The Boring Defaults For Link Graphs
15
10001
101202
NameSIP DIP
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Files
27
Aug 31 155723 [68] ram kCGErrorIllegalArgument CGXGetWindowDepth Invalid window -1Aug 31 155806 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabledAug 31 155806 [68] Hot key operating mode is now all disabledAug 27 102139 ram comappleSecurityServer authinternal failed to authenticate user raaelmartyAug 27 102139 ram comappleSecurityServer Failed to authorize right systemlogintty by process usrbinsudo for authorization created by usrbinsudoApr 04 194529 rmarty Privoxy(b65ddba0) Request wwwgooglecomsearchq=password+cracker
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate List
28
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Roles
29
Legal
Engineer
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursorsbull Apply Precursors to Log Filesbull Visualize Insider Candidate Listbull Introduce User Rolesbull Where Did the Scores Go
30
Visualization for Insider Detectionbull Visualization as a precursor
- analyze data access per user role
- find anomalies in financial transactions
bull Documentation and communication of activity
bull Tuning and analyzing process output
- groups of users with similar behavior- groups of users with similar scores
31
Process Improvementsbull Bucketizing precursors
- Minimal or no impact
- Potential setup for insider crime
- Malicious activity okay for some user roles
- Malicious activity should never happen
- Insider Act
bull Maximum of 20 points per bucket
bull Using watch lists to boost decrease scores for specific groups of users
- Input from other departments (HR etc)
32
0 20 60 80 100
Nothing toworry about just
yet
On a bad track ofgoing malicious
Very likelyhas malicious
intentions
MaliciousInsiders
Tiers of Insiders
33
The Insider Finally
34
Summarybull Log visualization
bull Beyond the boring chart defaults
bull AfterGlow and Splunk
- The free way to understanding your data
bull Insider threat
bull Insider detection process
35
Thank Youwwwsecvizorg
raffaelmartysplunkcomraffychblog
Link Graph Shake Up[] [119232] RPC portmap UDP proxy attempt []
[Classification Decode of an RPC Query] [Priority 2]
0604-155628219753 192168109032859 -gt 19216810255111
UDP TTL64 TOS0x0 ID0 IpLen20 DgmLen148 DF
Len 120
16
1921681090 portmap 19216810255 1921681090 19216810255 111
1921681090 32859 111 RPC portmap 1921681090 19216810255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
TreeMaps
17
All Network TrafficUDP TCP
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
What is this
SNMP
TreeMaps Explained
18
UDP TCP
Conguration Hierarchy Protocol
8020
HTTP
SSH
FTP
DNS
SNMP
UDP TCP
SNMP
Conguration Hierarchy Protocol -gt Service
Size CountColor Service
Treemap2 (httpwwwcsumdeduhciltreemap)
Whatrsquos Splunk1 Universal Real Time Indexing
2 Ad-hoc Search amp Navigation
3 Distributed Federate Search
4 Interactive Alerting amp Reporting
5 Knowledge Capture amp Sharing
19
The IT Search Engine
navigatesearch reportalert share
Database
App Server
Web Server
Switch
Firewall
Router
logs congurations
metricstraps amp alerts stack traces
messagesscripts amp code
activity reports
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled
fontsize=10 width=1 height=1fixedsize=true]
edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation EncrytionaannaPatent AccessaatharuyPing
AfterGlow
20
CSV FileParser AfterGlow Graph
LanguageFileGrapher
httpafterglowsourceforgenet
Why AfterGlowbull Translates CSV into graph description
bull Define node and edge attributes
- color
- size
- shape
bull Filter and process data entries
- threshold filter
- fan-out filter
- clustering
21
Fan Out 3
Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Cluster
colorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud, Information Leak, Sabotage

Information Theft is concerned with the stealing of confidential or proprietary information. This includes things like financial statements, intellectual property, design plans, source code, trade secrets, etc.
Sabotage has to do with any kind of action to harm individuals, organizations, organizational data, systems or business operations.
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery.
Insider Threat Detection
• Understand who is behind the crime
• Know what to look for
• Stop insiders before they become a problem
• Use precursors to monitor and profile users
• Define an insider detection process to analyze precursor activity
25
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
26
Example precursors:
• Accessing job Web sites such as monster.com
• Sales person accessing patent filings
• Printing files with "resume" in the file name
• Sending emails to 50 or more recipients outside of the company
Scores, in the same order: 1, 10, 5, 3
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
27
Sample log entries the precursors are applied to:
Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Insider Detection Process (built up over slides 28 to 30)
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles (the graph distinguishes roles such as Legal and Engineer)
• Where Did the Scores Go?
28-30
Visualization for Insider Detection
• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores
31
Process Improvements
• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider Act
• Maximum of 20 points per bucket
• Using watch lists to boost / decrease scores for specific groups of users
  - Input from other departments (HR, etc.)
32
Tiers of Insiders
33
Score scale 0 to 100:
  0 - 20    Nothing to worry about just yet
  20 - 60   On a bad track of going malicious
  60 - 80   Very likely has malicious intentions
  80 - 100  Malicious insiders
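The detection process of slides 26 to 33 carried through end to end as an added Python example, not the speaker's code: precursors with the slide-26 scores, applied to log lines, per-user totals with the 20-point cap per bucket, a role exemption, watch-list adjustments and the slide-33 tiers. The regexes, bucket names, roles, watch list and all but two of the log lines are assumptions constructed for the example.

```python
"""Worked instance of the insider detection process from slides 26-33:
precursors with scores and buckets, applied to log lines, per-user totals with
a 20-point cap per bucket, role exemptions, watch-list adjustments and the
tiers from slide 33. Constructed example, not the speaker's code: the regexes,
bucket names, roles, watch list and all but two log lines are assumptions."""
import re
from collections import defaultdict

BUCKET_CAP = 20   # slide 32: maximum of 20 points per bucket
TIERS = [(20, "nothing to worry about just yet"),      # slide 33 boundaries
         (60, "on a bad track of going malicious"),
         (80, "very likely has malicious intentions"),
         (101, "malicious insider")]

# (name, bucket, score, regex with a <user> group, extra condition on the match)
# Scores follow slide 26; bucket names and patterns are assumptions.
PRECURSORS = [
    ("job_site",      "setup", 1,  r"user=(?P<user>\w+) .*GET https?://www\.monster\.com", lambda m: True),
    ("patent_access", "role",  10, r"user=(?P<user>\w+) .*/patent_filings/",               lambda m: True),
    ("print_resume",  "setup", 5,  r"user=(?P<user>\w+) .*print .*resume",                 lambda m: True),
    ("mass_mail",     "setup", 3,  r"user=(?P<user>\w+) .*recipients=(?P<n>\d+) external", lambda m: int(m.group("n")) >= 50),
    ("auth_failure",  "noise", 1,  r"failed to authenticate user (?P<user>\w+)",           lambda m: True),
    ("pw_cracker",    "never", 10, r"\d\d:\d\d:\d\d (?P<user>\w+) Privoxy.*q=password\+cracker", lambda m: True),
]
ROLES = {"aanna": "sales", "lmeyer": "legal", "aaelenes": "engineer"}   # assumed
ROLE_EXEMPT = {"patent_access": {"legal"}}   # "okay for some user roles" (slide 32)
WATCHLIST = {"aaelenes": 15, "rmarty": -5}   # assumed HR / security-team input

# Constructed log excerpt: the first two lines are slide-27 samples, the rest
# are made-up records in the same syslog shape.
LOG = """\
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Apr 05 09:12:01 proxy user=aaelenes GET http://www.monster.com/jobs
Apr 05 09:30:44 printsrv user=aaelenes print job=resume_final.doc
Apr 05 10:02:10 docsrv user=aanna read /patent_filings/US7000001.pdf
Apr 05 10:03:12 docsrv user=aanna read /patent_filings/US7000002.pdf
Apr 05 10:04:30 docsrv user=aanna read /patent_filings/US7000003.pdf
Apr 05 10:05:10 docsrv user=lmeyer read /patent_filings/US7000001.pdf
Apr 05 11:40:00 mailgw user=aaelenes sent recipients=72 external
"""

def apply_precursors(log_text):
    """Step 3 (slide 27): run every precursor over every line. Returns raw
    points per user and bucket, plus (user, precursor) pairs, which are the
    two-column CSV an AfterGlow graph of the candidate list starts from."""
    points = defaultdict(lambda: defaultdict(int))
    hits = []
    for line in log_text.splitlines():
        for name, bucket, score, pattern, cond in PRECURSORS:
            m = re.search(pattern, line)
            if not m or not cond(m):
                continue
            user = m.group("user")
            if ROLES.get(user) in ROLE_EXEMPT.get(name, ()):
                continue            # normal activity for this role: no points
            points[user][bucket] += score
            hits.append((user, name))
    return points, hits

def total_score(buckets, user):
    """Cap each bucket at BUCKET_CAP, apply the watch-list adjustment and
    clamp to the 0-100 scale of slide 33."""
    capped = sum(min(v, BUCKET_CAP) for v in buckets.values())
    return max(0, min(100, capped + WATCHLIST.get(user, 0)))

def tier(score):
    """Map a score to the slide-33 tier label."""
    for upper, label in TIERS:
        if score < upper:
            return label
    return TIERS[-1][1]

def candidate_list(log_text=LOG):
    """Steps 4-6: per-user (score, tier) to visualize, and the user -> precursor
    edge list for the graph."""
    points, hits = apply_precursors(log_text)
    scored = {u: (total_score(b, u), tier(total_score(b, u))) for u, b in points.items()}
    return scored, hits

if __name__ == "__main__":
    scored, hits = candidate_list()
    for user, (score, label) in sorted(scored.items(), key=lambda kv: -kv[1][0]):
        print(f"{user:14} {score:3}  {label}")
    for user, name in hits:          # AfterGlow input: source,target
        print(f"{user},{name}")
```

Note how the cap changes the picture: aanna's three patent reads would be 30 raw points but count as 20, while lmeyer, in the Legal role, produces no score at all for the same access.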
The Insider, Finally
34
Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process
35
Thank You
www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog
AfterGlow - Splunk
22
Demosplunk ltcommandgtsplunk search ldquoltsearch commandgtrdquo -admin ltusergtltpassgt
splunk search ipfw | elds + SourceAddress DestinationAddress -auth adminchangeme | awk lsquoprintfrdquossnrdquo$1$2rsquo | afterglow -t -b 2 | neato -Tgif -o testgif
Insider Threat Definition
Current or former employee or contractor who
bull intentionally exceeded or misused an authorized level of access to networks systems or data in a manner that
bull targeted a specific individual or affected the security of the organizationrsquos data systems andor daily business operations
23
[CERT httpwwwcertorginsider_threat Definition of an Insider]
Three Types of Insider Threats
24
Fraud InformationLeak
Sabotage
Information Theft is concerned with stealing of confidential or proprietary information This includes things like financial statements intellectual property design plans source code trade secrets etc
Sabotage has to do with any kind of action to harm individuals organizations organizational data systems or business operations
Fraud deals with the misuse of access privileges or the intentional excess of access levels to obtain property or services unjustly through deception or trickery
Insider Threat Detection
bull Understand who is behind the crimebull Know what to look forbull Stop insiders before they become a problem
25
bull Use precursors to monitor and profile usersbull Define an insider detection process to
analyze precursor activity
Insider Detection Process
bull Build List of Precursorsbull Assign Scores to Precursors
26
bull Accessing job Web sites such as monstercom
bull Sales person accessing patent filings
bull Printing files with resume in the file name
bull Sending emails to 50 or more recipients outside of the company
1105
3
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
27
Aug 31 15:57:23 [68] ram kCGErrorIllegalArgument: CGXGetWindowDepth: Invalid window -1
Aug 31 15:58:06 [68] cmd loginwindow (0x5c07) set hot key operating mode to all disabled
Aug 31 15:58:06 [68] Hot key operating mode is now all disabled
Aug 27 10:21:39 ram com.apple.SecurityServer: authinternal failed to authenticate user raffaelmarty.
Aug 27 10:21:39 ram com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/bin/sudo for authorization created by /usr/bin/sudo.
Apr 04 19:45:29 rmarty Privoxy(b65ddba0) Request: www.google.com/search?q=password+cracker
Only the last three entries are precursor material (a failed authentication, a failed sudo authorization, and a web search for a password cracker); the first three are the ordinary system noise the precursors have to be applied across.
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
28
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
29
(graph: candidate list grouped by user role, with the role labels Legal and Engineer)
Insider Detection Process
• Build List of Precursors
• Assign Scores to Precursors
• Apply Precursors to Log Files
• Visualize Insider Candidate List
• Introduce User Roles
• Where Did the Scores Go?
30
Visualization for Insider Detection
• Visualization as a precursor
  - analyze data access per user role
  - find anomalies in financial transactions
• Documentation and communication of activity
• Tuning and analyzing process output
  - groups of users with similar behavior
  - groups of users with similar scores
31
Process Improvements
• Bucketizing precursors
  - Minimal or no impact
  - Potential setup for insider crime
  - Malicious activity, okay for some user roles
  - Malicious activity, should never happen
  - Insider act
• Maximum of 20 points per bucket
  (five buckets at 20 points each cap a user's total at 100, the scale the insider tiers use; without the cap one noisy precursor, such as repeated visits to a job site, would dominate the score)
• Using watch lists to boost or decrease scores for specific groups of users
  - Input from other departments (HR, etc.)
32
Tiers of Insiders
(score scale 0 to 100)
  0 - 20   Nothing to worry about just yet
  20 - 60  On a bad track of going malicious
  60 - 80  Very likely has malicious intentions
  80 - 100 Malicious insiders
33
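The detection process of slides 26 to 33 end to end, as an added example and not code from the talk: a small scoring engine that applies precursors to log lines, scores per user and per bucket with the 20-point cap, makes role-dependent precursors free for the roles they are normal for, applies a watch-list adjustment from HR, and maps the result onto the four tiers. The five buckets, the cap and the 0/20/60/80/100 boundaries are the slides'; the precursor patterns, scores, user roles, watch list and log lines are constructed assumptions.

```python
"""Added example (not from the talk): precursor scoring with buckets, caps,
roles, watch lists and tiers, run over constructed log lines."""
import re
from collections import defaultdict

BUCKETS = ("minimal", "setup", "role_dependent", "never", "insider_act")
BUCKET_CAP = 20            # "Maximum of 20 points per bucket"; 5 buckets -> 100 max

# Precursors (constructed). 'normal_for' lists roles for which the activity is
# legitimate and therefore scores nothing; 'cond' refines a regex hit.
PRECURSORS = [
    {"name": "job_site", "bucket": "minimal", "score": 3, "normal_for": (),
     "re": re.compile(r"url=https?://(www\.)?monster\.com")},
    {"name": "resume_print", "bucket": "setup", "score": 5, "normal_for": (),
     "re": re.compile(r"\bprint\b.*resume", re.I)},
    {"name": "patent_access", "bucket": "role_dependent", "score": 15,
     "normal_for": ("legal", "engineer"), "re": re.compile(r"GET /patents/")},
    {"name": "mass_external_mail", "bucket": "never", "score": 10, "normal_for": (),
     "re": re.compile(r"rcpt_external=(\d+)"), "cond": lambda m: int(m.group(1)) >= 50},
    {"name": "cracker_search", "bucket": "never", "score": 12, "normal_for": (),
     "re": re.compile(r"q=password\+cracker")},
    {"name": "bulk_export", "bucket": "insider_act", "score": 20, "normal_for": (),
     "re": re.compile(r"export docs=(\d+)"), "cond": lambda m: int(m.group(1)) >= 1000},
]

ROLES = {"alice": "sales", "bob": "engineer", "carol": "sales", "dave": "legal"}
WATCHLIST = {"alice": +10}   # constructed HR input: alice has handed in her notice

LINE_RE = re.compile(r"^\S+ user=(?P<user>\w+) (?P<event>.*)$")


def score_line(line, roles=ROLES):
    """Return (user, precursor, bucket, points) for the first matching precursor, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, event = m.group("user"), m.group("event")
    for p in PRECURSORS:
        hit = p["re"].search(event)
        if not hit or ("cond" in p and not p["cond"](hit)):
            continue
        points = 0 if roles.get(user) in p["normal_for"] else p["score"]
        return (user, p["name"], p["bucket"], points)
    return None


def score_users(lines, roles=ROLES, watchlist=WATCHLIST):
    """Per-user bucket totals (capped at BUCKET_CAP), watch-list adjustment, 0..100 score."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = score_line(line, roles)
        if hit:
            user, _, bucket, points = hit
            buckets[user][bucket] += points
    results = {}
    for user in set(buckets) | set(watchlist):
        capped = {b: min(buckets[user][b], BUCKET_CAP) for b in BUCKETS}
        total = sum(capped.values()) + watchlist.get(user, 0)
        results[user] = {"buckets": capped, "score": max(0, min(100, total))}
    return results


TIERS = ((80, "Malicious insider"), (60, "Very likely has malicious intentions"),
         (20, "On a bad track of going malicious"), (0, "Nothing to worry about just yet"))


def tier(score):
    """Map a 0..100 score onto the slide's four tiers (lower bound inclusive)."""
    for lower, label in TIERS:
        if score >= lower:
            return label


# Constructed log lines: "<timestamp> user=<name> <source> <details>"
SAMPLE_LOG = (
    ["2007-09-01T09:12 user=alice proxy url=http://www.monster.com/jobs"] * 8 +
    ["2007-09-01T09:20 user=alice print job=alice_resume_2007.doc",
     "2007-09-01T10:01 user=alice web GET /patents/filing-4711",
     "2007-09-01T10:30 user=bob web GET /patents/filing-4711",
     "2007-09-01T11:02 user=alice mail rcpt_external=63",
     "2007-09-01T11:10 user=dave mail rcpt_external=12",
     "2007-09-01T11:45 user=carol proxy url=http://www.google.com/search?q=password+cracker",
     "2007-09-01T12:00 user=carol dms export docs=1500"]
)

if __name__ == "__main__":
    # The insider candidate list, highest score first
    for user, r in sorted(score_users(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{user:6} {r['score']:3}  {tier(r['score'])}  {r['buckets']}")
```

Two things the run makes visible that the slides only state: alice's eight job-site visits are worth 24 points but the minimal bucket stops at 20, so a chatty low-value precursor cannot push her over a tier on its own, while bob's identical patent access scores nothing because engineers are allowed there, which is what introducing user roles buys.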
The Insider Finally
34
Summary
• Log visualization
• Beyond the boring chart defaults
• AfterGlow and Splunk
  - The free way to understanding your data
• Insider threat
• Insider detection process
35
Thank You
www.secviz.org
raffael.marty@splunk.com
raffy.ch/blog