Risk-based Security Analytics for Effective APT Defense

Paul Pang, Chief Security Strategist, APAC & Japan

Copyright © 2012 Splunk Inc.

Security Analytics Methodology

•  Correlation (patterns between different kinds of logs)
–  Incident investigation scenarios (carried out manually until now?)
–  Tracking of unauthorized access (what is the impact and damage?)
–  Monitoring whether any critical asset is accessed from an external dangerous site

•  Statistical (analysis of the same type of log, big data)
–  Baselining of normal activity (average, max, min)
–  Abnormality detection (rare outliers)
–  Comparison of time series (time, season, case pattern)

Security Intelligence Use Cases

•  Fraud Detection
•  Insider Threat
•  Advanced Threat Detection
•  Security & Compliance Reporting
•  Incident Analysis & Investigations
•  Real-time Monitoring & Alerting

Splunk provides solutions that address SIEM use cases and more: from the traditional SIEM (security log focus) to the next-generation SOC (all machine data).

New Types of Security Guru

Multiple roles with different backgrounds, skills, pay levels and personalities:

•  SOC Manager
•  SOC Admin & Architect
•  Project Manager
•  Tier 1 Analyst
•  Tier 2 Analyst
•  Tier 3 Analyst (CSIRT), the key APT hunter
•  Forensics Specialist
•  Malware Engineer
•  Counter-Intel

•  On-the-job training and mentoring, plus external training & certifications
•  Operating hours and SOC scope play a key role in driving headcount
•  Tier 3 analysts focus on next-generation SOC technology such as risk-based analytics, APT hunting, threat intelligence, ...

All Data is Security Relevant = Big Data

Traditional SIEM: "security" data only
•  Alerts from point security products, i.e. "known" threats
•  Firewall, anti-malware, IDS, DLP, vulnerability scans

All security-relevant data
•  "Non-security" user- and machine-generated data behind credentials; this is where the "unknown" threats show up
•  AD, OS, DNS, DHCP, email, proxy, badge, industrial control systems, etc.

Proactive Security Monitoring and Forensics

"Splunk allows us to quickly consolidate and correlate disparate log sources, enabling previously impractical monitoring and response scenarios."

•  Enabled proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, incident detection and response
•  Delivered a centralized view into user activities and in-scope systems

Dave Schwartzburg, Computer Security Incident Response Team

0-day detection: real-time anomaly detection (machine learning, "protected by maths")

CSIRT Logging Deployment

•  25 indexers / 7 clusters
•  HA, load balanced & scalable
•  Index up to 1 TB/day
•  150 TB storage

Correlation Analytic Example

•  WAF > Web (HTTP server) > Web App
–  WAF alerts were detected; what was the effect on the web server and the application behind it?
–  Using the same source IP address or time range as a "key", aggregate and group the corresponding logs
–  Display the following to the security admin in real time as a single incident:
   ê  WAF alert content (WAF log)
   ê  HTTP URL request (web server log)
   ê  Response from the application server (application log)

Web server (Apache) log:
131.178.233.243 - - [24/Jun/2014 12:29:01:183] "GET /category.screen?category_id=FLOWERS&JSESSIONID=SD5SL6FF7ADFF6 HTTP 1.1" 200 308 "http://www.myflowershop.com/product.screen?product_id=K9-CW-01" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4" 701

Application (WebSphere) log:
[06/24/14 12:29:23 UTC] 000000af StorageApi E com.ibm.wps.policy.commands.StorageApi logExceptionGetPvsProperties EJQAB0061E: An ItemNotFoundException occurred in method logExceptionGetPvsProperties.com.ibm.portal. WpsException: EJQAB0061E: An ItemNotFoundException occurred in method logExceptionGetPvsProperties.at (PolicyService.java:191)

Web App Firewall (F5 ASM) log:
June 24 12:29:01 172.29.70.161 ASM:unit_hostname="asm232.labt.ts.f5net.com",management_ip_address="172.29.69.232",web_application_name="/Common/ASM_Class1",policy_name="AllViolations",policy_apply_date="2011-09-30 13:58:53",violations="Mandatory HTTP header is missing,Illegal URL length,Illegal request length,Illegal header length,Illegal URL",support_id="1446599167164232350",request_status="alerted",ip_client="131.178.233.243"

Sources and join keys

•  Web App Firewall (F5 ASM), Web Server (Apache), Application (WebSphere): machine data generated in each layer
•  Join key: source IP, plus a time range (time range + 5 s)
•  Trace from the WAF event 5 seconds forward to the web server, and on to the application with any machine data within 1 minute

Incident Review based on aggregation of events by Splunk, grouped by source IP:

Time | SourceType | F5 WAF | Host | Web Log | Application Log
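The same three-layer correlation in plain Python, as an added example (it is not a Splunk search from the presentation). The three log lines are constructed after the samples on the slide; the year on the F5 syslog line and the assumption that all three sources are already in UTC are mine. The application log carries no client IP, so the only key joining it to the other two layers is time, which is why that window is the wider one.

```python
"""Correlate WAF, web-server and application events into one incident,
keyed on client IP and a short time window (added example, not Splunk code)."""
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2014  # assumption: the F5 ASM syslog line has no year field
# Assumption: all three sources are in UTC. Only the WebSphere line says so;
# normalise zones before joining on time in a real deployment.

# Constructed samples modelled on the slide's three log lines.
WAF_LOG = [
    'June 24 12:29:01 172.29.70.161 ASM:unit_hostname="asm232.labt.ts.f5net.com",'
    'policy_name="AllViolations",violations="Mandatory HTTP header is missing,'
    'Illegal URL length,Illegal request length,Illegal header length,Illegal URL",'
    'support_id="1446599167164232350",request_status="alerted",ip_client="131.178.233.243"',
]
WEB_LOG = [
    '131.178.233.243 - - [24/Jun/2014 12:29:01:183] "GET /category.screen?category_id='
    'FLOWERS&JSESSIONID=SD5SL6FF7ADFF6 HTTP 1.1" 200 308 "http://www.myflowershop.com/'
    'product.screen?product_id=K9-CW-01" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_3)" 701',
    # a different client in the same second: must stay out of the incident
    '10.0.0.7 - - [24/Jun/2014 12:29:02:004] "GET /index.html HTTP 1.1" 200 512 "-" "curl/7.35.0" 3',
]
APP_LOG = [
    '[06/24/14 12:29:23 UTC] 000000af StorageApi E com.ibm.wps.policy.commands.StorageApi '
    'logExceptionGetPvsProperties EJQAB0061E: An ItemNotFoundException occurred in method '
    'logExceptionGetPvsProperties.',
]

WAF_RE = re.compile(r'^(\w+ \d{1,2} \d\d:\d\d:\d\d) \S+ ASM:(.*)$')
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
APP_RE = re.compile(r'^\[(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) UTC\] \S+ \S+\s+(\w)\s+(.*)$')


def parse_waf(line):
    """F5 ASM syslog line -> {time, src, violations, support_id}."""
    m = WAF_RE.match(line)
    fields = dict(re.findall(r'(\w+)="([^"]*)"', m.group(2)))
    ts = datetime.strptime(m.group(1), "%B %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"time": ts, "src": fields["ip_client"],
            "violations": fields["violations"].split(","),
            "support_id": fields["support_id"]}


def parse_web(line):
    """Apache access-log line -> {time, src, request, status}."""
    m = WEB_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y %H:%M:%S:%f")
    return {"time": ts, "src": m.group(1), "request": m.group(3), "status": int(m.group(4))}


def parse_app(line):
    """WebSphere trace line -> {time, level, message}. No client IP here."""
    m = APP_RE.match(line)
    ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
    return {"time": ts, "level": m.group(2), "message": m.group(3)}


def within(anchor, ev, seconds):
    """True if ev happened at or after anchor and no more than `seconds` later."""
    delta = ev["time"] - anchor["time"]
    return timedelta(0) <= delta <= timedelta(seconds=seconds)


def build_incidents(waf_lines, web_lines, app_lines, web_window=5, app_window=60):
    """One incident per WAF alert: web hits from the same client IP within
    web_window seconds, then application events within app_window seconds
    (5 s and 1 min are the windows quoted on the slide)."""
    web = [parse_web(l) for l in web_lines]
    app = [parse_app(l) for l in app_lines]
    incidents = []
    for alert in map(parse_waf, waf_lines):
        hits = [w for w in web if w["src"] == alert["src"] and within(alert, w, web_window)]
        errors = [a for a in app if within(alert, a, app_window)]
        incidents.append({"src": alert["src"], "support_id": alert["support_id"],
                          "violations": alert["violations"], "web": hits, "app": errors})
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(WAF_LOG, WEB_LOG, APP_LOG):
        print(inc["src"], inc["violations"][0], len(inc["web"]), "web /", len(inc["app"]), "app events")
```

The second web line is there to show the IP key doing its job: it falls inside the 5 s window but belongs to another client, so it is not attached to the incident. Widening the application window to a minute without any IP key means an unrelated application error in that minute would also be attached; that is a known cost of this join and the reason the application layer should carry a request or session ID where possible.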

Advanced Threat Detection and Response: Kill Chain Analysis

Data layers brought together: threat intelligence, authentication / user roles, host activity & security, network activity & security.

Attacker steps traced on the slide: delivery of a .pdf by MAIL or via a WEB portal; gain access to the system (.pdf → Svchost.exe → Calc.exe); create an additional environment; conduct business (transaction).

Questions the analyst pivots on:
•  Which events contain the link to the file?
•  Proxy log: C2 communication to a blacklisted address
•  Which process is making the C2 traffic?
•  How was the process started?
•  What created the program/process?

Free threat feed (IP/CIDR, tag):
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http

Endpoint network connection:
{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": "3259531", "port": 443}

Endpoint file creation:
{"action": "create", "path": "…\Content.Outlook\Q2_commission.pdf", "process_guid": "-7751687"}

Email:
Subject: new commission report breakdown
From: Jose Dave <[email protected]>
To: <[email protected]>
Content-type: multipart/mixed; Content-type: application/pdf; name="Q2_commission.pdf"

Asset (CMDB) enrichment by dest_ip:

dest_ip        | cmdb_bu_owner | cmdb_application_name | cmdb_system_owner | cmdb_app_lifecycle | cmdb_sox | cmdb_GLBA | cmdb_app_uses_ssn | cmdb_credit_card_data | cmdb_priority | cmdb_server_software | cmdb_supported_by | cmdb_server_phase | cmdb_db_server | cmdb_db_name | cmdb_PCI | cmdb_PII | cmdb_safe_harbor
192.168.56.102 | Sales         | Laptop                | [email protected] | Production         | No       | No        | No                | No                    | Tier 3        | Windows7             | Internal          | Deployed          | N              | N/A          | No       | No       | No
172.20.12.224  | Marketing     | Laptop                | [email protected] | Production         | No       | No        | No                | No                    | Tier 3        | Windows7             | Internal          | Deployed          | N              | N/A          | No       | No       | No
172.20.10.217  | eCommerce     | Laptop                | [email protected] | Staging            | Yes      | Yes       | No                | Yes                   | Tier 1        | Windows7             | Internal          | Deployed          | Y              | Oracle       | Yes      | Yes      | Yes
172.20.15.229  | eCommerce     | Laptop                | [email protected] | Staging            | Yes      | Yes       | No                | Yes                   | Tier 1        | Windows7             | Internal          | Deployed          | Y              | Oracle       | Yes      | Yes      | Yes

Pivot keys highlighted on the slide: 115.29.46.99 (network connection ↔ threat feed), Q2_commission.pdf (file creation ↔ email attachment), [email protected] / 192.168.56.102 (email recipient ↔ CMDB asset), process_guid 3259531 and -7751687 (the process making C2 traffic and the process that created the file), and "action": "create".

Visual Investigations for All Assets and Users
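The pivot chain above, walked in code as an added example (not Splunk's or the presenter's code): a threat-feed hit on a network connection, the process tree behind that connection, files created by any process in that tree, the email that delivered the matching attachment, and finally the CMDB owner of the affected host. The records are constructed after the fragments on the slide; the process image names, the full file path, the parent/child relationships and the mailbox addresses are hypothetical, since the slide does not show them.

```python
"""Kill-chain pivot: threat feed -> C2 connection -> process tree -> file -> email -> CMDB.
Added example; records are constructed after the slide's fragments."""
import ipaddress

THREAT_FEED = ["115.29.46.99/32,zeus_c2s", "61.155.30.0/24,cymru_http"]

# Endpoint network connections (host = the asset's dest_ip in the CMDB).
NETCONN = [
    {"host": "192.168.56.102", "ipv4": "115.29.46.99", "port": 443, "protocol": 6, "process_guid": "3259531"},
    {"host": "192.168.56.102", "ipv4": "93.184.216.34", "port": 443, "protocol": 6, "process_guid": "3259531"},
    {"host": "172.20.12.224", "ipv4": "8.8.8.8", "port": 53, "protocol": 17, "process_guid": "4410"},
]
# Process-start events: image name and parent. Hypothetical tree; only the two
# process_guid values come from the slide.
PROCESS = {
    "3259531": {"image": "Calc.exe", "parent_guid": "8812"},
    "8812": {"image": "Svchost.exe", "parent_guid": "-7751687"},
    "-7751687": {"image": "OUTLOOK.EXE", "parent_guid": None},
    "4410": {"image": "svchost.exe", "parent_guid": None},
}
FILEMOD = [  # full path is hypothetical; the slide elides it
    {"action": "create", "process_guid": "-7751687",
     "path": r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\Q2_commission.pdf"},
]
EMAIL = [  # addresses are hypothetical
    {"from": "[email protected]", "to": "[email protected]",
     "subject": "new commission report breakdown", "attachments": ["Q2_commission.pdf"]},
]
CMDB = {  # subset of the slide's cmdb_* columns
    "192.168.56.102": {"bu_owner": "Sales", "system_owner": "[email protected]",
                       "priority": "Tier 3", "PCI": "No", "PII": "No"},
    "172.20.10.217": {"bu_owner": "eCommerce", "system_owner": "[email protected]",
                      "priority": "Tier 1", "PCI": "Yes", "PII": "Yes"},
}


def load_feed(lines):
    """'cidr,tag' lines -> [(ip_network, tag)] so /24 entries match too."""
    return [(ipaddress.ip_network(cidr), tag) for cidr, tag in (l.split(",", 1) for l in lines)]


def match_feed(ip, feed):
    addr = ipaddress.ip_address(ip)
    return [tag for net, tag in feed if addr in net]


def ancestry(guid, procs):
    """Walk parent links from a process up to the root: [(guid, image), ...]."""
    chain = []
    while guid is not None and guid in procs:
        chain.append((guid, procs[guid]["image"]))
        guid = procs[guid]["parent_guid"]
    return chain


def investigate(feed_lines, netconn, procs, filemods, emails, cmdb):
    """For every connection to a feed-listed address, assemble the kill-chain context."""
    feed = load_feed(feed_lines)
    findings = []
    for conn in netconn:
        tags = match_feed(conn["ipv4"], feed)
        if not tags:
            continue
        chain = ancestry(conn["process_guid"], procs)
        guids = {g for g, _ in chain}
        created = {f["path"].rsplit("\\", 1)[-1]
                   for f in filemods if f["process_guid"] in guids and f["action"] == "create"}
        mails = [m for m in emails if created & set(m["attachments"])]
        findings.append({
            "host": conn["host"], "c2": conn["ipv4"], "feed": tags,
            "process_chain": [img for _, img in chain],   # C2 process first, root last
            "dropped_files": sorted(created),
            "delivery_mail": [(m["from"], m["to"], m["subject"]) for m in mails],
            "asset": cmdb.get(conn["host"], {"bu_owner": "unknown"}),
        })
    return findings


if __name__ == "__main__":
    for f in investigate(THREAT_FEED, NETCONN, PROCESS, FILEMOD, EMAIL, CMDB):
        print(f["host"], "->", f["c2"], f["feed"], " <- ".join(f["process_chain"]), f["asset"]["bu_owner"])
```

The order of the pivots matters for triage: the feed match is the cheapest filter, so it runs first and everything else is only computed for the connections that survive it. The CMDB step is what turns a finding into a risk statement (a Tier 3 sales laptop with no PCI or PII data is a different response than a Tier 1 e-commerce host).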

Statistical Analytics Example: baselining user activities to detect abnormality

e.g. 1) Count the number of characters in the "User-Agent" of WAF or HTTP logs
ê  Much malware appears to counterfeit the "User-Agent"
ê  Visualize the distribution of the character pattern and count

e.g. 2) Count the number of characters in the "HTTP Request URL"
ê  Much malware sends data out covertly by pretending to be a normal web request

Real-time statistical analytics in Splunk: counting "User_Agent" length

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Character count: 74

User-Agent content inside logs | Pattern Length | Count

A lot of web-based attacks use VERY long URLs

A mean URL length of 128 bytes looks normal, but a max URL length of 9 KB looks suspicious. We found a lot of LONG URLs trying to access the external site "http://103.7.28.187/pingd?type-1&dm=www.discouss.com.hk …". After verifying with http://urlquery.net/report.php?id=2182484, they are Tencent QQ/WeChat messages; the long HTTP packages are encrypted SMS.
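Both statistical checks from the last two slides (User-Agent length distribution with rare buckets flagged, and URL length mean/max with outliers flagged), as an added example in Python rather than the presenter's Splunk searches. The access-log lines are constructed: browsers on short paths, one spoofed short User-Agent, and one request whose URL is about 9 KB. The rare-bucket count and the z-score cut-off are illustrative thresholds, not values from the slides.

```python
"""Baseline User-Agent and URL lengths from HTTP logs and flag the outliers.
Added example over constructed access-log lines; thresholds are illustrative."""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"')

IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"  # 74 chars, as on the slide
CHROME = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-US) AppleWebKit/533.4 "
          "(KHTML, like Gecko) Chrome/5.0.375.38 Safari/533.4")


def line(ip, path, ua):
    """Build one constructed Apache combined-format line."""
    return f'{ip} - - [24/Jun/2014 12:29:01:183] "GET {path} HTTP/1.1" 200 308 "-" "{ua}"'


# Constructed sample: 50 normal requests, one fake User-Agent, one ~9 KB URL.
SAMPLE = (
    [line("10.0.0.%d" % i, "/category.screen?category_id=FLOWERS", IE6) for i in range(1, 31)]
    + [line("10.0.1.%d" % i, "/product.screen?product_id=K9-CW-01", CHROME) for i in range(1, 21)]
    + [line("10.0.2.9", "/index.html", "Mozilla/4.0")]                 # counterfeit UA, 11 chars
    + [line("10.0.2.10", "/pingd?type-1&dm=" + "A" * 9000, IE6)]       # exfil-looking long URL
)


def parse(lines):
    out = []
    for l in lines:
        m = LOG_RE.match(l)
        if m:
            out.append({"src": m.group(1), "url": m.group(2), "ua": m.group(3)})
    return out


def ua_length_table(events):
    """Distribution of User-Agent length, i.e. count by ua_len."""
    return Counter(len(e["ua"]) for e in events)


def rare_user_agents(events, max_count=2):
    """User-Agent strings whose length bucket is rare in this population:
    candidates for counterfeit UAs that deserve a look."""
    table = ua_length_table(events)
    return sorted({e["ua"] for e in events if table[len(e["ua"])] <= max_count})


def url_length_stats(events):
    lens = [len(e["url"]) for e in events]
    return {"mean": statistics.fmean(lens), "max": max(lens), "min": min(lens)}


def long_url_outliers(events, z=3.0):
    """Requests whose URL length is far above the baseline (mean + z * stdev).
    With a single extreme value among n events the achievable z is bounded by
    about sqrt(n), so this needs a reasonably large baseline; a median/MAD
    spread is more robust when the baseline itself is polluted."""
    lens = [len(e["url"]) for e in events]
    mu, sd = statistics.fmean(lens), statistics.pstdev(lens)
    return [e for e in events if sd and (len(e["url"]) - mu) / sd > z]


if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(sorted(ua_length_table(ev).items()))
    print("rare UAs:", rare_user_agents(ev))
    print("URL stats:", url_length_stats(ev))
    print("long URLs from:", [e["src"] for e in long_url_outliers(ev)])
```

Length is a deliberately crude feature: it catches the fake "Mozilla/4.0" and the 9 KB request here, but, as the slide's own QQ/WeChat finding shows, a long URL still has to be verified before it is called exfiltration.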

Visualize the pattern in real time (chart: count per User-Agent pattern; the Japanese axis label 件数 means "count")

Risk-based security: security baselining and abnormality detection

Statistical Analytics Example 2: Prediction

–  Splunk comes with a prediction function that projects the future values and numeric range of a series from the trend in the data
–  E.g. prediction of a DoS attack when the pattern exceeds the 95th percentile
–  Alerts can be automated when a value leaves the predicted range

Chart: WAF event detection value range until now, and the future value range based on the prediction
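An added example of the alerting logic described above, written in Python rather than with Splunk's built-in predict command: an exponentially weighted forecast of the next hourly WAF alert count with a residual-based band, combined with the 95th-percentile check from the slide. The hourly series, the smoothing factor and the band width are constructed and illustrative.

```python
"""Forecast the next WAF alert count and alert when an observation leaves the
predicted range and exceeds the 95th percentile. Added example; not Splunk's predict."""
import math

# Constructed hourly WAF alert counts for one quiet day.
HISTORY = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 17, 12,
           15, 14, 16, 13, 12, 15, 14, 13, 16, 15, 12, 14]


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    s = sorted(values)
    k = max(0, math.ceil(p / 100 * len(s)) - 1)
    return s[k]


def ewma_forecast(values, alpha=0.3, band=2.0):
    """Exponentially weighted level as the forecast of the next value, with a
    symmetric band of `band` times the RMS one-step-ahead residual.
    Returns (forecast, lower, upper)."""
    level = values[0]
    sq = 0.0
    for v in values[1:]:
        sq += (v - level) ** 2          # residual against the forecast made before seeing v
        level = alpha * v + (1 - alpha) * level
    rmse = math.sqrt(sq / max(1, len(values) - 1))
    return level, max(0.0, level - band * rmse), level + band * rmse


def check(values, observed, alpha=0.3, band=2.0, pct=95):
    """Decide whether a new count is alert-worthy against the history.
    Both conditions must hold: outside the forecast band AND above the pct-th
    percentile, so a slightly-high hour on a very flat baseline does not page."""
    forecast, lo, hi = ewma_forecast(values, alpha, band)
    p = percentile(values, pct)
    alert = observed > hi and observed > p
    detail = {"forecast": round(forecast, 1), "range": (round(lo, 1), round(hi, 1)),
              "p95": p, "observed": observed}
    return alert, detail


if __name__ == "__main__":
    for obs in (14, 19, 90):
        print(obs, check(HISTORY, obs))
```

Run hourly, the history window should slide (for example the last seven days, or the same hour across previous days, if the traffic has a strong daily cycle), otherwise a slow ramp-up by an attacker is absorbed into the baseline and never crosses the band.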

Advanced Threat Detection example: New Domain Analysis

•  Determine the DNS baseline
•  Discover outlier activity to newly registered domains
•  Hosts talking to recently registered domains
•  Identify unexpected top-level domain activity
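The four steps above as one procedure, in Python, as an added example (not the presenter's searches). The DNS query records are constructed; the registration dates stand in for the WHOIS or domain-age lookup this offline example does not perform; and the registered-domain extraction is a naive last-two-labels rule, which is wrong for names such as example.co.uk, so a real implementation should use the Public Suffix List.

```python
"""DNS baseline, newly seen domains, recently registered domains, unexpected TLDs.
Added example over constructed query records; registration dates are constructed."""
from collections import Counter, defaultdict
from datetime import date

BASELINE_QUERIES = [  # constructed: (host, queried name) over the baseline window
    ("pc-sales-01", "www.myflowershop.com"), ("pc-sales-01", "mail.example.com"),
    ("pc-mkt-07", "www.myflowershop.com"), ("pc-mkt-07", "cdn.example.net"),
    ("pc-ecom-03", "db.example.com"), ("pc-ecom-03", "updates.example.org"),
]
TODAY_QUERIES = [  # constructed: today's lookups
    ("pc-sales-01", "www.myflowershop.com"),
    ("pc-sales-01", "a8f3k2.badreports-q2.xyz"),   # new domain, registered days ago
    ("pc-sales-01", "c2.badreports-q2.xyz"),
    ("pc-mkt-07", "cdn.example.net"),
    ("pc-ecom-03", "updates.example.org"),
    ("pc-ecom-03", "login.vendor-portal.com"),     # new to us, but registered years ago
]
REGISTERED = {  # constructed stand-in for a WHOIS / domain-age lookup
    "badreports-q2.xyz": date(2014, 6, 20),
    "vendor-portal.com": date(2009, 3, 2),
    "myflowershop.com": date(2005, 1, 1),
    "example.com": date(1995, 8, 14), "example.net": date(1995, 8, 14), "example.org": date(1995, 8, 14),
}
TODAY = date(2014, 6, 24)  # constructed "now"


def registered_domain(fqdn):
    """Naive registrable domain: last two labels (use the Public Suffix List in production)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def tld(fqdn):
    return fqdn.lower().rstrip(".").split(".")[-1]


def dns_baseline(queries):
    """Step 1: the set of registered domains and TLDs seen in the baseline window."""
    doms = {registered_domain(q) for _, q in queries}
    return doms, {d.split(".")[-1] for d in doms}


def new_domain_activity(baseline_queries, today_queries, registered, today, max_age_days=30):
    """Steps 2-4: domains not in the baseline, which of those were registered
    recently (and by which hosts), and TLDs the baseline has never used."""
    base_doms, base_tlds = dns_baseline(baseline_queries)
    hosts_by_domain = defaultdict(set)
    for host, q in today_queries:
        d = registered_domain(q)
        if d not in base_doms:
            hosts_by_domain[d].add(host)
    recently_registered = {
        d: sorted(h) for d, h in hosts_by_domain.items()
        if d in registered and (today - registered[d]).days <= max_age_days
    }
    unexpected_tlds = Counter(tld(q) for _, q in today_queries if tld(q) not in base_tlds)
    return {"new_domains": {d: sorted(h) for d, h in hosts_by_domain.items()},
            "recently_registered": recently_registered,
            "unexpected_tlds": dict(unexpected_tlds)}


def run():
    return new_domain_activity(BASELINE_QUERIES, TODAY_QUERIES, REGISTERED, TODAY)


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

"New to this network" and "newly registered" are different signals and the example keeps them apart: vendor-portal.com is new to the baseline but old on the registry, so it shows up under new_domains only, while badreports-q2.xyz trips both checks plus the TLD check. Hosts querying the latter are the ones to pivot into the kill-chain analysis above.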

Platform for Machine Data

Easy to adopt Splunk, with a rich ecosystem of apps across data sources, use cases & consumption models.

Data sources: Mainframe data, VMware, Exchange, PCI Security, DB Connect, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Stream

Further Reading

•  www.splunk.com
–  Whitepaper: Splunk and the SANS Top 20 Critical Security Controls
•  NIST.gov
–  FISMA Compliance, FAQ on Continuous Monitoring

Thank You

The Splunk Platform for Security Intelligence

•  Splunk Enterprise (core)
•  Splunk for Enterprise Security
•  200+ security apps: Splunk-built apps, vendor apps, open source community apps
•  Data: wire (NFT) data, SIEM integration, RDBMS (any) data, Windows (host/inf) data, Unix & Linux data, Exchange (email, inf) data, more...

Copyright © 2014 Splunk Inc.