Why we purchased Splunk.
– Easier to implement
– Lower cost of ownership
– 3rd-party tools adopting and designing apps to integrate
– Provided expansive value compared to other SIEMs
– Dashboards: 10 tools, 1 dashboard; visuals vs. logs
Entry level employees can quickly understand and navigate.
Online Training.
User Groups and support
Create a Dashboard: http://www.splunk.com/view/SP-CAAAGXD
Create an Alert: http://www.splunk.com/view/SP-CAAANZJ
Put SOPs into alerts, so entry-level SOC analysts know what to do!
Drive down your TTC (Time to Contain).
One of the many uses…
Vulnerability and Patch Management
– Unpatched systems in DMZs.
– Orphaned systems in the DMZ (tomcat/tomcat, telnet).
– Systems with IP reuse.
– Systems never hardened or patched.
– Systems with no Asset ID (Incident Response fail).
– Systems in production that belong in test networks.
– Firewall rules never reviewed.
– Systems just added to the network with default admin credentials.
– The deeper we dug, the more we found.
This wasn’t just bad practice; this was cultural and a HUGE risk to the organization.
– The value of our clean-up and assessment was quickly realized when…
Drill down capability and trending
IPS: identify what our PANs are calling the CVE and drill down for intel on blocking of activity.
- Has anyone tried to exploit the vulnerability? Are our mitigating preventive controls actually working?
- Pivot off intel from attackers and dig deeper. Single tool for all devices in a layered defense.
- YOU CAN have all the answers at your fingertips in minutes, where before Splunk it could take hours to aggregate.
Phishing… How we use Splunk
Stats of Phishing…
Verizon’s 2015 Data Breach Investigations Report (DBIR)
• Over 60% of all espionage cases involved phishing attacks
• 82 Seconds-average for success in a phishing attack
• 23% of recipients open phishing messages
• 11% click on attachments
“I swear I didn’t click anything”
Splunk allows you to quickly piece together bits of activity to identify the sequence of events that led to the incident (root cause).
• Confirm opened attachments or link C2s
• Use Splunk for DNS queries
WHAT DOES A MALICIOUS EMAIL COST THE COMPANY?
Use Case Examples
Spear Phishing Taxonomy (minutes per step) | 1 User infected | 300 Users infected
Introduction into the Environment
1. Spear phish email sent | 0 | 0
2. User receives email (clicks link / sends email to HD / notifies SOC / calls HD) | 10 | 3000
3. Service Desk reviews email and sends it to SOC | 1 | 300
4. Service Desk receives phone call from user to determine actions | 8.5 | 2550
5. SOC analyst analyzes email (if links/attachment => further action required) | 1 | 100
Spear Phishing Analysis
6. SOC opens a case | 10 | 15
7. SOC reviews link/attachments on malware station for validity | 20 | 20
8. SOC conducts DNS search | 10 | 30
9. SOC conducts Ironport search | 10 | 30
10. SOC creates Splunk rules from malware properties | 10 | 10
11. IRT leverages FireEye to prevent future attacks | 10 | 10
12. SOC creates Remedy ticket for FW/DNS/Websense blocks | 20 | 20
13. Unix support staff vets request and completes block action | 30 | 30
14. SOC creates blocking rules in Ironport | 10 | 10
15. SOC runs script to identify unique email recipients | 10 | 10
16. Exchange team removes spear phish email from all user inboxes identified by SOC | 30 | 60
17. IRT conducts FPC / other-tool traffic analysis | 40 | 40
Identification of Malware
18. Splunk beacon from rule identifies user clicked link or attachment | 5 | 1500
19. IRT conducts further analysis | 120 | 120
20. IRT traces user back to IP/machine | 25 | 7500
21. SOC creates Remedy ticket to reimage users' machines | 5 | 1200
22. SOC creates Remedy ticket to block by MAC address (30% of the time) | 0.9 | 2.1
23. SOC puts user or machine in appropriate NP ACCESS OU (10% of the time) | 0.5 | 150
24. Local desktop team tracks down machine | 20 | 6000
25. Network team blocks machine by MAC (30% of the time) | 0.6 | 180
26. Customer downtime (2 days avg.) | 2880 | 864000
27. Desktop team reimages machine (copy files, decrypt, reimage, encrypt) (5 hr avg.) | 300 | 90000
28. Desktop team returns machine to user (ship, send/walk over, etc.) | 20 | 6000
29. Network team releases MAC block (30% of the time) | 0.6 | 180
30. SOC releases machine/user from OU (10% of the time) | 1 | 300
31. SOC closes case (all data is entered and verified) | 20 | 90
32. Continuous monitoring | 0 | 0
Total in Minutes | 3629 | 983457
Total Cost | $3,942.65 | $1,068,427.79
Summary of Costs
Category | 1 User | 300 Users
Threat Mitigation
SOC | $155.35 | $3,777.69
IRT | $211.25 | $8,309.17
Support Staff
Service Desk | $10.29 | $3,087.50
Exchange Team | $32.50 | $65.00
Desktop Support | $368.33 | $110,500.00
Unix Support | $32.50 | $32.50
Network | $1.30 | $390.00
IT Costs | $811.53 | $126,161.86
End User Customer | $3,130.83 | $939,250.00
Total Cost | $4,753.88 | $1,191,573.72
Category | Fixed/Sunk Costs | Incremental Costs (x = 1) | Incremental Costs (x = 300)
Threat Mitigation
SOC | $109.42 | $45.93 | 12.23
IRT | $184.17 | $27.08 | 27.08
Support Staff
Service Desk | $32.50 | $0.00 | 0
Exchange Team | $32.50 | $0.00 | 0.11
Desktop Support | $1.08 | $9.21 | 10.29
Unix Support | $0.00 | $368.33 | 368.33
Network | $0.00 | $1.30 | 3.3
IT Costs | $359.67 | $451.86 | 419.34
End User Customer | $2.17 | $3,128.67 | 3130.33
Total Cost | $361.84 | $3,580.53 | $3,549.67
Summary (x = users infected)
Formula:
When x = 0: 361.83
When x = 1: 358035x + 361.83
When x = 300: 3550.17x + 361.83
Increasing the number of infected users dilutes costs by $30.35 per infected user.
Threat Intel and Incident Response
APT and other threat feeds are fed into Splunk:
Conditional trigger alerts
DHS DSIE: alerting for hits on:
• DNS: C2s
• Websense
• Mail gateway (phishing IOCs)
• Bit9: hashes
• FireEye YARA signatures
• IPS: 0-days (Adobe)
• WAFs: aggregate recon by origin and persistence
Create an Alert: http://www.splunk.com/view/SP-CAAANZJ
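The correlation the phishing slide and the threat-intel slide describe (piecing a user's mail and DNS activity into a timeline, then alerting on threat-feed hits with the SOP attached), as an added Python example that is not part of the original deck and not Splunk's own code; the log format, indicator domains and SOP text are constructed stand-ins for what the Splunk lookup and indexes would hold.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample logs (assumed key=value format, not real data).
MAIL_LOG = """\
2015-06-01T09:00:05 mailgw rcpt=alice@corp.example url=http://bad-invoice.example/x.doc
2015-06-01T09:00:06 mailgw rcpt=bob@corp.example url=http://bad-invoice.example/x.doc
2015-06-01T09:00:07 mailgw rcpt=carol@corp.example url=http://news.example/story
"""
DNS_LOG = """\
2015-06-01T09:03:10 dns client=10.1.1.5 user=alice query=bad-invoice.example
2015-06-01T09:04:00 dns client=10.1.1.9 user=carol query=news.example
2015-06-01T09:05:30 dns client=10.1.1.5 user=alice query=c2-beacon.example
"""
# Constructed threat-intel lookup: indicator domain -> feed name.
C2_INDICATORS = {"bad-invoice.example": "phish-kit-A", "c2-beacon.example": "phish-kit-A C2"}
# SOP text embedded in the alert so a tier-1 analyst knows the next steps.
SOP = "Open case; pull user's DNS/proxy history; request FW/DNS block; reimage if beacon confirmed."
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn 'timestamp source k=v ...' lines into dicts with a datetime."""
    rows = []
    for line in log.splitlines():
        ts, _, rest = line.split(" ", 2)
        row = dict(KV.findall(rest))
        row["time"] = datetime.fromisoformat(ts)
        rows.append(row)
    return rows

def correlate(mail_log, dns_log, indicators):
    """One alert per user whose DNS queries hit an indicator (conditional trigger).
    'clicked' means the user received a mail carrying that domain and later resolved it."""
    received = defaultdict(set)  # user -> hosts of URLs delivered by mail
    for m in parse(mail_log):
        received[m["rcpt"].split("@")[0]].add(urlparse(m["url"]).hostname)
    alerts = {}
    for d in parse(dns_log):
        name = indicators.get(d["query"])
        if name is None:
            continue  # only intel hits fire; ordinary lookups are ignored
        a = alerts.setdefault(d["user"], {"user": d["user"], "hits": [], "clicked": False, "sop": SOP})
        a["hits"].append((d["time"].isoformat(), d["query"], name))
        a["clicked"] |= d["query"] in received[d["user"]]
    return sorted(alerts.values(), key=lambda a: a["hits"][0][0])

def phish_recipients(mail_log, indicators):
    """Unique recipients of mail linking to an indicator: the inbox purge list for the Exchange team."""
    return sorted({m["rcpt"] for m in parse(mail_log) if urlparse(m["url"]).hostname in indicators})
```

Bob received the same mail but never resolved the domain, so he appears on the purge list without an alert; Alice's alert carries both the click evidence and the later C2 beacon in time order.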