This document contains an agenda and overview for a presentation on using Splunk for operational security intelligence. The presentation discusses using lookup files to enhance security posture with threat intelligence, the common information model for ingesting and normalizing security data from various sources, investigating specific Windows event IDs to tackle advanced attacks, and highlighting popular security-related apps from Splunkbase. The document also contains disclaimers about forward-looking statements and a roadmap being subject to change.

1. Copyright © 2015 Splunk Inc.
Splunk for Operational
Security Intelligence
sob@splunk.com

2. 2
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.

3. Agenda
• An overview of the Splunk security universe
• Using lookup files to enhance your security posture - A.K.A. threat intelligence
• The Common information model
• 6 windows event ID’s to tackle advanced attacks
• "Best of" Security related splunkbase apps

4. 4
Advanced Threats Are Hard to Find
Cyber Criminals
Nation States
Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
100%
Valid credentials were used
40
Average # of systems accessed
229
Median # of days before detection
67%
Of victims were notified by
external entity

5. New approach to security operations is needed
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
• Fusion of people, process, &
technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
THREAT Attack Approach Security Approach
5
TECHNOLOGY
PEOPLE
PROCESS

6. 6
All Data is Security Relevant = Big Data
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Traditional
Authentication

7. 7
The Splunk Platform for Security Intelligence
SPLUNK ENTERPRISE (CORE)
Copyright © 2014 Splunk Inc.
200+ APPS SPLUNK FOR SECURITY SPLUNK-BUILT APPS
…
Stream data
Cisco
Security
Suite
Windows/
AD/ Exchange
Palo Alto
Networks
FireEye
Bit9
DShield
DNS
OSSEC

8. 8
Put it All Together – Security Maturity Level
q APT detection/hunting (kill chain method)
q Counter threat automation
q Threat Intelligence aggregation (internal & external)
q Fraud detection – ATO, account abuse,
q Insider threat detection
q Replace SIEM @ lower TCO, increase maturity
q Augment SIEM @ increase coverage & agility
q Compliance monitoring, reporting, auditing
q Log retention, storage, monitoring, auditing
q Continuous monitoring/evaluation
q Incident response and forensic investigation
q Event searching, reporting, monitoring & correlation
q Rapid learning loop, shorten discover/detect cycle
q Rapid insight from all data
q Fraud analyst
q Threat research/Intelligence
q Malware research
q Cyber Security/Threat
q Security Analyst
q CSIRT
q Forensics
q Engineering
q Tier 1 Analyst
q Tier 2 Analyst
q Tier 3 Analyst
q Audit/Compliance
Security Operations Roles/Functions
Reactive
Proactive
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight

9. 9
Example of Threat Activities - Zeus
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
Emails
to the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

10. 10
Use Splunk to Find Evidence
Search historically - back in time Watch for new evidence
Related
evidence
from other
security
devices

11. Threat intelligence
Auth - User Roles,
Corp Context
Host
Activity/Security
Network
Activity/Security
11
Advanced Threat Detection & Response
WEB
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
MAIL
.pdf Svchost.exeCalc.exe
Events that
contain link to file
Proxy log
C2 communication
to blacklist
How was
process started?
What created the
program/process?
Process making
C2 traffic
Web
Portal.pdf

12. Threat intelligence
Auth - User Roles,
Corp Context
Host
Activity/Security
Network
Activity/Security
Command & ControlExploitation & InstallationDelivery
MAIL WEB WEB FW
Accomplish Mission
Connect the “Data-Dots” to See the Whole Story
phishing
Download
from
infected site
1
2
5
6
7
8
3
4
Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
Threat Intelligence Data
Email Data
Or
Web Data
Host or ETDR Data
Web or Firewall Data
Threat Intelligence Data
Identity Data

13. 13
Connect the “Data-Dots” to See the Whole Story
Persist, Repeat
Threat intelligence
Auth - User Roles,
Corp Context
Host
Activity/Security
Network
Activity/Security
Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign
intent and attribution
Where they went to, who talked to whom, attack transmitted,
abnormal traffic, malware download
What process is running (malicious, abnormal, etc.) Process
owner, registry mods, attack/malware artifacts, patching level,
attack susceptibility
Access level, privileged users, likelihood of infection, where they
might be in kill chain
Delivery, Exploit
Installation
Gain Trusted
Access
ExfiltrationData GatheringUpgrade (escalate)
Lateral movement
Persist, Repeat
• Third-party Threat Intel
• Open source blacklist
• Internal threat intelligence
• Firewall
• IDS / IPS
• Vulnerability scanners
• Web Proxy
• NetFlow
• Network
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating System
• Database
• VPN, AAA, SSO

14. Threat intelligence
Host
Activity/Security
Network
Activity/Security
Command & ControlExploitation & InstallationDelivery Accomplish Mission
Security Ecosystem for Coverage and Protection
Auth - User Roles,
Corp Context

15. Copyright © 2015 Splunk Inc.
Threat Intelligence

16. 16
The Challenge:
• Industry says Threat Intel is
key to APT Protection
• Management wants all
threat intel checked against
every system, constantly
• Don’t forget to keep your
15+ threat feeds updated
The Solution:

17. Verizon 2015 DBIR
“…the percentage of indicators
unique to only one (outbound
destination) feed…is north of 97%
for the feeds we have sampled…”
Threat list aggregation =
more complete intelligence

18. MORE ABOUT DATA MODELS?
So… you have a list (or hopefully many)?

19. What can you do with it?
* | lookup threatlist srcip as clientip OUTPUT srcip as srcip threat_type as threat_type | stats
count by clientip srcip threat_type | where clientip=srcip

20. Break it down by time?

21. Send me an alert!

22. Copyright © 2015 Splunk Inc.
Demo

23. Other options?
• You could use SA-Splice from splunkbase – deprecated
• Use correlation searches to populate lookup files - outputlookup
• Leverage KV store lookups
• Enterprise Security

24. 24
Various community
threat lists
Local ones too
TAXII support

25. Copyright © 2015 Splunk Inc.
The common
information model

26. Data comes from…

27. Data Ingest + Common Information Model
● You’ve got a bunch of systems…
● How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● CIM = Data Normalization

28. Copyright © 2015 Splunk Inc.
NORMALIZATION?!?

29. Copyright © 2015 Splunk Inc.
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.

30. A base Splunk
search, done for
you…
…which returns a
bunch of fields

31. Data Normalization is Mandatory for your SOC
“The organization consuming the
data must develop and consistently
use a standard format for log
normalization.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck
creating investigative queries

33. Free.
Supported.
Fully
documented.

34. Lots of apps
support CIM.

35. CIM Compliant!

36. Click “Data
models” under
settings

37. • Pivot is an excellent interface to explore a
dataset you don’t know yet – or for a business
user
• Tstats can search distributed .tsidx files
(accelerated DM’s)
• Use the search term – FROM
datamodel=<datamodelname>
• For example:
• | tstats avg(foo) FROM
datamodel=buttercup_games WHERE
bar=valuex
• You should expect dramatically faster search
results using this method
Tstats and/or pivot– use them!

38. Copyright © 2015 Splunk Inc.
Demo

39. Copyright © 2015 Splunk Inc.
Windows events

46. Copyright © 2015 Splunk Inc.
Security apps

47. • Easily the most underrated app on
Splunkbase
• Turn every host on your network into a
network sniffer!
• Rapidly respond to security events by
capturing data at the source
• Highly configurable to capture only data
of interest

48. Copyright © 2015 Splunk Inc.
Demo

49. • Building block for URL manipulation
• Correctly parse URL’s and complicated TLD’s
• Explore entropy of data
• Also great for DNS investigation
• The domain aaaaa.com has a Shannon
Entropy score of 1.8 (very low)
• The domain google.com has a Shannon
Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-
890209uC.4.com has a Shannon Entropy
score of 3 (rather high)

50. • Check your data aginst a
multiude of virus definition DB’s.
• Free
• Subscription
• 4 checks per hour

51. Copyright © 2015 Splunk Inc.
Please join the Splunk
Slack channel!!!
splunk-usergroups.slack.com
#general #apac
sob@splunk.com

52. Copyright © 2015 Splunk Inc.
Thankyou!
sob@splunk.com