© 2021 SPLUNK INC.
The Path to Fully Automated SOC Operations
Splunk for Security
Udo Götzen, CISSP
Staff Sales Engineer
Start: 16:30

The Security Data Journey
The path to the fully automated SOC

Stage 1: Security Logging & Investigation (Investigate)
● Build an investigative data platform
● Correlate events
● Monitor specific security use cases

The journey has four stages: Stage 1 Investigate, Stage 2 Analyze, Stage 3 Act, Stage 4 Collaborate.

The Data-to-Everything Platform for Machine Data
Diagram: data lakes, master data management, ETL, point data management solutions and data silos (IT, Security, IoT, Business Analytics) alongside one platform for machine data.

Data-to-Everything Platform
A main benefit of the Splunk platform is the data reuse across Security, IT/OT Operations and Business.
Diagram: four consumer groups sharing one data platform (other labels in the diagram: Helvetia, Dark Data):
• Security: SOC, security analysts
• IT/OT Operations: server, network, app, DBs
• Application Development / DevOps: testers, developers
• Business Analytics: business units
Data reuse figures shown between the groups:
• Up to 80% of the total data commonly indexed for Security is critical to enable IT Ops use cases.
• Up to 50% of the total data commonly indexed for IT Ops can be leveraged to enable Business Analytics use cases.
• Up to 80% of the total data commonly indexed for IT Ops is critical for App Dev to produce faster release cycles with fewer errors.

Stage 1 of the Security Journey
Recommendations on which data sources should be collected

Network
Visibility into network traffic is crucial for every security team. At this early stage the priority is to see which kinds of traffic exist in your network. It is important to see both the permitted traffic and the communication attempts that were blocked.
Examples:
• Palo Alto Networks
• Cisco
• Check Point
• Fortinet

Endpoint
Endpoint logs complement network visibility and reveal malicious activity such as malware execution, an insider carrying out an unauthorized action, or an attacker who is present in your network. In the first step it is important to collect this data from servers of all operating systems (at a later stage, data from desktops and notebooks is indispensable).
Examples:
• Windows Event Logs
• Linux System Logs
• Linux Auditd
• Mac System Logs

Authentication
Authentication logs can tell you when and from where users access your systems and applications. Since most successful attacks ultimately involve the use of valid credentials, this data is crucial for distinguishing a valid login from an account takeover.
Examples:
• Windows Active Directory
• Cloud Identity & Access Management (IAM)

Web activity
Many attacks begin with a user visiting a malicious website, or end with valuable data being transferred to a website the attacker controls. Visibility into who accesses which sites and when is crucial for an investigation.
Examples of next-generation firewall traffic filters:
• Palo Alto Networks
• Cisco
• Check Point
• Fortinet
Web proxy:
• Bluecoat
• Websense

Splunk Security Essentials
Identify bad guys:
• 850+ security analytics methods
• Free on Splunkbase – use on Splunk Enterprise
• Target external and insider threats
• Advanced threat detection, compliance, and more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save from app, send hits to ES / UBA
Solve the use cases you can today for free, then use Splunk UBA for advanced ML detection.
https://splunkbase.splunk.com/app/3435/

The Security Data Journey: Stage 2, Analytics-Driven SIEM (Analyze)
● Cross-platform correlation with end-to-end visibility
● Proactive monitoring
● Analytics-driven framework
● Risk-based alerting

What Is Enterprise Security?
Diagram: data sources (mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop) feed the Platform for Operational Intelligence; on top of it Enterprise Security provides the Notable Events, Asset & Identity, Risk Analysis, Threat Intelligence, Use Case Library and Adaptive Response frameworks.

Notable Events and Incident Review
▶ STREAMLINE INCIDENT MGMT PROCESS
• Consolidated incident management allows effective lifecycle management of security incidents.
▶ RAPID DECISION MAKING SUPPORT
• Automatically aligns all security context together for fast incident qualification and provides predefined analysis paths.
▶ REFINE SECURITY MGMT PROCESS
• Investigation management and customizations to support complex process integration requirements.

How To Populate Assets & Identities
Diagram (steps 1 to 3, then long-term success):
• CSV upload / maintaining it in the GUI
• Nmap / vulnerability scanner
• Active Directory / LDAP / DHCP, with automated building and learning through indexed events
• Long-term success: user lifecycle management / CMDB / HR system

Risk Framework
Quantitative metrics are applied to distinguish the importance of a given situation for advanced detection.
Expose risk factors to analysts:
• Rationalize and analyze behaviors and relationships across all data.
• Investigate risk factors to anticipate threats and prevent future threats.
Ability to prioritize / decide based on risk:
• Transparent evidence translates to quantitative numbers.
• Ability to map scores to different objects, including events, and aggregate based on criteria (functions, business units, physical ...).
Diagram: a total risk score (e.g. +80) per asset or identity, built up from the occurrence of matching correlation searches and other attributes.

Alert Volumes Are Overwhelming SOCs
• Abandoned alerts
• Suppressed alerts
• Slow detection / response
• Analyst burnout
Over 40% of orgs receive 10,000+ alerts per day and experience 50%+ false positives.

But What Alternatives Do SOCs Have?
Diagram: analytics/correlations either alert directly from analytics or get tuned; either way the result is alert fatigue.
There are no perfect correlation searches; alert fatigue seems inevitable.

2018: Risk-Based Alerting to the Rescue
Dramatically reduce alert volumes while increasing analyst productivity and efficiency, and improving your security posture.
Diagram: analytics/correlations no longer alert directly; each observation is written to a risk index, and risk notable alerting runs on that index using the risk score, the MITRE ATT&CK tactic and business-unit (BU) outliers.

How Does This Look in Practice?
Traditionally, the events below would be considered too noisy and would be abandoned:
6:55 AM  Potential spearphishing observed
6:58 AM  Suspicious command disabling controls
7:03 AM  Suspicious PowerShell observed
1:55 PM  AWS ACLs opened up all access
2:03 PM  AWS user provisioning observed
2:07 PM  AWS buckets created
2:15 PM  AWS permanent creation observed

How Does This Look in Practice?
With risk-based alerting, these events become context that informs high-fidelity alerts.
Risk notable: generate an alert for any user or system that exceeds a risk score of 100 in a 24-hour period.
6:55 AM  Potential spearphishing observed            10 pts
6:58 AM  Suspicious command disabling controls       15 pts
7:03 AM  Suspicious PowerShell observed              20 pts
1:55 PM  AWS ACLs opened up all access               10 pts
2:03 PM  AWS user provisioning observed              15 pts
2:07 PM  AWS buckets created                         15 pts
2:15 PM  AWS permanent creation observed             20 pts
Aggregated user risk score > 100 → ALERT. With one click, view all of the risk events that contribute to the alert.
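The aggregation the slide describes, as an added example (not Splunk's code): risk events are summed per user or system over a sliding 24-hour window, and a risk notable is raised only when the total exceeds 100. The date, the user names and the extra noise events are constructed; the seven scored observations are the ones on the slide.

```python
"""Risk-based alerting over a stream of risk events.

Added example, not Splunk's own code: each noisy detection writes a small
score to a risk index instead of alerting, and a risk notable fires only
when one user's or system's aggregated score exceeds 100 within a
24-hour window. Dates, user names and the extra noise events are
constructed; the seven scored observations are the slide's timeline.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RISK_THRESHOLD = 100          # slide: alert when the score exceeds 100
WINDOW = timedelta(hours=24)  # slide: within a 24-hour period


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str   # user or system the score is attributed to
    search: str        # correlation search that made the observation
    score: int


@dataclass(frozen=True)
class RiskNotable:
    risk_object: str
    total: int
    contributing: tuple  # risk events behind the alert (the one-click drill-down)


def risk_notables(events):
    """Return one RiskNotable per risk object whose score in some 24-hour
    window exceeds RISK_THRESHOLD. Events are processed in time order and
    each object keeps a sliding window of its recent events, so old
    observations age out instead of accumulating forever.
    """
    windows = defaultdict(deque)
    totals = defaultdict(int)
    alerted = set()  # one notable per object; ES would dedupe similarly
    notables = []
    for ev in sorted(events, key=lambda e: e.time):
        win = windows[ev.risk_object]
        win.append(ev)
        totals[ev.risk_object] += ev.score
        # Drop observations older than 24 hours relative to the newest one.
        while ev.time - win[0].time > WINDOW:
            totals[ev.risk_object] -= win.popleft().score
        if totals[ev.risk_object] > RISK_THRESHOLD and ev.risk_object not in alerted:
            alerted.add(ev.risk_object)
            notables.append(RiskNotable(ev.risk_object, totals[ev.risk_object], tuple(win)))
    return notables


DAY = datetime(2021, 3, 1)  # constructed date; the slide shows clock times only
SLIDE_TIMELINE = [  # (clock time, correlation search, points) as on the slide
    ("06:55", "Potential spearphishing observed", 10),
    ("06:58", "Suspicious command disabling controls", 15),
    ("07:03", "Suspicious PowerShell observed", 20),
    ("13:55", "AWS ACLs opened up all access", 10),
    ("14:03", "AWS user provisioning observed", 15),
    ("14:07", "AWS buckets created", 15),
    ("14:15", "AWS permanent creation observed", 20),
]


def at(clock, days_offset=0):
    """Constructed timestamp on DAY (+offset) at the given HH:MM."""
    return DAY + timedelta(days=days_offset) + timedelta(
        hours=int(clock[:2]), minutes=int(clock[3:]))


def slide_events(user="jdoe"):
    """The slide's seven observations for one constructed user (105 points)."""
    return [RiskEvent(at(t), user, name, pts) for t, name, pts in SLIDE_TIMELINE]


def noise_events():
    """Constructed background noise that must NOT alert: one isolated
    phishing observation, and an old high score that has aged out of
    the 24-hour window before today's event arrives.
    """
    return [
        RiskEvent(at("09:10"), "mwong", "Potential spearphishing observed", 10),
        RiskEvent(at("08:00", days_offset=-3), "srv-db01", "Suspicious PowerShell observed", 95),
        RiskEvent(at("10:30"), "srv-db01", "Suspicious command disabling controls", 15),
    ]


if __name__ == "__main__":
    for n in risk_notables(slide_events() + noise_events()):
        print(f"RISK NOTABLE {n.risk_object}: {n.total} pts from {len(n.contributing)} events")
        for ev in n.contributing:
            print(f"  {ev.time:%I:%M %p}  {ev.search:<42} {ev.score:>3} pts")
```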

Threat Intelligence Framework
Finding hidden IOCs using comprehensive threat intelligence mappings

Collect
Intel sources: multiple sources, multiple transmission types, multiple transports, multiple data formats.
Indicator types:
1. IP
2. Emails
3. URLs
4. File names / hashes
5. Process names
6. Services
7. Registry entries
8. X509 certificates
9. Users

Categorize
Index, extract, categorize.

Manage
Data management: manage / audit threat sources (list status, list management, list location).

Search
Data search: ad-hoc search, analyze, investigate, prioritize.

Correlate
Match all IOCs in existing log data and generate an alert for any matches; KSIs and trends on the security dashboard; correlation data / notable events.
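The Correlate step above, as an added example (not Splunk's implementation): typed indicators from several named lists are matched against the event fields that can carry them, and each hit records its source list so the Manage step stays auditable. Field names, list names, indicators and events are all constructed.

```python
"""Correlate threat-intel indicators against log events.

Added example, not Splunk's implementation: a minimal Collect / Manage /
Correlate pipeline for the nine indicator types the slide lists. Lists are
normalized on load, every event field that can carry a given type is
checked, and each hit records the list it came from so sources stay
auditable. Field names, list names, indicators and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Event fields that can carry each indicator type (assumed names, loosely
# modelled on CIM-style field naming).
FIELDS_BY_TYPE = {
    "ip": ("src_ip", "dest_ip"),
    "email": ("sender", "recipient"),
    "url": ("url",),
    "file_name": ("file_name",),
    "file_hash": ("file_hash",),
    "process": ("process_name",),
    "service": ("service_name",),
    "registry": ("registry_path",),
    "certificate": ("ssl_hash",),
    "user": ("user",),
}


def normalize(ioc_type, value):
    """Canonical form so that case and trivial formatting differences still match."""
    v = value.strip().lower()
    if ioc_type == "url":
        return v.rstrip("/")
    if ioc_type == "registry":
        return v.replace("/", "\\")
    return v


@dataclass(frozen=True)
class Notable:
    event_id: int
    field: str
    ioc_type: str
    value: str
    source_list: str


class ThreatIntel:
    def __init__(self):
        self._index = defaultdict(set)  # (type, value) -> names of lists holding it

    def load(self, list_name, ioc_type, values):
        """Collect one list; a type with no mapped event field is a config error."""
        if ioc_type not in FIELDS_BY_TYPE:
            raise ValueError(f"unknown indicator type {ioc_type!r}")
        for v in values:
            self._index[(ioc_type, normalize(ioc_type, v))].add(list_name)

    def audit(self):
        """Indicator count per list: the slide's manage / audit view."""
        counts = defaultdict(int)
        for lists in self._index.values():
            for name in lists:
                counts[name] += 1
        return dict(counts)

    def correlate(self, events):
        """Return one Notable for every event field that matches an indicator."""
        hits = []
        for event in events:
            for ioc_type, fields in FIELDS_BY_TYPE.items():
                for field in fields:
                    raw = event.get(field)
                    if raw is None:
                        continue
                    key = (ioc_type, normalize(ioc_type, raw))
                    for list_name in sorted(self._index.get(key, ())):
                        hits.append(Notable(event["id"], field, ioc_type, key[1], list_name))
        return hits


def demo_intel():
    """Constructed indicators of several types from several named lists."""
    ti = ThreatIntel()
    ti.load("vendor_feed", "ip", ["203.0.113.45"])  # TEST-NET-3 address
    ti.load("phish_list", "email", ["Billing@Example.NET"])
    ti.load("phish_list", "url", ["http://login.example.net/verify/"])
    ti.load("malware_hashes", "file_hash", ["0123456789abcdef0123456789abcdef"])
    ti.load("registry_watch", "registry", [r"HKLM\Software\Example\Persist"])
    return ti


SAMPLE_EVENTS = [  # constructed log events; only ids 1-4 carry an indicator
    {"id": 1, "src_ip": "10.0.0.5", "dest_ip": "203.0.113.45", "user": "alice"},
    {"id": 2, "sender": "billing@example.net", "recipient": "alice@corp.example",
     "url": "HTTP://login.example.net/verify"},
    {"id": 3, "process_name": "notepad.exe", "file_hash": "0123456789ABCDEF0123456789ABCDEF"},
    {"id": 4, "registry_path": "HKLM/Software/Example/Persist"},
    {"id": 5, "src_ip": "10.0.0.7", "user": "bob"},
]

if __name__ == "__main__":
    for hit in demo_intel().correlate(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.field}={hit.value} hits {hit.ioc_type} in {hit.source_list}")
```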

Analytic Story Details
Story description and information: the top bar contains metadata around the Analytic Story, the right window shows the association to various security frameworks, and the description and narrative explain what it is about.
Run the searches in the story: clicking "Run Analytics" runs all the searches in the story and gives you a count of the number of results returned.

Analytic Story Details (continued)
Configure in ES: takes you to the associated "Edit Correlation Search" page in ES.
Search details: this is the area where you can see the exact search, related details, and optionally run it.
More searches: the associated contextual, investigative, and supporting searches are all available here as well.
Search metadata: information on data models used and examples of technologies that can provide the necessary data.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response

Splunk Adaptive Response Framework
Diagram: response actions orchestrated across the security stack: WAF & app security, orchestration, network, threat intelligence, internal network security, identity and access, endpoints, firewall, web proxy.

The Security Data Journey: Stage 3, Automate and Respond (Act)
● Automation and orchestration
● Run playbooks
● Gather security context
● Respond faster
● Strengthen defenses
● Intensify collaboration

SOAR for Security Operations
Faster execution through the loop yields better security.
Diagram (OODA loop):
• Observe: point products such as firewall, IDS/IPS, endpoint, WAF, advanced malware, forensics, malware detonation
• Orient: analytics such as SIEM, threat intel platform, Hadoop, GRC
• Decide: decision making by Tier 1, Tier 2 and Tier 3 analysts
• Act: acting on the same point products, automated instead of manual (today)

How SOAR Solves Security Operations Problems
• Too many alerts: clear 80% of alerts with no human interaction. Phantom automates security alerts so your team can go from overwhelmed to in control.
• Limited resources: force-multiply your team. Automate repetitive tasks so you can do more with the people you already have.
• Lack of process: establish SOPs to be more effective. Phantom has case management built in to help customers build operational rigor.
• Speed: from 30 minutes to 40 seconds. Phantom orchestration and automation makes everything work faster.
• Costs: definitive ROI and hard cost savings. Phantom saves your team time and headache, and makes your current tools work better.
• Too many siloed products: unlock value from previous investments. Phantom orchestrates workflows and response across all your products so that each one is actively participating in your defense strategy.

SOAR Maestro
Diagram: a playbook conducts app actions across many integrated apps.

How It Works: Automated Malware Investigation
A Phantom case study
“Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” — Adam Fletcher, CISO
Diagram steps: email alert, sandbox, query recipients, user profile, hunt file, file reputation, file assessment, run playbook “Remediate”.

SOAR Playbook Example

The Security Data Journey: Stage 4, Collaborative SOC (Collaborate)
● Fully automated Security Operations Center
● Consolidation of SIEM, UEBA and SOAR technologies
● Effective communication and collaboration

The four stages together: Stage 1 Investigate (security logging & investigation), Stage 2 Analyze (analytics-driven SIEM), Stage 3 Act (automate and respond), Stage 4 Collaborate (collaborative SOC).

Security Nerve Center
Diagram: SIEM and SOAR at the center (Monitor, Investigate, Analyze, Act), connected to endpoints, threat intelligence, network, web proxy, firewall, identity and access, WAF and app security, cloud security and mobile.

Security Portfolio
Splunk Enterprise (Investigate; realm of the known; human-driven):
• Log aggregation
• Rules, statistics, correlation
• Ad hoc searches and data pivot
Enterprise Security (Detect, Investigate & Respond):
• Single pane of glass
• Security metrics & incident response
• Adaptive Response
• Collaboration
Splunk UBA (Detect; realm of the unknown; ML-driven):
• Risky behavior detection
• Entity profiling, scoring
• Kill chain, graph analysis

Value Gained with Splunk
• 70% less time spent investigating security events, thanks to correlation
• 30% reduction of the risk associated with IP theft, data breaches and fraud
• 80% reduction of the time spent on manual compliance reporting
• 80% reduction of the time spent on manual, routine security tasks
On average, customers experience significant improvements in the detection, triage and investigation of incidents, which reduces overall risk.

https://events.splunk.com/security_workshops_de
Enterprise Security Hands-On Workshop
Risk-Based Alerting Hands-On Workshop

Thank You
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

Más de Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

The Path to Fully Automated SOC Operations

  • 1. © 2021 SPLUNK INC. The Path to Fully Automated SOC Operations. Splunk for Security. Udo Götzen, CISSP, Staff Sales Engineer. Start 16:30
  • 2. © 2021 SPLUNK INC. The Path to Fully Automated SOC Operations. Splunk for Security. Udo Götzen, CISSP, Staff Sales Engineer
  • 3. © 2021 SPLUNK INC. The Security Data Journey: the path to the fully automated SOC. Security Logging & Investigation ●Building an investigative data platform ●Correlation of events ●Monitoring of specific security use cases. Stage 1, Stage 2, Stage 3, Stage 4: Investigate, Analyze, Act, Collaborate
  • 4. © 2021 SPLUNK INC. Data Lakes, Master Data Management, ETL, Point Data Management Solutions, Data Silos. IT, Security, IoT, Biz Analytics. The Data-to-Everything Platform for Machine Data
  • 5. © 2021 SPLUNK INC. IT/OT Operations (Server, Network, App, DBs). Business Analytics (Business Units). Up to 80% of the total data commonly indexed for Security is critical to enable IT Ops use cases. Up to 50% of the total data commonly indexed for IT Ops can be leveraged to enable Business Analytics use cases. Up to 80% of the total data commonly indexed for IT Ops is critical for App Dev to produce faster release cycles with fewer errors. Application Development / DevOps (Testers, Developers). Helvetia. Dark Data. Security (SOC, Security Analysts). Data to Everything Platform: a main benefit of the Splunk platform is the data reuse across Security, IT/OT Operations and Business
  • 6. © 2021 SPLUNK INC. The first stage of the security journey: recommendations for which data sources should be collected. Network, Endpoint, Authentication, Web activity. Visibility into network traffic is critical for every security team. At this early stage, the priority is to see which kinds of traffic exist on your network. It is important to see both the permitted traffic and the communication attempts that were blocked. Endpoint logs complement network visibility and provide insight into malicious activity such as the execution of malware, an insider performing unauthorized activity, or an attacker residing in your network. In the first step it is important to collect this data from servers of all operating systems (in a later stage, data from desktops and notebooks is indispensable). Authentication logs can tell you when and from where users access your systems and applications. Since most successful attacks ultimately involve the use of valid credentials, this data is critical for distinguishing between a valid login and an account takeover. Many attacks begin with a user visiting a malicious website, or end with valuable data being transferred to a website the attacker controls. Visibility into who accesses which pages and when is critical for the investigation. Examples: • Palo Alto Networks • Cisco • Check Point • Fortinet. Examples: • Windows Event Logs • Linux System Logs • Linux Auditd • Mac System Logs. Examples: • Windows Active Directory • Cloud Identity & Access Management (IAM). Examples: Next Gen Firewall traffic filter: • Palo Alto Networks • Cisco • Check Point • Fortinet. Web Proxy: • Bluecoat • Websense
  • 7. © 2021 SPLUNK INC. Splunk Security Essentials Identify Bad Guys: • 850+ security analytics methods • Free on Splunkbase – use on Splunk Enterprise • Target external and insider threats • Advanced threat detection, compliance, and more • Scales from small to massive companies • Data source onboarding guidance • MITRE ATT&CK and Kill Chain mappings • Save from app, send hits to ES / UBA Solve use cases you can today for free, then use Splunk UBA for advanced ML detection. https://splunkbase.splunk.com/app/3435/
  • 8. © 2021 SPLUNK INC. The Security Data Journey: the path to the fully automated SOC. Security Logging & Investigation ●Building an investigative data platform ●Correlation of events ●Monitoring of specific security use cases. Analytics-driven SIEM ●Cross-platform correlation with end-to-end visibility ●Proactive monitoring ●Analytics-driven framework ●Risk-based alerting. Stage 1, Stage 2, Stage 3, Stage 4: Investigate, Analyze, Act, Collaborate
  • 9. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 10. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 11. © 2021 SPLUNK INC. Notable Events and Incident Review ▶ STREAMLINE INCIDENT MGMT PROCESS • Consolidated incident management allows effective lifecycle management of security incidents. ▶ RAPID DECISION MAKING SUPPORT • Automatically aligns all security context together for fast incident qualification and provides predefined analysis paths. ▶ REFINE SECURITY MGMT PROCESS • Investigation management and customizations to support complex process integration requirements.
  • 12. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 13. © 2021 SPLUNK INC. How To Populate Asset & Identities Long Term Success User Lifecycle Management / CMDB / HR System 1 2 3 Active Directory / LDAP / DHCP Automated building and learning through indexed events Nmap / Vulnerability Scanner CSV Upload / Maintaining it in the GUI
  • 14. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 15. © 2021 SPLUNK INC. Risk Framework. EXPOSE RISK FACTORS TO ANALYSTS • Rationalize and analyze behaviors and relationships across all data. • Investigate risk factors to anticipate threats and prevent future threats. ABILITY TO PRIORITIZE / DECIDE BASED ON RISK • Transparent evidence translates to quantitative numbers. • Ability to map scores to different objects, including events, and aggregate based on a criteria (Functions, Business units, Physical Quantitative metrics are applied to distinguish the importance of certain situations for advanced detection. +80 Asset, Identity, Other Attributes. TOTAL RISK SCORE: occurrence of matching correlation searches
  • 16. © 2021 SPLUNK INC. Alert Volumes Are Overwhelming SOCs • Abandoned alerts • Suppressed alerts • Slow detection / response • Analyst burnout Over 40% of orgs receive 10,000+ alerts per day; experience 50%+ false positives
  • 17. © 2021 SPLUNK INC. But What Alternatives Do SOCs Have? Alert Directly from Analytics Tune Analytics Analytics/ Correlations Alert Fatigue There are no perfect correlation searches; alert fatigue seems inevitable
  • 18. © 2021 SPLUNK INC. 2018: Risk-Based Alerting to the Rescue Observation Analytics/ Correlations Dramatically reduce alert volumes while increasing analyst productivity and efficiency Risk Index
  • 19. © 2021 SPLUNK INC. 2018: Risk-Based Alerting to the Rescue Analytics/ Correlations Dramatically reduce alert volumes while improving your security posture Risk Index Risk Notable Alerting Risk Score Mitre ATT&CK Tactic BU Outliers Observation
  • 20. © 2021 SPLUNK INC. How Does This Look in Practice? Traditionally, the events below would be considered too noisy and would be abandoned: Potential spearphishing observed; Suspicious command disabling controls; Suspicious PowerShell observed; AWS ACLs opened up all access; AWS user provisioning observed; AWS buckets created; AWS permanent creation observed. 6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
  • 21. © 2021 SPLUNK INC. How Does This Look in Practice? With risk-based alerting, these events become context that informs high-fidelity alerts. Risk Notable: generate alert for any user or system that exceeds a risk score of 100 in a 24 hour period. Aggregated user risk score >100: ALERT. With one click, view all of the risk events that contribute to the alert: Potential spearphishing observed 10 pts; Suspicious command disabling controls 15 pts; Suspicious PowerShell observed 20 pts; AWS ACLs opened up all access 10 pts; AWS user provisioning observed 15 pts; AWS buckets created 15 pts; AWS permanent creation observed 20 pts. 6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
  • 22. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 23. © 2021 SPLUNK INC. Threat Intelligence Framework Finding hidden IOCs using comprehensive threat intelligence mappings • Multiple sources • Multiple transmission types • Multiple transports • Multiple data formats INTEL SOURCES 1. IP 2. Emails 3. URLs 4. Files names/ hashes 5. Processes names 6. Services 7. Registry entries 8. X509 Certificates 9. Users CATEGORIZE Index, Extract, Categorize Manage / Audit threat sources • List status • List mgmt. • List location COLLECT MANAGE Data Management SEARCH Ad-hoc search, analyze, investigate, prioritize Data Search CORRELATE Match all IOCs in existing log data Generate alert for any matches KSI and trends Security Dashboard Correlation Data / Notable Events
  • 24. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 25. © 2021 SPLUNK INC. Analytic Story Details Story description and information Top bar contains metadata around the Analytic Story, right window shows association to various security frameworks, and the description and narrative explain what it’s about Run the searches in the story Clicking ’Run Analytics’ runs all the searches in the story and gives you a count of the number of results returned
  • 26. © 2021 SPLUNK INC. Analytic Story Details. Configure in ES: takes you to the associated 'Edit Correlation Search' page in ES. Search Details: this is the area where you can see the exact search, related details, and optionally run it. More searches: the associated contextual, investigative, and supporting searches are all available here as well. Search Metadata: information on data models used and examples of technologies that can provide the necessary data
  • 27. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 28. © 2021 SPLUNK INC. Splunk Adaptive Response Framework WAF & App Security Orchestration Network Threat Intelligence Internal Network Security Identity and Access Endpoints Firewall Web Proxy
  • 29. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 30. © 2021 SPLUNK INC. The Security Data Journey: the path to the fully automated SOC. Security Logging & Investigation ●Building an investigative data platform ●Correlation of events ●Monitoring of specific security use cases. Automate and Respond ●Automation and orchestration ●Running playbooks ●Gathering security context ●Responding faster ●Strengthening defenses ●Intensifying collaboration. Analytics-driven SIEM ●Cross-platform correlation with end-to-end visibility ●Proactive monitoring ●Analytics-driven framework ●Risk-based alerting. Stage 1, Stage 2, Stage 3, Stage 4: Investigate, Analyze, Act, Collaborate
  • 31. © 2021 SPLUNK INC. SOAR for Security Operation Faster execution through the loop yields better security Decision Making Acting SIEM THREAT INTEL PLATFORM HADOOP GRC AUTOMATED MANUAL (TODAY) FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION TIER 1 TIER 2 TIER 3 Observe Point Products Orient Analytics
  • 32. © 2021 SPLUNK INC. SOAR for Security Operation Faster execution through the loop yields better security Decision Making Acting SIEM THREAT INTEL PLATFORM HADOOP GRC AUTOMATED MANUAL (TODAY) FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION TIER 1 TIER 2 TIER 3 Observe Point Products Orient Analytics
  • 33. © 2021 SPLUNK INC. How SOAR Solves Security Operations Problems. Too Many Alerts: clear 80% of alerts with no human interaction. Phantom automates security alerts so your team can go from overwhelmed to in control. Limited Resources: force multiply your team. Automate repetitive tasks so you can do more with the people you already have. Lack of Process: establish SOPs to be more effective. Phantom has case management built in to help customers build operational rigor. Speed: from 30 mins to 40 seconds. Phantom orchestration and automation makes everything work faster. Costs: definitive ROI and hard cost savings. Phantom saves your team time and headache, and makes your current tools work better. Too Many Siloed Products: unlock value from previous investments. Phantom orchestrates workflows and response across all your products so that each one is actively participating in your defense strategy
  • 34. © 2021 SPLUNK INC. SOAR Maestro App actions App actions App actions App actions App actions App actions App actions App actions App actions App actions Playbook
  • 35. © 2021 SPLUNK INC. How it Works Automated Malware Investigation • “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” — Adam Fletcher, CISO A Phantom Case Study SANDBOX QUERY RECIPIENTS USER PROFILE HUNT FILE HUNT FILE FILE REPUTATION FILE ASSESSMENT RUN PLAYBOOK “REMEDIATE" EMAIL ALERT
  • 36. © 2021 SPLUNK INC. SOAR Playbook Example
  • 37. © 2021 SPLUNK INC. The Security Data Journey: the path to the fully automated SOC. Security Logging & Investigation ●Building an investigative data platform ●Correlation of events ●Monitoring of specific security use cases. Automate and Respond ●Automation and orchestration ●Running playbooks ●Gathering security context ●Responding faster ●Strengthening defenses ●Intensifying collaboration. Analytics-driven SIEM ●Cross-platform correlation with end-to-end visibility ●Proactive monitoring ●Analytics-driven framework ●Risk-based alerting. Collaborative SOC ●Fully automated Security Operations Center ●Consolidation of SIEM, UEBA and SOAR technologies ●Effective communication and collaboration. Stage 1, Stage 2, Stage 3, Stage 4: Investigate, Analyze, Act, Collaborate
  • 38. © 2021 SPLUNK INC. Act Security Nerve Center Endpoints Threat Intelligence Network Web Proxy Firewall Identity and Access WAF and App Security Cloud Security Mobile SOAR SIEM Analyze Monitor Investigate
  • 39. © 2021 SPLUNK INC. Security Portfolio • Risky Behavior Detection • Entity Profiling, Scoring • Kill chain, Graph analysis Enterprise Security Detect, Investigate & Response • Single pane of glass • Security Metrics & Incident Response • Adaptive Response • Collaboration Splunk Enterprise Investigate Realm of Known Human- driven Splunk UBA Detect Realm of Unknown ML- driven • Log Aggregation • Rules, statistics, correlation • Ad hoc searches and data pivot
  • 40. © 2021 SPLUNK INC. Value gained with Splunk. 70% reduction in time spent investigating security events through correlation. 30% reduction in risk associated with IP theft, data breaches and fraud. 80% reduction in time spent on manual compliance reporting. 80% reduction in time spent on manual, routine security tasks. On average, customers experience significant improvements in the detection, triage and investigation of incidents, which reduces overall risk.
  • 41. © 2021 SPLUNK INC. https://events.splunk.com/security_workshops_de Enterprise Security Hands-On Workshop Risk-Based Alerting Hands-On Workshop
  • 42. Thank You © 2021 SPLUNK INC.