This document discusses how Splunk can be used for security analytics and threat detection. It describes how Splunk allows organizations to centrally gather and correlate security-related data from various sources like networks, endpoints, applications and threat intelligence feeds. This enables use cases like monitoring for known threats, detecting unknown threats, incident investigation and user behavior analytics. Advanced techniques like machine learning and user/entity behavior analytics are also discussed to help identify anomalous activity that could indicate security incidents or threats.
2. Agenda
• Advanced attacks are hard to find
• How to use Splunk for Security
• Most common use-cases
• How to add value to existing data
• How to detect new threats
• User Behavior Analytics
• News in ES 4.0
3. Advanced Threats Are Hard to Find
Cyber Criminals · Nation States · Insider Threats
Source: Mandiant M-Trends Report
100%: Valid credentials were used
40: Average # of systems accessed
205: Median # of days before detection
67%: Of victims were notified by external entity
4. Traditional approaches are not good enough
• Prevention of breaches will fail!
• Invest more in detection
• Gather all data in one place
• Enrich data with context
• Make it easy to search in the data
• Make it easy to do advanced analytics
5. SPLUNK FOR SECURITY
“Connects People and Data with Context and Extended Intelligence”
6. Security Intelligence Platform
All SOC needs & personnel: Monitoring, Correlations, Alerts · Ad Hoc Search & Investigate · Custom Dashboards and Reports · Analytics and Visualization · Developer Platform
Real-time machine data: Cloud Apps, Servers, Email, Web, Network Flows, DHCP/DNS, Custom Apps, Badges, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication, Storage, Industrial Control, Mobile
External lookups / enrichment: Threat Feeds, Asset Info, Employee Info, Data Stores, Applications
7. Enables Many Security Use Cases
Security Intelligence Platform use cases:
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Detecting Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat
11. Context = knowledge around the data
• Importance of assets and identities
• Is this a known bad IP/domain/e-mail?
• Should this user access the SQL server?
• Should this server communicate with X?
• Make data easier to understand
12. Data from Anti-Virus/Anti-Malware
• No need to act if the malware was removed
• But what if:
  – The hosts are re-infected?
  – Multiple hosts are infected in a short time?
  – The CEO/CFO/CISO computer is infected?
  – The host is the webshop/Internet bank/an important system?
  – Other sources alert within a short timeframe?
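As an added example (not code from the deck or from Splunk), the following Python applies these four context checks to a constructed set of anti-malware events that all report the malware as removed. The hostnames, the CRITICAL_ASSETS lookup and the IDS alert are assumed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample anti-malware events (not from the page): the AV product
# reports every infection as cleaned, so none of them would be acted on alone.
AV_EVENTS = [
    {"ts": "2015-11-16T09:00:00", "host": "ws-peter", "action": "removed"},
    {"ts": "2015-11-16T09:05:00", "host": "ws-sam", "action": "removed"},
    {"ts": "2015-11-16T09:07:00", "host": "fin-cfo-laptop", "action": "removed"},
    {"ts": "2015-11-17T10:00:00", "host": "ws-peter", "action": "removed"},
    {"ts": "2015-11-20T08:00:00", "host": "webshop-01", "action": "removed"},
]
# Constructed asset-importance lookup: executive machines and business-critical systems.
CRITICAL_ASSETS = {"fin-cfo-laptop": "CFO laptop", "webshop-01": "webshop"}
# Constructed alert from a second source (an IDS) to correlate within a short window.
OTHER_ALERTS = [{"ts": "2015-11-20T08:03:00", "host": "webshop-01", "source": "ids"}]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def av_context_alerts(events, critical=CRITICAL_ASSETS, other_alerts=OTHER_ALERTS,
                      burst_window=timedelta(minutes=15), burst_hosts=3,
                      reinfect_window=timedelta(days=7), corr_window=timedelta(minutes=30)):
    """Return (reason, host) findings that a plain 'malware removed' status hides."""
    events = sorted(events, key=_t)
    findings = []
    # 1. Re-infection: the same host is cleaned again within reinfect_window.
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(_t(e))
    for host, times in by_host.items():
        if any(b - a <= reinfect_window for a, b in zip(times, times[1:])):
            findings.append(("reinfected", host))
    # 2. Outbreak: at least burst_hosts distinct hosts infected inside burst_window.
    for i, e in enumerate(events):
        hosts = {x["host"] for x in events[i:] if _t(x) - _t(e) <= burst_window}
        if len(hosts) >= burst_hosts:
            findings.append(("outbreak", ",".join(sorted(hosts))))
            break
    # 3. Critical asset: CEO/CFO/CISO machines, webshop, Internet bank, etc.
    for e in events:
        if e["host"] in critical:
            findings.append(("critical_asset:" + critical[e["host"]], e["host"]))
    # 4. Corroboration: another source alerted on the same host within corr_window.
    for e in events:
        for a in other_alerts:
            if a["host"] == e["host"] and abs(_t(a) - _t(e)) <= corr_window:
                findings.append(("corroborated_by_" + a["source"], e["host"]))
    return findings
```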
18. Advanced Threat Detection & Response
Data layers: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Attacker steps across the layers: Gain access to system → Create additional environment → Conduct business → Transaction
Evidence at each layer:
• WEB / MAIL: events that contain a link to a file (web portal, .pdf)
• Host: .pdf, Svchost.exe, Calc.exe; how was the process started? What created the program/process?
• Network: proxy log shows C2 communication to a blacklisted destination; which process is making the C2 traffic?
19. Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
Kill-chain stages: Delivery (MAIL: phishing; WEB: download from infected site) → Exploitation & Installation (WEB) → Command & Control (FW) → Accomplish Mission
Data layers and their sources:
• Threat intelligence: Third-Party Threat Intel, Open source blacklist, Internal threat intelligence
• Network Activity/Security: Firewall, IDS / IPS, Vulnerability scanners, Web Proxy, NetFlow, Network
• Host Activity/Security: Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching
• Auth - User Roles, Corp Context: Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO
• Identity context: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
23. Mapping RATs to Actionable Kill-Chain
[Figure: chart with axes labelled Anomalies and Threat]
24. Cyber Attack
User activities and the risk/threat detection areas that surface them:
• Nov 15: Peter and Sam access a malicious website. A backdoor gets installed on their computers. → Malicious Domain (AGD); Unusual Browser Header
• Nov 16: The attacker uses Peter and Sam’s backdoors to download and execute WCE to crack their password. → Unusual Browser Header for Peter and Sam
• Nov 16: Peter and Sam’s machines are communicating with www.byeigs.ddns.info. → Beacons for Peter and Sam to www.byeigs.ddns.com
• Dec 10: The attacker logs on to the Domain Controller via VPN with Peter’s stolen credentials from 1.0.63.14. → Unusual Machine Access for Peter (lateral movement; individual + peer group)
• Dec 10: The attacker logs in as Sam and accesses all Excel and negotiation docs on the BizDev shares. → Unusual Machine Access for Sam; Unusual File Access for Sam (individual + peer group)
• Dec 10: The attacker steals the admin Kerberos ticket from the admin account and escalates the privileges for Sam. → Unusual Activity Sequence of Admin for Sam (AD/DC Privilege Escalation)
• Jan 14: The attacker VPNs as Peter, copies the docs to an external staging IP and then logs out after 3 hours. → Excessive Data Transmission for Peter; Unusual VPN session duration
25. Splunk User Behavior Analytics (formerly Caspida)
Advanced Security Analytics: AD, SSO · App, DB logs · Firewall, IPS, DLP · Netflow, PCAP · Threat Feeds → Splunk UBA (Data Science & Decision Engine; Automated Threat Detection) → UBA threat results fed into Splunk ES (Security Analytics & Event Repository)
30. New Features in Enterprise Security 4.0
Investigation: optimize multi-step analyses to improve breach detection and response
• Investigator Journal
• Attack & Investigation Timeline
Collaboration: Extensible Analytics & Collaboration
• Open Solutions Framework
• Framework App: PCI
31. Attack & Investigation Timeline
Same events can have different security meanings, based on sequence:
Timeline: Event 1 … 13:01:21 · Event 2 … 13:42:17 · Action 3 · Note “Windows event”
Analyst / Investigator: “What happened? If event 1, then event 2, then… Ah-ha, that’s how they got in. Now what infected the host?”
Brute Force = Exfiltration
Login Failure
Proxy Event
Brute Force = Recon, Lateral Movement
Login Failure
Login Failure
Brute Force = Forgotten Password
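Added example, not code from the deck or from Splunk ES: it time-orders each user’s events and matches them against ordered patterns, so the same set of events gets a different label depending on sequence and spacing. The pattern table and the sample events are this example’s own assumptions; only the three labels come from the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the slide). They arrive out of time order
# on purpose: the classifier must sort by timestamp before looking at sequence.
EVENTS = [
    {"ts": "2015-12-10T13:42:17", "user": "sam",   "type": "proxy_event"},
    {"ts": "2015-12-10T13:01:21", "user": "sam",   "type": "login_failure"},
    {"ts": "2015-12-10T13:20:00", "user": "sam",   "type": "brute_force"},
    {"ts": "2015-12-10T09:00:00", "user": "peter", "type": "login_failure"},
    {"ts": "2015-12-10T09:01:00", "user": "peter", "type": "brute_force"},
    {"ts": "2015-12-10T11:00:00", "user": "admin", "type": "brute_force"},
    {"ts": "2015-12-10T11:05:00", "user": "admin", "type": "login_failure"},
    {"ts": "2015-12-10T11:06:00", "user": "admin", "type": "login_failure"},
]
# Assumed pattern table (this example's own, not the slide's): an ordered tuple
# of event types maps to one of the three security meanings named on the slide.
PATTERNS = {
    ("login_failure", "brute_force", "proxy_event"): "Exfiltration",
    ("brute_force", "login_failure", "login_failure"): "Recon, Lateral Movement",
    ("login_failure", "brute_force"): "Forgotten Password",
}

def classify_sequences(events, patterns=PATTERNS, window=timedelta(hours=1)):
    """Return {user: meaning} by matching each user's time-ordered event types.

    The longest matching pattern wins, so an exfiltration chain is not labelled
    "Forgotten Password" just because it starts the same way; every matched
    event must fall inside `window`, otherwise it is not treated as one chain.
    """
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        per_user[e["user"]].append(e)
    result = {}
    for user, evs in per_user.items():
        types = tuple(e["type"] for e in evs)
        best = None
        for i in range(len(types)):
            for pat, label in sorted(patterns.items(), key=lambda p: -len(p[0])):
                if types[i:i + len(pat)] != pat:
                    continue
                t0 = datetime.fromisoformat(evs[i]["ts"])
                t1 = datetime.fromisoformat(evs[i + len(pat) - 1]["ts"])
                if t1 - t0 <= window and (best is None or len(pat) > len(best[0])):
                    best = (pat, label)
        result[user] = best[1] if best else "Unclassified"
    return result
```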
32. Attack & Investigation Timeline
Methods to add contents into the timeline:
• Action History (Actions): Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo (Notes): investigator’s notes inserted in the timeline
• Incident Review (Incident): notable events from Incident Review
33. Attack & Investigation Timeline
Allows collaboration between multiple analysts:
• UI Action History: Search
• UI Action History: Viewed Dashboard
• Edit Entry: Analyst’s Memo
• Collaborator entry
Tier 1 and Tier 2 analysts collaborate on one holistic view from collective knowledge.
34. Investigator Journal - Flow
Problem
• Analyst searches / views / actions are difficult to track and require multiple tools
Solution
• Track searches and activities to help analysts understand actions taken and information seen
• Review activities at any point in the investigation
Action History: the history includes all the investigative actions that analysts have taken in the Splunk ES interface (ad-hoc analysis, hunting, triage / investigation, user analysis actions, analysis sequence history)
35. Investigator Journal – Details
• Streamlines multi-step analyses and investigations
  – Track searches and activities
  – Review activities at any point
  – Select and place into timeline for temporal analysis
  – Help remember searches, steps taken, provide annotation support
37. Extensible Analytics & Collaboration
Open Solutions Framework
• Create, access and extend ES functionality
  – Notable event framework
  – Risk framework
  – Threat intelligence framework
  – Identity & asset framework
• Apps and content can be imported and exported at any time
38. UBA vs ES 4.0
Enterprise Security
• Keep all data
• Will require tuning
• Easy to create new searches, dashboards, correlations etc.
• Will require analytic resources to map events to threats
• Possible to further investigate
UBA
• Only keep data around anomaly
• Automatically baseline
• Not possible to customize in the same way as Enterprise Security
• Will map anomalies to threats
• Limited possibility to do further investigation
39. Key takeaways
• Prevention of breaches will fail!
• Invest more in detection
• Splunk can help
  – Faster
  – Easier
  – More
  – Less labor