Security Ninjutsu - SplunkConf
Transcript of the slide deck
Copyright © 2014 Splunk Inc.
David Veuve SE, Splunk
Security Ninjutsu: Using Splunk for Correlation, Anomaly Detection and Response Automation
Who Am I?
• David Veuve – Sales Engineer for Major Accounts in Northern California
• [email protected]
• Former Splunk Customer (for 3 years, 3.x through 4.3)
• Security Guy
• Primary author of the Splunk Search Usage app
• Primary area of Splunk expertise: Search Language
• Stands on the shoulders of giants
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Visibility – Analysis – Action in Four Scenarios
1. Threat List Integration leads to Firewall Blocks
2. Anomaly Detection leads to Opening a Ticket
3. Behavioral Profiling leads to Manager Confirmation
4. Visual Correlation of Security Indicators
Being Covered
1. Tools and Searches and Demos
2. All of these examples and concepts come from actual customer requirements and actual customer deployments. No smoke and mirrors.
3. GitHub with data gens and accoutrements at the end of the presentation
Who Are You?
1. Security Engineer / SOC Analyst / Threat Analyst / someone technical who cares about security
2. Splunk skill level is basic to advanced
3. No Enterprise Security required (though it can make things easier at scale)
Visibility – Analysis – Action
• A framework for evaluating data and responding in Splunk.
• Applies to all existing frameworks, as it's the Splunk side of the loop.
• For example, let's look at the lateral movement section of the kill chain. (Not familiar with the kill chain? It's a great way to understand the phases of an attack. Check the URL below.)
• Visibility: What data will let you detect lateral movement?
• Analysis: What will you do to that data to come to a decision?
• Action: What will you do in response to that decision?
– Can we automate all of this?
• Kill Chain: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Scenario One
C&C Detection and Blocking
Command and Control Detection and Blocking
• New threat list intel (or any other source for detecting attackers) has become available, and we are trying to block any outbound command and control.
• The formal firewall policy can't be pushed except every Wednesday night and Sunday night – not fast enough.
• Goal: Take in the firewall logs, leverage our available intelligence to detect C&C behavior, and then block the destinations, all in near real time.
• Visibility: Firewall Logs, Threat Intel Sources
• Analysis: Intersection (lookup) of the two
• Action: Apply dynamic firewall blocks
What / Where is Threat Intelligence
• A feed of known-bad IPs / DNS names / MD5s / URLs / etc. from a vendor or non-profit that specializes in discovering Indicators of Compromise.
• Great sources of open source threat intel include:
– Emerging Threats: http://rules.emergingthreats.net/
– I-Blocklist: https://www.iblocklist.com/lists.php
– MalwareDomains: http://www.malwaredomains.com/
– Zeus Tracker: https://zeustracker.abuse.ch/
• Many great commercial entities too (generally better ranking / quality):
– Norse (Splunk Partner), iSight Partners, Verizon iDefense, commercial versions of most of the above, and many many more
Visibility – Palo Alto Networks Firewall Log
Sep 15 19:02:06 1,2014/09/15 19:02:06,0004C104559,TRAFFIC,end,1,2014/09/15 19:02:05,10.2.2.14,206.16.215.101,206.16.216.158,214.34.245.101,Internet Traffic,,,salesforce-base,vsys1,Trust,Untrust,ethernet1/8,ethernet1/2,MyLogForwarding,2014/09/15 19:02:05,24238,1,61845,443,57339,443,0x400000,tcp,allow,1275,761,514,14,2014/09/15 19:01:31,5,any,0,358477769,0x0,10.0.0.0-10.255.255.255,United States,0,8,6
Fields called out on the slide: connection end date (2014/09/15 19:02:05), source and destination IPs (10.2.2.14, 206.16.215.101), firewall rule (Internet Traffic), application (salesforce-base), from/to zone (Trust, Untrust), destination port (443).
Threat Intel Lookup (bad_ip,threat_intel_source):
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http
Analysis
• First, we want to pull out all firewall traffic coming from inside our network, going outside our network.
• Then, we want to cross-reference that data with our Threat Intel list. This is accomplished in the Splunk world via a lookup.
• Finally, we want to pull just the logs that have a Threat Intel match.

index=pan_logs sourcetype=pan_traffic src="10.*" dest!="10.*" | lookup ThreatIntel dest | search ThreatList=*

Callouts on the slide: "ThreatIntel dest" is the name of our lookup and the key field; "ThreatList" is the data held in the lookup table. Two things to check before relying on this: the lookup shown on the previous slide keys on bad_ip and outputs threat_intel_source, so the field names have to be mapped (| lookup ThreatIntel bad_ip AS dest OUTPUT threat_intel_source | search threat_intel_source=*), and a plain CSV lookup matches on exact string equality, so the 61.155.30.0/24 row only matches if the lookup definition sets match_type = CIDR(bad_ip) in transforms.conf.
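The same intersection, worked outside Splunk as an added example (not code from the slides or from Splunk): it parses the Palo Alto traffic line shown on the Visibility slide, keeps only inside-to-outside sessions, matches the destination against the threat list with proper CIDR handling, and merges a premium feed with an open-source feed so the premium source name wins on overlap. The CSV field positions are counted on the slide's own log line; the "premium_c2" feed and every log line other than the slide's are constructed for this example.

```python
"""Threat-intel intersection over Palo Alto Networks traffic logs.

Added example; not code from the slides or from Splunk. It does outside
Splunk what `... | lookup ThreatIntel dest | search ThreatList=*` does
inside it, plus the two details the slide glosses over: CIDR entries in
the list (the 61.155.30.0/24 row) and merging a premium feed with an
open-source feed so the premium name wins on overlap. Field positions
follow the PAN-OS traffic CSV layout of the sample log on the Visibility
slide, with the raw line split on commas and the syslog header in field 0.
The "premium_c2" feed and every line other than the slide's own are
constructed test data.
"""
import csv
import io
import ipaddress

# 0-based CSV positions, counted on the slide's sample line.
SRC, DST, RULE, APP, FROM_ZONE, TO_ZONE, DPORT, ACTION = 7, 8, 11, 14, 16, 17, 25, 30

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the slide's src="10.*" dest!="10.*"

# The slide's own log line, with the transcript's stray spaces removed.
SLIDE_LINE = (
    "Sep 15 19:02:06 1,2014/09/15 19:02:06,0004C104559,TRAFFIC,end,1,"
    "2014/09/15 19:02:05,10.2.2.14,206.16.215.101,206.16.216.158,214.34.245.101,"
    "Internet Traffic,,,salesforce-base,vsys1,Trust,Untrust,ethernet1/8,ethernet1/2,"
    "MyLogForwarding,2014/09/15 19:02:05,24238,1,61845,443,57339,443,0x400000,tcp,"
    "allow,1275,761,514,14,2014/09/15 19:01:31,5,any,0,358477769,0x0,"
    "10.0.0.0-10.255.255.255,United States,0,8,6"
)


def constructed_line(src, dest, app, dport):
    """Constructed variant of the slide line with the interesting fields swapped."""
    f = SLIDE_LINE.split(",")
    f[SRC], f[DST], f[APP], f[DPORT] = src, dest, app, str(dport)
    return ",".join(f)


SAMPLE_LINES = [
    SLIDE_LINE,                                                          # benign SaaS traffic
    constructed_line("10.2.2.14", "61.155.30.77", "unknown-tcp", 8080),  # inside the /24
    constructed_line("10.5.1.9", "115.29.46.99", "ssl", 443),            # listed in both feeds
    constructed_line("206.16.215.101", "10.2.2.14", "ssl", 443),         # inbound: ignored
    constructed_line("10.2.2.14", "10.3.0.5", "ms-ds-smb", 445),         # internal: ignored
    constructed_line("10.7.7.7", "61.155.31.4", "web-browsing", 80),     # just outside the /24
]

# bad_ip,threat_intel_source feeds; zeus_c2s and cymru_http are the slide's
# rows, the premium feed is made up for this example.
PREMIUM_FEED = "bad_ip,threat_intel_source\n115.29.46.99/32,premium_c2\n"
OPEN_SOURCE_FEED = ("bad_ip,threat_intel_source\n"
                    "115.29.46.99/32,zeus_c2s\n"
                    "61.155.30.0/24,cymru_http\n")


def parse_pan_traffic(line):
    """Pull the fields the search needs out of one raw traffic log line."""
    f = next(csv.reader([line]))
    return {"src": f[SRC], "dest": f[DST], "rule": f[RULE], "app": f[APP],
            "src_zone": f[FROM_ZONE], "dest_zone": f[TO_ZONE],
            "dest_port": int(f[DPORT]), "action": f[ACTION]}


def load_threat_lists(*feeds):
    """Merge feeds, highest priority first: a network already seen in an
    earlier feed is skipped, so the premium source name wins (the slide's
    inputlookup | append | outputlookup step). Longest prefix is tried first
    at lookup time so a /32 beats an enclosing /24."""
    seen, merged = set(), []
    for feed in feeds:
        for row in csv.DictReader(io.StringIO(feed)):
            net = ipaddress.ip_network(row["bad_ip"].strip(), strict=False)
            if net not in seen:
                seen.add(net)
                merged.append((net, row["threat_intel_source"].strip()))
    merged.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return merged


THREAT_LIST = load_threat_lists(PREMIUM_FEED, OPEN_SOURCE_FEED)


def threat_lookup(ip, threat_list=THREAT_LIST):
    """CIDR-aware equivalent of `lookup ThreatIntel dest`; None if clean."""
    addr = ipaddress.ip_address(ip)
    return next((src for net, src in threat_list if addr in net), None)


def find_c2_sessions(lines, threat_list=THREAT_LIST):
    """Inside -> outside sessions whose destination is on a threat list."""
    hits = []
    for line in lines:
        ev = parse_pan_traffic(line)
        if ipaddress.ip_address(ev["src"]) not in INTERNAL:
            continue                                   # not from inside
        if ipaddress.ip_address(ev["dest"]) in INTERNAL:
            continue                                   # not going outside
        source = threat_lookup(ev["dest"], threat_list)
        if source:
            hits.append(dict(ev, threat_intel_source=source))
    return hits


def block_list(hits):
    """Destinations to hand to the blocking action (PANBlock or your own)."""
    return sorted({h["dest"] for h in hits})


if __name__ == "__main__":
    for h in find_c2_sessions(SAMPLE_LINES):
        print(f'{h["src"]} -> {h["dest"]}:{h["dest_port"]} ({h["app"]}) matched {h["threat_intel_source"]}')
    print("block:", block_list(find_c2_sessions(SAMPLE_LINES)))
```

The feed order in load_threat_lists is the prioritisation the Challenges slide asks for: the premium row for 115.29.46.99 is kept and the open-source duplicate dropped, which is what | dedup bad_ip does in Splunk when the premium rows come first in the appended list.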
Analysis – Challenges
• Performance – you get lots of traffic, and maybe you have lots of threat intel entries.
– Solution: Enterprise Security is built to solve this problem at scale.
– Alternate Solution: data models help substantially with the first half. You can fragment the lookups if you get to very high numbers.
• Multiple Threat Lists – deprioritize open source threat lists vs. premium threat lists.
– Solution: Enterprise Security has this fixed as well, with deduping and prioritizing.
– Alternate Solution: | inputlookup Premium | append [| inputlookup OpenSource] | munge | outputlookup MyList ("munge" stands for the dedup/prioritize step; | dedup bad_ip keeps the first row seen, which is the premium one when the premium list comes first)
Analysis – Value Adds
• The strength of automation in Splunk is high-fidelity alerts.
• This was a simple example, but you could also make it more impressive by tracking whether the IP is in the US:
• Alternatively, you could look to see whether that particular host had a recent malware event:
| join host [| tstats count from datamodel=Malware by Malware_Attacks.dest | stats count by Malware_Attacks.dest | rename Malware_Attacks.dest as host]
Action
• PANBlock! (Or other network response, see below)
• Challenges:
– Many organizations fear automatic response due to the potential for downtime.
· Solution: Start with high-confidence alerts and a limited list of assets, and verify success.
· Alternate Solution: Don't go automatic. This works through the UI too.
– You don't run Palo Alto Networks.
· Solution: While PAN/Splunk have made this work out of the box, this has been implemented many times with a number of products, including but not limited to: Cisco border router (Expect script to block); Check Point R80 REST interface (Talk to me if you want to do this, I want in).
Action – Example Customer Workflow
Demo – Palo Alto Logs
Demo – Threat Lookup
Demo – Threat Lookup – Table View
Demo – Add panblock
Where to Learn More About PAN Blocking
• Have a Palo Alto device and like this particular feature? Visit:
– Docs: https://live.paloaltonetworks.com/docs/DOC-6593
– App Page: http://apps.splunk.com/app/491/
• Or better yet, go see those talks:
– Automatic Malware Detection, Analysis and Mitigation in Splunk. Jose Hernandez, Solutions Security Architect, Splunk. You just missed it! Get the PDF and watch the video later.
– Mitigating Cybersecurity Risk with Palo Alto Networks and Splunk. Marc Benoit, Sr. Director, Palo Alto Networks. Breakout Session: 10/09/2014, 2:15-3:15
Scenario Two
Anomaly Detection Essentials
Anomaly Detection Essentials
• File auditing is a common practice, and it can be accomplished quickly and easily in Splunk.
• It becomes harder at scale, but data model acceleration helps.
• Ultimately, by conquering anomaly detection, you can more effectively find the difficult-to-detect in your systems.
• Visibility: Carbon Black Logs
• Analysis: System distribution, accelerated via data models
• Action: Security incident creation
What is Standard Deviation?
• A measure of how widely a series of numbers is spread around its average (the square root of the variance). The figures below are sample standard deviations, which is what Splunk's stdev() returns.
• One file is opened on 100, 123, 79, and 145 hosts per day – an average of 111.75 and a standard deviation of 28.53.
• Another file is opened on 100, 342, 3 and 2 hosts per day – also an average of 111.75, but a stdev of 160.23.
Visibility – Log Examples
{"action": "write", "timestamp": 1410911994, "path": "c:\\Program Files\\Splunk\\bin\\splunk-perfmon.exe", "type": "filemod", "process_guid": 36661217281}
How To Accelerate
• Acceleration facilitates better and broader analysis.
• Splunk has a few ways of accelerating content:
– Report Acceleration
– Data Model Acceleration
– TSCollect
– Summary Indexing
– Pre-processing of logs
• Check out Gerald Kanapathy's session on Friday. Title: Splunk Search Acceleration Technologies. Speaker: Gerald Kanapathy, Sr. Director Product Management, Splunk. When: 10/09/2014, 10:30 AM – 11:30 AM
Analysis – Create Data Model
Create a data model and accelerate it.
Analysis – Create Pivot Search
• Create a baseline pivot search and Open in Search.
• In this case, split dc(host) by path.
• Add a filter for critical paths.
Analysis – Create Additional Statistics
Add an additional stats command on top of the accelerated pivot search.
Analysis – Only Show Suspect Entries
Action – Create a New Incident
• Will work with essentially any ticketing system, maybe via a scripted alert.
– Every ticketing system accepts emails too!
• Known to work with:
– Remedy: http://wiki.splunk.com/Community:Use_Splunk_alerts_with_scripts_to_create_a_ticket_in_your_ticketing_system
– ServiceNow: http://answers.splunk.com/answers/47086/service-now-ticket-generation-via-splunk-alerts.html
– PagerDuty: http://www.pagerduty.com/docs/guides/splunk-integration-guide/
– ArcSight: https://apps.splunk.com/app/1847/
– Q1
– NetCool
– Anything accepting email
– Anything scriptable: http://docs.splunk.com/Documentation/Splunk/6.1.3/alert/ConfiguringScriptedAlerts
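What the "anything scriptable" route looks like, as an added example (not code from the slides, from Splunk or from any ticketing vendor): a scripted alert that reads the triggering search's results from the gzipped CSV Splunk passes as argument 8, turns each suspect path into a ticket with a stable dedup key so re-fires update rather than duplicate, and renders it as the email that any ticketing intake accepts. The result column names, the intake mailbox and the sample rows are assumptions made for the example.

```python
"""Scripted alert action that files one ticket per suspect result row.

Added example; not code from the slides, from Splunk or from any ticketing
vendor. Splunk 6.x passes a scripted alert its arguments positionally and
argument 8 is the path to a gzipped CSV of the triggering search's results;
that and argument 4 (the report name) are the only ones used here. Each row
becomes a ticket with a stable dedup key, so the same path re-alerting
tomorrow updates the open ticket instead of opening a duplicate, and the
ticket is rendered as an email because, as the slide says, every ticketing
system accepts email. The result column names (path, dc_host, avg_dc_host,
stdev_dc_host), the intake mailbox and the sample rows are assumptions.
"""
import csv
import gzip
import hashlib
import io
import sys
from email.message import EmailMessage

TICKET_MAILBOX = "soc-tickets@example.internal"   # hypothetical intake address

# Constructed results as the "only show suspect entries" search would emit
# them: distinct hosts that modified the path today vs. the daily baseline.
SAMPLE_RESULTS = """path,dc_host,avg_dc_host,stdev_dc_host
C:\\Windows\\System32\\svchost.exe,48,3.25,1.26
C:\\Windows\\System32\\drivers\\etc\\hosts,9,4.0,1.5
"""


def parse_results(csv_text):
    """Rows of the alert results CSV (what Splunk writes to the $8 file)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def z_score(row):
    """How far today's distinct-host count sits from the path's baseline.
    A zero stdev (a path that never changed before) is treated as maximal."""
    sd = float(row["stdev_dc_host"])
    if sd == 0:
        return float("inf")
    return (float(row["dc_host"]) - float(row["avg_dc_host"])) / sd


def priority(z):
    """Ticket priority from the z-score; thresholds are a local choice."""
    return "P1" if z >= 10 else "P2" if z >= 6 else "P3"


def build_ticket(row, alert_name):
    """One ticket per (alert, path). The dedup key deliberately excludes the
    counts so a re-fire for the same path maps onto the existing ticket."""
    key = hashlib.sha256(f"{alert_name}|{row['path']}".encode()).hexdigest()[:12]
    z = z_score(row)
    return {
        "dedup_key": key,
        "priority": priority(z),
        "summary": f"{alert_name}: {row['path']} modified on {row['dc_host']} hosts",
        "description": (f"Path {row['path']} was modified on {row['dc_host']} hosts "
                        f"today against a baseline of {row['avg_dc_host']} "
                        f"(stdev {row['stdev_dc_host']}, z={z:.1f}). "
                        "Pivot on the Carbon Black filemod events for the path."),
    }


def ticket_email(ticket, to_addr=TICKET_MAILBOX):
    """Render the ticket as the email the ticketing system's intake expects."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "splunk-alerts@example.internal"     # hypothetical sender
    msg["Subject"] = f"[{ticket['dedup_key']}] {ticket['priority']} {ticket['summary']}"
    msg["X-Ticket-Dedup-Key"] = ticket["dedup_key"]
    msg.set_content(ticket["description"])
    return msg


def main(argv):
    """Entry point as Splunk invokes it: $4 is the report name, $8 the results file."""
    with gzip.open(argv[8], "rt", newline="") as fh:
        rows = parse_results(fh.read())
    for row in rows:
        msg = ticket_email(build_ticket(row, alert_name=argv[4]))
        # Replace the print with smtplib.SMTP(...).send_message(msg) to file it.
        print(msg.as_string())


if __name__ == "__main__":
    main(sys.argv)
```

Put the dedup key where your ticketing system looks for it (a header, the subject, or a field in its API) so that the alert can safely fire every day without flooding the queue.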
Demo – Modifications of Exec Files in System32
Scenario Three
Behavioral Anomaly Detection
Behavioral Anomaly Detection
• Detecting known bad is great, but leaves you vulnerable.
• Augment with synthetic checks of sensitive systems.
• Statistics can consume all your time.
– Generally easiest to leverage soft approval (e.g., emails to managers) with standard deviation.
– Additionally, use hard enforcement for large deviations (e.g., firewall isolation).
• In this scenario, we are a hospital tracking patient chart opens.
• Visibility: Charting System Logs
• Analysis: Frequency analysis by user, role, etc.
• Action: Email the employee's manager to investigate
What is Standard Deviation?
• A measure of how widely a series of numbers is spread around its average. In this case, let's say chart opens.
• Over a few days, Jane opens 100, 123, 79, and 145 charts per day, with an average of 111.75 and a standard deviation of 28.53.
• Over the same period, Jack opens 100, 342, 3 and 2 charts per day, also with an average of 111.75, but a stdev of 160.23.
• When Jack and Jane both open 500 records some day, that will be 13.6 standard deviations (z=13.6) for Jane but only 2.42 for Jack.
• Z score = number of standard deviations away from the average.
Visibility – Log Examples
<audit_list><audit_version>1</audit_version><event_dt_tm>2014-09-06 23:59:59.52</event_dt_tm><outcome_ind>0</outcome_ind><user_name>AHARVEY</user_name><prsnl_id>117499</prsnl_id><prsnl_name>Angel Harvey</prsnl_name><role>DBA</role><role_cd>24209801</role_cd><enterprise_site>HNAM</enterprise_site><audit_source>Test/Domain</audit_source><audit_source_type>600005</audit_source_type><network_acc_type>1</network_acc_type><network_acc_id>MTYVQ-ACTX03</network_acc_id><application>HNA: Powerchart</application><task>RUN PowerView Preferences</task><request>cps_ens_ppa</request><appl_ctx>346793285</appl_ctx><perform_cnt>69</perform_cnt><event_list><event_name>Maintain Person</event_name><event_type>Chart Access Log</event_type>[…….]</audit_list>
Analysis
• Core Metric: Chart opens per day, per employee
• Dimensions to compare:
– Over time for the same user; others with the same title
– Others with the same title in the same city, or with the same years of experience
• Why multiple dimensions?
1. Comparing multiple metrics reduces false positives.
2. Provides more context.
3. If I open 25 times as many charts, but so does every other nurse in my facility because we're under inspection, that should be evident.
• What about performance?
– Good point! Data models turn this into a 30-second search per 5M events on my laptop. Tscollect is manual but turns it into a quarter-second search.
Analysis – Basic
index=cerner | eval EmployeeID=spath(_raw, "audit_list.prsnl_id") | eval EmployeeName = […] | eval RecordNum= […]
| bucket _time span=1d | stats dc(RecordNum) as NumRecords by EmployeeName, EmployeeID, _time
| stats first(NumRecords) avg(NumRecords) stdev(NumRecords) by EmployeeName, EmployeeID
| where 'first(NumRecords)' > 'avg(NumRecords)' + 'stdev(NumRecords)' * 6
• Basic data set
• Field munging
• Pull the number of distinct records per employee, per day
• Pull the average, standard deviation, and most recent daily number per employee (first() takes whichever row the preceding stats emits first for that employee, so check that it really is the latest day; latest(NumRecords) selects by _time explicitly)
• Find instances where the most recent number is more than 6 standard deviations above the average
Demo
40 minutes later…
How To Accelerate
(Same slide as before: report acceleration, data model acceleration, tscollect, summary indexing, pre-processing of logs; see Gerald Kanapathy's session above.)
Analysis – Acceleration
index=cerner | eval Role=spath(_raw, "audit_list.role") | eval RoleID = […] | eval EmployeeID= […] | eval EmployeeName = […] | eval PatientNum= […]
| bucket _time span=1d | stats dc(PatientNum) as NumCharts by EmployeeName, EmployeeID, Role, RoleID, _time
| lookup HR_IS.csv EmployeeID
| tscollect retain_events=t Cerner
• Basic data set
• Field munging
• Stats split by as many dimensions as required, but not more.
• Lookup occurs after stats: one lookup per employee-day instead of one per event, and the HR fields the next slide groups by (Username, City, YearsAtCompany) land in the tsidx alongside the counts.
• Store the results in a local tsidx (could also do this with data models).
Analysis – Find Statistical Outliers Pt 1
| tstats local=t first(NumCharts) as Recent_NumCharts avg(NumCharts) as Avg_NumCharts stdev(NumCharts) as Stdev_NumCharts from Cerner groupby EmployeeName, EmployeeID, Username, Role, RoleID, City, YearsAtCompany
| join type=outer RoleID [| tstats local=t avg(NumCharts) as Role_Avg_NumCharts stdev(NumCharts) as Role_Stdev_NumCharts from Cerner groupby Role, RoleID]
• How many charts is typical (and what is the standard deviation) for this person? Also, how many did they open yesterday?
• How many chart opens is standard for people in this role?
Analysis – Find Statistical Outliers Pt 2
[… continued from previous slide …]
| eval Personal_Z = abs(Recent_NumCharts-Avg_NumCharts)/Stdev_NumCharts
| eval Role_Z = abs(Recent_NumCharts-Role_Avg_NumCharts)/Role_Stdev_NumCharts
| eval Z_Min = min(Role_Z, Personal_Z)
| where Z_Min > 6
• How unusual is this activity, for this person or versus others in this role?
– Z score = how many stdev away from the average.
– Consider other metrics, such as years at the company, facility.
– Goal is to capture normal across dimensions, to identify trends across the organization (e.g., a facility audit).
– Caveat: a baseline with zero standard deviation (an employee whose daily count never varied) makes the division return null, and where Z_Min > 6 then silently drops that row; floor the stdev or handle those employees separately if they matter.
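The Pt 1 / Pt 2 pipeline carried through end to end, as an added example (not code from the slides or from Splunk): daily distinct-patient counts per employee, a personal baseline and a pooled role baseline with sample standard deviations, a z-score against each, and Z_Min as the alert score. Jane's and Jack's numbers are the slide's; the other employees and the stdev floor are constructed for the example, and the same functions serve scenario two if fed distinct-host counts per path instead of chart opens per employee.

```python
"""Personal-vs-role z-score outliers, as in the Pt 1 / Pt 2 searches above.

Added example; not code from the slides or from Splunk. It reproduces the
pipeline outside Splunk: bucket events into days and count distinct patients
per employee (stats dc(PatientNum) by EmployeeName, Role, _time), build a
personal baseline (avg and sample stdev, which is what Splunk's stdev()
returns) and a role baseline pooled over every employee-day in the role,
score the most recent day against both, and keep min(Role_Z, Personal_Z).
The same functions serve scenario two: feed daily distinct-host counts per
path instead of chart opens per employee. Jane's and Jack's numbers are the
slide's; every other employee, and the stdev floor, are constructed for the
example. The slide's SPL divides by the stdev as-is, which returns null for
a flat baseline; here a floor of one chart keeps those employees scoreable.
"""
from collections import defaultdict
from statistics import mean, stdev

THRESHOLD = 6.0      # the slide's where Z_Min > 6
MIN_STDEV = 1.0      # constructed floor so a never-varying history still scores

# Constructed four-day history of chart opens per (employee, role)
HISTORY = {
    ("Jane", "Nurse"): [100, 123, 79, 145],     # slide numbers: avg 111.75, stdev 28.53
    ("Jack", "Physician"): [100, 342, 3, 2],    # slide numbers: avg 111.75, stdev 160.23
    ("Mary", "Nurse"): [90, 110, 95, 105],
    ("Noor", "Nurse"): [120, 115, 125, 130],
    ("Omar", "Nurse"): [5, 8, 6],               # new hire, three days of onboarding
    ("Priya", "Physician"): [150, 160, 140, 155],
    ("Carl", "Clerk"): [20, 20, 20, 20],        # flat history: stdev 0
}
# Constructed counts for the day under review
TODAY = {("Jane", "Nurse"): 500, ("Jack", "Physician"): 500, ("Mary", "Nurse"): 100,
         ("Noor", "Nurse"): 125, ("Omar", "Nurse"): 120, ("Priya", "Physician"): 150,
         ("Carl", "Clerk"): 40}


def daily_distinct_counts(events, span=86400):
    """bucket _time span=1d | stats dc(PatientNum) by EmployeeName, Role, _time.
    events are (employee, role, epoch_seconds, patient_id) tuples."""
    patients = defaultdict(set)
    for employee, role, ts, patient in events:
        patients[(employee, role, ts - ts % span)].add(patient)
    return {key: len(p) for key, p in patients.items()}


def baseline(values):
    """avg() and sample stdev() of a history, with the stdev floor applied."""
    sd = stdev(values) if len(values) > 1 else 0.0
    return mean(values), max(sd, MIN_STDEV)


def z_score(recent, avg, sd):
    """abs(recent - avg) / sd, the slide's Personal_Z / Role_Z eval."""
    return abs(recent - avg) / sd


def find_outliers(history, today, threshold=THRESHOLD):
    """One row per employee with the Pt 1 / Pt 2 fields plus an alert flag."""
    role_values = defaultdict(list)
    for (_, role), counts in history.items():
        role_values[role].extend(counts)               # pool every employee-day
    role_base = {role: baseline(v) for role, v in role_values.items()}

    rows = []
    for (employee, role), counts in history.items():
        recent = today[(employee, role)]
        avg, sd = baseline(counts)
        role_avg, role_sd = role_base[role]
        personal_z = z_score(recent, avg, sd)
        role_z = z_score(recent, role_avg, role_sd)
        rows.append({
            "EmployeeName": employee, "Role": role,
            "Recent_NumCharts": recent, "Avg_NumCharts": avg, "Stdev_NumCharts": sd,
            "Role_Avg_NumCharts": role_avg, "Role_Stdev_NumCharts": role_sd,
            "Personal_Z": personal_z, "Role_Z": role_z,
            "Z_Min": min(personal_z, role_z),
            "alert": min(personal_z, role_z) > threshold,
        })
    return rows


if __name__ == "__main__":
    for r in find_outliers(HISTORY, TODAY):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f'{flag} {r["EmployeeName"]:6} {r["Role"]:10} recent={r["Recent_NumCharts"]:4} '
              f'personal_z={r["Personal_Z"]:6.2f} role_z={r["Role_Z"]:6.2f} z_min={r["Z_Min"]:6.2f}')
```

Omar is the case the role dimension exists for: against his three quiet onboarding days, 120 charts is dozens of personal standard deviations out, but it is ordinary for a nurse, so Z_Min stays below the threshold and his manager is not emailed. Jane is the opposite: 500 is extreme both for her and for the role, so she is flagged even though the pooled role baseline is wider than her own.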
Action
• Email the manager.
• This option is mostly just formatting. Join to the HR / LDAP database and utilize sendemail + map.
• Could also escalate big violations to the SOC or GRC.
| lookup LDAPSearch sAMAccountName as username OUTPUT manager
| lookup LDAPSearch dn as manager OUTPUT mail as ManagerEmail
| map maxsearches=100 search="| stats count | sendemail to=\"$ManagerEmail$\" sendresults=f subject=\"$EmployeeName$ excess Chart Opens\" message=\"$EmployeeName$ has opened more charts than normal ($Z_Min$ stdev). Please Follow Up.\""
(map substitutes each row's field values into the $…$ tokens before running the inner search; that is what lets sendemail, whose to= and subject= options take literal strings rather than field names, address a different manager per row. Z_Min is the score computed on the previous slides.)
Demo
Scenario Four
Visual Event Correlation
Visual Event Correlation
• After conquering the essentials of getting some alert data, it's important to be able to understand an attacker's action plans.
– Progress through the kill chain
– Movement toward critical assets
– Et cetera
• Easiest with Enterprise Security, but possible without.
Visibility – Log Examples
• Anything. This should encompass all of your log sources, correlation rules, alerts, etc.
• Ideally include operational data here too (e.g., a change in website response time).
Analysis
• Examples thus far have centered around automated analysis, but Splunk is also a great tool for data visualization and analysis.
• Capabilities here are virtually endless, but here are a few examples.
Action
• Need more information? Enterprise Security has many built-in workflow actions to go pull more data.
• Go pull more information from your Endpoint Threat Detection and Response app:
– Tanium: http://apps.splunk.com/app/1862/
– Tripwire / nCircle IP360: Ask your SE
– Bit9 / Carbon Black: https://www.bit9.com/solutions/splunk/
– Many others also exist
• File a ticket with your ticketing system
– Remedy: http://answers.splunk.com/answers/122019
• Open a new Notable Event in ES
Demo – Separate Product Lines (ES)
Demo – Kill Chain Swimlanes (ES)
Demo – Visualizing By Priority
• While not as slick as the ES version, you can get much of the same value by leveraging multiple reports on one dashboard, or with stacked column charts.
Security is a Team Sport
Splunk Security Intelligence Platform: 140+ security apps, plus the Splunk App for Enterprise Security. Apps pictured on the slide: Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat ProxySG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper, Sourcefire.
Talk to your neighbor. We're all in this together.
Go Play With Data
GitHub with DataGens and searches: www.davidveuve.com/go/conf-security
Shameless Plug
Splunk Search Usage
Splunk Search Usage and Adoption Tracking, with security reports.
http://www.davidveuve.com/go/ssu
THANK YOU