SplunkLive! London 2016 Operational Security Intelligence

Security Track: Operational Security Intelligence

Transcript of SplunkLive! London 2016 Operational Security Intelligence

SplunkLive Security Track Today
13:00-14:00: Operational Security Intelligence
14:00-15:00: Splunk for Enterprise Security featuring User Behavior Analytics
15:00-16:00: Cloud Breach – Detection and Response
16:00-17:00: Happy Hour
17:00–19:30: Splunk London User Group Meeting

Register and more Info/Agenda: https://usergroups.splunk.com

Operationalizing Security Intelligence

Matthias Maier, CISSP, CEH, Product Marketing Manager

Who I am
•  Now Product Marketing Manager EMEA
•  7 Years Consultant Security + Big Data
•  3+ Years at Splunk, McAfee (Intel Security), Tibco LogLogic
•  Worked with top organizations across industries advising customers
•  CISSP, Certified Ethical Hacker

Disclaimer

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda
•  The superhero and the fish market – a short story
•  What is Security Intelligence
•  For the bosses
•  Demos and Examples

[Image-only slides: the superhero and the fish market story (superhero pictures, a mobile demo photo, the Pike Place fish market)]

Lone hacker…

Organized Criminals

Crossing the Chasm

Security Intelligence

Information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information.

http://whatis.techtarget.com/definition/security-intelligence-SI

Intelligence

Actionable information that provides an organization with decision support and possibly a strategic advantage. SI is a comprehensive approach that integrates multiple processes and practices designed to protect the organization.

http://whatis.techtarget.com/definition/security-intelligence-SI

Operationalizing Security Intelligence

Connecting People and Data Through a Nerve Center

Operationalizing Security Intelligence
•  Risk-Based
•  Context and Intelligence
•  Connecting People and Data

Alerts

Alert 1: Host A – Accessing unusual network segments
Alert 2: Host B – Malware found but couldn't be removed

Worth an investigation? Which one to investigate first?

Requirements: Risk Based Analytics

Data Sources Required (Threat Intelligence, Network, Endpoint, Access/Identity; persist, repeat)

Threat Intelligence
Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
•  Third-party threat intel
•  Open-source blacklist
•  Internal threat intelligence

Network
Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
•  Firewall, IDS, IPS
•  DNS
•  Email
•  Web proxy
•  NetFlow
•  Network

Endpoint
What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
•  Endpoint (AV/IPS/FW)
•  Malware detection
•  PCLM
•  DHCP
•  OS logs
•  Patching

Access/Identity
Access level, privileged users, likelihood of infection, where they might be in the kill chain
•  Active Directory
•  LDAP
•  CMDB
•  Operating system
•  Database
•  VPN, AAA, SSO

Risk Based Analytics

Across Network, Endpoint, Access and Threat Intelligence data:
•  Rules/String/Regex matching
•  Statistical outliers and anomalies
•  Session and Behavior profiling
•  Scoring and aggregation


Example Situation

Day 1
•  Host A: IDS signature triggers
•  Source: Network IDS

Day 5
•  Host A: AV system triggers
•  Source: Anti-Virus

Day 10
•  Host A: Multiple failed logins from this host
•  Source: Active Directory

Day 20
•  Host A: Accessing unusual network segments
•  Source: Network Traffic Correlation

Context: Risk Scoring

Day 1: IDS signature triggers (Source: Network IDS). Risk Score Host A: 0 + 10 = 10
Day 5: AV system triggers (Source: Anti-Virus). Risk Score Host A: 10 + 30 = 40
Day 10: Multiple failed logins from this host (Source: Active Directory). Risk Score Host A: 40 + 30 = 70
Day 20: Accessing unusual network segments (Source: Network Traffic Correlation). Risk Score Host A: 70 + 5 = 75

Demo 1

Requirements: Context and Intelligence

Context and Intelligence
•  Integrate across technologies
•  Automated context matching
•  Automated context acquisition
•  Post processing and post analysis

Context sources: Threat Intelligence, Asset & CMDB, API/SDK Integrations, Data Stores, Applications

Alerts (with risk scores)

Alert 1: Host A – Accessing unusual network segments. Risk Score Host A: 75
Alert 2: Host B – Malware found but couldn't be removed. Risk Score Host B: 5

Worth an investigation? Which one to investigate first?

Alerts (with risk scores and context)

Alert 1: Host A – Accessing unusual network segments
•  Risk Score Host A: 75
•  System Owner: Juergen Klopp, Location: Liverpool
•  Confidentiality Level: High

Alert 2: Host B – Malware found but couldn't be removed
•  Risk Score Host B: 5
•  System Owner: Donald Duck, Department: Duckburg
•  Confidentiality Level: Low

Worth an investigation? Which one to investigate first?
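An added Python example, not from the deck, that carries the Day 1 to Day 20 risk scoring above through to the prioritization on this slide: rule scores are the deck's numbers, the detections and asset context are constructed from the slides, and the confidentiality weight is an assumption.

```python
# Risk per detection rule: the deck's numbers for Host A; Host B's 5 is its total on the deck.
RULE_SCORES = {
    "IDS signature triggers": 10,
    "AV system triggers": 30,
    "Multiple failed logins from this host": 30,
    "Accessing unusual network segments": 5,
    "Malware found but couldn't be removed": 5,
}
# Constructed detections as (day, risk object, rule), following the Day 1..20 story.
DETECTIONS = [
    (1, "Host A", "IDS signature triggers"),
    (5, "Host A", "AV system triggers"),
    (10, "Host A", "Multiple failed logins from this host"),
    (20, "Host A", "Accessing unusual network segments"),
    (20, "Host B", "Malware found but couldn't be removed"),
]
# Constructed asset/CMDB context from the deck's last "Alerts" slide.
ASSETS = {
    "Host A": {"owner": "Juergen Klopp", "confidentiality": "High"},
    "Host B": {"owner": "Donald Duck", "confidentiality": "Low"},
}
# Assumed weight so a high-confidentiality asset outranks a low one at equal risk.
CONFIDENTIALITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

def risk_timeline(detections, host):
    """Running risk total for one host in arrival order: [(day, rule, total), ...]."""
    total, timeline = 0, []
    for day, obj, rule in sorted(detections):
        if obj == host:
            total += RULE_SCORES.get(rule, 0)
            timeline.append((day, rule, total))
    return timeline

def risk_scores(detections):
    """Scoring and aggregation: sum of rule scores per risk object (host)."""
    scores = {}
    for _, obj, rule in detections:
        scores[obj] = scores.get(obj, 0) + RULE_SCORES.get(rule, 0)
    return scores

def prioritize(open_alerts, detections, assets):
    """Rank open alerts by aggregated host risk times the asset's confidentiality weight."""
    scores, rows = risk_scores(detections), []
    for obj, rule in open_alerts:
        ctx = assets.get(obj, {})
        risk = scores.get(obj, 0)
        weight = CONFIDENTIALITY_WEIGHT.get(ctx.get("confidentiality"), 1)
        rows.append({"host": obj, "alert": rule, "risk": risk, "priority": risk * weight,
                     "owner": ctx.get("owner", "unknown")})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)
```

Host A's four low-scoring events accumulate to 75 while Host B's single alert stays at 5, so the "unusual network segments" alert on the high-confidentiality asset lands on top of the queue.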

Splunk Sample (screenshot slide)

Requirements: Connecting Data and People

Connecting People and Data
•  Human mediated automation
•  Sharing and collaboration
•  Free form investigation – human intuition
•  Interact with views and workflows
•  Any data, all data

Automation, Collaboration, Investigation, Workflows, All data

Demo 2

Visual Investigations – Kill Chain

Operationalizing Security Intelligence
•  Risk-Based
•  Context and Intelligence
•  Connecting People and Data

SECURITY USE CASES
•  SECURITY & COMPLIANCE REPORTING
•  REAL-TIME MONITORING OF KNOWN THREATS
•  MONITORING OF UNKNOWN, ADVANCED THREATS
•  INCIDENT INVESTIGATIONS & FORENSICS
•  INSIDER THREAT

Splunk Can Complement OR Replace an Existing SIEM

SPLUNK FOR SECURITY

Use cases: SIEM, Security Analytics, Fraud, Theft and Abuse
Products: SPLUNK ENTERPRISE SECURITY, SPLUNK USER BEHAVIOR ANALYTICS, SPLUNK APP FOR PCI, SECURITY APPS & ADD-ONS
Platform for Security Services
Data: Wire data, Windows, RDBMS (any) data, SIEM integration

Adaptive Response: Remediating user account takeover

Detect:
•  Malicious Logons

Respond:
•  Reset Password

Orchestrate Automation

SPLUNK IS THE NERVE CENTER

Data feeding the nerve center: App, Endpoint/Server, Cloud, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Network

Connecting People and Data Through a Nerve Center

Getting Started
•  Splunk Enterprise Free: Download
•  Enterprise Security Cloud: Trial
•  Splunk UBA: Proof of Value

The 7th Annual Splunk Worldwide Users' Conference
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
•  5000+ IT & Business Professionals
•  3 days of technical content
•  165+ sessions
•  80+ Customer Speakers
•  35+ Apps in Splunk Apps Showcase
•  75+ Technology Partners
•  1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
•  NEW hands-on labs!
•  Expanded show floor, Dashboards Control Room & Clinic, and MORE!

PLUS Splunk University
•  Three days: Sept 24-26, 2016
•  Get Splunk Certified for FREE!
•  Get CPE credits for CISSP, CAP, SSCP
•  Save thousands on Splunk education!

Crossing the Chasm

Thank You @Matthias_by