Security crawl walk run presentation mckay v1 2017

Upload: adam-tice

Post on 24-Jan-2018

Category: Software

TRANSCRIPT

Page 1

© 2017 SPLUNK INC.

crawl|walk|run

Splunk for Security

Dimitri McKay | Staff Security Architect | Splunk

Page 2

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.

Page 3

Agenda: Splunk Level Set

Intro | Maturity | Crawl | Walk | Run | Summary

Page 4

Intro: Maturity

Page 5

People | Process | Technology

3 equal parts make a mature security program

Page 6

Maturity of a Security Program

Four stages, running from reactive to proactive: Search and Investigate → Proactive Monitoring and Alerting → Security Situational Awareness → Real-time Risk Insight.

Search and Investigate (reactive):

- Reactive security
- Limited visibility
- Limited data sources
- Data spread across multiple silos

Proactive Monitoring and Alerting:

- Specific data sources captured
- Real-time monitoring for specific basic use cases
- Simple correlation alerts in use

Security Situational Awareness:

- Monitoring in real time
- High-fidelity correlation in use
- Basic automation for enrichment
- Threat data plays a heavy role in security processes

Real-time Risk Insight (proactive):

- Risk framework used to prioritize activity
- Automation is used to reduce noise and threat
- Breaches identified in real time and thwarted before exfil

Page 7

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/

Page 8

Crawl: How do I get started?

Page 9

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/

Page 11

Step one?

Download Splunk. :)

Page 12

But consider starting with these top 5 data sources…

Page 13

#1 Windows: Splunk Add-on for Microsoft Windows

Page 14

#1 Windows: Splunk Add-on for Microsoft Windows

Windows Use Cases

► Authentication:
- Success/failures
- New account logons
- Unused accounts
- Anomalous logins

► Endpoint changes:
- New applications/processes
- New ports
- New services

Page 15

#2 Linux: Splunk Add-on for Unix and Linux; Add-on for Auditd

Page 16

#2 Linux: Splunk Add-on for Unix and Linux; Add-on for Auditd

Linux Use Cases

► Authentication:
- Success/failures
- New account logons
- Unused accounts
- Anomalous logins

► Endpoint changes:
- New applications/processes
- New ports
- New services

Page 17

#3 Firewalls: Splunk Add-on for Juniper, Cisco, Palo Alto, etc.

Page 18

#3 Firewalls: Splunk Add-on for Juniper, Cisco, Palo Alto, etc.

Firewall Use Cases

► Top categories
► Top apps consuming bandwidth
► Top protocol use
► Top bandwidth consumers
► Top threats by user/host/src
► Top blocked executables
► Top vulnerabilities / vulnerable machines
► Top targets
► Top actions
► Top malware

Page 19

#4 AWS + Cloud Services: Adoption of Cloud in the Security space

Page 20

#4 AWS + Cloud Services: Adoption of Cloud in the Security space

AWS/Cloud Use Cases

► Network ACLs
► Security groups
► IAM activity
► S3 data events
► VPC activity/traffic/security analysis
► CloudFront/ELB/S3 traffic analysis
► Top user activity
► Top resource activity

Page 21

#5 Anti-virus: Symantec and McAfee antivirus suites

Page 22

#5 Anti-virus: Symantec and McAfee antivirus suites

Anti-virus Use Cases

► Top risks detected
► Top processes blocked
► Top viruses / spyware detected
► Malware client version reports
► Malware virus definitions version reports
► Host changes / modifications

Page 23

With these top 5 data sources you manage…

► Detection of Possible Brute Force Attacks

► Detection of Insider Threat

► Expected Host/Log Source Not Reporting

► Unusual Login Behavior

► Unexpected Events Per Second (EPS) from Log Sources

► Detection of Anomalous Ports, Services and Unpatched Devices

► More…

http://resources.infosecinstitute.com/top-6-seim-use-cases/#gref
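Two of the detections listed above, possible brute force and an expected log source that stops reporting, worked through in Python as an added example that is not from the slides or from Splunk. It runs over constructed Windows Security events; EventCode 4625/4624 are the standard Windows failed/successful logon IDs, while the thresholds, hosts and addresses are assumptions. In Splunk the same logic would be a scheduled search that counts failures per source and compares the result against a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real data), one tuple per event:
# (timestamp, reporting host, EventCode, source IP, account).
# EventCode 4625 = failed logon, 4624 = successful logon.
EVENTS = [
    ("2017-10-10T08:50:00", "fs01", 4624, "10.0.0.22", "backup"),
    ("2017-10-10T09:00:01", "dc01", 4625, "10.0.0.5", "jsmith"),
    ("2017-10-10T09:00:07", "dc01", 4625, "10.0.0.5", "jsmith"),
    ("2017-10-10T09:00:15", "dc01", 4625, "10.0.0.5", "admin"),
    ("2017-10-10T09:00:22", "dc01", 4625, "10.0.0.5", "admin"),
    ("2017-10-10T09:00:30", "dc01", 4625, "10.0.0.5", "admin"),
    ("2017-10-10T09:00:41", "dc01", 4624, "10.0.0.5", "admin"),
    ("2017-10-10T09:03:00", "dc01", 4625, "10.0.0.9", "mlee"),
    ("2017-10-10T09:06:00", "dc01", 4624, "10.0.0.9", "mlee"),
]

def brute_force_candidates(events, window=timedelta(minutes=5), threshold=5):
    """Sources with >= threshold failed logons inside any sliding window; each
    finding also notes whether a success from the same source followed the burst."""
    by_src = defaultdict(list)
    for ts, _host, code, src, _user in events:
        by_src[src].append((datetime.fromisoformat(ts), code))
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [t for t, c in recs if c == 4625]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) >= threshold:
                # Failure-then-success from one source is the pattern worth the first look.
                success_after = any(c == 4624 and t >= burst[-1] for t, c in recs)
                findings[src] = {"failures": len(burst), "success_after": success_after}
                break
    return findings

def silent_hosts(events, expected_hosts, now_iso, max_silence=timedelta(minutes=15)):
    """'Expected host/log source not reporting': expected hosts whose newest
    event is older than max_silence, or that never sent anything at all."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for ts, host, *_ in events:
        t = datetime.fromisoformat(ts)
        last_seen[host] = max(last_seen.get(host, t), t)
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)
```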

Page 24

Use Cases + Apps: Dive into more advanced use cases

Page 25

Next, Dive Into More Advanced Use Cases: Security Intelligence Use Cases

Security & Compliance Reporting | Real-time Monitoring of Known Threats | Root Cause Analysis | Action | Alerting | Incident Investigations & Forensics

Page 26

Splunk Security Essentials: Access and Network Domain

Access Domain

• Authentication Against a New Domain Controller
• First Time Logon to New Server
• Significant Increase in Interactively Logged On Users
• Geographically Improbable Access (Superman)
• Increase in # of Hosts Logged into
• New AD Domain Detected
• New Interactive Logon from a Service Account
• New Local Admin Account
• New Logon Type for User
• Short Lived Admin Accounts
• Significant Increase in Interactive Logons

Network Domain

• Detect Algorithmically Generated Domains
• Remote PowerShell Launches
• Source IPs Communicating with Far More Hosts Than Normal
• Sources Sending Many DNS Requests

• Sources Sending a High Volume of DNS Traffic
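The "Geographically Improbable Access (Superman)" use case above, as an added example that is not from the slides or from the Security Essentials app: consecutive logins by one user are turned into an implied travel speed, and any pair faster than an airliner could manage is flagged. The login records, coordinates and the 1000 km/h ceiling are constructed assumptions; in Splunk the coordinates would come from a GeoIP lookup of the source IP (the iplocation command).

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample logins (not real data): (user, timestamp, latitude, longitude).
# In a Splunk search the coordinates would come from a GeoIP lookup of the source IP.
LOGINS = [
    ("jsmith", "2017-10-10T09:00:00", 40.7128, -74.0060),  # New York
    ("jsmith", "2017-10-10T10:30:00", 51.5074, -0.1278),   # London, 90 minutes later
    ("mlee",   "2017-10-10T09:00:00", 40.7128, -74.0060),  # New York
    ("mlee",   "2017-10-10T13:00:00", 42.3601, -71.0589),  # Boston, 4 hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def improbable_access(logins, max_kmh=1000.0):
    """Compare each user's consecutive logins and flag pairs whose implied
    travel speed exceeds max_kmh (roughly airline speed, an assumed ceiling)."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, recs in by_user.items():
        recs.sort()
        for (t1, lat1, lon1), (t2, lat2, lon2) in zip(recs, recs[1:]):
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:
                # Two distinct places at the same instant: no finite speed explains it.
                kmh = math.inf if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                findings.append({"user": user, "km": round(km),
                                 "hours": round(hours, 2), "kmh": kmh})
    return findings
```

A real deployment would add a minimum-distance floor so that two nearby GeoIP points with imprecise coordinates do not trigger on short time gaps.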

Page 27

Splunk Security Essentials for Ransomware

The following are the use cases included in this app:

1. Fake Windows Processes

2. Malicious Command Line Executions

3. Monitor AutoRun Reported Registry Keys

4. Monitoring Successful Backups

5. Monitor Successful Windows Update

6. Monitoring Unsuccessful Backups

7. Monitor Successful Windows Update

8. Ransomware extensions

9. Ransomware Note Files

10. Ransomware Vulnerabilities

11. SMB traffic Allowed

12. Spike in SMB traffic

13. Detect TOR Traffic

Page 28

CIS Critical Security Controls: Framework for Baseline Security

The CIS Critical Security Controls app for Splunk was designed to provide a consolidated, easily extensible framework for baseline security “best practices” based on the Top 20 Critical Security Controls published by the Center for Internet Security.

Page 29

Crawl: How do I get started?

Page 30

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/

Page 31

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/

Page 32

Splunk Enterprise Security: Analytics SIEM

Monitoring | Reporting | Alerting

• 50,000-foot view of the organization’s security posture
• Out-of-the-box dashboards, reports, correlated alerts, and incident response workflows
• Detect unusual activities by leveraging statistical analysis, dynamic thresholds, and anomaly detection.
• Verify privileged access and detect unusual activity by applying user- and asset-based context to all cloud, on-premises and hybrid machine data to monitor user and asset activities.

Threat | Case Management

• Leverage threat feeds from a broad set of sources, including free threat intelligence feeds, third-party subscriptions, law enforcement, FS-ISAC, STIX/TAXII, the Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS), Facebook ThreatExchange, and internal and shared data
• Manage alerts/cases and investigations in one place, with the ability to pivot between data sources to decrease remediation and investigation time, thereby reducing risk.

Page 33

Crawl: How do I get started?

Page 34

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/

Page 35

https://github.com/swannman/ircapabilities

https://creativecommons.org/licenses/by/4.0/


Page 36

Splunk UBA + Enterprise Security: Unsupervised Machine Learning

Business Risk | Machine Learning

• Detects insider threats using out-of-the-box, purpose-built but extensible unsupervised machine learning (ML) algorithms
• Provides context around the threat via ML-driven anomaly correlation and visual mapping of stitched anomalies over various phases of the attack lifecycle (Kill Chain View)
• Increases SOC efficiency with rank-ordered threats and supporting evidence
• Prioritizes assets and identities based on criticality to the business, which then prioritizes alerts and case management as the most important events bubble to the surface.

High Fidelity Alerting + Orchestration

• By integrating UBA with Enterprise Security, high-fidelity alerts are fed into a central location for remediation.
• Alerts are also then actionable, allowing Splunk to orchestrate and automate a response via a single common interface for retrieval, sharing, and response in multi-vendor environments. Examples of those responses might be segregating a host off of a network, resetting a user’s password, pushing out antivirus definitions to machines with out-of-date updates, or blocking IPs and URLs found in threat lists.

Page 37

Summary: In Conclusion

Page 38

The Platform

PLATFORM: Analytics, Awareness & Action

Page 39

The Platform

SOLUTIONS: Vendor Apps | Community Apps | Use Case Apps | Showcase Apps

PLATFORM: Analytics, Awareness & Action

Page 40

The Platform

USE CASES: Incident Investigations and Forensics | Security and Compliance | Real-Time Monitoring | Root Cause Analysis | Automation and Orchestration | Reporting and Alerting

SOLUTIONS: Vendor Apps | Community Apps | Use Case Apps | Showcase Apps

PLATFORM: Analytics, Awareness & Action

Page 41

End: Thank you!