SkyiD - SplunkConf


SkyiD: Securing Customer Facing Apps

Greetings! I’m Mark Debney


The Shape of BSkyB


SkyiD


SkyiD within BSkyB

Subscribers: 30 million SkyiD accounts, accessing 30-40 Sky services through the auth & session management services

The SkyiD Security Team

Identity, Incidents, Investigations

So What About SkyiD and Splunk?

Capacity vs Security

Capacity: monitoring the capacity of the applications and the physical estate

Real Time Performance Reporting to Every Service & Ops Team

Capacity and Business Need


Capacity and SkyiD Applications

Frequency, Speed, Endurance

Traffic Profile of SkyiD Applications

[Chart: hourly traffic profile, 0:00 to 22:00; series: Success, Failure]

Measuring the Authentication Transaction

StopWatch: end-to-end performance

Capacity and the Physical Estate

Physical resources, Consistency

Holistic view of infrastructure

Managing Physical Capacity


Security

Dedicated SkyiD Security Team

Team Composition: Devs, QA, Application teams, DevOps

Easy to Detect Attacks

[Chart: Normal, hourly profile 0:00 to 22:00; series: Success, Failure]

[Chart: Brute Force Attack, hourly profile 0:00 to 22:00; series: Success, Failure]

Single Service Attacks

[Chart: hourly profile 0:00 to 22:00; series: Success, Failure]

A Closer Look

[Chart: hourly profile 23:00 to 22:00; series: Success, Failure]

False Positive

[Chart: hourly profile 0:00 to 22:00; series: Success, Failure, Sign up]

A Closer Look

[Chart: hourly profile 0:00 to 22:00; series: Success, Failure, Sign up]

Elements and Indicators of Attacks

Username
ServiceName
Internal IP
Date
Time
Successful
InvalidCredentials
errorCode
aliasType
HTTP status codes
URL
User Agent
Country code
Java call

Behavior Based Rules

Next Actions: compare attributes across multiple transactions
Historical logs for the user and IP
Attributes: username, time, country code
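The brute-force profile from the "Easy to Detect Attacks" slides and the cross-transaction check from "Behavior Based Rules", worked as an added Python example rather than Splunk searches (this is not code from the talk or from Sky); the log format, the baseline failure ratio and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample auth log (not real SkyiD data); field names follow the slide's
# indicators: username, service, internal IP, date, time, result, errorCode, country code.
SAMPLE_LOG = """\
2013-09-30 09:00:05 user=alice svc=skygo ip=10.1.1.5 result=Successful code=0 cc=GB
2013-09-30 09:00:09 user=bob svc=skygo ip=10.1.1.6 result=InvalidCredentials code=401 cc=GB
2013-09-30 09:00:12 user=carol svc=signup ip=10.1.1.7 result=InvalidCredentials code=409 cc=GB
2013-09-30 03:00:01 user=u001 svc=skygo ip=10.2.2.2 result=InvalidCredentials code=401 cc=US
2013-09-30 03:00:02 user=u002 svc=skygo ip=10.2.2.2 result=InvalidCredentials code=401 cc=US
2013-09-30 03:00:03 user=u003 svc=skygo ip=10.2.2.2 result=InvalidCredentials code=401 cc=US
2013-09-30 03:00:04 user=u004 svc=skygo ip=10.2.2.2 result=InvalidCredentials code=401 cc=US
2013-09-30 03:00:05 user=alice svc=skygo ip=10.2.2.2 result=Successful code=0 cc=US
"""
LINE_RE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d user=(\S+) svc=(\S+) ip=(\S+) "
                     r"result=(\S+) code=\S+ cc=(\S+)$")

def parse(log):
    """Turn raw lines into dicts; lines that do not match the format are dropped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        date, hour, user, svc, ip, result, cc = m.groups()
        events.append({"date": date, "hour": int(hour), "user": user, "svc": svc,
                       "ip": ip, "ok": result == "Successful", "cc": cc})
    return events

def failure_ratio_by_hour(events, exclude_services=("signup",)):
    """Hourly failure share, the shape plotted on the success/failure charts.
    Sign-up errors are excluded so a sign-up campaign is not read as an attack."""
    ok, fail = Counter(), Counter()
    for e in events:
        if e["svc"] not in exclude_services:
            (ok if e["ok"] else fail)[e["hour"]] += 1
    return {h: fail[h] / (ok[h] + fail[h]) for h in set(ok) | set(fail)}

def brute_force_hours(events, baseline_ratio, factor=3.0):
    """Simple detection: hours whose failure share is `factor` times the normal baseline."""
    ratios = failure_ratio_by_hour(events)
    return sorted(h for h, r in ratios.items() if r >= baseline_ratio * factor)

def behaviour_rule(events, min_users=3):
    """Behaviour rule across transactions: one internal IP cycling through many
    usernames, or one username seen from more than one country code."""
    users_by_ip, ccs_by_user = defaultdict(set), defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"]); ccs_by_user[e["user"]].add(e["cc"])
    spray_ips = sorted(ip for ip, u in users_by_ip.items() if len(u) >= min_users)
    roaming_users = sorted(u for u, c in ccs_by_user.items() if len(c) > 1)
    return spray_ips, roaming_users
```

The baseline ratio would come from the "Normal" profile over a long window; here it is passed in by hand.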

Tools of the Security Team

Visualization, Behavior Based Rules, Preventative Controls

Best Practice

Remove noise
Start small and build
Review and update

What You Can Start Doing

Get visibility into your physical estate; it will set your team free

Understand end-to-end transactions and relate them back to business needs

Gain insight into your transactions, tweak logging, determine what to log and what that data means

Look for a range of attack indicators, compare against normal to determine good/bad traffic profiles

Use simple detections to create complex behavior based rules

Security office hours: 11:00 AM – 2:00 PM @Room 103, every day
Geek out, share ideas with Enterprise Security developers

Red Team / Blue Team - Challenge your skills and learn new tricks
Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge
Thurs: 11:00 AM – 2:00 PM
Learn, share and hack

Birds of a feather - Collaborate and brainstorm with security ninjas
Thurs: 12:00 PM – 1:00 PM @Meal Room