Copyright © 2014 Splunk Inc.

Splunk for Security

Analytics Driven Security for Higher Education

James Brodsky

SE/Security SME, Splunk

Security Breakout Session



Agenda

• Splunk for Security (20 min)
• EDU Case Studies (20 min)
• Demonstration of the Splunk App for Enterprise Security (15 min, time permitting)
• Q & A

Why Splunk for Security?

Machine Data contains a DEFINITIVE RECORD of all Human to Machine and Machine to Machine Interaction.

Splunk ingests, stores, and analyzes all of that data at scale.

Advanced Threats Are Hard to Find

Cyber Criminals, Nation States, Insider Threats

Source: Mandiant M-Trends Report 2012/2013/2014

100% – Valid credentials were used
40 – Average # of systems accessed
229 – Median # of days before detection
67% – Of victims were notified by external entity

Attackers & Threats have Changed & Matured

• Goal-oriented
• Human directed
• Multiple tools, steps & activities
• New evasion techniques
• Coordinated
• Dynamic, adjust to changes

Threat

People
• Outsider (organized crime, competitor, nation/state)
• Insiders (contractor, disgruntled employee)

Technology
• Malware, bots, backdoors, rootkits, zero-day
• Exploit kits, password dumper, etc.

Process
• Attack Lifecycle, multi-stage, remote controlled
• Threat marketplaces – buy and rent

Modern Security Programs Need More than Technology

Threat

People
• Outsider (organized crime, competitor, nation/state)
• Insiders (contractor, disgruntled employee)

Technology
• Malware, bots, backdoors, rootkits, zero-day
• Exploit kits, password dumper, etc.

Process
• Attack Lifecycle, multi-stage, remote controlled
• Threat marketplaces – buy and rent

Solution

Technology
• Firewall, Anti-malware, AV, IPS, etc.
• Anti-spam, etc.

Human Intuition and Observation

Coordination, Collaboration and Counter Measures

New approach to security operations is needed

Threat
• Goal-oriented
• Human directed
• Multiple tools & activities
• New evasion techniques
• Coordinated
• Dynamic (adjust to changes)

New approach
• Analyze all data for relevance
• Contextual and behavioral
• Rapid learning and response
• Leverage IOC & Threat Intel
• Share info & collaborate
• Fusion of technology, people & process

Here's one example of a new approach

But it should be…

What questions could you ask?

• Who is working on Saturdays?
• Who is badging into areas that they're not supposed to be in?
• Who accessed that server with admin privs over the past year?
• What countries are generating the most inbound traffic? Outbound?
• Which firewalls are passing ports that we've never seen before?
• What endpoints are exhibiting beaconing behavior?
• What countries are we communicating with that we don't do business in/have students registered in?
• What vulns are found on my network and what's been trying to exploit them?
• Who's accessing our resources with the same credentials but from different states or countries, at the same time?
• Who is accessing our competitor websites and what's the risk associated with that?
• Which servers are querying DNS far more than they ever normally do today?
• Which users have downloaded content from known phishing URLs?
• Whose HR data has changed after being infected by malware/visiting a phishing link?

From Alert Based to Analytics Driven Security

Traditional Alert-based Approach      Additional Analysis Approach
Time & Event based                    ..and phase, location, more…
Data reduction                        Data inclusion
Event correlation                     Multiple/dynamic relationships
Detect attacks                        Detect attackers
Needle in a haystack                  Hay in a haystack
Power Users, Specialist               Everyone – Analytics-enabled Team

Spear-phishing – Advanced Analytics Sources

Web Proxy (rarely visited web site; User Name):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Endpoint Logs (rarely seen service; User Name):
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers Print\Providers\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

Email Server (rarely seen email domain; User Name):
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,,[email protected],Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z

Time Range: all three occurring within a 24-hour period.
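The slide shows the three raw events and the rule that ties them together (same user, three rarely seen things, within 24 hours) but not the correlation itself. The block below is an added example, not code from the talk or from Splunk, that performs that correlation in Python over constructed lines in simplified proxy, endpoint and Exchange message-tracking formats: each parser normalises its own timestamp layout, marks the event as rare against an assumed baseline lookup, and `correlate` reports users for whom all three sources land inside one sliding 24-hour window. Field names, the baselines and the sample users are assumptions.

```python
# Added example (not from the talk): correlate three "rarely seen" observations
# about the same user within 24 hours, as the spear-phishing slide describes.
# The three log formats are constructed approximations of a web-proxy log, an
# endpoint process/registry log and an Exchange message-tracking log; field
# names and the "known" baselines are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed baselines: what this environment sees often enough to be boring.
# In practice these come from a lookup built over weeks of history.
KNOWN_WEB_SITES = {"www.example.edu", "www.bing.com"}
KNOWN_PROCESSES = {"explorer.exe", "outlook.exe", "svchost.exe"}
KNOWN_EMAIL_DOMAINS = {"example.edu", "mail.example.com"}

# Constructed sample lines (different timestamp formats, as in the real sources).
PROXY_LOG = [
    '2013-08-09 16:21:38 10.11.36.29 TCP_HIT 200 GET www.neverbeenseenbefore.com user="jdoe"',
    '2013-08-09 11:05:12 10.11.36.30 TCP_HIT 200 GET www.example.edu user="asmith"',
    '2013-08-10 10:00:00 10.11.36.31 TCP_HIT 200 GET www.obscure-site.example user="bwong"',
]
ENDPOINT_LOG = [
    r'08/09/2013 16:23:51 user="jdoe" process_image="C:\Users\jdoe\neverseenbefore.exe" registry_type="CreateKey"',
    r'08/09/2013 09:10:00 user="asmith" process_image="C:\Windows\explorer.exe" registry_type="CreateKey"',
]
EMAIL_LOG = [
    '2013-08-09T12:40:25Z,STOREDRIVER,DELIVER,sender=payroll@neverseen-domain.net,recipient=jdoe@example.edu,subject="Please open this attachment with payroll information"',
    '2013-08-09T08:00:00Z,STOREDRIVER,DELIVER,sender=it@example.edu,recipient=asmith@example.edu,subject="Patch Tuesday"',
]

def parse_proxy(line):
    m = re.match(r'(\S+ \S+) \S+ \S+ \d+ GET (\S+) user="([^"]+)"', line)
    site = m.group(2)
    return {"src": "proxy", "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "user": m.group(3), "detail": site, "rare": site not in KNOWN_WEB_SITES}

def parse_endpoint(line):
    m = re.match(r'(\S+ \S+) user="([^"]+)" process_image="([^"]+)"', line)
    exe = m.group(3).rsplit("\\", 1)[-1].lower()   # image name only
    return {"src": "endpoint", "ts": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
            "user": m.group(2), "detail": exe, "rare": exe not in KNOWN_PROCESSES}

def parse_email(line):
    m = re.match(r'(\S+?),.*sender=(\S+?),recipient=([^@,]+)@', line)
    domain = m.group(2).split("@", 1)[1]
    # Assumption: all three sources are normalised to one time zone before this step.
    return {"src": "email", "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group(3), "detail": domain, "rare": domain not in KNOWN_EMAIL_DOMAINS}

def correlate(proxy_lines, endpoint_lines, email_lines):
    """Return [(user, [(source, detail), ...])] for users with a rare web site,
    a rare process and a rare sender domain all inside one 24-hour window."""
    rare_by_user = defaultdict(list)
    for parser, lines in ((parse_proxy, proxy_lines), (parse_endpoint, endpoint_lines),
                          (parse_email, email_lines)):
        for line in lines:
            ev = parser(line)
            if ev["rare"]:
                rare_by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in rare_by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):                      # sliding 24-hour window
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            if {e["src"] for e in window} == {"proxy", "endpoint", "email"}:
                hits.append((user, [(e["src"], e["detail"]) for e in window]))
                break
    return hits

if __name__ == "__main__":
    for user, chain in correlate(PROXY_LOG, ENDPOINT_LOG, EMAIL_LOG):
        print(user, chain)
```

The "rare" test is the whole point: a first-seen sender domain, a first-seen web site or a never-before-run binary is individually noise, and only the conjunction on one user inside one window is worth an analyst's time. The baseline sets stand in for the "rarely seen" lookups a production search would build from history; the window is what turns three weak signals into one strong one.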

All Machine Data is Security Relevant

Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication


Traditional SIEM

If we can build a complete picture, we disrupt the Kill Chain, we disrupt the adversary.

[Platform overview figure] Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search; Developer Platform. Machine Data (Real-time or Batch): Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID; Datacenter, Private Cloud, Public Cloud. Kill Chain Analysis Across Technology/Devices. External Lookups: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications.

Connecting the "data-dots" via multiple/dynamic relationships

Threat intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
Network Activity/Security: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
Host Activity/Security: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Auth – User Roles: Access level, privileged users, likelihood of infection, where they might be in kill chain

Kill chain stages shown: Delivery, exploit installation; Gain trusted access; Upgrade (escalate); Lateral movement; Data Gathering; Exfiltration; Persist, Repeat

Kill Chain Demo Link:
https://splunkevents.webex.com/splunkevents/lsr.php?RCID=beec1404b8b7ca27ae25bb418a906259

EDU Case Studies

ASU – phishing
EDU1 – DMCA
Duke – direct deposit
EDU2 – bomb threat

Where did this info come from?

• ASU, Duke, and [prestigious private university in Boston] have all acknowledged use of Splunk publicly
• Security has been a driving factor for adoption for all three
• I cannot do these justice – they are mere highlights. I thank the Splunkers from these universities profusely
• NONE OF THESE SCHOOLS OFFICIALLY ENDORSE SPLUNK. They have shared this information in the spirit of collaboration.
• Visit below URL for slides and recordings: http://conf.splunk.com

ASU – Originally from C. Kurtz

Quick GeoIP/Haversine Demo
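The GeoIP/Haversine demo itself is not reproduced in these slides. What follows is an added example, not code from the talk or from ASU, that implements the same idea in Python for the earlier question of who is using the same credentials from different states or countries at the same time: login events already enriched with GeoIP coordinates (constructed here; in practice they come from a GeoIP lookup on the source address of the login) are sorted per user, the Haversine formula gives the great-circle distance between consecutive logins, and any pair whose implied travel speed exceeds an assumed 900 km/h threshold is reported. The function names, sample users and the threshold are all assumptions.

```python
# Added example (not from the talk): "impossible travel" detection using the
# Haversine great-circle distance between GeoIP-located logins.
import math
from datetime import datetime
from itertools import groupby

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

# Constructed authentication events already enriched with GeoIP coordinates:
# (user, timestamp, city, latitude, longitude). In a real pipeline the city and
# coordinates come from a GeoIP lookup on the source IP of the login.
SAMPLE_LOGINS = [
    ("jdoe",   "2013-08-09 09:00:00", "Tempe",   33.4255, -111.9400),
    ("jdoe",   "2013-08-09 09:45:00", "Beijing", 39.9042,  116.4074),
    ("asmith", "2013-08-09 10:00:00", "Durham",  35.9940,  -78.8986),
    ("asmith", "2013-08-09 15:30:00", "Boston",  42.3601,  -71.0589),
]

def impossible_travel(logins, max_speed_kmh=900.0):
    """Return (user, from_city, to_city, km, hours) for each pair of consecutive
    logins by the same user whose implied speed exceeds max_speed_kmh
    (an assumed threshold, roughly an airliner's cruising speed)."""
    parsed = sorted(
        ((u, datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), c, la, lo)
         for u, t, c, la, lo in logins),
        key=lambda r: (r[0], r[1]),
    )
    findings = []
    for user, rows in groupby(parsed, key=lambda r: r[0]):
        prev = None
        for _, t, city, lat, lon in rows:
            if prev is not None:
                pt, pcity, plat, plon = prev
                km = haversine_km(plat, plon, lat, lon)
                hours = (t - pt).total_seconds() / 3600.0
                # Same credentials, two far-apart places, too little time between
                # them: shared credentials or a VPN/proxy, either way worth a look.
                # Zero elapsed time with non-zero distance is impossible as well.
                if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                    findings.append((user, pcity, city, round(km), round(hours, 2)))
            prev = (t, city, lat, lon)
    return findings

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel: %s %s -> %s, %d km in %.2f h" % f)
```

GeoIP is coarse: campus NAT, mobile carriers and VPN concentrators all place users far from where they actually sit, so a hit is a lead for an analyst rather than proof of credential sharing. Raising the threshold or excluding known egress addresses cuts most of the noise.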

Automation…

Other Little-Known Security Apps

• Wordstats – Search for data that has significant "shannon entropy" – good for finding, for example, DGA domains
• Phishing Lookup – Compare URLs found in data for known phishing sites
• Sentiment Analysis – Analyze phrases found in data (such as tweets) and determine if they are positive or negative
• SPLICE – Consume IOCs in STIX, CybOX, OpenIOC formats and compare your data to filenames, hashes, domains, URLs, etc found within
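The Wordstats bullet names the technique, Shannon entropy, without showing it. As an added example, not the Wordstats app's code, here is the entropy calculation in Python applied to the registrable label of each host name, with assumed length and threshold cut-offs and a constructed sample of names:

```python
# Added example (not from the talk or the Wordstats app): score DNS names by the
# Shannon entropy of their registrable label to surface DGA-like domains.
import math
from collections import Counter

def shannon_entropy(text):
    """Bits of entropy per character for the character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def registrable_label(fqdn):
    """Second-level label of a host name ('www.splunk.com' -> 'splunk').
    Assumption: no public-suffix handling, so 'x.co.uk' would yield 'co'."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

# Constructed sample of names as they might appear in DNS or proxy logs.
SAMPLE_DOMAINS = [
    "www.splunk.com",
    "conf.splunk.com",
    "mail.example.edu",
    "stackoverflow.com",
    "x7k2q9wlzj4ptbn5.net",
    "a1b2.org",
]

def flag_high_entropy(domains, threshold=3.8, min_len=10):
    """Return [(domain, entropy)] for names whose registrable label is at least
    min_len characters and has entropy above threshold. Both are assumed
    tunables: short labels cannot reach high entropy at all, and long
    dictionary names such as 'stackoverflow' sit around 3.5 bits."""
    flagged = []
    for d in domains:
        label = registrable_label(d)
        if len(label) < min_len:
            continue
        h = round(shannon_entropy(label), 3)
        if h > threshold:
            flagged.append((d, h))
    return flagged

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, round(shannon_entropy(registrable_label(d)), 3))
    print("flagged:", flag_high_entropy(SAMPLE_DOMAINS))
```

Entropy on its own is a weak signal (long legitimate names creep toward the threshold, and a generator that draws from dictionary words defeats it entirely), so it pays to combine it with the "rarely seen" test used elsewhere in this talk and with NXDOMAIN counts per client.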

[prestigious private university in Boston]

DMCA Violation Reporting

• DMCA Violations regularly sent via email from industry representatives
• Use Splunk to figure out who had that IP address during the timestamp given (dashboard form searches)
• Use DB Connect or API query of student/employee database to match IP to MAC, and identify system owner
• Notify system owner of copyright violation

We can automate much of this, too.

Duke – Originally from J. Hopkins, P. BaJon, E. Hope

[large university in the northeast] – Investigating a Bomb Threat

A large university in the Northeast…
• Student needed more time to prep for an exam, so decided to e-mail in a bomb threat to campus security. "I'm going to blow up the science building…"
• He did this via Tor so as to remain anonymous.
• Campus security worked with security team and FBI to investigate, using Splunk. How?

Search Ideas

• What can provide us with what students are searching? Proxy logs, Wire Data
• Needle in a haystack – who has been searching for "anonymous email" over the past week?
• Once we have an IP or a MAC or both, then continue investigation – we will use DHCP logs, AP logs, and correlating with several structured data sources.

Search Terms against Wire or Proxy Data

• Where else did they go? If we see them "disappear" perhaps https? Tor?
• Downloaded Tor. But we have a MAC address and an IP address…let's use those to dig further…

Search Terms against DHCP logs

• Use MAC to get a hostname, how about access point logs?

Search Terms against AP logs

• Just search the hostname or the MAC we found against AP logs. We can link to residence hall…

71  

Mapping  it  out  •  Where  is  the  residence  hall?  Simple  lookup:  provide  Splunk  with  lat/lon  of  all  access  points…  

71  

Who is it?

• All users of campus network have to register MAC addresses, so…use Splunk DB Connect (DBX) to attach to data warehouse…

10:DD:B1:B7:EB:A8,[email protected],jbrodsky-mbp15,jb45478

• Now we have context in our search results.
• Let's correlate network ID with another DB of student info.

In sum…

• Proxy logs or wire data allowed us to look for suspicious search terms and find an IP address doing those searches.
• DHCP logs and AP logs allowed us to find a MAC address associated with those searches.
• Linking the AP logs with geographic data allows us to see where the user was.
• Linking the MAC address with registration database lets us find a "network ID" that registered the device doing the searching.
• Linking network ID with student database allows us to see information about student.
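The summary above lists the pivots one at a time, and the DMCA slide earlier describes the same IP-and-timestamp-to-owner lookup. The following added example, not code from the talk or from any of the universities, chains those pivots in Python over constructed in-memory tables that stand in for the Splunk indexes and the DB Connect lookups. The table layouts, the `identify`/`investigate` helpers, the sample addresses and the e-mail address are assumptions; the MAC, hostname and network ID mirror the sample record on the slide.

```python
# Added example (not from the talk): the pivot chain from search term to IP to
# MAC to access point to registered owner, run over constructed in-memory
# tables standing in for Splunk indexes and DB Connect lookups. Field layouts,
# names and the e-mail address are assumptions; the MAC/hostname/netid row
# mirrors the sample record on the slide.
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Web proxy: (time, client_ip, url)
PROXY = [
    (ts("2013-08-05 22:14:03"), "10.20.5.17", "https://www.bing.com/search?q=anonymous+email"),
    (ts("2013-08-05 22:19:41"), "10.20.5.17", "https://www.torproject.org/download/"),
    (ts("2013-08-06 09:02:10"), "10.20.5.44", "https://www.bing.com/search?q=exam+schedule"),
]
# DHCP leases: (lease_start, lease_end, ip, mac, hostname). The same IP is
# re-leased to a different device the next morning, which is why the
# timestamp matters as much as the address.
DHCP = [
    (ts("2013-08-05 20:00:00"), ts("2013-08-06 08:00:00"), "10.20.5.17", "10:DD:B1:B7:EB:A8", "jbrodsky-mbp15"),
    (ts("2013-08-06 08:00:00"), ts("2013-08-06 20:00:00"), "10.20.5.17", "00:11:22:33:44:55", "other-laptop"),
]
# Wireless AP associations: (time, mac, access_point)
AP_LOG = [
    (ts("2013-08-05 21:55:12"), "10:DD:B1:B7:EB:A8", "ap-hall-c-3f"),
    (ts("2013-08-06 09:00:00"), "00:11:22:33:44:55", "ap-library-1f"),
]
# Lookups: AP -> (building, lat, lon); MAC registration -> (netid, email); student DB
AP_LOCATION = {"ap-hall-c-3f": ("Residence Hall C, 3rd floor", 42.3601, -71.0589),
               "ap-library-1f": ("Main Library, 1st floor", 42.3620, -71.0600)}
REGISTRATION = {"10:DD:B1:B7:EB:A8": ("jb45478", "jbrodsky@example.edu")}
STUDENTS = {"jb45478": {"name": "J. Brodsky", "residence": "Hall C"}}

def _matches(url, term):
    return term in url.lower().replace("+", " ")

def ips_searching_for(term, since):
    """Proxy pivot: client IPs whose requests since `since` contain the search term."""
    return sorted({ip for t, ip, url in PROXY if t >= since and _matches(url, term)})

def lease_at(ip, when):
    """DHCP pivot: (mac, hostname) holding `ip` at time `when`, or None."""
    for start, end, lease_ip, mac, host in DHCP:
        if lease_ip == ip and start <= when < end:
            return mac, host
    return None

def last_ap_before(mac, when):
    """AP pivot: the access point the MAC most recently associated with."""
    seen = [(t, ap) for t, m, ap in AP_LOG if m == mac and t <= when]
    return max(seen)[1] if seen else None

def identify(ip, when):
    """IP + timestamp -> device, location and registered owner. This single call
    is also the DMCA workflow: the notice supplies the IP and the timestamp."""
    lease = lease_at(ip, when)
    if lease is None:
        return None
    mac, host = lease
    ap = last_ap_before(mac, when)
    netid, email = REGISTRATION.get(mac, (None, None))
    return {"ip": ip, "mac": mac, "hostname": host, "access_point": ap,
            "location": AP_LOCATION.get(ap), "netid": netid, "email": email,
            "student": STUDENTS.get(netid)}

def investigate(term, since):
    """Search term -> every device that searched for it, with owner context."""
    results = []
    for ip in ips_searching_for(term, since):
        first_hit = min(t for t, i, url in PROXY if i == ip and _matches(url, term))
        results.append(identify(ip, first_hit))
    return results

if __name__ == "__main__":
    for r in investigate("anonymous email", ts("2013-08-01 00:00:00")):
        print(r)
```

The lease-boundary check in `lease_at` is the step most often skipped in DMCA attribution: an address observed at 09:00 belongs to whichever device held the lease at 09:00, not to whoever had it the night before, so a notice timestamp outside the lease window must come back as no match rather than the nearest lease.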

Enterprise Security Demo (Time Permitting)

ES Demo Link:
http://www.splunk.com/view/SP-CAAAJP6

In Conclusion

Security is a team sport and takes a village!

Leverage a rich Eco System

[Security Intelligence platform figure] 200+ SECURITY APPS/ADD-ONS; SPLUNK FOR ENTERPRISE SECURITY; VENDOR COMMUNITY: Cisco WSA, ESA, ISE, SF; Palo Alto Networks; FireEye; DShield; DNS; OSSEC; Symantec; Threat Stream; …; CUSTOM APPS; ADDITIONAL SPLUNK APPS

Customer and Industry Recognition

2800 Security Customers; Leader in Gartner SIEM MQ; Splunk Industry Awards

Analytics Driven Security – Empowering People and Data

A security intelligence platform should enable any Security Program to leverage Technology, Human Expertise, and Business/IT Processes in the most effective way to deliver on security.

Why Splunk?

Integrated, Holistic & Open
• Single product & data store
• All original machine data is indexed and searchable
• Open platform with API, SDKs, +500 Apps

Flexible & Empowering
• Schema on read
• Search delivers accurate, faster investigations and detection
• Powerful visualizations and analytics help identify outliers

Simplicity, Speed and Scale
• Fast deployment + ease-of-use = rapid time-to-value
• Runs on commodity hardware, virtualized and/or in the cloud
• Scales as your needs grow

All Your Data in One Place: Increases Collaboration and Partnership, Eliminates Silos & Delivers Proven ROI

Next Steps

• Info, data sheets, white papers, recorded demos at:
  Ø Splunk.com > Solutions > Security
  Ø Splunk.com > Solutions > Compliance
  Ø conf.splunk.com for full EDU presentations
• Try Splunk for free!
  Ø Download Splunk at www.splunk.com
  Ø Go to Splunk.com > Community > Documentation > Search Tutorial
  Ø In 30 minutes will have imported data, run searches, created reports
  Ø Security Apps at https://apps.splunk.com/
• Contact sales team at Splunk.com > About Us > Contact

Q&A

Thank You