
Page 1: Splunk for Security: Background & Customer Case Study

Copyright © 2015 Splunk Inc.

Splunk for Security: Background & Customer Case Study

Page 2: Splunk for Security: Background & Customer Case Study


Wipro Technologies

Andrew Gerber

Page 3: Splunk for Security: Background & Customer Case Study

Agenda

Background

Why Splunk for Security

Customer Case Study
• Build out and architecture
• Phased approach
• Hybrid cloud/on-premise solution

Example Security Use Cases

Roadmap & Key Takeaways

Page 4: Splunk for Security: Background & Customer Case Study

Wipro Overview

• Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company
• 158,000+ employees in 175+ cities across 6 continents
• Revenues of $7.5 billion for the financial year ended March 31, 2015
• Wipro uses and supports Splunk in many areas for our customers, including:
  – transaction analysis
  – fraud detection
  – business & IT operations monitoring
  – process improvement
  – information security

Page 5: Splunk for Security: Background & Customer Case Study

Speaker Bio

Andrew Gerber: Architect & Consultant, Enterprise Security Solutions, Wipro
– Discovered Splunk about 4 years ago

My mission is to help customers manage their security requirements efficiently and effectively, and to provide meaningful and measurable benefits while improving their security posture.

Page 6: Splunk for Security: Background & Customer Case Study

Why Splunk for Security

Customer challenges:
• Slow SIEM platform
• Limited capabilities and limited customization options
• Data source integration and parsing challenges
• Lots of effort spent on workarounds instead of creating new capabilities

Key reasons we often see Splunk selected for security use cases over other SIEM tools:
• Great user interface and a straightforward, flexible search language (SPL)
• Fast results
• Ability to scale flexibly and affordably
• Rapid value realization
• Late-binding schema (ingest raw data first, extract fields at search time)
• API and extensibility
• Higher ROI potential with a competitive TCO

Page 7: Splunk for Security: Background & Customer Case Study

Customer Story - Situation

• SIEM platform deployed for several years
• Performance was limiting (it could take days to search hours' worth of data)
• Vendor announced End of Life/End of Support for the SIEM platform

Gap analysis of the SIEM platform:
• Difficulty gaining insight: analysis was limited to the supported functions (COUNT, AVG, MIN, MAX, ...)
• Content creation required in-depth knowledge of the data sources and the vendor's parsing schema
• Limited datacenter capacity to scale the existing platform

Page 8: Splunk for Security: Background & Customer Case Study

Splunk – Phase 1

• Hybrid POC/pilot in only 12 weeks
• Partnered with Splunk Professional Services (PS)
• 200GB/day on-premise deployment, growing to 400GB/day
• Identified key security data sources to integrate
• Initial content development
• Dashboards and demos for stakeholders at all levels, including executives

Page 9: Splunk for Security: Background & Customer Case Study

Splunk – Phase 1 Architecture

• Handled 200GB/day and 10 users comfortably
• Grew to 400GB/day while still providing sufficient performance
• >300 Universal Forwarder instances deployed

[Architecture diagram, on-premise: cluster master, deployment server, 300+ forwarders, syslog-ng, NAS]

Page 10: Splunk for Security: Background & Customer Case Study

Splunk – Phase 1 Results

Speed
• Search performance went from days to seconds to get results
• Integrating data sources: ingest first, parse later as needed
• Creating searches and dashboards: powerful and straightforward, fast to create

Power
• SPL, stats, subsearches, graphical reporting, mapping, API, apps

Use cases transformed
• Went from listing the top machines by number of malware detection alerts to mapping out trends and identifying effective points of intervention/remediation
• Went from seeing a list of failed VPN login attempts by user to mapping VPN authentication activity and identifying anomalous activity for further investigation

Ability to demo dashboards all the way up to executive leadership

Page 11: Splunk for Security: Background & Customer Case Study

Scaling successfully: Enter Splunk Cloud

Dynamic business context
• Rapid pace of acquisitions
• Datacenter transformation project underway
• Cloud strategy evolving
• Flexibility of Splunk Cloud was key: availability, capacity, retention, scalability

Safeguards & security – beyond the basics
• Extensive review with Splunk and the customer's Enterprise Architecture and Security teams
• Audited security: Splunk SOC 2 Type 1 & 2 reports, in addition to AWS controls and attestations
• Flexibility to specify geographic restrictions on where data travels and resides
• Ability to configure encryption of data at rest
• Hybrid search heads: indexes can reside entirely on-premise as needed, and on-premise search heads can search the cloud

Page 12: Splunk for Security: Background & Customer Case Study

Splunk – Phase 2 (in progress)

• Added capacity: 500GB/day Splunk Cloud + 200GB/day on-premise
• Increasing data source variety, adding apps and integrations (e.g. Remedy for ticketing)
• Accommodating datacenter capacity constraints (transformation project underway)
• Adding and integrating users across business units
• Creating processes around security monitoring and SOC operations
• Deploying the Splunk App for Enterprise Security

Page 13: Splunk for Security: Background & Customer Case Study

Splunk Phase 2 Architecture

[Architecture diagram: on-premise (cluster master, deployment server, 500+ forwarders, syslog-ng, NAS) alongside AWS (Splunk Cloud, S3); the diagram labels the split as roughly 70% / 30%, consistent with 500GB/day in Splunk Cloud and 200GB/day on-premise]

Page 14: Splunk for Security: Background & Customer Case Study

Example Use Cases

Use Case 1 – VPN Activity Profiling
• Detect inappropriate or malicious remote access
• Profiling of employees, contractors, vendors, and other insiders

Use Case 2 – Malware Analysis
• Detect new signatures and hashes seen
• Enhance information with threat intelligence
• Profile activity by host and user
• Monitor time to resolution

Use Case 3 – Off-Network Jumping
• Detect attempted and actual bypass of network controls
• Detect network jumping and off-network activity

Page 15: Splunk for Security: Background & Customer Case Study

Use Case: VPN Activity Profiling

• Find abnormal usage patterns in remote access
  – VPN access with valid credentials has been used in major attacks, including a recent healthcare industry breach
• Profile remote usage by employees, contractors, vendors, and other insiders
• Look for:
  – Indicators of delivery, C2, and exfiltration, as well as employee or insider FTA
  – Potentially compromised credentials
• Key points to look for:
  – Increase in login frequency
  – Odd times/locations
  – Improbable travel distance between logins or login attempts (the velocity required between consecutive geographical login locations is too high for one person to have made both)

Page 16: Splunk for Security: Background & Customer Case Study

Use Case: VPN Activity Profiling

User-level VPN trends
• Multiple login failures, by count and over time, together with successful logins provide insight into VPN behavior
• Identify repeat VPN login failure trends by user; outliers and clustered events are easy to spot

Geographic & network VPN trends
• At-a-glance profiling of VPN login successes and failures
• Geolocation and domain charting identify normal vs. abnormal access
• Top-level domains and other domain names reveal anomalies, e.g. connections from the .edu TLD or from external VPN services

Page 17: Splunk for Security: Background & Customer Case Study

Use Case: VPN Activity Profiling

Geographic analysis with "traveler" identification
• Per-country trends and users with multiple locations in a given time period
• Also identify relative distances for users from a relevant fixed location

"Traveler" mapping & improbable behavior analysis
• Determine unlikely distance/time combinations between VPN logins
• Identify credential theft and/or sharing
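The "repeat login failure" trend and the "traveler" / improbable-travel analysis from the three VPN slides above, as an added Python example that is not part of the deck or of Wipro's content. The log format, the 1000 km/h threshold and the lat/lon values are assumptions; in Splunk the coordinates would come from an `iplocation` lookup on the VPN source address, and the same pair-wise comparison would be done with `streamstats` by user (assumed shape, not from the deck).

```python
"""Added example (not from the deck): VPN activity profiling over constructed log lines.

Implements two of the "key points to look for" from the slides:
  * repeat login failures per user, and
  * improbable travel: the speed implied by the distance and time between a user's
    consecutive successful logins is higher than any real traveller could manage.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events. lat/lon stand in for what `iplocation src` would add.
SAMPLE_EVENTS = """\
2015-06-01T08:00:00Z user=alice result=success src=198.51.100.10 lat=40.71 lon=-74.01
2015-06-01T09:30:00Z user=alice result=success src=203.0.113.5 lat=51.51 lon=-0.13
2015-06-01T08:05:00Z user=bob result=failure src=192.0.2.20 lat=37.77 lon=-122.42
2015-06-01T08:06:00Z user=bob result=failure src=192.0.2.20 lat=37.77 lon=-122.42
2015-06-01T08:07:00Z user=bob result=failure src=192.0.2.20 lat=37.77 lon=-122.42
2015-06-01T08:08:00Z user=bob result=success src=192.0.2.20 lat=37.77 lon=-122.42
2015-06-01T10:00:00Z user=carol result=success src=198.51.100.77 lat=48.86 lon=2.35
2015-06-01T14:00:00Z user=carol result=success src=198.51.100.78 lat=52.52 lon=13.40
"""

# Faster than this between two logins and no single person can have made both.
# Airliners cruise around 900 km/h, so 1000 km/h leaves margin for geo-IP
# imprecision; tune for your environment (assumed value).
MAX_SPEED_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["lat"] = float(ev["lat"])
        ev["lon"] = float(ev["lon"])
        events.append(ev)
    return events


def failure_counts(events):
    """Failed logins per user (the 'repeat login failure' trend)."""
    return Counter(ev["user"] for ev in events if ev["result"] == "failure")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def improbable_travel(events, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive successful logins per user that imply an impossible speed.

    Returns a list of dicts (user, from_src, to_src, distance_km, hours, speed_kmh).
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)

    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Two logins from different places at the same instant are as bad as
            # it gets, so a zero time gap with non-zero distance is infinite speed.
            if hours == 0:
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                hits.append({"user": user, "from_src": prev["src"], "to_src": cur["src"],
                             "distance_km": round(dist, 1), "hours": round(hours, 2),
                             "speed_kmh": round(speed, 1)})
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("login failures per user:", dict(failure_counts(evts)))
    for hit in improbable_travel(evts):
        print("improbable travel:", hit)
```

With the sample data, alice's New York to London pair (about 5,570 km in 90 minutes) is flagged, while carol's Paris to Berlin pair (about 880 km in four hours) is not; lowering `max_kmh` to 200 flags carol too, which is the sort of tuning the "traveler" dashboard on the slide is meant to support.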

Page 18: Splunk for Security: Background & Customer Case Study

Use Case: Malware Analysis

• Understand malware persistence and activity levels
  – Identify the duration of malware persistence
  – Identify malware by activity level
• Further prioritize remediation
  – Identify hosts of interest
• Review new signatures and hashes
  – Understand new threats
  – Include data enrichment via threat feeds

Page 19: Splunk for Security: Background & Customer Case Study

Use Case: Malware Analysis

Max Malware File Duration
• Malware File Duration reflects the length of time between the first malware message about a specific file and the last malware message (this reflects a combination of automated and manual resolution)

Max Malware File Events
• Malware File Events reflects the number of events referencing a specific file (highlights high-activity files)

Page 20: Splunk for Security: Background & Customer Case Study

Use Case: Malware Analysis

Identifying outliers
• Mapping the number of malware indicators against the timeline and the duration of indicator presence allows for easy profiling and identification of hosts

Page 21: Splunk for Security: Background & Customer Case Study

Use Case: Malware Analysis

Tracking new signatures & hashes seen
• Understand new threats
• Data enrichment with threat intelligence feeds
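The Malware File Duration and Malware File Events metrics, the per-host outlier ranking, and the "new hashes seen" tracking with threat-feed enrichment from the four malware slides above, as one added Python example that is not part of the deck. The event format, the hash values, the baseline of previously seen hashes and the threat-feed entries are all constructed for the example; in Splunk the baseline and the feed would typically be lookup tables.

```python
"""Added example (not from the deck): per-file malware profiling and new-hash
tracking over constructed endpoint anti-malware events.

Metrics implemented, matching the slides:
  * Malware File Duration: first to last message about a file
  * Malware File Events: number of messages referencing a file
  * hosts of interest: event count and longest-lived file per host
  * new hashes seen in this window, enriched from a threat feed
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events; the hashes are placeholders, not real malware.
SAMPLE_EVENTS = """\
2015-06-01T08:00:00Z host=ws-0101 user=alice sha256=aaaa1111 sig=Trojan.Gen action=quarantine_failed
2015-06-01T20:00:00Z host=ws-0101 user=alice sha256=aaaa1111 sig=Trojan.Gen action=quarantine_failed
2015-06-03T08:00:00Z host=ws-0101 user=alice sha256=aaaa1111 sig=Trojan.Gen action=cleaned
2015-06-01T09:00:00Z host=ws-0202 user=bob sha256=bbbb2222 sig=Adware.X action=cleaned
2015-06-02T09:00:00Z host=ws-0303 user=carol sha256=cccc3333 sig=Unknown action=detected
2015-06-02T09:30:00Z host=ws-0101 user=alice sha256=cccc3333 sig=Unknown action=detected
"""

# Hashes already seen before this window (constructed; in Splunk a lookup
# table maintained by a scheduled search).
KNOWN_HASHES = {"aaaa1111", "bbbb2222"}

# Constructed threat-intel feed: hash -> label.
THREAT_INTEL = {"cccc3333": "Family-C (constructed feed)"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def profile_files(events):
    """Per hash: first/last seen, duration in hours, event count, distinct hosts."""
    prof = {}
    for ev in events:
        p = prof.setdefault(ev["sha256"], {"first": ev["time"], "last": ev["time"],
                                           "events": 0, "hosts": set(), "sig": ev["sig"]})
        p["first"] = min(p["first"], ev["time"])
        p["last"] = max(p["last"], ev["time"])
        p["events"] += 1
        p["hosts"].add(ev["host"])
    for p in prof.values():
        p["duration_hours"] = (p["last"] - p["first"]).total_seconds() / 3600.0
    return prof


def new_hashes(profiles, known=KNOWN_HASHES):
    """Hashes seen in this window that were never seen before, oldest first."""
    fresh = [h for h in profiles if h not in known]
    return sorted(fresh, key=lambda h: profiles[h]["first"])


def enrich(hashes, intel=THREAT_INTEL):
    """Attach a threat-feed label to each hash ('unknown' when the feed has none)."""
    return {h: intel.get(h, "unknown") for h in hashes}


def hosts_of_interest(events):
    """Rank hosts by event count, then by the longest time any single file stayed
    active on that host (first to last message for that host/file pair)."""
    count = defaultdict(int)
    span = {}
    for ev in events:
        count[ev["host"]] += 1
        key = (ev["host"], ev["sha256"])
        first, last = span.get(key, (ev["time"], ev["time"]))
        span[key] = (min(first, ev["time"]), max(last, ev["time"]))
    longest = defaultdict(float)
    for (host, _), (first, last) in span.items():
        longest[host] = max(longest[host], (last - first).total_seconds() / 3600.0)
    return sorted(((h, count[h], longest[h]) for h in count),
                  key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    prof = profile_files(evts)
    for h, p in prof.items():
        print(h, p["sig"], "duration_h=%.1f events=%d hosts=%d"
              % (p["duration_hours"], p["events"], len(p["hosts"])))
    print("new hashes:", enrich(new_hashes(prof)))
    print("hosts of interest:", hosts_of_interest(evts))
```

In the sample, `aaaa1111` survives two failed quarantines before it is cleaned 48 hours later, which is what the Max Malware File Duration panel would surface, and `cccc3333` is the only hash absent from the baseline, so it is the one the "new hashes" panel reports and the feed enriches.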

Page 22: Splunk for Security: Background & Customer Case Study

Use Case: Off-Network Jumping

• Find assets and users jumping from the corporate LAN/WLAN to the guest network
  – Detect attempts to bypass security controls
  – Detect the malware vector of "benign" off-network browsing: 1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
• Profile jumping behavior to look for patterns and anomalies
  – Identify the user, IP address, and MAC address
  – Identify activity before and after jumping
• Key points to look for include:
  – Assets and users jumping periodically; normal business users should be on the corporate network
  – Network jumps which don't appear to be premeditated (i.e. looking for programmatic jumps)
  – Volume, periodicity, destination, and traffic type can all be indicators of potential exfiltration

"40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user's laptop getting compromised within the last twelve months."

From Google report, "Off-Network Workers – The Weakest Link to Corporate Web Security"

Page 23: Splunk for Security: Background & Customer Case Study

Use Case: Off-Network Jumping

Key event: guest network DHCP request

Key search to identify this activity:
• Look at guest network firewall logs, which log DHCP requests (IP, MAC, hostname)
• Look for DHCP requests using an IP address from one of our corporate networks, together with the MAC address
• Eliminate mobile devices; limit results to our corporate hostname naming convention
• A database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this
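The filter chain on this slide, as an added Python example that is not part of the deck. The reason a corporate IP shows up in a guest-network DHCP request at all is that a client that moves networks normally asks for the address it last held (a DHCPREQUEST in INIT-REBOOT state), which the guest firewall then logs. The log format, the corporate address ranges, the `CORP-WS-nnnn` / `CORP-LT-nnnn` hostname convention, the mobile-device patterns and the asset database contents are all assumptions made up for the example.

```python
"""Added example (not from the deck): finding corporate assets that have jumped to
the guest network, from constructed guest-firewall DHCP request log lines."""
import ipaddress
import re

# Constructed guest-network firewall log lines (format assumed).
SAMPLE_GUEST_LOG = """\
2015-06-01T12:00:05Z guest-fw dhcp-request ip=10.20.30.40 mac=00:11:22:33:44:55 hostname=CORP-WS-1234
2015-06-01T12:01:00Z guest-fw dhcp-request ip=192.168.50.12 mac=aa:bb:cc:dd:ee:01 hostname=iPhone-of-guest
2015-06-01T12:02:00Z guest-fw dhcp-request ip=10.44.1.9 mac=aa:bb:cc:dd:ee:02 hostname=android-3f2a
2015-06-01T12:03:00Z guest-fw dhcp-request ip=172.20.5.6 mac=00:11:22:33:44:66 hostname=CORP-LT-0042
2015-06-01T12:04:00Z guest-fw dhcp-request ip=10.1.2.3 mac=00:11:22:33:44:77 hostname=CORP-WS-9999
"""

# Corporate address space (assumed); the guest network uses 192.168.50.0/24.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# Corporate hostname convention (assumed): CORP-WS-nnnn workstations, CORP-LT-nnnn laptops.
CORP_HOSTNAME_RE = re.compile(r"^CORP-(WS|LT)-\d{4}$")

# Mobile-device hostname patterns to discard (assumed).
MOBILE_RE = re.compile(r"^(iphone|ipad|android)", re.IGNORECASE)

# The "database of internal IP space, hostnames and MAC addresses" the slide
# mentions, as a constructed MAC -> hostname map.
ASSET_DB = {
    "00:11:22:33:44:55": "CORP-WS-1234",
    "00:11:22:33:44:66": "CORP-LT-0042",
    "00:11:22:33:44:77": "CORP-WS-5555",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) dhcp-request ip=(?P<ip>\S+) "
                     r"mac=(?P<mac>\S+) hostname=(?P<hostname>\S+)$")


def parse_dhcp(text):
    """Parse the guest firewall's DHCP request lines; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_corporate_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def find_jumpers(events, asset_db=ASSET_DB):
    """Apply the slide's filters: corporate IP, not a mobile device, corporate
    hostname convention; then cross-check the MAC against the asset database.

    asset_match is True when the DB agrees, False when it names a different
    host for that MAC (possible spoofed hostname), None when the MAC is unknown.
    """
    jumpers = []
    for ev in events:
        if not is_corporate_ip(ev["ip"]):
            continue
        if MOBILE_RE.match(ev["hostname"]):
            continue
        if not CORP_HOSTNAME_RE.match(ev["hostname"]):
            continue
        known = asset_db.get(ev["mac"].lower())
        match = None if known is None else known == ev["hostname"]
        jumpers.append({"time": ev["ts"], "hostname": ev["hostname"], "mac": ev["mac"],
                        "ip": ev["ip"], "asset_match": match})
    return jumpers


if __name__ == "__main__":
    for j in find_jumpers(parse_dhcp(SAMPLE_GUEST_LOG)):
        print(j)
```

Of the five sample requests, the iPhone is dropped by the address filter, the Android device is dropped by the mobile filter even though it presents a corporate IP, and three corporate hosts remain; the last of them reports a hostname that the asset database does not associate with its MAC, which is exactly the case the planned IP/hostname/MAC database is meant to catch.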

Page 24: Splunk for Security: Background & Customer Case Study

Use Case: Off-Network Jumping

Long/short-term off-net jumping trends
• Visual analysis to determine what looks abnormal
• At-a-glance profiling of corporate resources used on the guest network: activity for today, the last 7 days, etc.

Rapid investigation to identify users of interest
• Selecting an entry in the dashboard looks up the user and determines the drilldown
• Selection enables deep investigation via drilldown into user activity details
• Dynamic drilldown is a key Splunk feature for effective investigation dashboards

Page 25: Splunk for Security: Background & Customer Case Study

Use Case: Off-Network Jumping

Behavior investigation – longitudinal trending
• Patterns identify a potential repeat offender, or possible C2/exfiltration
• Compare to the guest network activity trend to identify the likely scenario

Having quickly found a user of interest, we can now dig into the details of their activity...

Page 26: Splunk for Security: Background & Customer Case Study

Use Case: Off-Network Jumping

Overview of behavior before/during/after the jump
• Looking back in time from the jump: user activity on the corporate network preceding the jump
• Looking at the jump: mapping the user's device to the IP address of the jumper
• Looking at the time after the jump: user activity on the guest network after the jump

Behavior investigation – pre-jump activity
• Does the jump make sense? Driven by business logic or "benign" behavior
• Does the jump look like an attacker trying to get out? More "random" patterns
• Does the jump look like an insider threat? Exfiltration, etc.

Page 27: Splunk for Security: Background & Customer Case Study

What's Next

What excites us about future projects we are planning to leverage our data and Splunk products?
• SOC operations with Splunk as the core tool
• Splunk Enterprise Security app
• Extreme Search
• D3.js
• Endpoint
• Stream

Page 28: Splunk for Security: Background & Customer Case Study

Top Takeaways

• You can get value out of Splunk quickly
• Splunk Cloud is a flexible option for growth
• Basics matter!
• Process, people, and technology in balance

Page 29: Splunk for Security: Background & Customer Case Study

Thank You