enterprise sec + user behavior analytics
TRANSCRIPT
Copyright © 2015 Splunk Inc.
Enterprise Security & UBA Overview
splunklive Long Beach 2015
Mark Bonsack, Staff SE
James Brodsky, Security SME
[Diagram: Platform for Machine Data. Data sources: mainframe data, relational databases, mobile forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL. Splunk solutions are easy to adopt across data sources, use cases and consumption models: Splunk premium solutions (ES, ITSI, UBA) and a rich ecosystem of apps (VMware, Exchange, PCI, Security, IT Svc Int).]
Recent Splunk Releases
- Splunk Enterprise 6.3
- Enterprise Security 4.0 (ES)
- User Behavior Analytics 2.0 (UBA)
- IT Service Intelligence (ITSI)
Enterprise Security
Provides support for security operations / command centers.
Functions: alert management, detection using pre-built correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing.
Personas served: SOC analysts, security teams, incident responders, hunters, security managers.
Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, and attack detection using correlation searches.
User Behavior Analytics
Provides advanced threat detection using unsupervised machine learning; complements SIEMs (if any).
Functions: baselines behavior from log data to detect anomalies and threats.
Personas served: SOC analysts, hunters.
Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science.
Machine data contains a definitive record of all interactions, human-to-machine and machine-to-machine.
Splunk is a very effective platform to collect, store, and analyze all of that data.
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- 2015: Leader, and the only vendor to improve its visionary position
- 2014: Leader
- 2013: Leader
- 2012: Challenger
- 2011: Niche Player
[Diagram: Splunk as the Security Nerve Center, fed by app servers, network, threat intelligence, firewall, web proxy, internal network security, endpoints, and identity.]
ES Fast Facts
- Current version: 4.0, just released a little over a month ago
- Two releases per year
- Content comes from industry experts, market analysis, but most importantly YOU
- The best of Splunk carries through to ES: flexible, scalable, fast, and customizable
- ES has its own development team, dedicated support, services practice, and training courses

The best part of ES is free!
- You’ve got a bunch of systems…
- How to bring in: Network AV, Windows + OS X AV, PCI-zone Linux AV, Network Sandboxing, APT Protection
- CIM = Data Normalization
NORMALIZATION?!?
Relax. This is … therefore, CIM gets applied at SEARCH TIME.

Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries.
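An added illustration of the point above, not code from the deck or from Splunk: two constructed AV alert formats (a Windows-host AV line and a network AV syslog line) are mapped onto shared field names loosely modelled on CIM (src, signature, action) only when a query runs, so one investigative query covers both sources while the raw events stay untouched. The field names, regexes and vendor action vocabulary are assumptions.

```python
# Added example: search-time field normalization across two AV products.
# Field names, extraction patterns and vendor vocabularies are assumptions.
import re

# Constructed sample events from two different products.
RAW_EVENTS = [
    'ts=2015-11-03T10:01:00 product=winav host=WS-1042 threat="Trojan.Gen" '
    'action=quarantined file="C:\\tmp\\a.exe"',
    '<13>Nov 3 10:01:05 netav01 NetAV: client_ip=10.1.5.42 malware=Trojan.Gen '
    'verdict=blocked url=http://example.invalid/a.exe',
]

# Per-source extraction rules, applied at search time: common field -> regex.
SOURCE_RULES = {
    "winav": {"src": r'host=(\S+)', "signature": r'threat="([^"]+)"',
              "action": r'action=(\S+)'},
    "netav": {"src": r'client_ip=(\S+)', "signature": r'malware=(\S+)',
              "action": r'verdict=(\S+)'},
}

# Map each vendor's action vocabulary onto one normalized value.
ACTION_ALIASES = {"quarantined": "blocked", "blocked": "blocked", "allowed": "allowed"}

def identify_source(raw):
    """Pick the rule set from a product marker in the raw text (assumed markers)."""
    if "product=winav" in raw:
        return "winav"
    if "NetAV:" in raw:
        return "netav"
    return None

def normalize(raw):
    """Return common fields for one raw event; unknown formats yield None."""
    src = identify_source(raw)
    if src is None:
        return None
    fields = {"sourcetype": src, "_raw": raw}
    for name, pattern in SOURCE_RULES[src].items():
        m = re.search(pattern, raw)
        fields[name] = m.group(1) if m else None
    fields["action"] = ACTION_ALIASES.get(fields["action"], fields["action"])
    return fields

def search(events, signature, action="blocked"):
    """One investigative query over all sources: which hosts hit this signature?"""
    hits = (normalize(e) for e in events)
    return sorted(f["src"] for f in hits
                  if f and f["signature"] == signature and f["action"] == action)
```

Without the alias table the query would miss the Windows host, because "quarantined" and "blocked" describe the same outcome in different vendor vocabularies.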
ES Evolution (timeline: Q3 2014, Q4 2014, Q2 2015, Q4 2015)
- ES 3.0
- ES 3.1: Risk Framework, Guided Search, Unified Search Editor, Threatlist Scoring, Threatlist Audit
- ES 3.2: Protocol Intelligence (Stream capture), Semantic Search (Dynamic Thresholding)
- ES 3.3: Threat Intel framework, User Activity Monitoring, Content Sharing, Data Ingestion
- ES 4.0: Breach Analysis, Integration with Splunk UBA, Splunk Security Framework
New Features in Enterprise Security 4.0
Optimize multi-step analyses to improve breach detection and response.
Extensible Analytics & Collaboration
- Investigation: Investigator Journal, Attack & Investigation Timeline
- Collaboration: Open Solutions Framework, Framework App: PCI
…and, Integration with Splunk UBA
[Diagram: signatures, rules, and human analysis, integrated with Splunk Enterprise Security.]
Open Solutions Framework
Supports critical security-related management framework features.
Enterprise Security Framework:
- Notable Events Framework
- Threat Intelligence Framework
- Risk Scoring Framework
- Identity & Asset Framework
- Summarization Framework
- Alerting & Scheduling
- Visualization Framework
- Application Framework
Apps / content from Splunk, partners, and customers can be exported, imported, and shared with an external instance.
Administering complex tech = hard. DATA BREACH COST: $154 on average per record.
We’re gonna need a bigger boat.
UBA: Unsupervised Machine Learning + Data Science for User/Entity Behavior Analytics
…Splunk UBA currently has 31 Threat and Anomaly Models, including:
- Threat Attack Correlation
- Polymorphic Attack Analysis
- Behavioral Peer Group Analysis
- User & Entity Behavior Baseline
- Entropy/Rare Event Detection
- Cyber Attack / External Threat Detection
- Reconnaissance, Botnet and C&C Analysis
- Lateral Movement Analysis
- Statistical Analysis
- Data Exfiltration Models
- IP Reputation Analysis
- Insider Threat Detection
- User/Device Dynamic Fingerprinting
Data Sources (diagram)
- Activity (N-S, E-W): Web Gateway, Proxy Server, Firewall
- SaaS/Mobile: Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
- Security Products: IDS, IPS, AV; DLP, File Server/Host Logs; DNS, DHCP
- External Threat Feeds: malware; Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains
- Identity/Auth: Active Directory/Domain Controller, Single Sign-on, HRMS, VPN
- OPTIONAL: Netflow, PCAP; AWS CloudTrail; End-point
Splunk Enterprise & ES preferred, but not required. UBA can be standalone!
.conf2016: The 7th Annual Splunk Worldwide Users’ Conference
- September 26-29, 2016
- The Disney Swan and Dolphin, Orlando
- 5000+ IT & Business Professionals
- 3 days of technical content
- 165+ sessions
- 3 days of Splunk University (Sept 24-26, 2016)
- Get Splunk Certified for FREE!
- Get CPE credits for CISSP, CAP, SSCP
- Save thousands on Splunk education!
- 80+ Customer Speakers
- 35+ Apps in Splunk Apps Showcase
- 75+ Technology Partners
- 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
- NEW hands-on labs!
- Expanded show floor, Dashboards Control Room & Clinic, and MORE!
Visit conf.splunk.com for more information.
We Want to Hear your Feedback!
After the Breakout Sessions conclude, text Splunk to 20691
and be entered for a chance to win a $100 AMEX gift card!