theanalyenabled soc>siemusecases* · visualizaonandanaly

Copyright © 2014 Splunk Inc.

The Analy<cs-‐Enabled SOC > SIEM Use Cases

Fred Wilmot (CISSP) Director, Global Security Prac<ce

Sanford Owings Principle Consultant, Splunk Services

Disclaimer

2

During the course of this presenta<on, we may make forward looking statements regarding future events or the expected performance of the company. We cau<on you that such statements reflect our current expecta<ons and

es<mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,

please review our filings with the SEC. The forward-‐looking statements made in the this presenta<on are being made as of the <me and date of its live presenta<on. If reviewed aVer its live presenta<on, this presenta<on may not contain current or accurate informa<on. We do not assume any obliga<on to update any forward looking statements we may make. In addi<on, any informa<on about our roadmap outlines our general product direc<on and is subject to change at any <me without no<ce. It is for informa<onal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliga<on either to develop the features or func<onality described or to

include any such feature or func<onality in a future release.

Fred Wilmot | Director, Global Security Prac<ce (fred|Securityczar)@splunk.com

3

•  Strategy §  Drives Security Prac<ce Strategy globally §  Works on Splunk’s hardest Security Use Cases §  Visualiza<on and Analy<cs using Splunk §  Solves strategic product/implementa<on challenges

•  Research •  Digital Forensics /Assessment Tools •  Social Risk/User behavior modeling •  ML/Advanced Sta<s<cal Analysis •  Threat Intelligence

•  Product §  Influence product strategy for security content and features

in the field and through the factory.

Minister of Silly Walks “Electric Mayhem” @fewdisc

Sanford Owings| Principal Consultant, Splunk Services [email protected]

4

Sanford Owings (Sowings) began his compu<ng career in 1990 in a word processing lab with network administra<on on PCs and various flavors of Unix. A computer science educa<on at Berkeley (with more system and network administra<on thrown in) showed him the light twenty years later. Sanford began using Splunk in early 2010, working to integrate it as an OEM repor<ng solu<on into an email appliance. Since March 2012, he has worked as a member of the Professional Services team at Splunk, leveraging his development background while assis<ng customers. In his free <me, he enjoys spending <me with his wife Erin, cooking, cycling and traveling.

sowings (muppet disguise)

Agenda "   Why do we use SIEMs? "   How to Achieve these ‘SIEM’ use cases? "   Security Maturity Model: How do I get there? "   Where do we Start? "   Ques<ons? "   Appendix

5

Why do we use SIEMS?

Not Really…

But we may feel that way because we don’t really know what problem we are solving, we don’t have the right people, or process to leverage our technology. Lack of internal knowledge leads to external guidance…

Gartner SIEM MQ 2014

8

2012

2013

“…the rise in successful targeted a/acks has caused a growing number of organiza<ons to use SIEM for threat management to improve security monitoring and early breach detec<on”

Threat Management Real-‐<me monitoring and repor<ng of user ac<vity, data access and applica<on ac<vity, in combina<on with effec<ve ad hoc query capabili<es…. capabili<es that aid in targeted aoack detec<on”

This research note is restricted to the personal use of [email protected]

This research note is restricted to the personal use of [email protected]

Table 2. Product/Service Rating on Critical Capabilities

Product/Service Rating

Acc

elO

ps

Alie

nVau

lt

Bla

ckS

trat

us

Eve

ntTr

acke

r

HP

(Arc

Sig

ht)

IBM

Sec

urity

(QR

adar

)

LogR

hyth

m

McA

fee

(ES

M)

Net

IQ

EM

C (R

SA

)

Sol

arW

inds

Spl

unk

Tena

ble

Net

wor

k S

ecur

ity

Tibc

o S

oftw

are

(Log

Logi

c)

Trus

twav

e

Real-Time Monitoring 3.50 3.00 3.00 2.9 4.1 4.0 3.75 3.75 3.90 3.3 3.00 3.7 2.0 1.50 3.00

Threat Intelligence 3.00 3.50 2.50 1.5 4.0 4.0 3.25 4.00 1.50 4.0 3.00 3.5 1.5 1.00 3.65

Behavior Profiling 2.50 3.50 2.50 2.8 4.0 4.5 3.38 3.50 3.25 3.0 2.50 3.6 2.5 3.00 3.25

Data and User Monitoring 2.97 2.43 2.16 3.2 4.2 3.8 3.41 4.44 3.56 3.5 3.38 3.3 2.1 2.44 3.28

Application Monitoring 2.90 3.65 2.90 3.2 4.5 4.3 4.10 4.20 3.40 4.0 2.90 4.3 2.8 2.60 3.10

Analytics 2.44 3.19 2.94 2.9 3.8 3.7 3.30 3.59 2.44 3.3 2.44 3.8 2.1 1.63 3.13

Log Management and Reporting 2.75 3.00 2.50 3.4 4.0 3.8 3.75 3.25 3.63 3.1 3.25 4.0 2.5 4.00 3.25

Deployment/Support Simplicity 3.50 4.00 3.00 4.3 3.7 4.3 4.25 4.00 3.50 2.0 4.40 3.4 2.8 3.25 2.50

Source: Gartner (June 2014)

Page 32 of 37 Gartner, Inc. | G00261642

What capabili<es are you looking for from SIEM?

9

Why Splunk Compared to SIEM Legacy SIEM Splunk

Data sources Limited Any technology, device

Custom Device Support Difficult Easy

Add Intelligence Difficult Easy

Customized Repor<ng Required 3rd party App Built-‐in (from search)

Speed of Search/Repor<ng Slow and Unusable Fast and Responsive

Correla<on Difficult (rule-‐based)

Easy (search-‐based)

Scalability Limited Extensible

10

11

Be Pragma<c, not Dogma<c. Be prepared to challenge your asser<ons if you want to

mature your opera<ons

Top Five Splunk Security Use Cases More than a SIEM; a Security Intelligence Pla5orm

Security & Compliance Repor<ng

Real-‐<me Monitoring of

Known Threats

Real-‐<me Monitoring of Unknown Threats

Incident Inves<ga<ons & Forensics

Splunk Can Complement OR Replace Exis<ng SIEMs

Fraud detec<on

12

Splunk soVware complements, replaces and goes beyond tradi<onal SIEMs.

Moving Past SIEM to Security Intelligence

Small Data. Big Data. Huge Data.

SECURITY & COMPLIANCE REPORTING

REAL-‐TIME MONITORING OF KNOWN THREATS

MONITORING OF UNKNOWN

THREATS

INCIDENT INVESTIGATIONS & FORENSICS

FRAUD DETECTION

INSIDER THREAT

How do we achieve Analy<cs Enabled SOC?

15

A journey of a thousand miles begins with a single step. Lao-‐tzu, The Way of Lao-‐tzu

A Methodology for Analy<cs-‐Enabled SOC: Map the Business to the Threat Model

What does the business care about?

•  Market Sen<ment?

•  Fraud?

•  Denial of Service?

•  Intellectual property theV?

•  Sensi<ve data/customer data leak?

•  Brand reputa<on?

•  Industrial sabotage?

•  Corporate espionage?

16

A Methodology for Analy<cs-‐Enabled SOC: Construct a Hypothesis

•  How could someone gain access to data that should be kept private?

•  What could cause a mass system outage does the business care about?

•  How could we find exfiltra<on of sensi<ve informa<on if it was happening?

17

A Methodology for Analy<cs-‐Enabled SOC: It’s about the Data

•  What visibility do we need? •  For data exfiltra<on, start with

URLs.

•  DNS requests, proxy logs, web logs, mail logs

•  Beg, borrow, and steal SME exper<se from system owners

18

A Methodology for Analy<cs-‐Enabled SOC: Data Evalua<on

•  For data exfiltra<on, start with what’s normal and what’s not (create a sta<s<cal model)

•  How do we ‘normally’ behave?

•  What paoerns would we see to iden<fy outliers?

•  Look for other paoerns based on uniqueness, frequency, periodicity, volume, dura<on, newness, dura<on, locality, etc.

19

Spoiler Alert! DNS Exfiltra<on Indicators •  1) Look @ all DNS traffic for mul<ple levels of DNS strings. look for hexadecimal strings. •  2) Look for this 3rd level to be less than 40 bytes in length... like *.domain.com, where * is longer than 40 bytes •  3) Look for mul<ple DNS Name lookups to sketchy foreign domains, and look at the frequency in a short <me

span. •  4) DNS TXT or SRV record queries to any foreign or high entropy domains •  5) ANY DNS response to a loopback or RFC 1918 space/bogon space. (5.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16,

172.16.0.0/12) could indicate a C2 channel •  6) Look for mul<ple DNS queries to the same non-‐obvious or foreign domain during off-‐hours <mes in the office

= check for frequency, and periodicity. •  7) DNS queries to dynamic DNS providers (like OpenDNS) •  8) DNS queries not followed by a proxy request for connec<on •  9) Iden<fy recurring interval or beaconing following any of the above (zero variance behavior) •  10) Look for Teredo IPv6 addresses •  11) Look for large TXT or NULL payloads (tunneling), and TXT that isn’t 7-‐bith clean •  12) Look for CNAME chains if they resolve internally •  13) look for changes in authorita<ve name servers and their IP addresses as well.

20

A Methodology for Analy<cs-‐Enabled SOC: Analysis + context

•  Increase in business communica<ons overseas?

•  Does your sta<s<cal model need to change due change, business growth, or volume of data?

•  Implemented a new service or applica<on?

•  Added employees overseas?

•  Enriching/synthesizing outliers with visualiza<ons?

21

Need to Connect the “Data-‐dots” to See the Whole Story

Persist, Repeat

Threat intelligence

Auth -‐ User Roles, Corp Context

Host AcRvity/Security

Network AcRvity/Security

Aoacker, know relay/C2 sites, infected sites, IOC, aoack/campaign intent and aoribu<on

Where they went to, who talked to whom, aoack transmioed, abnormal traffic, malware download

What process is running (malicious, abnormal, etc.) Process owner, registry mods, aoack/malware ar<facts, patching level, aoack suscep<bility

Access level, privileged users, likelihood of infec<on, where they might be in kill chain

22

Delivery, exploit installaRon

Gain trusted access

ExfiltraRon Data Gathering Upgrade (escalate) Lateral movement

Persist, Repeat

Subscrip<on feeds Internal black lists

Open source Intelligence Sharing …

Firewalls

IDS/IPS

Email, Web, DNS

Infrastructure

Malware analysis

Net flow …

Asset databases CMBD,

inventory,

LDAP, Ac<ve Directory, Authen<ca<on,

SSO …

Endpoint Threat Detec<on and

Response (ETDR) OS, App ,

database logs Endpoint Security

Malware analysis

Vulnerability Assessment

Patching …

Methodology Par<ng Thoughts

•  What paoerns/correla<ons of weak-‐signals in ‘normal’ IT ac<vi<es would represent ‘abnormal’ ac<vity?

•  Heuris<c detec<on approaches (SIEM historical standard) are best used with other detec<on approaches (Sta<s<cal/Behavioral)

•  Threat modeling MUST be associated with cri<cal data assets and employees •  Context is hardest and most cri<cal to add, give yourself lead <me…BUT DO IT •  What is rarely seen, newly seen, or a behavioral/sta<s<cal devia<on? •  What normal ac<vi<es occur during abnormal <mes?

23

Security Intelligence requires tradiRonal IT data sources, not just security technology.

Security Maturity Model with Splunk: How do I get there?

Maturity Model for Security Opera<ons

25

q  APT detec<on/hun<ng (kill chain method) q  Counter threat automa<on q  Threat Intelligence aggrega<on (internal & external) q  Fraud detec<on – ATO, account abuse, q  Insider threat detec<on q  Replace SIEM @ lower TCO, increase maturity q  Augment SIEM @ increase coverage & agility q  Compliance monitoring, repor<ng, audi<ng q  Log reten<on, storage, monitoring, audi<ng q  Con<nuous monitoring/evalua<on q  Incident response and forensic inves<ga<on q  Event searching, repor<ng, monitoring & correla<on q  Rapid learning loop, shorten discover/detect cycle q  Rapid insight from all data

q  Fraud analyst q  Threat research/Intelligence q  Malware research q  Cyber Security/Threat

q  Security Analyst q  CSIRT q  Forensics q  Engineering

q  Tier 1 Analyst q  Tier 2 Analyst q  Tier 3 Analyst q  Audit/Compliance

Security OperaRons Roles/FuncRons

ReacRve

ProacRve

Search and

Inves<gate

Proac<ve Monitoring and Aler<ng

Security Situa<onal Awareness

Real-‐<me Risk

Insight

Honest Ques<ons, Honest Answers "   What is the talent level of my (Security) team?

"   Do I have exis<ng mature skill sets I can leverage/need to keep?

"   What is the business’s appe<te for change?

"   Am I building a Security Organiza<on for Hun<ng and Advanced Threats, or doing what I can with the team/resources I have?

"   Can I be successful implemen<ng new processes around this methodology?

26

How Do I Determine My Maturity Level? Pre-‐Engagement Posture Discussion "   What is your current SecOps model?

–  Insourced/outsourced/hybrid? –  Incident Response plan? BIA? –  what do you when you find something significant?

Threat Priority Matrix •  What are the risks to the business?

–  Establish business priori<es –  Model Threats and Business process –  Design detec<on/preven<on logic

Talent Capability Model •  How capable are my people?

–  Beginner/Intermediate/Advanced responders –  are you inves<ng in Threat Intelligence and Malware analysts? –  How much collabora<on happens between security and subject experts?

27

How Do I Determine My Maturity Level? (cont’d)

Content Strategy –  Data Acquisi<on mapped to threats/use cases –  Response by: Alerts/repor<ng/integra<on –  Manifest process and methodology into technology –  “How will I implement my playbook?”

Post-‐Engagement EvaluaRon –  Does the work we did, translate to reducing business Risk? –  Is it measurable? –  Does it enable Security team to iterate and automate? –  Does it move the organiza<on up the Security Maturity Model?

28

Talent Capability Model Scale

29

Cyber Opera<ons Model

30

Audit Repor<ng and Assessment

Forensics and Root Cause Analysis

Secure Coding & Development

Monitor Security

Technologies

Incident Response Process

Incident Handling

Network Security Design

Applica<on Security Design

Fraud and TheV Analysis

Behavioral Analysis

Vulnerability Remedia<on

Malware Analysis

Threat Modeling Threat

Intelligence Cyber Network

Defense Cyber Network

Offense

Collabora<on

Itera<on

Automa<on

REACTIVE PROACTIVE

Counter Intelligence

Cyber Opera<ons Model

31

Incident Response

CollaboraRon

Communica<on

Automa<on

Itera<on

AutomaRon Machine-‐<me response Triage using machine data and context

IteraRon Threat Modeling,

Intelligence Gathering, Research, hun<ng

CollaboraRon Incident Response Forensic analysis

Operate on machine data and Threat Intelligence

In order to gain a complete view of OperaRonal Security, we need to see the iteraRon of Counter Intelligence in Monitoring

32

Security Intelligence combines methodology, technology, collabora<on as context for smarter

security decisions

Where do we start?Integra<on Examples

1)  I have no visibility into my data, and I need to operate on that data 2)  I have a SIEM, it doesn’t do what I want. I need to augment with

visibility and context 3)  I have visibility, and context, I need threat intelligence and

workflow and integra<on 4)  I don’t have a SIEM, but I also don’t have any resources to do that Lets look at an MSSP that supports your threat profile

Maturity Model Type Integra<ons

35

Applica<on Performance Monitoring, Metrics, and Drill-‐down

Helpdesk Staff

Security Analysts

No SIEM: Ge{ng Visibility First “I’m not a security shop, I just need to see all my data first”

•  Splunk for incident inves<ga<ons/forensics

•  Splunk for aler<ng/repor<ng/dashboarding

•  Begin building data consump<on towards use cases

Real-‐Rme Machine Data

36


Helpdesk Staff

Security Analysts

Legacy SIEM: Limited Visibility “I have a subset of security in my SIEM, I need more visibility across IT data”

Different data sent to Splunk and SIEM

•  Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment

•  ArcSight for correla<on, alerts, Analyst workflow

opRons for Splunk-‐to-‐ESM data flow:

1.  At index <me, Splunk can forward data to ArcSight: SplunkSight

2.  At search <me, Splunk can forward CEF format to ArcSight: Splunk App for CEF

3.  Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services


ESM

Logger

Search/Alert Splunk App for CEF

37


Helpdesk Staff

Security Analysts

Legacy SIEM: Splunk to ArcSight ESM

ESM

“I have a mature playbook my analysts use in SIEM”

•  Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment

•  ArcSight for correla<on, alerts, Analyst workflow

opRons for Splunk-‐to-‐ESM data flow:

1.  At index <me, Splunk can forward raw or filtered data to ArcSight: SplunkSight

2.  At search <me, Splunk can forward selected, and/or enriched events in CEF format to ArcSight: Splunk App for CEF

3.  Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services

Search/Alert Splunk App for CEF

Filter/Forward SplunkSight

Real-‐Rme

Machine Data

Using Splunk Forwarders for na<ve log consump<on

Mail/SNMP CEF syslog collector

38


Helpdesk Staff

Security Analysts

SOC Integrated components “II have many products leveraging my methodology and playbook” Decisions on workflow made by automaRon/prioriRzaRon feeding mulRple tuned products

•  CriRcal è AutomaRc Rckets for SME resoluRon, InvesRgaRon (i.e. Archer)

•  High/Medè Triage by type: automated acRon result/analyst acRon (i.e. SIEM)

•  Low è prioriRzed and funneled (i.e. Remedy)

•  Methodology driven, business process melded with technology and analyst skill sets

•  Archer, JIRA, Remedy, ServiceNow integra<ons, Security tools like Palo Alto, Mandiant, FireEye, Checkpoint, Sourcefire

•  Packets, flows, Threat Intel, enrichment, context


SIEM

Threat Intelligence

Asset & CMDB

Employee Info

Data Stores ApplicaRons

Report and analyze

Custom dashboards

Monitor and alert

Ad hoc search

Adding Context

40

Online Services

Web Services

Servers

Security GPS

Loca<on

Storage

Desktops Networks

Packaged Applica<ons

Custom Applica<ons

Messaging

Telecoms Online

Shopping Cart

Web Clickstreams

Databases

Energy Meters

Call Detail Records

Smartphones and Devices

RFID

Developer Placorm

Report and analyze

Custom dashboards

Monitor and alert

Ad hoc search

Faster/Beoer Decisions with Context

External Lookups References – Coded fields, mappings, aliases Dynamic informaRon – Stored in non-‐tradi<onal formats Environmental context – Human maintained files, documents System/applicaRon – Available only using applica<on request Intelligence/analyRcs – Indicators, anomaly, research, white/blacklist AND MORE…

Real-‐Rme

Machine Data

Encoded log with threat and asset context

41

Log

Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!

Asset # IP Address

CMBD .csv file Vendor mapping

Threat Intelligence mapping

Code

File code


42

Log


Asset # IP Address

CMBD .csv file Vendor mapping

Code

File code

File code Hash value Variants Filenames

✓

Threat Intelligence mapping


43

Log


Threat info (various) Product code (file)

Asset (CMDB, various)

External Lookup using .csv

Automate Context: IOC lookups -‐ Filename

44

Automate Context: IOC lookups -‐ CIDR

45

Adding Intelligence

Internal Threat Intelligence Context for Security

47

•  Applica<on Usage & Consump<on (In House)

•  Database Usage /Access Monitoring (privileged)

•  En<tlements/ Access Outliers (In House)

•  User associa<on based on geography, frequency, uniqueness and privilege

•  Directory User Informa<on (personal e-‐mail, access, user privs)

•  Proxy informa<on (content) •  DLP & Business Unit Risk (trade secrets/IP lists)

•  Case History/Ticket Tracking •  Malware/AV •  HR/Business Role

External Threat Intelligence Consumable Sources

48

•  Palo Alto Wildfire •  Crowdstrike •  AlienVault OTX •  RecordedFuture •  Team Cymru •  ISACs or US-‐CERT •  FireEye/Mandiant •  Vorstack •  cyberUnited •  ThreatGrid •  ZeroFox •  Norse CorporaRon

•  OSINT (free Sources) •  Dell SecureWorks •  Verisign iDefense •  Symantec Deepsight •  McAfee Threat Intelligence •  SANS/Whitelist/Blacklist •  CVEs CWEs, OSVDB (Vulns) •  iSight Partners •  ThreatStream •  ATLAS •  ThreatConnect •  Farsight

External Threat Intelligence Integra<on import hoplib, urllib params = urllib.urlencode({'apikey': 'f6dbdee2dc8c6118933b90178657877cc2cede3023ce0eba4xxxxxxxxxxxxxxx', 'ip': ’46.229.160.7', 'method': 'ipview'}) #headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "text/plain"} headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "applica<on/json"} conn = hoplib.HTTPConnec<on("us.api.ipviking.com:80") conn.request("POST", "/api/", params, headers) response = conn.getresponse() print response.status, response.reason data = response.read() print(data) conn.close()

49

Most IntegraRons are APIs or Modular Inputs – EASY!

External Threat Intelligence

50

52

Raw IOC Not Easy

Context+Threat Intelligence:TLD against GeoIP

How would I find all the URLs by their Top Level Domain, and compare them with their geoloca<on to validate they are legi<mate on a map?

54

Matching against TLD & GeoIP sourcetype=bluecoat url=* | lookup faup url | fields url_domain url_tld | geoip url_domain | eval url_domain_country_code=lower(url_domain_country_code) | eval tld_match=if(url_tld == url_domain_country_code, "true", "false") #Run FAUP as a lookup across all bluecoat URLS #generate the geoloca<on telemetry for url_domain #determine if the url country code is = to the TLD Now, show me on the map where they are…

55

Ques<ons?

Some Content For You

•  Archer Integra<on Technology add-‐on template •  Scripts for <cket system aler<ng

•  SA-‐VA, ES Vulnerability Assessment/Risk calcula<on tool

Follow @Splunksec on twi/er for these releases today aqer our session! 58

What You Can Do for the Security Prac<ce

•  We love to dig through new data sets •  Share cool, hard use cases with us •  Share knowledge to help us beoer the product •  All your desires and concerns for features and uses Partner with us, we will do the same! •  Help with integra<ons, use cases, features func<ons. •  Our job is to help you get to your highest maturity level

59

Thank you! @SplunkSec [email protected]

•  SA-‐VA (How it works)

•  SplunkSight (How it works)

•  TA-‐Archer (How it works)

Appendix

Splunk > Nmap + CVE=Risk Score

Adding Context:

•  Network complexity and aoack surface is growing •  No central loca<on for exploit informa<on •  Manual system priori<za<on based on risk is (nearly) impossible •  Analysis must be done regularly as new exploits are released

Problem

•  Automated exploit database aggrega<on •  SA-‐VA automa<cally parses Na<onal Vulnerability

Database hop://nvd.nist.gov/ and Offensive Security’s Exploit-‐DB hops://github.com/offensive-‐security/exploit-‐database

•  Scheduled vulnerability scan •  Integra<on with Splunk Enterprise Security assets •  SA-‐VA integrates with your exis<ng security solu<ons

to give a clearer picture

Solu<on: SA-‐VA

Monitor network risk trends

Solu<on: SA-‐VA

Isolate exploits affec<ng a large number of hosts

Solu<on: SA-‐VA

Access to informa<on on thousands of exploits

Solu<on: SA-‐VA

View all hosts affected by specific exploits

Solu<on: SA-‐VA

•  Risk Percentage •  Δ Risk Score / Reference Score (Gold Standard)

•  Risk Score •  Σ Service Score

•  Service Score •  CVSS Severity / (Current Year – Release Year)

•  Every host scanned is assigned a risk percent as a func<on of the reference score, and an overall risk score

•  Every service is assigned a risk percent score as a percentage of host’s overall risk

Calcula<ng Risk for Assets.csv

Example

•  Provide custom arguments to Nmap scan in addi<on to preset scan arguments

•  Whitelist to exclude sensi<ve hosts from scans •  Block specific vulnerabili<es scoring on a host specific and global level

•  Schedule and automate database updates and network scans based on your network needs

Configurability

•  Automate vulnerability database aggrega<on •  Schedule scans and database updates •  Whitelist machines sensi<ve to scans •  Mul<ple scan intensity op<ons including custom arguments for VoIP, printers, and other sensi<ve systems

•  Integra<on with Enterprise Security assets model •  Appends fields to exis<ng assets.csv •  Create new assets.csv based on scan

•  Calculated Risk priori<za<on score •  Risk % = Δ Risk Score / Gold Standard •  Risk Score = Σ (CVSS severity /(Current Year – Release Year))

Summary

SplunkSight Splunk > Arcsight

SIEM Augmenta<on:

Delivering Context to CEF for Analy<cs-‐driven Security

Datamodel Enrichments Enhance Decision Making

• Add context to events by using Splunk Add-‐ons and custom lookups

• Constrain, filter, or augment data via CIM or custom datamodels

• Aggregate events from mul<ple sources before forwarding

Connect and Visualize Disparate Data In Familiar

Tools

• Gain faster, easier and deeper insights across all machine data

•  Simply map Splunk fields to CEF fields without knowledge of the Splunk search syntax, using a new Guided UI

Automa<cally Deliver Insight from Splunk to the

Front Lines

• Organiza<ons where an incumbent SIEM is the Tier 1 tool can now receive augmented events and alerts

•  Increase the value of threat intelligence by indica<ng important events

Inside Splunk App for CEF

75

RAW DATA INDEXED IN SPLUNK

TECHNOLOGY ADD-‐ONS DATA MODELS SEARCH

OUTPUT COMMON

EVENT FORMAT OVER TCP

Use Common Informa<on Model

or custom datamodels

Gather and enrich data as needed

using full power of Splunk

Guided search wizard helps users construct powerful

searches

Why Splunk app for CEF?

76

•  For many data sources, dual feeding both Arcsight and Splunk , the same events is not feasible

•  Splunk App for CEF enables CEF-‐formaoed output based on

search results in Splunk •  Field mappings from Splunk CIM to Arcsight CEF make

configura<on easy

Inside SplunkSight

77

RAW DATA INDEXED IN SPLUNK

TECHNOLOGY ADD-‐ONS INDEX PIPELINE

OUTPUT COMMON

EVENT FORMAT OVER TCP

Use Common Informa<on Model and pre-‐indexed

keys

Gather and enrich data as needed

using full power of Splunk

Configurable dynamic mapping of CIM fields to CEF

fields

Why SplunkSight?

78

•  Scaling your CEF output structure should scale with Splunk architecture

•  SplunkSight enables CEF formaoed output based indexed

fields in Splunk •  SplunkSight uses TCPOUT to process events directly on each

indexer •  Index and sourcetype filters enable flexibility •  Field mappings from Splunk CIM to Arcsight CEF make

configura<on easy

Integra<on Challenges

79

•  Splunk currently, cannot send CEF data directly to Arcsight ESM at scale, or index <me.

•  Logger agents tend to lose data in transla<on via Snare and syslog

•  Splunk forwarders are not distributed across the en<re infrastructure to capture raw windows events

•  Target’s challenge is 100% visibility, and ubiquity in their collec<on environment for host data collec<on

•  single agent to feed both their collec<on and correla<on technology.

We built SplunkSight to deal with these challenges

SplunkSight

80

Designed to be Highly scalable •  Located on each Indexer as a separate socket-‐ized

process •  Mul<-‐threaded process to deal with scale •  Operates at index-‐<me as opposed to search-‐<me •  Does not impact the parsing or indexing queues in

indexing pipeline •  Does not directly impact search behaviors or search

pipeline performance

SplunkSight

81

Designed to be easily configurable •  Enable mapping from CIM to CEF in a .csv file •  Designed to work with metadata wrioen at index <me

using Technology Add-‐on framework •  Allows Target to specify specific fields to consume in

Splunk for consump<on in ESM •  Manageable via the deployment server

Current Architecture Challenge

82

Syslog CEF fo

rmaoed ArcSight Architecture

Architecture with SplunkSight

83

CEF formaoed SplunkSight Real-‐Rme Machine Data

How it Works •  Communica<on from forwarder

–  We configure the forwarder to send data to the Splunk Indexer, as you have currently deployed Splunk today.

–  For data types requiring transforma<on at index <me (either on a Heavy Forwarder, or on the Indexer) we send either Cooked or Uncooked data.

–  The indexer listens on 9997 as usual, receives data into Splunk and consumes it.

84

How it Works •  Communica<on from indexer to SplunkSight

–  The Splunk Indexer sends via outputs.conf, data to SplunkSight, which lives on a configurable socket on the indexer (we are using 9996 as example)

–  We are sending data using our TCPOUT op<on in our proprietary S2S protocol, which allows us to field map, and transform data into CEF Output.

85

How it Works •  Sending data to Arcsight ESM

–  Defined in splunksight.conf –  Output is UDP syslog –  SplunkSight runs as a service and includes a few

python processes: ê  Process.py ê  Cefobjec<zer.py ê  Daemon.py ê  U<ls.py ê  Read-‐conf.py ê  Splunksightsyslog.py ê  Splunksight.py

86

Splunksight.conf [daemon] listen_ip = 0.0.0.0 listen_port = 9996 log_file = /tmp/splunksight.log pid_file = /tmp/splunksight.pid log_type = standard [syslog] proto = udp dest_ip = x.x.x.x dest_port = 514

How it Works •  Configuring SplunkSight

–  Requires WRITE_META = true for Technology add-‐ons (This creates an indexed field), fields and props configura<on.

–  Provide mapping of CIM (Splunk) fields, to CEF (Arcsight) fields i.e. default.csv

87

Splunk_TA_Windows Transforms.conf

[Target_Server_Name_as_dest] SOURCE_KEY = Target_Server_Name REGEX = ([\\]+)?([^-‐].*) WRITE_META = True FORMAT = dest::"$2” Fields.conf [dest] INDEXED = true

Default.csv #cim,cef dest,CEF_dest session_id,CEF_session_id dest_nt_host,CEF_dest_host src_ip,src dest_ip,dst src_port,spt

How it Works •  Configuring SplunkSight

–  Enables filtering based on Sourcetypes and indexes. By default, we remove all the _* indexes

–  Can configure whether we send ALL data, or just metadata

88

Splunksight.conf

[filters] indexes_to_discard = _internal _introspec<on _thefishbucket _audit _blocksignature #sourcetypes_to_discard =sourcetype::syslog sourcetypes_to_discard =sourcetype::sep::risk

CEF Output example

Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.11.36.20 end=179 fileType=applica<on/x-‐fcs in=24804 request=hop://199.9.251.150/idle/1021363361/6290 xreferrer=-‐ requestMethod=POST suser=-‐ act=TCP_NC_MISS xstatus=200 requestCookies="Flash\"" out=212 Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.44.38.116 end=125 fileType=-‐ in=39 request=tcp://216.219.113.250:443/ xreferrer=-‐ requestMethod=CONNECT suser=-‐ act=TCP_TUNNELED xstatus=200 requestCookies=-‐ out=67

89

Splunk > Archer

Workflow Example:

92

Splunk / Archer Integration Workflow - v1.0

Archer IntegrationSplunk OperationsEscalation Mgr. Incident Mgr.

EventReview

1.0

START

Escalate Event

1.1

Escalated Event?

2.1

Monitor Events

2.0

NO

Create Archer Record

2.2YES

Escalate? 3.1

Review Incident

4.0

ResolveIncident

4.1

YES

NO

Mark for Closure

4.2

Escalation Notification

3.1a

Mark for Closure

3.2

Escalation Mgr Closed Notification

4.2a

New SplunkIncident

Notification 3.0a

Review Incident

3.0

ResolveIncident

3.2

ReviewClosure

5.0

Incident Mgr Closed

Notification 3.2a

Closed Incident?

6.1

Monitor SplunkIncident

6.0

NOClose SplunkEvent

6.2YES

END

Ge{ng Data to Archer

93

python REST API interac<on with Splunk API for gathering things like asset info, vuln data, etc pulled from the metadata ‘Notable Events’ correla<on framework. The common set of fields in the correla<onsearches.conf specifica<on would be passed to archer, driven by the rule_id security_domain severity rule_name descripRon rule_Rtle rule_descripRon drilldown_name drilldown_search default_status default_owner


94

Ge{ng Data to Archer •  Archer fields mapped to Splunk Notable Events field in python SOAP script

•  Splunk generates metadata events, and ‘Archer’ command, sends it to Archer via custom search in Enterprise Security.

•  Workflow ac<on to escalate a Notable Event to Archer directly

•  Automated Splunk Search of the 'Notable Events' Macro every few minutes based on rule_id, event_id and urgency (for aler<ng if desired)

Closing a Notable Event from Archer Archer dashboard object or ac<on to close a 'Notable Event'. We use the ‘search’ REST endpoint to allow a REST call, to change a status or close a status. This hander takes some input and writes a properly forma/ed line of CSV to incident_review.csv. incident_review.csv's header contains the following fields: Rme rule_id Owner Urgency Status Comment user

the*analyenabled* soc*>siemuse*cases* · visualizaon*and*analy

Documents

theanalyenabled soc>siemusecases* · visualizaonandanaly