the*analyenabled* soc*>siemuse*cases* · visualizaon*and*analy
TRANSCRIPT
Copyright © 2014 Splunk Inc.
The Analy<cs-‐Enabled SOC > SIEM Use Cases
Fred Wilmot (CISSP) Director, Global Security Prac<ce
Sanford Owings Principle Consultant, Splunk Services
Disclaimer
2
During the course of this presenta<on, we may make forward looking statements regarding future events or the expected performance of the company. We cau<on you that such statements reflect our current expecta<ons and
es<mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,
please review our filings with the SEC. The forward-‐looking statements made in the this presenta<on are being made as of the <me and date of its live presenta<on. If reviewed aVer its live presenta<on, this presenta<on may not contain current or accurate informa<on. We do not assume any obliga<on to update any forward looking statements we may make. In addi<on, any informa<on about our roadmap outlines our general product direc<on and is subject to change at any <me without no<ce. It is for informa<onal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliga<on either to develop the features or func<onality described or to
include any such feature or func<onality in a future release.
Fred Wilmot | Director, Global Security Prac<ce (fred|Securityczar)@splunk.com
3
• Strategy § Drives Security Prac<ce Strategy globally § Works on Splunk’s hardest Security Use Cases § Visualiza<on and Analy<cs using Splunk § Solves strategic product/implementa<on challenges
• Research • Digital Forensics /Assessment Tools • Social Risk/User behavior modeling • ML/Advanced Sta<s<cal Analysis • Threat Intelligence
• Product § Influence product strategy for security content and features
in the field and through the factory.
Minister of Silly Walks “Electric Mayhem” @fewdisc
Sanford Owings| Principal Consultant, Splunk Services [email protected]
4
Sanford Owings (Sowings) began his compu<ng career in 1990 in a word processing lab with network administra<on on PCs and various flavors of Unix. A computer science educa<on at Berkeley (with more system and network administra<on thrown in) showed him the light twenty years later. Sanford began using Splunk in early 2010, working to integrate it as an OEM repor<ng solu<on into an email appliance. Since March 2012, he has worked as a member of the Professional Services team at Splunk, leveraging his development background while assis<ng customers. In his free <me, he enjoys spending <me with his wife Erin, cooking, cycling and traveling.
sowings (muppet disguise)
Agenda " Why do we use SIEMs? " How to Achieve these ‘SIEM’ use cases? " Security Maturity Model: How do I get there? " Where do we Start? " Ques<ons? " Appendix
5
Not Really…
But we may feel that way because we don’t really know what problem we are solving, we don’t have the right people, or process to leverage our technology. Lack of internal knowledge leads to external guidance…
Gartner SIEM MQ 2014
8
2012
2013
“…the rise in successful targeted a/acks has caused a growing number of organiza<ons to use SIEM for threat management to improve security monitoring and early breach detec<on”
Threat Management Real-‐<me monitoring and repor<ng of user ac<vity, data access and applica<on ac<vity, in combina<on with effec<ve ad hoc query capabili<es…. capabili<es that aid in targeted aoack detec<on”
This research note is restricted to the personal use of [email protected]
This research note is restricted to the personal use of [email protected]
Table 2. Product/Service Rating on Critical Capabilities
Product/Service Rating
Acc
elO
ps
Alie
nVau
lt
Bla
ckS
trat
us
Eve
ntTr
acke
r
HP
(Arc
Sig
ht)
IBM
Sec
urity
(QR
adar
)
LogR
hyth
m
McA
fee
(ES
M)
Net
IQ
EM
C (R
SA
)
Sol
arW
inds
Spl
unk
Tena
ble
Net
wor
k S
ecur
ity
Tibc
o S
oftw
are
(Log
Logi
c)
Trus
twav
e
Real-Time Monitoring 3.50 3.00 3.00 2.9 4.1 4.0 3.75 3.75 3.90 3.3 3.00 3.7 2.0 1.50 3.00
Threat Intelligence 3.00 3.50 2.50 1.5 4.0 4.0 3.25 4.00 1.50 4.0 3.00 3.5 1.5 1.00 3.65
Behavior Profiling 2.50 3.50 2.50 2.8 4.0 4.5 3.38 3.50 3.25 3.0 2.50 3.6 2.5 3.00 3.25
Data and User Monitoring 2.97 2.43 2.16 3.2 4.2 3.8 3.41 4.44 3.56 3.5 3.38 3.3 2.1 2.44 3.28
Application Monitoring 2.90 3.65 2.90 3.2 4.5 4.3 4.10 4.20 3.40 4.0 2.90 4.3 2.8 2.60 3.10
Analytics 2.44 3.19 2.94 2.9 3.8 3.7 3.30 3.59 2.44 3.3 2.44 3.8 2.1 1.63 3.13
Log Management and Reporting 2.75 3.00 2.50 3.4 4.0 3.8 3.75 3.25 3.63 3.1 3.25 4.0 2.5 4.00 3.25
Deployment/Support Simplicity 3.50 4.00 3.00 4.3 3.7 4.3 4.25 4.00 3.50 2.0 4.40 3.4 2.8 3.25 2.50
Source: Gartner (June 2014)
Page 32 of 37 Gartner, Inc. | G00261642
Why Splunk Compared to SIEM Legacy SIEM Splunk
Data sources Limited Any technology, device
Custom Device Support Difficult Easy
Add Intelligence Difficult Easy
Customized Repor<ng Required 3rd party App Built-‐in (from search)
Speed of Search/Repor<ng Slow and Unusable Fast and Responsive
Correla<on Difficult (rule-‐based)
Easy (search-‐based)
Scalability Limited Extensible
10
11
Be Pragma<c, not Dogma<c. Be prepared to challenge your asser<ons if you want to
mature your opera<ons
Top Five Splunk Security Use Cases More than a SIEM; a Security Intelligence Pla5orm
Security & Compliance Repor<ng
Real-‐<me Monitoring of
Known Threats
Real-‐<me Monitoring of Unknown Threats
Incident Inves<ga<ons & Forensics
Splunk Can Complement OR Replace Exis<ng SIEMs
Fraud detec<on
12
Splunk soVware complements, replaces and goes beyond tradi<onal SIEMs.
Moving Past SIEM to Security Intelligence
Small Data. Big Data. Huge Data.
SECURITY & COMPLIANCE REPORTING
REAL-‐TIME MONITORING OF KNOWN THREATS
MONITORING OF UNKNOWN
THREATS
INCIDENT INVESTIGATIONS & FORENSICS
FRAUD DETECTION
INSIDER THREAT
A Methodology for Analy<cs-‐Enabled SOC: Map the Business to the Threat Model
What does the business care about?
• Market Sen<ment?
• Fraud?
• Denial of Service?
• Intellectual property theV?
• Sensi<ve data/customer data leak?
• Brand reputa<on?
• Industrial sabotage?
• Corporate espionage?
16
A Methodology for Analy<cs-‐Enabled SOC: Construct a Hypothesis
• How could someone gain access to data that should be kept private?
• What could cause a mass system outage does the business care about?
• How could we find exfiltra<on of sensi<ve informa<on if it was happening?
17
A Methodology for Analy<cs-‐Enabled SOC: It’s about the Data
• What visibility do we need? • For data exfiltra<on, start with
URLs.
• DNS requests, proxy logs, web logs, mail logs
• Beg, borrow, and steal SME exper<se from system owners
18
A Methodology for Analy<cs-‐Enabled SOC: Data Evalua<on
• For data exfiltra<on, start with what’s normal and what’s not (create a sta<s<cal model)
• How do we ‘normally’ behave?
• What paoerns would we see to iden<fy outliers?
• Look for other paoerns based on uniqueness, frequency, periodicity, volume, dura<on, newness, dura<on, locality, etc.
19
Spoiler Alert! DNS Exfiltra<on Indicators • 1) Look @ all DNS traffic for mul<ple levels of DNS strings. look for hexadecimal strings. • 2) Look for this 3rd level to be less than 40 bytes in length... like *.domain.com, where * is longer than 40 bytes • 3) Look for mul<ple DNS Name lookups to sketchy foreign domains, and look at the frequency in a short <me
span. • 4) DNS TXT or SRV record queries to any foreign or high entropy domains • 5) ANY DNS response to a loopback or RFC 1918 space/bogon space. (5.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16,
172.16.0.0/12) could indicate a C2 channel • 6) Look for mul<ple DNS queries to the same non-‐obvious or foreign domain during off-‐hours <mes in the office
= check for frequency, and periodicity. • 7) DNS queries to dynamic DNS providers (like OpenDNS) • 8) DNS queries not followed by a proxy request for connec<on • 9) Iden<fy recurring interval or beaconing following any of the above (zero variance behavior) • 10) Look for Teredo IPv6 addresses • 11) Look for large TXT or NULL payloads (tunneling), and TXT that isn’t 7-‐bith clean • 12) Look for CNAME chains if they resolve internally • 13) look for changes in authorita<ve name servers and their IP addresses as well.
20
A Methodology for Analy<cs-‐Enabled SOC: Analysis + context
• Increase in business communica<ons overseas?
• Does your sta<s<cal model need to change due change, business growth, or volume of data?
• Implemented a new service or applica<on?
• Added employees overseas?
• Enriching/synthesizing outliers with visualiza<ons?
21
Need to Connect the “Data-‐dots” to See the Whole Story
Persist, Repeat
Threat intelligence
Auth -‐ User Roles, Corp Context
Host AcRvity/Security
Network AcRvity/Security
Aoacker, know relay/C2 sites, infected sites, IOC, aoack/campaign intent and aoribu<on
Where they went to, who talked to whom, aoack transmioed, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.) Process owner, registry mods, aoack/malware ar<facts, patching level, aoack suscep<bility
Access level, privileged users, likelihood of infec<on, where they might be in kill chain
22
Delivery, exploit installaRon
Gain trusted access
ExfiltraRon Data Gathering Upgrade (escalate) Lateral movement
Persist, Repeat
Subscrip<on feeds Internal black lists
Open source Intelligence Sharing …
Firewalls
IDS/IPS
Email, Web, DNS
Infrastructure
Malware analysis
Net flow …
Asset databases CMBD,
inventory,
LDAP, Ac<ve Directory, Authen<ca<on,
SSO …
Endpoint Threat Detec<on and
Response (ETDR) OS, App ,
database logs Endpoint Security
Malware analysis
Vulnerability Assessment
Patching …
Methodology Par<ng Thoughts
• What paoerns/correla<ons of weak-‐signals in ‘normal’ IT ac<vi<es would represent ‘abnormal’ ac<vity?
• Heuris<c detec<on approaches (SIEM historical standard) are best used with other detec<on approaches (Sta<s<cal/Behavioral)
• Threat modeling MUST be associated with cri<cal data assets and employees • Context is hardest and most cri<cal to add, give yourself lead <me…BUT DO IT • What is rarely seen, newly seen, or a behavioral/sta<s<cal devia<on? • What normal ac<vi<es occur during abnormal <mes?
23
Security Intelligence requires tradiRonal IT data sources, not just security technology.
Maturity Model for Security Opera<ons
25
q APT detec<on/hun<ng (kill chain method) q Counter threat automa<on q Threat Intelligence aggrega<on (internal & external) q Fraud detec<on – ATO, account abuse, q Insider threat detec<on q Replace SIEM @ lower TCO, increase maturity q Augment SIEM @ increase coverage & agility q Compliance monitoring, repor<ng, audi<ng q Log reten<on, storage, monitoring, audi<ng q Con<nuous monitoring/evalua<on q Incident response and forensic inves<ga<on q Event searching, repor<ng, monitoring & correla<on q Rapid learning loop, shorten discover/detect cycle q Rapid insight from all data
q Fraud analyst q Threat research/Intelligence q Malware research q Cyber Security/Threat
q Security Analyst q CSIRT q Forensics q Engineering
q Tier 1 Analyst q Tier 2 Analyst q Tier 3 Analyst q Audit/Compliance
Security OperaRons Roles/FuncRons
ReacRve
ProacRve
Search and
Inves<gate
Proac<ve Monitoring and Aler<ng
Security Situa<onal Awareness
Real-‐<me Risk
Insight
Honest Ques<ons, Honest Answers " What is the talent level of my (Security) team?
" Do I have exis<ng mature skill sets I can leverage/need to keep?
" What is the business’s appe<te for change?
" Am I building a Security Organiza<on for Hun<ng and Advanced Threats, or doing what I can with the team/resources I have?
" Can I be successful implemen<ng new processes around this methodology?
26
How Do I Determine My Maturity Level? Pre-‐Engagement Posture Discussion " What is your current SecOps model?
– Insourced/outsourced/hybrid? – Incident Response plan? BIA? – what do you when you find something significant?
Threat Priority Matrix • What are the risks to the business?
– Establish business priori<es – Model Threats and Business process – Design detec<on/preven<on logic
Talent Capability Model • How capable are my people?
– Beginner/Intermediate/Advanced responders – are you inves<ng in Threat Intelligence and Malware analysts? – How much collabora<on happens between security and subject experts?
27
How Do I Determine My Maturity Level? (cont’d)
Content Strategy – Data Acquisi<on mapped to threats/use cases – Response by: Alerts/repor<ng/integra<on – Manifest process and methodology into technology – “How will I implement my playbook?”
Post-‐Engagement EvaluaRon – Does the work we did, translate to reducing business Risk? – Is it measurable? – Does it enable Security team to iterate and automate? – Does it move the organiza<on up the Security Maturity Model?
28
Cyber Opera<ons Model
30
Audit Repor<ng and Assessment
Forensics and Root Cause Analysis
Secure Coding & Development
Monitor Security
Technologies
Incident Response Process
Incident Handling
Network Security Design
Applica<on Security Design
Fraud and TheV Analysis
Behavioral Analysis
Vulnerability Remedia<on
Malware Analysis
Threat Modeling Threat
Intelligence Cyber Network
Defense Cyber Network
Offense
Collabora<on
Itera<on
Automa<on
REACTIVE PROACTIVE
Counter Intelligence
Cyber Opera<ons Model
31
Incident Response
CollaboraRon
Communica<on
Automa<on
Itera<on
AutomaRon Machine-‐<me response Triage using machine data and context
IteraRon Threat Modeling,
Intelligence Gathering, Research, hun<ng
CollaboraRon Incident Response Forensic analysis
Operate on machine data and Threat Intelligence
In order to gain a complete view of OperaRonal Security, we need to see the iteraRon of Counter Intelligence in Monitoring
32
Security Intelligence combines methodology, technology, collabora<on as context for smarter
security decisions
1) I have no visibility into my data, and I need to operate on that data 2) I have a SIEM, it doesn’t do what I want. I need to augment with
visibility and context 3) I have visibility, and context, I need threat intelligence and
workflow and integra<on 4) I don’t have a SIEM, but I also don’t have any resources to do that Lets look at an MSSP that supports your threat profile
Maturity Model Type Integra<ons
35
Applica<on Performance Monitoring, Metrics, and Drill-‐down
Helpdesk Staff
Security Analysts
No SIEM: Ge{ng Visibility First “I’m not a security shop, I just need to see all my data first”
• Splunk for incident inves<ga<ons/forensics
• Splunk for aler<ng/repor<ng/dashboarding
• Begin building data consump<on towards use cases
Real-‐Rme Machine Data
36
Applica<on Performance Monitoring, Metrics, and Drill-‐down
Helpdesk Staff
Security Analysts
Legacy SIEM: Limited Visibility “I have a subset of security in my SIEM, I need more visibility across IT data”
Different data sent to Splunk and SIEM
• Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment
• ArcSight for correla<on, alerts, Analyst workflow
opRons for Splunk-‐to-‐ESM data flow:
1. At index <me, Splunk can forward data to ArcSight: SplunkSight
2. At search <me, Splunk can forward CEF format to ArcSight: Splunk App for CEF
3. Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services
Real-‐Rme Machine Data
ESM
Logger
Search/Alert Splunk App for CEF
37
Applica<on Performance Monitoring, Metrics, and Drill-‐down
Helpdesk Staff
Security Analysts
Legacy SIEM: Splunk to ArcSight ESM
ESM
“I have a mature playbook my analysts use in SIEM”
• Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment
• ArcSight for correla<on, alerts, Analyst workflow
opRons for Splunk-‐to-‐ESM data flow:
1. At index <me, Splunk can forward raw or filtered data to ArcSight: SplunkSight
2. At search <me, Splunk can forward selected, and/or enriched events in CEF format to ArcSight: Splunk App for CEF
3. Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services
Search/Alert Splunk App for CEF
Filter/Forward SplunkSight
Real-‐Rme
Machine Data
Using Splunk Forwarders for na<ve log consump<on
Mail/SNMP CEF syslog collector
38
Applica<on Performance Monitoring, Metrics, and Drill-‐down
Helpdesk Staff
Security Analysts
SOC Integrated components “II have many products leveraging my methodology and playbook” Decisions on workflow made by automaRon/prioriRzaRon feeding mulRple tuned products
• CriRcal è AutomaRc Rckets for SME resoluRon, InvesRgaRon (i.e. Archer)
• High/Medè Triage by type: automated acRon result/analyst acRon (i.e. SIEM)
• Low è prioriRzed and funneled (i.e. Remedy)
• Methodology driven, business process melded with technology and analyst skill sets
• Archer, JIRA, Remedy, ServiceNow integra<ons, Security tools like Palo Alto, Mandiant, FireEye, Checkpoint, Sourcefire
• Packets, flows, Threat Intel, enrichment, context
Real-‐Rme Machine Data
SIEM
Threat Intelligence
Asset & CMDB
Employee Info
Data Stores ApplicaRons
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
40
Online Services
Web Services
Servers
Security GPS
Loca<on
Storage
Desktops Networks
Packaged Applica<ons
Custom Applica<ons
Messaging
Telecoms Online
Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
RFID
Developer Placorm
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
Faster/Beoer Decisions with Context
External Lookups References – Coded fields, mappings, aliases Dynamic informaRon – Stored in non-‐tradi<onal formats Environmental context – Human maintained files, documents System/applicaRon – Available only using applica<on request Intelligence/analyRcs – Indicators, anomaly, research, white/blacklist AND MORE…
Real-‐Rme
Machine Data
Encoded log with threat and asset context
41
Log
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!
Asset # IP Address
CMBD .csv file Vendor mapping
Threat Intelligence mapping
Code
File code
Encoded log with threat and asset context
42
Log
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!
Asset # IP Address
CMBD .csv file Vendor mapping
Code
File code
File code Hash value Variants Filenames
✓
Threat Intelligence mapping
Encoded log with threat and asset context
43
Log
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.!
Threat info (various) Product code (file)
Asset (CMDB, various)
External Lookup using .csv
Internal Threat Intelligence Context for Security
47
• Applica<on Usage & Consump<on (In House)
• Database Usage /Access Monitoring (privileged)
• En<tlements/ Access Outliers (In House)
• User associa<on based on geography, frequency, uniqueness and privilege
• Directory User Informa<on (personal e-‐mail, access, user privs)
• Proxy informa<on (content) • DLP & Business Unit Risk (trade secrets/IP lists)
• Case History/Ticket Tracking • Malware/AV • HR/Business Role
External Threat Intelligence Consumable Sources
48
• Palo Alto Wildfire • Crowdstrike • AlienVault OTX • RecordedFuture • Team Cymru • ISACs or US-‐CERT • FireEye/Mandiant • Vorstack • cyberUnited • ThreatGrid • ZeroFox • Norse CorporaRon
• OSINT (free Sources) • Dell SecureWorks • Verisign iDefense • Symantec Deepsight • McAfee Threat Intelligence • SANS/Whitelist/Blacklist • CVEs CWEs, OSVDB (Vulns) • iSight Partners • ThreatStream • ATLAS • ThreatConnect • Farsight
External Threat Intelligence Integra<on import hoplib, urllib params = urllib.urlencode({'apikey': 'f6dbdee2dc8c6118933b90178657877cc2cede3023ce0eba4xxxxxxxxxxxxxxx', 'ip': ’46.229.160.7', 'method': 'ipview'}) #headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "text/plain"} headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "applica<on/json"} conn = hoplib.HTTPConnec<on("us.api.ipviking.com:80") conn.request("POST", "/api/", params, headers) response = conn.getresponse() print response.status, response.reason data = response.read() print(data) conn.close()
49
Most IntegraRons are APIs or Modular Inputs – EASY!
Context+Threat Intelligence:TLD against GeoIP
How would I find all the URLs by their Top Level Domain, and compare them with their geoloca<on to validate they are legi<mate on a map?
54
Matching against TLD & GeoIP sourcetype=bluecoat url=* | lookup faup url | fields url_domain url_tld | geoip url_domain | eval url_domain_country_code=lower(url_domain_country_code) | eval tld_match=if(url_tld == url_domain_country_code, "true", "false") #Run FAUP as a lookup across all bluecoat URLS #generate the geoloca<on telemetry for url_domain #determine if the url country code is = to the TLD Now, show me on the map where they are…
55
Some Content For You
• Archer Integra<on Technology add-‐on template • Scripts for <cket system aler<ng
• SA-‐VA, ES Vulnerability Assessment/Risk calcula<on tool
Follow @Splunksec on twi/er for these releases today aqer our session! 58
What You Can Do for the Security Prac<ce
• We love to dig through new data sets • Share cool, hard use cases with us • Share knowledge to help us beoer the product • All your desires and concerns for features and uses Partner with us, we will do the same! • Help with integra<ons, use cases, features func<ons. • Our job is to help you get to your highest maturity level
59
Thank you! @SplunkSec [email protected]
• Network complexity and aoack surface is growing • No central loca<on for exploit informa<on • Manual system priori<za<on based on risk is (nearly) impossible • Analysis must be done regularly as new exploits are released
Problem
• Automated exploit database aggrega<on • SA-‐VA automa<cally parses Na<onal Vulnerability
Database hop://nvd.nist.gov/ and Offensive Security’s Exploit-‐DB hops://github.com/offensive-‐security/exploit-‐database
• Scheduled vulnerability scan • Integra<on with Splunk Enterprise Security assets • SA-‐VA integrates with your exis<ng security solu<ons
to give a clearer picture
Solu<on: SA-‐VA
• Risk Percentage • Δ Risk Score / Reference Score (Gold Standard)
• Risk Score • Σ Service Score
• Service Score • CVSS Severity / (Current Year – Release Year)
• Every host scanned is assigned a risk percent as a func<on of the reference score, and an overall risk score
• Every service is assigned a risk percent score as a percentage of host’s overall risk
Calcula<ng Risk for Assets.csv
• Provide custom arguments to Nmap scan in addi<on to preset scan arguments
• Whitelist to exclude sensi<ve hosts from scans • Block specific vulnerabili<es scoring on a host specific and global level
• Schedule and automate database updates and network scans based on your network needs
Configurability
• Automate vulnerability database aggrega<on • Schedule scans and database updates • Whitelist machines sensi<ve to scans • Mul<ple scan intensity op<ons including custom arguments for VoIP, printers, and other sensi<ve systems
• Integra<on with Enterprise Security assets model • Appends fields to exis<ng assets.csv • Create new assets.csv based on scan
• Calculated Risk priori<za<on score • Risk % = Δ Risk Score / Gold Standard • Risk Score = Σ (CVSS severity /(Current Year – Release Year))
Summary
Delivering Context to CEF for Analy<cs-‐driven Security
Datamodel Enrichments Enhance Decision Making
• Add context to events by using Splunk Add-‐ons and custom lookups
• Constrain, filter, or augment data via CIM or custom datamodels
• Aggregate events from mul<ple sources before forwarding
Connect and Visualize Disparate Data In Familiar
Tools
• Gain faster, easier and deeper insights across all machine data
• Simply map Splunk fields to CEF fields without knowledge of the Splunk search syntax, using a new Guided UI
Automa<cally Deliver Insight from Splunk to the
Front Lines
• Organiza<ons where an incumbent SIEM is the Tier 1 tool can now receive augmented events and alerts
• Increase the value of threat intelligence by indica<ng important events
Inside Splunk App for CEF
75
RAW DATA INDEXED IN SPLUNK
TECHNOLOGY ADD-‐ONS DATA MODELS SEARCH
OUTPUT COMMON
EVENT FORMAT OVER TCP
Use Common Informa<on Model
or custom datamodels
Gather and enrich data as needed
using full power of Splunk
Guided search wizard helps users construct powerful
searches
Why Splunk app for CEF?
76
• For many data sources, dual feeding both Arcsight and Splunk , the same events is not feasible
• Splunk App for CEF enables CEF-‐formaoed output based on
search results in Splunk • Field mappings from Splunk CIM to Arcsight CEF make
configura<on easy
Inside SplunkSight
77
RAW DATA INDEXED IN SPLUNK
TECHNOLOGY ADD-‐ONS INDEX PIPELINE
OUTPUT COMMON
EVENT FORMAT OVER TCP
Use Common Informa<on Model and pre-‐indexed
keys
Gather and enrich data as needed
using full power of Splunk
Configurable dynamic mapping of CIM fields to CEF
fields
Why SplunkSight?
78
• Scaling your CEF output structure should scale with Splunk architecture
• SplunkSight enables CEF formaoed output based indexed
fields in Splunk • SplunkSight uses TCPOUT to process events directly on each
indexer • Index and sourcetype filters enable flexibility • Field mappings from Splunk CIM to Arcsight CEF make
configura<on easy
Integra<on Challenges
79
• Splunk currently, cannot send CEF data directly to Arcsight ESM at scale, or index <me.
• Logger agents tend to lose data in transla<on via Snare and syslog
• Splunk forwarders are not distributed across the en<re infrastructure to capture raw windows events
• Target’s challenge is 100% visibility, and ubiquity in their collec<on environment for host data collec<on
• single agent to feed both their collec<on and correla<on technology.
We built SplunkSight to deal with these challenges
SplunkSight
80
Designed to be Highly scalable • Located on each Indexer as a separate socket-‐ized
process • Mul<-‐threaded process to deal with scale • Operates at index-‐<me as opposed to search-‐<me • Does not impact the parsing or indexing queues in
indexing pipeline • Does not directly impact search behaviors or search
pipeline performance
SplunkSight
81
Designed to be easily configurable • Enable mapping from CIM to CEF in a .csv file • Designed to work with metadata wrioen at index <me
using Technology Add-‐on framework • Allows Target to specify specific fields to consume in
Splunk for consump<on in ESM • Manageable via the deployment server
How it Works • Communica<on from forwarder
– We configure the forwarder to send data to the Splunk Indexer, as you have currently deployed Splunk today.
– For data types requiring transforma<on at index <me (either on a Heavy Forwarder, or on the Indexer) we send either Cooked or Uncooked data.
– The indexer listens on 9997 as usual, receives data into Splunk and consumes it.
84
How it Works • Communica<on from indexer to SplunkSight
– The Splunk Indexer sends via outputs.conf, data to SplunkSight, which lives on a configurable socket on the indexer (we are using 9996 as example)
– We are sending data using our TCPOUT op<on in our proprietary S2S protocol, which allows us to field map, and transform data into CEF Output.
85
How it Works • Sending data to Arcsight ESM
– Defined in splunksight.conf – Output is UDP syslog – SplunkSight runs as a service and includes a few
python processes: ê Process.py ê Cefobjec<zer.py ê Daemon.py ê U<ls.py ê Read-‐conf.py ê Splunksightsyslog.py ê Splunksight.py
86
Splunksight.conf [daemon] listen_ip = 0.0.0.0 listen_port = 9996 log_file = /tmp/splunksight.log pid_file = /tmp/splunksight.pid log_type = standard [syslog] proto = udp dest_ip = x.x.x.x dest_port = 514
How it Works • Configuring SplunkSight
– Requires WRITE_META = true for Technology add-‐ons (This creates an indexed field), fields and props configura<on.
– Provide mapping of CIM (Splunk) fields, to CEF (Arcsight) fields i.e. default.csv
87
Splunk_TA_Windows Transforms.conf
[Target_Server_Name_as_dest] SOURCE_KEY = Target_Server_Name REGEX = ([\\]+)?([^-‐].*) WRITE_META = True FORMAT = dest::"$2” Fields.conf [dest] INDEXED = true
Default.csv #cim,cef dest,CEF_dest session_id,CEF_session_id dest_nt_host,CEF_dest_host src_ip,src dest_ip,dst src_port,spt
How it Works • Configuring SplunkSight
– Enables filtering based on Sourcetypes and indexes. By default, we remove all the _* indexes
– Can configure whether we send ALL data, or just metadata
88
Splunksight.conf
[filters] indexes_to_discard = _internal _introspec<on _thefishbucket _audit _blocksignature #sourcetypes_to_discard =sourcetype::syslog sourcetypes_to_discard =sourcetype::sep::risk
CEF Output example
Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.11.36.20 end=179 fileType=applica<on/x-‐fcs in=24804 request=hop://199.9.251.150/idle/1021363361/6290 xreferrer=-‐ requestMethod=POST suser=-‐ act=TCP_NC_MISS xstatus=200 requestCookies="Flash\"" out=212 Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.44.38.116 end=125 fileType=-‐ in=39 request=tcp://216.219.113.250:443/ xreferrer=-‐ requestMethod=CONNECT suser=-‐ act=TCP_TUNNELED xstatus=200 requestCookies=-‐ out=67
89
92
Splunk / Archer Integration Workflow - v1.0
Archer IntegrationSplunk OperationsEscalation Mgr. Incident Mgr.
EventReview
1.0
START
Escalate Event
1.1
Escalated Event?
2.1
Monitor Events
2.0
NO
Create Archer Record
2.2YES
Escalate? 3.1
Review Incident
4.0
ResolveIncident
4.1
YES
NO
Mark for Closure
4.2
Escalation Notification
3.1a
Mark for Closure
3.2
Escalation Mgr Closed Notification
4.2a
New SplunkIncident
Notification 3.0a
Review Incident
3.0
ResolveIncident
3.2
ReviewClosure
5.0
Incident Mgr Closed
Notification 3.2a
Closed Incident?
6.1
Monitor SplunkIncident
6.0
NOClose SplunkEvent
6.2YES
END
Ge{ng Data to Archer
93
python REST API interac<on with Splunk API for gathering things like asset info, vuln data, etc pulled from the metadata ‘Notable Events’ correla<on framework. The common set of fields in the correla<onsearches.conf specifica<on would be passed to archer, driven by the rule_id security_domain severity rule_name descripRon rule_Rtle rule_descripRon drilldown_name drilldown_search default_status default_owner
Ge{ng Data to Archer • Archer fields mapped to Splunk Notable Events field in python SOAP script
• Splunk generates metadata events, and ‘Archer’ command, sends it to Archer via custom search in Enterprise Security.
• Workflow ac<on to escalate a Notable Event to Archer directly
• Automated Splunk Search of the 'Notable Events' Macro every few minutes based on rule_id, event_id and urgency (for aler<ng if desired)
Closing a Notable Event from Archer Archer dashboard object or ac<on to close a 'Notable Event'. We use the ‘search’ REST endpoint to allow a REST call, to change a status or close a status. This hander takes some input and writes a properly forma/ed line of CSV to incident_review.csv. incident_review.csv's header contains the following fields: Rme rule_id Owner Urgency Status Comment user