Infosecurity Europe 2016: Detect Insider and Advanced Threats by Leveraging Machine Learning

Posted on 12-Apr-2017


Copyright © 2016 Splunk Inc.

Detect Insider and Advanced Threats by Leveraging Machine Learning

Fill out the Postcard and win a SONOS Play:1 today


Are you using Splunk already?

IN 2014, INDUSTRY SPENT
$1.7 Billion - SECURE EMAIL GATEWAY
$1.3 Billion - SECURE WEB GATEWAY
$2.8 Billion - ENDPOINT PROTECTION
$1.2 Billion - INTRUSION PREVENTION
$9.4 Billion - FIREWALL
$16+ Billion
So why do we need even more tools?

FAMILIAR WITH THESE THREATS?
January 2015 - Morgan Stanley - 730K PII Records
February 2015 - Anthem Insurance - 80M Patient Records
February 2015 - Office of Personnel Management - 22M PII Records
July 2015 - Ashley Madison - 37M PII Records

SO, WHAT IS THE PROBLEM?
COMPROMISED / MISUSED CREDENTIALS OR DEVICES
LACK OF RESOURCES (SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES

EXTERNAL ATTACK
USER ACTIVITY (Day 1 ... Day 2 ... Day N)
Peter and Sam access a compromised website - backdoor gets installed
The attacker uses Peter’s stolen credential and VPNs into Domain Controller
The attacker uses the backdoors to download and execute WCE – password cracker
Peter’s and Sam’s devices begin communicating with CnC
The attacker logs in as Sam and accesses sensitive documents from a file share
The attacker steals the admin Kerberos ticket and escalates the privileges for Sam
The attacker uses Peter’s VPN credential to connect, copies the docs to an external staging server, and logs out after three hours

INSIDER THREAT
USER ACTIVITY (Day 1 ... Day 2 ... Day N)
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise

WHAT IS SPLUNK UBA?
DETECT MALICIOUS INSIDER THREATS
DETECT ADVANCED CYBERATTACKS

THE FOUNDATION
ANOMALY DETECTION / THREAT DETECTION
UNSUPERVISED MACHINE LEARNING
BEHAVIOR BASELINING & MODELING
REAL-TIME & BIG DATA ARCHITECTURE
SCALABLE ARCHITECTURE
0.5 Billion EVENTS

MULTI-ENTITY BEHAVIORAL MODEL
APPLICATION, USER, HOST, NETWORK, DATA

DESIGNED FOR A HUNTER: ANOMALY DETECTION - APPLYING ML AGAINST BEHAVIOR BASELINES
DESIGNED FOR A SOC ANALYST: THREAT DETECTION - ML DRIVEN AUTOMATED ANOMALY CORRELATION

INSIDER THREAT
USER ACTIVITY (Day 1 ... Day 2 ... Day N)
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise

Unusual Machine Access (Lateral Movement; Individual & Peer Group)
Unusual Zone (Corp -> PCI) traversal (Lateral Movement)
Unusual Activity Sequence
Unusual Zone Combination (PCI -> Corp)
Unusual File Access (Individual & Peer Group)
Multiple Outgoing Connections & Unusual SSL session duration
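As an added illustration of the behavior-baselining and anomaly-correlation idea these slides sketch (written for this page, not Splunk UBA code and not from the deck), the Python below learns per-user and peer-group baselines from constructed historical access events, scores John's day-N session for unusual machine access and Corp/PCI zone traversal, and promotes a user to a threat only once several distinct anomaly types co-occur. Host names, zones, peer groups and the threshold are assumptions.

```python
from collections import defaultdict
# Constructed history: (user, peer_group, host, zone); all names are made up.
BASELINE = [
    ("john", "finance", "fin-share-01", "Corp"),
    ("alice", "finance", "fin-share-01", "Corp"),
    ("alice", "finance", "fin-share-02", "Corp"),
    ("dba01", "dba", "pci-db-01", "PCI"),
]
# Constructed day-N session for John, mirroring the insider scenario on the slides.
DAY_N = [
    ("john", "finance", "fin-share-01", "Corp"),
    ("john", "finance", "pci-app-07", "PCI"),    # remote desktop into the PCI zone
    ("john", "finance", "fin-share-02", "Corp"),  # back to a Corp file share
]
def build_baselines(events):
    """Learn, per user and per peer group, which hosts, zones and zone hops are normal."""
    user_hosts, group_hosts = defaultdict(set), defaultdict(set)
    user_zones, user_hops, last_zone = defaultdict(set), defaultdict(set), {}
    for user, group, host, zone in events:
        user_hosts[user].add(host)
        group_hosts[group].add(host)
        user_zones[user].add(zone)
        if user in last_zone and last_zone[user] != zone:
            user_hops[user].add((last_zone[user], zone))
        last_zone[user] = zone
    return user_hosts, group_hosts, user_zones, user_hops

def score_events(events, baselines):
    """Emit (user, anomaly_type, detail) for every deviation from the learned baselines."""
    user_hosts, group_hosts, user_zones, user_hops = baselines
    anomalies, last_zone = [], {}
    for user, group, host, zone in events:
        if host not in user_hosts[user]:  # new for this user; is it new for the peer group too?
            scope = "Individual" if host in group_hosts[group] else "Peer Group"
            anomalies.append((user, "Unusual Machine Access", f"{host} ({scope})"))
        if zone not in user_zones[user]:
            anomalies.append((user, "Unusual Zone", zone))
        hop = (last_zone.get(user), zone)  # zone change within the session never seen before
        if hop[0] not in (None, zone) and hop not in user_hops[user]:
            anomalies.append((user, "Unusual Zone Traversal", f"{hop[0]}->{zone}"))
        last_zone[user] = zone
    return anomalies

def correlate(anomalies, min_types=3):
    """Raise a threat for a user only once several distinct anomaly types co-occur."""
    types_by_user = defaultdict(set)
    for user, kind, _ in anomalies:
        types_by_user[user].add(kind)
    return {u: sorted(k) for u, k in types_by_user.items() if len(k) >= min_types}
```

A single unusual host would stay a low-priority anomaly; only the accumulation of distinct anomaly types for the same user surfaces as a threat, which is the prioritisation the slides argue rules alone do not give.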

WHAT DOES SPLUNK UBA NEED?
PROXY SERVER
FIREWALL
ACTIVE DIRECTORY / DOMAIN CONTROLLER
DNS, DHCP
SPLUNK ENTERPRISE / ANY SIEM - AT A MINIMUM

WHY SPLUNK UBA?
THE MOST ADVANCED UEBA TECHNOLOGY
THE LARGEST INVESTMENT IN MACHINE LEARNING
A COMPLETE SOLUTION FROM SPLUNK
DETECT THE UNKNOWNS
IMPROVE SOC & HUNTER EFFICIENCY

WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA

“Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better.” - Mark Grimse, VP IT Security, Rambus

“A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space.” - Randolph Barr, CSO, Saba


Thank you
