Copyright © 2016 Splunk Inc.
Enterprise Security & UBA Overview
SplunkLive Canberra 2016, Jon Harris, Sr SE
Security Splunk Guy
whoami
Jon Harris, [email protected]
• 6 months at Splunk
• Senior SE (focus on security)
• 15+ years in IT and security
• Worked for leading IT Security vendors
• Software development background
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
Splunk Security Update
Enterprise Security 4.2
User Behavior Analytics 2.3

Data Breaches in Australia
2016 Cost of Data Breach Study
The cost of a data breach continues to rise: $158 per record
The largest component of the total cost of a data breach is lost business
“Time to Identify” and “Time to Contain” a data breach is critical
Average total cost of a data breach in Australia is $2.64 million
Key factor to reduce the cost of a data breach is enabling incident response
Source: June 2016
Advanced Threats Are Hard to Find
Cyber Criminals
Nation States
Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
100% Valid credentials were used
40 Average # of systems accessed
229 Median # of days before detection
67% Of victims were notified by an external entity
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyse all of that data
Human to Machine
Machine to Machine
Splunk as the Security Nerve Center
App Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network Security
Endpoints
Identity
Splunk Solutions
Platform for Machine Data: across data sources, use cases and consumption models
Splunk Premium Solutions: ITSI, UBA
Ecosystem of Apps: VMware, Exchange, PCI Security, IT Svc Int
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Splunk for Security
Detection of Cyber Attacks
Investigation of Threats and Incidents
Optimised Incident Response and Breach Analysis
Detection of Insider Threats
Security & Compliance Reporting
Splunk UBA, Splunk ES
Splunk Security Ecosystem: Threat Intelligence, Identity and Cloud, Endpoint, Network
What is Splunk ES?
Platform for Machine Data
Splunk Enterprise Security: advancing analytics-driven security
Security and Compliance Reporting
Monitor and Detect
Investigate Threats and Incidents
Analyze and Optimize Response
What’s New in Splunk Enterprise Security v4
Attack and Investigation Timelines
Adding content to the timeline:
Action History
Actions: • Search Run • Dashboard Viewed • Panel Filtered • Notable Status Change • Notable Event Suppressed
Investigator Memo
Memo: investigator’s memos inserted at the desired point in the timeline
Incident Review
Incident: notable events from Incident Review
Analyst / Investigator
Prioritise and Speed Investigations (ES 4.1)
Centralised incident review combining risk and quick search
Use the new risk scores and quick searches to determine the impact of an incident quickly
Use risk scores to generate actionable alerts to respond to matters that require immediate attention.
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
Use with ad hoc searches and investigations
Extends Splunk’s Threat Intelligence Framework
ES Demo
What is Splunk UBA?
What Is the Problem?
Compromised/misused credentials or devices
Lack of resources (security expertise)
Lack of alert prioritization & excessive false positives

Enterprise Security Ops Challenges
Threats: external, insiders, hidden and/or unknown
Resources: availability of security expertise
Efficiency: lack of alert prioritisation & excessive false positives
Splunk User Behavioural Analytics: Automated Detection of Insider Threats and Cyber Attacks
Platform for Machine Data
Behaviour Baselining & Modelling
Unsupervised Machine Learning
Real-Time & Big Data Architecture
Threat & Anomaly Detection
Security Analytics
Splunk UBA: Technology
Anomaly Detection, Threat Detection
Unsupervised Machine Learning
Behaviour Modeling
Real Time & Big Data Architecture
Multi-Entity Behavioural Model
User Centric, Device Centric, Application Centric, Protocol Centric

Multi-Entity Behavioural Model
Application, User, Host, Network, Data
Evolution (increasing complexity)
Rules: Threshold
Policy: Threshold
Policy: Statistics
Policy: Peer Group Statistics
Supervised Machine Learning
Unsupervised Machine Learning
Largest library of unsupervised ML algorithms
Designed for a Hunter Analyst
Anomaly Detection: applying ML against behaviour baselines

Designed for a SOC Analyst
Threat Detection: ML-driven automated or rules-based anomaly correlation
Data Sources for UBA (legend: Key, Optional)
Identity/Auth: Active Directory/Windows, Single Sign-on, HR - Identity, VPN
Activity (N-S, E-W): Web Gateway, Proxy Server, Firewall, DNS, DHCP
SaaS/Mobile: Box, Salesforce, Dropbox, other SaaS apps, Mobile Devices, AWS CloudTrail
Security Controls: Anti-Malware, DLP, Endpoint, IDS, IPS, AV
External Threat Feeds: Threat Intelligence
Splunk UBA and Splunk ES Integration
Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: data science driven threat detection, 99.99% event reduction
Machine learning in the SIEM workflow: anomaly-based correlation

What’s New in UBA 2.x
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection and can be leveraged to detect threats in historical data.
Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics
User Centric, Device Centric, Application Centric, Protocol Centric
Detailed visibility, understand normal behaviour

Behavioural Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: ad-hoc searching/pivoting
Detect and investigate faster using ML integrated with SIEM
User Centric
• Top-N users by number of transactions
• Top-N users by login/logout activity
• Login/logout activity over time
• Average daily/weekly/monthly/yearly login/logout count
• Number of failed logins (global)
• Top-N users for failed logins
• Failed logins over time
• Average daily/weekly/monthly/yearly failed login counts
• Top-N users by data transfer
• Average daily/weekly/monthly/yearly data transfer for users
• Top-N users by session count
• Top-N users by session length
• Average session duration of users
Device Centric
• Top-N servers by activity (number of transactions)
• Top-N servers by login/logout activity
• Top-N servers for failed logins
• Failed logins over time
• Top-N destination devices by data transfer
• Top-N servers by data transfer
• Average daily/weekly/monthly/yearly data transfer for servers
• Top-N source devices by session count
Application / Session Centric
• Total sessions count
• Total sessions count over time
• Total sessions count by device type (AD, VPN, SSH)
• Average sessions count (daily, weekly, monthly, yearly)
• Average global session duration
• Average session duration over time (daily, weekly, monthly, yearly)
Protocol Centric
• HTTP traffic by application type (protocol)
• Top-N domains by traffic
• Top-N domains by activity (number of events)
• Top-N client machines by traffic
• HTTP traffic over time (day, week, month, year)
• Average daily, weekly, monthly, yearly HTTP traffic
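The user-centric baseline metrics above (average daily failed logins and data transfer per user) and the custom threat scenarios of the UBA 2.2 threat modeling framework, worked through as an added Python example; this is not Splunk UBA code, and the users, daily aggregates, z-score threshold and scenario name are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily aggregates per user: (user, day, failed_logins, bytes_out).
# Days 0-9 form each user's own baseline; day 10 is the day being scored.
EVENTS = [
    ("alice", d, f, b) for d, (f, b) in enumerate(
        [(1, 2.0e8), (0, 1.8e8), (2, 2.1e8), (1, 1.9e8), (0, 2.0e8),
         (1, 2.2e8), (2, 1.7e8), (0, 2.0e8), (1, 1.9e8), (1, 2.1e8),
         (14, 3.1e9)])  # day 10: spike in failed logins AND data transfer
] + [
    ("bob", d, f, b) for d, (f, b) in enumerate(
        [(3, 5.0e8), (2, 4.0e8), (4, 6.0e8), (3, 5.0e8), (2, 4.5e8),
         (3, 5.5e8), (4, 5.0e8), (3, 4.0e8), (2, 6.0e8), (3, 5.0e8),
         (9, 4.8e8)])  # day 10: failed-login spike only, transfer normal
]
BASELINE_DAYS = 10   # constructed baseline window
Z_THRESHOLD = 3.0    # constructed "how far from normal counts" cut-off

def daily_series(events, user, metric_index):
    """One metric for one user, ordered by day (list index == day)."""
    return [e[metric_index] for e in sorted(events, key=lambda e: e[1]) if e[0] == user]

def zscore(history, value):
    """Distance from the user's own baseline in standard deviations.
    A flat baseline (sd == 0) would divide by zero, so any change is treated as extreme."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return float("inf") if value != mu else 0.0
    return (value - mu) / sd

def detect_anomalies(events, day):
    """{user: set of anomaly names} for one day; one anomaly per metric over threshold."""
    found = defaultdict(set)
    for user in sorted({e[0] for e in events}):
        for name, idx in (("failed_login_spike", 2), ("data_transfer_spike", 3)):
            series = daily_series(events, user, idx)
            if zscore(series[:day], series[day]) > Z_THRESHOLD:
                found[user].add(name)
    return dict(found)

# Custom threat scenario: an analyst-defined combination of per-metric anomalies
# (constructed; the names are illustrative, not UBA's own anomaly catalogue).
THREATS = {"credential_misuse_with_exfil": {"failed_login_spike", "data_transfer_spike"}}

def detect_threats(anomalies):
    """A scenario fires only when all of its anomalies hit the same user on the same day."""
    return {u: [t for t, need in THREATS.items() if need <= a] for u, a in anomalies.items()}
```

Running `detect_threats(detect_anomalies(EVENTS, BASELINE_DAYS))` raises the threat for alice only: bob's failed-login spike is a single anomaly and does not complete the scenario, which is the event reduction the combination rule buys over alerting on every anomaly.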
UBA Demo

The 7th Annual Splunk Worldwide Users’ Conference
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Thank You!
Appendix

All Data is Security Relevant
Traditional: Intrusion Detection, Data Loss Prevention, Anti-Malware, Firewall, Vulnerability Scans, Authentication, Threat Intelligence
Desktops, Email, Web, Storage, Hypervisor, Badges, Mobile, Servers, DHCP/DNS, Physical Access, CMDB, Transaction Records, Network Flows, Custom Apps, Services, Web Clickstreams, Cloud, Printers
Mission of Government: Protect, Grow, Serve
Protect: defend against and reduce the impact of external and insider threats
Grow: meet mission goals through operational excellence
Serve: ensure agility and scale while embracing innovation
White House Military Office – From Hunted to Hunter
Challenges:
• Proactive hunting of cyber adversaries
• Resource (analysts) constraints
• Cumbersome malware detection process
• Myopic visibility into the network
Value Delivered:
• Went from reactive to proactive
• Made Tier 1 analysts immediately effective
• Holistic visibility across the network
• Bonus: IT Operations troubleshooting
• Validate security deployment decisions
“Splunk has helped us take Tier 1 security analysts and make them immediately effective to defend our network.”