SplunkLive Brisbane: Splunking the Endpoint
Posted 26-Jan-2017, 81 slides

TRANSCRIPT

Splunking the Endpoint
Simon O'Brien, Sales Engineer/Security SME, Splunk
[email protected]

Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

DEMO, PART I

Do you know this man?
• Why is Splunking an endpoint important?
• Most POS systems are based on Windows…
• Infecting unprotected endpoints is easy
• Exfiltration of data can be easy

Session Goals
• Understand why you should Splunk the endpoint
• Believe that the Universal Forwarder is awesome
• Learn about customer success
• Get some artifacts you can use
• Bring home what you can do today

WHY?
1. It is relatively inexpensive to Splunk your endpoints, and it will improve your security posture.
2. VISIBILITY! You will have more complete information in the case of a breach.
3. The information from your endpoints maps well to security guidance, including the CIS 20 and the ASD Top 35.

You may have heard…
Endpoint/Server Vulnerabilities | Endpoint-Based Malware

So these happened in 2014/2015…
Endpoint/Server Vulnerabilities | Endpoint-Based Malware
Could we be more secure if we … the endpoints?

Executive Summary: YES! (so do that)

THANK YOU!

The Endpoint is important!
Closest to humans | Versatile | Underprotected | Data-rich

70% of successful breaches start on the endpoint*
*IDC study 2014

The UF: It's more than you think
The Universal Forwarder allows you to … your endpoints.
• Logs
• Scripts
• Perfmon
• Wire Data
• Process/Apps/FIM
• Registry
• Sysmon

Splunk Universal Forwarder for ETD*!
• “Free”
• Lightweight
• Secure
• Runs on many versions of Windows & *NIX & OS X
• Flexible
• Centrally configurable
• SCALE!
*Endpoint Threat Detection (Response?)

What about the “Response”?
VISIBILITY
reactivity (for now)

There's stuff out there. YMMV.

Come on. Is anyone using the Universal Forwarder in this way?
YES.

Use Case 1: Large Internet Company
[Architecture diagram: UF x 10,000 on the internet, each with individual certs -> intermediate forwarders in the DMZ -> many indexers on prem; a deployment server (DS) handles install and config; search on top]
• Windows event logs
• OS X /var/log/*
• Carbon Black output
• Crash logs for IT Ops
• Custom script for apps installed
• UNIX TA (upon request)
• Windows TA (upon request)
• Additional granularity for execs and their admins
• Moving to Splunk Cloud

Central Control with Deployment Server
One (Linux) DS = 10,000 endpoints!
[Diagram also shows proxy logs flowing in]

Additional ways to gather endpoint data
• Integrity Management
• NG Endpoint Protection
• Whitelisting
Look for apps on Splunkbase!

Back to these breaches…
Endpoint-Based Malware – Registry Entries, System Event Logs, New Services, New Files, Comms/Running Proc, Security Event Logs, Known Vulns/Apps

Let's map these to the capabilities of the UF…

We configure the forwarder to give us data of interest

  Data of interest        UF input
  Registry Entries        WinRegMon
  System Event Logs       WinEventLog:System and WinHostMon
  Security Event Logs     WinEventLog:Security + Auditing
  New Services            Scripted Inputs, WinEventLog:System
  New Files               WinEventLog:Security
  Comms/Running Proc      TA-Microsoft-Sysmon, Stream, WinHostMon
  Windows Update          Monitor: WindowsUpdate.log
  Known Vulns/Apps        Scripted Inputs or WinHostMon

Configuration examples? See demo & appendix

What could we look for?
• ANY new Windows services
• Registry being written to where it should not
• Users that shouldn't be used
• Unusual/unapproved processes being launched and their connections/hashes
• Unusual/unapproved ports/connections in use
• Unapproved USB devices being inserted
• New files in places they should not be (Windows\System32…)
• Files that look like one thing but are really another
• New drive letters being mapped
• Lack of recent Windows updates
• Versions of software known to be vulnerable
• …and more

INSTANT, GRANULAR DATA ABOUT COMMON BEHAVIOR OF WINDOWS MALWARE!

DEMO, PART II

Use Case 2: UF for ATM Security + Fraud
• Bank uses ATMs that are Windows-based
• Each ATM has a UF installed, securely sending data to an intermediate forwarder on prem and then up to Splunk Cloud
• Data retrieved from custom ATM logs – can understand what's going on within 1-2 seconds
• Customer reps can see what the problem is easily
• Understand baseline – when are ATMs popular? Handle the cash levels
• Understand fraud – has someone stolen a card + PIN and is hitting ATMs in close clusters? “Superman” correlation
• Conversion opp: know that a 3rd-party bank customer hits a bank ATM every Friday for $200

Regional Bank in NE, US

How about inventory + vulnerabilities?

Two ways to get installed apps, there are more…
• Scripted Input from Windows TA or WinHostMon
• Microsoft Sysmon

What versions of what exist on my network? (Scripted Input from Windows TA or WinHostMon)
Do I have known vulnerable software on endpoints?

Hash data from apps (Microsoft Sysmon): correlate hash with threat intel

Windows Update data (two sourcetypes)
• Monitor: WindowsUpdate.log
• Monitor: WinEventLog:System

Windows Port Data
• Scripted input from Windows TA or WinHostMon
• PID data = easy correlation to the process responsible
• Or use Sysmon…

Endpoint info critical to CSC (SANS) 20
1&2: Log hardware info, running procs/svcs
3: Scripted inputs to check for config issues
4: Evaluate processes/services for vulns
5: Look for malicious new services/processes
11: Look for malicious ports/protocols
12: Look for local use of priv accounts
14: Gather Windows events/*NIX logs
16: Evaluate use of screensaver locks
17: Identify lapses in local encryption

You could do all of that with the Universal Forwarder.
Similar mappings to ASD 35…

Threat Intelligence, you say?
• File names and hashes
• Expired/bogus certs
• Known Bad IP
• Processes/Services

Endpoint vulns can be found if you google what to look for…

Remember this? shellshock
• Publicly announced on 24 September 2014.
• One Vulnerability Management vendor had a plugin on 25 September. That's pretty good!
• Others followed on 26 and 29 September – not so good.
• These require authenticated scans.

Could … make this process more timely?

The Universal Forwarder as self-help guru
That UF sure does a lot by itself!
• If you had the Splunk UF on all of your production *NIX servers…
• You could very quickly program them to find shellshock (or ghost, or poodle, or heartbleed).
• You avoid Vulnerability Management Vendor Lag
• You could then report on remediation efforts over time.
• And the data ingest would be very small.

5 Step Vulnerability Tracking Strategy
1. On day one, become aware of vulnerability
2. Google “how to detect $vulnerability$”
3. Adopt code via script (shell, batch, etc) and place into your Splunk deployment server
4. Forwarders run code and deliver results into Splunk indexers
5. Report on the results

A good step by step
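What steps 3 and 4 of that strategy look like in practice, as an added example (this is not the deck's script, nor the one NASDAQ wrote): a POSIX shell scripted input that probes the local bash for the original shellshock bug, CVE-2014-6271, and writes one key=value event that the forwarder ships to the indexers. The inputs.conf stanza in the header comment, the index and sourcetype names, and the event layout are assumptions; the probe itself is the well-known one-liner from the public advisories.

```sh
#!/bin/sh
# shellshock_check.sh - added example of a Splunk UF scripted input (not the
# deck's or NASDAQ's script). Probes the local bash for CVE-2014-6271 and
# emits one key=value event per run. Deploy it from the deployment server
# with an inputs.conf stanza such as (index/sourcetype are assumptions):
#   [script://./bin/shellshock_check.sh]
#   interval = 3600
#   sourcetype = vuln:shellshock
#   index = endpoint

# Turn probe output into a verdict. A patched bash prints only the probe
# marker; a vulnerable one also executes the trailing "echo vulnerable".
classify_probe() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Run the classic CVE-2014-6271 probe against the given bash binary.
# Prints "vulnerable", "patched" or "absent" (binary not found) and always
# returns 0 so a missing bash does not kill the scripted input.
probe_bash() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # A function definition in an environment variable with a command after
    # the closing brace; only a vulnerable bash runs that trailing command.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null || true)
    classify_probe "$out"
}

# Report the bash version so remediation can be tracked over time.
bash_version() {
    bin=${1:-bash}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    "$bin" -c 'printf "%s\n" "$BASH_VERSION"' 2>/dev/null || echo unknown
}

# Build the event line: $1 host, $2 verdict, $3 bash version, $4 optional
# ISO-8601 timestamp (defaults to now, UTC).
format_event() {
    ts=${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf '%s host=%s vuln=CVE-2014-6271 status=%s bash_version="%s"\n' \
        "$ts" "$1" "$2" "$3"
}

# Entry point: the forwarder captures stdout as the event.
host=$(hostname 2>/dev/null || echo unknown)
format_event "$host" "$(probe_bash bash)" "$(bash_version bash)"
```

Each run produces a single small event, which is why the ingest for this kind of check stays tiny even across thousands of servers; reporting remediation over time is then a count of `status=vulnerable` by host per day. Solaris and AIX hosts may have bash somewhere other than the path, so pass the binary explicitly (`probe_bash /usr/local/bin/bash`) on those.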

Use Case 3: UF for Shellshock Tracking
“We wrote it on the same day and ran it – it was really fundamental to our defense.” – Mark Graff, NASDAQ
Shellshock on 20,000 Linux, Solaris, AIX servers tracked in Splunk
(Large payment processing company)

How about wire data?
• Technology Add-on or TA (Splunk_TA_stream)
• Provides a new Data Input called “Wire Data” – passively captures traffic using a modular input
  – C++ executable called “Stream Forwarder” (streamfwd)
• Captures application layer (level 7) attributes
• Automatically decrypts SSL/TLS traffic using RSA keys (this needs the server's RSA private key and only works for sessions negotiated with RSA key exchange, not forward-secret DHE/ECDHE suites)

Turn the UF into a little network sniffer

Stream Protocols/Platforms Supported
• UDP, TCP, HTTP
• IMAP, POP3, SMTP, MAPI
• MySQL (login/cmd/query), Oracle (TNS), PostgreSQL, Sybase/SQL Server (TDS)
• FTP, SMB, NFS
• LDAP/AD, SIP, XMPP, AMQP, IRC
• DNS, DHCP, RADIUS, Diameter, BitTorrent, SMPP

Supports Windows 7 (64-bit), Windows 2008 R2 (64-bit), Linux (32-bit/64-bit) and Mac OS X (64-bit)

How much data?
All this endpoint Splunking will blow up my license… Nice try, O'Brien!

“A typical day at the office…” with TA-microsoft-sysmon and Splunk_TA_windows installed. A 12 hour day. Even in marketing!

12 hours of standard event logs = 5.5 MB. Nice!

Hmm. Lot more events… 12 hours of Sysmon logs = 241 MB. Oh crap. There goes my SplunkLive talk…!!

Lots of red… let's take that out.

That's more like it. 16 MB of Sysmon, 5.5 MB of Windows events = 21.5 MB per endpoint.
Coverage for 1,000 Windows endpoints? 21.5 GB ingest, per day.

Sysmon with network/image filtering?

You still get…
• Start/Stop of all processes
• Process names & full command line args
• Parent/child relationships (GUIDs) between processes
• Session IDs
• Hash and user data for all processes
• File names that have their create times updated
• Driver/DLL loads with hash data

You lose…
• Network communication per process (TCP and UDP) including IP address, size, port data
• Ability to map communication back to process GUID and session ID

You retain far more function than you lose.

So you can still do…
I surfed a whole lot in Chrome today… listened to some tunes, too!
And also… I really DID work on that 300 slide PowerPoint before lunch, I swear!

In Summary
1. If you're not Splunking the data from your various endpoints today, you should be.
2. The Splunk Universal Forwarder is a super-powerful tool to use on your endpoints, free to install, scales well, can be centrally configured, and data volumes are quite reasonable.
3. The Splunk Deployment Server can be used to turn features on and off, on the fly.
4. For Windows, event data is critical. Sysmon data is great too, and free to install.
5. Other customers from many verticals are having continued success with the data they can gather from endpoints.

FINAL QUESTIONS?

Please join the Splunk Slack channel!!! splunk-usergroups.slack.com
#general #apac

THANK YOU!
[email protected]

APPENDIX

SYSMON DETAILS

Sysmon Info
• Blog post from November, 2014
• App available on Splunkbase, works with current (3.1) version of Sysmon
• Forwarder 6.2+ needed to get XML formatted Sysmon data (a good idea, cuts down on size)

Sysmon Filters
• This works for Sysmon 3.1+
• Add what you need
• If you actually want Image and Network data, add those stanzas
• [email protected] for links to example files!
• Filter out all the Splunk activity

Sysmon Config List
• sysmon -c with no filename will dump config (Image and Network disabled)

Sysmon Config Load
• sysmon -c with filename will load config
• No restart needed
• Ignore errors
• Run as admin (or script as admin)
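The filter those three slides describe, written out as an added example rather than the deck's own example file: Image (DLL load) and Network events switched off, the forwarder's own processes excluded, everything else kept. The schemaversion value and the forwarder install path are assumptions; check the schema version your build reports before loading, and note that the earlier "you still get" list keeps DLL loads while the config-list slide shows Image disabled, so re-enable ImageLoad only if you accept the extra ingest.

```xml
<!-- sysmon.xml: added example, not the deck's file. The schemaversion is an
     assumption; it must match the value your Sysmon build reports. -->
<Sysmon schemaversion="3.0">
  <!-- SHA256 for threat-intel correlation; MD5 for feeds that only carry MD5 -->
  <HashAlgorithms>SHA256,MD5</HashAlgorithms>
  <EventFiltering>
    <!-- Event 1: every process start, except the forwarder's own helper
         processes (path is the default UF install location, an assumption) -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">\SplunkUniversalForwarder\bin\</Image>
      <ParentImage condition="contains">\SplunkUniversalForwarder\bin\</ParentImage>
    </ProcessCreate>
    <!-- Event 5: process end, same exclusion -->
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">\SplunkUniversalForwarder\bin\</Image>
    </ProcessTerminate>
    <!-- Events 3 and 7: an empty include list records nothing, which is the
         "Image and Network disabled" state. To get them back, change these
         to onmatch="exclude" and accept the ingest shown earlier. -->
    <NetworkConnect onmatch="include" />
    <ImageLoad onmatch="include" />
    <!-- Events 2, 6 and 8: keep timestomping, driver loads (with hashes) and
         remote thread injection; all are cheap and high-signal -->
    <FileCreateTime onmatch="exclude" />
    <DriverLoad onmatch="exclude" />
    <CreateRemoteThread onmatch="exclude" />
  </EventFiltering>
</Sysmon>
```

Load it from an elevated prompt with `sysmon -c sysmon.xml` (no restart needed, as the slide says), then run `sysmon -c` on its own to confirm the active configuration matches what you loaded.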

Hash Analysis with Sysmon

Windows registry monitoring

Registry Monitoring config
• Simple examples shown here
• Email sob@splunk.com for an extensive registry monitoring config based on Autoruns

PLACEHOLDER: Winreg. Will have link and other info here detailing how to do Windows registry with sample config of 400+ registry keys to monitor.

If you monitor the right reg key you can find new USB insertions.
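An inputs.conf for a deployment-server app that wires up every row of the "data of interest" mapping earlier in the deck, plus the registry keys this slide and the previous one point at: autostart locations, service installs and the USBSTOR enumeration key that records a new USB device. This is an added example, not the deck's 400-key configuration; the index names, intervals, the forwarder paths and the names of the scripted inputs bundled with Splunk_TA_windows are assumptions to check against the TA version you deploy.

```ini
# endpoint_inputs/local/inputs.conf - added example for a deployment app.
# Index names, intervals and TA script names are assumptions.

# System and Security event logs (the WinEventLog:System / :Security rows)
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

# Sysmon channel rendered as XML: smaller than the text rendering and what
# TA-microsoft-sysmon expects (needs forwarder 6.2+)
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

# WinHostMon: services, processes and installed applications, no scripts.
# Services every 5 minutes catches new service installs; apps once a day
# feeds the "do I have known vulnerable software" question.
[WinHostMon://Service]
type = Service
interval = 300
index = endpoint

[WinHostMon://Process]
type = Process
interval = 600
index = endpoint

[WinHostMon://Application]
type = Application
interval = 86400
index = endpoint

# WinRegMon: hive is a regex over the native registry path, proc filters
# the writing process, type lists the operations to record. baseline = 1
# snapshots the matching keys at startup so you can diff later.
[WinRegMon://autoruns]
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\.*
proc = .*
type = set|create|delete|rename
baseline = 1
index = endpoint

[WinRegMon://services]
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.*
proc = .*
type = create|set
index = endpoint

# A new USB mass-storage device creates a subkey here on first insertion
[WinRegMon://usbstor]
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\.*
proc = .*
type = create|set
index = endpoint

# Windows Update log (Windows 7 / 2008 R2 era path)
[monitor://C:\Windows\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
index = endpoint

# Scripted inputs shipped with Splunk_TA_windows (names are assumptions for
# your TA version): listening ports with owning PID, and installed apps
[script://.\bin\win_listening_ports.bat]
interval = 3600
sourcetype = Script:ListeningPorts
index = endpoint

[script://.\bin\win_installed_apps.bat]
interval = 86400
sourcetype = Script:InstalledApps
index = endpoint
```

Put the app under the deployment server's apps directory and assign it to the Windows server class; the forwarders pick it up on their next phone-home and restart the affected inputs, which is the "turn features on and off, on the fly" point from the summary. Watch the license impact of the Security log first: with object-access auditing enabled it is the noisiest of these inputs.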

Registry Results
• USB inserted with BlackPOS malware
• Malware executed – these are the registry changes logged

WinHostMon
• Get hardware details, services, processes, apps, etc…
• Built right into the forwarder, no scripts needed