splunklive brisbane splunking the endpoint
TRANSCRIPT
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Do you know this man?
• Why is Splunking an endpoint important?
• Most POS systems are based on Windows…
• Infecting unprotected endpoints is easy
• Exfiltration of data can be easy
Session Goals
• Understand why you should Splunk the endpoint
• Believe that the Universal Forwarder is awesome
• Learn about customer success
• Get some artifacts you can use
• Bring home what you can do today
WHY?
1. It is relatively inexpensive to Splunk your endpoints, and it will improve your security posture.
2. VISIBILITY! You will have more complete information in the case of breach.
3. The information from your endpoints maps well to security guidance, including the CIS 20 and the ASD top 35.
So these happened in 2014/2015…
Endpoint/Server Vulnerabilities
Endpoint-Based Malware
Could we be more secure if we … the endpoints?
The Endpoint is important!
Closest to humans
Versatile
Under protected
Data-rich
70% of successful breaches start on the endpoint*
*IDC study 2014
Splunk Universal Forwarder for ETD*!
• “Free”
• Lightweight
• Secure
• Runs on many versions of Windows & *NIX & OS X
• Flexible
• Centrally configurable
• SCALE!
*Endpoint Threat Detection (Response?)
Come on. Is anyone using the Universal Forwarder in this way?
YES.
Use Case 1: Large Internet Company
[Architecture diagram; labels: internet, UF x 10,000!, Individual certs, DMZ, Int. forwarders, ds (install / config), on prem, … x (Many indexers), search, Proxy Logs]
• Windows event logs
• OS X /var/log/*
• Carbon Black output
• Crash logs for IT Ops
• Custom script for apps installed
• UNIX TA (upon request)
• Windows TA (upon request)
• Additional granularity for execs and their admins
• Moving to Splunk Cloud
Additional ways to gather endpoint data
Integrity Management
NG Endpoint Protection
Whitelisting
Look for apps on splunkbase!
Back to these breaches…
Endpoint-Based Malware
Registry Entries
System Event Logs
New Services
New Files
Comms/Running Proc
Security Event Logs
Known Vulns/Apps
Let’s map these to the capabilities of the UF…
Registry Entries
System Event Logs
New Services
New Files
Comms/Running Proc
Security Event Logs
Known Vulns/Apps
We configure the forwarder to give us data of interest
Registry Entries: WinRegMon
System Event Logs: WinEventLog:System
Security Event Logs: WinEventLog:Security
New Services: WinEventLog:System and WinHostMon
New Files: WinEventLog:Security + Auditing, Scripted Inputs
Comms/Running Proc: TA-Microsoft-Sysmon, Stream, WinHostMon
Windows Update: Monitor: WindowsUpdate.log
Known Vulns/Apps: Scripted Inputs or WinHostMon
Configuration examples? See demo & appendix
What could we look for?
• ANY new Windows services
• Registry being written to where it should not
• Users that shouldn’t be used
• Unusual/unapproved processes being launched and their connections/hashes
• Unusual/unapproved ports/connections in use
• Unapproved USB devices being inserted
• New files in places they should not be (Windows\System32…)
• Files that look like one thing but are really another
• New drive letters being mapped
• Lack of recent Windows updates
• Versions of software known to be vulnerable
• …and more
INSTANT, GRANULAR DATA ABOUT COMMON BEHAVIOR OF WINDOWS MALWARE!
Use Case 2: UF for ATM Security + Fraud
• Bank uses ATMs that are Windows-based
• Each ATM has a UF installed, securely sending data to an intermediate forwarder on prem and then up to Splunk Cloud
• Data retrieved from custom ATM logs – can understand what’s going on within 1-2 seconds
• Customer reps can see what the problem is easily
• Understand baseline – when are ATMs popular? Handle the cash levels
• Understand fraud – has someone stolen a card + PIN and is hitting ATMs in close clusters? “Superman” correlation
• Conversion Opp: know that a 3rd-party bank customer hits a bank ATM every Friday for $200
Regional Bank in NE, US
What versions of what exist on my network?
Scripted Input from Windows TA or WinHostMon
Do I have known vulnerable software on endpoints?
Endpoint info critical to CSC (SANS) 20
1 & 2: Log hardware info, running procs/svcs
3: Scripted inputs to check for config issues
4: Evaluate processes/services for vulns
5: Look for malicious new services/processes
11: Look for malicious ports/protocols
12: Look for local use of priv accounts
14: Gather Windows events / *NIX logs
16: Evaluate use of screensaver locks
17: Identify lapses in local encryption
You could do all of that with the Universal Forwarder.
Similar mappings to ASD 35…
Remember this?
shellshock
• Publicly announced on 24/9/2014.
• One Vulnerability Management vendor had a plugin on 25/9. That’s pretty good!
• Others followed on 26/9 and 29/9 – not so good.
• These require authenticated scans.
Could we make this process more timely?
The Universal Forwarder as self-help guru
• If you had the Splunk UF on all of your production *NIX servers…
• You could very quickly program them to find shellshock (or ghost, or poodle, or heartbleed).
• You avoid Vulnerability Management Vendor Lag
• You could then report on remediation efforts over time.
• And the data ingest would be very small.
5 Step Vulnerability Tracking Strategy
1. On day one, become aware of vulnerability
2. Google “how to detect $vulnerability$”
3. Adopt code via script (shell, batch, etc) and place into your Splunk deployment server
4. Forwarders run code and deliver results into Splunk indexers
5. Report on the results
A good step by step
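As an added example that is not part of the deck, here is what step 3 looks like for the Shellshock case: a POSIX shell scripted input that a Universal Forwarder could run on each *NIX server, self-testing the local bash for CVE-2014-6271 and emitting one key=value event line for Splunk to index. The function names and event field names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): a Splunk scripted input that checks the
# local bash for CVE-2014-6271 (Shellshock) and prints one key=value event per
# run, so a search like "check=shellshock status=vulnerable" lists affected
# hosts. Function and field names are assumptions.

# Classify the bash at $1 (default: first bash on PATH).
# Returns "vulnerable", "patched" or "bash_not_found".
shellshock_status() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash_not_found"
        return 0
    fi
    # Canonical self-test: export a function definition with trailing code.
    # An unpatched bash runs "echo vulnerable" while importing the environment;
    # a patched bash imports the function and ignores the trailing code.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Build the event line the forwarder will ship. Splunk extracts key=value
# pairs automatically, so no props/transforms are needed for these fields.
shellshock_event() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    status=$(shellshock_status "$bash_bin")
    ver=$("$bash_bin" --version 2>/dev/null | head -n 1)
    printf 'time=%s host=%s check=shellshock cve=CVE-2014-6271 status=%s bash_version="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$status" "${ver:-unknown}"
}

# When run by the forwarder (on the interval set in inputs.conf), emit the event.
shellshock_event "$@"
```

Pushing this script through the deployment server is step 3; a search on status=vulnerable over time then gives the remediation report of step 5.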
Use Case 3: UF for Shellshock Tracking
“We wrote it on the same day and ran it – it was really fundamental to our defense.” – Mark Graff, NASDAQ
Shellshock on 20,000 Linux, Solaris, AIX servers tracked in Splunk
(Large payment processing company)
How about wire data?
• Technology Add-on or TA (Splunk_TA_stream)
• Provides a new Data Input called “Wire Data” – passively captures traffic using a modular input
  – C++ executable called “Stream Forwarder” (streamfwd)
• Captures application layer (level 7) attributes
• Automatically decrypts SSL/TLS traffic using RSA keys
Turn the UF into a little network sniffer
Stream Protocols/Platforms Supported
• UDP
• TCP
• HTTP
• IMAP
• MySQL (login/cmd/query)
• Oracle (TNS)
• PostgreSQL
• Sybase/SQL Server (TDS)
• FTP
• SMB
• NFS
• POP3
• SMTP
• LDAP/AD
• SIP
• XMPP
• AMQP
• MAPI
• IRC
• DNS
• DHCP
• RADIUS
• Diameter
• BitTorrent
• SMPP
Supports Windows 7 (64-bit), Windows 2008 R2 (64-bit), Linux (32-bit/64-bit) and Mac OS X (64-bit)
How much data?
[Chart of ingest per day for TA-microsoft-sysmon and Splunk_TA_windows: “a typical day at the office…”]
Nice try, O’Brien!
All this endpoint Splunking will blow up my license…
How much data?
That’s more like it. 16 MB of Sysmon, 5.5 MB of Windows events = 21.5 MB per endpoint.
Coverage for 1,000 Windows endpoints? 21.5 GB ingest, per day.
Sysmon with network/image filtering?
You still get…
• Start/Stop of all processes
• Process names & full command line args
• Parent/child relationships (GUIDs) between processes
• Session IDs
• Hash and user data for all processes
• File names that have their create times updated
You lose…
• Driver/DLL loads with hash data
• Network communication per process (TCP and UDP) including IP address, size, port data
• Ability to map communication back to process GUID and session ID
You retain far more function than you lose.
In Summary
1. If you’re not Splunking the data from your various endpoints today, you should be.
2. The Splunk Universal Forwarder is a super-powerful tool to use on your endpoints, free to install, scales well, can be centrally configured, and data volumes are quite reasonable.
3. The Splunk Deployment Server can be used to turn features on and off, on the fly.
4. For Windows, event data is critical. Sysmon data is great too, and free to install.
5. Other customers from many verticals are having continued success with the data they can gather from endpoints.
Sysmon Info
• Blog post from November, 2014
• App available on Splunkbase, works with current (3.1) version of Sysmon:
• Forwarder 6.2+ needed to get XML formatted Sysmon data (a good idea, cuts down on size)
Sysmon Filters
• This works for Sysmon 3.1+
• Add what you need
• If you actually want Image and Network data, add those stanzas
• [email protected] for links to example files!
Filter out all the Splunk activity
Sysmon Config Load
• sysmon -c with filename will load config
• No restart needed
• Ignore errors
• Run as admin (or script as admin)
Registry Monitoring config
• Simple examples shown here
• Email sob@splunk.com for an extensive registry monitoring config based on Autoruns
PLACEHOLDER: Winreg
Will have link and other info here detailing how to do Windows registry with sample config of 400+ registry keys to monitor.
If you monitor the right reg key you can find new USB insertions.
Registry Results
• USB inserted with BlackPOS malware
• Malware executed – these are the registry changes logged