SplunkSummit 2015 - Splunk User Behavioral Analytics

Splunk User Behavior Analytics
Nick Crofts, Senior Sales Engineer ANZ / Security SME

Uploaded by: splunk
Posted on: 07-Jan-2017
Category: Data & Analytics

TRANSCRIPT

Page 1: SplunkSummit 2015 - Splunk User Behavioral Analytics

Splunk User Behavior Analytics

Nick Crofts, Senior Sales Engineer ANZ / Security SME

Page 2: SplunkSummit 2015 - Splunk User Behavioral Analytics

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Referenced customers for the ITSI product participated in a limited release software program that included items at no charge.

Page 3: SplunkSummit 2015 - Splunk User Behavioral Analytics

ENTERPRISE CHALLENGES

THREATS: Cyber Attacks, Insider Threats, Hidden or Unknown

PEOPLE: Availability of Security Expertise

EFFICIENCY: Too Many Alerts and False Positives

Page 4: SplunkSummit 2015 - Splunk User Behavioral Analytics

How many alerts can the average SOC analyst handle in a full 8-hour work day?

Page 5: SplunkSummit 2015 - Splunk User Behavioral Analytics

24-32 alerts per 8-hour shift.

Page 6: SplunkSummit 2015 - Splunk User Behavioral Analytics

Neiman  Marcus  had  60,000    un-­‐remediated  incidents.  

Page 7: SplunkSummit 2015 - Splunk User Behavioral Analytics

60,000 alerts / 28 alerts per analyst per shift ≈ 2,143 analysts required to remediate all alerts in a single 8-hour shift.

Page 8: SplunkSummit 2015 - Splunk User Behavioral Analytics

OLD PARADIGM

SIGNATURES

RULES

HUMAN ANALYSIS

Page 9: SplunkSummit 2015 - Splunk User Behavioral Analytics

The majority of Threat Detection Solutions focus on the KNOWNS.

What about the UNKNOWNS?

Page 10: SplunkSummit 2015 - Splunk User Behavioral Analytics

SPLUNK UBA detects ADVANCED CYBER ATTACKS & INSIDER THREATS with BEHAVIORAL THREAT DETECTION

Page 11: SplunkSummit 2015 - Splunk User Behavioral Analytics

Splunk UBA adds Data-Science Driven Behavioral Analytics

A NEW PARADIGM: BIG DATA DRIVEN, AUTOMATED SECURITY ANALYTICS, MACHINE LEARNING

Page 12: SplunkSummit 2015 - Splunk User Behavioral Analytics

KEY USE-CASES

Advanced Cyber-Attacks

Malicious Insider Threats

Online ATO (Account Takeover)

Page 13: SplunkSummit 2015 - Splunk User Behavioral Analytics

WHAT DOES SPLUNK UBA DO?

DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; NetFlow, PCAP; Threat Feeds

UBA: AUTOMATED THREAT DETECTION & SECURITY ANALYTICS (Baseline, KPIs, Analytics); DATA SCIENCE DRIVEN THREAT DETECTION; 99.99% EVENT REDUCTION

Page 14: SplunkSummit 2015 - Splunk User Behavioral Analytics

MULTI-­‐ENTITY  FOCUSED  

User  

App  

Systems  (VMs,  Hosts)  

Network  

Data  

Page 15: SplunkSummit 2015 - Splunk User Behavioral Analytics

DATA SOURCES

Identity/Auth: Active Directory / Domain Controller; Single Sign-on; HRMS; VPN; DNS, DHCP

Activity (N-S, E-W): Web Gateway; Proxy Server; Firewall; NetFlow, PCAP; DLP, File Server/Host Logs; End-point; IDS, IPS, AV; AWS CloudTrail

SaaS/Mobile Security Products: Box, SF.com, Dropbox, other SaaS apps; Mobile Devices

External Threat Feeds: Malware; Norse, ThreatStream, FS-ISAC or other blacklists for IPs/domains

Legend: KEY / OPTIONAL

Page 16: SplunkSummit 2015 - Splunk User Behavioral Analytics

THE OVERALL SOLUTION

Real-Time Machine Data: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Platform: DEVELOPER PLATFORM, REPORT & ANALYZE, CUSTOM DASHBOARDS, MONITOR & ALERT, AD HOC SEARCH

UBA: MACHINE LEARNING, BEHAVIOR ANALYTICS, ANOMALY DETECTION, THREAT DETECTION, SECURITY ANALYTICS

Page 17: SplunkSummit 2015 - Splunk User Behavioral Analytics

ATTACK DEFENSES

Threat Attack Correlation

Polymorphic Attack Analysis

Behavioral Peer Group Analysis

User & Entity Behavior Baseline

Entropy/Rare Event Detection

Cyber Attack / External Threat Detection

Reconnaissance, Botnet and C&C Analysis

Lateral Movement Analysis

Statistical Analysis

Data Exfiltration Models

IP Reputation Analysis

Insider Threat Detection

User/Device Dynamic Fingerprinting

Page 18: SplunkSummit 2015 - Splunk User Behavioral Analytics

SECURITY ANALYTICS | KILL-CHAIN | HUNTER

KEY WORKFLOWS - HUNTER

• Investigate suspicious users, devices, and applications

• Dig deeper into identified anomalies and threat indicators

• Look for policy violations

Page 19: SplunkSummit 2015 - Splunk User Behavioral Analytics

THREAT DETECTION

KEY WORKFLOWS - SOC ANALYST

• Quickly spot threats within your network

• Leverage the Threat Detection workflow to investigate insider threats and cyber attacks

• Act on forensic details - deactivate accounts, unplug network devices, etc.

Page 20: SplunkSummit 2015 - Splunk User Behavioral Analytics

INSIDER THREAT

TIME | USER ACTIVITIES | RISK/THREAT DETECTION AREAS

3:00 PM | John logs in via VPN from 1.0.63.14 | Unusual Geo (China); Unusual Activity Time

3:05 PM | John elevates his privileges for the PCI network | Unusual Activity Sequence (AD/DC Privilege Escalation)

3:10 PM | John performs a remote desktop on a system as Administrator on the PCI network zone | Unusual Zone (Corp→PCI) traversal (lateral movement)

3:15 PM | John (Admin) performs an ssh as root to a new machine from the BizDev department | Unusual Machine Access (lateral movement; individual + peer group)

3:40 PM | John (Admin→root) accesses all the Excel and negotiation documents on the BizDev file shares | Unusual File Access (individual + peer group)

6:00 PM | John (Admin→root) copies all the negotiation docs to another share on the corp zone | Excessive Data Transmission (individual + peer group); Unusual Zone combo (PCI→corp)

11:35 PM | John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise | Multiple Outgoing Connections; Unusual VPN session duration (11h)
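The storyline above is a sequence of individual and peer-group baseline misses. As an added example (not code from this deck or from Splunk UBA), the following Python builds a per-user and per-department baseline from constructed history, then walks constructed events through the same checks: unusual geo, unusual hour, a host unseen by the user or by the user's peer group, a zone the user has never reached, a transfer far above the peer group's maximum, and the privilege-elevation-then-new-zone sequence. The users, hosts, zones, byte counts and anomaly weights are all invented for the illustration.

```python
# Added example, not Splunk UBA code: a toy per-user and per-department (peer
# group) baseline with the anomaly checks the storyline above relies on.
# Every user, host, zone and byte count here is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "normal" history: (user, dept, country, hour, host, zone, bytes)
HISTORY = [
    ("john", "it", "AU", 9, "jump01", "corp", 5_000),
    ("john", "it", "AU", 10, "jump01", "corp", 8_000),
    ("john", "it", "AU", 11, "db02", "corp", 12_000),
    ("john", "it", "AU", 12, "jump01", "corp", 3_000),
    ("alice", "it", "AU", 9, "jump01", "corp", 6_000),
    ("alice", "it", "AU", 11, "db02", "corp", 9_000),
    ("bob", "bizdev", "AU", 10, "files01", "corp", 40_000),
    ("bob", "bizdev", "AU", 15, "files01", "corp", 55_000),
]

# Constructed activity to score: (ts, user, action, country, host, zone, bytes)
EVENTS = [
    ("2015-09-21 15:00", "john", "vpn_login", "CN", "vpn01", "corp", 0),
    ("2015-09-21 15:05", "john", "elevate", "CN", "dc01", "corp", 0),
    ("2015-09-21 15:10", "john", "rdp", "CN", "pos-app07", "pci", 0),
    ("2015-09-21 15:15", "john", "ssh_root", "CN", "bizdev-fs01", "corp", 0),
    ("2015-09-21 15:40", "john", "file_read", "CN", "bizdev-fs01", "corp", 20_000),
    ("2015-09-21 18:00", "john", "file_copy", "CN", "share02", "corp", 4_000_000),
    ("2015-09-21 09:30", "alice", "ssh", "AU", "jump01", "corp", 4_000),
]

# Assumed weights; a real deployment learns or tunes these per model.
WEIGHTS = {"unusual_geo": 3, "unusual_time": 1, "unusual_host": 2, "unusual_peer_host": 2,
           "zone_traversal": 3, "excessive_transfer": 3, "escalation_sequence": 4}
ACCESS = {"rdp", "ssh", "ssh_root", "file_read", "file_copy"}

class Baseline:
    """Per-user and per-department profile learned from HISTORY."""
    def __init__(self, history):
        self.user = defaultdict(lambda: {"countries": set(), "hours": set(),
                                         "hosts": set(), "zones": set()})
        self.peer = defaultdict(lambda: {"hosts": set(), "max_bytes": 0})
        self.dept = {}
        for user, dept, country, hour, host, zone, nbytes in history:
            u = self.user[user]
            u["countries"].add(country); u["hours"].add(hour)
            u["hosts"].add(host); u["zones"].add(zone)
            p = self.peer[dept]
            p["hosts"].add(host); p["max_bytes"] = max(p["max_bytes"], nbytes)
            self.dept[user] = dept

def detect(baseline, events):
    """Return {user: [(ts, anomaly), ...]} in time order, i.e. the kill-chain view.
    Caveat: a user with no history looks entirely anomalous, which is why real
    systems enforce a learning period before they score anyone."""
    findings = defaultdict(list)
    last_elevation = {}
    for ts, user, action, country, host, zone, nbytes in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        u = baseline.user[user]
        p = baseline.peer[baseline.dept.get(user, "")]
        hits = []
        if country not in u["countries"]:
            hits.append("unusual_geo")
        if not any(abs(t.hour - h) <= 1 for h in u["hours"]):
            hits.append("unusual_time")
        if action in ACCESS:
            if host not in u["hosts"]:
                # unseen for the individual; unseen for the whole peer group is stronger
                hits.append("unusual_host" if host in p["hosts"] else "unusual_peer_host")
            if zone not in u["zones"]:
                hits.append("zone_traversal")
        if nbytes > 3 * p["max_bytes"]:
            hits.append("excessive_transfer")
        if action == "elevate":
            last_elevation[user] = t
        elif action in ("rdp", "ssh", "ssh_root") and user in last_elevation \
                and t - last_elevation[user] <= timedelta(minutes=30) \
                and zone not in u["zones"]:
            hits.append("escalation_sequence")   # elevate, then reach a new zone
        if hits:
            findings[user].extend((ts, h) for h in hits)
    return findings

def rank(findings):
    """Sum the weight of each distinct anomaly type per user; highest risk first."""
    totals = {u: sum(WEIGHTS[a] for a in {a for _, a in anoms})
              for u, anoms in findings.items()}
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    found = detect(Baseline(HISTORY), EVENTS)
    for user, total in rank(found):
        print(user, total)
        for ts, anomaly in found[user]:
            print("  ", ts, anomaly)
```

Two design points carry over to real deployments: the peer-group comparison is what turns "new host for John" into a much stronger signal when nobody in John's department has touched that host either, and the escalation check is a sequence rule (elevate, then reach a zone the user has never entered, within a window), which is exactly the kind of ordered pattern a single-event rule cannot express.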

Page 21: SplunkSummit 2015 - Splunk User Behavioral Analytics

DEPLOYMENT MODELS

CLUSTERED VMs

ON-PREM: UBA on clustered VMs (Enterprise)

CLOUD: UBA on AWS for Cloud/Hybrid Deployments

Both are fed from DATA SOURCES / SPLUNK ENTERPRISE

Page 22: SplunkSummit 2015 - Splunk User Behavioral Analytics

22  

MAPPING RATs TO ACTIONABLE KILL-CHAIN

(Figure: only the axis labels RAW, ANOMALIES and THREAT survive in the transcript.)

Page 23: SplunkSummit 2015 - Splunk User Behavioral Analytics

DEMO  TIME  

Page 24: SplunkSummit 2015 - Splunk User Behavioral Analytics

QUESTIONS?  

Page 25: SplunkSummit 2015 - Splunk User Behavioral Analytics

THANK  YOU!  

Page 26: SplunkSummit 2015 - Splunk User Behavioral Analytics

CUSTOMER THREATS UNCOVERED

ACCOUNT TAKEOVER • Privileged account compromise • Data loss

LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation

INSIDER THREATS • Misuse of credentials • IP theft

MALWARE ATTACKS • Hidden malware activity • Advanced Persistent Threats (APTs)

BOTNET, C&C • Malware beaconing • Data exfiltration

USER & ENTITY BEHAVIOR ANALYTICS • Login credential abuse • Suspicious behavior

Page 27: SplunkSummit 2015 - Splunk User Behavioral Analytics

ADVANCED SECURITY ANALYTICS

Page 28: SplunkSummit 2015 - Splunk User Behavioral Analytics

CUSTOMER EXAMPLES

Verticals: RETAIL, HI-TECH, MANUFACTURING, FINANCIAL

• Malicious domain activity

• Infected user accounts

• Insider threat actor watch lists

• Suspicious privileged account activity

• Fake Windows update server activity

• Asprox, Redyms malware

• Lateral movement amongst contractors

• Cryptowall ransomware

• Fiesta exploit kit

• Account takeover of privileged account

• Login irregularities and land-speed violation

• IOCs and violations

Page 29: SplunkSummit 2015 - Splunk User Behavioral Analytics

Cost-Effective Threat Detection

Sources (Enterprise, Mobile, Cloud) → Billions of incoming events (seconds) → Learn Data & Detect Anomalies (Baselines + Supporting Evidence) → Group Indicators (Threat Models, Threat Intelligence Feeds, Local/Global Threat Correlation, Indicators of Compromise) → Final Ranked Threats (for review) → Human Assisted Threat Review → Security Alert

99.99% Reduction

Page 30: SplunkSummit 2015 - Splunk User Behavioral Analytics

Splunk UBA VM-based On-Prem Physical Deployment

Splunk UBA On-Prem Deployment

Enterprise Network data sources: IAM, Active Directory; DHCP, DNS, Proxy Servers; FW, IDS, VPN Server; App Servers; Syslog; SIEM

Caspida App Server VM (UI/Ingestion), Linux: 500 GB and 100 GB network disks for the UI/Ingestion VM

Analysis VMs (VM1 ... VMn), Linux: 100 GB network disk each

Requirements:

• vSphere (ESXi v5.0+)

• Availability of storage volumes (100 GB for each Analysis VM, 500 GB for App Server)

• Splunk UBA is packaged in an OVA

Page 31: SplunkSummit 2015 - Splunk User Behavioral Analytics

Sizing*

Cluster size | 10 nodes | 40 nodes | 100 nodes

Events per sec | 50K | 200K | 500K

Events per day | 4.3B | 17.3B | 43B

TB per day | 4.3TB | 17.3TB | 43TB

*Assumes ~10-20K user accounts and 50K internal devices

Page 32: SplunkSummit 2015 - Splunk User Behavioral Analytics

Event workflow

1. Raw Events

2. Anomalies: statistical methods, security semantics

3. Threat Models: ML, patterns, sequences (e.g. lateral movement, beaconing, land-speed violation)

4. Graph Mining: anomalies graph, uber graph

5. Threats: kill chain sequence, supporting evidence, threat scoring

Continuous self-learning feeds back across all stages
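Two of the threat models the workflow names, land-speed violation and beaconing, are small enough to show end to end. The Python below is an added example, not the deck's or Splunk UBA's code: it flags consecutive logins by one user that would require travelling faster than an assumed 1000 km/h, and flags (source, destination) pairs whose inter-connection intervals are almost constant (coefficient of variation at or below an assumed 10%). The login coordinates, connection records, thresholds and hostnames are all constructed for the illustration; in production the coordinates would come from a GeoIP lookup on the source address.

```python
# Added example, not Splunk UBA code: two of the threat models the workflow
# names, land-speed violation over login events and beaconing over outbound
# connections. The coordinates, events, the 1000 km/h limit and the 10%
# interval-jitter bound are all assumptions made for this illustration.
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed logins with the geolocation a GeoIP lookup would supply: (ts, user, ip, lat, lon)
LOGINS = [
    ("2015-09-21 08:00", "john", "203.0.113.5", -33.87, 151.21),    # Sydney
    ("2015-09-21 09:30", "john", "198.51.100.7", 22.54, 114.06),    # Shenzhen, 90 min later
    ("2015-09-21 08:10", "alice", "203.0.113.9", -33.87, 151.21),   # Sydney
    ("2015-09-21 18:00", "alice", "203.0.113.40", -37.81, 144.96),  # Melbourne, same evening
]

def _series(start, src, dst, offsets_s):
    """Build constructed connection records (ts, src, dst) from second offsets."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [((t0 + timedelta(seconds=o)).strftime("%Y-%m-%d %H:%M:%S"), src, dst)
            for o in offsets_s]

# A 5-minute beacon with a few seconds of jitter, plus ordinary irregular browsing
CONNECTIONS = (
    _series("2015-09-21 10:00:00", "ws-042", "203.0.113.77",
            [0, 303, 598, 904, 1200, 1497, 1802, 2101])
    + _series("2015-09-21 10:00:00", "ws-042", "www.example.com",
              [0, 60, 960, 990, 3390, 3500])
)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def land_speed_violations(logins, max_kmh=1000.0):
    """Flag consecutive logins by one user that imply travel faster than max_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon in logins:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, lat, lon))
    out = []
    for user, rows in by_user.items():
        rows.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # two places in the same minute: infinite speed unless the distance is zero
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                out.append({"user": user, "from": ip1, "to": ip2, "km": round(km),
                            "speed_kmh": round(speed) if math.isfinite(speed) else None})
    return out

def beacons(connections, min_count=6, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    out = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")   # coefficient of variation
        if cv <= max_cv:
            out.append({"src": src, "dst": dst, "period_s": round(avg), "cv": round(cv, 3)})
    return out

if __name__ == "__main__":
    print(land_speed_violations(LOGINS))
    print(beacons(CONNECTIONS))
```

Both checks produce anomalies, not verdicts: a land-speed hit is also what a corporate VPN egress or a cloud proxy looks like, and a tight period is also what a backup agent or an NTP client looks like, which is why the workflow feeds them into threat models and scoring rather than alerting on them directly.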

Page 33: SplunkSummit 2015 - Splunk User Behavioral Analytics

Overall Model Workflow

Sources (Enterprise, Mobile, Cloud) → Data Parsing / ETL Engine → Data Profiling → Model Building (models not trained → models trained) → Threat Model Scoring (Model 1, Model 2 ... Model N) → Anomalies → Normalized Anomalies → Universal Scoring Engine → Threat Grouping Engine → Threats → Threat Review → Security Alert / Decision Making

Not a Threat? → Model Re-enforcement Learning: adjustment of model weights (optional); enable/disable models (optional)
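The normalization, universal scoring and feedback stages of this workflow can be sketched in a few dozen lines. The Python below is an added example, not the deck's or Splunk UBA's code: each model's raw outputs (on their own scales) are z-scored so they can be combined, only above-baseline behaviour contributes risk, the per-entity total is ranked, and an analyst's "not a threat" verdict down-weights every model that flagged that entity while a model can also be disabled outright. The model names, raw scores, the 0.8 re-weighting factor and the z-score choice are assumptions for the illustration.

```python
# Added example, not Splunk UBA code: a sketch of the universal scoring engine
# and the "not a threat" feedback loop from the workflow above. The model
# names, the raw score scales and the re-weighting rule are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-model outputs for three entities, each model on its own scale
RAW = {
    "lateral_movement": {"john": 8.0, "alice": 1.0, "bob": 2.0},       # new hosts reached
    "beaconing":        {"john": 0.02, "alice": 0.01, "bob": 0.9},     # periodicity score
    "land_speed":       {"john": 4900.0, "alice": 70.0, "bob": 0.0},   # implied km/h
}

class UniversalScorer:
    """Normalizes each model's anomalies, combines them with per-model weights,
    and lets analyst verdicts adjust those weights or disable a model."""
    def __init__(self, models, weight=1.0):
        self.weights = {m: weight for m in models}
        self.enabled = {m: True for m in models}

    @staticmethod
    def normalize(scores):
        """z-score one model's outputs so that models on different scales compare."""
        vals = list(scores.values())
        mu, sd = mean(vals), pstdev(vals)
        return {e: 0.0 if sd == 0 else (v - mu) / sd for e, v in scores.items()}

    def score(self, raw):
        """Return (ranked [(entity, total)], {entity: {model: contribution}})."""
        totals, contrib = defaultdict(float), defaultdict(dict)
        for model, scores in raw.items():
            if not self.enabled.get(model, False):
                continue
            for entity, z in self.normalize(scores).items():
                c = max(z, 0.0) * self.weights[model]   # only above-baseline behaviour adds risk
                totals[entity] += c
                if c > 0:
                    contrib[entity][model] = c
        ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
        return ranked, dict(contrib)

    def feedback(self, entity, contrib, is_threat, factor=0.8):
        """Analyst verdict: a false positive down-weights every model that flagged
        the entity; a confirmed threat nudges them back up."""
        for model in contrib.get(entity, {}):
            self.weights[model] *= factor if not is_threat else 1.0 / factor

    def disable(self, model):
        self.enabled[model] = False

if __name__ == "__main__":
    engine = UniversalScorer(RAW)
    ranked, contrib = engine.score(RAW)
    print(ranked)
    engine.feedback("bob", contrib, is_threat=False)   # analyst: bob's beacon is a backup job
    print(engine.score(RAW)[0])
```

The contribution map returned alongside the ranking is the "supporting evidence" an analyst needs: it says which models put an entity on the list, and it is also what makes targeted feedback possible, since only those models are re-weighted.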