SplunkLive! - Splunk for Security
•
4 gefällt mir•1,542 views
SplunkLive! Breakout Session - Splunk for Security
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (11)
Ähnlich wie SplunkLive! - Splunk for Security
Ähnlich wie SplunkLive! - Splunk for Security (20)
Mehr von Splunk
Mehr von Splunk (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
SplunkLive! - Splunk for Security
- 1. Copyright © 2015 Splunk Inc. Security Session Philipp Drieger Sales Engineer Beginnt um 14:30
- 2. 2 Safe Harbor Statement During the course of this presentation,we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described orto includeany suchfeatureor functionalityina futurerelease.
- 3. 3 Agenda Splunk for Security ZEUS Demo Enterprise Security Splunk User Behavior Analytics
- 6. 6 Advanced Threats Are Hard to Find 6 Cyber Criminals Nation States Insider Threats Source: Mandiant M-Trends Report 2012/2013/2014 100% Valid credentials were used 40 Average # of systems accessed 229 Median # of days before detection 67% Of victims were notified by external entity
- 7. 7 7 Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication All Data is Security Relevant = Big Data
- 8. 8 Solution: Splunk, The Engine For Machine Data 8 Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID Developer Platform Report and analyze Custom dashboards Monitor and alert Ad hoc search Real-Time Machine Data References – Coded fields, mappings, aliases Dynamic information – Stored in non-traditional formats Environmental context – Human maintained files, documents System/application – Available only using application request Intelligence/analytics – Indicators, anomaly, research, white/blacklist
- 9. 9 Fraud Detection Insider Threat Advanced Threat Detection Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting Security Intelligence Use Cases Splunk provides solutions that address SIEM use cases and more Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting
- 10. 10 1 Example Patterns of Fraud in Machine Data Industry Type of Fraud/Theft/Abuse Pattern Financial Services Account takeover Abnormally high number or dollar amounts of wire transfer withdrawals Healthcare Physician billing Physician billing for drugs outside their expertise area E-Tailing Account takeover Many accounts accessed from one IP Telecoms Calling plan abuse Customer making excessive amount of international calls on an unlimited plan Online Education Student loan fraud Student receiving federal loan has IP in “high-risk” overseas country and is absent from online classrooms and forums
- 11. 11 Insider Threat What To Look For Data Source Abnormally high number of file transfers to USB or CD/DVD OS Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site Email / web server Unusual physical access attempts (after hours, accessing unauthorized area, etc) Physical badge records / AD Above actions + employee is on an internal watchlist as result of transfer / demotion / poor review / impending layoff HR systems / above User name of terminated employee accessing internal system AD / HR systems 11
- 12. 12 Example of Advanced Threat Activities 1 HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB Conduct Business Create additional environment Gain Access to systemTransaction .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 13. 13 Connect the “Data-Dots” to See the Whole Story 1 Persist, Repeat Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, Exploit Installation Gain Trusted Access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat • Third-party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
- 14. 14 Threat intelligence Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery Accomplish Mission Security Ecosystem for Coverage and Protection Auth - User Roles, Corp Context
- 15. 15 STIX/TAXII and Open IOC 101 • Info sharing across companies and industries • Standardized XML • IOCs include IPs, web/email domains, hashes, processes, registry key, certificates
- 16. 16 Threat Intelligence in Splunk
- 17. 17 Sample TAXII Feeds User Community Organisation Cyber Threat XChange Health Information Trust Alliance Defense Security Information Exchange Defense Industrial Base Information and Sharing and Analysis Organization ICS-ISAC Industrial Control System Information Sharing and Analysis Center NH-ISAC National Health Cybersecurity Intelligence Platform National Health Information and Analysis Center FS-ISAC / Soltra Edge Financial Services Information Sharing and Analyses Center (FS-ISAC) Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal Retail Information Sharing and Analysis Center (Retail-ISAC) More: http://stixproject.github.io/supporters/
- 18. ZEUS Demo
- 20. Customer Example
- 21. 21 Sample Nasdaq - Heartbleed
- 22. 22 22 Splunk Enterprise is a well thought-out solution, designed from the outset for development and operation, and it delivers immediate results in a number of areas. “ SIEM General Project Manager, Finanz Informatik GmbH & Co. KG Challenges: Existing SIEM tools did not meet security needs – Different security information and event management (SIEM) solutions for the mainframe, network, Unix and Windows. – Difficult to correlate Security incidents accross variuos plaforms Enter Splunk: One unified solution – A single solution across platforms and functions means faster and more comprehensive investigation and resolution of security incidents – Guarantee Full protection of its customer data and at the same time reduce complexity, error rates and costs. – Alerts that identify security events, authorization violations or unusual patterns of queries. Splunk at Finanz Informatik “ “
- 23. 23 Replacing a SIEM @ Cisco 23 We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have. ““ Gavin Reid, Leader, Cisco Computer Security Incident Response Team Challenges: SIEM could not meet security needs – Very difficult to index non-security or custom app log data – Serious scale and speed issues. 10GB/day and searches took > 6 minutes – Difficult to customize with reliance on pre-built rules which generated false positives Enter Splunk: Flexible SIEM and empowered team – Easy to index any type of machine data from any source – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection – All the data + flexible searches and reporting = empowered team – 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data – Estimate Splunk is 25% the cost of a traditional SIEM
- 25. 25
- 26. 26 1Risk-based security Fast Incident Review and Investigation
- 27. 27 1Risk-based security Continuous Monitoring for Security Domains 2
- 30. 30
- 31. 31
- 32. 32
- 33. 33 Spot Suspicious Access • Simultaneous logins for single user occurring at two distant locations • Concurrent application access – password sharing or theft
- 34. 34
- 35. 35
- 36. 36 Features in Enterprise Security 4.0 Optimize multi-step analyses to improve breach detection and response Extensible Analytics & Collaboration INVESTIGATION COLLABORATION • Investigator Journal • Attack & Investigation Timeline • Open Solutions Framework • Framework App : PCI
- 39. ENTERPRISE CHALLENGES THREATS PEOPLE EFFICIENCY Cyber Attacks, Insider Threats, Hidden, Or Unknown Availability of Security Expertise Too Many Alerts And False Positives
- 40. 40 Majority of the Threat Detection Solutions focus on the KNOWNS. UNKNOWNS? What about the
- 42. DATA-SCIENCE DRIVEN BEHAVIORAL ANALYTICS BIG DATA DRIVEN SECURITY ANALYTICS MACHINE LEARNING A NEW PARADIGM
- 44. ADVANCED CYBER ATTACKS SPLUNK UBA detects & INSIDER THREATS with BEHAVIORAL THREAT DETECTION
- 47. 47 SECURITY ANALYTICS KILL-CHAIN HUNTER KEY WORKFLOWS - HUNTER Investigate suspicious users, devices, and applications Dig deeper into identified anomalies and threat indicators Look for policy violations
- 50. 50 THREAT DETECTION KEY WORKFLOWS – SOC ANALYST SOC ANALYST Quickly spot threats within your network Leverage Threat Detection workflow to investigate insider threats and cyber attacks Act on forensic details – deactivate accounts, unplug network devices, etc.
- 55. 55 INSIDER THREAT 5 USER ACTIVITIES RISK/THREAT DETECTION AREAS John logs in via VPN from 1.0.63.14 Unusual Geo (China) Unusual Activity Time3:00 PM Unusual Machine Access (lateral movement; individual + peer group) 3:15 PMJohn (Admin) performs an ssh as root to a new machine from the BizDev department Unusual Zone (CorpPCI) traversal (lateral movement)3:10 PM John performs a remote desktop on a system as Administrator on the PCI network zone 3:05 PM Unusual Activity Sequence (AD/DC Privilege Escalation) John elevates his privileges for the PCI network Excessive Data Transmission (individual + peer group) Unusual Zone combo (PCIcorp) 6:00 PMJohn (Adminroot) copies all the negotiation docs to another share on the corp zone Unusual File Access (individual + peer group)3:40 PM John (Adminroot) accesses all the excel and negotiations documents on the BizDev file shares Multiple Outgoing Connections Unusual VPN session duration (11h)11:35 PMJohn (Adminroot) uses a set of Twitter handles to chop and copy the data outside the enterprise
- 56. 56 EXTERNAL ATTACK 5 USER ACTIVITIES RISK/THREAT DETECTION AREAS Peter and Sam access a malicious website. A backdoor gets installed on their computers Malicious Domain (AGD) Unusual Browser HeaderNov 15 Unusual Machine Access for Peter (lateral movement; individual + peer group)Dec 10The attacker logs on to Domain Controller via VPN with Peter’s stolen credentials from 1.0.63.14 Unusual Browser Header for Peter and SamNov 16 The attacker uses Peter and Sam’s backdoors to download and execute WCE to crack their password Nov 16 Beacons for Peter and Sam to www.byeigs.ddns.com Peter and Sam’s machines are communicating with www.byeigs.ddns.info Unusual Machine Access for Sam Unusual File Access for Sam (individual + peer group)) Dec 10 The attacker logs in as Sam and accesses all excel and negotiations docs on the BizDev shares Unusual Activity Sequence of Admin for Sam (AD/DC Privilege Escalation)Dec 10 The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Sam. Excessive Data Transmission for Peter Unusual VPN session durationJan 14The attacker VPNs as Peter, copies the docs to an external staging IP and then logs out after 3 hours.
- 57. Copyright © 2015 Splunk Inc. Thank You! – Q&A
Hinweis der Redaktion
- Splunk Enterprise Security
- Splunk safe harbor statement.
- Lets start with today’s ever changing threat landscape: With all the news on cyber attacks and security breaches, you know we are constantly up against 3 very sophisticated adversaries: the cyber criminals, the nation states and also the malicious Insiders; All going after major stakes of our life, our company and our nation.
- The number of threats is increasing and also becoming more advanced. Today’s advanced threats are stealthy and sophisticated and evade detection from traditional, point security products that look for specific threat signatures. Above are 3 types of advanced threats. They are good at stealing confidential data, whether it be credit cards or IP, and many of their victims unfortunately end up in the headlines. Cyber criminals include the credit card theft at Target and Neiman Marcus. Nation state attacks include Iran and China attacking governments and private sector companies to steal intellectual property and/or national secrets. FYI these advanced threats are also commonly called APTs, or Advanced Persistent Threats. APT are hard to detect because they are not signature-based and hide behind legitimate credentialed activity to evade detection from traditional, point security products. Every year companies like Mandiant produce reports that describe the trends identified based on the breach investigation work that they do as part of their consulting practices. There are a couple metrics that I found interesting reading their recent reports. 100% is often via stealing password hashes or using keyloggers. Often they steal admin-level credentials so they can access many other systems and not be detected. The 40 implies that even if you see malware in one place, you need to look much further as there are likely multiple infected machines and backdoors 243 days shows how they can evade detection for months at a time. They move slow and low and do not set off alarms from point, signature-based security products like anti-malware solutions. 63% of victims were notified by an external entity. Notification usually starts with customer complaints like bank account drained or credit card maxed out. Often FBI informs them.
- There is an old parable about a group of blind men that touch an elephant to learn what it is like. Each one feels a different part, but only one part, such as the side, or the tusk. They then compare notes, and learn that they are in complete disagreement. When a sighted man walks by, the blind men also learn that they are all blind. While one’s subjective experience is true, it may not be the totality of truth. The parable is a rather apt allegory for the types of problems experienced in the past by many of our customers. Each blind man could represent a monitored data source, or a team (eg infrastructure or networks) providing a subjective view of the current security state. However these silos miss relevant activities – they only come together during escalated incidents. Data breaches often go unnoticed, attackers evading detection. Its difficult fully understand the security issue and to take decisive action without the complete picture. Splunk in this case could be the sighted man, capable of seeing the elephant as a whole. Splunk can provide end-to-end awareness by ingesting and correlating all security and infrastructure data, allowing our customers to find attackers, and threats faster, reducing the damage caused. I’m going to hand over now to my Presales Consultant, Dominique, to demo parts of the Enterprise Security App which we feel will help address some of your issues and concerns.
- Splunk can ingest any type of machine data, from any source in real time. These are listed here on the left and are flowing into Splunk for indexing. Once indexed, users can perform the use cases on the top right on the data. They can search through the data, monitor the data and be alerted in real-time if scheduled search parameters are met. The raw data can be aggregated in seconds for custom reports and dashboards. Also Splunk is a platform that developers can build on. It uses a well documented Rest API and several SDKs so developers and external; applications can directly access and act on the data within Splunk. Also, besides indexing raw data into its flat file data store, Splunk can also retrieve and index data that resides in other data stores such as a SQL database or Hadoop. Splunk can easily ingest external data to enrich existing data Splunk has indexed to increase accuracy and reduce false positives. This external could come from a wide range of sources outlined on this slide. It includes employee information from AD, asset information from a CMDB, blacklists of bad external IPs from 3rd-party threat intelligence feeds, IP ranges of critical internal networks (like a PCI-related credit cardholder environment). Correlation searches can include this external content. So for example Splunk can alert you if a low-level employee accesses a file share with critical data, but not if the file share has harmless data. Or Splunk can alert you if a user name is used specifically for an employee who no longer works for your organization. These are especially high-risk events.
- We support a full set of security intelligence use cases.. Some of you in the audience are using Splunk for the 3 traditional SIEM use cases, and doing it more effectively than using the the traditional SIEM tech! For understanding security and compliance posture in real time and conducting forensics investigation, with Splunk, you no longer have to rely on just power users ; with the simplificy Dhavany talked about, we make your whole team become Splunk Ninjas. With Splunk and all the data at your fingers tips, our customers have seen the MTTR came down from days to mins We also see more and more customers go beyond the SIEM use cases (the 3 on the right) with Splunk. With the power of analytics and visualization, our customers are better at detecting Advanced threats, the APT, the unknown, and to able to shine a bright light on user behaviors monitor and counter insider threats; With the business and security data all inside one platform, they use splunk to manage business risks such as fraud and abuse. One of our customers were able to save 10s of millions in financial fraud by leveraging data already in Splunk Thanks to all of you, your vision and championship , we have seen a great uptick in adoption of Splunk for security. So Why are the seeing the shift in our industry?
- Ultimately the patterns of fraud often are in machine data and searches can be written to look for these patterns and then alert on them. Examples are listed on this slide…there could be dozens and dozens of possible patterns…they vary based on the vertical, type of fraud, and organization….but we just listed a few here.
- Insider threat is the malicious insider (likely not technical) who is stealing confidential data. Maybe that data is customer records, financial forecasts, product roadmaps, or intellectual property. If the employee is taking the data to their next job and that is with a competitor, the stakes are higher b/c the stolen data perhaps can be used by the competitor to take market share or revenue from the organization which lost the data. Also of a course the insider could be revealing sensitive data which has national security implications, like with Edward Snowden. As with prior slide, the items listed here are just a few examples. They represent possible data loss. Is the theft of large amounts of data. Easiest is to copy vs emailing out Is data theft but via email to personal account like Gmail, or to an upload to a site like Dropbox Example could be an employee not in finance trying to badge into the floor where the finance department is after hours. Or a non-IT employee trying to badge into the physical server room These type of people are more likely to steal data out of anger/spite, or to help them with their next job Can help identify if the employee termination process is not working correctly and some of the user accounts of a terminated employee have not been disabled
- Use the animation to talk to the Zeus attack scenario described in the Zeus demo. Reconn – find vulnerability, find method most likely to gain access – locate vulnerable server with .pdf Reconn - Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf) Weaponization - Attacker creates malware and packages up in pdf and names it the same document as that on the portal (look like a good document) Delivery - Attacker spoofs (use technique to send email that looks like it’s coming from an employee of the company) a company employee email and sends to several targets at the company Exploitation – User (all it takes is one) reads email, open the attachment, exploits a vulnerable in a document reader that allows programs to run Installation – program installs several programs that over-write “good” programs on the computer – the calculator program – calc.exe Installation – calc.exe spans svchost.exe, a generic program on windows machines Command and Control – svchost.exe establishes communication to remote command and control server. Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
- Password Credential Tools: WCE Windows Credential Editor werden nicht von Virenscannern erkannt. Vor allem aktuelle Versionen.
- Cisco, the global networking company. Their internal security team uses us. 7 clusters around globe, 900GB a day, 350TB stored data. (note – while Cisco has presented this info at numerous public events, and also blogged about it, please limit this information just to the customer you are presenting to – do not make public) Some logging and SIEM solutions we have used or evaluated required considerable effort to process custom formats (custom parsers, etc.) In our experience with SIEM 1 we found it to be rigid, inflexible, and difficult to customize Modifying how We like the ability to throw data of virtually any format/structure at our logging system No API/CLI Fat java-based clients Only direct database access or worse, no alternative access Making scripting and automation more challenging In the past, it wasn’t uncommon for regular reports and ad-hoc queries run against the SIEMs to take hours to complete CSIRT undertook reevaluation of logging/SIEM project in mid-2010 running a number of trials and proof of concepts, wrapping up in early 2011 In CY12Q1 we retired the SIEM that had been in use since CY03 (NetIQ) Extensive migration project to replicate all existing playbook reports from SIEM in Splunk logging has been successful. Moved over 400 regularly scheduled reports from our SIEM into the new logging solution. Global logging solution deployed by end of CY11 Also see: http://blogs.cisco.com/security/security-logging-in-an-enterprise-part-2-of-2/ Based on sheer cost of deployment, we estimate that investment for a global logging solution was roughly 25% of what deploying a full SIEM would have cost us Began mid-2010, completed early 2011 Evaluated, trialed, Ran PoCs: Splunk and three other loggers SIEM 1 and six other SIEMs Strategy moving forward: Retire current SIEM Undertake global logging Estimated: 25% of SIEM cost Over 90% 0f the team is using the tool (where as before we primarily had analysts running reports) It is a great fit for the brand new analyst all the way up to the most seasoned investigators Much higher percentage than SIEM 1 (which required logging in via a fat client or using direct DB access) With our revamped event collection deployment we are: Indexing over 35x the volume of data we were previously Querying on average 20x faster Long Queries: With SIEM 1: 2% over 1 hour With Splunk: <0.5% over 1 hour
- Cisco, the global networking company. Their internal security team uses us. 7 clusters around globe, 900GB a day, 350TB stored data. (note – while Cisco has presented this info at numerous public events, and also blogged about it, please limit this information just to the customer you are presenting to – do not make public) Some logging and SIEM solutions we have used or evaluated required considerable effort to process custom formats (custom parsers, etc.) In our experience with SIEM 1 we found it to be rigid, inflexible, and difficult to customize Modifying how We like the ability to throw data of virtually any format/structure at our logging system No API/CLI Fat java-based clients Only direct database access or worse, no alternative access Making scripting and automation more challenging In the past, it wasn’t uncommon for regular reports and ad-hoc queries run against the SIEMs to take hours to complete CSIRT undertook reevaluation of logging/SIEM project in mid-2010 running a number of trials and proof of concepts, wrapping up in early 2011 In CY12Q1 we retired the SIEM that had been in use since CY03 (NetIQ) Extensive migration project to replicate all existing playbook reports from SIEM in Splunk logging has been successful. Moved over 400 regularly scheduled reports from our SIEM into the new logging solution. Global logging solution deployed by end of CY11 Also see: http://blogs.cisco.com/security/security-logging-in-an-enterprise-part-2-of-2/ Based on sheer cost of deployment, we estimate that investment for a global logging solution was roughly 25% of what deploying a full SIEM would have cost us Began mid-2010, completed early 2011 Evaluated, trialed, Ran PoCs: Splunk and three other loggers SIEM 1 and six other SIEMs Strategy moving forward: Retire current SIEM Undertake global logging Estimated: 25% of SIEM cost Over 90% 0f the team is using the tool (where as before we primarily had analysts running reports) It is a great fit for the brand new analyst all the way up to the most seasoned investigators Much higher percentage than SIEM 1 (which required logging in via a fat client or using direct DB access) With our revamped event collection deployment we are: Indexing over 35x the volume of data we were previously Querying on average 20x faster Long Queries: With SIEM 1: 2% over 1 hour With Splunk: <0.5% over 1 hour
- Pre-built correlation searches trigger alerts across the security stack Alerts are based on baselines of rolling time windows and not static values - Autoconfiguring thresholds improve threat detection for hard to find attacks and reduce false positives. Use the Incident Review dashboard to manage alerts, filter, assign, prioritize and comment on alerts. Incident Review dashboard is the starting point for investigation. Expand the alert tab to get more information. Use Event Actions to get contextual drill downs and acquire deeper context
- Pre-built reports and dashboards for Access Protection, Endpoint Protection, Network Protection, Asset and Identity Center Simplify monitoring and exception analysis Satisfy compliance and forensics requirements to track activity Increase the effectiveness of security and IT tools across the enterprise
- Give all users the ability to find relationships visually Visually organize and fuse any data to discern any context Create event swim lanes from from the web UI SHOW: https://es-na.demo.splunk.com/en-US/app/SplunkEnterpriseSecuritySuite/asset_investigator?form.asset=10.11.36.20
- Give all users the ability to find relationships visually Visually organize and fuse any data to discern any context Create event swim lanes from from the web UI SHOW: https://es-na.demo.splunk.com/en-US/app/SplunkEnterpriseSecuritySuite/asset_investigator?form.asset=10.11.36.20
- Let’s talk about “What’s new in Enterprise Security 4.0” First Pillar is investigation : It’s a major release because the design is to Optimized multi-step analyses, specifically for breach analysis. In order for us to accomplish the goal, we are introducing Investigator Journal which is a feature that tracks analyst’s action Attack & Investigation timeline that puts analysis events and notes in timeline to address our plan toward managing kill chain concept. Second pillar is Collaboration : We understand that security is coordination of people and expertise which involves team efforts. So, we believed that it is important to introduce, ES as Open Solutions Framework where analysts and communities can share knowledge objects or ES specific extended features. As an example, PCI app is re written on top of ES open Solutions Framework, PCI conveniently reuses features in ES, like notable events framework, threat intelligence framework, asset and identity framework.. Etc..
- Find RATs. ….
- Horizontal timeline
- Horizontal timeline