4. Legacy SIEM-type technologies aren't enough to detect insider threats and advanced adversaries, and are poorly designed for rapid incident response. [SIEM - Security Information & Event Management]
5. Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was.
Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and that they were overwhelmed with false positives.
Source: 2016 SIEM Efficiency Survey - Conducted by Netwrix
10. What is Splunk User Behavioral Analytics?
Detect advanced cyberattacks. Detect malicious insider threats.
• Anomaly Detection
• Threat Detection
• Unsupervised Machine Learning
• Behavior Baselining & Modeling
• Real-Time & Big Data Architecture
11. Insider Threat - User Activity (Day 1 ... Day 2 ... Day N)
• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
14. UBA 2.2 Latest Features
• Threat Modeling Framework: create custom threats using 60+ anomalies.
• Enhanced Security Analytics: visibility and baseline metrics around users, devices, applications and protocols.
• Risk Percentile & Dynamic Peer Groups
• Support for Additional 3rd-Party Devices
Slide: Evidence
The same survey showed that over half of the respondents are trying to employ more entry-level analysts to deal with the overwhelming (but largely worthless) alerts coming from their legacy SIEMs, and are furthermore turning to audit and compliance activities to overcome the SIEMs' drawbacks.
Sources:
http://www.bloomberg.com/research/markets/news/article.asp?docKey=600-201603150921MRKTWIREUSPR_____1249121-1
http://www.information-age.com/technology/information-management/123461162/why-big-data-and-siem-dont-always-equal-big-answers-security
Slide: Technology Development
Slide: Events Overload
Slide: Splunk Security Platform
Slide: Machine Learning Evolution
Slide: Solution – Splunk UBA
Splunk User Behavior Analytics is a cyber security and threat detection solution that helps organizations find hidden threats without using rules, signatures or human analysis.
It uses behavior modeling, peer group analysis, real-time statistical analysis, collaborative filtering and other machine learning techniques.
It has shown a 99% reduction of notable events in various customer-based case studies, enabling analysts to focus on important threats instead of wasting time confirming false positives.
Attack Defenses:
• User & Entity Behavior Baseline
• Behavioral Peer Group Analysis
• Insider Threat Detection
• IP Reputation Analysis
• Reconnaissance, Botnet and C&C Analysis
• Statistical Analysis
• Data Exfiltration Models
• Lateral Movement Analysis
• Polymorphic Attack Analysis
• Cyber Attack / External Threat Detection
• Entropy/Rare Event Detection
• User/Device Dynamic Fingerprinting
• Threat Attack Correlation
Data Sources
Key:
• Identity/Authentication: Active Directory/Domain Controller; Single Sign-on; HRIS; VPN; DNS, DHCP
• Activity: Web Gateway; Proxy Server; Firewall; DLP
• Security Products: Malware; Endpoint; IDS, IPS, AV
Optional:
• SaaS/Mobile: AWS CloudTrail; Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
• External Threat Feeds: Threat Stream, FS-ISAC or other blacklists for IPs/domains
Slide: Example – Insider Threat
Slide: Behaviour Modelling
Categories:
• Deviation from Baseline: time series; rarity, probabilistic difference; rare sequences; outliers
• Advanced Behaviour Detection: beaconing; exploit kit; malware for HTTP; malware for IP; webshell
• Graph Models: lateral movement; resource access
• Helper Models: anomalies based on rules; external alarm handlers
• Session Building: connection between events; track activity from different perspectives in a kill chain
Threat Models:
• Graph-based models
• Session-based models
• Rule-based models
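As an added example (not code from the deck or from Splunk UBA), this Python sketch shows the session building idea behind the Insider Threat slide: constructed events from several days are stitched into one session per originating user by following privilege elevations and ssh/rdp hops, and a threat is raised only when that stitched chain covers several kill-chain stages ending in exfiltration. The event fields, the STAGE mapping and the min_stages threshold are assumptions.

```python
from collections import defaultdict

# Assumed mapping from raw actions to kill-chain stages (not UBA's own).
STAGE = {"vpn_login": "initial_access", "rdp": "lateral_movement",
         "sudo": "privilege_escalation", "ssh": "lateral_movement",
         "file_read": "collection", "file_copy": "collection",
         "http_post": "exfiltration"}

# Constructed sample events (not from the deck): each looks benign on its own.
EVENTS = [
    {"day": 1, "user": "john", "action": "vpn_login", "host": "vpn-gw"},
    {"day": 1, "user": "john", "action": "rdp", "host": "pci-host-1"},
    {"day": 1, "user": "john", "action": "sudo", "host": "pci-host-1", "as": "root"},
    {"day": 1, "user": "root", "action": "ssh", "host": "pci-host-1", "dst": "fs-finance"},
    {"day": 2, "user": "root", "action": "file_read", "host": "fs-finance", "obj": "q3-forecast.xlsx"},
    {"day": 2, "user": "root", "action": "file_copy", "host": "fs-finance", "dst": "fs-corp"},
    {"day": 5, "user": "john", "action": "http_post", "host": "twitter.com"},
    {"day": 3, "user": "alice", "action": "vpn_login", "host": "vpn-gw"},
]

def build_sessions(events):
    """Attribute every event to the human account that started the chain.
    A privilege elevation maps (new identity, host) back to the elevating user;
    an ssh/rdp hop carries that mapping on to the destination host."""
    owner = {}                      # (identity, host) -> originating user
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["day"]):   # stable: same-day order kept
        who = owner.get((e["user"], e["host"]), e["user"])
        if e["action"] == "sudo":
            owner[(e["as"], e["host"])] = who
        elif e["action"] in ("ssh", "rdp") and "dst" in e:
            owner[(e["user"], e["dst"])] = who
        sessions[who].append((e["day"], STAGE[e["action"]], e["action"], e["host"]))
    return dict(sessions)

def kill_chain_coverage(sessions):
    """Per originating user: the distinct stages seen and the day span covered."""
    return {u: ({s for _, s, _, _ in evs},
                max(d for d, *_ in evs) - min(d for d, *_ in evs))
            for u, evs in sessions.items()}

def flag_insiders(events, min_stages=4):
    """Raise a threat only when one user's stitched session spans several
    stages and ends in exfiltration; single anomalies stay low-score evidence."""
    cov = kill_chain_coverage(build_sessions(events))
    return sorted(u for u, (stages, _) in cov.items()
                  if len(stages) >= min_stages and "exfiltration" in stages)
```

Run stand-alone, `flag_insiders(EVENTS)` returns `["john"]`: the root activity on fs-finance is attributed back to John through the sudo and ssh hops, so the five-stage chain surfaces even though no single event would.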