Best Practices for Scoping
Infections and Disrupting
Breaches
@monzymerza
monzy merza
Minister of Defense, Splunk Inc.
Agenda
• Splunk Overview
• Best Practices for Scoping Infections & Disrupting Breaches
• Live Demo: Incident Investigation
• Q&A
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Make machine data accessible, usable and valuable to everyone.
The Power of Splunk
• COLLECT DATA FROM ANYWHERE
• SEARCH AND ANALYZE EVERYTHING
• GAIN REAL-TIME OPERATIONAL INTELLIGENCE
Why Splunk?
• FAST TIME-TO-VALUE
• ONE PLATFORM, MULTIPLE USE CASES
• VISIBILITY ACROSS STACK, NOT JUST SILOS
• ASK ANY QUESTION OF DATA
• ANY DATA, ANY SOURCE
Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume
Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Deployment: On-Premises, Private Cloud, Public Cloud
Ask Any Question
• Application Delivery
• Security, Compliance, and Fraud
• IT Operations
• Business Analytics
• Industrial Data and the Internet of Things
Phases of Operational Intelligence
From reactive to proactive: Search and Investigate → Proactive Monitoring and Alerting → Operational Visibility → Real-time Business Insight
Use cases across the platform: IT Operations, Application Delivery, Business Analytics, Industrial Data and Internet of Things; Developer Platform (REST API, SDKs)
Delivers Value Across IT and the Business
• Business Analytics
• Industrial Data and Internet of Things
• Security, Compliance, and Fraud
Platform for Application Delivery and IT Operations
• ROOT CAUSE AND ISSUE RESOLUTION
• PROACTIVE MONITORING AND REAL-TIME ALERTING
• DELIVER BETTER QUALITY CODE FASTER
• CLOUD APP AND INFRASTRUCTURE MONITORING
• MOBILE APP TROUBLESHOOTING
• USER & USAGE ANALYTICS
Single Platform for Security Intelligence
• SECURITY & COMPLIANCE REPORTING
• REAL-TIME MONITORING OF KNOWN THREATS
• DETECT UNKNOWN THREATS
• INCIDENT INVESTIGATIONS & FORENSICS
• FRAUD DETECTION
• INSIDER THREAT
Splunk Complements, Replaces and Goes Beyond Existing SIEMs
Best Practices for Scoping Infections & Disrupting Breaches
The Ever-changing Threat Landscape
Source: Mandiant M-Trends Report 2012/2013/2014
• 67% – Victims notified by external entity
• 100% – Valid credentials were used
• 229 – Median # of days before detection
Data Sources Required
Four categories: Threat Intelligence, Network, Endpoint, Access/Identity. Persist, Repeat.
Threat intelligence
• 3rd party Threat Intel
• Open source blacklist
• Internal threat intelligence
What it tells you: known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
Network
• Firewall, IDS, IPS
• DNS
• Email
• Web Proxy
• NetFlow
• Network
What it tells you: who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement
Endpoint
• AV/IPS/FW
• Malware detection
• Config Management
• Performance
• OS logs
• File System
What it tells you: running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service
Access/Identity
• Directory Services
• Asset Mgmt
• Authentication Logs
• App Services
• VPN, SSO
What it tells you: access level, privileged use/escalation, system ownership, user/system/service business criticality
The capabilities required to distinguish an infection from a breach
Capabilities - Scoping Infections and Breach
[Diagram: layered security intelligence stack]
• Analyst layer: Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search
• Context layer: Threat Intelligence; Asset & CMDB; Employee Info; Data Stores; Applications
• Raw Events from: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices
• Sources highlighted for breach scoping: Firewall, Authentication, Threat Intelligence, Servers, Endpoint
Capabilities - Scoping Infections and Breach
• Analytics
• Context & Intelligence
• Connecting Data and People
Adversary Perspective - Attack Kill Chain
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Exploitation != GameOver
Kill Chain – Breach Example
• Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, and emails it to the target. The target reads the email and opens the attachment.
• Exploitation / Installation: The .pdf executes and unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe).
• C2 (WEB): http (web) session to the command & control server.
• Actions on Objectives: Remote control, steal data, persist in company, rent as botnet.
Data source categories that observe these stages: Threat intelligence, Access/Identity, Endpoint, Network.
Demo
Demo Review
• Challenge:
  • Difficult to go from threat-intel match to root cause
  • Hard to determine – was there a breach?
• Sources
  • Threat Intel – open source threat intel feed
  • Network – web proxy logs, email logs
  • Endpoint – endpoint monitoring agent
  • Access/Identity – asset management database
• Finding the root cause: connecting the dots
  • Match the threat-intel IP to network data to identify the infected machine
  • Identify the malicious process by mapping network data to endpoint data
  • Discover the infected email by matching local file access to email data
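The three "connecting the dots" pivots of the demo review, run over the four data-source categories from the Data Sources Required slide, as an added example that is not part of the deck and not Splunk's own code. It is plain Python over constructed records rather than SPL searches so that it runs offline; the threat-intel address, proxy, asset, endpoint and mail records, the host, user and process names, and the `scope` helper are all constructed for illustration.

```python
"""Connect the dots from a threat-intel match to root cause.

Added example (not code from the deck). Each list below is a constructed
stand-in for one of the four data-source categories the deck names; all
addresses, hosts, users, paths and file names are made up.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Optional

# Threat intelligence: blacklist of known C2 addresses (constructed).
THREAT_INTEL = {"198.51.100.23": "known C2 relay"}

# Network: web proxy log. The third record is a host with a proxy hit but
# no endpoint corroboration, to show an unconfirmed match (constructed).
PROXY_LOG = [
    {"ts": "2015-06-01T09:14:02Z", "src_ip": "10.0.0.17", "dest_ip": "198.51.100.23"},
    {"ts": "2015-06-01T09:15:10Z", "src_ip": "10.0.0.42", "dest_ip": "203.0.113.8"},
    {"ts": "2015-06-01T09:16:45Z", "src_ip": "10.0.0.99", "dest_ip": "198.51.100.23"},
]

# Access/Identity: asset management database, IP -> host and user (constructed).
ASSETS = {
    "10.0.0.17": {"host": "WS-FIN-017", "user": "jdoe"},
    "10.0.0.42": {"host": "WS-ENG-042", "user": "asmith"},
    "10.0.0.99": {"host": "WS-SEC-099", "user": "secscan"},
}

# Endpoint: agent records of network connections by process and of file
# reads by process. calc.exe talking to a C2 mirrors the deck's
# "overwriting and running allowed programs" (constructed).
ENDPOINT_NET = [
    {"host": "WS-FIN-017", "pid": 4412, "process": "calc.exe", "dest_ip": "198.51.100.23"},
]
ENDPOINT_FILES = [
    {"host": "WS-FIN-017", "pid": 4412, "process": "calc.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice_q2.pdf"},
    {"host": "WS-FIN-017", "pid": 3001, "process": "AcroRd32.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice_q2.pdf"},
]

# Network: mail gateway log, recipient -> sender and attachment (constructed).
MAIL_LOG = [
    {"ts": "2015-06-01T08:58:31Z", "rcpt": "jdoe",
     "sender": "billing@example.net", "attachment": "invoice_q2.pdf"},
]


@dataclass
class Finding:
    """One threat-intel match and everything pivoted from it."""
    src_ip: str
    indicator: str
    host: Optional[str] = None
    user: Optional[str] = None
    process: Optional[str] = None
    pid: Optional[int] = None
    files: list = field(default_factory=list)
    email: Optional[dict] = None

    @property
    def verdict(self) -> str:
        # Without an endpoint process behind the connection we only have
        # an infection hypothesis; with the email we have the root cause.
        if self.process is None:
            return "intel match only"
        if self.email is None:
            return "infection confirmed, delivery unknown"
        return "infection confirmed, root cause identified"


def scope(proxy_log, intel, assets, endpoint_net, endpoint_files, mail_log):
    """Run the three pivots from the demo review over the given sources."""
    findings = []
    for rec in proxy_log:
        # Pivot 1: threat-intel IP -> network data -> infected machine.
        if rec["dest_ip"] not in intel:
            continue
        f = Finding(src_ip=rec["src_ip"], indicator=rec["dest_ip"])
        asset = assets.get(rec["src_ip"])
        if asset:
            f.host, f.user = asset["host"], asset["user"]
        # Pivot 2: network data -> endpoint data -> process that spoke to C2.
        for ev in endpoint_net:
            if ev["host"] == f.host and ev["dest_ip"] == rec["dest_ip"]:
                f.process, f.pid = ev["process"], ev["pid"]
                break
        # Pivot 3: that process's local file access -> email attachment.
        if f.pid is not None:
            f.files = [ev["path"] for ev in endpoint_files
                       if ev["host"] == f.host and ev["pid"] == f.pid]
        names = {ntpath.basename(p) for p in f.files}
        for m in mail_log:
            if m["attachment"] in names and m["rcpt"] == f.user:
                f.email = m
                break
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scope(PROXY_LOG, THREAT_INTEL, ASSETS, ENDPOINT_NET, ENDPOINT_FILES, MAIL_LOG):
        print(f"{f.host} ({f.user}) -> {f.indicator}: {f.verdict}")
        if f.email:
            print(f"  delivered by {f.email['sender']} as {f.email['attachment']}")
```

The second match (WS-SEC-099) never gets past pivot 1 because no endpoint record ties a process to the connection, so it stays at "intel match only": a threat-intel hit in proxy data is a reason to look at the host, not by itself proof of an infection, and certainly not of a breach. Only the host whose endpoint data, file access and mail log all line up reaches a root cause.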
Best Practices – Breach Response Posture
• Bring in data from (minimum at least one from each category):
  • Network – next gen firewall or web proxy, email, dns
  • Endpoint – windows logs, registry changes, file changes
  • Threat Intelligence – open source or subscription based
  • Access and Identity – authentication events, machine-user mapping
• Employ a security intelligence platform so analysts can:
  • Contextualize events, analytics and alerts
  • Automate their analysis and exploration
  • Share techniques and results to learn and improve
Breach Example – Disruption Opportunities
The same kill chain as in the breach example above, now read for where each data source category (Threat intelligence, Access/Identity, Endpoint, Network) offers a chance to disrupt it:
• Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, and emails it to the target. The target reads the email and opens the attachment.
• Exploitation / Installation: The .pdf executes and unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe).
• C2 (WEB): http (web) session to the command & control server.
• Actions on Objectives: Remote control, steal data, persist in company, rent as botnet.
Compromise is Inevitable
Breaches are Preventable
Splunk App for Enterprise Security
• Risk-Based Analytics
• Visualize and Discover Relationships
• Enrich Security Analysis with Threat Intelligence
Capabilities: Incident Investigations and Management; Dashboards & Reports; Statistical Outliers & Risk Scoring; Asset & Identity Aware
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
Splunk Acquires Caspida
Extends Security Analytics Leadership by Adding Behavioral Analytics to Better Detect Advanced and Insider Threats
Splunk App for Enterprise Security + Behavioral Analytics → ADVANCED THREATS + INSIDER THREATS
What does Caspida do?
Inputs: SIEM, Hadoop; Firewall, AD; Cloud, Mobile; App, DB logs; Netflow; Threat Feeds
→ Behavior Models & Decision Engine
→ Automated Threat Detection & Review: Kill Chain Detection; Ranked Threat Review; Attack Vector Discovery; Actions & Resolution
99.99% event reduction
Thousands of Global Security Customers
Industry Recognition (2012, 2013)
Thriving Community
• 40,000+ questions and answers
• 600+ apps
• Local User Groups and SplunkLive! events
• Dev.splunk.com
www.splunk.com/apptitude – July 20th, 2015 Submission deadline
The 6th Annual Splunk Worldwide Users' Conference
September 21-24, 2015 – The MGM Grand Hotel, Las Vegas
• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
  – Get Splunk Certified
  – Get CPE credits for CISSP, CAP, SSCP, etc.
  – Save thousands on Splunk education!
Register at: conf.splunk.com
We Want to Hear your Feedback!
After the Breakout Sessions conclude, text Splunk to 878787 and be entered for a chance to win a $100 AMEX gift card!
Next Steps
• Info, case study, analyst reports: Splunk.com > Solutions > Security & Fraud
• Try Splunk Enterprise for free! Download Splunk: http://www.splunk.com/download
• Splunk.com > Community > Documentation > Search Tutorial – in 30 minutes: imported data, run searches, created reports
• Free apps at Splunk.com > Community > Apps
• Contact sales team at Splunk.com > About Us > Contact
[Chart: Traditional SIEM vs. Splunk]
Thank You
Questions?
monzy@splunk.com
@monzymerza

Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Kürzlich hochgeladen

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Best Practices for Scoping Infections and Disrupting Breaches

  • 1. Best Practices for Scoping Infections and Disrupting Breaches. @monzymerza, monzy merza, Minister of Defense, Splunk Inc.
  • 3. Legal Notices. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  • 4. Make machine data accessible, usable and valuable to everyone.
  • 5. The Power of Splunk: collect data from anywhere; search and analyze everything; gain real-time operational intelligence.
  • 6. Why Splunk? Fast time-to-value. One platform, multiple use cases. Visibility across the stack, not just silos. Ask any question of data. Any data, any source.
  • 7. Turning Machine Data Into Business Value. Index untapped data of any source, type and volume: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; on-premises, private cloud, public cloud. Ask any question: application delivery; security, compliance and fraud; IT operations; business analytics; industrial data and the Internet of Things.
  • 8. Phases of Operational Intelligence: reactive (search and investigate); proactive (monitoring and alerting); operational visibility; proactive real-time business insight.
  • 9. Delivers Value Across IT and the Business: IT operations; application delivery; developer platform (REST API, SDKs); business analytics; industrial data and Internet of Things; security, compliance and fraud.
  • 10. Platform for Application Delivery and IT Operations: root cause and issue resolution; proactive monitoring and real-time alerting; deliver better quality code faster; cloud app and infrastructure monitoring; mobile app troubleshooting; user and usage analytics.
  • 11. Single Platform for Security Intelligence: security and compliance reporting; real-time monitoring of known threats; detect unknown threats; incident investigations and forensics; fraud detection; insider threat. Splunk complements, replaces and goes beyond existing SIEMs.
  • 13. Best Practices for Scoping Infections & Disrupting Breaches.
  • 14. The Ever-changing Threat Landscape (source: Mandiant M-Trends Report 2012/2013/2014): 67% of victims were notified by an external entity; valid credentials were used in 100% of cases; the median number of days before detection was 229.
  • 15. Data Sources Required: threat intelligence, network, endpoint, access/identity.
  • 16. Data Sources Required (persist, repeat):
    • Threat intelligence: 3rd-party threat intel, open-source blacklists, internal threat intelligence. Gives known relay/C2 sites, infected sites, IOCs, and attack/campaign intent and attribution.
    • Network: firewall, IDS, IPS; DNS; email; web proxy; NetFlow. Gives who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement.
    • Endpoint: network connections, AV/IPS/FW, malware detection, config management, performance, OS logs, file system. Gives running processes, services, process owner, registry modifications, file system changes, patching level, network connections by process/service.
    • Access/Identity: directory services, asset management, authentication logs, app services, VPN, SSO. Gives access level, privileged use/escalation, system ownership, user/system/service business criticality.
  • 17. The capabilities required to distinguish an infection from a breach.
  • 18. Capabilities – Scoping Infections and Breach. (Diagram: raw events from firewall, authentication, threat intelligence, servers, endpoint and the other sources listed on slide 7 are enriched with threat intelligence, asset and CMDB data, employee info, data stores and applications, and feed report and analyze, custom dashboards, monitor and alert, and ad hoc search.)
  • 19. Capabilities – Scoping Infections and Breach: analytics; context and intelligence; connecting data and people.
  • 20. Adversary Perspective – Attack Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives. Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  • 22. Kill Chain – Breach Example:
    • Delivery (mail): the attacker creates malware, embeds it in a .pdf and emails it to the target; the target reads the email and opens the attachment.
    • Exploitation and Installation: the .pdf executes and unpacks malware, overwriting and running "allowed" programs (calc.exe, svchost.exe).
    • C2 (web): an HTTP session to the command and control server.
    • Actions on Objectives: remote control, steal data, persist in the company, rent as a botnet.
    Data sources that can see the stages: threat intelligence, access/identity, endpoint, network.
  • 24. Demo Review.
    • Challenge: it is difficult to go from a threat-intel match to root cause, and hard to determine whether there was a breach.
    • Sources: threat intel (open-source threat intel feed); network (web proxy logs, email logs); endpoint (endpoint monitoring agent); access/identity (asset management database).
    • Finding the root cause, connecting the dots: match the threat-intel IP to network data to identify the infected machine; identify the malicious process by mapping network data to endpoint data; discover the infected email by matching local file access to email data.
  • 25. Best Practices – Breach Response Posture.
    • Bring in data from every category (at minimum one source from each): network (next-gen firewall or web proxy, email, DNS); endpoint (Windows logs, registry changes, file changes); threat intelligence (open source or subscription based); access and identity (authentication events, machine-to-user mapping).
    • Employ a security intelligence platform so analysts can contextualize events, analytics and alerts; automate their analysis and exploration; and share techniques and results to learn and improve.
  • 26. Breach Example – Disruption Opportunities (the slide 22 diagram, repeated).
  • 28. Compromise is inevitable. Breaches are preventable.
  • 29. Splunk App for Enterprise Security: risk-based analytics; visualize and discover relationships; enrich security analysis with threat intelligence.
  • 30. Splunk App for Enterprise Security: incident investigations and management; dashboards and reports; statistical outliers and risk scoring; asset- and identity-aware. Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds.
  • 31. Splunk Acquires Caspida: extends security analytics leadership by adding behavioral analytics to better detect advanced and insider threats. Splunk App for Enterprise Security + behavioral analytics, for advanced threats and insider threats.
  • 32. What does Caspida do? Inputs (SIEM, Hadoop; firewall, AD; cloud, mobile; app and DB logs; NetFlow; threat feeds) feed behavior models and a decision engine for automated threat detection and review: kill chain detection, ranked threat review, attack vector discovery, actions and resolution. 99.99% event reduction.
  • 34. Thousands of Global Security Customers.
  • 36. Thriving Community: dev.splunk.com; 40,000+ questions and answers; 600+ apps; local user groups and SplunkLive! events.
  • 38. The 6th Annual Splunk Worldwide Users’ Conference, September 21-24, 2015, The MGM Grand Hotel, Las Vegas: 50+ customer speakers; 50+ Splunk speakers; 35+ apps in the Splunk Apps Showcase; 65 technology partners; 4,000+ IT and business professionals; 2 keynote sessions; 3 days of technical content (150+ sessions); 3 days of Splunk University (get Splunk certified, get CPE credits for CISSP, CAP, SSCP, etc., save thousands on Splunk education). Register at: conf.splunk.com
  • 39. We Want to Hear Your Feedback! After the breakout sessions conclude, text Splunk to 878787 and be entered for a chance to win a $100 AMEX gift card!
  • 40. Next Steps: info, case studies and analyst reports at Splunk.com > Solutions > Security & Fraud. Try Splunk Enterprise for free: download Splunk at http://www.splunk.com/download; Splunk.com > Community > Documentation > Search Tutorial (in 30 minutes: import data, run searches, create reports). Free apps at Splunk.com > Community > Apps. Contact the sales team at Splunk.com > About Us > Contact. (Chart: Traditional SIEM vs. Splunk.)
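The "connecting the dots" procedure of the demo review (slide 24), applied to the breach scenario of slide 22, is a chain of three joins across the four data-source categories. The following is an added worked example of that chain in plain Python; it is not code from the presentation or from Splunk (the demo ran these pivots as Splunk searches), and everything in it is constructed for illustration: the threat-intel list, the asset table, the proxy, endpoint-agent and mail-gateway log lines and their key=value layout, the host and user names, the documentation-range IP addresses, and the reader process name AcroRd32.exe (the page only says "a document reader"). The process chain follows the page's scenario: the reader opens the .pdf, calc.exe is run, calc.exe spawns svchost.exe, and svchost.exe talks to the C2 address.

```python
"""Scoping an infection from a threat-intel hit: the three pivots of the
demo review (threat-intel IP -> proxy log -> endpoint process -> email),
run over constructed log lines. Formats, hosts and addresses are assumed."""
import re

# Constructed sample data (not from the page). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
THREAT_INTEL_IPS = {"203.0.113.45", "203.0.113.99"}   # assumed open-source feed

# Asset management database (access/identity source): IP -> host, owner.
ASSETS = {
    "10.1.2.33": {"host": "WS-0133", "owner": "jdoe"},
    "10.1.2.40": {"host": "WS-0140", "owner": "asmith"},
}

# Web proxy (network source).
PROXY_LOGS = [
    'ts=2015-06-01T10:02:11Z src=10.1.2.33 dst=203.0.113.45 method=POST url="http://203.0.113.45/gate.php" status=200',
    'ts=2015-06-01T10:02:40Z src=10.1.2.40 dst=198.51.100.7 method=GET url="http://198.51.100.7/news" status=200',
]

# Endpoint monitoring agent (endpoint source): file access, process creation
# with parent links, and network connections attributed to a process.
ENDPOINT_LOGS = [
    'ts=2015-06-01T09:58:02Z host=WS-0133 event=file_open pid=1500 image=AcroRd32.exe path="C:\\Users\\jdoe\\Downloads\\Q2_report.pdf"',
    'ts=2015-06-01T09:58:05Z host=WS-0133 event=process_create pid=1720 image=calc.exe parent_pid=1500 parent_image=AcroRd32.exe',
    'ts=2015-06-01T09:58:06Z host=WS-0133 event=process_create pid=1844 image=svchost.exe parent_pid=1720 parent_image=calc.exe',
    'ts=2015-06-01T10:02:11Z host=WS-0133 event=net_connect pid=1844 image=svchost.exe dst=203.0.113.45 dport=80',
    'ts=2015-06-01T10:02:39Z host=WS-0140 event=net_connect pid=900 image=chrome.exe dst=198.51.100.7 dport=80',
]

# Mail gateway (network source).
EMAIL_LOGS = [
    'ts=2015-06-01T09:40:13Z msgid=a1@mail.example sender=hr@corp.example recipient=jdoe@corp.example attachment=Q2_report.pdf',
    'ts=2015-06-01T09:41:50Z msgid=b2@mail.example sender=news@vendor.example recipient=asmith@corp.example attachment=catalog.pdf',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value log line into a dict; values may be double-quoted."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def infected_hosts(proxy_logs, intel, assets):
    """Pivot 1: threat-intel IP -> proxy log -> internal source IP -> asset record.
    Returns {host: {...}}, so a host with many C2 hits is scoped once."""
    hits = {}
    for rec in map(parse_kv, proxy_logs):
        if rec.get("dst") in intel:
            asset = assets.get(rec["src"], {"host": rec["src"], "owner": "unknown"})
            hits.setdefault(asset["host"], {"src_ip": rec["src"], "c2": rec["dst"],
                                            "owner": asset["owner"], "first_seen": rec["ts"]})
    return hits


def malicious_process_chain(endpoint_logs, host, c2):
    """Pivot 2: network data -> endpoint data. Find the process on `host` that
    connected to `c2`, then walk parent links back as far as the logs reach.
    Returns [(pid, image), ...] from the connecting process up to its root."""
    events = [r for r in map(parse_kv, endpoint_logs) if r.get("host") == host]
    creates = {r["pid"]: r for r in events if r.get("event") == "process_create"}
    for r in events:
        if r.get("event") == "net_connect" and r.get("dst") == c2:
            chain, pid = [(r["pid"], r["image"])], r["pid"]
            while pid in creates:          # stops at a pid with no creation event
                parent = creates[pid]
                pid = parent["parent_pid"]
                chain.append((pid, parent["parent_image"]))
            return chain
    return []


def delivery_email(endpoint_logs, email_logs, host, chain_pids):
    """Pivot 3: local file access -> email. Files opened by any process in the
    chain are matched by basename against mail-gateway attachment names."""
    names = set()
    for r in map(parse_kv, endpoint_logs):
        if r.get("host") == host and r.get("event") == "file_open" and r["pid"] in chain_pids:
            names.add(r["path"].replace("\\", "/").rsplit("/", 1)[-1])
    return [r for r in map(parse_kv, email_logs) if r.get("attachment") in names]


def scope_infection(intel=THREAT_INTEL_IPS, proxy=PROXY_LOGS, endpoint=ENDPOINT_LOGS,
                    email=EMAIL_LOGS, assets=ASSETS):
    """Run the three pivots; one scoping record per infected host."""
    results = []
    for host, hit in infected_hosts(proxy, intel, assets).items():
        chain = malicious_process_chain(endpoint, host, hit["c2"])
        mails = delivery_email(endpoint, email, host, {pid for pid, _ in chain})
        results.append({
            "host": host, "owner": hit["owner"], "c2": hit["c2"], "first_seen": hit["first_seen"],
            "process_chain": " <- ".join(img for _, img in chain),
            "delivery": [(m["sender"], m["recipient"], m["attachment"]) for m in mails],
        })
    return results


if __name__ == "__main__":
    for record in scope_infection():
        print(record)
```

Two points the code makes explicit that the slide only implies. First, the proxy match alone scopes only the infection (which machine, whose); it is the endpoint join that yields a process chain, and the chain is what lets an analyst judge whether the installation stage was reached and what ran afterwards. Second, pivot 3 matches only attachment names, so a renamed or re-saved file breaks the join; in a real investigation the same pivot would be repeated on file hashes or on the user's mail-client download events. The uninfected host WS-0140 is included to show that ordinary traffic to a non-listed address produces no record.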

Editor's notes

  1. That’s where we come in. Spunk’s mission is to make machine data accessible, usable, and valuable to everyone.
  2. At it’s core, the Splunk platform enables you to: Collect data from anywhere – with universal forwarding and indexing technology. Search and analyze across all your data – with powerful search and schema-on-the-fly technology. Rapidly deliver real-time insights to IT and business people This is what we call Operational Intelligence.
  3. What would you do if you could install software, point it at your data – all of it, then ask any questions you have? That’s the power of Splunk! Designed to be downloaded and installed in minutes. The same software that’s a free download scales to hundreds of terabytes of data per day, and enables you to ask questions across your entire infrastructure—even across data silos. And as you add more data, you receive more insights.
  4. Splunk collects and indexes machine data, from a single source to tens of thousands of sources. All in real time. Once in Splunk Enterprise, you can search, analyze, report-on and derive insights across all your data. Customers use Splunk across application troubleshooting, IT infrastructure monitoring, security, business analytics, and internet of things Our Splunk Cloud offering delivers Splunk Enterprise as a cloud-based Software-as-a-service – essentially empowering you with Operational Intelligence without any operational effort.
  5. Reactive – Proactive in a security context Search and Investigate as part of breach response The way you move is to get more organized in your data sources capabilities Security use case example – forensics, alerting, situaational awareness, sharing and collaboration, internal threat intel development, actor tracking
  6. Thanks Nate… The cool thing about Splunk is that both IT and business professionals can analyze machine data to get real-time visibility and operational intelligence. With our platform for machine data, organizations can improve their performance in a wide range of areas.
  7. With Splunk software and cloud services, you can quickly identify and pinpoint code-level issues at any stage of the development and release process. You can find and fix bugs quickly so you can ship product faster, gain insights into application usage and user behavior and get real time, mission-critical visibility into every step, system and process involved in building, testing and shipping new products to your customers. Splunk’s universal machine data platform empowers you to consolidate all information within a unified console to find the root-cause of issues, proactively manage events and incidents and reduce resolution times. You can quickly create alerts to proactively monitor your distributed infrastructure and complex applications/services. With Splunk MINT, our Mobile Intelligence solution, we’re now extending Operational Intelligence to Mobile Applications. With Splunk MINT, you are enabled to deliver reliable, better performing mobile apps with end-to-end visibility across mobile applications and their supporting application infrastructure. You can combine and correlate mobile app data with data from other channels such as web or desktop to gain cross-channel user and usage analytics with the Splunk platform. We have many apps that monitor cloud applications. The Splunk App for Stream enables the capture of real-time streaming wire data, across distributed infrastructures including private, public and hybrid Clouds. This enables visibility into application, business and user activity without the need for instrumentation, enhancing various operational use cases across IT, security and the business.
  8. Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
  9. Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
  10. There are three numbers in the cyber security statistics are very telling, and we should pay close attention to: 100% of breaches are done using valid credentials; And it still takes average 229 days to detect a breach; With all security technologies deployed in the enterprises, there are still 67% of , which represents 2 out 3, breaches are first reported to the enterprise by a 3rd parties (FBI, SS)
  11. You want visibility where the adversary manifests itself. Imagine a malicious email that gives delivered. what are the places you can detect it ? And respond to the breach ? Network – network based attack, lateral movement, exfiltration Endpoint – malware exploitation – data gathering, launch point Authentication – the basis of lateral movement and access to assets, intellectual property Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach You derive this rationale from the activity in your in your environment. Fusing it with the knowledge of those who have broader vantage points. And then contextualizing it with business information. Lets talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to splunk, I was a splunk customer…. And this strategy works… Lets dive into this…
  12. The capabilities required to distinguish an infection from a breach Why is it important to preserve an event?
  13. Risk Based Analytics to Align Security Operations With the Business Risk scoring framework enhances decision making by applying risk score to any data Quickly and easily assign any KSI or KPI to any event to produce risk scores Expose the contributing factors of a risk score for deeper insights Visualize and Discover Relationships for Faster Detection and Investigation Visually fuse data, context and threat-intel across the stack and time to discern any context Pre-built correlations, alerts and dashboards for detection, investigation and compliance Workflow actions and automated lookups enhance context building Enrich Security Analysis with Threat Intelligence Automatically apply threat intelligence from any number of providers Apply threat intelligence to event data as well as wire data Conduct historical analysis using new threat intelligence across all data
  14. The adversary’s success lies in a deliberate methodology. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
  15. Exploitation != Gameover when you have analysts that can use the analytics ability and contextualize it
  16. Use the animation to talk to the Zeus attack scenario described in the Zeus demo. Reconn – find vulnerability, find method most likely to gain access – locate vulnerable server with .pdf Reconn - Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf) Weaponization - Attacker creates malware and packages up in pdf and names it the same document as that on the portal (look like a good document) Delivery - Attacker spoofs (use technique to send email that looks like it’s coming from an employee of the company) a company employee email and sends to several targets at the company Exploitation – User (all it takes is one) reads email, open the attachment, exploits a vulnerable in a document reader that allows programs to run Installation – program installs several programs that over-write “good” programs on the computer – the calculator program – calc.exe Installation – calc.exe spans svchost.exe, a generic program on windows machines Command and Control – svchost.exe establishes communication to remote command and control server. Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
  17. Lets take a look at two examples. Lets see how we can do continuous monitoring for vulnerarbilities. And then lets take a look at how we can investigate an alert.
  18. Contextualization and exploration is automatic – you saw this in the field discovery menu Raw events without modification or changes – so you can auto-extract and search adhoc and tie things together as you see fit Nothing to join Create a search
  22. Risk-Based Analytics to Align Security Operations With the Business: the risk scoring framework enhances decision making by applying risk scores to any data. Quickly and easily assign any KSI or KPI to any event to align with your current priorities. Expose the contributing factors of a risk score for deeper insights. Visualize and Discover Relationships for Faster Detection and Investigation: visually fuse data, context and threat intel across the stack and time to discern relationships. Pre-built correlations, alerts and dashboards for detection, investigation and compliance. Workflow actions and automated lookups enhance context building. Enrich Security Analysis with Threat Intelligence: automatically apply threat intelligence from any number of providers. Apply threat intelligence to event data as well as wire data.
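As an added example (not the talk's own Splunk searches, and not Enterprise Security's scoring), here is the Zeus kill chain from slide 16 correlated per host and turned into the kind of per-event risk score this slide describes, run over constructed sample events. The event fields, reader process names, internal address ranges and stage weights are all assumptions; it goes slightly beyond the slide by scoring a host that shows only a single stage, to show why a partial chain ranks lower.

```python
from collections import defaultdict

def event(time, host, kind, **fields):
    return {"time": time, "host": host, "kind": kind, **fields}

# Constructed sample events (not real telemetry): one host walking the whole
# chain, one with only an external svchost.exe connection, one benign host.
EVENTS = [
    event(1, "wkstn-17", "email", attachment="Q1-report.pdf"),
    event(2, "wkstn-17", "process", parent="AcroRd32.exe", image=r"C:\Users\bob\Temp\calc.exe"),
    event(3, "wkstn-17", "process", parent="calc.exe", image=r"C:\Windows\System32\svchost.exe"),
    event(4, "wkstn-17", "netconn", image="svchost.exe", dest="198.51.100.23", port=443),
    event(1, "wkstn-09", "netconn", image="svchost.exe", dest="203.0.113.8", port=80),
    event(1, "wkstn-03", "process", parent="services.exe", image=r"C:\Windows\System32\svchost.exe"),
    event(2, "wkstn-03", "netconn", image="svchost.exe", dest="10.0.0.5", port=445),
]

READERS = {"acrord32.exe", "foxitreader.exe"}        # assumed document reader names
STAGE_SCORE = {"delivery": 10, "exploitation": 40,   # illustrative weights, not ES's
               "installation": 30, "c2": 20}

def basename(path): return path.rsplit("\\", 1)[-1].lower()
def is_internal(ip): return ip.startswith(("10.", "192.168.", "172.16."))  # assumed ranges

def stage_of(e):
    """Map one raw event to a kill-chain stage from the Zeus scenario, or None."""
    if e["kind"] == "email":
        return "delivery" if e["attachment"].lower().endswith(".pdf") else None
    if e["kind"] == "process":
        parent, image = basename(e["parent"]), basename(e["image"])
        if parent in READERS:
            return "exploitation"      # a document reader launched a program
        if parent == "calc.exe" and image == "svchost.exe":
            return "installation"      # the overwritten calc.exe spawning svchost.exe
        return None
    if e["kind"] == "netconn":
        if basename(e["image"]) == "svchost.exe" and not is_internal(e["dest"]):
            return "c2"                # svchost.exe talking to an external address
    return None

def score_hosts(events):
    """Per host: stages seen in time order (first hit only) and their summed risk."""
    seen = defaultdict(dict)
    for e in sorted(events, key=lambda x: x["time"]):
        stage = stage_of(e)
        if stage and stage not in seen[e["host"]]:
            seen[e["host"]][stage] = e["time"]
    return {h: {"stages": list(s), "score": sum(STAGE_SCORE[x] for x in s)}
            for h, s in seen.items()}
```

Calling `score_hosts(EVENTS)` ranks wkstn-17 (all four stages, score 100) above wkstn-09 (C2 only, score 20) and leaves the benign wkstn-03 out entirely.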
  23. All of this rich capability is delivered through pre-built searches, dashboards, reports and workflows. Your analysts are enabled to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity. Manage and investigate incidents by correlating event data and contextual information from any data source. Pre-built statistical capabilities identify unusual activity and reduce false positives. Automated threat intel integration ensures that new information is rapidly integrated into alerts and investigations. Enterprise Security delivers pre-built reports, dashboards and workflows across all security domains, including wire data, endpoints, network, and access and identity management.
  24. Over 2500 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
  25. We are humbled by your trust. You have confirmed to us that in partnering with you, our customers, we deliver a world-class security intelligence platform. Thank you! Before we jump into questions, some important .conf announcements…
  26. Splunk has an active community: there is an emerging ecosystem of new companies building apps on top of Splunk. They are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications. Splunk Answers is the go-to place for your questions – and answers. Our technical support is consistently rated as industry leading, and Splunk Answers has answers to thousands of questions. You can participate in meet-ups and User Groups, contribute to our forums, or attend local SplunkLive events (like this one) to hear from your peers.
  27. ----- Meeting Notes (4/22/15 10:47) ----- Splunk Apptitude is live and open. You've got 90 days to win more than $150,000 in cash and prizes. The last day to submit is July 20th, 2015. We'll announce the winners at Black Hat in August. Good luck!
  28. And finally, I would like to encourage all of you to attend our user conference in September. The energy level and passion that our customers bring to this event is simply electrifying. Combined with inspirational keynotes and 150+ breakout sessions across all areas of operational intelligence, it is simply the best forum to bring our Splunk community together, to learn about new and advanced Splunk offerings, and most of all to learn from one another.