7. Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume
Data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Deployment: On-Premises, Private Cloud, Public Cloud
Ask Any Question
Use cases: Application Delivery; Security, Compliance, and Fraud; IT Operations; Business Analytics; Industrial Data and the Internet of Things
8. Phases of Operational Intelligence
From reactive to proactive: Search and Investigate → Proactive Monitoring and Alerting → Operational Visibility → Real-time Business Insight
9. Delivers Value Across IT and the Business
IT Operations; Application Delivery; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things; Security, Compliance, and Fraud
10. Platform for Application Delivery and IT Operations
• Root cause and issue resolution
• Proactive monitoring and real-time alerting
• Deliver better quality code faster
• Cloud app and infrastructure monitoring
• Mobile app troubleshooting
• User & usage analytics
13. Best Practices for Scoping Infections & Disrupting Breaches
14. The Ever-changing Threat Landscape
• 67% – Victims notified by external entity
• 100% – Valid credentials were used
• 229 – Median # of days before detection
Source: Mandiant M-Trends Report 2012/2013/2014
18. Capabilities - Scoping Infections and Breach
Analyst capabilities: Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search
Context: Threat Intelligence; Asset & CMDB; Employee Info; Data Stores; Applications
Raw Events from: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices
Security data sources: Firewall, Authentication, Threat Intelligence, Servers, Endpoint
19. Capabilities - Scoping Infections and Breach
Analytics, Context & Intelligence: Connecting Data and People
20. Adversary Perspective - Attack Kill Chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control (C2) → Actions on Objectives
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
22. Kill Chain – Breach Example
Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, and emails it to the target; the user reads the email and opens the attachment.
Exploitation: The .pdf executes and unpacks the malware.
Installation: The malware overwrites and runs “allowed” programs (Calc.exe, Svchost.exe).
C2 (WEB): HTTP (web) session to the command & control server.
Actions on Objectives: Remote control; Steal data; Persist in company; Rent as botnet.
Defensive data sources (left of the diagram): Threat intelligence, Access/Identity, Endpoint, Network.
25. Best Practices – Breach Response Posture
• Bring in data from (minimum at least one from each category):
  – Network – next-gen firewall or web proxy, email, DNS
  – Endpoint – Windows logs, registry changes, file changes
  – Threat Intelligence – open source or subscription based
  – Access and Identity – authentication events, machine-user mapping
• Employ a security intelligence platform so analysts can:
  – Contextualize events, analytics and alerts
  – Automate their analysis and exploration
  – Share techniques and results to learn and improve
26. Breach Example – Disruption Opportunities
Same kill chain diagram as slide 22 (Delivery, Exploitation, Installation, C2, Actions on Objectives), with the defensive data sources on the left: Threat intelligence, Access/Identity, Endpoint, Network.
27. Breach Example – Disruption Opportunities
Same kill chain diagram as slide 22 (Delivery, Exploitation, Installation, C2, Actions on Objectives), with the defensive data sources on the left: Threat intelligence, Access/Identity, Endpoint, Network.
38. The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015 The MGM Grand Hotel, Las Vegas
• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
– Get Splunk Certified
– Get CPE credits for CISSP, CAP, SSCP, etc.
– Save thousands on Splunk education!
Register at: conf.splunk.com
39. We Want to Hear Your Feedback!
After the Breakout Sessions conclude
Text Splunk to 878787
And be entered for a chance to win a $100AMEX gift card!
40. Next Steps
• Info, case study, analyst reports: Splunk.com > Solutions > Security & Fraud
• Try Splunk Enterprise for free! Download Splunk http://www.splunk.com/download
• Splunk.com > Community > Documentation > Search Tutorial – in 30 minutes: import data, run searches, create reports
• Free apps at Splunk.com > Community > Apps
• Contact sales team at Splunk.com > About Us > Contact
(Comparison slide: Traditional SIEM vs. Splunk)
That’s where we come in. Splunk’s mission is to make machine data accessible, usable, and valuable to everyone.
At its core, the Splunk platform enables you to:
Collect data from anywhere – with universal forwarding and indexing technology.
Search and analyze across all your data – with powerful search and schema-on-the-fly technology.
Rapidly deliver real-time insights to IT and business people
This is what we call Operational Intelligence.
What would you do if you could install software, point it at your data – all of it, then ask any questions you have?
That’s the power of Splunk!
Designed to be downloaded and installed in minutes. The same software that’s a free download scales to hundreds of terabytes of data per day, and enables you to ask questions across your entire infrastructure—even across data silos.
And as you add more data, you receive more insights.
Splunk collects and indexes machine data, from a single source to tens of thousands of sources. All in real time.
Once in Splunk Enterprise, you can search, analyze, report on and derive insights across all your data.
Customers use Splunk across application troubleshooting, IT infrastructure monitoring, security, business analytics, and the internet of things.
Our Splunk Cloud offering delivers Splunk Enterprise as a cloud-based Software-as-a-service – essentially empowering you with Operational Intelligence without any operational effort.
Reactive – Proactive in a security context.
Search and Investigate as part of breach response.
The way you move along that path is to get more organized in your data sources and capabilities.
Security use case examples – forensics, alerting, situational awareness, sharing and collaboration, internal threat intel development, actor tracking.
Thanks Nate…
The cool thing about Splunk is that both IT and business professionals can analyze machine data to get real-time visibility and operational intelligence.
With our platform for machine data, organizations can improve their performance in a wide range of areas.
With Splunk software and cloud services, you can quickly identify and pinpoint code-level issues at any stage of the development and release process. You can find and fix bugs quickly so you can ship product faster, gain insights into application usage and user behavior and get real time, mission-critical visibility into every step, system and process involved in building, testing and shipping new products to your customers.
Splunk’s universal machine data platform empowers you to consolidate all information within a unified console to find the root-cause of issues, proactively manage events and incidents and reduce resolution times. You can quickly create alerts to proactively monitor your distributed infrastructure and complex applications/services.
With Splunk MINT, our Mobile Intelligence solution, we’re now extending Operational Intelligence to Mobile Applications. With Splunk MINT, you are enabled to deliver reliable, better performing mobile apps with end-to-end visibility across mobile applications and their supporting application infrastructure. You can combine and correlate mobile app data with data from other channels such as web or desktop to gain cross-channel user and usage analytics with the Splunk platform.
We have many apps that monitor cloud applications. The Splunk App for Stream enables the capture of real-time streaming wire data, across distributed infrastructures including private, public and hybrid Clouds. This enables visibility into application, business and user activity without the need for instrumentation, enhancing various operational use cases across IT, security and the business.
Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
Three numbers in the cyber security statistics are very telling, and we should pay close attention to them:
100% of breaches are done using valid credentials;
It still takes an average of 229 days to detect a breach;
With all the security technologies deployed in enterprises, 67% of breaches, 2 out of 3, are still first reported to the enterprise by a third party (FBI, SS).
You want visibility where the adversary manifests itself. Imagine a malicious email that gets delivered. Where are the places you can detect it and respond to the breach?
Network – network based attack, lateral movement, exfiltration
Endpoint – malware exploitation – data gathering, launch point
Authentication – the basis of lateral movement and access to assets, intellectual property
Threat intel – External context to be fused with all these data sources, in advance of the attack or post breach
You derive this rationale from the activity in your environment, fusing it with the knowledge of those who have broader vantage points, and then contextualizing it with business information. Let's talk about each of these. Many of you in this room have told us that this is what works. And indeed, this has been my own experience. Before I came to Splunk, I was a Splunk customer…. And this strategy works… Let's dive into this…
The capabilities required to distinguish an infection from a breach
Why is it important to preserve an event?
Risk Based Analytics to Align Security Operations With the Business
Risk scoring framework enhances decision making by applying risk score to any data
Quickly and easily assign any KSI or KPI to any event to produce risk scores
Expose the contributing factors of a risk score for deeper insights
Visualize and Discover Relationships for Faster Detection and Investigation
Visually fuse data, context and threat-intel across the stack and time to discern any context
Pre-built correlations, alerts and dashboards for detection, investigation and compliance
Workflow actions and automated lookups enhance context building
Enrich Security Analysis with Threat Intelligence
Automatically apply threat intelligence from any number of providers
Apply threat intelligence to event data as well as wire data
Conduct historical analysis using new threat intelligence across all data
The adversary’s success lies in a deliberate methodology.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Exploitation != game over when you have analysts who can use the analytics capability and contextualize it.
Use the animation to talk to the Zeus attack scenario described in the Zeus demo.
Recon – find a vulnerability, find the method most likely to gain access – locate a vulnerable server with a .pdf.
Recon – Attacker attacks an extranet portal (vulnerable server) and steals a known good document (.pdf).
Weaponization – Attacker creates malware, packages it up in a pdf and names it the same as the document on the portal (so it looks like a good document).
Delivery – Attacker spoofs a company employee's email (uses a technique to send email that looks like it’s coming from an employee of the company) and sends it to several targets at the company.
Exploitation – A user (all it takes is one) reads the email and opens the attachment, which exploits a vulnerability in a document reader that allows programs to run.
Installation – The program installs several programs that overwrite “good” programs on the computer – the calculator program, calc.exe.
Installation – calc.exe spawns svchost.exe, a generic program on Windows machines.
Command and Control – svchost.exe establishes communication to a remote command and control server.
Point out – this came from a real example. The left shows the different defensive technologies that might have seen something.
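As an added example, not code from the slides or from Splunk's own software: a small Python correlator that applies the scoping logic above to constructed raw events from the four data-source categories on slide 25 (network, endpoint, access/identity, threat intelligence), builds a per-host kill-chain timeline with a machine-user mapping, and scores it. Host names, users, the attachment name, the C2 domain and the phase weights are placeholder values.

```python
from collections import defaultdict

# Constructed threat-intel feed: one known C2 domain (placeholder value).
THREAT_INTEL = {"c2_domains": {"bad-c2.example"}}

# Process launches a document reader or a "good" program should not perform;
# each maps to the kill-chain phase it evidences (from the scenario above).
SUSPICIOUS_SPAWNS = {
    ("AcroRd32.exe", "calc.exe"): "Exploitation",   # reader launching a program
    ("calc.exe", "svchost.exe"): "Installation",    # overwritten calc spawns svchost
}

# Phase weights for a simple risk score (constructed values; later phases weigh more).
WEIGHTS = {"Delivery": 1, "Exploitation": 3, "Installation": 4, "C2": 6}

# Constructed raw events, kept unmodified as on slide 18's "Raw Events" tier.
EVENTS = [
    {"src": "mail", "ts": 1, "host": "ws-17", "user": "alice", "attachment": "Q3-report.pdf"},
    {"src": "endpoint", "ts": 2, "host": "ws-17", "parent": "AcroRd32.exe", "image": "calc.exe"},
    {"src": "endpoint", "ts": 3, "host": "ws-17", "parent": "calc.exe", "image": "svchost.exe"},
    {"src": "auth", "ts": 4, "host": "ws-17", "user": "alice", "result": "success"},
    {"src": "proxy", "ts": 5, "host": "ws-17", "dest": "bad-c2.example", "method": "GET"},
    # A normal calculator launch on another host: must not raise any score.
    {"src": "endpoint", "ts": 6, "host": "ws-02", "parent": "explorer.exe", "image": "calc.exe"},
]


def phase_of(ev):
    """Map one raw event to the kill-chain phase it evidences, or None."""
    if ev["src"] == "mail" and ev.get("attachment", "").lower().endswith(".pdf"):
        return "Delivery"
    if ev["src"] == "endpoint":
        return SUSPICIOUS_SPAWNS.get((ev["parent"], ev["image"]))
    if ev["src"] == "proxy" and ev["dest"] in THREAT_INTEL["c2_domains"]:
        return "C2"
    return None


def scope(events):
    """Per-host kill-chain timeline, machine-user mapping and risk score."""
    timeline = defaultdict(list)   # host -> [(ts, phase, source)]
    users = defaultdict(set)       # host -> users seen authenticating (access/identity)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] == "auth" and ev["result"] == "success":
            users[ev["host"]].add(ev["user"])
        phase = phase_of(ev)
        if phase:
            timeline[ev["host"]].append((ev["ts"], phase, ev["src"]))
    report = {}
    for host, hits in timeline.items():
        phases = [p for _, p, _ in hits]
        report[host] = {
            "phases": phases,
            "sources": sorted({s for _, _, s in hits}),
            "users": sorted(users[host]),
            "risk": sum(WEIGHTS[p] for p in phases),
            # Reaching C2 is what separates a breach from a mere infection.
            "status": "breach" if "C2" in phases else "infection",
        }
    return report


if __name__ == "__main__":
    for host, r in scope(EVENTS).items():
        print(host, r)
```

Each data source on its own only sees one phase; the host-level timeline is what shows that ws-17 progressed from delivery through installation to C2 while ws-02's calculator launch stays benign.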
Let's take a look at two examples. Let's see how we can do continuous monitoring for vulnerabilities. And then let's take a look at how we can investigate an alert.
Contextualization and exploration are automatic – you saw this in the field discovery menu.
Raw events without modification or changes – so you can auto-extract, search ad hoc and tie things together as you see fit.
Nothing to join.
Create a search.
Risk-Based Analytics to Align Security Operations With the Business
Risk scoring framework enhances decision making by applying risk scores to any data
Quickly and easily assign any KSI or KPI to any event to align with your current priorities
Expose the contributing factors of a risk score for deeper insights
Visualize and Discover Relationships for Faster Detection and Investigation
Visually fuse data, context and threat-intel across the stack and time to discern relationships
Pre-built correlations, alerts and dashboards for detection, investigation and compliance
Workflow actions and automated lookups enhance context building
Enrich Security Analysis with Threat Intelligence
Automatically apply threat intelligence from any number of providers
Apply threat intelligence to event data as well as wire data
All of this rich capability is delivered through pre-built searches, dashboards, reports and workflows.
Your analysts are enabled to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity.
Manage and investigate incidents by correlating event data and contextual information from any data source.
Pre-built statistical capabilities identify unusual activity and reduce false positives.
Automated threat intel integration ensures that new information is rapidly integrated into alerts and investigations.
Enterprise Security delivers pre-built reports, dashboards and workflows across all security domains, including wire data, endpoints, network, and access and identity management.
Over 2500 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use it for security/compliance.
We are humbled by your trust. You have confirmed to us that in partnering with you, our customers, we deliver a world class security intelligence platform.
Thank you!
Before we jump into questions. Some important .conf announcements…
Splunk has an active community:
There is an emerging ecosystem of new companies building apps on top of Splunk. They are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications.
Splunk Answers is the go-to place for your questions – and answers. Our technical support is consistently rated as industry leading and Splunk Answers has answers to thousands of questions.
You can participate in meet-ups and User Groups, contribute to our forums, or attend local SplunkLive events (like this one) to hear from your peers.
----- Meeting Notes (4/22/15 10:47) -----
Splunk Apptitude is live and open.
You've got 90 days.
To win more than $150,000 in cash and prizes.
Last day to submit is July 20th, 2015.
We'll announce the winners at Black Hat in August.
Good luck!
And finally, I would like to encourage all of you to attend our user conference in September.
The energy level and passion that our customers bring to this event is simply electrifying.
Combined with inspirational keynotes and 150+ breakout sessions across all areas of operational intelligence,
it is simply the best forum to bring our Splunk community together, to learn about new and advanced Splunk offerings, and most of all to learn from one another.