3. About the Speaker
George Starcher, Data Security Coordinator
Was with Cinram for 14 years and discovered Splunk there
– Splunk fit my philosophy from my retail loss prevention days
“My job exists at UAB because of Splunk”
Log all the things.
– Raspberry Pi + Splunk Storm = Optimal Laundry Time
– http://www.georgestarcher.com/?p=398
4. University of Alabama at Birmingham
Problem
• No solid log collection platform
• Reduce Intrusion Detection Time
• IP to User attribution
Results
• Search functionality allows for quick and easy resolution
• Address security risks with alerts
• Resolving DMCA compliance issues is easier
6. Battling Copyright Infringement with Splunk
Identify specific users illegally sharing files
– DMCA complaint provides IP and time
– Issue is connecting the person’s user ID, IP, and MAC address
Went from taking several days to minutes for resolution
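The attribution chain described on this slide (complaint IP and time, then the MAC holding that IP, then the user authenticated on that MAC) written out as a small Python script. This is an added example, not code from the talk or from UAB: the DHCP lease and authentication log formats, field names and all sample values are constructed, and it assumes the complaint IP is a campus address that DHCP assigns directly (a NAT log lookup would have to come first for hosts behind NAT).

```python
"""
Attribute a DMCA complaint (IP + timestamp) to a user by joining DHCP lease
records (IP <-> MAC) with network authentication records (MAC <-> user ID).
Added example; log formats and values below are constructed, not real UAB data.
"""
from datetime import datetime, timedelta

# Constructed DHCP lease log: lease start, lease end, IP, MAC (hypothetical format).
DHCP_LEASES = """\
2012-09-10T07:55:00 2012-09-10T11:55:00 10.20.30.41 aa:bb:cc:dd:ee:01
2012-09-10T11:58:00 2012-09-10T15:58:00 10.20.30.41 aa:bb:cc:dd:ee:02
2012-09-10T08:10:00 2012-09-10T20:10:00 10.20.30.42 aa:bb:cc:dd:ee:03
2012-09-10T09:00:00 2012-09-10T13:00:00 10.20.30.43 aa:bb:cc:dd:ee:04
"""

# Constructed 802.1X / NAC authentication log: time, user ID, MAC (hypothetical format).
# Note there is deliberately no auth record for aa:bb:cc:dd:ee:04.
AUTH_EVENTS = """\
2012-09-10T07:54:50 jdoe aa:bb:cc:dd:ee:01
2012-09-10T11:57:40 asmith aa:bb:cc:dd:ee:02
2012-09-10T08:09:55 bwong aa:bb:cc:dd:ee:03
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_leases(text):
    """Return a list of (start, end, ip, mac) tuples; MACs normalised to lower case."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac = line.split()
        leases.append((parse_ts(start), parse_ts(end), ip, mac.lower()))
    return leases


def parse_auth(text):
    """Return a list of (time, user, mac) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mac = line.split()
        events.append((parse_ts(ts), user, mac.lower()))
    return events


def mac_for_ip_at(leases, ip, when):
    """MAC that held `ip` at `when`, or None. Overlapping leases resolve to the latest start."""
    live = [l for l in leases if l[2] == ip and l[0] <= when <= l[1]]
    if not live:
        return None
    return max(live, key=lambda l: l[0])[3]


def user_for_mac_at(events, mac, when, max_age=timedelta(hours=24)):
    """User from the most recent authentication of `mac` at or before `when`, within max_age."""
    prior = [e for e in events if e[2] == mac and e[0] <= when and when - e[0] <= max_age]
    if not prior:
        return None
    return max(prior, key=lambda e: e[0])[1]


def attribute_complaint(ip, when_str, leases=None, events=None):
    """IP + time -> MAC -> user. Each link that cannot be resolved is reported as None."""
    leases = parse_leases(DHCP_LEASES) if leases is None else leases
    events = parse_auth(AUTH_EVENTS) if events is None else events
    when = parse_ts(when_str)
    mac = mac_for_ip_at(leases, ip, when)
    user = user_for_mac_at(events, mac, when) if mac else None
    return {"ip": ip, "time": when_str, "mac": mac, "user": user}


if __name__ == "__main__":
    print(attribute_complaint("10.20.30.41", "2012-09-10T09:30:00"))
```

The two things that make this go wrong in practice are time zones (complaints usually quote UTC, lease logs usually local time; convert before comparing) and lease churn around the complaint time, which is why the script reports a partial chain (MAC but no user, or no lease at all) rather than guessing.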
9. Identifying Compromised User Credentials
Identify compromised user credentials through VPN and reverse proxy logs
– ID logging in from China to SSL VPN using Google Translate as a proxy
Reduce impact of attacks by daily review
– IPs from non-US sources
– Anything in the IP range for Google Translate
12. Saved Searches
VPN sessions from non-US sources or from the Google Translate address ranges:

sourcetype=vpn-syslog
| transaction startswith="Authentication Successful" endswith="Disconnected" keepevicted=true blazer_id
| eval ip=src_ip
| lookup dnsLookup ip
| geoip src_ip
| search src_ip_country_code=* NOT src_ip_country_code=US OR (src_ip="74.125.0.0/16" OR src_ip="207.126.144.0/20" OR src_ip="64.18.0.0/20" OR src_ip="64.233.160.0/19")
| table _time, blazer_id, uab_src_ip, src_ip, hostname, src_ip_country_name

EZproxy traffic volume per user and country for non-US sources:

index="app_ezproxy*" NOT sourcetype=ezprozy_messages NOT domain=*ebsco* NOT domain=*uab.edu
| geoip src_ip
| search NOT src_ip_country_code="US"
| eval MB=(bytes/1024/1024)
| transaction session_id
| stats sum(MB) AS totalMB by user, src_ip_country_name
| eval MB=round(totalMB,0)
| table user, src_ip_country_name, MB
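The VPN saved search above, and the daily review it supports on slide 9, re-implemented in Python so the logic can be read outside Splunk: pair each "Authentication Successful" with its "Disconnected" (keeping sessions that never disconnected, which is what keepevicted=true does), look up the source country, and flag a session when the country is not US or the address falls in one of the Google Translate ranges listed in the search. This is an added example, not the speaker's code: the syslog line format, the tiny stand-in GeoIP table and the user names are constructed; the four address ranges are the ones on the slide.

```python
"""
Flag SSL VPN sessions from non-US sources or from Google Translate proxy ranges.
Added example; log lines and the GEO table are constructed for illustration.
"""
import ipaddress
import re

# Address ranges taken from the saved search on the slide.
PROXY_RANGES = [ipaddress.ip_network(c) for c in
                ("74.125.0.0/16", "207.126.144.0/20", "64.18.0.0/20", "64.233.160.0/19")]

# Constructed stand-in for a GeoIP database (exact IP -> country code).
# 74.125.10.9 geolocates to US, which is why the range check exists at all.
GEO = {"74.125.10.9": "US", "198.51.100.7": "US", "203.0.113.5": "CN", "192.0.2.44": "US"}

# Constructed VPN syslog lines in a hypothetical vendor-neutral shape.
VPN_LOG = """\
Sep 10 08:01:02 vpn1 sslvpn: Authentication Successful user=blazer01 src_ip=198.51.100.7
Sep 10 08:02:10 vpn1 sslvpn: Authentication Successful user=blazer02 src_ip=74.125.10.9
Sep 10 08:03:33 vpn1 sslvpn: Authentication Successful user=blazer03 src_ip=203.0.113.5
Sep 10 08:40:00 vpn1 sslvpn: Disconnected user=blazer01 src_ip=198.51.100.7
Sep 10 08:45:12 vpn1 sslvpn: Disconnected user=blazer02 src_ip=74.125.10.9
Sep 10 09:00:00 vpn1 sslvpn: Authentication Successful user=blazer04 src_ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ "
    r"(?P<event>Authentication Successful|Disconnected) user=(?P<user>\S+) src_ip=(?P<ip>\S+)$"
)


def in_proxy_range(ip):
    """True if `ip` lies in any of the Google Translate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def build_sessions(log_text):
    """Pair logins with the next disconnect for the same user/IP; keep unfinished sessions open."""
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we do not understand rather than guess at them
        key = (m["user"], m["ip"])
        if m["event"] == "Authentication Successful":
            open_sessions[key] = {"user": m["user"], "src_ip": m["ip"], "start": m["ts"], "end": None}
        elif key in open_sessions:
            s = open_sessions.pop(key)
            s["end"] = m["ts"]
            sessions.append(s)
    sessions.extend(open_sessions.values())  # the keepevicted=true behaviour
    return sessions


def flag_sessions(sessions, geo=GEO, home="US"):
    """Return only the sessions worth a human look, with the reason(s) attached."""
    flagged = []
    for s in sessions:
        cc = geo.get(s["src_ip"])  # None when the lookup has no answer
        reasons = []
        if cc is not None and cc != home:
            reasons.append(f"country={cc}")
        if in_proxy_range(s["src_ip"]):
            reasons.append("translate-proxy-range")
        if reasons:
            flagged.append({**s, "country": cc, "reasons": reasons})
    return flagged


def review(log_text=VPN_LOG):
    return flag_sessions(build_sessions(log_text))


if __name__ == "__main__":
    for s in review():
        print(s)
```

The point the sample data makes is that a geo-only filter misses the translate-proxy case: the 74.125.x.x session resolves to US and would pass a country check, so the range test has to be a separate OR branch exactly as it is in the saved search.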
13. Brand Monitoring – Google Hacking
Google Hacking
– Python script taking known Google hacking search strings; uses the Google API
– Run saved searches against Google for our domain and take the results into Splunk
18. Security: Other Splunk Uses
• Until we get the Enterprise Security Application in place, we made our own dashboards
• Security Daily Events [SSH outbound, IDS/IPS events, SSH/RDP in]
• Linux Log Review [interfaces to promiscuous mode, root activity, user activity, disk/file errors, SUDO activity and SU activity]
• Rolling Hour alerts on Domain Account across multiple workstations
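The last bullet, a rolling-hour alert on one domain account appearing on several workstations, as a sliding-window check written in Python. Added example, not from the talk: the logon events are constructed in a hypothetical "time account workstation" shape, and the threshold of three distinct workstations in any 60-minute window is an assumption chosen for the sample data.

```python
"""
Alert when a domain account logs on to too many distinct workstations within
any rolling one-hour window. Added example; events and threshold are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon events: time, account, workstation (hypothetical format).
LOGONS = """\
2012-09-10T09:00:00 CORP\\alice WS-101
2012-09-10T09:10:00 CORP\\alice WS-101
2012-09-10T09:20:00 CORP\\bob WS-205
2012-09-10T09:25:00 CORP\\alice WS-118
2012-09-10T09:40:00 CORP\\alice WS-131
2012-09-10T11:00:00 CORP\\alice WS-140
"""


def parse_logons(text):
    """Return (time, account, host) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), account, host))
    events.sort()
    return events


def rolling_hour_alerts(events, threshold=3, window=timedelta(hours=1)):
    """One alert per account each time a NEW workstation pushes the distinct
    count within the trailing window to `threshold` or more."""
    recent = defaultdict(deque)  # account -> (time, host) pairs inside the window
    alerts = []
    for ts, account, host in events:
        q = recent[account]
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        seen = {h for _, h in q}
        q.append((ts, host))
        if host not in seen and len(seen) + 1 >= threshold:
            alerts.append({"account": account, "at": ts.isoformat(),
                           "hosts": sorted(seen | {host})})
    return alerts


def detect(text=LOGONS, threshold=3):
    return rolling_hour_alerts(parse_logons(text), threshold)


if __name__ == "__main__":
    for a in detect():
        print(a)
```

Alerting only when a new host crosses the threshold (rather than on every event once over it) keeps the rule from paging repeatedly for the same burst, and the window expiry is what makes the 11:00 logon in the sample data start a fresh count instead of extending the old one.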
19. AHA!
The ability to correlate the log types
The ability to keep improving parsing over time
The metadata about the data
Transaction command is really fun
Being able to pull reports for upper level management in minutes vs. taking hours to produce a single monthly report, especially with the attribution to location or system owner.
20. Deployment Gotchas
A good inventory
Making weekly progress on log collection completion
The system admins have to ensure logging configuration
– Syslog vs. local retention when moving to Splunk forwarders
Hosts behind NAT
Good index planning for delegation of access
Understand whitelist/blacklist behavior in the deployment server; don’t make typos in serverclass.conf
21. What is Next
Enterprise Security Application
Indexer Replication
Need to clean up my own enhancements into apps
Data Retention
FISMA/PCI
Retail loss prevention report. Being able to change the questions.
If you embed in a form, you have to put the IP in escaped quotes. Something to do with the parsing process of the view-to-search macro.
Note the ezproxy index wildcard naming scheme. Had an edge case of sessions open for extended periods. Still, Splunk made it easy to identify those.
Watch the 2600 magazine for the how-to.
Need to find and kill the private IP block in the Google Maps app. We can easily take our other data, such as Nessus results, etc., against the map or organizational ownership.
Also flag the “owner” of the UAB IP; very handy in seeing scans and logins across domains of responsibility.