Splunk Use Cases Webinar

N/A
N/A
Protected

Academic year: 2021

Share "Splunk Use Cases Webinar"

Copied!
26
0
0

Loading.... (view fulltext now)

Full text

(1)

Exploring "Big data" Security Analytics: Use Cases and More

Dave Shackleford, SANS and Voodoo Security
Mark Seward, Sr. Director, Security and Compliance, Splunk

(2)

Recap: Webinar #1

- Security and Big Data: What's all the Hype About?
  - Defined "Big data"
  - Core use cases
    - Incident Response
    - Root cause analysis
    - Security intelligence
    - KPI analytics

© The SANS™ Institute - www.sans.org

(3)

The Need for Security Intelligence

- More and more, we need bigger data sets to analyze
- IT operational data can provide incredibly useful context and correlation points
  - DB information
  - App data
  - OS data
- SIEM gives us a lot of info, but not enough

[Figure: diagram with labels "Security Relevant Data", "All Security Relevant Data", "SIEM"]

(4)

"Ok, Ok, I'm convinced. Big data and the big data phenomenon is real. So what do I do with it?"

(5)

The Big Data Powered Business

- Less 'Gut Feeling', more 'Evidence' based decisions
- Seen as a way to increase top line revenues and reduce expenses
- New dependence on understanding the data
- Hurting my business means messing with, stealing, or interrupting the flow of my data and 'changing' my decisions

"Epsilon leverages big data and analytics. Revenues increased by 20%." (IBM)

"60% potential increase in operating margins possible with big data." (McKinsey and Co., June 2011)

(6)

The Need to 'Think Differently'

Creativity consists of Convergent and Divergent Thinking

(7)

Big-data and Creative Security Thinking

Divergent Thinking:
- The Aha moment / Spontaneous epiphany
- Remote associative processes
- Pattern-based thinking

Convergent Thinking:
- About analysis and attention
- The act of 'un-concealing': chiseling away at a problem
- Write a symphony / poem / solve an algebraic equation

(8)

Security Intelligence Requires: 'Thinking Like a Criminal'

[Figure: 'Normal' IT Services Data sources: Application Data, DHCP, Netflow, DNS, Physical Security, GPS, AD/LDAP, VPN]

- What's the modus operandi of the attacker?
- What are the most critical data sets owned by the business?
- What physical or virtual assets have the data?
- What patterns of weak-signals in 'normal' IT activities would represent 'abnormal' human or machine behaviors?

(9)

Where are my big data experts?

- Traditional security folk plus… domain knowledge
- Where will 'big data experts' be hired
- Constituents will be partners and partners constituents
- 'Hub and Spoke' design
- Fosters data-driven decision making

Meet your 'new' virtual security team

[Figure: hub-and-spoke diagram. Hub: Traditional Security Team. Spokes: Finance Team, Business Line Owners, Legal Department, IT Operations, Development, Business Service Providers]

(10)

"Let's define a new thinking process"

(11)

Big Data, Big Thinking, New Process

- What will cause the business to stop functioning?
- What's normal?
- Data SMEs from the business and security teams figure out 'what's normal' and what would not be normal
- Analysis options categorized with combinations of R/T (real-time) and historic searches
- Support for agile interpretation and iteration

Adapted from "The 'Human Element' of the Big Data Equation" by Steve Durbin, ISF, CRM magazine, November 2012

(12)

Using the Process - Example

The Steps / The Response

Business Issue:
  Service degradation causes monetary damage and customer satisfaction issues.

Construct one or more hypotheses (team creativity required):
  Unwanted bots can degrade service and steal content.

Gather data sources and expertise:
  What combinations of data would be considered definitive evidence? What might be the first signs of trouble? List all data in which this might be reflected.

Determine the analysis to be performed:
  Determine the types of data searches appropriate.

Interpret the results:
  Do the results represent false positives or false negatives? Are there good bots and bad bots?

(13)

Detecting Account Take-over

- Statistical analytics and thresholds
- Behavior of logins and password changes and resets
- Analysis of same IP - multiple password resets
- Multiple IPs resetting the same account
- How many times people change their bank information
- How many times they change their credit card information
- Does the IP address (location) match the browser language or time zone
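The signals listed on this slide, turned into checks over a constructed event sample. This is an added example, not code from the webinar or from Splunk: the key=value event format, the users, IPs, time zones and thresholds are all hypothetical, and the "statistical threshold" is a plain mean plus k standard deviations over per-IP reset counts, chosen here only to show the idea of a data-driven cutoff instead of a hard-coded one.

```python
"""Account take-over signals over constructed events (added example, hypothetical data)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def parse(text):
    """key=value event lines -> list of dicts (constructed format; values contain no spaces)."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


# Constructed sample: one IP resets four accounts, one account is reset from three IPs,
# one user's IP geolocation disagrees with the browser time zone and then changes bank details.
EVENTS = parse("""
ts=2012-11-01T09:00:00Z action=password_reset user=alice src_ip=203.0.113.5 ip_tz=America/New_York browser_tz=America/New_York
ts=2012-11-01T09:01:00Z action=password_reset user=bob src_ip=203.0.113.5 ip_tz=America/New_York browser_tz=America/New_York
ts=2012-11-01T09:02:00Z action=password_reset user=carol src_ip=203.0.113.5 ip_tz=America/New_York browser_tz=America/New_York
ts=2012-11-01T09:03:00Z action=password_reset user=dave src_ip=203.0.113.5 ip_tz=America/New_York browser_tz=America/New_York
ts=2012-11-01T10:00:00Z action=password_reset user=erin src_ip=198.51.100.7 ip_tz=Europe/Berlin browser_tz=Europe/Berlin
ts=2012-11-01T10:05:00Z action=password_reset user=erin src_ip=198.51.100.8 ip_tz=Europe/Paris browser_tz=Europe/Berlin
ts=2012-11-01T10:07:00Z action=password_reset user=erin src_ip=198.51.100.9 ip_tz=Asia/Tokyo browser_tz=Europe/Berlin
ts=2012-11-01T11:00:00Z action=login user=frank src_ip=192.0.2.44 ip_tz=Asia/Shanghai browser_tz=America/Chicago
ts=2012-11-01T11:02:00Z action=bank_change user=frank src_ip=192.0.2.44 ip_tz=Asia/Shanghai browser_tz=America/Chicago
ts=2012-11-01T11:04:00Z action=bank_change user=frank src_ip=192.0.2.44 ip_tz=Asia/Shanghai browser_tz=America/Chicago
ts=2012-11-01T11:30:00Z action=login user=grace src_ip=192.0.2.50 ip_tz=America/Chicago browser_tz=America/Chicago
ts=2012-11-01T11:31:00Z action=bank_change user=grace src_ip=192.0.2.50 ip_tz=America/Chicago browser_tz=America/Chicago
""")


def resets_per_source_ip(events):
    """Same IP, multiple resets: number of distinct accounts reset from each source IP."""
    accounts = defaultdict(set)
    for e in events:
        if e["action"] == "password_reset":
            accounts[e["src_ip"]].add(e["user"])
    return {ip: len(a) for ip, a in accounts.items()}


def outlier_ips(events, k=1.0):
    """Statistical threshold: IPs whose reset count exceeds mean + k * stddev of all IPs."""
    counts = list(resets_per_source_ip(events).items())
    if len(counts) < 2:
        return []
    values = [n for _, n in counts]
    cutoff = mean(values) + k * pstdev(values)
    return sorted(ip for ip, n in counts if n > cutoff)


def accounts_reset_from_many_ips(events, threshold=3):
    """Multiple IPs resetting the same account."""
    ips = defaultdict(set)
    for e in events:
        if e["action"] == "password_reset":
            ips[e["user"]].add(e["src_ip"])
    return sorted(u for u, s in ips.items() if len(s) >= threshold)


def tz_mismatch_users(events):
    """IP address location does not match the browser-reported time zone."""
    return sorted({e["user"] for e in events if e["ip_tz"] != e["browser_tz"]})


def frequent_changers(events, action, threshold=2):
    """Users who changed bank/card details at least `threshold` times."""
    counts = Counter(e["user"] for e in events if e["action"] == action)
    return sorted(u for u, n in counts.items() if n >= threshold)


def risk_signals(events):
    """Per-user list of signal names, so accounts hit by several signals stand out."""
    signals = defaultdict(set)
    bad_ips = set(outlier_ips(events))
    for e in events:
        if e["action"] == "password_reset" and e["src_ip"] in bad_ips:
            signals[e["user"]].add("reset_from_outlier_ip")
    for u in accounts_reset_from_many_ips(events):
        signals[u].add("reset_from_many_ips")
    for u in tz_mismatch_users(events):
        signals[u].add("tz_mismatch")
    for u in frequent_changers(events, "bank_change"):
        signals[u].add("frequent_bank_change")
    return {u: sorted(s) for u, s in signals.items()}


if __name__ == "__main__":
    for user, names in sorted(risk_signals(EVENTS).items()):
        print(user, names)
```

With only four source IPs in the sample the standard deviation is barely meaningful; in practice the baseline for the cutoff would come from the historic searches the process slide describes, with the real-time search only comparing the current window against it.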

(14)

Unknown Threat Attack Pattern - Example

(15)

Attack Pattern Modeling - Questions to Ask

- Is this the first time this person has received email from the sender?
- Is the website in the email on a known list of bad websites?
- Are there changes to host config files closely tied to a website visit?
- If so, import PCAP and flow data
- Are there DNS requests to known bad sites, or are the IP addresses of the DNS URL request and responses the same or different?
- Monitor port and protocol usage for unusual amounts or types

[Figure labels: Host based Analytics, Network based Analytics]
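The questions above chained into one correlation over constructed mail, proxy, host-change and DNS events. This is an added example, not code from the webinar or from Splunk: the event formats, hosts, sender addresses, the sender history and the known-bad domain list are hypothetical placeholders, and the 10-minute window that ties a config change to a preceding website visit is an assumed value.

```python
"""Attack-pattern questions as correlation checks over constructed events (added example)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse


def parse(text):
    """key=value event lines -> list of dicts (constructed format; values contain no spaces)."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]


def ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample events from four sources (all hosts, addresses and domains are hypothetical).
MAIL = parse("""
ts=2012-11-01T09:00:00Z to=alice from=billing@partner.example url=http://partner.example/report
ts=2012-11-01T09:10:00Z to=alice from=invoice@mail-lookalike.test url=http://lookalike.test/invoice
""")
PROXY = parse("""
ts=2012-11-01T09:12:00Z host=ws-alice url=http://lookalike.test/invoice
ts=2012-11-01T09:40:00Z host=ws-bob url=http://intranet.example/
""")
HOST_CHANGES = parse("""
ts=2012-11-01T09:15:00Z host=ws-alice file=/etc/hosts
ts=2012-11-01T12:00:00Z host=ws-bob file=/etc/resolv.conf
""")
DNS = parse("""
ts=2012-11-01T09:13:00Z host=ws-alice query=lookalike.test
ts=2012-11-01T09:41:00Z host=ws-bob query=intranet.example
""")
KNOWN_SENDERS = {"alice": {"billing@partner.example"}}  # prior mail history, constructed
BAD_DOMAINS = {"lookalike.test"}  # placeholder list, not a real threat feed


def first_time_senders(mail, known):
    """Q1: first mail from this sender to this recipient; returns (to, from, domain linked in the mail)."""
    return [(m["to"], m["from"], urlparse(m["url"]).hostname)
            for m in mail if m["from"] not in known.get(m["to"], set())]


def linked_domains_on_bad_list(mail, bad):
    """Q2: is the website in the email on the known-bad list?"""
    return sorted({urlparse(m["url"]).hostname for m in mail
                   if urlparse(m["url"]).hostname in bad})


def config_changes_after_visit(proxy, changes, window_min=10):
    """Q3: host config file changed within `window_min` minutes after a website visit from the same host."""
    hits = []
    window = timedelta(minutes=window_min)
    for c in changes:
        for p in proxy:
            if p["host"] == c["host"] and timedelta(0) <= ts(c) - ts(p) <= window:
                hits.append((c["host"], p["url"], c["file"]))
    return hits


def bad_dns_hosts(dns, bad):
    """Q5: hosts that resolved a domain on the known-bad list."""
    return sorted({d["host"] for d in dns if d["query"] in bad})


def investigate():
    """Hosts flagged by more than one question are the ones to pull PCAP and flow data for (Q4)."""
    flagged = {}
    for host, url, _path in config_changes_after_visit(PROXY, HOST_CHANGES):
        flagged.setdefault(host, []).append("config change after visit to " + url)
    for host in bad_dns_hosts(DNS, BAD_DOMAINS):
        flagged.setdefault(host, []).append("DNS lookup of known-bad domain")
    return flagged


if __name__ == "__main__":
    print(first_time_senders(MAIL, KNOWN_SENDERS))
    print(investigate())
```

Each question on its own produces noise (first-time senders are common, config files change during patching); the value is in the join across sources on host and time, which is what narrows the PCAP pull to one workstation.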

(16)

Is Big Data Changing Security? Oh yeah.

- Zions Bancorporation presented at RSA 2012 on how analytics would change their security model forever
- The goal? Actionable, real-time security intelligence over petabytes of data.

(17)

Zions Case Study: Components

- Looked to drive deeper forensics and build complex stats models
  - Needed years of data
- Logs are still centralized
  - Using Hadoop and unstructured data file stores
- Storing:
  - DB logs
  - FW logs/events
  - Antivirus logs
  - IDS logs
  - Wire ACS transfers
  - Credit data

(18)

Even More Use Cases

- Fraud Detection
  - Patterns of user behavior vs. "other users"
- Intellectual Property Theft
  - Data access patterns over long time periods, with many sources
- Security Monitoring Optimization
  - Where are best locations for sensors and event monitoring?
  - What are best/optimal data sources?

(19)

So What is Splunk?

(20)

Splunk Collects and Indexes Any Machine Data

Copyright © 2011, Splunk Inc. Listen to your data.

[Figure: machine data sources by category]

Customer Facing Data:
- Click-stream data
- Shopping cart data
- Online transaction data

Outside the Datacenter:
- Manufacturing, logistics…
- CDRs & IPDRs
- Power consumption
- RFID data
- GPS data

Applications:
- Web logs
- Log4J, JMS, JMX
- .NET events
- Code and scripts

Networking:
- Configurations
- syslog
- SNMP
- netflow

Databases:
- Configurations
- Audit/query logs
- Tables
- Schemas

Virtualization & Cloud:
- Hypervisor
- Guest OS, Apps
- Cloud

Linux/Unix:
- Configurations
- syslog
- File system
- ps, iostat, top

Windows:
- Registry
- Event logs
- File system
- sysinternals

Data types: Configs, Messages, Traps, Alerts, Metrics, Scripts, Changes, Tickets, Logfiles

(21)

So What is Splunk?

[Figure: Time Index Ingestion + Text Base Search, Nested Search, Cross Data-type Search, and search commands: Cluster, Associate, Stats, AVG, Transaction, Addtotals, Delta, Eval, Stddev, Rare, Outlier, Streamstats, Timechart, Append, Abstract, Bucket, Multikv, Scrub, Join]

(22)

Splunk: Big Data Security Intelligence Platform

[Figure: Machine Data -> Statistical Analysis, Proactive Monitoring, Search and Investigation -> Security Intelligence for Business; Security Visualizations for Executives]

(23)

Enabling IT Risk Scenarios

[Figure: Security Relevant Data (Confidentiality / Integrity / Availability) feeding Business Analytics, App Mgmt, Compliance, IT Ops, Web Analytics; CSO / CIO / CEO Views; Applying IT Risk Scenarios: 'Finding Abnormal Behaviors']

(24)

Open Discussion

- What are the operational challenges with security big data analytics?
- Political issues?

(25)

Questions?

(26)

Contact

Follow-up: [email protected]

Dave Shackleford
[email protected]

Splunk
Mark Seward
[email protected]
