Splunk Use Case Library 2016-09-29

(1)

Splunk Use Case Repository

Sept 29

th

₂₀₁₆

(2)

Splunk, Inc. +1.415.568.4200(Main) The information transmitted in this document is intended only for the addressee and may contain

confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use of or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability.

Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial, contractual and special marketing information, ideas, technical data and concepts originated by the disclosing party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public, not previously available without restriction to the receiving party or others, nor normally furnished to others without compensation, and which the disclosing party desires to protect against unrestricted disclosure or competitive use, and which is furnished pursuant to this document and appropriately identified as being proprietary when furnished.

Copyright © 2016 Splunk, Inc. All rights reserved. The Splunk logo is a registered trademark of Splunk. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners.

Version Control

SECURITY PROGRAM REVIEW

Client Name None

Client Contact

Document Issue No 2.1

Author(s) Ryan Faircloth

Delivery Date July 20th₂₀₁₆

(3)

Professional Services/Security Use Case Workshop

The use case development workshop is designed to assist the customer in the process of cataloging business drivers and requirements used to guide the customer delivery team assisted by Splunk Consultants in delivery of a solution that will meet the customers needs and budget. Using information gained from the workshop the project team will deliver a prioritized list of data sources for on data boarding and use case adoption for the cyber security operations team.

Preparation

Identify essential and beneficial staff per session based on the agenda that follows Secure meeting space

Minimize meeting location changes as this is disruptive to progress and contributes to no shows Adequate seating for attendes

One, preferable 2 projectors/screens Guest Wifi

White boards

Splunk will provide a Webex session and use digital whiteboards, and utilize recording unless the customer has objections, this is utilized to review enrich notes as needed to prepare deliverables and is not required if the customer is uncomfortable Collect supporting documentation electronically

All applicable internal policies and supporting standards such as Information Resource Classification

Information Retention and Destruction Infrastructure logging and configuration Database Logging and Configuration Application Logging and Configuration

Inventory of Standards with requirments for logging and monitoring applicable to your business

Internal Audit/Self Asessment for applicable security standards such as PCI/SOX/HIPPA inclusive current draft reports External Audit/Self Asessment for applicable security standards such as PCI/SOX/HIPPA

Identifiy the following project roles and schedule for attendance Project Manager

Senior Business Analyst

Senior Technical Analyst/Architect Senior Security Analyst

Test Lead Executive Sponsor

Executive Stakeholders or immediate deputies Compliance Analysts

Internal Assors

Typical Agenda 3 days

The following agenda can be modified collaboratively if needed, our experience has been that we must allow some blocks of time between sessions and start/end of day to avoid walk aways due to urgent business need arising during the day.

Opening Session 9:30-11:00 (all participants)

Openings and personal introductions, roles and responsibilities (all) Presentation of methodology for the workshop (splunk)

Executive Round Table discus formal and informal project drivers other goals and success criteria. Review audit findings, addressable items, mandated remediations

Review prior year penetration test findings

Review burdensome existing compliance and reporting activities

Working Sessions each session will present a set of use cases to the team for joint evaluation and prioritization based on the criteria developed in the opening session. Each session requires a representative with relevant experience in the domain and empowerment to set priority within the bounds given. A deputy for each executive stakeholder should attend working sessions additional participants are welcome.

Working Session #1 D1 11:00 13:00 (with 1 hour lunch) Review out of box use cases for Enterprise Security

Identify and catalog required data, enrichment and applicable use cases Working Session #2 D1 13:00 - 16:00

Review Professional Services/Customer developed Security Use cases Identify and catalog required data, enrichment and applicable use cases Working Session #3 D2 9:30 - 12:00

Identify and catalog required data, enrichment and applicable use cases for gap areas in enterprise endpoint estate Working Session #4 D2 13:00 - 15:00

Identify and catalog required data, enrichment and applicable use cases for gap areas in enterprise network estate Working Session #5 D3 9:30 - 12:00

(4)

Review tabled items from prior sessions, interview stake holders identified in prior sessions but not planed Review Session 14:00 - 16:00

Review items captured

(5)

1. Value Narrative and Use Case Repository . . . 5

1.1 Adoption Motivations . . . 11

1.1.1 Motivating Problem Type View . . . 12

1.1.1.1 PRT01-Compliance . . . 14

1.1.1.1.1 PRT01Compliance-PCI . . . 17

1.1.1.1.2 PRT02Compliance-NercCIP . . . 23

1.1.1.1.3 PRT03Compliance-NIST Cyber Security Framework . . . 27

1.1.1.1.4 PRT04-FFIEC . . . 34 1.1.1.2 PRT02-SecurityVisibility . . . 35 1.1.1.2.1 PRT02-IdentifyPatientZero . . . 36 1.1.1.2.2 PRT02-SecurityVisibilityEndpointMalware . . . 37 1.1.1.2.3 PRT02-SecurityVisibilityExfiltration . . . 39 1.1.1.2.4 PRT02-SecurityVisibilityLateralMovement . . . 40 1.1.1.2.5 PRT02-SecurityVisibilityPhishingAttack . . . 41 1.1.1.2.6 PRT02-SecurityVisibilityPriviledgeUserMonitoring . . . 42 1.1.1.2.7 PRT02-SecurityVisibilityUserActivity . . . 43 1.1.1.2.8 PRT02-SecurityVisibilityZeroDayAttacks . . . 45 1.1.1.2.9 PRT02-SecurityVisiblityWebbait . . . 46 1.1.1.3 PRT03-PeerAdoption . . . 47 1.1.1.3.1 PRT03-PeerAdoption-Phase1-Essentials . . . 48 1.1.1.3.2 PRT03-PeerAdoption-Phase2-Maturing . . . 50 1.1.1.3.3 PRT03-PeerAdoption-Phase3-Mature . . . 57 1.1.1.3.4 PRT03-PeerAdoption-Phase4-Edge . . . 59 1.1.1.4 PRT04-ProcessEffectivness . . . 61 1.1.1.4.1 PRT04-ProcessEffectivness-HuntPaths . . . 62 1.1.1.5 PRT05-Tactical Threat . . . 63 1.1.1.5.1 PRT05-TacticalThreat-InsiderThreat . . . 64 1.1.1.5.2 PRT05-TacticalThreat-Ransomeware . . . 66 1.1.1.5.3 PRT05-TacticalThreat-SpearphishingCampaign . . . 69 1.1.1.6 PRT06-SecureConfigurationMgmt . . . 70 1.1.1.6.1 PRT06-SecureConfigurationMgmtUpdateManagement . . . 71 1.1.1.6.2 PRT06-SecureConfigurationMgmtVulnerability . . . 72 1.1.1.7 PRT07-SpecialRequests . . . 73 1.1.1.7.1 PRT07-SpecialRequests-Creative . . . 74 1.1.1.8 PRT08-ProductAdoption . . . 75 1.1.1.8.1 PRT08-ProductAdoption-ES . . . 76

1.1.2 Motivating Risk View Perspective . . . 89

1.1.2.1 RV1-AbuseofAccess . . . 90 1.1.2.2 RV2-Access . . . 93 1.1.2.3 RV3-MaliciousCode . . . 95 1.1.2.4 RV4-ScanProbe . . . 98 1.1.2.5 RV5-DenialofService . . . 100 1.1.2.6 RV6-Misconfiguration . . . 101

1.1.3 Supporting Data View . . . 103

1.1.3.1 DS001MAIL . . . 105 1.1.3.2 DS002DNS . . . 107 1.1.3.3 DS003Authentication . . . 110 1.1.3.4 DS004EndPointAntiMalware . . . 120 1.1.3.5 DS005WebProxyRequest . . . 124 1.1.3.6 DS006UserActivity . . . 127 1.1.3.7 DS007AuditTrail . . . 130 1.1.3.8 DS008HRMasterData . . . 132 1.1.3.9 DS009EndPointIntel . . . 134 1.1.3.10 DS010NetworkCommunication . . . 137 1.1.3.11 DS011MalwareDetonation . . . 142 1.1.3.12 DS012NetworkIntrusionDetection . . . 147 1.1.3.13 DS013TicketManagement . . . 149 1.1.3.14 DS014WebServer . . . 151 1.1.3.15 DS015ConfigurationManagement . . . 153 1.1.3.16 DS016DataLossPrevention . . . 155 1.1.3.17 DS017PhysicalSecurity . . . 156 1.1.3.18 DS018VulnerabilityDetection . . . 157 1.1.3.19 DS019PatchManagement . . . 158 1.1.3.20 DS020HostIntrustionDetection . . . 159 1.1.3.21 DS021Telephony . . . 161 1.1.3.22 DS022Performance . . . 162 1.1.3.23 DS023CrashReporting . . . 163 1.1.3.24 DS024ApplicationServer . . . 164

1.1.4 Supporting Event Type View . . . 165

1.1.4.1 DS001Mail-ET01Access . . . 166

1.1.4.2 DS001Mail-ET02Receive . . . 167

(6)

1.1.4.4 DS002DNS-ET01Query . . . 169 1.1.4.4.1 DS002DNS-ET01QueryRequest . . . 171 1.1.4.4.2 DS002DNS-ET01QueryResponse . . . 172 1.1.4.5 DS003Authentication-ET01Success . . . 173 1.1.4.6 DS003Authentication-ET02Failure . . . 176 1.1.4.6.1 DS003Authentication-ET02FailureBadFactor . . . 177 1.1.4.6.2 DS003Authentication-ET02FailureError . . . 178 1.1.4.6.3 DS003Authentication-ET02FailureUnknownAccount . . . 179 1.1.4.7 DS004EndPointAntiMalware-ET01SigDetected . . . 180 1.1.4.8 DS004EndPointAntiMalware-ET02UpdatedSig . . . 183 1.1.4.9 DS004EndPointAntiMalware-ET03UpdatedEng . . . 184 1.1.4.10 DS005WebProxyRequest-ET01Requested . . . 185 1.1.4.10.1 DS005WebProxyRequest-ET01RequestedWebAppAware . . . 186 1.1.4.11 DS005WebProxyRequest-ET02Connect . . . 187 1.1.4.12 DS006UserActivity-ET01List . . . 188 1.1.4.13 DS006UserActivity-ET02Read . . . 189 1.1.4.14 DS006UserActivity-ET03Create . . . 190 1.1.4.15 DS006UserActivity-ET04Update . . . 191 1.1.4.16 DS006UserActivity-ET05Delete . . . 192 1.1.4.17 DS006UserActivity-ET06Search . . . 193 1.1.4.18 DS006UserActivity-ET07ExecuteAs . . . 194 1.1.4.19 DS007AuditTrail-ET01Clear . . . 195 1.1.4.20 DS007AuditTrail-ET02Alter . . . 196 1.1.4.21 DS007AuditTrail-ET03TimeSync . . . 197 1.1.4.22 DS008HRMasterData-ET01Joined . . . 198 1.1.4.23 DS008HRMasterData-ET02SeperationNotice . . . 199 1.1.4.24 DS008HRMasterData-ET03SeperationImmediate . . . 200 1.1.4.25 DS009EndPointIntel-ET01ObjectChange . . . 201 1.1.4.26 DS009EndPointIntel-ET01ProcessLaunch . . . 202 1.1.4.27 DS010NetworkCommunication-ET01Traffic . . . 203 1.1.4.27.1 DS010NetworkCommunication-ET01TrafficAppAware . . . 205 1.1.4.28 DS010NetworkCommunication-ET02State . . . 207 1.1.4.29 DS011MalwareDetonation-ET01Detection . . . 208 1.1.4.30 DS012NetworkIntrusionDetection-ET01SigDetection . . . 212 1.1.4.31 DS013TicketManagement-ET01 . . . 214 1.1.4.32 DS014WebServer-ET01Access . . . 216 1.1.4.33 DS015ConfigurationManagement-ET01General . . . 218 1.1.4.34 DS016DataLossPrevention-ET01Violation . . . 219 1.1.4.35 DS017PhysicalSecurity-ET01Access . . . 220 1.1.4.36 DS018VulnerabilityDetection-ET01SigDetected . . . 221 1.1.4.37 DS019PatchManagement-Applied . . . 222 1.1.4.38 DS019PatchManagement-Eligable . . . 223 1.1.4.39 DS019PatchManagement-Failed . . . 224 1.1.4.40 DS020HostIntrustionDetection-ET01SigDetected . . . 225 1.1.4.41 DS021Telephony-ET01CDR . . . 227 1.1.4.42 DS022Performance-ET01General . . . 228 1.1.4.43 DS023CrashReporting-ET01General . . . 229 1.1.4.44 DS024ApplicationServer-ET01General . . . 230

1.1.5 Technology Provider View . . . 231

1.1.5.1 PT001-Microsoft-Exchange . . . 232 1.1.5.2 PT002-Splunk-Stream . . . 234 1.1.5.2.1 PT002-Splunk-Stream-DHCP . . . 235 1.1.5.2.2 PT002-Splunk-Stream-DNS . . . 236 1.1.5.2.3 PT002-Splunk-Stream-SMTP . . . 237 1.1.5.3 PT003-ExtraHop . . . 238 1.1.5.3.1 PT003-ExtraHop-DNS . . . 239 1.1.5.3.2 PT003-ExtraHop-SMTP . . . 240

1.1.5.4 PT004-McAfee Web Gateway . . . 241

1.1.5.5 PT005-Microsoft-Windows . . . 242 1.1.5.6 PT006-PaloAlto Firewall . . . 244 1.1.5.7 PT008-Snort . . . 245 1.1.5.8 PT009-SourceFire . . . 246 1.1.5.9 PT010-Websense . . . 247 1.1.5.10 PT011-Bluecoat . . . 248 1.1.5.11 PT012-Splunk-InternalLogging . . . 249 1.1.5.12 PT013-ISCBIND-DNS . . . 250 1.1.5.13 PT014-PhysicalAccessControl . . . 251 1.1.5.14 PT015-Linux-Deb/RH . . . 252 1.1.5.15 PT016-Cisco-ASA/PIX/FWSM . . . 253 1.1.5.16 PT017-Trend-TippingPoint . . . 255

1.1.6 Enrichment Data View . . . 256

(7)

1.1.6.2 DE002IdentityInformation . . . 259

1.2 Adoption Narratives . . . 260

1.2.1 Adoptable Compliance and Security Narratives . . . 261

1.2.1.1 UC0001 Detection of new/prohibited web application . . . 265

1.2.1.2 UC0002 Detection of prohibited protocol (application) . . . 266

1.2.1.3 UC0003 Server generating email outside of approved usage . . . 267

1.2.1.4 UC0004 Excessive number of emails sent from internal user . . . 268

1.2.1.5 UC0005 System modification to insecure state . . . 269

1.2.1.6 UC0006 Windows security event log purged . . . 270

1.2.1.7 UC0007 Account logon successful method outside of policy . . . 271

1.2.1.8 UC0008 Activity on previously inactive account . . . 272

1.2.1.9 UC0009 Authenticated communication from a risky source network . . . 273

1.2.1.10 UC0010 Detect unauthorized use of remote access technologies . . . 274

1.2.1.11 UC0011 Improbable distance between logins . . . 275

1.2.1.12 UC0012 Increase risk score of employees once adverse seperation is identified or anticipated . . . 276

1.2.1.13 UC0013 Monitor change for high value groups . . . 277

1.2.1.14 UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted . . 278

1.2.1.15 UC0015 Privileged user accessing more than expected number of machines in period . . . 279

1.2.1.16 UC0016 Successfully authenticated computer accounts accessing network resources . . . 280

1.2.1.17 UC0017 Unauthorized access or risky use of NHA . . . 281

1.2.1.18 UC0018 Unauthorized access SSO brute force . . . 282

1.2.1.19 UC0019 User authenticated to routine business systems while on extended absense . . . 283

1.2.1.20 UC0020 Attempted communication through external firewall not explicitly granted . . . 284

1.2.1.21 UC0021 Communication outbound to regions without business relationship . . . 285

1.2.1.22 UC0022 Endpoint communicating with an excessive number of unique hosts . . . 286

1.2.1.23 UC0023 Endpoint communicating with an excessive number of unique ports . . . 287

1.2.1.24 UC0024 Endpoint communicating with external service identified on a threat list. . . . 288

1.2.1.25 UC0025 Endpoint Multiple devices in 48 hours in the same site . . . 289

1.2.1.26 UC0026 Endpoint Multiple devices in 48 hours in the same subnet . . . 290

1.2.1.27 UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit . . . 291

1.2.1.28 UC0028 Endpoint Multiple infections over short time . . . 292

1.2.1.29 UC0029 Endpoint new malware detected by signature . . . 294

1.2.1.30 UC0030 Endpoint uncleaned malware detection . . . 296

1.2.1.31 UC0031 Non human account starting processes not associated with the purpose of the account . . . 297

1.2.1.32 UC0032 Brute force authentication attempt . . . 298

1.2.1.33 UC0033 Brute force authentication attempt distributed . . . 299

1.2.1.34 UC0034 Brute force successful authentication . . . 300

1.2.1.35 UC0035 Compromised account access testing . . . 301

1.2.1.36 UC0036 Compromised account access testing (Critical/Sensitive Resource) . . . 302

1.2.1.37 UC0037 Network Intrusion External - New Signatures . . . 303

1.2.1.38 UC0038 Excessive use of Shared Secrets . . . 304

1.2.1.39 UC0039 Use of Shared Secret for access to critical or sensitive system . . . 305

1.2.1.40 UC0040 Use of Shared Secret for or by automated process with risky attributes . . . 306

1.2.1.41 UC0041 SSH v1 detected . . . 307

1.2.1.42 UC0042 SSH Authentication using unknown key . . . 308

1.2.1.43 UC0043 Direct Authentication to NHA . . . 309

1.2.1.44 UC0044 Network authentication using password auth . . . 310

1.2.1.45 UC0045 Local authentication server . . . 311

1.2.1.46 UC0046 Endpoint failure to sync time . . . 312

1.2.1.47 UC0047 Communication with newly seen domain . . . 313

1.2.1.48 UC0049 Detection of DNS Tunnel . . . 315

1.2.1.49 UC0051 Excessive physical access failures to CIP assets . . . 319

1.2.1.50 UC0052 Non-CIP user attempts to access CIP asset . . . 320

1.2.1.51 UC0065 Malware detected compliance asset . . . 321

1.2.1.52 UC0071 Improbably short time between Remote Authentications with IP change . . . 322

1.2.1.53 UC0072 Detection of unauthorized using DNS resolution for WPAD . . . 323

1.2.1.54 UC0073 Endpoint detected malware infection from url . . . 324

1.2.1.55 UC0074 Network Intrusion Internal Network . . . 326

1.2.1.56 UC0075 Network Malware Detection . . . 327

1.2.1.57 UC0076 Excessive DNS Failures . . . 328

1.2.1.58 UC0077 Detection Risky Referral Domains . . . 330

1.2.1.59 UC0079 Use of accountable privileged identity to access new or rare sensitive resource . . . 331

1.2.1.60 UC0080 Trusted Individual exceeds authorization in observation of other users . . . 333

1.2.1.61 UC0081 Communication with unestablished domain . . . 334

1.2.1.62 UC0082 Communication with enclave by default rule . . . 335

1.2.1.63 UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule . . . 336

1.2.1.64 UC0084 Monitor Execution of Triage Activtity . . . 337

1.2.1.65 UC0085 Alert per host where web application logs indicate a source IP not classified as WAF . . . 338

1.2.1.66 UC0086 Detect Multiple Primary Functions . . . 339

1.2.1.67 UC0087 Malware signature not updated by SLA for compliance asset . . . 340

(8)

1.2.1.69 UC0089 Detection of Communication with Algorithmically Generated Domain . . . 342

1.2.1.70 UC0090 User account cross enclave access . . . 343

1.2.1.71 UC0091 Validate Execution of Vulnerability Scan . . . 344

1.2.1.72 UC0092 Exception to Approved Flow for Web Applications . . . 345

1.2.1.73 UC0093 Previously active account has not accessed enclave/lifecycle . . . 346

1.2.1.74 UC0094 Insecure authentication method detected . . . 347

1.2.2 Adoptable IT Operations Use Cases . . . 348

1.2.2.1 Enterprise Service Availability . . . 349

1.2.2.1.1 ITOAUC-0001 Enterprise Service Availability Messaging . . . 350

1.2.2.1.2 ITOAUC-0002 Enterprise Service Availability Authentication . . . 351

1.2.3 Product Enterprise Security Use Cases . . . 352

1.2.3.1 UCESS002 Abnormally High Number of Endpoint Changes By User . . . 353

1.2.3.2 UCESS003 Abnormally High Number of HTTP Method Events By Src . . . 354

1.2.3.3 UCESS004 Account Deleted . . . 355

1.2.3.4 UCESS005 Activity from Expired User Identity . . . 356

1.2.3.5 UCESS006 Anomalous Audit Trail Activity Detected . . . 357

1.2.3.6 UCESS007 Anomalous New Process . . . 358

1.2.3.7 UCESS008 Anomalous New Service . . . 359

1.2.3.8 UCESS009 Asset Ownership Unspecified . . . 360

1.2.3.9 UCESS010 Anomalous New Listening Port . . . 361

1.2.3.10 UCESS011 Brute Force Access Behavior Detected . . . 362

1.2.3.11 UCESS012 Brute Force Access Behavior Detected Over One Day . . . 363

1.2.3.12 UCESS013 Cleartext Password At Rest Detected . . . 364

1.2.3.13 UCESS014 Completely Inactive Account . . . 365

1.2.3.14 UCESS015 Concurrent Login Attempts Detected . . . 366

1.2.3.15 UCESS016 Default Account Activity Detected . . . 367

1.2.3.16 UCESS017 Default Account At Rest Detected . . . 368

1.2.3.17 UCESS018 Excessive DNS Failures . . . 369

1.2.3.18 UCESS019 Excessive DNS Queries . . . 370

1.2.3.19 UCESS020 Excessive Failed Logins . . . 371

1.2.3.20 UCESS021 Excessive HTTP Failure Responses . . . 372

1.2.3.21 UCESS022 Expected Host Not Reporting . . . 373

1.2.3.22 UCESS023 Alerts on access attempts that are improbably based on time and geography. . . . 374

1.2.3.23 UCESS024 High Number of Hosts Not Updating Malware Signatures . . . 375

1.2.3.24 UCESS025 High Number Of Infected Hosts . . . 376

1.2.3.25 UCESS026 High Or Critical Priority Host With Malware Detected . . . 377

1.2.3.26 UCESS027 High or Critical Priority Individual Logging into Infected Machine . . . 378

1.2.3.27 UCESS028 High Process Count . . . 379

1.2.3.28 UCESS030 High Volume of Traffic from High or Critical Host Observed . . . 380

1.2.3.29 UCESS031 Host Sending Excessive Email . . . 381

1.2.3.30 UCESS032 Host With A Recurring Malware Infection . . . 382

1.2.3.31 UCESS033 Host With High Number Of Listening ports . . . 383

1.2.3.32 UCESS034 Host With High Number Of Services . . . 384

1.2.3.33 UCESS035 Host With Multiple Infections . . . 385

1.2.3.34 UCESS036 Host With Old Infection Or Potential Re-Infection . . . 386

1.2.3.35 UCESS037 Inactive Account Activity Detected . . . 387

1.2.3.36 UCESS038 Insecure Or Cleartext Authentication Detected . . . 388

1.2.3.37 UCESS039 Multiple Primary Functions Detected . . . 389

1.2.3.38 UCESS040 Network Change Detected . . . 390

1.2.3.39 UCESS041 Network Device Rebooted . . . 391

1.2.3.40 UCESS042 New User Account Created On Multiple Hosts . . . 392

1.2.3.41 UCESS043 Outbreak Detected . . . 393

1.2.3.42 UCESS044 Personally Identifiable Information Detected . . . 394

1.2.3.43 UCESS045 Potential Gap in Data . . . 395

1.2.3.44 UCESS046 Prohibited Process Detected . . . 396

1.2.3.45 UCESS047 Prohibited Service Detected . . . 397

1.2.3.46 UCESS048 Same Error On Many Servers Detected . . . 398

1.2.3.47 UCESS049 Short-lived Account Detected . . . 399

1.2.3.48 UCESS050 Should Timesync Host Not Syncing . . . 400

1.2.3.49 UCESS051 Substantial Increase In Events . . . 401

1.2.3.50 UCESS052 Substantial Increase In Port Activity . . . 402

1.2.3.51 UCESS053 Threat Activity Detected . . . 403

1.2.3.52 UCESS056 Unapproved Port Activity Detected . . . 404

1.2.3.53 UCESS057 Unroutable Activity Detected . . . 405

1.2.3.54 UCESS058 Untriaged Notable Events . . . 406

1.2.3.55 UCESS059 Unusual Volume of Network Activity . . . 407

1.2.3.56 UCESS060 Vulnerability Scanner Detected (by events) . . . 408

1.2.3.57 UCESS061 Vulnerability Scanner Detected (by targets) . . . 409

1.2.3.58 UCESS062 Watchlisted Event Observed . . . 410

1.2.3.59 UCESS063 Web Uploads to Non-corporate Sites by Users . . . 411

(9)

Value Narrative and Use Case Repository

Purpose

A narrative defining a business impacting problem and a logical solution are the essential elements of each use case in the repository. Each narrative is cataloged using a number of fields allowing search ability within the repository. The fields themselves allow the consuming user to define a rubric for the problem type being addressed to arrive at a number of valid narratives which can be proposed to address the problem at hand.

Introduction

Target Audience

The repository has a number of well define audience targets each as the repository evolves each group should be better served. Account Team - Utilizing key terms from customer dialog identify value proposition based on customer experiences Sales Engineering - Cross reference Core, Premium, Third party, and services solutions to support customer objectives

Professional Services Managers - Better estimate project scope utilizing objective based planning with the ability to plan schedule based on prior experiences

Professional Services Consultant - Better understand what was agreed to and implementation requirements

Scope

Presently the scope of the repository if focused on addressing motivating problems experienced by leaders in the Information Security and Compliance markets.

How to Navigate

Reactive

Use of the repository allows the user to work along side the customer, typically analysts, managers, and architects, to demonstrate value which is currently being realized or can be realized based on data sources. Careful consideration should be made in how the narratives are presented. The amount of information can be overwhelming.

Using the left hand navigation menu or a short cut below begin with one of the following "views"

Supporting Data View - Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be consumed equally by use case narratives regardless of the underling technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a give combination can not achieve success.

Technology Provider View - Technology Providers roughly equate to Splunk Technology Add Ons. When working with preexisting technology implementations the user can utilize this view to determine what use cases may be possible in a customer environment.

Proactive

Use of the repository allows the user to work along side the customer, typically executive leaders and senior leaders to identify the opportunities within the organization where the greatest value gains can be realized for the smallest opportunity costs. When used in this way the Account team can being documenting the motivating problems, ideal solution narratives (use cases), and perceived value early in the relationship. These artifacts can easily be used by the account team, customer success, and professional services to assist the customer in staying on track to value delivery and recognition of product value. This approach is summarized as objective lead solutions development.

Using the left hand navigation menu or a short cut below begin with one of the following "views"

Motivating Problem Type View - Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural

(10)

missions or objectives with charter and support from all involved.

Motivating Risk View Perspective - Risk mitigation is tangential to the traditional view of business value, to address this motivation and realize value the customer will place an artificial cost on the occurrence of an event narratives and solutions will provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes.

How to read the use case narrative

The use case narrative is designed using the Rosetta Stone metaphor, it is intended that users may approach from a number of perspective and engage in dialog with users of another perspective.

Motivation and Data

The Motivation, Data source and Enrichment requirements connect the narrative to the customer motivation and supporting data requirements for success.

Motivating Problem Type View

Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.

Motivating Risk View Perspective

Risk mitigation is tangential to the traditional view of business value, to address this motivation and realize value the customer will place an artificial cost on the occurrence of an event narratives and solutions will provide support for the decision makers to show the broader business leadership that risks are being addressed proactively through the development of detection and monitoring processes.

Supporting Data View

Supporting data represents types of data utilized to support a solution eventually achieving a business objective. These data types can be consumed equally by use case narratives regardless of the underling technology. In some cases we recognize that all technology sources are not equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure on implementation when a give combination can not achieve success.

Data Definition - Tracker

Data Definitions for tracking are dynamic lists created by search processes used to enrich latter searches as search time lookups.

Data Definition - Enrichment

Dynamic external or static content utilized at search time to provide critical contextual information for events.

Adoption

The first section of each use case contains a brief descriptive narrative element, followed by adoption phase descriptors. Three types of adoption phase descriptors are used:

(11)

Adoption Phase SME

Adoption Phase SME represents the current status of the narrative in the development life cycle. This attribute will assist the user and customer in determining the timing of use case implementation.

APS-Accepted — The third stage of development "Accepted" indicates the RFC period has completed and the narrative is awaiting implementation or pilot.

APS-Obsolete — Used when a narrative concept is replaced by one or more new narratives delivering higher value or when for external reasons the narrative is no longer relevant to a meaningful number of customers. APS-Pilot — The fifth state of development indicates one or more customers is testing the narrative concept. Additional knowledge gained in the pilot may prompt a return to RFC or permit advancement to the next stage.

APS-POC — The forth stage "Proof of Concept" allows for testing a narrative using demonstration data or partial implementation in a live environment before adoption as a pilot

APS-Productized — The third stage of development "Productized" indicates the RFC period has completed and the narrative is awaiting implementation or pilot.

APS-Proposed — Proposed narrative not yet tested in the field

APS-ProposedField — A proposed narrative based on solutions developed in the field. Reserved for "live" narratives.

APS-Rejected — At any point in the development live cycle a narrative may be rejected. Future developments in data sources, enrichment, technology, or the concept may permit a rejected narrative to return to the accepted phase.

APS-Release — The final stage adoption is release, in this phase the narrative is considered complete. Revisions may occur in the narrative or implementation within the boundaries of the original stated objective. APS-RFC — The second phase in narrative development Request for Comments, allows interested parties to provide feedback to enhance the clarity of the narrative, including goals, data sources, enrichment and addressed problems.

Adoption Phase Customer

The adoption phase of the customer describes the appropriate timing for this narrative in the continuum of the customer journey.

APC-Edge — An edge use case is adopted by a customer for reasons which may be described in the

narrative. These reasons typically motivate customers in specific circumstances to adopt a use case narrative though we may not expect adoption by other customers in similar verticals or maturity stages.

APC-Essential — An essential use case narrative when filtered by a Motivating problem describes a solution implemented almost by default. These use cases have qualities such as easy implementation, immediate high value return, or compliance satisfaction as justification for early adoption.

APC-Mature — A Mature use case narrative when filtered by a Motivating problem describes a solution used to expand value from existing data sources or to justify the addition of data sources.

APC-Maturing — A Maturing use case narrative when filtered by a Motivating problem describes a solution which will present a high value to the customer; however, customer maturity, implementation requirements, data sources, or complexity would likely cause delays.

APC-Superceded — A Superceded use case narrative has been replaced with one or more improved

narratives. The excerpt of the Superceded narrative should be updated to include a direct link to the targets. APC-Undetermined — Adoption phase has yet to be assigned

(12)

Adoption Phase Industry

The adoption phase based on the industry perspective allows the user to estimate how widely known or how well the narrative could be expected with an audience reasonable well versed in industry trends. This attribute does not speak to deployment of solutions similar to the narrative and is not scientific.

API-Accepted — Narratives described as accepted generally have recognized merit and value within the industry. These narratives have not yet been widely adopted and represent an opportunity to provide value not presently obtained from current solutions within the organization.

API-Dated — Narratives described as dated will have little emotional appeal and potentially no longer provide value when implemented. For customers with legacy needs it may be appropriate to recommend some use cases from this category.

API-Distinctive — Narratives described as distinctive represent utilization of unique capabilities of the Splunk platform. While it may be possible to implement these narratives outside of the usage of Splunk factors such as specialized skill or complexity make implementation impractical.

API-Expected — Narratives described as expected could also be described as must and should do. Adequate adoption in the industry allows the narrative to self justify implementation with little convincing of stakeholders required.

API-Known — Narratives described as known would have recognition in the industry. These narratives may still be controversial but have been presented adequately as to not be considered foreign concepts.

API-Socializing — Narratives described as socializing in the industry are currently being presented at

conferences, spoken about in blogs or other venues and have not yet made an impression of value with the industry community.

Qualification

The second section of each use case contains attributes intended to assist the user and customer in evaluating the use case in consideration of the customer environment, skill sets available and work load generated.

Severity

Severity of any notable event generated (automatically or manually) as a result of discoveries made utilizing this use case.

SV1 - Low — Low severity issues will frequently be trumped by higher priority issues and external work load. In most organizations low priority issues frequently aged out without review.

SV2 - Medium — Medium severity items must be addressed within the organizations service level agreement, however such events may not be an organizational priority. For example, "it will get dealt with, but I may go to lunch or an unrelated meeting before I actually address it."

SV3 - High — High severity notable events will interrupt work for immediate attention. Evaluation of a high event may result in a formal incident and or escalation. For example, "I will skip meetings and lunch and other interruptions during the workday to deal with this; however, while I will stay late, I will not come in during the night or skip my child's recital because of it."

SV4 - Critical — Critical severity items require immediate and constant attention until resolved. For example: "I will work nights and weekends and Christmas morning if necessary to resolve this."

Rate of Detection

Rate of Detection is a non scientific estimate of the number of occurrences for a specified event.

RATED0-Rare — Rare events will occur less than once per day on average.

RATED1-Common — Common events may occur a few times per day in a typical environment. It is generally expected that common events will not overwhelm the operations team.

RATED2-Frequent — Frequent Events are expected to occur often in a typical event, this type of event may overwhelm a operations team without careful tuning and mitigations.

(13)

FIDELITY

The fidelity of a narrative describes the ratio of signal (valid/positive) to noise (invalid/false positive) anticipated based on field experience.

FIDELITY-High — This indicates a relatively high signal to noise ratio, and therefore a lower likelihood of false positives, and it should not require additional searches to validate it.

FIDELITY-Low — This indicates a relatively low signal to noise ratio, and therefore a higher likelihood of false positives. Confidence in the output can be increased through other means (i.e. cross-correlation and/or subsequent searches).

FIDELITY-Moderate — This indicates an unpredictable signal to noise ratio with a bias towards signal, and therefore a higher likelihood of false positives than high. Confidence in the output can be increased through other means (i.e. cross-correlation and/or subsequent searches).

FIDELITY-Undetermined — Adequate information has not yet been presented to determine this value

System Load

System load estimates the noticeable impact of the narrative on system performance.

LOAD-Excessive — Excessive impact to the system performance. Careful consideration should be made before adoption of this use case such as limiting the scope to essential systems or users.

LOAD-High — High impact to the system performance. Narratives are expected to require a noticeable amount of time to execute.

LOAD-Low — Low estimated impact to the system performance.

LOAD-Moderate — Moderate estimated impact to the system performance, unlikely to create a perceptible impact for interactive users, may contribute to the latency of scheduled searches.

LOAD-Undetermined — Adequate information has not yet been presented to determine this value

Analyst Load

Relative level of load or work effort involved in resolution of the notable event

AnalystLoad-Automation — Requires no outside information for triage and can be automated to resolution in many environments. When automation is not available these narratives are considered low.

AnalystLoad-High — Requires a large amount of time/effort to triage the notable event. AnalystLoad-Low — Requires a small amount of time/effort to triage the notable event.

AnalystLoad-Moderate — Requires a Moderate amount of time/effort to triage the notable event, triage is seldom expected to extend beyond the current shift

AnalystLoad-Undetermined — Adequate information has not yet been presented to determine this value

Implementation Skill Relative level of skill necessary to implement the use case.

SKILLI-Customer SKILLI-PS-General SKILLI-PS-SecurtityEnabled SKILLI-PS-SecurtitySpecialist

(14)

Use Case Domains

Use case domains reflect the data domain used to support a specific use case. Subject matter expertise will align closely with each individual domain or a sub domain.

The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security.

Use Case Domain - Access — Use cases related to the use of access, authorized or unauthorized activity which may identify a threat to the organization.

Use Case Domain - Endpoint — Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization.

Use Case Domain - Identity — Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the object to better inform analysts with context when reviewing notable events.

Use Case Domain - Network — Use cases utilizing data from network communications to identify a threat to the organization.

Measurement

Each narrative describes appropriate key performance indicators and recommends an appropriate review cadence. Each implementing customer should utilize the metrics to monitor the effectiveness of each narrative in light of the organizations operational objectives.

Artifacts

(15)

Adoption Motivations

Adoption motivations are an attempt to group together the impetus which drives a potential customer to seek out and/or be open to considering our solution. Here are a few example motivations:

New functionality required by mandate (compliance requirement, executive directive, etc.)

New functionality requested due to one or more pain points have been identified that need to be alleviated

(16)

Motivating Problem Type View

Motivating problems are those broad business needs requiring generally these are targeted at the expected level conversation with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural missions or objectives with charter and support from all involved.

Found 10 search result(s) for title:PRT*.

PRT03-PeerAdoption-Phase2-Maturing(Narrative and Use Case Center)

Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program. Supporting Use Cases

Sep 23, 2016

PRT03-PeerAdoption-Phase1-Essentials(Narrative and Use Case Center)

Use case narratives adopted during the initial deployment phase of , monitoring, and response program. Supporting Use Cases

Sep 23, 2016

PRT04-ProcessEffectivness-HuntPaths(Narrative and Use Case Center)

Utilizing searches and automated prompts the analyst will investigate selected events that are considered low fidelity to identify using analytic process potential security weakness or previously unknown threats

Jul 20, 2016

PRT08-ProductAdoption(Narrative and Use Case Center)

Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer

Aug 14, 2016

PRT08-ProductAdoption-ES(Narrative and Use Case Center) Aug 14, 2016

PRT08-ProductAdoption-ES-Maturing(Narrative and Use Case Center)

DS010NetworkCommunication Network communication data is often the last chance available to identify the movement of an attacker in, into or out of the organization's network. All firewalls protecting systems in the DMZ, Public internet, segmenting private network from the public internet and segmenting the private network ...

Aug 14, 2016

PRT08-ProductAdoption-ES-Mature(Narrative and Use Case Center)

Aug 14, 2016

PRT08-ProductAdoption-ES-Essentials(Narrative and Use Case Center)

Aug 14, 2016

PRT04-ProcessEffectivness(Narrative and Use Case Center)

High level security visibility problems speak to a need to a unified system for the collection and analysis of event data from many types of systems in the enterprise and in the cloud. Supporting Use Cases Essentials Maturing

Apr 07, 2016

PRT03-PeerAdoption(Narrative and Use Case Center)

(17)

This view will assist the user in determine which use cases should be considered in during the adoption phase Apr 07, 2016 A-C access asa cim-authentication cim-network-communication cim-network-session cisco creative D-M data-definition data-source data-source-event ha kb-detect kb-detect-network kb-how-to-article kb-troubleshooting-article loadbalancer N-T nlb provider-type prt05-tacticalthreat-ransomeware response risk-abuse sev-critical superceded syslog syslog-ng U-Z ucd-access

(18)

PRT01-Compliance

High level compliance problems regardless of specific regulation or standard applied tend may be addressed with very similar use case narratives. Within the compliance problem type, individual common regulations will be addressed.

Supporting Use Cases

Essentials

Click here to expand...

Found search result(s) for 8 title:UC* contentBody:"APC-Essential" contentBody:"PRT01-Compliance".

UCESS045 Potential Gap in Data(Narrative and Use Case Center)

Detects gaps caused by the failure of the search head. If saved searches do not execute then there may be gaps in summary data.For the past 5 minutes starting 5 minutes after realtime, return scheduled searches that were successful where the app context ...

Aug 16, 2016

UC0006 Windows security event log purged(Narrative and Use Case Center)

Manually clearing the security event log on a windows system is a violation of policy and could indicate an attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear DE001AssetInformation Adoption ...

Apr 08, 2016

UC0046 Endpoint failure to sync time(Narrative and Use Case Center)

Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host. Problem Types Addressed Risk Addressed Event Data Sources ...

Apr 25, 2016

UC0043 Direct Authentication to NHA(Narrative and Use Case Center)

Direct authentication via SSH or console session to a non human account indicates a violation of security policy by recording the password of a non human account for later use or by association of a SSH key to a non human account. Problem Types Addressed Risk ...

Apr 11, 2016

UC0030 Endpoint uncleaned malware detection(Narrative and Use Case Center)

... Contributing Events Search datamodel Malware MalwareAttacks search search

MalwareAttacks.dest="$dest$" Compliance YES Container App DAESSSecKitEndpointProtection Related articles Related articles appear here ...

Apr 08, 2016

Labels: prt05-tacticalthreat-ransomeware

UC0020 Attempted communication through external firewall not explicitly granted(Narrative and Use Case )

Center

Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...

Apr 08, 2016

Labels: prt05-tacticalthreat-ransomeware

UC0074 Network Intrusion Internal Network(Narrative and Use Case Center)

... IDSAttacks.category,IDSAttacks.signature `dropdmobjectname("IDSAttacks")` Note alternative implementation with XS should be considered Compliance YES Container

App SecKitDAESSNetworkProtection

https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to 5m@m ...

May 09, 2016

(19)

UC0075 Network Malware Detection(Narrative and Use Case Center)

... src dvcip dest product signature severity impact extref `getasset(src)` Compliance YES Container App SecKitDAESSNetworkProtection

https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to now Cron ...

Apr 25, 2016

Maturing

Click here to expand...

Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"PRT01-Compliance".

UCESS016 Default Account Activity Detected(Narrative and Use Case Center)

Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default

passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ...

Aug 14, 2016

UCESS028 High Process Count(Narrative and Use Case Center)

Alerts when host has a high number of processes. This may be due to an infection or a runaway process. For the past 24 hours, get the most recent time and group by destination (host, IP, name) and process. Get the max time by destination and compare ...

Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected(Narrative and Use Case Center)

Detects authentication requests that transmit the password over the network as cleartext

(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ...

Aug 14, 2016

UCESS039 Multiple Primary Functions Detected(Narrative and Use Case Center)

primaryfunctionstracker macro gathers all local procceses, services and listening ports from their trackers and associates identity and asset information with each. Looking back over the past 24 hours, return values of the function and their distinct count grouped by destination (host ...

Aug 14, 2016

UC0091 Validate Execution of Vulnerability Scan(Narrative and Use Case Center)

Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners, Problem Types Addressed Risk Addressed ...

Jul 12, 2016

UCESS009 Asset Ownership Unspecified(Narrative and Use Case Center)

Alerts when there are assets that define a specific priority and category but do not have an assigned owner. Return all assets where the priority is not null and the length of the value in priority is greater than 0 and the category is not null and the length of the value in category is greater than ...

Aug 14, 2016

UCESS058 Untriaged Notable Events(Narrative and Use Case Center)

Alerts when notable events have not been triaged. For the past 48 hours starting 4 hours after realtime, return notable events that have a status group of New or the owner is unassigned. Return the values time, owner, status, rule ...

Aug 14, 2016

UC0094 Insecure authentication method detected(Narrative and Use Case Center)

each authentication technology in the network identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators Problem Types Addressed Risk Addressed Event ...

(20)

UC0090 User account cross enclave access(Narrative and Use Case Center)

Detection of logon with the same account to a production and a non production environment. If an account (not user) has logged into more than one account access management controls have failed and must be

remediated Problem Types Addressed Risk Addressed Event Data ...

Jun 24, 2016

UC0040 Use of Shared Secret for or by automated process with risky attributes(Narrative and Use Case )

Center

Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access ...

(21)

PRT01Compliance-PCI

Guidance for implementation of logging and monitoring for business as usual compliance with PCI 3.2

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement Guidance

1.1.1 In support of testing procedure 1.1.1b maintain online and searchable logs for all change activity. In support of testing procedure 1.1.1b maintain online and searchable records for all change activity

1.1.4 In support of testing procedure 1.1.4.c maintain online and searchable logs for all DS010NetworkCommunication-ET01Traff from any dvc designated as cardholder, border, or internet.

ic

1.1.6 In support of 1.1.6.a build upon the work effort invested in 1.1.4 Implement the following monitoring controls: UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule In support of 1.1.6.c build upon work effort invested in 1.1.4 Implement the following monitoring controls:

UC0082 Communication with enclave by default rule

1.2.1 In support of 1.2.1.c implement the following monitoring controls to ensure continual compliance UC0084 Monitor Execution of Triage Activtity

1.2.3 In support of 1.2.3b build upon the work effort of 1.1.6 ensure consideration in existing process to consider the wifi network as an enclave

1.3.1 In support of 1.3.1 build upon the work effort of 1.1.5

UC0085 Alert per host where web application logs indicate a source IP not classified as WAF

1.4 In support of 1.4.b Ensure data collection for DS010NetworkCommunication-ET02State from all devices in scope

2.1 In support of 2.1.a Ensure data collection for DS003Authentication-ET01Success from all in scope systems. Ensure all PIM systems are correctly identified in DE001AssetInformation and ensure all default accounts have been correctly listed in DE0

prior to implementation of 02IdentityInformation

UC0007 Account logon successful method outside of policy

2.2.1 In support of 2.2.1.a Ensure data collection for dynamic primary function identification is in place to support the complete definition of DE001AssetInformation

UC0086 Detect Multiple Primary Functions

2.2.5 In support of 2.2.4.c Ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place prior to implementation of

RP001 New web application or network protocol detected

2.4 Implement a reliable dynamic asset identification solution DE001AssetInformation with the following attributes Appropriate Values for pci_domain by cidr

All hosts within the CDE are identified with static IP address All firewalls and interfaces containing the CDE are identified Collect data from the following sources

DS010NetworkCommunication-ET01Traffic

DS003Authentication-ET01Success (Machine account) DS015ConfigurationManagement-ET01General

3.1 Implement clear logging and collection for each application component responsible for deletion of online CHD. Generate a customer specific use case for the absence of successful reports in the job execution window

3.2 Implement data collection for customer specific data identification system Implement custom use case for new location for PCI information Respond by verification that authentication data is not recorded

(22)

3.4.1 If disk/share encryption is used implement data collection for the specific provider supporting the following data types DS003Authentication-ET01Success

DS006UserActivity-ET02Read DS006UserActivity-ET06Search

3.5.1 Implement customer specific use case alerting when a key is read, imported or assigned to a specific encrypted resource review for review by the key administrator

3.5.2 Implement customer specific use case alerting when a key is accessed by a human manually review the access with the key administrator

4.1 In support of 4.1.c ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place for all CDE network segments and implement

RP001 New web application or network protocol detected

4.2 In support of 4.2.a ensure data collection for DS016DataLossPrevention-ET01Violation is in place and implement customer specific use case for alerting on actual or attempted transmission of CHD via email chat FTP or removable media

5.1 In support of 5.1 ensure data collection for DS004EndPointAntiMalware-ET02UpdatedSig is in place and ensure requires_antivirus is set for all applicable records in DE001AssetInformation implement the following use cases. 5.2 In support of 5.2.b 5.2.c and 5.2.d implement the following use cases

UCESS024 High Number of Hosts Not Updating Malware Signatures UC0087 Malware signature not updated by SLA for compliance asset

6.4.1 In support of 6.4.1.b define an enclave for each CDE/lifecycle such that production and non production systems can be identified

UC0083 Communication from or to an enclave network permited by previously unknown or modified firewall rule 6.4.2 In support of 6.4.2 define an enclave for each CDE/lifecycle such that production and non production systems can be

identified

UC0090 User account cross enclave access

6.4.3 In support of 6.4.3 identify ranges or fixed sets of PAN ranges that may be utilized in the non production life cycle and create a set of periodic scripts to asses that no data exists outside of the fixed range. Log the results for compliance reporting.

6.4.4 While not conclusive for all environments the implementation of control 6.4.3 may assist in ongoing evidence of compliance. 6.4.5.x Not applicable to the logging and monitoring processes

6.4.6 Not applicable to the logging and monitoring processes

6.5.x Capture and retain logs from automated software installation and testing processes to provide evidence of for compliance to the execution of testing against common weaknesses.

Capture and retain applicable logs from defect tracking systems to evidence that issues were reported and reviewed without modification prior to release of software to production

6.6 Using an external vulnerability scanner not granted unfiltered access scan the public facing networks UCESS010 Anomalous New Listening Port

UC0091 Validate Execution of Vulnerability Scan

Periodically validate the implementation of the load balancer and web application firewall. UC0092 Exception to Approved Flow for Web Applications

6.7 Not applicable to the logging and monitoring processes 7.x Not applicable to the logging and monitoring processes

8.1 In support of this section all authentication success and failure events must be captured for all components of the application infrastructure.

8.1.1 In support of continued monitoring of compliance with 8.1.1 implement the following use cases: UC0039 Use of Shared Secret for access to critical or sensitive system

UC0088 User account sharing detection by source device ownership 8.1.2 Not applicable to the logging and monitoring processes

(23)

8.1.3 Support continued compliance and verification through implementation of the following use case UCESS005 Activity from Expired User Identity

8.1.4 Support continued compliance and verification through implementation of the following use case UC0008 Activity on previously inactive account

UC0093 Previously active account has not accessed enclave/lifecycle 8.1.5 Not applicable to the logging and monitoring processes

8.1.6 Not applicable to the logging and monitoring processes 8.1.7 Not applicable to the logging and monitoring processes 8.1.8 Not applicable to the logging and monitoring processes

8.2 Implement an appropriate site specific compliance report to identify that all successful logins to a production enclave use one of the approved authentication factors for that enclave/component.

8.2.1 Support continued compliance and verification through implementation of the following use case UC0094 Insecure authentication method detected

8.2.2 Not applicable to the logging and monitoring processes 8.2.3 Not applicable to the logging and monitoring processes 8.2.4 Not applicable to the logging and monitoring processes 8.2.5 Not applicable to the logging and monitoring processes 8.2.6 Not applicable to the logging and monitoring processes

8.3.x Support continued compliance and verification through implementation of the following use case UC0007 Account logon successful method outside of policy

8.4 Support continued compliance and verification through implementation of the following use case 8.5 Support continued compliance and verification through implementation of the following use case

UC0039 Use of Shared Secret for access to critical or sensitive system UC0040 Use of Shared Secret for or by automated process with risky attributes 8.6 Not applicable to the logging and monitoring processes

8.7 Not applicable to the logging and monitoring processes 8.8 Not applicable to the logging and monitoring processes

9.1 Support continued compliance and verification through implementation of the following use case UC0045 Local authentication server

Review resulting events in consideration of approved physical access activity, change, incident, problem and virtual remote console logs such as virtual infrastructure and KVM.

9.1.1 See 9.1

9.1.2 Not applicable to the logging and monitoring processes 9.1.3 Not applicable to the logging and monitoring processes 9.2 Not applicable to the logging and monitoring processes 9.3 Not applicable to the logging and monitoring processes 9.4 Not applicable to the logging and monitoring processes 9.5 Not applicable to the logging and monitoring processes 9.6 Not applicable to the logging and monitoring processes 9.7 Not applicable to the logging and monitoring processes 9.8 Not applicable to the logging and monitoring processes

(24)

9.9 Not applicable to the logging and monitoring processes 10.1 Implement collection and retention of the following log sources

DS003Authentication

DS003Authentication-ET01Success DS003Authentication-ET02Failure

10.2 See below

10.2.1 Implement collection and retention of the following log sources DS006UserActivity-ET02Read

10.2.2 Implement collection and retention of the following log sources DS006UserActivity-ET04Update DS007AuditTrail DS009EndPointIntel DS009EndPointIntel-ET01ProcessLaunch DS009EndPointIntel-ET01ObjectChange DS020HostIntrustionDetection-ET01SigDetected 10.2.3 Implement collection and retention of the following log sources

DS007AuditTrail-ET01Clear

10.2.4 Implement collection and retention of the following log sources DS003Authentication-ET02Failure

10.2.5 Implement collection and retention of the following log sources as applied to authentication mechanisms such as directory servers, two factor authentication systems, single sign on systems, and local authentication controls

DS006UserActivity-ET03Create DS006UserActivity-ET04Update DS006UserActivity-ET05Delete

10.2.6 Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing

DS006UserActivity-ET04Update

Note include service start, stop, and alter for configuration controlling the audit process such as syslog, group policy, windows registry, and database triggers

DS007AuditTrail-ET01Clear DS007AuditTrail-ET02Alter

10.2.7 Implement collection and retention of the following log sources as applied to the service and configuration utilized in auditing

10.3 Verify compliance of data sources identified with minimum requirements of the objective 10.4 Implement collection and retention of the following log sources

DS007AuditTrail-ET03TimeSync Implement the following use case

UC0046 Endpoint failure to sync time 10.5

10.5.1 Implement streaming collection of all log sources. Avoid batch collection activities and build adequate defensive and detective controls to ensure audit processes are not tampered with when batch collection is in use.

Implement access controls as is appropriate to limit access to audit trail data in Splunk

Implement routine trim of original audit trails such that no audit data is retained on source systems beyond a reasonable amount allowing recovery in the event of streaming collection failure

10.5.2 Implement index integrity features in Splunk

10.5.3 Implement Splunk Archiver function with a write only external service such as Amazon S3 to ensure data is archived to a system under separate control.

(25)

10.5.4 Implementation of log collection for all web application server infrastructure logs especially the following: DS002DNS-ET01QueryResponse DS003Authentication-ET01Success DS003Authentication-ET02Failure DS004EndPointAntiMalware-ET01SigDetected DS004EndPointAntiMalware-ET03UpdatedEng DS005WebProxyRequest-ET01Requested DS006UserActivity DS007AuditTrail DS009EndPointIntel-ET01ProcessLaunch DS010NetworkCommunication-ET01Traffic DS014WebServer-ET01Access DS015ConfigurationManagement-ET01General DS018VulnerabilityDetection DS019PatchManagement DS020HostIntrustionDetection-ET01SigDetected

10.5.5 Implementation of log collection for all web application server infrastructure logs especially the following: DS020HostIntrustionDetection-ET01SigDetected

10.6.1 Implementation of a robust set of correlation search to monitor each security technology in the enterprise

Management should daily review the PCI dashboards to ensure that notable events have been triaged and are being resolve in accordance with the company policy

10.6.2 Expansion of monitoring beyond the immediate PCI scope to ensure attackers are kept more than one degree away from all PCI systems.

Management should daily review critical dashboards such as and act on trends highlighted Enterprise Security Security Posture

Incident Review

10.6.3 Notable events determined to indicate suspicious activities should be identified as formal incident and handled in according to industry accepted practices.

10.7 Ensure all in scope event data is retained online and searchable for at minimum of 3 months.

Ensure adequate search hardware is available or can be provisions (cloud) to recall and search data up to 1 full year OR ensure at least 1 full year for all data sources is available.

Ensure that log infrastructure can not be subject to denial of service attach by external actors by identification of points where external actors can generate sufficient log traffic to cause early purge or failure of logging infrastructure. Identify methods of mitigating this risk.

10.8 Identify methods of detecting and alerting failure of critical control systems to produce events 10.9 Not applicable to the logging and monitoring processes

11.1 Not applicable to the logging and monitoring processes 11.2 Collect and retain vulnerability scan data

DS018VulnerabilityDetection-ET01SigDetected 11.3 Not applicable to the logging and monitoring processes 11.4 Implement the following use cases

UC0074 Network Intrusion Internal Network

11.5 Implement collection of the following data sources, identify appropriate technology specific use cases for the environment. DS009EndPointIntel

DS020HostIntrustionDetection-ET01SigDetected 11.6 Not applicable to the logging and monitoring processes

12 Not applicable to the logging and monitoring processes except as noted

12.5 Adopt a formal methodology align with enterprise risk assessment to identify risk and detective controls to be implemented and monitored by appropriate sensor/detection technology with correlation in a single security event and information management system

(26)

Supporting Documentation

PCI Data Security Standard (PCI-DSS)

(27)

PRT02Compliance-NercCIP

Currently, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have significant implications nationwide, with potential impacts to national economic security, public heath or safety, etc.

NERC CIP Requirements

Standard Requirement Details Guidance

CIP-002-3 Cyber Security: Critical Cyber Asset Identification

R2 Critical Asset Identification:

The responsible entity shall develop a list of its identified critical assets determined through an annual application of the risk-based assessment methodology as required by this standard. List shall be reviewed and updated annually, at minimum. Assets to be considered should include the following:

Control centers and backup control centers performing critical functions as described within CIP standards

Transmission substations that support the reliable operation of the BES (Bulk Electris System)

Generation resources that support the reliable operation of the BES Systems and facilities critical to system restoration, including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration

Systems and facilities critical to automatic load shedding under a common control system capable of shedding 300MW or more Special protection systems that support reliable operation of the BES

Any additional assets that support reliable operation of the BES

Enrichment:

DDE001 Asset Information

Note: pci_domain field not applicable to CIP assets

Use Cases:

UC0010 Asset Ownership Unspecified

CIP-003-3 Cyber Security: Security Management Controls R5.1 Access Control:

The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.

Personnel shall be identified by name, title, and the information for which the are responsible for authorizing access

The list of personnel responsible for authorizing access to protected information shall be verified at least annually

Enrichment:

DDE002 Identity Information

In addition to CIP authorized individuals, CIP authorizing personnel should be identified in identity list. Information they are responsible for can be specified in bunit field

Use Cases:

UC0052 Non-CIP user attempted to access CIP asset

UC0013 Monitor change for high value groups CIP005-3a Cyber Security: Electronic Security Perimeter

R2 Electronic Access Controls:

The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

Enrichment:

DDE002 Asset Information All assets that define the Electronic Security Perimeter (ESP) to be defined in asset list

Use Cases:

Prohibited Service Detected Unapproved Port Activity Detected

UC0007 Anomalous New Process UC0008 Anomalous New Listening Port