Copyright © 2014 Splunk Inc.

Joe Goldberg – Product Marketing, Splunk
Gary Mikula – Senior Director Information Security, FINRA
Sivakanth Mundru – Product Manager, AWS

Building a cloud-based SIEM with Splunk
Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to
Agenda

• Splunk for security and cloud offerings
• AWS CloudTrail
• FINRA using Splunk Cloud as a SIEM
Splunk for Security and Cloud Offerings

Use Cases for Machine Data Analytics (core and emerging use cases)
• IT Operations
• Security and Compliance
• App Dev and App Mgmt.
• Digital Intelligence
• Business Analytics
• Industrial Data and Internet of Things
Developer Platform (REST API, SDKs)
Small Data. Big Data. Huge Data.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackerremotetool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]:
{"requestParameters": {"durationSeconds": 43200}, "responseElements": {"credentials": {"sessionToken": "AQoDYXdzEPP///==", "accessKeyId": "ASIAJWQDLBKDOAKEWNIQ", "expiration": "Nov 13, 2013 5:22:32 AM"}, "eventSource": "sts.amazonaws.com", "sourceIPAddress": "10.11.36.1", "eventTime": "2013-11-12T17:22:32Z", "userIdentity": {Administrator:root", "principalId": "930458123955", "accountId": "930458123955", "type": "Root"}, "eventName": "GetSessionToken", "userAgent": "signin.amazonaws.com"}
Machine Data Contains Critical Insights

Example Correlation – Data Loss
[Diagram: three sources over a time range – Intrusion Detection, Endpoint Security, AWS CloudTrail – each carrying a Source IP; all three occurring within a 24-hour period; labels: Data Loss, Default Admin Account]
Big Data SIEM – All Data is Security Relevant

Traditional SIEM sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Other machine data: OSes, Service Desk, Storage, CloudTrail, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile
Top Splunk Security Use Cases – A SIEM Plus Much More

• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Real-time Monitoring of Unknown Threats
• Incident Investigations & Forensics
• Insider Threat detection
• Fraud

Splunk Can Complement OR Replace an Existing SIEM

Over 2800 Global Security Customers
Leading Big Data SIEM (plus more!) – Gartner
Cloud Offerings For Security and Compliance

Applications
• App for AWS CloudTrail – FREE
• Splunk App for Enterprise Security

SaaS
• Splunk Enterprise as a service
• Full app, SDK, API, platform support

Software
• Self-deploy in cloud or on-premises
• Centralized view across cloud and on-premises

Amazon Machine Images (AMI)
• Splunk Enterprise and Hunk AMIs
• Accelerate deployment in AWS
Amazon Confidential
Agenda
• Overview and Use cases
• Regional availability and support for AWS services
• Event payload review

CloudTrail – Overview
Customers are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to customers.
Use Cases Enabled By CloudTrail
• Security Analysis
  – Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources
  – Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues
  – Quickly identify the most recent changes made to resources in your environment
• Compliance Aid
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?
• Records detailed information for all AWS identity types
  – Root user
  – IAM user
  – Federated user
  – Role
• Information includes
  – Friendly user name
  – AWS AccessKeyId
  – 12 digit AWS account number
  – Amazon Resource Name (ARN)
  – Session context and issuer information, if applicable
  – invokedBy section identifies the AWS service making the request on behalf of the user
• IAM user Bob making an API call

    "userIdentity": {
        "accessKeyId": "AKEXAMPLE123EJVA",
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:user/Bob",
        "principalId": "AIEXAMPLE987ZKLALD3HS",
        "type": "IAMUser",
        "userName": "Bob"
    }

• Federated user Alice making an API call

    "userIdentity": {
        "type": "FederatedUser",
        "principalId": "123456789012:Alice",
        "arn": "arn:aws:sts::123456789012:federated-user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "ASEXAMPLE1234WTROX8F",
        "sessionIssuer": {
            "type": "IAMUser",
            "accountId": "123456789012",
            "userName": "Bob"
        }
    }
• Time and Date of the event in ISO 8601 format

    "eventTime": "2013-10-23T23:30:42Z"

• Event time is captured on the service host where the API call is executed
• Event time is NOT the time the log file is written to S3
What Was the API Call? What Resources Were Acted Upon?
• API call and the service the API call belongs to.

    "eventName": "RunInstances"
    "eventSource": "EC2"

• Request parameters provided by the requester and Response elements returned by the AWS service
• Response elements for read only API calls (Describe*, Get*, List*)
• Apparent IP address of the requester making the API call
• Records the apparent IP address of the requester when making API calls from the AWS Management Console
• AWS region to which the API call was made. Global services (Examples: IAM/STS) will be recorded as us-east-1

    "sourceIPAddress": "54.234.127.135",
    "awsRegion": "us-east-1"
• Detailed and Descriptive error codes and error messages, recorded only when errors occur. Examples:
  – Client error code: TagLimitExceeded
  – Server error code: Internal Error
  – Authorization failure: UnauthorizedOperation
• Authorization Failure Example

    "eventName": "TerminateInstances",
    "errorCode": "UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation"
• Optionally, CloudTrail will publish an SNS notification for each new log file
• Notifications contain the address of the log file delivered to your S3 bucket and allow you to take immediate action
• Does not require you to continuously poll S3 to check whether new log files were delivered
• Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis
• Default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket
• Detailed log file name helps identify the contents of the log file, regardless of where they are stored
• Time stamp of the log file is the event time of the first event in chronological order
• In the rare event of duplicate file delivery, the unique identifier in the file name prevents overwriting log files
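As an added example (not from the slides, AWS or Splunk), the following Python handles the SNS notification and log file naming described above: it reads the object keys out of a notification, decodes each key using the default CloudTrail layout AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<account>_CloudTrail_<region>_<yyyymmddThhmmZ>_<uniqueId>.json.gz, and uses the unique id to skip a duplicate delivery. The notification body shape (s3Bucket / s3ObjectKey), the key layout, and the bucket name, account id and unique ids are assumptions or constructed sample data.

```python
import json
import re
from datetime import datetime, timezone

# Default CloudTrail key layout (assumed, see lead-in); the account and region groups are reused.
KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/\d{4}/\d{2}/\d{2}/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<stamp>\d{8}T\d{4}Z)_(?P<uid>[A-Za-z0-9]+)\.json\.gz$"
)

def parse_key(key):
    """Split a CloudTrail object key into account, region, first-event time and unique id (or None)."""
    m = KEY_RE.match(key)
    if not m:
        return None
    return {
        "account": m["account"],
        "region": m["region"],
        # the stamp is the eventTime of the first event in the file, not the S3 write time
        "first_event_time": datetime.strptime(m["stamp"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc),
        "unique_id": m["uid"],
    }

def keys_from_notification(message):
    """SNS message body (assumed shape): {"s3Bucket": "...", "s3ObjectKey": ["...", ...]}."""
    body = json.loads(message)
    return [(body["s3Bucket"], k) for k in body["s3ObjectKey"]]

def new_log_files(keys, seen):
    """Return (bucket, key, parsed) for keys not processed before; a duplicate delivery shares the unique id."""
    fresh = []
    for bucket, key in keys:
        parsed = parse_key(key)
        if parsed is None:
            continue  # not a CloudTrail log object
        fingerprint = (parsed["account"], parsed["region"], parsed["unique_id"])
        if fingerprint not in seen:
            seen.add(fingerprint)
            fresh.append((bucket, key, parsed))
    return fresh

PREFIX = "AWSLogs/123456789012/CloudTrail/"  # constructed sample; the 2nd key repeats the 1st (duplicate delivery)
SAMPLE_MESSAGE = json.dumps({
    "s3Bucket": "example-cloudtrail-bucket",
    "s3ObjectKey": [
        PREFIX + "us-east-1/2013/11/12/123456789012_CloudTrail_us-east-1_20131112T1730Z_AbCdEf123456.json.gz",
        PREFIX + "us-east-1/2013/11/12/123456789012_CloudTrail_us-east-1_20131112T1730Z_AbCdEf123456.json.gz",
        PREFIX + "eu-west-1/2013/11/12/123456789012_CloudTrail_eu-west-1_20131112T1735Z_ZyXwVu654321.json.gz",
    ],
})
```

Keeping the fingerprint set across notifications is what makes the duplicate-delivery case harmless: the second copy of the same file is parsed but never ingested twice.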
FINRA using Splunk Cloud as a SIEM
FINRA Splunk Presentation Copyright 2014 FINRA

Who We Are
• FINRA—the Financial Industry Regulatory Authority—is an independent, non-governmental regulator for all securities firms doing business with the public in the United States
• FINRA protects investors by regulating brokers and brokerage firms and by monitoring trading on U.S. stock markets
• FINRA monitors over 6 billion shares traded on the stock market each day
• FINRA handles more ‘big data’ on a daily basis than the Library of Congress or Visa®—to build a holistic picture of the trading market
So You Want to Own a SIEM?
• Wanted ALL logs Centralized
• Enterprise Resource
• Maintenance <<< Analytics
• Push Changes Centrally
• Integrated into Process Flow
• Ease/Flexibility in Reporting
• Avoid Hidden Costs
• Relational DB Independent
• Tech Refreshes Hurt
Where We Are: Splunk Cloud
• Offload HW/SW Worries
• Can Collect Anything
• Widened Our User Base
• Granular AC
• Easily Duplicated All Reporting & Alerting
• Vendors Give Us Apps
• Great User Community
• Easily Determine Actual Costs

[Architecture diagram: FINRA VPCs, Splunk Cloud VPCs, FINRA data centers]
Why the AWS CloudTrail Application?
• FINRA Moving Applications into the Cloud
• AWS is Currently FINRA’s Primary Cloud Provider
• Data Collection via AWS S3 Bucket Objects Not Trivial
• CloudTrail Captures Everything, Well Almost…
• Splunk App for AWS Allows for Filtering
• Fully Extracted & Tagged AWS CloudTrail Records in an Easy, Flexible UI
FINRA Use Cases

Ad-Hoc Queries/Reporting
• Who Spun Up/Terminated that EC2
• Show me Everything Done by Role ‘X’ Yesterday

Alerting
• Has Anyone Used the Root Account
• Does the Security Group Contain a Class ‘A’

Compliance & Governance
• Do the Policies Adhere to FINRA Standards**
AWS CloudTrail Overview

Use Case: Ensure User Permissions in the Cloud

How We Do It – Overview of FINRA AWS Compliance System
Components shown in the diagram:
• AWS Identity and Access Management, AWS CloudTrail, AWS S3 Buckets
• Splunk saved search iam_change_detection (daily): searches API calling records for CreateRole, PutRolePolicy, DeleteRolePolicy
• Cron jobs aws_daily_check.py and aws_monthly_check.py
• Compliance Results, Subversion
• AWS IAM Compliance Dashboard
• FINRA Cloudpass
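As an added example (not FINRA's or Splunk's code), this Python runs the checks behind the FINRA alerting use cases and the iam_change_detection search over CloudTrail records: root account use, CreateRole / PutRolePolicy / DeleteRolePolicy events, UnauthorizedOperation failures, and security group ingress rules with an over-broad CIDR. The records are constructed in the userIdentity / eventName / errorCode shapes shown in the event payload review; reading ‘Class A’ as a /8 or wider range and the AuthorizeSecurityGroupIngress requestParameters layout (ipPermissions.items[].ipRanges.items[].cidrIp) are assumptions.

```python
import ipaddress
IAM_CHANGE_EVENTS = {"CreateRole", "PutRolePolicy", "DeleteRolePolicy"}

def root_account_used(rec):
    """'Has Anyone Used the Root Account': root calls carry userIdentity.type == Root."""
    return rec.get("userIdentity", {}).get("type") == "Root"

def iam_change(rec):
    """The events FINRA's iam_change_detection saved search looks for."""
    return rec.get("eventName") in IAM_CHANGE_EVENTS

def authorization_failure(rec):
    """errorCode is present only when the call failed; UnauthorizedOperation is the IAM denial."""
    return rec.get("errorCode") == "UnauthorizedOperation"

def broad_ingress(rec, max_prefix=8):
    """'Class A' check (assumed reading): ingress rule whose CIDR is /8 or wider; parameter layout is assumed."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    for perm in rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if ipaddress.ip_network(rng["cidrIp"], strict=False).prefixlen <= max_prefix:
                return True
    return False

CHECKS = {"root_account_used": root_account_used, "iam_change": iam_change,
          "authorization_failure": authorization_failure, "broad_ingress": broad_ingress}

def alerts(records):
    """Return (eventName, who, check) for each record that trips a check; 'who' is userName, else arn."""
    out = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type")
        out += [(rec["eventName"], who, name) for name, fn in CHECKS.items() if fn(rec)]
    return out

# Constructed records (account id and CIDR are placeholders, not real data).
SAMPLE_RECORDS = [
    {"eventName": "GetSessionToken", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventName": "PutRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Bob"}},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com", "errorCode": "UnauthorizedOperation",
     "userIdentity": {"type": "FederatedUser", "arn": "arn:aws:sts::123456789012:federated-user/Alice"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "requestParameters": {"ipPermissions": {"items": [{"ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
]
```

Each record is matched against every check, so one event can raise more than one alert, which is how a root-account IAM policy change would surface twice.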
Executive Summary

Remediation Report
Demo of Splunk App for Enterprise Security & AWS CloudTrail

Resources
• Splunk Cloud – http://www.splunk.com/cloud
• Splunk App for AWS CloudTrail – http://apps.splunk.com/app/1274/
• Splunk App for Enterprise Security – http://www.splunk.com/view/enterprise-security-app/SP-CAAAE8Z