Copyright © 2014 Splunk Inc. The Analy<cs-‐Enabled SOC > SIEM Use Cases Fred Wilmot (CISSP) Director, Global Security Prac<ce Sanford Owings Principle Consultant, Splunk Services Disclaimer During the course of this presenta<on, we may make forward looking statements regarding future events or the expected performance of the company. We cau<on you that such statements reflect our current expecta<ons and es<mates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in the this presenta<on are being made as of the <me and date of its live presenta<on. If reviewed aVer its live presenta<on, this presenta<on may not contain current or accurate informa<on. We do not assume any obliga<on to update any forward looking statements we may make. In addi<on, any informa<on about our roadmap outlines our general product direc<on and is subject to change at any <me without no<ce. It is for informa<onal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliga<on either to develop the features or func<onality described or to include any such feature or func<onality in a future release. 2 Fred Wilmot | Director, Global Security Prac<ce (fred|Securityczar)@splunk.com • Strategy § § § § Minister of Silly Walks “Electric Mayhem” @fewdisc Drives Security Prac<ce Strategy globally Works on Splunk’s hardest Security Use Cases Visualiza<on and Analy<cs using Splunk Solves strategic product/implementa<on challenges • Research • • • • Digital Forensics /Assessment Tools Social Risk/User behavior modeling ML/Advanced Sta<s<cal Analysis Threat Intelligence • Product § Influence product strategy for security content and features in the field and through the factory. 3 Sanford Owings| Principal Consultant, Splunk Services [email protected] sowings (muppet disguise) Sanford Owings (Sowings) began his compu<ng career in 1990 in a word processing lab with network administra<on on PCs and various flavors of Unix. A computer science educa<on at Berkeley (with more system and network administra<on thrown in) showed him the light twenty years later. Sanford began using Splunk in early 2010, working to integrate it as an OEM repor<ng solu<on into an email appliance. Since March 2012, he has worked as a member of the Professional Services team at Splunk, leveraging his development background while assis<ng customers. In his free <me, he enjoys spending <me with his wife Erin, cooking, cycling and traveling. 4 Agenda " Why do we use SIEMs? How to Achieve these ‘SIEM’ use cases? Security Maturity Model: How do I get there? Where do we Start? Ques<ons? " Appendix " " " " 5 Why do we use SIEMS? Not Really… But we may feel that way because we don’t really know what problem we are solving, we don’t have the right people, or process to leverage our technology. Lack of internal knowledge leads to external guidance… 2013 2012 “…the rise in successful targeted a/acks has caused a growing number of organiza<ons to use SIEM for threat management to improve security monitoring and early breach detec<on” Threat Management Real-‐<me monitoring and repor<ng of user ac<vity, data access and applica<on ac<vity, in combina<on with effec<ve ad hoc query capabili<es…. capabili<es that aid in targeted aoack detec<on” 8 AccelOps Gartner SIEM MQ 2014 Product/Service Rating Real-Time Monitoring 3.50 3 Threat Intelligence 3.00 3 Behavior Profiling 2.50 3 Data and User Monitoring 2.97 2 Application Monitoring 2.90 3 Analytics 2.44 3 Log Management and Reporting 2.75 3 Deployment/Support Simplicity 3.50 4 Source: Gartner (June 2014) What capabili<es are you looking for from SIEM? 9 Why Splunk Compared to SIEM Legacy SIEM Splunk Data sources Limited Any technology, device Custom Device Support Difficult Easy Add Intelligence Difficult Easy Required 3rd party App Built-‐in (from search) Slow and Unusable Fast and Responsive Difficult (rule-‐based) Easy (search-‐based) Limited Extensible Customized Repor<ng Speed of Search/Repor<ng Correla<on Scalability 10 Be Pragma<c, not Dogma<c. Be prepared to challenge your asser<ons if you want to mature your opera<ons 11 Top Five Splunk Security Use Cases More than a SIEM; a Security Intelligence Pla5orm Splunk Can Complement OR Replace Exis<ng SIEMs Incident Inves<ga<ons & Forensics Real-‐<me Security & Monitoring of Compliance Known Repor<ng Threats 12 Real-‐<me Monitoring of Unknown Threats Fraud detec<on Moving Past SIEM to Security Intelligence INCIDENT INVESTIGATIONS & FORENSICS SECURITY & COMPLIANCE REPORTING REAL-‐TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN THREATS FRAUD DETECTION INSIDER THREAT Small Data. Big Data. Huge Data. Splunk soVware complements, replaces and goes beyond tradi<onal SIEMs. How do we achieve Analy<cs Enabled SOC? A journey of a thousand miles begins with a single step. Lao-‐tzu, The Way of Lao-‐tzu 15 A Methodology for Analy<cs-‐Enabled SOC: Map the Business to the Threat Model What does the business care about? 16 • Market Sen<ment? • Fraud? • Denial of Service? • Intellectual property theV? • Sensi<ve data/customer data leak? • Brand reputa<on? • Industrial sabotage? • Corporate espionage? A Methodology for Analy<cs-‐Enabled SOC: Construct a Hypothesis 17 • How could someone gain access to data that should be kept private? • What could cause a mass system outage does the business care about? • How could we find exfiltra<on of sensi<ve informa<on if it was happening? A Methodology for Analy<cs-‐Enabled SOC: It’s about the Data 18 • What visibility do we need? • For data exfiltra<on, start with URLs. • DNS requests, proxy logs, web logs, mail logs • Beg, borrow, and steal SME exper<se from system owners A Methodology for Analy<cs-‐Enabled SOC: Data Evalua<on 19 • For data exfiltra<on, start with what’s normal and what’s not (create a sta<s<cal model) • How do we ‘normally’ behave? • What paoerns would we see to iden<fy outliers? • Look for other paoerns based on uniqueness, frequency, periodicity, volume, dura<on, newness, dura<on, locality, etc. Spoiler Alert! DNS Exfiltra<on Indicators • • • • • • • • • • • • • 1) Look @ all DNS traffic for mul<ple levels of DNS strings. look for hexadecimal strings. 2) Look for this 3rd level to be less than 40 bytes in length... like *.domain.com, where * is longer than 40 bytes 3) Look for mul<ple DNS Name lookups to sketchy foreign domains, and look at the frequency in a short <me span. 4) DNS TXT or SRV record queries to any foreign or high entropy domains 5) ANY DNS response to a loopback or RFC 1918 space/bogon space. (5.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) could indicate a C2 channel 6) Look for mul<ple DNS queries to the same non-‐obvious or foreign domain during off-‐hours <mes in the office = check for frequency, and periodicity. 7) DNS queries to dynamic DNS providers (like OpenDNS) 8) DNS queries not followed by a proxy request for connec<on 9) Iden<fy recurring interval or beaconing following any of the above (zero variance behavior) 10) Look for Teredo IPv6 addresses 11) Look for large TXT or NULL payloads (tunneling), and TXT that isn’t 7-‐bith clean 12) Look for CNAME chains if they resolve internally 13) look for changes in authorita<ve name servers and their IP addresses as well. 20 A Methodology for Analy<cs-‐Enabled SOC: Analysis + context • Increase in business communica<ons overseas? • Does your sta<s<cal model need to change due change, business growth, or volume of data? • Implemented a new service or applica<on? • Added employees overseas? • Enriching/synthesizing outliers with visualiza<ons? 21 Need to Connect the “Data-‐dots” to See the Whole Story Delivery, exploit installaRon Threat intelligence Network AcRvity/Security Host AcRvity/Security Auth -‐ User Roles, Corp Context Gain trusted access Upgrade (escalate) Lateral movement Data Gathering Aoacker, know relay/C2 sites, infected sites, IOC, aoack/campaign intent and aoribu<on Where they went to, who talked to whom, aoack transmioed, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, aoack/malware ar<facts, patching level, aoack suscep<bility Access level, privileged users, likelihood of infec<on, where they might be in kill chain 22 Persist, Repeat Persist, Repeat ExfiltraRon Subscrip<on feeds Internal black lists Open source Intelligence Sharing Firewalls Email, Web, DNS Malware analysis IDS/IPS Infrastructure Net flow … … Endpoint Threat Detec<on and Response (ETDR) Malware analysis Vulnerability Assessment Endpoint Security OS, App , database logs Patching LDAP, Ac<ve Directory, Authen<ca<on, SSO Asset databases CMBD, inventory, … … Methodology Par<ng Thoughts Security Intelligence requires tradiRonal IT data sources, not just security technology. • • • • • • What paoerns/correla<ons of weak-‐signals in ‘normal’ IT ac<vi<es would represent ‘abnormal’ ac<vity? Heuris<c detec<on approaches (SIEM historical standard) are best used with other detec<on approaches (Sta<s<cal/Behavioral) Threat modeling MUST be associated with cri<cal data assets and employees Context is hardest and most cri<cal to add, give yourself lead <me…BUT DO IT What is rarely seen, newly seen, or a behavioral/sta<s<cal devia<on? What normal ac<vi<es occur during abnormal <mes? 23 Security Maturity Model with Splunk: How do I get there? Maturity Model for Security Opera<ons q q q q q q q q q q q q q q APT detec<on/hun<ng (kill chain method) Counter threat automa<on Threat Intelligence aggrega<on (internal & external) Fraud detec<on – ATO, account abuse, Insider threat detec<on Replace SIEM @ lower TCO, increase maturity Augment SIEM @ increase coverage & agility Compliance monitoring, repor<ng, audi<ng Log reten<on, storage, monitoring, audi<ng Con<nuous monitoring/evalua<on Incident response and forensic inves<ga<on Event searching, repor<ng, monitoring & correla<on Rapid learning loop, shorten discover/detect cycle Rapid insight from all data Real-‐<me Risk Insight Security Situa<onal Awareness Search and Inves<gate ProacRve Proac<ve Monitoring and Aler<ng ReacRve Security OperaRons Roles/FuncRons q q q q Tier 1 Analyst Tier 2 Analyst Tier 3 Analyst Audit/Compliance 25 q q q q Security Analyst CSIRT Forensics Engineering q q q q Fraud analyst Threat research/Intelligence Malware research Cyber Security/Threat Honest Ques<ons, Honest Answers " What is the talent level of my (Security) team? " Do I have exis<ng mature skill sets I can leverage/need to keep? " What is the business’s appe<te for change? " Am I building a Security Organiza<on for Hun<ng and Advanced Threats, or doing what I can with the team/resources I have? " Can I be successful implemen<ng new processes around this methodology? 26 How Do I Determine My Maturity Level? Pre-‐Engagement Posture Discussion " What is your current SecOps model? – Insourced/outsourced/hybrid? – Incident Response plan? BIA? – what do you when you find something significant? Threat Priority Matrix • What are the risks to the business? – Establish business priori<es – Model Threats and Business process – Design detec<on/preven<on logic Talent Capability Model • How capable are my people? – Beginner/Intermediate/Advanced responders – are you inves<ng in Threat Intelligence and Malware analysts? – How much collabora<on happens between security and subject experts? 27 How Do I Determine My Maturity Level? (cont’d) Content Strategy – – – – Data Acquisi<on mapped to threats/use cases Response by: Alerts/repor<ng/integra<on Manifest process and methodology into technology “How will I implement my playbook?” Post-‐Engagement EvaluaRon – – – – Does the work we did, translate to reducing business Risk? Is it measurable? Does it enable Security team to iterate and automate? Does it move the organiza<on up the Security Maturity Model? 28 Talent Capability Model Scale 29 Cyber Opera<ons Model Incident Handling Monitor Security Technologies Malware Analysis Cyber Network Defense Forensics and Root Cause Analysis Fraud and TheV Analysis Behavioral Analysis Incident Response Process Collabora<on Itera<on Automa<on Audit Applica<on Repor<ng and Security Design Assessment Network Secure Coding & Development Security Design Vulnerability Remedia<on Cyber Network Offense Threat Intelligence PROACTIVE REACTIVE 30 Counter Intelligence Threat Modeling Cyber Opera<ons Model IteraRon Threat Modeling, Intelligence Gathering, Research, hun<ng AutomaRon Machine-‐<me response Triage using machine data and context In order to gain a complete view of OperaRonal Security, we need to see the iteraRon of Counter Intelligence in Monitoring CollaboraRon Communica<on Automa<on Itera<on Incident Response 31 CollaboraRon Incident Response Forensic analysis Operate on machine data and Threat Intelligence Security Intelligence combines methodology, technology, collabora<on as context for smarter security decisions 32 Where do we start? Integra<on Examples Maturity Model Type Integra<ons 1) I have no visibility into my data, and I need to operate on that data 2) I have a SIEM, it doesn’t do what I want. I need to augment with visibility and context 3) I have visibility, and context, I need threat intelligence and workflow and integra<on 4) I don’t have a SIEM, but I also don’t have any resources to do that Lets look at an MSSP that supports your threat profile Applica<on Performance Monitoring, Metrics, and Drill-‐down No SIEM: Ge{ng Visibility First Helpdesk Staff “I’m not a security shop, I just need to see all my data first” Real-‐Rme Data Machine • Splunk for incident inves<ga<ons/ forensics • Splunk for aler<ng/repor<ng/ dashboarding • Begin building data consump<on towards use cases Security Analysts 35 Applica<on Performance Monitoring, Metrics, and Drill-‐down Legacy SIEM: Limited Visibility Search/Alert Splunk App for CEF “I have a subset of security in my SIEM, I need more visibility across IT data” Different data sent to Splunk and SIEM Real-‐Rme Machine Data Logger Helpdesk Staff • Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment • ArcSight for correla<on, alerts, Analyst workflow opRons for Splunk-‐to-‐ESM data flow: ESM 36 1. At index <me, Splunk can forward data to ArcSight: SplunkSight 2. At search <me, Splunk can forward CEF Security Analysts format to ArcSight: Splunk App for CEF 3. Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services Applica<on Performance Monitoring, Metrics, and Drill-‐down Legacy SIEM: Splunk to ArcSight ESM Helpdesk Staff “I have a mature playbook my analysts use in SIEM” Search/Alert Splunk App for CEF Real-‐Rme Data Machine Filter/Forward SplunkSight • Splunk for log aggrega<on, incident inves<ga<on/forensics, enrichment • ArcSight for correla<on, alerts, Analyst workflow opRons for Splunk-‐to-‐ESM data flow: Mail/SNMP CEF syslog collector ESM Using Splunk Forwarders for na<ve log consump<on 37 1. At index <me, Splunk can forward raw or filtered data to ArcSight: SplunkSight 2. At search <me, Splunk can forward selected, and/or enriched events in CEF Security format to ArcSight: Splunk App for CEF Analysts 3. Splunk alerts to ArcSight ESM via SNMP trap, e-‐mail, web services Applica<on Performance Monitoring, Metrics, and Drill-‐down SOC Integrated components Helpdesk Staff “II have many products leveraging my methodology and playbook” Ad hoc search Monitor Report and Custom Decisions on workflow made by automaRon/ and alert analyze dashboards prioriRzaRon feeding mulRple tuned products SIEM Real-‐Rme Machine Data Threat Asset Employee Intelligence & CMDB Info ApplicaRons • CriRcal è AutomaRc Rckets for SME resoluRon, InvesRgaRon (i.e. Archer) • High/Medè Triage by type: automated acRon result/analyst acRon (i.e. SIEM) • Low è prioriRzed and funneled (i.e. Remedy) • Methodology driven, business process melded with technology and analyst skill sets • Archer, JIRA, Remedy, ServiceNow integra<ons, Security Security tools like Palo Alto, Mandiant, FAnalysts ireEye, Checkpoint, Sourcefire • Packets, flows, Threat Intel, enrichment, context Data Stores 38 Adding Context Faster/Beoer Decisions with Context Online Services Ad hoc search Web Services Security GPS Loca<on Servers Desktops Networks Storage Messaging Online Shopping Cart Telecoms Packaged Applica<ons Custom Applica<ons Report and Custom analyze dashboards Developer Placorm Real-‐Rme Machine Data External Lookups RFID Call Detail Web Records Clickstreams Smartphones and Devices Monitor and alert Databases Energy Meters References – Coded fields, mappings, aliases Dynamic informaRon – Stored in non-‐tradi<onal formats Environmental context – Human maintained files, documents System/applicaRon – Available only using applica<on request Intelligence/analyRcs – Indicators, anomaly, research, white/blacklist AND MORE… 40 Encoded log with threat and asset context Asset # Log IP Address File code Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! 2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680! Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! Code .csv file CMBD Vendor mapping 41 Threat Intelligence mapping Encoded log with threat and asset context Asset # Log IP Address File code Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! 2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680! Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! Code .csv file CMBD Vendor mapping Threat Intelligence mapping File code ✓ 42 Hash value Variants Filenames Encoded log with threat and asset context Log Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! 2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680! Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for [email protected] 10.164.232.181 from 12.130.60.5 recorded OK.! External Lookup using .csv Threat info (various) Product code (file) Asset (CMDB, various) 43 Automate Context: IOC lookups -‐ Filename 44 Automate Context: IOC lookups -‐ CIDR 45 Adding Intelligence Internal Threat Intelligence Context for Security • Directory User Informa<on (personal e-‐mail, access, user privs) Proxy informa<on (content) DLP & Business Unit Risk (trade secrets/IP lists) Case History/Ticket Tracking Malware/AV • HR/Business Role • • • • 47 • • • • Applica<on Usage & Consump<on (In House) Database Usage /Access Monitoring (privileged) En<tlements/ Access Outliers (In House) User associa<on based on geography, frequency, uniqueness and privilege External Threat Intelligence Consumable Sources • • • • • • • • • • • • OSINT (free Sources) Dell SecureWorks Verisign iDefense Symantec Deepsight McAfee Threat Intelligence SANS/Whitelist/Blacklist CVEs CWEs, OSVDB (Vulns) iSight Partners ThreatStream ATLAS ThreatConnect Farsight • • • • • • • • • • • • 48 Palo Alto Wildfire Crowdstrike AlienVault OTX RecordedFuture Team Cymru ISACs or US-‐CERT FireEye/Mandiant Vorstack cyberUnited ThreatGrid ZeroFox Norse CorporaRon External Threat Intelligence Integra<on import hoplib, urllib params = urllib.urlencode({'apikey': 'f6dbdee2dc8c6118933b90178657877cc2cede3023ce0eba4xxxxxxxxxxxxxxx', 'ip': ’46.229.160.7', 'method': 'ipview'}) #headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "text/plain"} headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "applica<on/json"} conn = hoplib.HTTPConnec<on("us.api.ipviking.com:80") conn.request("POST", "/api/", params, headers) response = conn.getresponse() print response.status, response.reason data = response.read() print(data) Most IntegraRons are APIs or Modular Inputs – EASY! conn.close() 49 External Threat Intelligence 50 51 Raw IOC Not Easy 52 53 Context+Threat Intelligence:TLD against GeoIP How would I find all the URLs by their Top Level Domain, and compare them with their geoloca<on to validate they are legi<mate on a map? 54 Matching against TLD & GeoIP sourcetype=bluecoat url=* | lookup faup url | fields url_domain url_tld | geoip url_domain | eval url_domain_country_code=lower(url_domain_country_code) | eval tld_match=if(url_tld == url_domain_country_code, "true", "false") #Run FAUP as a lookup across all bluecoat URLS #generate the geoloca<on telemetry for url_domain #determine if the url country code is = to the TLD Now, show me on the map where they are… 55 56 Ques<ons? Some Content For You • Archer Integra<on Technology add-‐on template • Scripts for <cket system aler<ng • SA-‐VA, ES Vulnerability Assessment/Risk calcula<on tool Follow @Splunksec on twi/er for these releases today aqer our session! 58 What You Can Do for the Security Prac<ce • • • • We love to dig through new data sets Share cool, hard use cases with us Share knowledge to help us beoer the product All your desires and concerns for features and uses Partner with us, we will do the same! • Help with integra<ons, use cases, features func<ons. • Our job is to help you get to your highest maturity level 59 Thank you! @SplunkSec [email protected] Appendix • SA-‐VA (How it works) • SplunkSight (How it works) • TA-‐Archer (How it works) Adding Context: Splunk > Nmap + CVE=Risk Score Problem • • • • Network complexity and aoack surface is growing No central loca<on for exploit informa<on Manual system priori<za<on based on risk is (nearly) impossible Analysis must be done regularly as new exploits are released Solu<on: SA-‐VA • Automated exploit database aggrega<on • SA-‐VA automa<cally parses Na<onal Vulnerability Database hop://nvd.nist.gov/ and Offensive Security’s Exploit-‐DB hops://github.com/offensive-‐security/exploit-‐ database • Scheduled vulnerability scan • Integra<on with Splunk Enterprise Security assets • SA-‐VA integrates with your exis<ng security solu<ons to give a clearer picture Solu<on: SA-‐VA Monitor network risk trends Solu<on: SA-‐VA Isolate exploits affec<ng a large number of hosts Solu<on: SA-‐VA Access to informa<on on thousands of exploits Solu<on: SA-‐VA View all hosts affected by specific exploits Calcula<ng Risk for Assets.csv • Risk Percentage • Δ Risk Score / Reference Score (Gold Standard) • Risk Score • Σ Service Score • Service Score • CVSS Severity / (Current Year – Release Year) • Every host scanned is assigned a risk percent as a func<on of the reference score, and an overall risk score • Every service is assigned a risk percent score as a percentage of host’s overall risk Example Configurability • Provide custom arguments to Nmap scan in addi<on to preset scan arguments • Whitelist to exclude sensi<ve hosts from scans • Block specific vulnerabili<es scoring on a host specific and global level • Schedule and automate database updates and network scans based on your network needs Summary Automate vulnerability database aggrega<on Schedule scans and database updates Whitelist machines sensi<ve to scans Mul<ple scan intensity op<ons including custom arguments for VoIP, printers, and other sensi<ve systems • Integra<on with Enterprise Security assets model • • • • • Appends fields to exis<ng assets.csv • Create new assets.csv based on scan • Calculated Risk priori<za<on score • Risk % = Δ Risk Score / Gold Standard • Risk Score = Σ (CVSS severity /(Current Year – Release Year)) SIEM Augmenta<on: SplunkSight Splunk > Arcsight Delivering Context to CEF for Analy<cs-‐driven Security Connect and Visualize Datamodel Enrichments Disparate Data In Familiar Enhance Decision Making Tools • Add context to events by using Splunk Add-‐ons and custom lookups • Constrain, filter, or augment data via CIM or custom datamodels • Aggregate events from mul<ple sources before forwarding • Gain faster, easier and deeper insights across all machine data • Simply map Splunk fields to CEF fields without knowledge of the Splunk search syntax, using a new Guided UI Automa<cally Deliver Insight from Splunk to the Front Lines • Organiza<ons where an incumbent SIEM is the Tier 1 tool can now receive augmented events and alerts • Increase the value of threat intelligence by indica<ng important events Inside Splunk App for CEF Use Common Informa<on Model or custom datamodels RAW DATA INDEXED IN SPLUNK TECHNOLOGY ADD-‐ONS DATA MODELS SEARCH Guided search wizard helps users construct powerful searches Gather and enrich data as needed using full power of Splunk 75 OUTPUT COMMON EVENT FORMAT OVER TCP Why Splunk app for CEF? • For many data sources, dual feeding both Arcsight and Splunk , the same events is not feasible • Splunk App for CEF enables CEF-‐formaoed output based on search results in Splunk • Field mappings from Splunk CIM to Arcsight CEF make configura<on easy 76 Inside SplunkSight Use Common Informa<on Model and pre-‐indexed keys RAW DATA INDEXED IN SPLUNK TECHNOLOGY ADD-‐ONS INDEX PIPELINE Gather and enrich data as needed using full power of Splunk Configurable dynamic mapping of CIM fields to CEF fields 77 OUTPUT COMMON EVENT FORMAT OVER TCP Why SplunkSight? • Scaling your CEF output structure should scale with Splunk architecture • SplunkSight enables CEF formaoed output based indexed fields in Splunk • SplunkSight uses TCPOUT to process events directly on each indexer • Index and sourcetype filters enable flexibility • Field mappings from Splunk CIM to Arcsight CEF make configura<on easy 78 Integra<on Challenges • Splunk currently, cannot send CEF data directly to Arcsight ESM at scale, or index <me. • Logger agents tend to lose data in transla<on via Snare and syslog • Splunk forwarders are not distributed across the en<re infrastructure to capture raw windows events • Target’s challenge is 100% visibility, and ubiquity in their collec<on environment for host data collec<on • single agent to feed both their collec<on and correla<on technology. We built SplunkSight to deal with these challenges 79 SplunkSight Designed to be Highly scalable • Located on each Indexer as a separate socket-‐ized process • Mul<-‐threaded process to deal with scale • Operates at index-‐<me as opposed to search-‐<me • Does not impact the parsing or indexing queues in indexing pipeline • Does not directly impact search behaviors or search pipeline performance 80 SplunkSight Designed to be easily configurable • Enable mapping from CIM to CEF in a .csv file • Designed to work with metadata wrioen at index <me using Technology Add-‐on framework • Allows Target to specify specific fields to consume in Splunk for consump<on in ESM • Manageable via the deployment server 81 Current Architecture Challenge Syslo g CEF aoed form ArcSight Architecture 82 Architecture with SplunkSight Real-‐Rme Machine Data SplunkSight CEF formaoed 83 How it Works • Communica<on from forwarder – We configure the forwarder to send data to the Splunk Indexer, as you have currently deployed Splunk today. – For data types requiring transforma<on at index <me (either on a Heavy Forwarder, or on the Indexer) we send either Cooked or Uncooked data. – The indexer listens on 9997 as usual, receives data into Splunk and consumes it. 84 How it Works • Communica<on from indexer to SplunkSight – The Splunk Indexer sends via outputs.conf, data to SplunkSight, which lives on a configurable socket on the indexer (we are using 9996 as example) – We are sending data using our TCPOUT op<on in our proprietary S2S protocol, which allows us to field map, and transform data into CEF Output. 85 How it Works • Sending data to Arcsight ESM – Defined in splunksight.conf – Output is UDP syslog – SplunkSight runs as a service and includes a few python processes: ê Process.py ê Cefobjec<zer.py ê Daemon.py ê U<ls.py ê Read-‐conf.py ê Splunksightsyslog.py ê Splunksight.py 86 Splunksight.conf [daemon] listen_ip = 0.0.0.0 listen_port = 9996 log_file = /tmp/splunksight.log pid_file = /tmp/splunksight.pid log_type = standard [syslog] proto = udp dest_ip = x.x.x.x dest_port = 514 How it Works • Configuring SplunkSight – Requires WRITE_META = true for Technology add-‐ons (This creates an indexed field), fields and props configura<on. – Provide mapping of CIM (Splunk) fields, to CEF (Arcsight) fields i.e. default.csv Default.csv #cim,cef dest,CEF_dest session_id,CEF_session_id dest_nt_host,CEF_dest_host src_ip,src dest_ip,dst src_port,spt 87 Splunk_TA_Windows Transforms.conf [Target_Server_Name_as_dest] SOURCE_KEY = Target_Server_Name REGEX = ([\\]+)?([^-‐].*) WRITE_META = True FORMAT = dest::"$2” Fields.conf [dest] INDEXED = true How it Works • Configuring SplunkSight – Enables filtering based on Sourcetypes and indexes. By default, we remove all the _* indexes – Can configure whether we send ALL data, or just metadata 88 Splunksight.conf [filters] indexes_to_discard = _internal _introspec<on _thefishbucket _audit _blocksignature #sourcetypes_to_discard =sourcetype::syslog sourcetypes_to_discard =sourcetype::sep::risk CEF Output example Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.11.36.20 end=179 fileType=applica<on/x-‐fcs in=24804 request=hop://199.9.251.150/idle/1021363361/6290 xreferrer=-‐ requestMethod=POST suser=-‐ act=TCP_NC_MISS xstatus=200 requestCookies="Flash\"" out=212 Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5| Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.44.38.116 end=125 fileType=-‐ in=39 request=tcp://216.219.113.250:443/ xreferrer=-‐ requestMethod=CONNECT suser=-‐ act=TCP_TUNNELED xstatus=200 requestCookies=-‐ out=67 89 Workflow Example: Splunk > Archer 91 Splunk / Archer Integration Workflow - v1.0 START Event Review 1.0 Escalation Notification 3.1a Review Incident 4.0 Resolve Incident 4.1 Review Closure 5.0 Escalation Mgr Closed Notification 4.2a Mark for Closure 4.2 YES Escalate Event 1.1 Review Incident 3.0 Escalate? 3.1 NO NO Monitor Events 2.0 New Splunk Incident Notification 3.0a Escalated Event? 2.1 Create Archer Record 2.2 YES Resolve Incident 3.2 Monitor Splunk Incident 6.0 Mark for Closure 3.2 END Incident Mgr Closed Notification 3.2a Splunk Archer 92 NO Integration Escalation Mgr. Closed Incident? 6.1 YES Incident Mgr. Close Splunk Event 6.2 Operations Ge{ng Data to Archer python REST API interac<on with Splunk API for gathering things like asset info, vuln data, etc pulled from the metadata ‘Notable Events’ correla<on framework. The common set of fields in the correla<onsearches.conf specifica<on would be passed to archer, driven by the rule_id security_domain severity rule_name descripRon rule_Rtle rule_descripRon drilldown_name drilldown_search default_status default_owner 93 Ge{ng Data to Archer 94 Ge{ng Data to Archer • Archer fields mapped to Splunk Notable Events field in python SOAP script • Splunk generates metadata events, and ‘Archer’ command, sends it to Archer via custom search in Enterprise Security. • Workflow ac<on to escalate a Notable Event to Archer directly • Automated Splunk Search of the 'Notable Events' Macro every few minutes based on rule_id, event_id and urgency (for aler<ng if desired) Ge{ng Data to Archer Closing a Notable Event from Archer Archer dashboard object or ac<on to close a 'Notable Event'. We use the ‘search’ REST endpoint to allow a REST call, to change a status or close a status. This hander takes some input and writes a properly forma/ed line of CSV to incident_review.csv. incident_review.csv's header contains the following fields: Rme rule_id Owner Urgency Status Comment user
© Copyright 2024 ExpyDoc
