Introducing Splunk Enterprise 6 - Security Summit Analytics attraverso i... · advanced analy cs ... Splunk® Enterprise per trasformare i da macchina in preziose di il

Copyright © 2015 Splunk Inc.

Introducing Splunk Enterprise 6.2 Stefano Radaelli Senior Sales Engineer


Splunk Company Overview

2

Company

  Global HQs: §  San Francisco §  London §  Hong Kong

  1,300 employees globally   Annual Revenue: $302.6M (YoY +52%)   NASDAQ: SPLK

Products

  Free trial to massive scale   Splunk products:

§  Splunk Enterprise §  Splunk Cloud §  Hunk §  Splunk MINT §  Premium Apps

Customers

  7,900+ customers   Across 100 countries   Small to large organiza�ons   70+ of the Fortune 100   Largest license:

§  300+ Terabytes/day


Big Data Comes from Machines Volume | Velocity | Variety | Variability

GPS, RFID,

Hypervisor, Web Servers,

Email, Messaging Clickstreams, Mobile,

Telephony, IVR, Databases, Sensors, Telema�cs, Storage,

Servers, Security Devices, Desktops 3

What Does Machine Data Look Like? Sources

Order Processing

Twi�er

Care IVR

Middleware Error

4

Machine Data Contains Cri�cal Insights Customer ID Order ID

Customer’s Tweet

Time Wai�ng On Hold

Twi�er ID

Product ID

Company’s Twi�er ID

Customer ID Order ID

Customer ID

Sources

Order Processing

Twi�er

Care IVR

Middleware Error

5

Machine Data Contains Cri�cal Insights Order ID

Customer’s Tweet

Time Wai�ng On Hold

Product ID

Company’s Twi�er ID

Order ID

Customer ID

Twi�er ID

Customer ID

Customer ID

Sources

Order Processing

Twi�er

Care IVR

Middleware Error

6

Copyright © 2014 Splunk Inc. 7

Make machine data accessible, usable and valuable to everyone.

7


Industry Leading Pla�orm For Machine Data Machine Data: Any Loca�on, Type, Volume

Online Services Web

Services

Servers Security GPS

Loca�on

Storage Desktops

Networks

Packaged Applica�ons

Custom Applica�ons Messaging

Telecoms Online

Shopping Cart

Web Clickstreams

Databases

Energy Meters

Call Detail Records

Smartphones and Devices

RFID

On-‐ Premises

Private Cloud

Public Cloud

Pla�orm Support (Apps / API / SDKs)

Enterprise Scalability

Universal Indexing

Answer Any Ques�on

Developer Pla�orm

Report and analyze

Custom dashboards

Monitor and alert

Ad hoc search


Industry Leading Pla�orm For Machine Data Machine Data: Any Loca�on, Type, Volume

Online Services Web

Services

Servers Security GPS

Loca�on

Storage Desktops

Networks


Custom Applica�ons Messaging

Telecoms Online

Shopping Cart

Web Clickstreams

Databases

Energy Meters

Call Detail Records


RFID

On-‐ Premises

Private Cloud

Public Cloud

Pla�orm Support (Apps / API / SDKs)

Enterprise Scalability

Universal Indexing

Answer Any Ques�on

Developer Pla�orm

Report and analyze

Custom dashboards

Monitor and alert

Ad hoc search

Any amount, any loca�on, any source

Schema-‐on-‐the-‐fly

Universal indexing

No back-‐end RDBMS

No need to filter data


Demo


Security Use Case

11


Security Intelligence

12

Developer Pla�orm

Report and analyze

Custom dashboards

Monitor and alert

Ad hoc search

Threat Intelligence

Asset & CMDB

Employee Info

Data Stores Applica�ons

Online Services

Web Services

Security GPS

Loca�on

Storage

Desktops

Networks


Custom Applica�ons

Messaging

Telecoms Online

Shopping Cart

Web Clickstreams

Databases

Energy Meters

Call Detail Records


Firewall

Authen�ca�on

Threat Intelligence

Servers

Endpoint

External Lookups


Big Data Pla�orm: Insight for Business Risk

13

LDAP, AD Watch Lists

App Monitoring Data Security Data IT Operations Data

Business Process Data

Distribution System

Data

Business Analy�cs Web Intelligence IT Opera�ons Management Security & Compliance

Business Risk and Security Applica�on Monitoring


Case #1 -‐ Incident Inves�ga�on/Forensics   O�en ini�ated by alert in another product   May be a “cold case” inves�ga�on requiring machine data going back months

  Need all the original data in one place and a fast way to search it to answer: –  What happened and was it a false posi�ve? –  How did the threat get in, where have they

gone, and did they steal any data?

–  Has this occurred elsewhere in the past?

  Take results and turn them into a real-‐�me search/alert if needed

14

Suspect A Suspect B

Suspect C

client=unknown[99.120.205.249]<160>Jan 2616:27 (cJFFNMS

DHCPACK=ASCII from host=85.196.82.110

truncating integer value > 32 bits <46>Jan ASCII from client=unknown

Accomplice A

Accomplice B

January February March April


Case #2 – Security/Compliance Repor�ng

15

  Many types of visualiza�ons

  Easy to create in Splunk –  Ad-‐hoc auditor reports –  New incident list –  Historical reports

–  SOC/NOC dashboards –  Execu�ve/auditor dashboards


Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-‐002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Se�ngs/smithe/Local Se�ngs/Temp/evil.tmp,"""",Actual ac�on: Quaran�ned,Requested ac�on: Cleaned, �me: 2009-‐01-‐23 03:19:12,Inserted: 2009-‐01-‐23 03:20:12,End: 2009-‐01-‐23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20

Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -‐> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classifica�on: Poten�al Corporate Privacy Viola�on] Credit Card Number Detected in Clear Text [Priority: 2]:

20130806041221.000000Cap�on=ACME-‐2975EB\Administrator Descrip�on=Built-‐in account for administering the computer/domainDomain=ACME-‐2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-‐1-‐5-‐21-‐1715567821-‐926492609-‐725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts

16

Case #3 – Real-‐�me Monitoring of Known Threats Sources

Time Range

Intrusion Detec�on

Endpoint Security

Windows Authen�ca�on

All three occurring within a 24-‐hour period

Example Correla�on – Data Loss

Source IP

Source IP

Source IP Data Loss

Default Admin Account

Malware Found


2013-‐08-‐09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 -‐ -‐ OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compa�ble; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-‐RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

08/09/2013 16:23:51.0128event_status="(0)The opera�on completed successfully. "pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe“ registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microso�\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-‐PC\Printers\{}\ NeverSeenbefore" data_type""

2013-‐08-‐09T12:40:25.475Z,,exch-‐hub-‐den-‐01,,exch-‐mbx-‐cup-‐00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this a�achment with payroll informa�on,, ,2013-‐08-‐09T22:40:24.975Z

17

Case #4 – Real-‐�me Monitoring of Unknown Threats Sources

Time Range

Endpoint Logs

Web Proxy

Email Server

All three occurring within a 24-‐hour period

Example Correla�on -‐ Spearphishing User Name

User Name

Rarely seen email domain

Rarely visited web site

User Name

Rarely seen service


Case #4 – More Examples

18

A�ack Phase What Threat is Doing What to Look For Data

Source Lateral movement

Crea�ng new admin accounts Account crea�on without corresponding IT service desk �cket

AD/ Service Desk logs

Data gathering

Stealing creden�als

For single employee: Badges in at one loca�on, then logs in countries away

Badge/ VPN/ Auth

Data gathering

Gathering confiden�al data for the�

Employee makes standard devia�ons more data requests from file server with confiden�al data than normal

OS

Exfiltra�on Exfiltra�on of info Standard devia�ons larger traffic flows (incl DNS) from a host to a given IP

NetFlow


Case #5 – Insider Threat

19

What To Look For Data Source

Abnormally high number of file transfers to USB or CD/DVD OS

Abnormally large amount of data going to personal webmail account or uploaded to external file hos�ng site

Email / web server

Unusual physical access a�empts (a�er hours, accessing unauthorized area, etc) Physical badge records / AD

Above ac�ons + employee is on an internal watchlist as result of transfer / demo�on / poor review / impending layoff

HR systems / above

User name of terminated employee accessing internal system AD / HR systems


Case #6 – Fraud Detec�on Sample Pa�erns of Fraud in Machine Data:

Type of Fraud Pa�ern of fraud Ver�cal

Financial Services

E-‐tailing

Healthcare

Telecom

Online educa�on

Account takeover Many transac�ons between $9-‐10k

Many accounts accessed from one IP

Physician billing Physician billing for drugs outside their exper�se area

Roaming abuse Excessive roaming on partner network by unlimited use customers

Student loan fraud Student IP in “high-‐risk” country and student absent from classes & assignments

Account takeover


A 3-‐YEAR JOURNEY

Completeness of Vision As of June 2014

CHALLENGERS LEADERS

NICHE PLAYERS VISIONARIES

Ability to

Execute

2012

2014 2013

21


Industry Accolades

22

BEST ENTERPRISE SECURITY SOLUTION SC Magazine Awards, Europe 2013 & US 2014

BEST SIEM Informa�on Security Magazine Readers’ Choice Awards, 2013

BEST SIEM SOLUTION SC Magazine Awards, 2013


Enterprise Security v3.2.1

23


“Defense-‐in-‐depth” Requires a New Strategy

24

Two types of analysis to fight today’s threats

Tradi�onal Monitoring for Known Events

  In the ‘wild’ but prevalent   Uses vendor supplied signatures   Generally caught by IDS/IPS, AV or firewall

  Reported to tradi�onal SIEM

Sta�s�cal Analysis for Unknown Events

  Hidden in terabytes of ‘normal’ user ac�vity

  Circumvents perimeter defenses   O�en uses HTTP to communicate   Much harder to find without advanced analy�cs


Analysis of real-‐�me and historical data using Splunk sta�s�cal analy�cs to be�er understand, detect and

address unknown threats.

25

Enterprise Security Content Focus


Dashboard: Traffic Size Analysis

26

Compare traffic data with sta�s�cal data to find outliers

Iden�fy suspicious data exfiltra�on

pa�erns

Drill-‐down to look for anomalous source/

dest traffic


Dashboard: HTTP Category Analysis

27

Inves�gate ‘unknown’ HTTP

traffic

Find low volume traffic ac�vity

Compare with sta�s�cal data to find

outliers

Look for suspicious pa�erns of ac�vity by

category


Dashboard: URL Length Analysis

28

Compare each URL sta�s�cally to iden�fy outliers

Inves�gate long URLs where no referrer

exists

See how many assets are talking to the URL

Look for long URLs that may include embedded

C&C instruc�ons


Dashboard: New Domain Analysis

29

Iden�fy unexpected top level domain

ac�vity

Hosts talking to recently registered domains

Discover outlier ac�vity to newly registered

domains


Dashboard: HTTP User Agent Analysis

30

Whitelist or blacklist specific user agents

Visualize outliers as compared to sta�s�cally

normal ac�vity

Evaluate user agents for command and control

ac�vity

Find unexpected HTTP communica�on ac�vity


Asset and User Iden��es Lookup Editor

31

 More easily edit values in each of the columns   Color coding for specialized fields for added visual clarity   Add new rows of data with a single right-‐click ac�on


Security Threat Indicator Library   Key Security Indicators (over 100 available)   The ability to set a threshold for each metric that indicates if the value is acceptable or not

  Change in color (good or bad) based on customer defined threshold   A descrip�on of the trend (increasing or decreasing) depending on whether the an increase or a decrease ought to be interpreted as good or bad)

  Drill-‐down from the metric to a dashboard that provides more informa�on


Threat Visualizer   Search for unusual behavior pa�erns based on Asset and/or Iden�ty

  Pre-‐determined (by the customer) events in �me-‐synchronized swim lanes

  Select specific events to create visual correla�ons across known assets or iden��es in a single view

  The selec�ons create a “story board” (shown on the right) for inves�ga�on


Pivot Tables for Security Repor�ng

  Driving down report crea�on complexity

  Create Pivot-‐based reports   Customize as needed graph type, color, detail, etc.

  Create and circulate as a report

  Add to or create a dashboard

34


Protocol Intelligence Reports

36


Faster Protocol Inves�ga�ons

37

Important protocol fields are exposed for fast access

Enter into workflows for inves�ga�on

Create new reports or export inves�ga�on results


Acquire Wire Data – On Alert or On-‐The-‐Fly

38

Over 2800 Global Security Customers

39


Oltre 8.400 aziende di tu�o il mondo, incluse 70 tra le Fortune 100 usano Splunk® Enterprise per trasformare i da� macchina in preziose informazioni in grado di garan�re un rapido ROI e un valore reale per il reparto IT e il business in generale. Partecipando a SplunkLive! Italia potrai :   Scoprire la straordinaria rapidità e semplicità delle funzioni di analisi

di Splunk Enterprise 6.2   Imparare come o�enere in modo eficiente, informazioni da data store

�po Hadoop e NoSQL   Ascoltare casi di successo dire�amente dai clien� e capire come

hanno ricavto valore dai loro da� grazie a Splunk.   Assistere a nuovi training che insegnano come massimizzare

l’inves�mento fa�o e risolvere nuovi problem di business. Qualunque sia la tua a�vità, dallo sviluppo di applicazioni o generazione di analisi a fini aziendali, alla ges�one, protezione e verifica in ambito IT, Splunk può aiutar� ad acquisire rapidamente valore dai tuoi da�.. Iscrivi� oggi stesso : h�p://live.splunk.com/italia_2015 A presto, Il team Splunk Any ques�on? [email protected]

Tes�monianze clien� Milano   Cerved Group S.P.A   Alma Mater Studiorum –

Università di Bologna   Fastweb S.P.A. Tes�monianze clien� Roma   HBG Connex S.P.A.   Università La Sapienza   Poste Italiane

De�agli evento Milano: 24 marzo 2015, ore 9.30-‐16.30 presso NHOW Milano -‐ Via Tortona 35 Roma: 26 marzo 2015, ore 9.30-‐16.30 presso Wes�n Excelsior -‐ Via Vi�orio Veneto 125

Thank You Stefano Radaelli [email protected]

42