Global Field Enablement - Internal and Partner Use Only - Proprietary and Confidential © 2017 SPLUNK INC. Splunk Insights for Ransomware


Splunk Insights for Ransomware

3 Key Takeaways – Splunk Insights for Ransomware – New Offer

1. Details of the Offer

2. Getting the Meeting

3. Making the Offer

▶ New way to buy Splunk Enterprise

• Allows new customers to solve a specific use case and to get started more easily

▶ Use case-optimized pricing

• Based on metrics that are more familiar to buyers of that use case

▶ Use case-restricted licensing

• Not based on volume per day licensing

▶ Splunk Insights for Ransomware is the first release of the Splunk Insights concept

What is Splunk Insights?

▶ The first release of the Splunk Insights concept

▶ New SKU – available on partner price lists as of Jun 15

▶ 1-year term, restricted use license of Splunk Enterprise

• Governed by a licensing amendment – see the next slide

• Use to solve ransomware – cannot be used for any other use case

• Purchased based on “monitored account” – cannot exceed the # of monitored accounts

• Customer cannot combine with or add to other Splunk software licenses

▶ Targeted at smaller customers

Splunk Insights for Ransomware

▶ Customer agrees to only use the Software to detect if ransomware is present, attempting to be present or attempting to be disseminated in the Customer’s environment and for no other purpose. Customer is not authorized to combine or add this license with or to any other Splunk license.

▶ The License Capacity for Splunk Enterprise for Ransomware is based on the Number of Ransomware Monitored Accounts. “Number of Ransomware Monitored Accounts” means the number of user and system accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network.

License Amendment - Additional Terms – Splunk Insights for Ransomware

▶ SKU Name

• SI-T-LIC-ESUP-RWARE

▶ SKU Description

• Splunk Insights for Ransomware – Term License with Enterprise Support – Monitored Account

▶ SKU Name

• SI-T-LIC-GSUP-RWARE

▶ SKU Description

• Splunk Insights for Ransomware – Term License with Global Support – Monitored Account

SKUs – Splunk Insights for Ransomware

Pricing (AMER LIST)*

                                  Enterprise Support   Global Support

up to 250 monitored accounts      $25,000              $27,000

251-500 monitored accounts        $40,000              $44,000

501-1000 monitored accounts       $70,000              $76,000

*International pricing – standard uplifts apply

*Standard channel discounts for license apply


Selling to the Ransomware Problem

▶ CISO-level visibility

• Directives to ensure emerging threats do not disrupt operations

▶ Topical urgency

• Splunk for security is more relevant than ever

Why You Care about Ransomware

▶ For organizations who need to be prepared for the next ransomware attack

• Easy to buy, competitive pricing with ransomware solutions

▶ Splunk Insights for Ransomware provides additional layer of security visibility

• Centered on the importance of posture, investigation, response

▶ This additional layer of security will augment point solutions

• Does not replace “prevent” mechanisms or other malware or hygiene tools

Positioning – Solving Ransomware With Splunk

▶ The key to combating ransomware is better awareness and the ability to rapidly investigate and respond

▶ Splunk enables teams to gain that visibility without rip-and-replace or “suite” solution requirements – simply drop Splunk in to augment existing solutions

▶ Splunk provides a broader, analytics-based approach to a problem that is typically “endpoint” or “network” focused and relies heavily on “blocking”

▶ By not relying solely on “blocking” type technologies to “stop” the attack, security teams can use Splunk to get insights -- including early warning signs -- into potential ransomware infections like WannaCry that are finding ways into the environment even with “preventive” mechanisms in place

Splunk Differentiation

▶ Northwestern University

• “Northwestern University uses Splunk software to help our security team detect threats so we can deliver consistent services and protect critical data for staff, faculty and students. Splunk enables us to search for threat indicators across our systems on the fly, without having to generate cumbersome reports or manually sift through data in source systems,” said Tom Murphy, CISO, Northwestern University. “With Splunk our security analysts can pivot and view new sets of data from a single source as investigations evolve. In the case of WannaCry, we used statistical models and visualizations from Splunk Enterprise to maintain a comprehensive, real-time view of network activity that might be associated with ransomware, to help detect and prevent any damage from occurring.”

▶ Children’s Discovery Museum

• Implemented early warning using Splunk

• Monitor email, DNS ransomware and spear phishing threats

• Detected initial wave of attack – suspicious attachment

• Sub-5 min response

• Webinar coming in July -- Register

Customer Success - Solving Ransomware With Splunk (general use of Splunk Enterprise to combat ransomware)

▶ Events like WannaCry can serve as a wake-up call as to why security/cyber hygiene is so important.

• How did this event change your organization?

• Have the behaviors or procedures of your security or IT teams changed after this event?

▶ What risk does ransomware or a large scale malware attack pose to your organization?

• What do you view as your most critical assets?

▶ Has the WannaCry incident changed your security priorities for the year?

• What are your top 3 initiatives?

▶ On a 1-10 scale, 1 being a non-issue and 10 meaning you didn’t sleep for days, how concerned were you about WannaCry in particular? Why?

• How concerned are you about new exploits leveraging similar methods?

▶ If you were forced to restore critical systems from backup, how would this impact your business?

• What do you view as your most critical assets?

▶ We often look at the people, process, and technology needed for effective security.

• Which area are you the most and least confident in?

▶ What vendors do you view as strategic in the fight against malware/ransomware?

• Are you aware of what Splunk can do to help make those tools work better for you?

▶ [Existing Customer Only] Was Splunk used while this malware was spreading, either to search for infected hosts or to get a grip on your risk?

• Have you done an assessment to determine if the proper data is in Splunk and the correct skills are in place for the next incident like this?

Discovery Questions – Most Important Questions in RED


First Customer Deck – Splunk Insights for Ransomware


Ransomware is Top-of-Mind News Headline

▶ It’s hard to maintain good security hygiene – especially for smaller organizations

• Hygiene = “the basics” including patching, backup, updated FW rules, cleaning infections, etc.

▶ Cybercriminals / syndicates use ransomware to monetize poor hygiene

• It is paying off for them – they are investing in new ways to launch hard-to-stop attacks

▶ Even if hygiene is good, staying ahead of ransomware = a lot of moving parts

• Many tools / people, limited formal processes to assess posture, investigate, respond

Why Ransomware is So Pervasive

Ransomware Now Self-Propagates and Continues to Mutate

In the Wild Since May 12, 2017

What is it? Ransomware with self-propagating capabilities (wormable) using a very powerful exploit – See Blog

Who is the Target? Not targeted to individuals/industry. It targets Windows systems worldwide. Estimated >300,000 victims

How does it spread? Attacks the exposed (port 445) and vulnerable service directly via the internet (or via an email dropper)

Vulnerability it exploits: Vulnerability in Microsoft SMBv1 Protocol (MS17-010) - ETERNALBLUE exploiting CVE-2017-0145

https://www.nettitude.com/us/incident-response/wannacry-overview/

(Figure: attack chains built on the same exploit and backdoor)

ETERNALBLUE (Remote Exploit) -> DOUBLEPULSAR (Backdoor) -> WANNACRY (Ransomware)

ETERNALBLUE (Remote Exploit) -> DOUBLEPULSAR (Backdoor) -> ADYLKUZZ (Bitcoin Miner)

ETERNALBLUE (Remote Exploit) -> DOUBLEPULSAR (Backdoor) -> UIWIX (Ransomware)

ETERNALBLUE (Remote Exploit) -> DOUBLEPULSAR (Backdoor) -> RATs (Remote Access Trojans)
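The spread pattern described on this slide (an SMB service on TCP/445 reached from the internet, then worm-like hops between workstations) is exactly what the deck's "Detection via Firewall Logs" and "Detection via SMB Events" techniques, and the posture question "spikes in traffic from workstations talking to each other", are looking for. The Python below is an added example written for this page, not Splunk's or the Security Essentials app's code and not SPL: it runs two checks over a constructed sample of firewall allow/deny events. The key=value log layout, the use of the RFC 1918 ranges as "inside", the 10.1.5.0/24 workstation VLAN and the fan-out threshold of three distinct peers are all assumptions to be replaced with the customer's own address plan.

```python
"""Added example: two firewall-log checks for the SMB exposure described on the
slide. Log lines below are constructed; the key=value layout, the RFC 1918
'internal' ranges and the 10.1.5.0/24 workstation VLAN are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed firewall events (not real telemetry).
FIREWALL_LOG = """\
2017-05-12T07:44:01Z action=allow src=198.51.100.23 dst=10.1.5.20 dport=445 proto=tcp
2017-05-12T07:44:03Z action=allow src=10.1.5.20 dst=10.1.5.21 dport=445 proto=tcp
2017-05-12T07:44:03Z action=allow src=10.1.5.20 dst=10.1.5.22 dport=445 proto=tcp
2017-05-12T07:44:04Z action=allow src=10.1.5.20 dst=10.1.5.23 dport=445 proto=tcp
2017-05-12T07:44:04Z action=allow src=10.1.5.20 dst=10.1.5.24 dport=445 proto=tcp
2017-05-12T07:44:05Z action=allow src=10.1.5.20 dst=10.1.5.25 dport=445 proto=tcp
2017-05-12T07:45:10Z action=allow src=10.1.5.21 dst=10.1.10.5 dport=445 proto=tcp
2017-05-12T07:45:12Z action=allow src=10.1.5.22 dst=10.1.5.23 dport=443 proto=tcp
2017-05-12T07:46:00Z action=allow src=10.1.5.30 dst=10.1.5.31 dport=445 proto=tcp
2017-05-12T07:46:30Z action=deny src=203.0.113.9 dst=10.1.5.40 dport=445 proto=tcp
"""

# Assumed address plan: RFC 1918 is "inside"; 10.1.5.0/24 holds workstations.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATION_NET = ipaddress.ip_network("10.1.5.0/24")
SMB_PORT = 445


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Turn '<ts> k=v k=v ...' into a dict with typed src/dst/dport fields."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = ts
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_exposed_smb(events) -> list:
    """(src, dst) pairs where an outside address was ALLOWED to reach TCP/445 on
    an inside host: the 'exposed and vulnerable service via the internet' case.
    Denied attempts are background noise and are deliberately not listed."""
    return [
        (str(e["src"]), str(e["dst"]))
        for e in events
        if e["action"] == "allow" and e["proto"] == "tcp" and e["dport"] == SMB_PORT
        and not is_internal(e["src"]) and is_internal(e["dst"])
    ]


def find_smb_fanout(events, threshold: int = 3) -> dict:
    """Workstations that opened SMB to >= threshold distinct workstation peers:
    the 'spikes in traffic from workstations talking to each other' question.
    Workstation-to-server SMB (ordinary file-share use) is excluded on purpose."""
    peers = defaultdict(set)
    for e in events:
        if (e["action"] == "allow" and e["dport"] == SMB_PORT
                and e["src"] in WORKSTATION_NET and e["dst"] in WORKSTATION_NET
                and e["src"] != e["dst"]):
            peers[str(e["src"])].add(str(e["dst"]))
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOG)
    print("SMB reachable from outside:", find_exposed_smb(evs))
    print("workstation SMB fan-out:", find_smb_fanout(evs))
```

On the constructed sample the first check returns the single outside-to-inside allow and the second flags 10.1.5.20, which touched five peers in a few seconds, while the workstation that talked only to the file server and the one that reached a single peer stay quiet. In Splunk the same two questions are one search each over the firewall sourcetype, the fan-out one ending in a distinct-count of destinations grouped by source.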

THOSE IMPACTED relied solely on point products designed to see a single aspect of the attack

• Firewall for delivery of the payload

• Endpoint detection for infections

• Vulnerability and AV systems for propagation vectors and worms

• Patching and backup systems for security patches and to establish restore point

None of these provided a single view of “ransomware posture” from which to analyze and act

Minimally impacted teams were able to:

- Assess posture – end to end

- Investigate – thoroughly, efficiently

- Decide and respond – appropriately, quickly

What Traditional Tools Can Do

▶ Patching and essential basic hygiene tasks

• Hygiene means ransomware cannot gain a foothold, right? (What about mutations?)

▶ Endpoint protection solutions – “blocks” ransomware

• Prevention means I am protected, right? (Can I verify this is true?)

▶ Other point-based solutions (endpoint backup, e.g.)

• Point-based solutions provide a safety net, right? (Am I OK relying on a safety net?)

Assessing Posture – End-to-End Visibility

Ransomware posture requires end-to-end visibility of the above and more:

- Backups recent? Systems patched? Old operating systems isolated?

- Unusual Internet traffic? Spikes in traffic from workstations talking to each other?

- Uncleaned infections? Known bad files? Signs of spear phishing?

How many IT / security staff does it take to...

Streamlining Investigation – Central Analysis

Ransomware investigation requires efficient analysis of the above and more:

- What is running on vulnerable systems? What networks are they on? Who has access?

- How did a file get in? What is it attempting to do?

- Did the file spread? Are specific users being targeted?


Rapid Response – Analytics-Driven Decisions

Ransomware response requires fast, good decisions based on the above:

- Should I disable email clients on old equipment? Segment certain assets?

- Change a firewall rule? Quarantine a host or subnet?

- Do I still have time to contain? What can I automate in the future?


▶ The first release of the “Splunk Insights” concept – targeted at smaller IT / security shops

• Use case-specific version of Splunk Enterprise Software

• Data can only be used to combat ransomware

• Competitively priced with ransomware solutions

• Additional layer of security augments point solutions

▶ Benefits of the Solution

• Central visibility & analysis of ransomware

• Use relevant data – endpoint, network, etc. – to identify, assess potential ransomware activity

• Faster, streamlined investigation of ransomware activity

• Investigative capabilities pull together multiple technologies across security and IT

• Hunt for ransomware – make proactive decisions

• Leverage IR best practices to hunt down issues that look likely to be related to ransomware

Splunk Insights for Ransomware

End-to-EndVisibility

Central Analysis

Analytics-Driven Decisions

Splunk Insights for Ransomware – Start Basic: End-to-End Visibility, Central Analysis, Analytics-Driven Decisions

Add More Data for More Insights.

(Figure: data layers feeding the three pillars: Threat Intelligence, Network, Endpoint, Access/Identity, Other Security-Relevant Data; sourced from On-Premises, Private Cloud and Public Cloud environments: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention)

▶ Use an additional layer of security focused on visibility/analysis

• Bring all security layers together to see the combined view

▶ See all aspects of the environment (and attack)

• Identify gaps – both before the attack – as well as after you know about it

▶ Get better at detection, investigation and response

• Use best practices to better control your environment

Getting Ready for the Next Attack

End-to-End Visibility of Ransomware – Splunk Security Essentials For Ransomware

Identify Malware, Monitor Best Practices, Improve Security Posture

▶ Multiple best-practice techniques (DIY)

• Detection, prevention, forensics

• Spanning all stages of an attack

• Methodology, examples, data sources

▶ Essentials to get started (prepackaged)

• Over a dozen key use cases to get started

• Data sources include endpoint and wire data

• Search templates – customizable to environment

▶ Techniques covered

• Detection via Firewall Logs

• Detection via IDS Events

• Detection via Network Activity

• Detection via SMB Events

• Detection via Deletion of Shadow Copies

• Forensics via log2timeline

• Prevention via Lag Detection

• Prevention via Vulnerability Management

• Prevention via Backup Activity

• Prevention via Automated File Analysis

• Office Spawns Unusual Process (Windows Events / Sysmon)

• Detection via Statistical Analysis

• Detection via Windows Registry

• Detection via Shannon Entropy

• Detection via Fake Windows Processes and tstats

• Detection via File Encryption Events

• Detection via DNS Traffic

• Detection via Sysmon Comms
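Of the techniques listed, “Detection via Shannon Entropy” rests on one property: encrypted output is close to uniformly random, so a burst of newly written files scoring near 8 bits per byte is a signal worth alerting on. The Python below is an added example written for this page; it is not part of the Splunk Security Essentials for Ransomware app and is not SPL. It computes the entropy of each written file, exempts formats that are legitimately high-entropy because they are compressed (zip-based Office documents, PNG, JPEG, gzip, PDF, recognised by their magic bytes), and flags any host that wrote three or more suspicious files. The host names, file names, the “.locked” extension and the file contents are constructed sample data; the magic-byte table, the 7.0 bits/byte threshold and the three-file burst count are assumptions to be tuned per environment.

```python
"""Added example: Shannon-entropy scoring of file writes as a ransomware
signal, with the compressed-format exemption that keeps it usable in practice.
Sample data below is constructed; nothing here is real telemetry."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated byte, close to 8.0
    for uniformly random (or well-encrypted) bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Formats that are legitimately high-entropy because they are compressed.
# Assumed table; extend it with whatever your environment writes routinely.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip / Office Open XML",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}


def classify_write(data: bytes, threshold: float = 7.0) -> str:
    """Label one written file: compressed-format (exempt), high-entropy, or low-entropy."""
    for magic in COMPRESSED_MAGIC:
        if data.startswith(magic):
            return "compressed-format"
    return "high-entropy" if shannon_entropy(data) >= threshold else "low-entropy"


def flag_hosts(write_events, threshold: float = 7.0, min_files: int = 3) -> dict:
    """write_events: iterable of (host, filename, content). Returns the hosts that
    wrote at least min_files high-entropy, non-compressed files, with the count.
    A single odd write is ignored; a burst is what encryption in progress looks like."""
    per_host = Counter()
    for host, _name, data in write_events:
        if classify_write(data, threshold) == "high-entropy":
            per_host[host] += 1
    return {host: n for host, n in per_host.items() if n >= min_files}


# ---- constructed sample telemetry (seeded so results are reproducible) ----
_rng = random.Random(20170512)


def _random_bytes(n: int) -> bytes:
    """Stand-in for encrypted output: seeded pseudo-random bytes."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue rose 4% while costs stayed flat.\n" * 40

SAMPLE_WRITES = [
    ("ws-17", "report.docx", b"PK\x03\x04" + _random_bytes(2000)),   # normal Office save
    ("ws-17", "notes.txt", PLAINTEXT),                                # normal text save
    ("ws-17", "photo.jpg", b"\xff\xd8\xff" + _random_bytes(2000)),   # normal image
    ("ws-42", "report.docx.locked", _random_bytes(2000)),            # encrypted copies
    ("ws-42", "notes.txt.locked", _random_bytes(2000)),
    ("ws-42", "budget.xlsx.locked", _random_bytes(2000)),
    ("ws-42", "todo.txt", PLAINTEXT),                                 # one plain write too
]

if __name__ == "__main__":
    for host, name, data in SAMPLE_WRITES:
        print(f"{host:6} {name:20} {shannon_entropy(data):.2f} bits/byte  {classify_write(data)}")
    print("hosts to alert on:", flag_hosts(SAMPLE_WRITES))
```

The compressed-format exemption is the caveat that makes or breaks this technique: without it every saved .docx or photo looks like encryption, and the alert is muted within a day. The per-host burst count in flag_hosts is the second filter; on the sample only ws-42, with three high-entropy writes, is returned, while ws-17's Office document and image are recognised as compressed and its text file scores low. In a deployment the same score would be combined with the rename to an unfamiliar extension visible in the same file events.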

Central Analysis of Ransomware

Single Source of Truth: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?

Apply an “Investigative Mindset”

Ad-hoc search follows “how you think”

Splunk Insights for Ransomware

Analytics-Driven Response

Questions: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?

Example (ALERT)

Question: Is there a logical connection from an alert to other activity, IPs, hosts, malware, or other alerts?

Logic: Search network and host event logs to determine initial entry

Data: Endpoint, Network devices, Web proxy, Mail proxy, DNS, Authentication

Findings: USB key opened an infected ransomware file; user email indicates victim of spear phishing

Actions

• Eject USB, patch host, set email proxy rule, rotate credentials and notify / train victim of spear phishing attack

Splunk Insights for Ransomware


Journey to solving Ransomware with Splunk

Making the Offer – Entry into the Splunk Portfolio

Entry point: Splunk Insights for Ransomware -> Splunk Enterprise -> Splunk Enterprise Security / UBA

▶ Focus on criticality of ransomware pain

▶ Offer that “this is a way to get that problem off your plate first and foremost”

▶ Tees up additional use cases using Splunk Enterprise

▶ Do not need to pivot off their primary need if it is not ransomware

▶ In fact, this is a way to get them to the downstream use case faster at a lower price

Solving Ransomware with Splunk – Security Solutions Portfolio

Splunk Insights for Ransomware -> Splunk Enterprise -> Splunk Enterprise Security and UBA

▶ Splunk Enterprise Security (ES)

• SIEM solution for overall posture assessment, workflow for Incident Responders, Incident Review Audit for Ransomware cases, Adaptive Response to isolate infected hosts, Threat Intelligence to identify indicators of known ransomware, ability for teams to build custom ransomware dashboards

▶ Splunk User Behavior Analytics (UBA)

• Combat ransomware that “moves laterally” across the network, identify/detect ransomware that utilizes domain generation algorithm (DGA) for DNS traffic

▶ Splunk Enterprise Software

• Platform to index, search, report, visualize, analyze all data for security

• Multitude of ransomware techniques available for new and existing customers

• DIY – detection, prevention, forensics examples, mapped to attack stages, with methodology, examples, data sources

▶ Splunk Insights for Ransomware

• Use case-restricted version of Splunk Enterprise software – visibility, ad-hoc investigation of ransomware activity

• Leverage all the capabilities of Splunk Enterprise software for specific ransomware use case

• Entry-level pricing for smaller IT / security shops

Splunk Security Essentials for Ransomware App – pre-packaged templates to quickly get started with assessing ransomware posture

Splunk Security Essentials App – multiple general use cases in access, data, network, threat, and endpoint domains


Wrap Up Section

Review

▶ This Enablement Deck

• Details of the offer, positioning / messaging and pitching

▶ First Call Deck - Splunk Insights for Ransomware

• Helps you get the meeting

▶ FAQ “Splunk Insights for Ransomware”

▶ Role play document

• Selling motion, objection handling, discovery questions

▶ Call scripts / Email templates

▶ WannaCry Rapid Response – Blog, web page

▶ WannaCry Response – short video featuring Haiyan Song

• Strategic significance of analytics-driven approach to combating threats like ransomware

▶ WannaCry Response – ransomware webinars

• EMEA Webinar about general ransomware (English, German)

• APAC Webinar about general ransomware

• AMER Webinar about Splunk Security Essentials for Ransomware App

Resources – All Materials Available on Field Enablement Portal Unless Otherwise Specified

▶ Online Demo Experience -- Ransomware Investigation Exercises

▶ Splunk Security Essentials for Ransomware App on Splunkbase

▶ .conf2016 Hands-On session recording and slides

• Splunking the Endpoint: Hands On! Ransomware Edition

▶ Dec 2016 Webinar on Ransomware and Prevention Strategies

• Covers array of detection, prevention, and forensics techniques

▶ Ransomware Wrangling with Splunk .conf2016 session

▶ Blogs

• Steering Clear of the “WannaCry” Ransomware Attack

• Petya Strikes Europe. Are you Ready for the Next Ransomware Attack?

• How Splunk can Help you Prevent Ransomware from Holding your Business Hostage

• Detecting Ransomware Attacks with Splunk

• Enhancing Enterprise Security for Ransomware Detection

Resources (Cont’d)

Thank you!
