Global Field Enablement - Internal and Partner Use Only - Proprietary and Confidential © 2017 SPLUNK INC.
Splunk Insights for Ransomware
3 Key Takeaways – Splunk Insights for Ransomware – New Offer
1. Details of the Offer
2. Getting the Meeting
3. Making the Offer
What is Splunk Insights?
▶ New way to buy Splunk Enterprise
• Allows new customers to solve a specific use case and to get started more easily
▶ Use case-optimized pricing
• Based on metrics that are more familiar to the buyer of that use case
▶ Use case-restricted licensing
• Not based on volume-per-day licensing
▶ Splunk Insights for Ransomware is the first release of the Splunk Insights concept
Splunk Insights for Ransomware
▶ The first release of the Splunk Insights concept
▶ New SKU – available on partner price lists as of Jun 15
▶ 1-year term, restricted-use license of Splunk Enterprise
• Governed by a licensing amendment – see the next slide
• Use to solve ransomware – cannot be used for any other use case
• Purchased based on “monitored account” – cannot exceed the number of monitored accounts
• Customer cannot combine with or add to other Splunk software licenses
▶ Targeted at smaller customers
License Amendment - Additional Terms – Splunk Insights for Ransomware
▶ Customer agrees to only use the Software to detect if ransomware is present, attempting to be present or attempting to be disseminated in the Customer’s environment and for no other purpose. Customer is not authorized to combine or add this license with or to any other Splunk license.
▶ The License Capacity for Splunk Enterprise for Ransomware is based on the Number of Ransomware Monitored Accounts. “Number of Ransomware Monitored Accounts” means the number of user and system accounts in Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP) or any similar service that is used to authenticate users inside the network.
SKUs – Splunk Insights for Ransomware
▶ SKU Name: SI-T-LIC-ESUP-RWARE
• SKU Description: Splunk Insights for Ransomware – Term License with Enterprise Support – Monitored Account
▶ SKU Name: SI-T-LIC-GSUP-RWARE
• SKU Description: Splunk Insights for Ransomware – Term License with Global Support – Monitored Account
Pricing (AMER LIST)*
                               Enterprise Support   Global Support
up to 250 monitored accounts   $25,000              $27,000
251-500 monitored accounts     $40,000              $44,000
501-1000 monitored accounts    $70,000              $76,000
* International pricing – standard uplifts apply
* Standard channel discounts for license apply
Selling to the Ransomware Problem
Why You Care about Ransomware
▶ CISO-level visibility
• Directives to ensure emerging threats do not disrupt operations
▶ Topical urgency
• Splunk for security is more relevant than ever
Positioning – Solving Ransomware With Splunk
▶ For organizations who need to be prepared for the next ransomware attack
• Easy to buy, competitively priced with ransomware solutions
▶ Splunk Insights for Ransomware provides an additional layer of security visibility
• Centered on the importance of posture, investigation, response
▶ This additional layer of security will augment point solutions
• Does not replace “prevent” mechanisms or other malware or hygiene tools
Splunk Differentiation
▶ The key to combating ransomware is better awareness and the ability to rapidly investigate and respond
▶ Splunk enables teams to gain that visibility without rip-and-replace or “suite” solution requirements – simply drop Splunk in to augment existing solutions
▶ Splunk provides a broader, analytics-based approach to a problem that is typically “endpoint” or “network” focused and relies heavily on “blocking”
▶ By not relying solely on “blocking” type technologies to “stop” the attack, security teams can use Splunk to get insights -- including early warning signs -- into potential ransomware infections like WannaCry that find ways into the environment even with “preventive” mechanisms in place
Customer Success - Solving Ransomware With Splunk (general use of Splunk Enterprise to combat ransomware)
▶ Northwestern University
• “Northwestern University uses Splunk software to help our security team detect threats so we can deliver consistent services and protect critical data for staff, faculty and students. Splunk enables us to search for threat indicators across our systems on the fly, without having to generate cumbersome reports or manually sift through data in source systems,” said Tom Murphy, CISO, Northwestern University. “With Splunk our security analysts can pivot and view new sets of data from a single source as investigations evolve. In the case of WannaCry, we used statistical models and visualizations from Splunk Enterprise to maintain a comprehensive, real-time view of network activity that might be associated with ransomware, to help detect and prevent any damage from occurring.”
▶ Children’s Discovery Museum
• Implemented early warning using Splunk
• Monitor email, DNS ransomware and spear phishing threats
• Detected initial wave of attack – suspicious attachment
• Sub-5 min response
• Webinar coming in July -- Register
Discovery Questions – Most Important Questions in RED
▶ Events like WannaCry can serve as a wake-up call as to why security/cyber hygiene is so important.
• How did this event change your organization?
• Have the behaviors or procedures of your security or IT teams changed after this event?
▶ What risk does ransomware or a large-scale malware attack pose to your organization?
• What do you view as your most critical assets?
▶ Has the WannaCry incident changed your security priorities for the year?
• What are your top 3 initiatives?
▶ On a 1-10 scale, 1 being a non-issue and 10 meaning you didn’t sleep for days, how concerned were you about WannaCry in particular? Why?
• How concerned are you about new exploits leveraging similar methods?
▶ If you were forced to restore critical systems from backup, how would this impact your business?
• What do you view as your most critical assets?
▶ We often look at the people, process, and technology needed for effective security.
• Which area are you most and least confident in?
▶ What vendors do you view as strategic in the fight against malware/ransomware?
• Are you aware of what Splunk can do to help make those tools work better for you?
▶ [Existing Customer Only] Was Splunk used while this malware was spreading, either to search for infected hosts or to get a grip on your risk?
• Have you done an assessment to determine if the proper data is in Splunk and the correct skills are in place for the next incident like this?
First Customer Deck – Splunk Insights for Ransomware
Why Ransomware is So Pervasive
▶ It’s hard to maintain good security hygiene – especially for smaller organizations
• Hygiene = “the basics” including patching, backup, updated FW rules, cleaning infections, etc.
▶ Cybercriminals / syndicates use ransomware to monetize poor hygiene
• It is paying off for them – they are investing in new ways to launch hard-to-stop attacks
▶ Even if hygiene is good, staying ahead of ransomware = a lot of moving parts
• Many tools / people, limited formal processes to assess posture, investigate, respond
Ransomware Now Self-Propagates and Continues to Mutate
In the Wild Since May 12, 2017
What is it? Ransomware with self-propagating (wormable) capabilities using a very powerful exploit – See Blog
Who is the target? Not targeted at individuals or an industry; it targets Windows systems worldwide. Estimated >300,000 victims
How does it spread? Attacks the exposed (port 445) and vulnerable service directly via the internet (or via an email dropper)
Vulnerability it exploits: Vulnerability in the Microsoft SMBv1 protocol (MS17-010) - ETERNALBLUE exploiting CVE-2017-0145
https://www.nettitude.com/us/incident-response/wannacry-overview/
Exploit chains seen in the wild (same entry, different payloads):
• ETERNALBLUE (remote exploit) → DOUBLEPULSAR (backdoor) → WANNACRY (ransomware)
• ETERNALBLUE (remote exploit) → DOUBLEPULSAR (backdoor) → ADYLKUZZ (Bitcoin miner)
• ETERNALBLUE (remote exploit) → DOUBLEPULSAR (backdoor) → UIWIX (ransomware)
• ETERNALBLUE (remote exploit) → DOUBLEPULSAR (backdoor) → RATs (remote access trojans)
What Traditional Tools Can Do
THOSE IMPACTED relied solely on point products designed to see a singular aspect of the attack:
• Firewall for delivery of the payload
• Endpoint detection for infections
• Vulnerability and AV systems for propagation vectors and worms
• Patching and backup systems for security patches and to establish a restore point
None of these provided a single view of “ransomware posture” from which to analyze and act.
Minimally impacted teams were able to:
- Assess posture – end to end
- Investigate – thoroughly, efficiently
- Decide and respond – appropriately, quickly
Assessing Posture – End-to-End Visibility
▶ Patching and essential basic hygiene tasks
• Hygiene means ransomware cannot gain a foothold, right? (What about mutations?)
▶ Endpoint protection solutions – “blocks” ransomware
• Prevention means I am protected, right? (Can I verify this is true?)
▶ Other point-based solutions (endpoint backup, e.g.)
• Point-based solutions provide a safety net, right? (Am I OK relying on a safety net?)
Ransomware posture requires end-to-end visibility of the above and more:
- Backups recent? Systems patched? Old operating systems isolated?
- Unusual Internet traffic? Spikes in traffic from workstations talking to each other?
- Uncleaned infections? Known bad files? Signs of spear phishing?
Streamlining Investigation – Central Analysis
How many IT / security staff does it take to...
Ransomware investigation requires efficient analysis of the above and more:
- What is running on vulnerable systems? What networks are they on? Who has access?
- How did a file get in? What is it attempting to do?
- Did the file spread? Are specific users being targeted?
Rapid Response – Analytics-Driven Decisions
Ransomware response requires fast, good decisions based on the above:
- Should I disable email clients on old equipment? Segment certain assets?
- Change a firewall rule? Quarantine a host or subnet?
- Do I still have time to contain? What can I automate in the future?
Splunk Insights for Ransomware
▶ The first release of the “Splunk Insights” concept – targeted at smaller IT / security shops
• Use case-specific version of Splunk Enterprise software
• Data can only be used to combat ransomware
• Competitively priced with ransomware solutions
• Additional layer of security augments point solutions
▶ Benefits of the Solution
• Central visibility & analysis of ransomware
• Use relevant data – endpoint, network, etc. – to identify and assess potential ransomware activity
• Faster, streamlined investigation of ransomware activity
• Investigative capabilities pull together multiple technologies across security and IT
• Hunt for ransomware – make proactive decisions
• Leverage IR best practices to hunt down issues that look likely to be related to ransomware
End-to-End Visibility | Central Analysis | Analytics-Driven Decisions
Splunk Insights for Ransomware – Start Basic.
End-to-End Visibility | Central Analysis | Analytics-Driven Decisions
Splunk Insights for Ransomware – Add More Data for More Insights.
Data categories: Threat Intelligence, Network, Endpoint, Access/Identity, Other Security-Relevant Data
Deployment: On-Premises, Private Cloud, Public Cloud
Example data sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Getting Ready for the Next Attack
▶ Use an additional layer of security focused on visibility/analysis
• Bring all security layers together to see the combined view
▶ See all aspects of the environment (and attack)
• Identify gaps – both before the attack and after you know about it
▶ Get better at detection, investigation and response
• Use best practices to better control your environment
End-to-End Visibility of Ransomware
• Detection via Firewall Logs
• Detection via IDS Events
• Detection via Network Activity
• Detection via SMB Events
• Detection via Deletion of Shadow Copies
• Forensics via log2timeline
• Prevention via Lag Detection
• Prevention via Vulnerability Management
• Prevention via Backup Activity
• Prevention via Automated File Analysis
• Office Spawns Unusual Process (Windows Events / Sysmon)
• Detection via Statistical Analysis
• Detection via Windows Registry
• Detection via Shannon Entropy
• Detection via Fake Windows Processes and tstats
• Detection via File Encryption Events
• Detection via DNS Traffic
• Detection via Sysmon Comms
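As an added example (not code from this deck or from the Security Essentials app), the Python below runs two of the firewall-log / SMB checks named above over constructed log lines: internet hosts reaching internal TCP/445 (the exposed service described on the WannaCry slide) and an internal workstation fanning out to many internal peers on 445 in a short window (the "workstations talking to each other" spike from the posture slide). The key=value log format, the internal address ranges and the thresholds are assumptions.

```python
"""Added example: two firewall-log checks for the SMB patterns the deck describes
(internet hosts hitting TCP/445; internal workstations fanning out on 445)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges

# Constructed sample lines in an assumed key=value firewall format (not real traffic).
SAMPLE_LOGS = """\
2017-05-12T10:00:01 action=allow src=10.1.2.15 dst=10.1.2.20 dport=445 proto=tcp
2017-05-12T10:00:02 action=allow src=10.1.2.15 dst=10.1.2.21 dport=445 proto=tcp
2017-05-12T10:00:02 action=deny src=10.1.2.15 dst=10.1.2.22 dport=445 proto=tcp
2017-05-12T10:00:03 action=allow src=10.1.2.15 dst=10.1.2.23 dport=445 proto=tcp
2017-05-12T10:00:05 action=allow src=10.1.2.15 dst=10.1.2.24 dport=445 proto=tcp
2017-05-12T10:00:07 action=allow src=10.1.2.40 dst=10.1.9.5 dport=445 proto=tcp
2017-05-12T10:00:09 action=allow src=10.1.2.40 dst=10.1.9.5 dport=445 proto=tcp
2017-05-12T10:01:00 action=deny src=203.0.113.7 dst=10.1.2.30 dport=445 proto=tcp
2017-05-12T10:01:30 action=allow src=10.1.2.31 dst=198.51.100.9 dport=443 proto=tcp
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse(lines):
    """Yield (ts, action, src, dst) for TCP/445 events; other lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m and m["dport"] == "445" and m["proto"] == "tcp":
            yield datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["dst"]

def external_smb_probes(lines):
    """Internet-sourced hits on internal 445: 'deny' means the perimeter held,
    'allow' means the vulnerable service is exposed to the internet."""
    return [(src, dst, action) for _, action, src, dst in parse(lines)
            if not is_internal(src) and is_internal(dst)]

def smb_fanout(lines, min_peers=5, window_s=60):
    """Internal sources that contact >= min_peers distinct internal hosts on 445
    within one sliding window of window_s seconds (denied attempts count too:
    a scan is a scan). Returns {src: most distinct peers seen in any window}."""
    by_src = defaultdict(list)
    for ts, _, src, dst in parse(lines):
        if is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {d for ts, d in events[i:] if (ts - start).total_seconds() <= window_s}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

On the sample, the external probe is the single denied hit from 203.0.113.7 and the fan-out check flags 10.1.2.15 (five distinct peers in four seconds) while 10.1.2.40, which only talks to one file server, is not flagged.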
Splunk Security Essentials For Ransomware
Identify Malware | Monitor Best Practices | Improve Security Posture
Multiple best-practice techniques (DIY):
• Detection, prevention, forensics
• Spanning all stages of an attack
• Methodology, examples, data sources
Essentials to get started (prepackaged):
• Over a dozen key use cases to get started
• Data sources include endpoint and wire data
• Search templates – customizable to environment
Central Analysis of Ransomware
What happened? Who was involved? When did it start?
Where was it seen? How did it get in? How do I contain it?
Single Source of Truth
Apply an “Investigative Mindset”
Ad-hoc search follows “how you think”
Splunk Insights for Ransomware
Analytics-Driven Response
What happened? Who was involved? When did it start?
Where was it seen? How did it get in? How do I contain it?
ALERT: Is there a logical connection from an alert to other activity, IPs, hosts, malware, or other alerts?
Example (Question → Logic → Data → Findings → Actions)
• Logic: Search network and host event logs to determine initial entry
• Data: Endpoint, Network devices, Web proxy, Mail proxy, DNS, Authentication
• Findings: USB key opened an infected ransomware file; user email indicates victim of spear phishing
• Actions: Eject USB, patch host, set email proxy rule, rotate credentials and notify / train victim of spear phishing attack
Splunk Insights for Ransomware
Making the Offer – Entry into the Splunk Portfolio
Entry point: Splunk Insights for Ransomware → Splunk Enterprise → Splunk Enterprise Security / UBA
▶ Focus on criticality of ransomware pain
▶ Offer that “this is a way to get that problem off your plate first and foremost”
▶ Tees up additional use cases using Splunk Enterprise
▶ No need to pivot off their primary need if it is not ransomware
▶ In fact, this is a way to get them to the downstream use case faster @ a lower price
Solving Ransomware with Splunk – Security Solutions Portfolio
Splunk Insights for Ransomware → Splunk Enterprise → Splunk Enterprise Security and UBA
▶ Splunk Enterprise Security (ES)
• SIEM solution for overall posture assessment, workflow for Incident Responders, Incident Review Audit for Ransomware cases, Adaptive Response to isolate infected hosts, Threat Intelligence to identify indicators of known ransomware, ability for teams to build custom ransomware dashboards
▶ Splunk User Behavior Analytics (UBA)
• Combat ransomware that “moves laterally” across the network; identify/detect ransomware that uses a domain generation algorithm (DGA) for its DNS traffic
▶ Splunk Enterprise Software
• Platform to index, search, report, visualize, analyze all data for security
• Multitude of ransomware techniques available for new and existing customers
• DIY – detection, prevention, forensics examples, mapped to attack stages, with methodology, examples, data sources
▶ Splunk Insights for Ransomware
• Use case-restricted version of Splunk Enterprise software – visibility, ad-hoc investigation of ransomware activity
• Leverage all the capabilities of Splunk Enterprise software for specific ransomware use case
• Entry-level pricing for smaller IT / security shops
Splunk Security Essentials for Ransomware App – pre-packaged templates to quickly get started with assessing ransomware posture
Splunk Security Essentials App – multiple general use cases in access, data, network, threat, and endpoint domains
Resources – All Materials Available on Field Enablement Portal Unless Otherwise Specified
▶ This Enablement Deck
• Details of the offer, positioning / messaging and pitching
▶ First Call Deck - Splunk Insights for Ransomware
• Helps you get the meeting
▶ FAQ “Splunk Insights for Ransomware”
▶ Role play document
• Selling motion, objection handling, discovery questions
▶ Call scripts / Email templates
▶ WannaCry Rapid Response – Blog, web page
▶ WannaCry Response – short video featuring Haiyan Song
• Strategic significance of analytics-driven approach to combating threats like ransomware
▶ WannaCry Response – ransomware webinars
• EMEA Webinar about general ransomware (English, German)
• APAC Webinar about general ransomware
• AMER Webinar about Splunk Security Essentials for Ransomware App
Resources (Cont’d)
▶ Online Demo Experience -- Ransomware Investigation Exercises
▶ Splunk Security Essentials for Ransomware App on Splunkbase
▶ .conf2016 Hands-On session recording and slides
• Splunking the Endpoint: Hands On! Ransomware Edition
▶ Dec 2016 Webinar on Ransomware and Prevention Strategies
• Covers array of detection, prevention, and forensics techniques
▶ Ransomware Wrangling with Splunk .conf2016 session
▶ Blogs
• Steering Clear of the “WannaCry” Ransomware Attack
• Petya Strikes Europe. Are you Ready for the Next Ransomware Attack?
• How Splunk can Help you Prevent Ransomware from Holding your Business Hostage
• Detecting Ransomware Attacks with Splunk
• Enhancing Enterprise Security for Ransomware Detection