INTERNAL USE ONLY
2017 SPLUNK INC.
Agenda:
Course Outline
Section 1:
good news | bad news
Diagram: Web (Threat Data Portal, .pdf), events that contain a link to the file; Endpoint (Access/Security), the process making C2 traffic.
First, the bad news
Security Today:
30% of phishing emails get opened
** 2016 Verizon breach digest
3% of users alert management of a possible phishing email
** 2016 Verizon breach digest
99% of attacks compromise systems within days
** 2016 Verizon breach digest
59,476 un-investigated
tickets.
1 single incident.
40,000,000 customer
records.
46% of organizations don't even have a SOC
** 2016 Verizon breach digest
and no one is immune
Diagram: People, Process, Technology
according to Optiv
20 days.
166 hours / 2 = 83 hours
88 hours / 8 = 10 days
per month.
write a haiku?
up your security training?
escalate or ignore.
Section 2:
What's a SIEM?
2006 called. They want their SIEM back.
Legacy SIEM
Diagram: sources feeding a Traditional SIEM: Threat Intelligence, Email, Web, Desktops, Servers, DHCP/DNS, CMDB, Custom Apps, Network, Hypervisor, Badges, Firewall, Authentication, Vulnerability Scans, Flows.
learning objectives
Overview of Splunk Enterprise Security (ES)
Introduce notable events
How to log in to ES
Introduce the ES home page
Enterprise Security Overview
Chart: 2011 Niche Player, 2016 Leader
Splunk Positioned as a Leader in Security Analytics Platforms
Splunk is a Leader in The Forrester Wave: Security Analytics Platforms, Q1 2017*
Splunk receives highest possible scores in 17 criteria
Diagram: Data Normalization (Security GPS): any source, type, volume; normalized on-the-fly into Security Domains. Sources shown: Online Services, Web, Access, On-Premises Services, Servers, Location, Endpoint, Packaged Applications, Networks, Desktops, Private Cloud, Storage, Custom Applications, Messaging, Telecoms, RFID, Network, Online Shopping Cart, Energy Meters, Databases, Public Cloud, Web Clickstreams, Call Detail Records, Identity, Smartphones and Devices.
Data Sources Required
Threat intelligence
Sources: 3rd party threat data, open source blacklists, internal threat intelligence
Content: known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
Click Documentation to view the Splunk App for Enterprise Security documentation
Click Community to connect with other Splunk users on Splunk Answers
lab time!
let's get ready to rumble!
Enterprise Security Hands-On: What's your Birth Month?
Section 2:
Dashboard Overview
Many dashboards have a filter bar to restrict the view on the current dashboard to
events that match the selected criteria
Dashboard Drilldowns
In the Malware Center dashboard, the Key Security Indicator Total Infections
displays the total number of systems with malware infections over the last 24 hours
Extreme Search
The same indicator using Extreme Search displays the relevant information, but
includes a depth that was not available with the prior Total Infections indicator
Key Indicators
Section 3:
Security Posture &
Incident Review
The severity of an event and the priority are combined to generate the urgency of an event.
The urgency allows events to be weighted according to the asset, thus causing events
against higher priority assets to be treated with higher urgency.
Incident Review Dashboard
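An added example, not from the deck or from the ES product, of how severity and asset priority combine into urgency: the same high-severity notable lands on three assets of different priority and is ranked differently. The five-step scales, the ceiling-of-average rule, the asset list and the notable events are all assumptions constructed for this illustration.

```python
"""Added example (not from the Splunk ES deck): deriving notable-event urgency
from event severity and the priority of the affected asset."""
from typing import Dict, List

# Ordered scales. The combination rule below is an assumption made for this
# example; it is not the urgency lookup table that ships with ES.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]
PRIORITIES = ["unknown", "low", "medium", "high", "critical"]
URGENCIES = ["informational", "low", "medium", "high", "critical"]

# Constructed asset inventory: destination host -> asset priority.
ASSETS: Dict[str, str] = {
    "10.11.36.20": "critical",   # e.g. a domain controller
    "10.11.36.50": "medium",     # e.g. a file server
    "192.168.5.7": "low",        # e.g. a lab workstation
}

# Constructed notable events; all three carry the same severity.
NOTABLES: List[Dict[str, str]] = [
    {"rule": "Host With Multiple Infections", "dest": "192.168.5.7", "severity": "high"},
    {"rule": "Host With Multiple Infections", "dest": "10.11.36.20", "severity": "high"},
    {"rule": "Host With Multiple Infections", "dest": "10.99.0.1", "severity": "high"},
]

def urgency(severity: str, priority: str) -> str:
    """Combine severity and asset priority into urgency.

    Assumed rule: ceiling of the average position on the two scales, so the
    same high-severity event is critical on a critical asset but only medium
    on a low-priority one. Hosts missing from the inventory count as 'unknown'.
    """
    s = SEVERITIES.index(severity.lower())
    p = PRIORITIES.index(priority.lower()) if priority.lower() in PRIORITIES else 0
    return URGENCIES[-(-(s + p) // 2)]  # -(-x // 2) is ceil(x / 2)

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach priority and urgency to each notable; highest urgency first."""
    enriched = []
    for ev in events:
        prio = ASSETS.get(ev["dest"], "unknown")
        enriched.append({**ev, "priority": prio, "urgency": urgency(ev["severity"], prio)})
    return sorted(enriched, key=lambda e: URGENCIES.index(e["urgency"]), reverse=True)

if __name__ == "__main__":
    for ev in triage(NOTABLES):
        print(f'{ev["urgency"]:<13} {ev["dest"]:<13} priority={ev["priority"]}')
```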
lab time!
Start high. Get low. From Security Posture to Incident Review.
now it's your turn.
add some additional KPIs to your dashboard.
drilldown into critical urgency.
where does that take you?
explore some of the notable events in the Incident Review dashboard.
take ownership of an alert.
now investigate.
what's your next step?
Pivot through some of the links.
Full disclosure: Some of the external links aren't configured.
Section 4:
Asset investigator, identity
investigator, adaptive response
Event Investigator Dashboards
An analyst can visually link activity across the event categories, and
form a complete view of a host's or a user's interactions in the
environment
Asset Investigator
Also available for ad-hoc searching by browsing to Event Investigator > Asset Investigator in the
main menu: An analyst uses the dashboard to triage an asset's interactions with the environment
lab time!
let's do this together
make sure 10.11.36.20 is in your search bar.
change timeline to Last 7 days.
click one of the blue bars.
If this were an actual breach,
what shape would this be in?
Identity Investigator
Displays information about known or unknown user identities across a pre-defined set of
event categories, such as change analysis and malware
Initiated through a workflow action from any dashboard that displays events with network
source or destination address
Available for ad-hoc searching by browsing to Security Intelligence > User Intelligence in the
Enterprise Security app, typing in the user credential in the search bar with an optional wildcard,
setting a time range, and choosing Search
lab time!
let's do this together!
Navigate to: Security Intelligence >
User Intelligence > Identity Investigator
search for user Hax0r
(yes. I'm serious.)
let's switch back to the Incident Review tab.
adaptive response
lab time!
(that was quick.)
Adaptive Response
your turn. peruse the response actions.
see what comes out of the box.
Section 5:
Security Domains
Access Domain
Endpoint Domain
Network Domain
Identity Domain
lab time!
Security Domains
you're trying to track down lateral movement.
what dashboards would help identify it?
what would cause a time skew on hosts?
why is that important?
Section 6:
Security Intelligence
Risk Analysis
Use to review changes to an object's risk score, determine the source of the
risk increase, and decide if additional action is warranted
lab time!
is it getting risky in here?
what users are the highest risk in an organization?
Protocol Intelligence
Protocol Center
lab time!
What's the protocol?
DNS Activity
DNS Search
SSL Activity
Email Activity
Email Search
Threat Intelligence
lab time!
are you threatening me?
User Intelligence
Access Anomalies
User Activity
Web Intelligence
https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874
lab time!
well, that's new
Under New Domain Analysis, find a list of machines that went to that URL, and the activity taken.
lab time!
security intelligence
the average breach lasts (roughly) 240 days.
where would you look to identify a breach
happening on day one?
Section 7:
Investigative Journal
lab time!
security intelligence
it's your turn!
- create an investigation.
- add some notable events.
- add some notes to describe the activity.
Section 8:
Wrap-Up
Infrastructure Quick Start Apps / Add-Ons
Endpoint Quick Start Apps / Add-Ons
continuing education
Splunk Tutorial (The Free eLearning Module):
Search Tutorial Manual:
Splunkbook.com
Splunk Education Videos:
to action
.conf2017
The 8th Annual Splunk Conference
conf.splunk.com
Thank you for your time!
We do appreciate it.
Section 9:
Appendix
A new notable event can be created from an event you are viewing in the Access Search,
Malware Search, Traffic Search, Intrusion Search, Proxy Search, or Search dashboards
Create a new notable event from an existing event shown as part of a search result or by using New
Notable Event in the Configure panel
Note: Do not create a new notable event from an existing notable event
For instance, do not create a new notable event from an event shown on the Incident
Review dashboard
Create a Notable Event from Existing Event
A search filter that hides any notable events matching the search conditions
The suppression filter is created to stop an excessive or unwanted number of notable
events from being displayed on the Incident Review dashboard
Example | you may want to prevent certain types of notable events from appearing on
the Incident Review dashboard or contributing to defined alert thresholds
Throttling is applied to events before they are added to the notable index, preventing
them from being created
Create a Suppression From Incident Review
1. Find the notable event that you want to suppress in the Incident Review dashboard
2. From the Actions select: Suppress events to/from... which opens the New Notable
Event Suppression page
3. Review the contents of the fields
4. Optionally set the Expiration Time field to define a time limit for the suppression filter, then save
the changes
5. After the time limit is met, the suppression filter is disabled
6. To review the suppression filter, browse to Configure > Incident Management > Notable
Event Suppressions
Review Notable Event Suppressions
To review the suppression filter, browse to Configure > Incident Management > Notable Event Suppressions
Create a Suppression from Configure
Enterprise Security tracks all suppression activity for auditing on the Suppression Audit dashboard
Predictive Analytics
To analyze data, choose a data model, an object, a function, an attribute, and a time range and click Search
Dashboard Filters
| Filter | Description | Action |
| --- | --- | --- |
| Data Model | Specifies the data model for the search. Available data models are shown in the drop-down list. | Drop-down: select to filter by |
| Object | Specifies the object within the data model for the search. There must be a Data Model selection to apply an Object. | Drop-down: select to filter in |
| Function | Specifies the function within the object for the search. Functions specify the type of analysis to perform on the search results. For example, choose "avg" to analyze the average of search results. Choose "dc" to create a distinct count of the results. | Drop-down: select to filter in |
| Attribute | Specifies the constraint attributes within the object for the search. Attributes are constraints on the search results. For example, choose "src" to look at results from sources. There must be an Object selection to apply an Attribute. | Drop-down: select to filter in |
| Time Range | Select the time range to represent. | Drop-down: select to filter by |
| Advanced | Access to the advanced predict settings. Use the available dashboard filter options to refine the results displayed on the dashboard. | Link: opens a window of optional predict settings |
Dashboard Panels
| Panel | Description |
| --- | --- |
| Prediction Over Time | The Prediction Over Time panel shows a predictive analysis of the results over time, based on the time range you chose. The shaded area shows results that fall within two standard deviations of the mean value of the total search results. |
| Outliers | The Outliers panel shows those results that fall outside of two standard deviations of the search results. |
For more info on data models, associated objects, functions, and attributes visit the following link:
docs.splunk.com/Documentation/CIM/latest/User/Overview
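An added example, not from the deck or the Predictive Analytics dashboard's own search, of the two-standard-deviation band the Prediction Over Time panel shades and the points the Outliers panel lists. The hourly series is constructed; `next_is_outlier` is added to show a caveat of this statistic: a past spike left in the history inflates sigma and can hide a later, smaller anomaly.

```python
"""Added example (not from the deck): the mean +/- 2 standard deviation band
the Prediction Over Time panel shades, and the points the Outliers panel lists."""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed hourly series, e.g. dc(src) from a data model over half a day.
SERIES: List[Tuple[str, int]] = [
    ("2017-06-01T00:00", 12), ("2017-06-01T01:00", 14), ("2017-06-01T02:00", 11),
    ("2017-06-01T03:00", 13), ("2017-06-01T04:00", 12), ("2017-06-01T05:00", 15),
    ("2017-06-01T06:00", 13), ("2017-06-01T07:00", 12), ("2017-06-01T08:00", 14),
    ("2017-06-01T09:00", 13), ("2017-06-01T10:00", 12), ("2017-06-01T11:00", 47),
]

def band(values: List[float], k: float = 2.0) -> Tuple[float, float]:
    """Return (low, high) = mean -/+ k population standard deviations."""
    mu, sigma = mean(values), pstdev(values)
    return mu - k * sigma, mu + k * sigma

def outliers(series: List[Tuple[str, int]], k: float = 2.0) -> List[Tuple[str, int]]:
    """Points outside the k-sigma band computed over the whole series,
    which is what the dashboard's Outliers panel shows for the time range."""
    low, high = band([v for _, v in series], k)
    return [(t, v) for t, v in series if v < low or v > high]

def next_is_outlier(history: List[float], value: float, k: float = 2.0) -> bool:
    """Judge a newly arrived value against the band of the history only.
    Caveat: if the history still contains an earlier spike, sigma is inflated
    and a smaller follow-up anomaly can pass inside the band unnoticed."""
    low, high = band(history, k)
    return value < low or value > high

if __name__ == "__main__":
    low, high = band([v for _, v in SERIES])
    print(f"band: {low:.1f} .. {high:.1f}")
    print("outliers:", outliers(SERIES))
    hist = [v for _, v in SERIES]
    print("30 after the spike:", next_is_outlier(hist, 30))        # masked
    print("30 with spike removed:", next_is_outlier(hist[:-1], 30))  # flagged
```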
The flow.
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutdatamodels
A correlation search is available to notify an analyst if a notable event has not been triaged
1. Under General > Custom Searches, search for the Untriaged Notable Events
correlation search
2. Modify the search, changing the notable event owner or status fields as desired
3. Set the desired alert action
4. Save the changes
5. Enable the Untriaged Notable Events correlation search
lab time!
correlation rule creation!
Risk Scoring | Example Scenario
As the relative risk score goes up, RLOG-10 can be compared to all network servers
and to other jump servers:
If the relative risk score for RLOG-10 exceeds its peers, that host would be
investigated by an analyst
If the risk scores of all jump servers are higher relative to other network hosts, an
internal security policy may need to be reviewed or implemented differently