splunksummit 2015 - es hands on workshop
TRANSCRIPT
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
About Me
1.5 Years
What’s a sandbox?
What’s a sandbox?
• A 100% free, fully featured 15 day trial of Splunk products: Cloud, Light, or ES
• Hosted in AWS
• Authenticates off of your Splunk account
• Has sample data for you to play with
• Supports onboarding of your own data
Today’s session: A hands-on activity with your very own Enterprise Security sandbox!
Let’s create a sandbox
Let’s fix a few things!
• Choose a timezone
• Correlation search enablement
• Scheduled search enablement
Pick “Hobart”, and save
Type “High” to filter
Click “Enable” for “High or Critical Priority Host with Malware Detected”
Search for “30m”
Enable the two disabled rules
What’s ES anyway?
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
Platform for Machine Data (slide graphic): human-to-machine and machine-to-machine data from mainframe data, VMware, Exchange, relational databases, mobile forwarders, syslog / TCP / other, sensors & control systems, wire data and mobile intel. On top: Splunk premium apps (Security, PCI, MINT) and a rich ecosystem of apps, across data sources, use cases & consumption models. Splunk solutions are easy to adopt.
Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2015: Leader, and the only vendor to improve its visionary position
2014: Leader
2013: Leader
2012: Challenger
2011: Niche Player
Splunk as the Security Nerve Center (slide graphic): app servers, network, threat intelligence, firewall, web proxy, internal network security, endpoints.
ES Fast Facts
● Current version: 3.3, 4.0 just recently announced!
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
4.0 not in sandbox…yet
WARNING: It’s really rich!
You can’t eat all of ES in one sitting, so we won’t.
Security Posture
How do you start and end your day?
Key Security Indicators
Sparklines
Editable
HOW DO WE GET DATA IN?
Data comes from…
You can actually do this in the sandbox, if you want.
Data Ingest + Common Information Model
● You’ve got a bunch of systems…
● How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● CIM = Data Normalization
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.
Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries
Free. Supported. Fully documented.
Lots of apps support CIM.
CIM Compliant!
Click “Data models” under Settings
Click “>” next to Malware
Data Models are Accelerated
Let’s Pivot!
Click Malware
Pivot allows non-technical interaction with data models.
Click Malware Attacks
Change to “Last 24 hours”
Total # attacks
Click Area Chart
Click Color
SCROLL and find Signature, and click
You can save as reports and dashboard panels…
Click “Malware Attacks” and then Edit Object
Data Models map to CIM-compliant tagged data
SCROLL to see more
Fields relevant to Malware data source
Appropriate tags
So what?
Click to return to Enterprise Security
Security Domains, then Endpoint, then Malware Center
KSI specific to malware
Let’s drill into two examples
Click “Hacktool.Rootkit” bar
Normalized fields to CIM from Symantec
Click browser back button…
We know about this.
Second example
Click “Mal/Packer” bar
Normalized fields to CIM from Sophos
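What the pivot and the two drill-downs above are doing underneath is ordinary searching against the Malware data model. The three searches below are an added example, not taken from the workshop slides and not Splunk’s own generated code; they assume the stock CIM Malware data model (root object Malware_Attacks, constrained by tag=malware tag=attack, with the fields signature, dest, vendor_product and action) and the sandbox’s sample Symantec and Sophos events. The first is the “Malware Attacks by Signature, last 24 hours” pivot as a search; the second is the raw-event view you land on when you click the “Hacktool.Rootkit” bar; the third shows which sourcetypes are actually feeding the model, the same question the Content Profile audit answers.

```spl
| tstats summariesonly=true count AS attacks
    from datamodel=Malware.Malware_Attacks
    where earliest=-24h
    by Malware_Attacks.signature Malware_Attacks.vendor_product
| rename Malware_Attacks.* AS *
| sort - attacks

tag=malware tag=attack earliest=-24h signature="Hacktool.Rootkit"
| table _time dest signature vendor_product action

| tstats summariesonly=true count AS accelerated_events
    from datamodel=Malware.Malware_Attacks
    where earliest=-24h
    by sourcetype
```

summariesonly=true reads only the accelerated summary, which is why the pivot is fast and why a just-onboarded source can lag by a few minutes; drop the option to fall back to scanning raw events. In the second search the vendor-specific field names (Symantec’s and Sophos’s) never appear: the add-ons alias them to the CIM names at search time, so the same query works for both vendors and for any other CIM-compliant AV you onboard later. If a sourcetype you expect is missing from the third search, its events are either not tagged malware and attack or not mapping to the CIM fields, which is the gap the Content Profile audit flags.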
Where are my gaps in coverage?
Click Audit and then “Content Profile” (takes about 30s)
Which models could I be using, but I’m not?
QUESTIONS ON CIM/DATA MODELS?
THREAT INTELLIGENCE
Attack Map
The Challenge:
• Industry says Threat Intel is key to APT Protection
• Management wants all threat intel checked against every system, constantly
• Don’t forget to keep your 15+ threat feeds updated
The Solution:
Verizon 2015 DBIR: “…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…”
Threat list aggregation = more complete intelligence
Under Advanced Threat click “Threat Activity”
SCROLL
KSIs specific to threat
Threat categories
Threat specifics
Click Configure, “Data Enrichment” and then “Threat Intelligence Downloads”
Various community threat lists
Local ones too
TAXII support
Click “Malware Domains”
Weight used for risk scoring
Interval
SCROLL for additional config
Hit “back” button twice
QUESTIONS ON THREAT INTEL?
MORE ADVANCED THREAT
STIX/TAXII feed
Browse through the tabs…
Investigate on your own time: Advanced Threat capabilities worth your while…and all areas under Security Domains
ADDITIONAL REPORTS
Auditors / Management / Compliance Says…
● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than 300 standard reports too
Click “Reports” under Search
Almost 330 reports to use/customize
INCIDENT RESPONSE WORKFLOW
Click “High or Critical Priority Host with Malware Detected”
Checkbox Select the Critical Event
Highly filterable and tag-able
Click “Edit All Selected”
Fill out Status/Owner/Comment, click Save
Would contain all of your users
Confirm that event updates
Click “>” under Actions to see what you can do with the event
Click “>” to view more details on the event
Last comment and link to review all activity
Every field “pivot-able”
Automatic attribution for asset data
Pivot internally within ES, or externally. Customizable.
Drill to Asset Investigator
Asset data
Customizable Swimlanes
Selectable Time
Hold down CTRL or CMD and click multiple bars aligned vertically
Summarized info from “candlesticks” selected
Drill to search, make a notable event, share a link
Select one or two red “Malware Attacks” bars
Drill to search
Raw log data in the Search interface is only a click away.
“Browser Tab” back to Incident Review
Edit the event again and add some more comments…
Feel free to add whatever you wish here…click save
View the review activity for the event
Click on “Incident Review Audit” under Audit
Many aspects of ES are audited within the product
More users will make this more interesting…
Click on Identity Investigator
Type “htrapper” in search and click search
Set to “Last 24 hours”
Information about this identity
QUESTIONS ABOUT INCIDENT RESPONSE?
LOOKUPS AND CORRELATION SEARCHES
Select “Data Enrichment”, “Lists and Lookups” under Configure
Many lookups to provide additional context to your data
Click on “Demonstration Identities”
We want to add “naughtyuser” to this list because it is showing up in our data.
SCROLL
Select last row, right click, and choose “Insert row below.”
Add whatever you want, but make sure the first column (identity) says “naughtyuser”
When done click save
Extra credit: Check your work in Identity Center
Click on “General”, “Custom Searches” under Configure
Click “New”
Click “Correlation Search”
Fill in Search Name, App Context, and Description
Click “Edit search in guided mode”
You could simply type a Splunk search in here if you wanted.
Click “Next”
Select “Data Model”, “Authentication”, “Failed_Authentication” and click Next
Select “Last 60 minutes” and click Next
Observe search and click Next
Optional: You can “Run search” at this point and see the events that will return.
Click “Add a new aggregate”
Choose “count” and then alias it as “failedlogincount” and click Next
Click Next
SCROLL to select “Authentication.user” and click Next
Type “user” in the Alias field and click Next
Let’s match on “failedlogincount” being greater than 1000
Click “run search” to test the search.
This should create two notable events…so let’s make sure that happens.
Make sure this is over 60 minutes, not “all time”.
Fill in a “cron” style schedule: every 5 minutes (*/5 * * * *)
Put “86400” as the window duration. Put “user” as the field to throttle by.
Check the “notable event” box and fill in the fields as shown. Note the “$” signs around the variables!
Let’s assign risk to the user. Check the box and fill in the three fields as shown.
Save the search and go back to Incident Review.
As long as you have waited 5 minutes you should have new notable events!
Expand your new event
Variable substitution working
Launch Identity Investigator against “naughtyuser”
Data you added to the lookup
Notable Events and Risk
Bonus: Go find “naughtyuser” in Risk Analysis dashboard…
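For reference, here is what the guided-mode choices above boil down to once the correlation search is saved, followed by two searches that confirm the notable events and the risk score landed. This is an added example, not from the workshop slides and not the text the wizard itself emits (its quoting and macro use vary by ES version). The search name “Workshop - Excessive Failed Logins” and the rule title “Excessive failed logins for $user$” are assumed placeholders for whatever you typed into the Name and Notable Event fields; the index names notable and risk and the fields risk_object, risk_object_type and risk_score are as used by ES 3.x/4.x, and the field names owner and status_label come from ES’s notable macro. Everything else (Authentication data model, Failed_Authentication node, the count aliased as failedlogincount, the 1000 threshold) comes from the steps above.

```spl
| tstats summariesonly=true count AS failedlogincount
    from datamodel=Authentication.Authentication
    where nodename=Authentication.Failed_Authentication
    by Authentication.user
| rename Authentication.user AS user
| where failedlogincount > 1000

`notable` search_name="Workshop - Excessive Failed Logins" earliest=-24h
| table _time rule_title user owner status_label

index=risk risk_object="naughtyuser" earliest=-24h
| stats sum(risk_score) AS total_risk count AS contributions by risk_object risk_object_type
```

Note what is not in the first search: the “Last 60 minutes” choice is stored as the saved search’s time range, not in the SPL, so when you test it ad hoc you must set the time picker to the last 60 minutes yourself (the same point the slide makes about “not all time”). The throttle settings work the same way: a window of 86400 seconds keyed on user means that once naughtyuser produces a notable event, further matches for naughtyuser are suppressed for 24 hours while a different user exceeding the threshold still fires. The $user$ token in the rule title is substituted from the user column of each result row, which is why the event you expand shows the real account name. A fixed threshold of 1000 fits the sandbox sample data; in production you would set it from a baseline of your own failed-authentication volume.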
Final Questions?
Next Steps…
• Play in your ES Sandbox for 15 days
• Explore some of the areas we didn’t get to cover today
• Ask questions of your sales team
• Once ES 4.0 releases, help yourself to another sandbox to see the new features
• TELL YOUR FRIENDS!
THANKYOU!