GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

Similar documents
BIG DATA FOR SECURITY: HOW CAN I PUT BIG DATA TO WORK FOR ME? Joe Goldberg. Splunk. Session ID: HT-T08 Session Classification: Intermediate

Splunk: Using Big Data for Cybersecurity

Security & Threat Detection: Go Beyond Monitoring

Good Guys vs. the Bad Guys: Can Big Data Tools Counteract Advanced Threats?

A Love Affair: Cyber Security, Big-data and Risk

Using Big Data to Align IT Security with Business Risk Mark Seward, Senior Director, Security and Compliance

SANS Top 20 Critical Controls for Effective Cyber Defense

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

RSA Security Analytics

Splunk, Big Data and the Future of Security WHITE PAPER

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Concierge SIEM Reporting Overview

Active Response: Automated Risk Reduction or Manual Action?

Speed Up Incident Response with Actionable Forensic Analytics

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Security Analytics for Smart Grid

Building a cloud- based SIEM with Splunk Cloud and AWS

Big Data and Security: At the Edge of Prediction

All Information is derived from Mandiant consulting in a non-classified environment.

Software that provides secure access to technology, everywhere.

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

RSA Security Anatomy of an Attack Lessons learned

Modern Approach to Incident Response: Automated Response Architecture

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

QRadar SIEM and FireEye MPS Integration

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Evolution Of Cyber Threats & Defense Approaches

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Innovations in Network Security

The Need for Intelligent Network Security: Adapting IPS for today s Threats

Breach Found. Did It Hurt?

Agenda , Palo Alto Networks. Confidential and Proprietary.

Endpoint Threat Detection without the Pain

Stop the Maelstrom: Using Endpoint Sensor Data in a SIEM to Isolate Threats

Performing Advanced Incident Response Interactive Exercise

Protection Against Advanced Persistent Threats

Advanced Threats: The New World Order

Hunting for the Undefined Threat: Advanced Analytics & Visualization

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Enabling Security Operations with RSA envision. August, 2009

Breaking the Cyber Attack Lifecycle

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Effective Methods to Detect Current Security Threats

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

REVOLUTIONIZING ADVANCED THREAT PROTECTION

THE BEST WAY TO CATCH A THIEF. Patrick Bedwell, Vice President, Product Marketing

Advanced Persistent Threats

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Comprehensive Advanced Threat Defense

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Unified Security Management and Open Threat Exchange

A New Perspective on Protecting Critical Networks from Attack:

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

IBM QRadar Security Intelligence April 2013

Effective Methods to Detect Current Security Threats

The Role of Security Monitoring & SIEM in Risk Management

Enterprise Cybersecurity: Building an Effective Defense

Unified Security, ATP and more

Analyzing HTTP/HTTPS Traffic Logs

24/7 Visibility into Advanced Malware on Networks and Endpoints

Security Analytics The Beginning of the End(Point)

Memory Forensics & Security Analytics: Detecting Unknown Malware

Evolving Threat Landscape

The Hillstone and Trend Micro Joint Solution

CONTINUOUS MONITORING THE MISSING PIECE TO SECURITY OPERATION (SOC) TODAY

Fighting Advanced Threats

PERDIX: A FRAMEWORK FOR REALTIME BEHAVIORAL EVALUATION OF SECURITY THREATS IN CLOUD COMPUTING ENVIRONMENT

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

APPLICATION PROGRAMMING INTERFACE

Speaker Info Tal Be ery

Sygate Secure Enterprise and Alcatel

Using SIEM for Real- Time Threat Detection

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

05 June 2015 A MW TLP: GREEN

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Security Information & Event Management (SIEM)

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

When less is more (Spear-Phishing and Other Methods to Steal Data) Alexander Raczyński

SourceFireNext-Generation IPS

Malicious Network Traffic Analysis

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Jort Kollerie SonicWALL

Sicurezza & Big Data: la Security Intelligence aiuta le aziende a difendersi dagli attacchi

GRC & Cyber Security Conference - Bringing the Silos Together ISACA Ireland 3 Oct 2014 Fahad Ehsan

Can We Become Resilient to Cyber Attacks?

Rashmi Knowles Chief Security Architect EMEA

How To Create Situational Awareness

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

Cisco Cyber Threat Defense - Visibility and Network Prevention

A Case for Managed Security

The Cloud App Visibility Blindspot

Transcription:

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS Joe Goldberg Splunk Session ID: SPO-W09 Session Classification: Intermediate

About Me Joe Goldberg Current: Splunk - Security Evangelist and Technical Product Marketing Past: Symantec/Vontu - Data Loss Prevention, Technical Product Marketing VMware - Technical Product Marketing Sun Microsystems - Product Marketing

Security Presentation Template Scare them Unscare them

Security Presentation Template Advanced Threat Big Data

Here Comes the Scary Part..

Advanced Threats Outpace the Defenders Adversary Technical Capabilities You Time

Advanced Threats Are Hard to Detect 100% Valid credentials were used 243 Median # of days before detection 40 Average # of systems accessed 63% Of victims were notified by external entity Source: Mandiant M-Trends Report 2012 and 2013

Advanced Threat Pattern Infiltration Back Door Recon Data Exfiltration Gathering Phishing or web driveby. Email has attached malware or link to malware Malware installs remote access toolkit(s) Malware obtains credentials to key systems and identifies valuable data Data is acquired and staged for exfiltration Data is exfiltrated as encrypted files via HTTP/S, FTP, DNS

Here Comes The Solution Big Data

Big Data is Used Across IT and the Business App Mgmt IT Ops Security Compliance Web Intelligence Business Analytics Big Data

Big Data Definition Wikipedia: Collection of data sets so large and complex that it becomes difficult to process using database management tools Gartner: The Three Vs Data volume Data variety Data velocity Security has always been a Big Data problem; now it has a solution

Sources Email Server Machine Data / Logs are Big Data 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup- 00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,, hacker@neverseenbefore.com, Please open this attachment with payroll information,,,2013-08- 09T22:40:24.975Z Web Proxy Endpoint Logs Windows Authentication Endpoint Security 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8;.NET CLR 1.1.4322;.NET CLR 3.0.4506.2152; ) User John Doe," 20130806041221.000000Caption=ACME-2975EB\Administrator Description=Built-in account for administering the computer/domaindomain=acme-2975eb InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=useraccounts 08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="\john Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type"" Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,user: smithe,source computer:,source IP: 10.11.36.20

Big Data Analytics [Security teams need] an analytical engine to sift through massive amounts of real-time and historical data at high speeds to develop trending on user and system activity and reveal anomalies that indicate compromise. Security for Business Innovation Council report, When Advanced Persistent Threats Go Mainstream, Chuck Hollis VP CTO, EMC Corporation The core of the most effective [advanced threat] response appears to be a new breed of security analytics that help quickly detect anomalous patterns -- basically power tools in the hands of a new and important sub-category of data scientists: the security analytics expert..

Step 1: Collect ALL The Data in One Location Databases Email Web Desktops Servers DHCP/ DNS Network Flows Hypervisor Badges Firewall Traditional SIEM Authentication Vulnerability Scans Custom Apps Service Desk Storage Mobile Intrusion Detection Data Loss Prevention Anti- Malware Industrial Control Call Records

Need Both Network and Endpoint And Inbound/Outbound!

Step 2: Identify Threat Activity What s the modus operandi of the attacker? (think like a criminal) What/who are the most critical data assets and employees? What patterns/correlations of weak-signals in normal IT activities would represent abnormal activity? What in my environment is different/new/changed? What is rarely seen or standard deviations off the norm?

Big Data Solution Big Data Architecture Data Inclusion Model One product, UI, and datastore Scales horizontally to many TBs a day on commodity H/W All the original data from any source No database schema to limit investigations/detection Search & reporting flexibility Advanced correlations Math/statistics to baseline and find outliers/anomalies Real-time indexing and alerting Known and Unknown threat detection Open platform with API, SDKs, App framework

Big Data Solutions NoSQL, distributed search, commodity H/W More than a SIEM: Incident investigations, custom reports, SIEM/correlations, APT detection, fraud detection

Is Packet Capture Big Data? make your own Fantastic technology for detecting anomalous traffic and for incident investigations Handles volume and velocity, but not variety

Sample Correlation of Unknown Threats Sources Email Server Web Proxy 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup- 00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,, hacker@neverseenbefore.com, Please open this attachment with payroll information,,,2013-08- 09T22:40:24.975Z Rarely seen email domain Rarely visited web site Example Correlation - Spearphishing User Name 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8;.NET CLR 1.1.4322;.NET CLR 3.0.4506.2152; ) User John Doe," User Name Endpoint Logs User Name 08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300 process_image="\john Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type"" Rarely seen service All three occurring within a 24-hour period Time Range

Fingerprints of an Advanced Threat What to Look For Why Source URL length on web app is standard deviations longer than normal SQL injection. Hacker puts SQL commands in the URL. Web Attack Phase Infiltration Rarely seen registry, service, DLL. Or they fail hash checks. Account creation without corresponding IT help desk ticket For single employee: Badges in at one location, then VPNs or logs in countries away Employee makes standard deviations more data requests from a file server with confidential data than normal Malware or remote access toolkit OS Back Door Hacker is creating new admin accounts Stolen credentials AD/ Help Desk logs Badge/ VPN/ Auth Recon Data gathering Gathering confidential data for theft OS Data gathering

Fingerprints of an Advanced Threat What to Look For Why Source Standard deviations more DNS requests from a single IP Hackers exfiltrate the data in DNS packets; also fast-flux DNS DNS Attack Phase Exfiltration Standard deviations larger DNS data flows from a single host Hackers exfiltrate the data in DNS packet; standard deviations more DNS requests from a single IP NetFlow / DNS Exfiltration Standard deviations larger traffic flows from a host to a given IP Hacker exfiltrating info NetFlow Exfiltration Long outbound URL w/o referrer Botnets often embed long CnC message in the URL Web Exfiltration

Step 3: Remediate and Automate Where else in my environment do I see the Indicators of Compromise (IOC)? Remediate infected machines Fix weaknesses, including employee education Turn IOC into a real-time search for future threats

Security Realities Big Data is only as good as the data it holds and the people behind the UI There is no replacement for capable practitioners Put math and statistics to work for you Encourage IT Security creativity and thinking outside the box Fine tuning needed; always will be false positives

Other Tactics From Forward - Thinking Practitioners Virtual sandbox for signature-less malware detection Network forensics/packet capture Web application firewalls Application whitelisting Honeypots Red team exercises Spearphishing employee training Air gapped network

Splunk For Security Big Data platform for ingesting machine data; 500MB to 100+ TB/day Many use cases within security Forensics, incident investigation, known and unknown threat detection, fraud detection, and compliance Many use cases outside security: IT Operations, Application Management, web analytics Over 6000 customers total; 2500+ primary security use case customers Free download and tutorial at www.splunk.com

Questions?

Thank you! Joe Goldberg Splunk jgoldberg@splunk.com www.splunk.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information