Splunk and Big Data for Insider Threats
Mark Seward, Sr. Director, Public Sector
Copyright 2014 Splunk Inc.
Company (NASDAQ: SPLK)
- Founded 2004, first software release in 2006
- HQ: San Francisco / Regional HQ: London, Hong Kong
- Over 1000 employees, based in 12 countries
- Annual Revenue: $299M (YoY +53%)
- $5+ billion market valuation
- Fast Company 2014: #4 Big Data Innovator
- Leader: Gartner SIEM Magic Quadrant, 2013

Business Model / Products
- Free download to massive scale
- On-premise, in the cloud and SaaS
- 7,000+ customers; 2800 with security use cases
- Customers in over 90 countries
- 60 of the Fortune 100
- Largest license: 150 terabytes per day
Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction
Splunk as a Security Intelligence Solution
- INCIDENT INVESTIGATIONS & FORENSICS
- SECURITY & COMPLIANCE REPORTING
- REAL-TIME MONITORING OF KNOWN THREATS
- REAL-TIME MONITORING OF UNKNOWN THREATS
- FRAUD DETECTION
- INSIDER THREAT

Splunk Complements, Replaces, and Goes Beyond Existing SIEMs
What is meant by an Insider Threat?
A current or former employee, contractor, or business partner who:
- has or had authorized access to an organization's network, system, or data; and
- intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems.

Source: Common Sense Guide to Prevention and Detection of Insider Threats, 2010
Employee Insider Threats
Are:
- Authorized users
- Doing authorized things
- Of malicious intent
- A people-centric behavioral problem

Are not:
- Hackers using specialized tools
- A technical or "cybersecurity" issue alone
- Escalating their privileges for purposes of espionage
Security Incidents and Insider Threats
- 58%: percent of security incidents that can be attributed to insider threats
- 33%: percent from employees
- 7%: percent from ex-employees
- 18%: percent from partners or suppliers

Source: Infosecurity, May 2013
The Difficulty Detecting Insider Threats
76% of respondents indicate insider threat detection is not getting any easier, or is getting harder.
Motivations for Malicious Insider Activities
- Insider IT sabotage
- Theft or modification for financial gain
- Theft of information for business advantage
- The conscientious objector
Data Collection Requirements/Guidelines
Federal Intelligence Community Standards

ICS 500-27, Collection and Sharing of Audit Data
- Appendix B: Set of Auditable Events
- Lists auditable events or activities
- Event details
- Events that indicate a violation of system

ICS 700-2, Use of Audit Data for Insider Threat Detection
- Goes beyond traditional IT data
- Facility access information
- Foreign contact information
- Foreign travel information
- Financial disclosure information
- Personnel security information

Context for External / Internal Activities
Analysis Types for Detecting Insider Threats
- Statistical Context
- Personal Context
- Activity Context

Relationship between analysis types indicates malicious intent
Statistical Analysis / Watching for Outliers

| Detection Type | Detail | Analysis |
|---|---|---|
| Printer usage | Number of print jobs over a given period of time | Baseline/Outlier |
| Printer usage | Increase in size of print jobs | Baseline/Outlier |
| Printer usage | Unusual times of day | Baseline/Outlier |
| Printer usage | Rare network printer use (the one not closest to the employee) | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Local vs. remote | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Time of day / after or before normal shift | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | During vacation times / after termination | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Access from IPs or subnets not normal for the employee | Baseline/Outlier |
| Abrupt change in the ratio of website categories visited | Monitors employee behavior and attitude changes (proxy data) | Outlier/Context |
| Recent address changes | Multiple address changes in a given period of time are a red flag | Context/Look-up |
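The Baseline/Outlier rows in the table above all reduce to the same mechanic: learn what is normal for an individual from their own history, then flag the observation that departs from it. The following is an added example of that mechanic over constructed print-server and login records; it is not Splunk code or part of the original deck, and the field layouts, the 3-sigma threshold, the /24 subnet granularity and the 07:00-19:00 shift window are assumptions.

```python
"""Baseline/outlier checks of the kinds listed in the table above, run over
constructed sample events. Added example, not Splunk's code; thresholds,
field layouts and the shift window are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ipaddress

# Constructed print-server records: (timestamp, user, pages). The earlier days
# form each user's baseline; the last day is the one under review.
PRINT_EVENTS = [
    ("2014-03-03T09:12", "jdoe", 4), ("2014-03-04T10:40", "jdoe", 6),
    ("2014-03-05T11:05", "jdoe", 5), ("2014-03-06T14:20", "jdoe", 3),
    ("2014-03-07T22:48", "jdoe", 180),            # sudden large job
    ("2014-03-03T09:30", "asmith", 12), ("2014-03-04T09:31", "asmith", 10),
    ("2014-03-05T09:29", "asmith", 11), ("2014-03-06T09:33", "asmith", 13),
    ("2014-03-07T09:30", "asmith", 12),           # steady, nothing to flag
]

# Constructed login records: (timestamp, user, source IP).
LOGIN_EVENTS = [
    ("2014-03-03T08:55", "jdoe", "10.20.1.15"), ("2014-03-04T09:02", "jdoe", "10.20.1.15"),
    ("2014-03-05T08:47", "jdoe", "10.20.1.22"), ("2014-03-06T09:10", "jdoe", "10.20.1.15"),
    ("2014-03-08T02:14", "jdoe", "203.0.113.77"),  # Saturday 02:14, unfamiliar subnet
    ("2014-03-03T08:58", "asmith", "10.20.2.40"), ("2014-03-04T09:01", "asmith", "10.20.2.40"),
    ("2014-03-05T08:59", "asmith", "10.20.2.40"),
]


def daily_pages(events):
    """Sum pages per user and calendar day -> {user: {day: pages}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, pages in events:
        totals[user][ts[:10]] += pages
    return totals


def volume_outliers(events, k=3.0, min_baseline=3):
    """Baseline/Outlier: flag a user's latest day when its page total exceeds
    mean + k * stdev of that user's earlier days.
    Returns {user: (day, pages, threshold)}."""
    flagged = {}
    for user, per_day in daily_pages(events).items():
        days = sorted(per_day)
        if len(days) <= min_baseline:
            continue                                  # not enough history to baseline
        baseline = [per_day[d] for d in days[:-1]]
        # floor the spread at one page so a perfectly flat baseline does not flag +1 page
        threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
        latest = per_day[days[-1]]
        if latest > threshold:
            flagged[user] = (days[-1], latest, round(threshold, 1))
    return flagged


def login_outliers(events, shift=(7, 19), prefix=24):
    """Time-of-day and source-subnet checks: learn each user's usual /prefix
    subnets from all but the last login, then flag the last login if it is
    outside the shift window, on a weekend, or from an unseen subnet."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), ip))
    findings = defaultdict(list)
    for user, logins in by_user.items():
        *baseline, (when, ip) = logins
        usual = {ipaddress.ip_network(f"{b}/{prefix}", strict=False) for _, b in baseline}
        if not shift[0] <= when.hour < shift[1] or when.weekday() >= 5:
            findings[user].append(f"login at {when:%a %H:%M} outside normal shift")
        if usual and not any(ipaddress.ip_address(ip) in net for net in usual):
            findings[user].append(f"login from {ip} not in usual subnets")
    return dict(findings)


if __name__ == "__main__":
    print(volume_outliers(PRINT_EVENTS))
    print(login_outliers(LOGIN_EVENTS))
```

Two details matter in practice: the baseline is per user, never a company-wide average (a 180-page job is normal for a print shop and abnormal for an engineer), and the spread is floored so that a user with an unvarying history is not flagged for trivial deviations. The subnet check only reports on users who have a baseline at all; a first-ever login cannot be an outlier.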
External Personal Context

| Context Type | Detail | Information Type |
|---|---|---|
| Transfer / demotion / poor service review (HR records) | According to CERT, nearly 50% of all insiders acted out of revenge for a negative event such as demotion, new supervisor, or transfer | Context / Look-up |
| Unused vacation: 18 months or longer | Employee remains in control; work not turned over to others for review | Context / Look-up |
| Lay-off notification | Monitor for file transfers by individuals that occur immediately before and after lay-offs are announced | Context / Look-up |
| Always first in / first out of the office | Badge data, AD or application data. Desire to control the situation | Context / Look-up |
| Personal life change | Marital status change is a stress trigger and can jeopardize emotional stability. HR system data | Context / Look-up |
| Non-business use of the internet | Use proxy data to categorize internet usage | Context / Look-up |
| Credit report / starting a business | Dun & Bradstreet / Equifax | Context / Look-up |
Activity Context Detections for Insider Threats

| Detection | Detail | Type |
|---|---|---|
| Unusual physical access attempts | Monitor physical access logs for attempts on unauthorized locations | Direct indicator |
| Attempts to use USB or CD-ROM | Log data events | Direct indicator |
| Use of back door and default accounts | Monitor shared accounts and use of default user names, especially after employee or contractor termination | Direct indicator |
| Access to network diagrams and code repositories | Monitor for unauthorized reconnaissance for information used to attack or steal data from systems | Direct indicator |
| Remote logins to infrastructure | Monitor logins and web surfing from data center infrastructure | Direct indicator |
| The two-man rule | If instituted, monitor separation of duties for administrative functions such as privileged user actions and account changes | Direct indicator |
A Word or Two on Privacy
Your mileage may vary based on:
- Employment contracts
- Union rules
- Agency / Department culture
- Agency mission
- Data sensitivity

However, most companies/agencies and their employment agreements/contracts allow for some forms of data collection.
Combination of Two Strategies for Combating

Primary: Prevention/Deterrence
- Pattern based
- Multiple factors
- Uses heuristics and statistical models
- Requires baselining / watching for outlier behaviors

Secondary: Detection
- Specific indicators or alerts
- Definitive evidence
- Physical detection (stolen documents)

"Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence." Patrick Reidy, CISO, FBI
Insider Threat Use Case: Disgruntled Employee
Splunk at a Large Aerospace and Defense Contractor

Goal: Protect intellectual property at the hands of a disgruntled employee.

Use Case Scenario: In an environment where employees are sometimes mistreated, fired or reprimanded, you never know when an employee has become disgruntled. Think of an employee who receives a "pink slip" and decides that before his last day he wants to take company proprietary data from SharePoint servers. Below explains how Splunk could be used to detect/mitigate that type of behavior:

Data Sources: Host-based FW logs, Single Sign-on (SSO) logs, SharePoint connection logs

Content Logic Steps:
1. Upload the login IDs of all employees who received pink slips to a Splunk lookup table
2. Run trending reports on those IDs for the past 6 months
3. Correlate data sources with the trend reports
4. Report on suspicious user IDs that have increased downloads from SharePoint servers

Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules
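The four content-logic steps above, carried through end to end as an added example that is not part of the original deck and not Splunk code. It runs over constructed SharePoint download lines rather than real connection logs; the log line format, the lookup table columns (`user_id`, `notice_date`) and the "latest month more than twice the earlier average" rule are assumptions standing in for whatever trend threshold a real deployment would choose.

```python
"""The four content-logic steps from the use case above (lookup table of
notified login IDs -> six-month trend -> correlate -> report), run over
constructed SharePoint download lines. Added example, not Splunk's code; the
log format, lookup columns and the 2x ratio are assumptions."""
import csv
import io
import re
from collections import defaultdict
from statistics import mean

# Step 1 input: constructed lookup table of employees who received a notice.
PINK_SLIP_LOOKUP = """\
user_id,notice_date
jdoe,2014-06-02
rlee,2014-06-02
"""

LINE_RE = re.compile(r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ user=(?P<user>\S+) action=download\b")


def constructed_log():
    """Build constructed SharePoint connection-log lines, one per download.
    Monthly counts, Jan..Jun: jdoe ramps up in June; rlee is flat; asmith is
    busy in June but was never on the lookup table."""
    counts = {"jdoe": [2, 1, 2, 1, 2, 9], "rlee": [1] * 6, "asmith": [0, 0, 0, 0, 0, 12]}
    lines = []
    for user, per_month in counts.items():
        for month, n in enumerate(per_month, start=1):
            for i in range(n):
                lines.append(f"2014-{month:02d}-{i % 28 + 1:02d}T10:00:00 user={user} "
                             f"action=download doc=/sites/eng/doc{i}.docx")
    return "\n".join(lines)


def load_lookup(csv_text):
    """Step 1: lookup table keyed by login ID."""
    return {row["user_id"]: row["notice_date"] for row in csv.DictReader(io.StringIO(csv_text))}


def monthly_downloads(log_text):
    """Step 2: trend of download counts per user per month."""
    trend = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            trend[m["user"]][m["month"]] += 1
    return trend


def report_suspicious(log_text, lookup_csv, ratio=2.0):
    """Steps 3 and 4: keep only users on the lookup table and report those whose
    latest month exceeds `ratio` times their average of the earlier months."""
    watch = load_lookup(lookup_csv)
    findings = []
    for user, months in monthly_downloads(log_text).items():
        if user not in watch:
            continue                                   # correlation with the lookup
        ordered = [months[k] for k in sorted(months)]
        if len(ordered) < 2:
            continue                                   # no earlier months to trend against
        *baseline, latest = ordered
        avg = mean(baseline)
        if latest > ratio * max(avg, 1):
            findings.append({"user": user, "notice_date": watch[user],
                             "baseline_avg": round(avg, 1), "latest_month": latest})
    return findings


if __name__ == "__main__":
    for finding in report_suspicious(constructed_log(), PINK_SLIP_LOOKUP):
        print(finding)
```

The lookup acts as a filter before the trend comparison, which is the point of step 3: asmith's June spike is larger than jdoe's but never reaches the report because asmith is not on the pink-slip list, while rlee is on the list but shows no change. Keeping the six earlier months as the baseline, rather than a single previous month, is what lets an ordinary busy month be distinguished from a departure from habit.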
Insider Threat Use Case: Data Leakage/Spill
Splunk at a Large Aerospace and Defense Contractor

Goal: To detect/monitor potential data leakage/spill of very sensitive intellectual property.

Use Case Scenario: In an environment where employees are government contractors who have access to sensitive R&D projects and/or supporting government programs, data leakage is highly likely. An employee can intentionally or unintentionally download any text docs associated with that program/project to a personal laptop, personal email, etc. Below explains:

Data Sources: Data Loss Prevention (DLP) logs, key words, email logs, Anti-virus logs (USB)

Content Logic Steps:
1. Upload "program keywords" and "user IDs" into Splunk's lookup table
2. Correlate data sources with the lookup table
3. Develop/report on alerts (rule hits)
4. Develop alert visualization and monitor

Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advanced correlation, real-time rules
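The keyword/user-ID correlation from the steps above, as an added example over constructed DLP, email and anti-virus (USB) events; it is not part of the original deck and not Splunk code. The key=value event layout, the rule names, the program keywords, the user list and the corporate domain `example.com` are all constructed assumptions. It goes slightly beyond the slide in one respect: an event is still reported when the user is not on the program's user list, with `cleared_user` set to false, since a keyword leaving on the USB stick of someone who should not have the material at all is the harder case.

```python
"""Keyword/user-ID lookup correlation from the data-leakage use case above,
run over constructed DLP, email and anti-virus (USB) events. Added example,
not Splunk's code; the field names, rule names and the corporate domain are
assumptions."""
import re
from collections import Counter

# Step 1: constructed lookup tables.
PROGRAM_KEYWORDS = {"PROJECT-ORION", "ORION-RADAR"}   # program keywords
PROGRAM_USERS = {"jdoe", "rlee"}                       # user IDs cleared on the program
INTERNAL_DOMAIN = "example.com"                        # assumed corporate mail/web domain

# Constructed events from three sources, normalised to key=value fields.
EVENTS = [
    'src=email user=jdoe to=jdoe@gmail.com subject="ORION-RADAR test plan" attachment=plan.docx',
    'src=email user=jdoe to=team@example.com subject="lunch" attachment=none',
    'src=dlp user=rlee channel=https dest=dropbox.com match="PROJECT-ORION" file=budget.xlsx',
    'src=av user=rlee device=usb action=write file="orion_radar_notes.txt"',
    'src=av user=bbrown device=usb action=write file="ORION-RADAR_brief.pdf"',
    'src=dlp user=jdoe channel=smtp dest=mail.example.com match="PROJECT-ORION" file=memo.docx',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """key=value fields, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def norm(text):
    """Case-fold and treat '-', '_' and whitespace alike so ORION-RADAR matches orion_radar."""
    return re.sub(r"[-_\s]+", " ", text.lower())


KEYWORDS_NORM = {norm(k) for k in PROGRAM_KEYWORDS}


def keyword_hits(*texts):
    """Normalised program keywords that occur anywhere in the given text fields."""
    blob = norm(" ".join(texts))
    return sorted(k for k in KEYWORDS_NORM if k in blob)


def is_external(target):
    """True unless the address or host belongs to the corporate domain."""
    t = target.lower()
    return not (t == INTERNAL_DOMAIN or t.endswith("@" + INTERNAL_DOMAIN)
                or t.endswith("." + INTERNAL_DOMAIN))


def evaluate(line):
    """Step 2: correlate one event with the lookups; return an alert or None."""
    e = parse(line)
    src = e.get("src")
    if src == "email" and is_external(e.get("to", "")):
        rule, hits = "email_external", keyword_hits(e.get("subject", ""), e.get("attachment", ""))
    elif src == "dlp" and is_external(e.get("dest", "")):
        rule, hits = "dlp_external_upload", keyword_hits(e.get("match", ""), e.get("file", ""))
    elif src == "av" and e.get("device") == "usb" and e.get("action") == "write":
        rule, hits = "usb_write", keyword_hits(e.get("file", ""))
    else:
        return None                                   # internal destination or irrelevant source
    if not hits:
        return None
    return {"rule": rule, "user": e.get("user"), "keywords": hits,
            "cleared_user": e.get("user") in PROGRAM_USERS}


def run_rules(lines):
    """Step 3: the rule hits (alerts) for a batch of events."""
    return [alert for alert in map(evaluate, lines) if alert]


def alert_summary(alerts):
    """Step 4: counts per (user, rule), the series a dashboard panel would plot."""
    return Counter((a["user"], a["rule"]) for a in alerts)


if __name__ == "__main__":
    hits = run_rules(EVENTS)
    for alert in hits:
        print(alert)
    print(alert_summary(hits))
```

The normalisation in `norm` is what makes a keyword lookup useful against real file names and subject lines: `ORION-RADAR`, `orion_radar` and `Orion Radar` all collapse to the same token. Internal destinations are dropped before keyword matching so that routine program traffic inside the domain does not drown the alert view.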
Thank You