Splunk and Big Data for Insider Threats


Transcription:

Copyright 2014 Splunk Inc. Splunk and Big Data for Insider Threats. Mark Seward, Sr. Director, Public Sector

Company (NASDAQ: SPLK)
- Founded 2004, first software release in 2006
- HQ: San Francisco / Regional HQ: London, Hong Kong
- Over 1000 employees, based in 12 countries
- Annual Revenue: $299M (YoY +53%)
- $5+ billion market valuation
- Fast Company 2014: #4 Big Data Innovator
- Leader: Gartner SIEM Magic Quadrant, 2013

Business Model / Products
- Free download to massive scale
- On-premise, in the cloud and SaaS
- 7,000+ customers; 2800 with security use cases
- Customers in over 90 countries
- 60 of the Fortune 100
- Largest license: 150 Terabytes per day

Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction

Splunk as a Security Intelligence Solution
- Incident investigations & forensics
- Security & compliance reporting
- Real-time monitoring of known threats
- Real-time monitoring of unknown threats
- Fraud detection
- Insider threat
Splunk complements, replaces, and goes beyond existing SIEMs.

What is meant by an Insider Threat? A current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems. (Common Sense Guide to Prevention and Detection of Insider Threats, 2010)

Employee insider threats are:
- Authorized users
- Doing authorized things
- Of malicious intent
- A people-centric behavioral problem

Employee insider threats are not:
- Hackers using specialized tools
- A technical or "cybersecurity" issue alone
- Escalating their privileges for purposes of espionage

Security Incidents and Insider Threats
- 58%: percent of security incidents that can be attributed to insider threats
- 33%: percent from employees
- 7%: percent from ex-employees
- 18%: percent from partners or suppliers
(Infosecurity, May 2013)

The Difficulty Detecting Insider Threats: 76% of respondents indicate that detecting insider threats is not getting any easier, or is getting harder.

Motivations for malicious insider activities
- Insider IT sabotage
- Theft or modification for financial gain
- Theft of information for business advantage
- The conscientious objector

Data Collection Requirements/Guidelines: Federal Intelligence Community Standards

ICS 500-27, Collection and Sharing of Audit Data, Appendix B, Set of Auditable Events:
- Lists auditable events or activities
- Event details
- Events that indicate a violation of system

ICS 700-2, Use of Audit Data for Insider Threat Detection, goes beyond traditional IT data:
- Facility access information
- Foreign contact information
- Foreign travel information
- Financial disclosure information
- Personnel security information
These provide context for external / internal activities.

Analysis Types for Detecting Insider Threats: Statistical Context, Personal Context, Activity Context. The relationship between the analysis types indicates malicious intent.

Statistical Analysis / Watching for Outliers

| Detection Type | Detail | Analysis |
|---|---|---|
| Printer usage | Number of print jobs over a given period of time | Baseline/Outlier |
| Printer usage | Increase in size of print jobs | Baseline/Outlier |
| Printer usage | Unusual times of day | Baseline/Outlier |
| Printer usage | Rare network printer use (the one not closest to the employee) | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Local vs. remote | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Time of day / after or before normal shift | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | During vacation times / after termination | Baseline/Outlier |
| Logins to AD, SharePoint, custom application or use of SSO | Access from IPs or subnets not normal for the employee | Baseline/Outlier |
| Abrupt change in the ratio of website categories visited | Monitors employee behavior and attitude changes (proxy data) | Outlier/Context |
| Recent address changes | Multiple address changes in a given period of time are a red flag | Context/Look-up |

External Personal Context

| Context Type | Detail | Information Type |
|---|---|---|
| Transfer / demotion / poor service review (HR records) | According to CERT, nearly 50% of all insiders acted out of revenge for a negative event such as demotion, new supervisor, or transfer | Context / Look-up |
| Unused vacation, 18 months or longer | Employee remains in control; work not turned over to others for review | Context / Look-up |
| Lay-off notification | Monitor for file transfers by individuals that occur immediately before and after lay-offs are announced | Context / Look-up |
| Always first in / first out of the office | Badge data, AD or application data. Desire to control the situation | Context / Look-up |
| Personal life change | Marital status change is a stress trigger and can jeopardize emotional stability. HR system data | Context / Look-up |
| Non-business use of the internet | Use proxy data to categorize internet usage | Context / Look-up |
| Credit report / start a business | Dun and Bradstreet / Equifax | Context / Look-up |

Activity Context Detections for Insider Threats

| Detection | Detail | Type |
|---|---|---|
| Unusual physical access attempts | Monitor physical access logs to unauthorized locations | Direct indicator |
| Attempts to use USB or CD-ROM | Log data events | Direct indicator |
| Use of back door and default accounts | Monitor shared accounts, use of default user names, post employee or contractor termination | Direct indicator |
| Access to network diagrams and code repositories | Monitor for unauthorized reconnaissance for information used to attack or steal data from systems | Direct indicator |
| Remote logins to infrastructure | Monitor the login and web surfing from data center infrastructure | Direct indicator |
| The two-man rule | If instituted, monitor separation of duties for administrative functions such as privileged user actions and account changes | Direct indicator |

A word or two on privacy. Your mileage may vary based on:
- Employment contracts
- Union rules
- Agency / department culture
- Agency mission
- Data sensitivity
However, most companies/agencies and their employment agreements/contracts allow for some forms of data collection.

Combination of Two Strategies for Combating

Primary: Prevention/Deterrence
- Pattern based
- Multiple factors
- Uses heuristics and statistical models
- Requires baselining / watching for outlier behaviors

Secondary: Detection
- Specific indicators or alerts
- Definitive evidence
- Physical detection (stolen documents)

"Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence." (Patrick Reidy, CISO, FBI)

Insider Threat Use Case: Disgruntled Employee (Splunk at a Large Aerospace and Defense Contractor)

Goal: Protect intellectual property from a disgruntled employee.

Use Case Scenario: In an environment where employees are sometimes mistreated, fired or reprimanded, you never know when an employee has become disgruntled. Think of an employee who receives a "pink slip" and decides, before his last day, to take company proprietary data from SharePoint servers. Below explains how Splunk could be used to detect/mitigate that type of behavior.

Data Sources: Host-based FW logs, Single Sign-on (SSO) logs, SharePoint connection logs.

Content Logic Steps:
1. Upload the login IDs of all employees who received pink slips to a Splunk lookup table.
2. Run trending reports on those IDs for the past 6 months.
3. Correlate the data sources with the trend reports.
4. Report on suspicious user IDs that show increased downloads from SharePoint servers.

Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules
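The baseline/outlier analysis from the statistical-analysis table and the lookup-driven workflow of this use case, as an added example in Python rather than Splunk search language (it is not code from the deck or from Splunk). The user names, the weekly download counts, the lookup of "pink slip" login IDs and the 3-sigma threshold are all constructed assumptions; the check compares each listed user's most recent week with that user's own earlier weeks.

```python
"""Baseline/outlier check for pink-slip users' SharePoint downloads (added example)."""
from statistics import mean, pstdev

# Constructed lookup table: login ID -> termination notice date. In Splunk this is
# the uploaded lookup of employees who received pink slips (step 1 of the use case).
PINK_SLIP_LOOKUP = {"jdoe": "2014-05-02", "asmith": "2014-05-02"}

# Constructed trend data: weekly SharePoint download counts per user, oldest week
# first, latest week last (the deck's 6-month trend, shortened to 8 weeks here).
WEEKLY_DOWNLOADS = {
    "jdoe":   [12, 15, 11, 14, 13, 12, 16, 240],  # sudden spike in the final week
    "asmith": [30, 28, 33, 31, 29, 32, 30, 34],   # within normal variation
    "bjones": [5, 4, 6, 5, 4, 7, 5, 90],          # spike, but not on the pink-slip list
}


def zscore_latest(series):
    """How many standard deviations the latest week sits above the user's own
    baseline, where the baseline is every earlier week in the series."""
    baseline, latest = series[:-1], series[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # perfectly flat history: any change at all is an outlier
        return 0.0 if latest == mu else float("inf")
    return (latest - mu) / sigma


def flag_suspicious(weekly, lookup, threshold=3.0, min_weeks=4):
    """Steps 2-4: for each user in the pink-slip lookup, trend the download counts
    and report the ones whose latest week is an outlier against their baseline.
    Returns {user_id: z_score} for the users worth reporting on."""
    hits = {}
    for user in lookup:
        series = weekly.get(user)
        if not series or len(series) < min_weeks:
            continue  # too little history to form a baseline; skip rather than guess
        z = zscore_latest(series)
        if z > threshold:
            hits[user] = round(z, 1)
    return hits


if __name__ == "__main__":
    for user, z in flag_suspicious(WEEKLY_DOWNLOADS, PINK_SLIP_LOOKUP).items():
        print(f"{user}: latest week is {z} sigma above baseline")
```

Note that bjones is not reported even though his final week is an outlier: the lookup scopes the check to the listed IDs, which is exactly the page's step 1, so a separate search would be needed to catch outliers outside that list.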

Insider Threat Use Case: Data Leakage/Spill (Splunk at a Large Aerospace and Defense Contractor)

Goal: Detect/monitor potential leakage/spill of very sensitive intellectual property.

Use Case Scenario: In an environment where employees are government contractors who have access to sensitive R&D projects and/or supporting government programs, data leakage is highly likely. An employee can intentionally or unintentionally download any text documents associated with that program/project to a personal laptop, personal email, etc. Below explains

Data Sources: Data Loss Prevention (DLP) logs, key words, email logs, anti-virus logs (USB).

Content Logic Steps:
1. Upload "program keywords" and "user IDs" to a Splunk lookup table.
2. Correlate the data sources with the lookup table.
3. Develop/report on alerts (rule hits).
4. Develop alert visualization and monitor.

Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advanced correlation, real-time rules
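The keyword/lookup correlation across the DLP, email and anti-virus (USB) sources that this use case describes, as an added example in Python (not code from the deck or from Splunk). The log lines, the key=value layout, the program keyword, the user IDs, the internal mail domain and the one-hour correlation window are constructed assumptions: a DLP keyword hit by a listed user is a rule hit, and an external email or USB write by the same user inside the window is attached as a channel and raises the severity.

```python
"""DLP / email / USB correlation against a keyword and user-ID lookup (added example)."""
import re
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values may be quoted

# Constructed lookup rows (step 1: program keywords and user IDs in a lookup table).
PROGRAM_KEYWORDS = {"PROJECT_HALCYON"}
PROGRAM_USERS = {"jdoe", "kwong"}
INTERNAL_DOMAIN = "example.com"   # assumption: mail to any other domain is external

LOG_LINES = [  # constructed sample events from the three sources
    '2014-05-03T09:12:44 src=dlp user=jdoe action=match term="PROJECT_HALCYON" file=roadmap.docx',
    '2014-05-03T09:20:10 src=mail user=jdoe to=jdoe.home@gmail.com file=roadmap.docx',
    '2014-05-03T10:05:00 src=av user=jdoe event=usb_write file=roadmap.docx',
    '2014-05-03T11:00:00 src=dlp user=kwong action=match term="PROJECT_HALCYON" file=budget.xlsx',
    '2014-05-03T11:10:00 src=mail user=kwong to=boss@example.com file=budget.xlsx',
    '2014-05-03T12:00:00 src=dlp user=tlee action=match term="PROJECT_HALCYON" file=notes.txt',
]


def parse(line):
    """Split a line into its timestamp and key=value fields."""
    ts, rest = line.split(" ", 1)
    ev = {k: v.strip('"') for k, v in KV.findall(rest)}
    ev["time"] = datetime.fromisoformat(ts)
    return ev


def correlate(lines, keywords, users, window=timedelta(hours=1)):
    """Steps 2-3: a DLP hit on a program keyword by a listed user is an alert;
    external mail or USB writes by that user within the window are its channels."""
    events = [parse(l) for l in lines]
    alerts = []
    for e in events:
        if e["src"] != "dlp" or e["user"] not in users or e.get("term") not in keywords:
            continue
        channels = []
        for o in events:
            if o["user"] != e["user"] or not (e["time"] <= o["time"] <= e["time"] + window):
                continue
            if o["src"] == "mail" and not o["to"].endswith("@" + INTERNAL_DOMAIN):
                channels.append("external_email:" + o["to"])
            elif o["src"] == "av" and o.get("event") == "usb_write":
                channels.append("usb_write")
        alerts.append({"user": e["user"], "term": e["term"], "file": e["file"],
                       "channels": channels, "severity": "high" if channels else "medium"})
    return alerts
```

Running `correlate(LOG_LINES, PROGRAM_KEYWORDS, PROGRAM_USERS)` yields a high-severity alert for jdoe (external mail plus USB write) and a medium one for kwong (keyword hit, internal mail only); tlee produces nothing because that ID is not in the lookup, which is a limit of scoping by user list rather than a feature.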

Thank You