Building a cloud-based SIEM with Splunk Cloud and AWS
Copyright 2014 Splunk Inc.
Joe Goldberg, Product Marketing, Splunk
Gary Mikula, Senior Director Information Security, FINRA
Sivakanth Mundru, Product Manager, AWS
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
Splunk for security and cloud offerings
AWS CloudTrail
FINRA using Splunk Cloud as a SIEM
Demo of Splunk App for Enterprise Security & AWS CloudTrail
Splunk for Security and Cloud Offerings
Use Cases for Machine Data Analytics
Core use cases: App Dev and App Mgmt.; IT Operations; Security and Compliance (today's focus)
Emerging use cases: Digital Intelligence; Business Analytics; Industrial Data and Internet of Things
Developer Platform (REST API, SDKs)
Small Data. Big Data. Huge Data.
Machine Data Contains Critical Insights: Example Correlation
Three sources, each contributing one indicator, tied together by Source IP and a Time Range of all three occurring within a 24-hour period:
AWS CloudTrail (indicator: Default Admin Account, Source IP): {"requestparameters": {"durationseconds": 43200}, "responseelements": {"credentials": {"sessiontoken": "AQoDYXdzEPP///==", "accesskeyid": "ASIAJWQDLBKDOAKEWNIQ", "expiration": "Nov 13, 2013 5:22:32 AM"}}, "eventsource": "sts.amazonaws.com", "sourceipaddress": "10.11.36.1", "eventtime": "2013-11-12T17:22:32Z", "useridentity": {Administrator:root", "principalid": "930458123955", "accountid": "930458123955", "type": "Root"}, "eventname": "GetSessionToken", "useragent": "signin.amazonaws.com"}
Endpoint Security (indicator: Malware Found, Source IP): Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,computer name: ACME-002,Source: Real Time Scan,Risk name: Hackerremotetool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned,time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,user: smithe,source computer:,source IP: 10.11.36.20
Intrusion Detection (indicator: Data Loss, Source IP): Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text [Classification: Potential Corporate Privacy Violation] [Priority: 2]
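The slide shows the correlation as a picture. The following is an added example, not code from the presentation or the Splunk app, that runs the same rule over constructed log lines: a root GetSessionToken in CloudTrail, a Symantec "Virus found" line and a Snort data-loss alert, all from one source IP within 24 hours. The sample lines are constructed to resemble the slide's samples but share a year and a source IP so the rule can fire (the slide's fragments span different years); the Symantec and Snort field layouts are assumptions read off those samples, and a year is supplied for the syslog lines, which carry none.

```python
"""Correlate root-account use, a malware hit and a data-loss alert from the
same source IP within a 24-hour window.

Added example; constructed inputs; Symantec/Snort layouts are assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

KINDS = {"root_account_use", "malware_found", "data_loss"}


def _utc(ts, fmt):
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def parse_cloudtrail(line):
    """Root-credential use, from a raw (camelCase) or Splunk-lowercased record."""
    ev = {k.lower(): v for k, v in json.loads(line).items()}
    ident = {k.lower(): v for k, v in ev.get("useridentity", {}).items()}
    if ident.get("type", "").lower() != "root":
        return None
    return {"kind": "root_account_use", "ip": ev["sourceipaddress"],
            "time": _utc(ev["eventtime"], "%Y-%m-%dT%H:%M:%SZ")}


AV_RE = re.compile(r"Virus found,.*?,time: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
                   r".*?source IP: (?P<ip>\d+(?:\.\d+){3})")
SNORT_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ \{\w+\} "
                      r"(?P<ip>\d+(?:\.\d+){3}):\d+ -> .*Credit Card Number Detected")


def parse_av(line):
    m = AV_RE.search(line)
    return m and {"kind": "malware_found", "ip": m["ip"],
                  "time": _utc(m["ts"], "%Y-%m-%d %H:%M:%S")}


def parse_snort(line, year):
    m = SNORT_RE.search(line)  # syslog timestamp has no year; caller supplies it
    return m and {"kind": "data_loss", "ip": m["ip"],
                  "time": _utc(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}


def normalize(logs, year=2013):
    """(source, line) pairs -> list of {kind, ip, time}; unparsable lines dropped."""
    parsers = {"cloudtrail": parse_cloudtrail, "av": parse_av,
               "snort": lambda l: parse_snort(l, year)}
    return [e for e in (parsers[src](line) for src, line in logs) if e]


def correlate(events, window_hours=24):
    """Per source IP, the first window of window_hours holding all three kinds.
    Returns [(ip, first_time, last_time)]."""
    window = timedelta(hours=window_hours)
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            kinds, last = set(), start["time"]
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                kinds.add(e["kind"])
                last = e["time"]
                if kinds == KINDS:
                    break
            if kinds == KINDS:
                hits.append((ip, start["time"], last))
                break
    return hits


SAMPLE_LOGS = [  # constructed for this example
    ("cloudtrail", '{"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken", '
                   '"eventTime": "2013-11-12T17:22:32Z", "sourceIPAddress": "10.11.36.20", '
                   '"userIdentity": {"type": "Root", "accountId": "930458123955"}}'),
    ("av", "Nov 12 20:20:01 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,"
           "computer name: ACME-002,Source: Real Time Scan,Risk name: Hackerremotetool.rootkit,"
           "Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"
           "Actual action: Quarantined,Requested action: Cleaned,time: 2013-11-12 20:19:12,"
           "Inserted: 2013-11-12 20:20:12,Domain: Default,Server: acmesep01,user: smithe,"
           "source computer:,source IP: 10.11.36.20"),
    ("snort", "Nov 13 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 "
              "itsec snort[18774]: [1:100000:3] Credit Card Number Detected in Clear Text "
              "[Classification: Potential Corporate Privacy Violation] [Priority: 2]"),
    # A lone AV hit from another host: no root use or data loss there, so no alert.
    ("av", "Nov 13 09:00:00 acmesep01.acmetech.com SymantecServer acmesep01: Virus found,"
           "computer name: ACME-009,Risk name: Trojan.Gen,Actual action: Quarantined,"
           "time: 2013-11-13 08:59:00,source computer:,source IP: 10.11.36.77"),
]

if __name__ == "__main__":
    for ip, first, last in correlate(normalize(SAMPLE_LOGS)):
        print(f"ALERT {ip}: root use, malware and data loss between {first} and {last}")
```

Narrowing the window (for example `correlate(events, window_hours=12)`) shows why the 24-hour range matters: the three events above are 15 hours apart and stop correlating.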
Big Data SIEM: All Data is Security Relevant
The slide contrasts the sources a traditional SIEM consumes with the full set of machine data: Firewall, Authentication, Vulnerability Scans, Intrusion Detection, Data Loss Prevention, Anti-Malware, Databases, Email, Web, CloudTrail, OSes, DHCP/DNS, Network Flows, Hypervisor, Badges, Custom Apps, Service Desk, Storage, Mobile, Industrial Control, Call Records.
Top Splunk Security Use Cases: A SIEM Plus Much More
Splunk can complement OR replace an existing SIEM.
Incident Investigations & Forensics
Security & Compliance Reporting
Real-time Monitoring of Known Threats
Real-time Monitoring of Unknown Threats
Insider Threat
Fraud Detection
Over 2800 Global Security Customers
Gartner SIEM MQ: Leading Big Data SIEM (plus more!); Best SIEM & Enterprise Security Solution; Best SIEM
Cloud Offerings for Security and Compliance
SaaS: Splunk Enterprise as a service; full app, SDK, API and platform support
Software: self-deploy in cloud or on-premises; centralized view across cloud and on-premises
Applications: App for AWS CloudTrail (FREE); Splunk App for Enterprise Security
Amazon Machine Images (AMI): Splunk Enterprise and Hunk AMIs; accelerate deployment in AWS
AWS CloudTrail
Agenda
Overview and use cases
Regional availability and support for AWS services
Event payload review
Aggregation of log files across accounts and services
Amazon Confidential
CloudTrail Overview
Customers are making API calls on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to customers.
Use Cases Enabled by CloudTrail
Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track changes to AWS resources: track creation, modification and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot operational issues: quickly identify the most recent changes made to resources in your environment.
Compliance aid: easier to demonstrate compliance with internal policies and regulatory standards.
CloudTrail Regional Availability
Services Supported by CloudTrail
What's in a CloudTrail Event?
Who made the API call? When was the API call made? What was the API call? What resources were acted upon in the API call? Where was the API call made from?
Who Made the API Call?
Records detailed information for all AWS identity types: root user, IAM user, federated user, role.
Information includes: friendly user name; AWS AccessKeyId; 12-digit AWS account number; Amazon Resource Name (ARN); session context and issuer information, if applicable; the invokedby section identifies the AWS service making the request on behalf of the user.
Note that the field names in the samples that follow are lowercased as Splunk extracts them; CloudTrail's own JSON uses camelCase (userIdentity, accessKeyId, invokedBy).
Who Made the API Call? IAM user Bob making an API call
"useridentity": {
  "accesskeyid": "AKEXAMPLE123EJVA",
  "accountid": "123456789012",
  "arn": "arn:aws:iam::123456789012:user/bob",
  "principalid": "AIEXAMPLE987ZKLALD3HS",
  "type": "IAMUser",
  "username": "Bob"
}
Who Made the API Call? Federated user Alice making an API call
"useridentity": {
  "type": "federateduser",
  "principalid": "123456789012:alice",
  "arn": "arn:aws:sts::123456789012:federated-user/alice",
  "accountid": "123456789012",
  "accesskeyid": "asexample1234wtrox8f",
  "sessionissuer": {
    "type": "iamuser",
    "accountid": "123456789012",
    "username": "Bob"
  }
}
When Was the API Call Made?
Time and date of the event in ISO 8601 format: "eventtime": "2013-10-23T23:30:42Z"
Event time is captured on the service host where the API call is executed. Event time is NOT the time the log file is written to S3.
What Was the API Call? What Resources Were Acted Upon?
The API call and the service the API call belongs to: "eventname": "RunInstances", "eventsource": "ec2.amazonaws.com"
Request parameters provided by the requester and response elements returned by the AWS service. Response elements for read-only API calls (Describe*, Get*, List*) are not recorded, to prevent event-size inflation.
Where Was the API Call Made From and To?
Apparent IP address of the requester making the API call; the apparent IP address of the requester is also recorded when API calls are made from the AWS Management Console.
AWS region to which the API call was made. Global services (examples: IAM, STS) are recorded as us-east-1.
"sourceipaddress": "54.234.127.135", "awsregion": "us-east-1"
Client Errors, Server Errors & Authorization Failures
Detailed and descriptive error codes and error messages, recorded only when errors occur. Examples: client error code TagLimitExceeded; server error code Internal Error; authorization failure UnauthorizedOperation.
Authorization failure example: "eventname": "TerminateInstances", "errorcode": "UnauthorizedOperation", "errormessage": "You are not authorized to perform this operation"
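Pulling the who/when/what/where/error fields above out of a record is the first step of any CloudTrail detection. The block below is an added example, not code from the presentation or the Splunk app: it normalises a record's keys (CloudTrail's camelCase or the lowercased form Splunk shows), resolves the actor for root, IAM-user and federated/role-session identities including the issuing identity, and flags root use and authorization failures. The three records are constructed to match the shapes on the slides; AccessDenied is added beside the slide's UnauthorizedOperation because other services report that code for the same condition.

```python
"""Triage CloudTrail records: actor (and issuer), time, call, source, errors.

Added example; constructed records; accepts camelCase or lowercased keys.
"""
from datetime import datetime, timezone

AUTH_FAILURE_CODES = {"UnauthorizedOperation", "AccessDenied"}


def lower_keys(obj):
    """Recursively lowercase dict keys so raw CloudTrail JSON and
    Splunk-extracted fields are handled identically."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [lower_keys(v) for v in obj]
    return obj


def describe_actor(ident):
    """(identity type, display name, issuer name or None) from a lowercased userIdentity."""
    kind = ident.get("type", "Unknown")
    # Role sessions and federated users carry the issuing identity under
    # sessionContext.sessionIssuer; the 2013-era sample on the slide puts
    # sessionIssuer directly under userIdentity, so look in both places.
    issuer = (ident.get("sessioncontext", {}).get("sessionissuer")
              or ident.get("sessionissuer") or {})
    issuer_name = issuer.get("username") or issuer.get("arn")
    if kind.lower() == "root":
        name = "root"
    else:  # friendly name, else the last ARN segment, else the principal id
        name = (ident.get("username")
                or ident.get("arn", "").rsplit("/", 1)[-1]
                or ident.get("principalid", "?"))
    return kind, name, issuer_name


def triage(event):
    ev = lower_keys(event)
    ident = ev.get("useridentity", {})
    kind, name, issuer = describe_actor(ident)
    return {
        "time": datetime.strptime(ev["eventtime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": f'{ev.get("eventsource")}:{ev.get("eventname")}',
        "actor": f"{kind}:{name}" + (f" (issued by {issuer})" if issuer else ""),
        "via_service": ident.get("invokedby"),  # AWS service acting for the user, if any
        "source_ip": ev.get("sourceipaddress"),
        "region": ev.get("awsregion"),
        "root_used": kind.lower() == "root",
        "auth_failure": ev.get("errorcode") in AUTH_FAILURE_CODES,
        "error": ev.get("errorcode"),
    }


def triage_all(events):
    return [triage(e) for e in events]


SAMPLE_EVENTS = [  # constructed for this example
    # Raw CloudTrail record (camelCase), IAM user Bob launching an instance.
    {"eventVersion": "1.0", "eventTime": "2013-10-23T23:30:42Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "54.234.127.135",
     "userIdentity": {"type": "IAMUser", "principalId": "AIEXAMPLE987ZKLALD3HS",
                      "arn": "arn:aws:iam::123456789012:user/bob",
                      "accountId": "123456789012", "accessKeyId": "AKEXAMPLE123EJVA",
                      "userName": "Bob"}},
    # Splunk-style lowercased record: federated user alice, denied by EC2.
    {"eventtime": "2013-10-23T23:45:10Z", "eventsource": "ec2.amazonaws.com",
     "eventname": "TerminateInstances", "awsregion": "us-east-1",
     "sourceipaddress": "54.234.127.135", "errorcode": "UnauthorizedOperation",
     "errormessage": "You are not authorized to perform this operation",
     "useridentity": {"type": "FederatedUser", "principalid": "123456789012:alice",
                      "arn": "arn:aws:sts::123456789012:federated-user/alice",
                      "accountid": "123456789012",
                      "sessionissuer": {"type": "IAMUser", "accountid": "123456789012",
                                        "username": "Bob"}}},
    # Root credentials used to mint a session token.
    {"eventtime": "2013-11-12T17:22:32Z", "eventsource": "sts.amazonaws.com",
     "eventname": "GetSessionToken", "awsregion": "us-east-1",
     "sourceipaddress": "10.11.36.1",
     "useridentity": {"type": "Root", "principalid": "930458123955",
                      "accountid": "930458123955"}},
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_EVENTS):
        flags = [f for f in ("root_used", "auth_failure") if row[f]]
        print(row["time"].isoformat(), row["event"], row["actor"], row["source_ip"], flags)
```

Because `eventtime` is stamped on the service host rather than at S3 delivery, the `time` value here is the time to alert on; delivery latency shows up as the gap between it and the object's timestamp, not as a shift in the event.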
SNS Notifications for Log File Delivery
Optionally, CloudTrail publishes an SNS notification for each new log file. Notifications contain the location of the log file delivered to your S3 bucket and allow you to take immediate action, so you do not have to continuously poll S3 to check whether new log files were delivered. Multiple subscribers can subscribe to the same SNS topic and retrieve the log files for analysis.
Aggregate Log Files Across Regions and Accounts
The default descriptive folder structure makes it easier to store log files from multiple accounts and regions in the same S3 bucket. The detailed log file name identifies the contents of the log file regardless of where it is stored. The timestamp in the log file name is the event time of the first event in chronological order. In the rare event of duplicate file delivery, the unique identifier in the file name prevents overwriting log files.
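The two slides above describe the delivery side of CloudTrail without showing the formats. The following added example (not code from the presentation, AWS or the Splunk app) consumes the SNS notification, validates the object key against the layout CloudTrail uses for log files (AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/<account>_CloudTrail_<region>_<yyyymmdd>T<hhmm>Z_<unique>.json.gz), decodes the gzipped {"Records": [...]} file and aggregates records from several accounts and regions into one view. The notification, keys and records are constructed; the notification body format ({"s3Bucket": ..., "s3ObjectKey": [...]}) and the use of each record's eventID for de-duplication are assumptions about the CloudTrail formats of the time, and the S3 fetch itself is left out so the block runs offline.

```python
"""Consume CloudTrail delivery notifications; aggregate files across
accounts and regions. Added example; constructed inputs; no S3 calls.
"""
import gzip
import json
import re
from collections import Counter

KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
    r"(?P=account)_CloudTrail_(?P=region)_(?P<ts>\d{8}T\d{4}Z)_(?P<uid>[A-Za-z0-9]+)\.json\.gz$"
)


def parse_object_key(key):
    """Split a CloudTrail object key into account, region, date, timestamp, unique id.
    Rejects anything else so a mis-configured or hostile publisher cannot make
    the consumer fetch arbitrary keys (note the account/region backreferences)."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail log key: {key!r}")
    return m.groupdict()


def objects_from_notification(payload):
    """Yield (bucket, key) from a notification: either the bare CloudTrail
    message or the SNS envelope with the message JSON-encoded in 'Message'."""
    if payload.get("Type") == "Notification":
        payload = json.loads(payload["Message"])
    bucket = payload["s3Bucket"]
    for key in payload["s3ObjectKey"]:
        parse_object_key(key)  # validate before handing to any fetcher
        yield bucket, key


def read_log_file(blob):
    """Decode one gzipped CloudTrail log file into its list of records."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))["Records"]


def aggregate(files):
    """(object key, gzipped bytes) pairs -> Counter keyed by (account, region, eventName).
    A duplicate delivery repeats the same events under a fresh unique id, so
    records are de-duplicated on eventID rather than on file name."""
    seen, tally = set(), Counter()
    for key, blob in files:
        meta = parse_object_key(key)
        for rec in read_log_file(blob):
            if rec["eventID"] in seen:
                continue
            seen.add(rec["eventID"])
            tally[(meta["account"], meta["region"], rec["eventName"])] += 1
    return tally


def _gz(records):  # a log file as CloudTrail writes it: gzipped {"Records": [...]}
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


SAMPLE_NOTIFICATION = {  # constructed SNS envelope for two accounts / two regions
    "Type": "Notification",
    "Message": json.dumps({
        "s3Bucket": "example-cloudtrail-logs",
        "s3ObjectKey": [
            "AWSLogs/123456789012/CloudTrail/us-east-1/2013/11/12/"
            "123456789012_CloudTrail_us-east-1_20131112T1725Z_aB3dEf9hIj2kLm4n.json.gz",
            "AWSLogs/210987654321/CloudTrail/us-west-2/2013/11/12/"
            "210987654321_CloudTrail_us-west-2_20131112T1730Z_Zy8xWv7uTs6rQp5o.json.gz",
        ],
    }),
}
SAMPLE_KEYS = [k for _, k in objects_from_notification(SAMPLE_NOTIFICATION)]
SAMPLE_FILES = [  # constructed (key, bytes) pairs, as if fetched from S3
    (SAMPLE_KEYS[0], _gz([{"eventID": "e1", "eventName": "RunInstances"},
                          {"eventID": "e2", "eventName": "DescribeInstances"}])),
    (SAMPLE_KEYS[1], _gz([{"eventID": "e3", "eventName": "CreateRole"}])),
    # The first file delivered a second time under a fresh unique id.
    (SAMPLE_KEYS[0].replace("aB3dEf9hIj2kLm4n", "Dup0Dup1Dup2Dup3"),
     _gz([{"eventID": "e1", "eventName": "RunInstances"},
          {"eventID": "e2", "eventName": "DescribeInstances"}])),
]

if __name__ == "__main__":
    for (account, region, name), n in sorted(aggregate(SAMPLE_FILES).items()):
        print(account, region, name, n)
```

In a live consumer the `(bucket, key)` pairs feed an S3 `GetObject` call and `read_log_file` takes the returned body; validating the key first is what keeps a compromised or misrouted SNS topic from turning the consumer into a generic S3 reader.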
FINRA using Splunk Cloud as a SIEM
Who We Are
FINRA, the Financial Industry Regulatory Authority, is an independent, non-governmental regulator for all securities firms doing business with the public in the United States.
FINRA protects investors by regulating brokers and brokerage firms and by monitoring trading on U.S. stock markets.
FINRA monitors over 6 billion shares traded on the stock market each day.
FINRA handles more big data on a daily basis than the Library of Congress or Visa to build a holistic picture of the trading market.
FINRA: Deter, Detect, Discipline
FINRA Splunk Presentation Copyright 2014 FINRA
So You Want to Own a SIEM? Now Double It
What We Learned Owning a SIEM
Wanted ALL logs centralized
Enterprise resource
Maintenance <<< Analytics
Push changes centrally
Integrated into process flow
Ease/flexibility in reporting
Avoid hidden costs
Relational DB independent
Tech refreshes hurt
Where We Are: Splunk Cloud
Offload HW/SW worries
Can collect anything
Widened our user base
Granular AC
Easily duplicated all reporting & alerting
Vendors give us apps
Great user community
Easily determine actual costs
(Diagram: FINRA VPCs and FINRA data centers, AWS, Splunk Cloud VPCs)
Why the AWS CloudTrail Application?
FINRA is moving applications into the cloud; AWS is currently FINRA's primary cloud provider.
Data collection via AWS S3 bucket objects is not trivial.
CloudTrail captures everything, well, almost.
The Splunk App for AWS allows for filtering.
Fully extracted and tagged AWS CloudTrail records in an easy, flexible UI.
CloudTrail is transactional.
FINRA Use Cases
Ad-hoc queries/reporting: Who spun up/terminated that EC2 instance? Show me everything done by Role X yesterday.
Alerting: Has anyone used the root account? Does the security group contain a Class A?
Compliance & governance: Do the policies adhere to FINRA standards?** Notify when to re-run compliance.
AWS CloudTrail Overview
Use Case: Ensure User Permissions in the Cloud
How We Do It: Overview of FINRA AWS Compliance System
Components in the diagram: AWS CloudTrail, AWS S3 buckets, AWS SNS, AWS Identity and Access Management; Splunk saved search iam_change_detection (daily), which searches the API-call records for CreateRole, PutRolePolicy and DeleteRolePolicy; cron-driven scripts aws_daily_check.py and aws_monthly_check.py (FINRA Cloudpass); compliance results stored in Subversion; AWS IAM Compliance Dashboard.
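The deck names the checks (root-account use, a security group containing a Class A, daily detection of CreateRole/PutRolePolicy/DeleteRolePolicy) but not how they are evaluated. The block below is an added example in the spirit of those checks; it is not FINRA's aws_daily_check.py, not the iam_change_detection saved search, and it runs over constructed CloudTrail records. Assumptions: the requestParameters layouts for PutRolePolicy (policyDocument as a JSON string, sometimes URL-encoded) and AuthorizeSecurityGroupIngress (ipPermissions.items[].ipRanges.items[].cidrIp); "Class A" is read as any IPv4 range with a prefix of /8 or wider, which also catches 0.0.0.0/0; and a wildcard-grant test stands in for FINRA's own policy standards, which the deck does not spell out.

```python
"""IAM change detection and wide-ingress security-group checks over
CloudTrail records. Added example; constructed records; see lead-in.
"""
import ipaddress
import json
from urllib.parse import unquote

IAM_CHANGE_EVENTS = {"CreateRole", "PutRolePolicy", "DeleteRolePolicy"}
CLASS_A_PREFIX = 8  # /8 or wider counts as "contains a Class A" (assumption)


def load_policy(doc):
    """policyDocument arrives as a JSON string, sometimes URL-encoded."""
    if isinstance(doc, dict):
        return doc
    try:
        return json.loads(doc)
    except json.JSONDecodeError:
        return json.loads(unquote(doc))


def wildcard_grants(policy):
    """Allow statements granting Action '*' (or 'service:*') on Resource '*'."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions, resources = s.get("Action", []), s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            found.append(s)
    return found


def wide_ingress_ranges(params, max_prefix=CLASS_A_PREFIX):
    """(cidr, protocol, from, to) for every cidrIp in an
    AuthorizeSecurityGroupIngress call that is max_prefix or wider."""
    wide = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            net = ipaddress.ip_network(rng["cidrIp"], strict=False)
            if net.version == 4 and net.prefixlen <= max_prefix:
                wide.append((rng["cidrIp"], perm.get("ipProtocol"),
                             perm.get("fromPort"), perm.get("toPort")))
    return wide


def check_records(records):
    """Findings as (eventName, detail) for IAM changes and wide ingress rules."""
    findings = []
    for rec in records:
        if rec.get("errorCode"):
            continue  # a failed call changed nothing; triage denials separately
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name in IAM_CHANGE_EVENTS:
            detail = {"role": params.get("roleName"), "policy": params.get("policyName")}
            if name == "PutRolePolicy":
                detail["wildcard"] = len(wildcard_grants(load_policy(params["policyDocument"])))
            findings.append((name, detail))
        elif name == "AuthorizeSecurityGroupIngress":
            for cidr, proto, lo, hi in wide_ingress_ranges(params):
                findings.append((name, {"group": params.get("groupId"), "cidr": cidr,
                                        "proto": proto, "ports": (lo, hi)}))
    return findings


def _ingress(group, cidr, port):  # constructed EC2 requestParameters shape
    return {"groupId": group, "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}


SAMPLE_RECORDS = [  # constructed for this example
    {"eventName": "PutRolePolicy", "requestParameters": {
        "roleName": "app-role", "policyName": "allow-all",
        "policyDocument": '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                          '"Action": "*", "Resource": "*"}]}'}},
    {"eventName": "CreateRole", "requestParameters": {"roleName": "batch-role"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": _ingress("sg-0a1b2c3d", "0.0.0.0/0", 22)},
    {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": _ingress("sg-0a1b2c3d", "203.0.113.0/24", 443)},
    {"eventName": "DeleteRolePolicy", "errorCode": "AccessDenied",
     "requestParameters": {"roleName": "app-role", "policyName": "allow-all"}},
    {"eventName": "DescribeInstances", "requestParameters": {}},
]

if __name__ == "__main__":
    for name, detail in check_records(SAMPLE_RECORDS):
        print(name, detail)
```

Run daily over the previous day's records this reproduces the "notify when to re-run compliance" step: any finding means the IAM or network posture changed and the monthly full check should be re-run early.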
Executive Summary
Remediation Report
Demo of Splunk App for Enterprise Security & AWS CloudTrail
Resources
Splunk Cloud: http://www.splunk.com/cloud
Splunk App for AWS CloudTrail: http://apps.splunk.com/app/1274/
Splunk App for Enterprise Security: http://www.splunk.com/view/enterprise-security-app/sp-CAAAE8Z
Q&A
THANK YOU