Copyright 2015 Splunk Inc.
Building a Cyber Security Program With Splunk App for Enterprise Security
Jeff Campbell, CISSP+ISSAP, Splunk Certified Architect
Cyber Security Splunk Architect, Penn State Hershey Medical Center

Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Jeff Campbell

- Focus shift towards cyber
- More people with specialization
- New tech
- More data!
Dedicated search head: 16 CPU cores, 16 GB RAM
Indexers: 1 per 100 GB indexed
Review the online documentation at docs.splunk.com: Documentation > Splunk App for Enterprise Security > Installation and Configuration Manual > Splunk Enterprise deployment planning
Identity data: Active Directory, Exchange, Identity Management
Asset data: Asset & Inventory Management, Configuration Management, Data Center Management System

Common Information Model: Network Sessions
Fields: _time, host, source, sourcetype, action, duration, response_time, signature, tag, vendor_product, user, user_bunit, user_category, user_priority, src_ip, src_bunit, src_category, src_dns, src_mac, src_nt_host, src_priority, dest_ip, dest_bunit, dest_category, dest_dns, dest_mac, dest_nt_host, dest_priority
(the *_bunit, *_category and *_priority fields are filled in by the asset and identity lookups built from the data above)

Common Information Model data models and their base search constraints:
- Alerts: tag=alert
- Application State: (tag=listening tag=port) OR (tag=process tag=report) OR (tag=service tag=report)
- Authentication: tag=authentication NOT (action=success user=*$)
- Certificates: tag=certificate
- Change Analysis: tag=change
- Database: tag=database
- Email: tag=email
- Interprocess Messaging: tag=messaging
- Intrusion Detection: tag=ids tag=attack
- Inventory: tag=inventory
- JVM: tag=jvm
- Malware: tag=malware tag=attack
- Network Resolution (DNS): tag=network tag=resolution tag=dns
- Network Sessions: tag=network tag=session
- Network Traffic: tag=network tag=communicate
- Performance: tag=performance
- Ticket Management: tag=ticketing
- Updates: tag=update tag=status
- Vulnerabilities: tag=vulnerability tag=report
- Web: tag=web

tag=network tag=communicate, once the tags and eventtypes behind it are expanded into a literal search:
- - - 3000 lines later - - -
Use the datamodelinfo command for an at-a-glance view of acceleration status.
$SPLUNK_HOME/etc/log.cfg (turns on debug logging for the saved-search scheduler, which is also what runs the data model acceleration searches):

##log.cfg
category.savedsplunker = DEBUG,scheduler

The acceleration search as it actually runs; the data model constraint carries no index term, so it covers every index:

splunk> (index=* OR index=_*) (tag=network tag=communicate)
Add more indexers for better performance:

splunk> (index=* OR index=_*) (tag=network tag=communicate)

Splunk packages CIM-compliant technology add-ons with Enterprise Security:
Splunk_TA_bro, Splunk_TA_cisco-asa, Splunk_TA_cisco-esa, Splunk_TA_cisco-wsa, Splunk_TA_flowfix, Splunk_TA_mcafee, Splunk_TA_nessus, Splunk_TA_nix, Splunk_TA_norse, Splunk_TA_sophos, Splunk_TA_windows, TA-airdefense, TA-alcatel, TA-bluecoat, TA-cef, TA-fireeye, TA-fortinet, TA-ftp, TA-juniper, TA-ncircle, TA-nmap, TA-oracle, TA-ossec, TA-paloalto, TA-rsa, TA-sav, TA-sep, TA-snort, TA-sos, TA-tippingpoint, TA-trendmicro, TA-websense

2: enable relevant TAs one by one to ensure CIM-compliant extractions
$SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/datamodels.conf

CIM data models in Splunk App for Enterprise Security do not automatically rebuild. Limit the backfill range for faster production readiness:

##datamodels.conf
[Authentication]
acceleration = true
acceleration.manual_rebuilds = true
# configure to limit backfill during the initial build
#  - only effective when a rebuild is initiated
acceleration.backfill_time = -7d
Scale out for better performance.

*nix: Splunk Add-on for Unix and Linux
$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/eventtypes.conf

Data models search across all indexes; consider modifying the eventtypes (tags) with additional constraints.

##eventtypes.conf
[iptables_firewall_accept]
# shipped default (default/eventtypes.conf):
#search = (NOT sourcetype=stash) signature=firewall action=pass OR action=permit
#tags = os unix host firewall communicate success
# local override with an index constraint:
search = index=os (NOT sourcetype=stash) signature=firewall action=pass OR action=permit
#tags = os unix host firewall communicate success

(line wrapping for readability only; the tags are listed as comments for reference, they live in tags.conf)

More than 300% increase in data model acceleration performance after adding index constraints in select TAs.
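As an added example, not code from the talk or from Splunk, the following Python script does the audit the slide above implies at scale: it parses a TA's eventtypes.conf, lists every eventtype whose search carries no index constraint, and renders the local/eventtypes.conf overrides that scope them to one index. The sample eventtypes.conf is constructed and only modelled on Splunk_TA_nix; the stanza names, searches and the index name os are assumptions.

```python
"""Audit a TA's eventtypes.conf for searches with no index constraint and
emit local/eventtypes.conf overrides that scope them to one index.
Added example for this talk, not code from Splunk or the presenter.
"""
import re

# A positive index term (index=os, index = "os").  index=* is not a
# constraint, so it is deliberately left unmatched and gets flagged.
INDEX_TERM = re.compile(r'\bindex\s*=\s*(?!"?\*)', re.IGNORECASE)
# A wildcard index term, removed before the real constraint is prepended.
WILDCARD_INDEX = re.compile(r'\bindex\s*=\s*"?\*"?\s*', re.IGNORECASE)


def _logical_lines(text):
    """Yield conf lines with backslash continuations joined into one line."""
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            parts.append(line[:-1].rstrip())
            continue
        parts.append(line)
        yield " ".join(parts)
        parts = []
    if parts:  # file ended in the middle of a continued value
        yield " ".join(parts)


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments dropped."""
    stanzas, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any stanza, or malformed line
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def unconstrained_eventtypes(stanzas):
    """Names of eventtypes whose search carries no index= term."""
    return sorted(name for name, kv in stanzas.items()
                  if "search" in kv and not INDEX_TERM.search(kv["search"]))


def constrain(search, index):
    """Prefix the search with index=<index>.  The original is parenthesised
    so a top-level OR cannot escape the constraint (SPL binds OR tighter than
    the implicit AND, so the slide's unparenthesised form also works; the
    parentheses make that independent of how the search is written)."""
    search = WILDCARD_INDEX.sub("", search).strip()
    return f"index={index} ({search})"


def render_overrides(stanzas, index):
    """Render local/eventtypes.conf text that overrides only the search key
    of each unconstrained eventtype; tags live in tags.conf and are untouched."""
    out = []
    for name in unconstrained_eventtypes(stanzas):
        out.append(f"[{name}]")
        out.append(f"search = {constrain(stanzas[name]['search'], index)}")
        out.append("")
    return "\n".join(out)


# Constructed sample modelled on Splunk_TA_nix default/eventtypes.conf; the
# stanza names and searches are illustrative, not copied from the add-on.
SAMPLE_EVENTTYPES = """\
# constructed default/eventtypes.conf
[iptables_firewall_accept]
search = (NOT sourcetype=stash) signature=firewall action=pass OR action=permit

[iptables_firewall_deny]
search = (NOT sourcetype=stash) signature=firewall \\
    action=drop OR action=reject

[nix_wildcard_index]
search = index=* sourcetype=syslog

[nix_already_scoped]
search = index=os sourcetype=linux_secure
"""

if __name__ == "__main__":
    print(render_overrides(parse_conf(SAMPLE_EVENTTYPES), "os"))
```

Run it against `$SPLUNK_HOME/etc/apps/<TA>/default/eventtypes.conf` and drop the output into that TA's local/eventtypes.conf; a local stanza overrides only the keys it sets, so the tags bound in tags.conf keep working. The caveat is the flip side of the speed-up: an eventtype pinned to one index silently ignores the same data landing in any other index, so confirm the inputs actually route to that index (and that no second index holds a copy) before the constraint goes in.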
Drilldown run times:
run time: 12:31
run time: 0:21
run time: 0:16
Dear Splunk, please stop using datamodel to search in your drilldowns. Love, your users
run time: 0:07
- Prepare infrastructure: you may need more hardware than you think
- Think through your authoritative user and asset inventories
- Be selective in the TAs and apps you put on the ES search head
- Consider adding constraints to the TA eventtypes
- Take advantage of the acceleration you worked so hard for: where possible, use tstats with summariesonly=t

Questions?
THANK YOU