Essentials to creating your own Security Posture using Splunk Enterprise
Using Splunk to maximize the efficiency and effectiveness of the SOC / IR
Richard W. McKee, MS-ISA, CISSP | Principal Cyber Security Analyst, Nevada National Security Site
September 28, 2017 | Washington, DC
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.
© 2017 SPLUNK INC.
Sun Tzu, The Art of War
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
https://en.wikiquote.org/wiki/Sun_Tzu
Richard W. McKee – Background: Experience and Education
▶ Principal Cyber Security Analyst – Nevada National Security Site
▶ 25 years in law enforcement
• Last 11 years in computer forensics and cyber investigations (criminal and national security)
▶ Master of Science – Information Security and Assurance
▶ Bachelor of Business Administration – Management Information Systems
▶ Certifications – CISSP, Splunk Certified Power User, EnCE, GPEN, GCIH, GREM, GMON, GNFA, GISP
Background – How the NNSS Splunk experience relates to your enterprise
What is the NNSS?
Prevention is Ideal… But Detection is a Must
▶ Splunk is the primary SIEM for the NNSS
▶ All hosts and devices capable of sending logs to Splunk do so
▶ Cyber has made logging a policy requirement, and all in-house developers or hired consultants must write software capable of logging and sending events to Splunk
Data Sources
▶ Windows Hosts
▶ Linux Hosts
▶ Mac Hosts
▶ Routers and Switches
▶ Firewalls
▶ Endpoint Protection
▶ Syslog
▶ Internal Splunk servers
▶ Databases
• VPN
• RSA
• Active Directory
• VoIP Phones and Servers
• Email Security Appliance
• Malware Sandbox
• FortiMail
• DLP
• Mobile Device Management
“…know yourself...”
Configuration
▶ A physical syslog server is the primary feed for Splunk
▶ For security, only the syslog server can communicate directly with the Splunk indexers
▶ All forwarders and devices feed the syslog box directly*
▶ A 10 Gbps tap is also feeding the syslog server
▶ If Splunk fails, logs are also temporarily stored on Syslog
Host Logs
▶ Enterprise Snare is used to grab logs from sources. NNSS brought the Snare developer in from Australia to custom create agents for Windows, Mac, Linux, SQL, and Epilog
▶ The Snare Agents are highly customizable and act as the first filter prior to Splunk, allowing the reduction of unnecessary data
Snare Configuration
Snare Custom Config
Epilog Agent
▶ Possible uses:
• AV Logs from Linux hosts
• DNS Logs from Domain Controllers
• DHCP Logs from Domain Controllers
▶ Can be used to monitor any flat text files from any directory or UNC path
Splunk Searching & Reporting – Highly Customized for IR
Quick Investigative Searches
▶ These searches are complete except for areas for the incident responder to put a username, IP, hostname, etc.
Search Examples – DNS
Search Examples – Files Written to USB
Serial number of the USB device is captured, allowing CIRT to do serial number lookups and correlation
Search Examples – Possible Compromised Hosts
Firewall logs are examined daily and hosts that meet two or three of the following are highlighted:
1 – Hosts with the most data flowing out
2 – Hosts with the highest number of connections
3 – Hosts with the longest duration of connections
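The "two or three of the following" highlighting from this slide, written out as an added Python example; it is not the NNSS Splunk search (that was shown as a screenshot and is not reproduced here). The firewall log lines, the field names (src, bytes_out, duration) and the top-N cutoff of 2 are constructed assumptions, and "longest duration of connections" is taken as the longest single connection per source host.

```python
import re
from collections import defaultdict

# Constructed key=value firewall log lines for the example; not real NNSS data.
SAMPLE_FIREWALL_LOGS = """\
2017-09-28T08:00:01 action=allow src=10.1.1.10 dst=203.0.113.5 dport=443 bytes_out=1200 duration=3
2017-09-28T08:00:05 action=allow src=10.1.1.10 dst=203.0.113.5 dport=443 bytes_out=900 duration=2
2017-09-28T08:01:00 action=allow src=10.1.1.20 dst=198.51.100.7 dport=443 bytes_out=500000000 duration=7200
2017-09-28T08:02:00 action=allow src=10.1.1.30 dst=198.51.100.9 dport=8443 bytes_out=300 duration=10
2017-09-28T08:02:01 action=allow src=10.1.1.30 dst=198.51.100.9 dport=8443 bytes_out=300 duration=10
2017-09-28T08:02:02 action=allow src=10.1.1.30 dst=198.51.100.9 dport=8443 bytes_out=300 duration=10
2017-09-28T08:02:03 action=allow src=10.1.1.30 dst=198.51.100.9 dport=8443 bytes_out=300 duration=10
2017-09-28T08:02:04 action=allow src=10.1.1.30 dst=198.51.100.9 dport=8443 bytes_out=300 duration=10
2017-09-28T08:03:00 action=allow src=10.1.1.40 dst=203.0.113.8 dport=80 bytes_out=100 duration=1
2017-09-28T08:03:01 action=allow src=10.1.1.40 dst=203.0.113.8 dport=80 bytes_out=100 duration=1
2017-09-28T08:03:02 action=allow src=10.1.1.40 dst=203.0.113.8 dport=80 bytes_out=100 duration=1
"""

# Field names (src, bytes_out, duration) are assumptions for the constructed format.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall_lines(text):
    """Parse key=value firewall lines into dicts; skip lines missing required fields."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        try:
            events.append({
                "src": fields["src"],
                "bytes_out": int(fields["bytes_out"]),
                "duration": int(fields["duration"]),
            })
        except (KeyError, ValueError):
            continue  # malformed line: count or log it in production, skipped here
    return events


def summarize_hosts(events):
    """Per source host: total bytes out, connection count, longest single connection."""
    summary = defaultdict(lambda: {"bytes_out": 0, "connections": 0, "max_duration": 0})
    for ev in events:
        s = summary[ev["src"]]
        s["bytes_out"] += ev["bytes_out"]
        s["connections"] += 1
        s["max_duration"] = max(s["max_duration"], ev["duration"])
    return dict(summary)


def flag_possible_compromise(summary, top_n=2, min_hits=2):
    """Return (host, categories) for hosts in the top_n of at least min_hits of the three categories."""
    hits = defaultdict(list)
    for metric in ("bytes_out", "connections", "max_duration"):
        ranked = sorted(summary, key=lambda h: summary[h][metric], reverse=True)
        for host in ranked[:top_n]:
            hits[host].append(metric)
    return sorted((host, cats) for host, cats in hits.items() if len(cats) >= min_hits)


if __name__ == "__main__":
    hosts = summarize_hosts(parse_firewall_lines(SAMPLE_FIREWALL_LOGS))
    for host, categories in flag_possible_compromise(hosts):
        print(host, "->", ", ".join(categories))
```

A host that leads only one category (the busiest web client, the largest backup job) is normal noise; requiring two of three is what keeps the daily review list short. In production the top-N cutoff should be a percentile or a baseline comparison rather than a fixed 2, and hosts that legitimately dominate a category (proxies, mail relays) belong in an allowlist lookup so they do not appear every day.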
Search Examples – GET Requests
Search Examples – IOCs
Search Examples – RSA Activity
RSA Activity includes PIN resets, token failures, and emergency backup PIN access
Search Examples – Process Execution
This search identifies software, versions, PID, PPID, hash values of the executable, path, etc. This is used with a lookup table to identify new software and find malware based on path and hash.
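The path-and-hash lookup idea from this slide, as an added Python example that is not the NNSS search or lookup table. The process events, the approved-software lookup and the known-bad hash set are constructed, and every hash value is an obvious placeholder string rather than a real digest. The classification goes one step beyond the slide's "new software or malware" by also separating a known path carrying an unexpected hash from a path never seen before.

```python
import csv
import io

# Constructed process-execution events (placeholder hashes, not real IoCs).
SAMPLE_PROCESS_EVENTS = """\
host,process,version,pid,ppid,path,sha256
ws01,notepad.exe,10.0.15063,4120,3388,C:\\Windows\\System32\\notepad.exe,HASH_NOTEPAD_KNOWN
ws01,svchost.exe,10.0.15063,5012,640,C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe,HASH_UNKNOWN_01
ws02,7z.exe,17.01,2288,1004,C:\\Program Files\\7-Zip\\7z.exe,HASH_7ZIP_KNOWN
ws02,updater.exe,1.0,2290,2288,C:\\ProgramData\\updater.exe,HASH_BAD_01
ws03,notepad.exe,10.0.15063,1400,1200,C:\\Windows\\System32\\notepad.exe,HASH_NOTEPAD_TAMPERED
"""

# Constructed approved-software lookup: one expected hash per installed path.
KNOWN_SOFTWARE_LOOKUP = """\
path,sha256,product
C:\\Windows\\System32\\notepad.exe,HASH_NOTEPAD_KNOWN,Windows Notepad
C:\\Program Files\\7-Zip\\7z.exe,HASH_7ZIP_KNOWN,7-Zip
"""

# Constructed known-bad hash set (placeholder value, not a real indicator).
KNOWN_BAD_HASHES = {"HASH_BAD_01"}


def load_csv(text):
    """Read a CSV string (Windows paths keep their backslashes) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_processes(events, lookup, bad_hashes):
    """Label each event: known_malware, hash_mismatch, new_software or known."""
    expected_hash_by_path = {row["path"].lower(): row["sha256"] for row in lookup}
    findings = []
    for ev in events:
        path = ev["path"].lower()  # Windows paths are case-insensitive
        digest = ev["sha256"]
        if digest in bad_hashes:
            verdict = "known_malware"       # hash matches the bad list, regardless of path
        elif path in expected_hash_by_path and expected_hash_by_path[path] != digest:
            verdict = "hash_mismatch"       # expected path, unexpected binary (tampering or update)
        elif path not in expected_hash_by_path:
            verdict = "new_software"        # never seen in the baseline: review and add or block
        else:
            verdict = "known"
        findings.append((ev["host"], ev["process"], verdict))
    return findings


def new_software_report(findings):
    """Distinct (host, process) pairs the baseline does not cover, for analyst review."""
    return sorted({(h, p) for h, p, v in findings if v == "new_software"})


if __name__ == "__main__":
    results = classify_processes(load_csv(SAMPLE_PROCESS_EVENTS),
                                 load_csv(KNOWN_SOFTWARE_LOOKUP), KNOWN_BAD_HASHES)
    for host, process, verdict in results:
        print(f"{host:5} {process:12} {verdict}")
```

The "hash_mismatch" case is the one worth an alert rather than a daily report: a patch cycle explains it when it appears on every host at once, while a single host with a changed hash under a system path is a question for the responder. The baseline lookup has to be refreshed after each approved software rollout or the "new_software" list becomes noise within a week.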
Splunk Alert Example
Account Activity Dashboard
Authentication Dashboard
Defense in Depth Dashboard
File Activity Dashboard
Foreign Activity Dashboard
Network Access Dashboard
Network Traffic Dashboard
Outbound Data Dashboard
Key Takeaways
1. Identify all of your logging sources
2. Identify what information from those sources can indicate malicious behavior
3. Prepare alerts and dashboards based upon those indicators
4. Prepare and save searches for repetitive, common searches
5. ACT ON THE INFORMATION!!!!