Taking on Security from a Data Analytics Point-of-View
FST Media's 7th annual ASEAN Banking Conference Philip Sow, CISSP SE Manager, SEA
Top Security Concerns from CISOs
Advanced Cyber-Attacks
Malicious Insider Threats
Online Account Takeover
Ransomware
http://blog.checkpoint.com/2016/04/06/ransomware-cybercriminals-new-attack-of-choice/
Ransomware: Cybercriminals' new attack of choice
Advanced malware is hard to prevent: signature updates are never fast enough, the attack is targeted (phishing email), and it cannot be found in security logs.
Machine data contains a definitive record of all interactions, human-to-machine and machine-to-machine.
Splunk is a very effective platform to collect, store, and analyze all of that data.
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully. " pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type=""
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this attachment with payroll information,, ,2013-08-09T22:40:24.975Z
Security Analytics Example Sources
Three sources are joined on user name, with all three events occurring within a 24-hour period (time range):
Email Server: rarely seen email domain
Web Proxy: rarely visited web site
Endpoint Logs: rarely seen service
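The three-source correlation above (rare email domain, then rare web site, then rare service, same user, inside 24 hours), written out as an added Python example rather than the deck's own Splunk search; the events and the 30-day baseline counts are constructed here and the "rare" threshold is an assumed value:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events (not the deck's data): (timestamp, source, user, value) from the three log types.
EVENTS = [
    ("2013-08-09 09:02:11", "email", "John Doe", "neverseenbefore.com"),
    ("2013-08-09 16:21:38", "web", "John Doe", "www.neverbeenseenbefore.com"),
    ("2013-08-09 16:23:51", "os", "John Doe", "neverseenbefore.exe"),
    ("2013-08-09 10:15:00", "email", "Jane Roe", "acme.com"),
    ("2013-08-09 10:20:00", "web", "Jane Roe", "www.google.com"),
    ("2013-08-09 10:25:00", "os", "Jane Roe", "svchost.exe"),
    # Bob's events are all rare but the email arrived more than 24 hours earlier.
    ("2013-08-07 08:00:00", "email", "Bob Lee", "oddmailer.example"),
    ("2013-08-09 11:00:00", "web", "Bob Lee", "www.oddsite.example"),
    ("2013-08-09 11:05:00", "os", "Bob Lee", "oddsvc.exe"),
]
# Constructed 30-day baseline: how often each (source, value) was seen before; absent means 0.
BASELINE = Counter({
    ("email", "acme.com"): 1200,
    ("web", "www.google.com"): 5000,
    ("os", "svchost.exe"): 9000,
})
STAGES = ["email", "web", "os"]  # required order: mail, then web visit, then service

def rare_chain(events, baseline, window_hours=24, rare_max=5):
    """Map user -> [(source, value), ...] for users showing all three rare events, in order, within the window."""
    by_user = defaultdict(list)
    for ts, src, user, value in events:
        if baseline.get((src, value), 0) < rare_max:  # "rarely seen" = below baseline count
            t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_user[user].append((t, src, value))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological walk per user
        for i, (t0, s0, v0) in enumerate(evs):
            if s0 != STAGES[0]:
                continue
            chain = [(s0, v0)]
            for t, s, v in evs[i + 1:]:
                if t - t0 > timedelta(hours=window_hours):
                    break  # window expired before the chain completed
                if s == STAGES[len(chain)]:
                    chain.append((s, v))
                    if len(chain) == len(STAGES):
                        hits[user] = chain
                        break
            if user in hits:
                break
    return hits
```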
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
[2013-09-04-14.45.54.608000] proc_source="B24A", tmst_target="2013-09-04-14.45.54.724000", serv_id="ISS", proc_input="MAST", proc_target="B24H", interface_acq="BNET_1", interface_iss="02008", cod_msg="1110", oper_rrn="090448764439", card_id="526430VS350Y2992", oper_amount="000000008000", oper_currency="978", oper_country="380", term_id="00599307", circuito="", sett_merc="4722", bin_acq="002111", id_merc="329017246168", prcode="003000", action_code="000", approval_code="H8H766", oper_mod_input="1", channel="O", flag_dupl="Y", flag_onus="N", auth_rout_dst="INTFHI93", auth_rout_id="HISO_AUTH", msg_subst="", ndg="0000000078507391", station_acq="STA-BNET-MI1", acceptor="TRAWEL SPA\\MILANO\ 380", tmst_ins="2013-09-04-14.48.56.277466", lpar="B"
Critical Security, Fraud & Compliance Insights Sources
Sources: Authentication, Web Proxy, Card Payment System
Fields correlated across them: Referring URL, Source IP, User Name, Card ID, Amount, Client ID, Merchant ID
Sample authentication record (WMI user account, annotated on the slide as "User account", IP: 10.11.36.20):
20130806041221.000000 Caption=ACME-2975EB\JohnDoe Description=Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
Find Advanced, Hidden Threats
Step 1 • Collect ALL the data in one location
Step 2 • Baseline/identify normal activity
Step 3 • Find outliers/anomalies
• Abnormal patterns/correlations within ‘normal’ activities
• What is rarely seen or standard deviations off the norm
• What is different/new/changed
• Helpful Splunk search commands using math/stats include: stddev, outlier, count, rare, top, stats, cluster, transaction, predict
Advanced Threat Detection example: URL Length Analysis
Compare each URL statistically to identify outliers
Investigate long URLs where no referrer exists
See how many assets are talking to the URL
Look for long URLs that may include embedded C&C instructions
Many web-based attacks use very long URLs
A mean URL length of 128 bytes looks normal, but a maximum URL length of 9 KB looks suspicious. We found many long URLs trying to access the external site “http://103.7.28.187/pingd?type-1&dm= www.discouss.com.hk … “. After verifying with http://urlquery.net/report.php?id=2182484, they turned out to be Tencent QQ/WeChat messages; the long HTTP packets are encrypted SMS.
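The URL length analysis described above (mean and stddev of URL length, long URLs with no referrer, and how many assets talk to each), as an added Python example instead of the deck's Splunk dashboard; the proxy records, the 560-character padding and the 1.5-stddev cutoff are constructed assumptions:

```python
import statistics
from collections import defaultdict

# Constructed web proxy records, not the deck's data: (src_ip, url, referer); "-" means no referrer.
LONG_URL = "http://103.7.28.187/pingd?type-1&dm=" + "x" * 560   # ~600 bytes, fetched with no referrer
CDN_URL = "http://cdn.example.com/bundle.js?v=" + "y" * 560      # just as long, but has a referrer
RECORDS = [
    ("10.11.36.29", "http://www.example.com/", "-"),
    ("10.11.36.29", "http://www.example.com/news/today.html", "http://www.example.com/"),
    ("10.11.36.30", "http://intranet.acme.local/hr/payroll", "-"),
    ("10.11.36.30", "http://www.google.com/search?q=splunk", "-"),
    ("10.11.36.31", "http://cdn.example.com/js/app.js", "http://www.example.com/"),
    ("10.11.36.31", "http://www.example.com/login", "-"),
    ("10.11.36.32", "http://mail.acme.local/owa/", "-"),
    ("10.11.36.32", "http://www.bing.com/", "-"),
    ("10.11.36.29", LONG_URL, "-"),
    ("10.11.36.33", LONG_URL, "-"),
    ("10.11.36.31", CDN_URL, "http://www.example.com/"),
]

def url_length_stats(records):
    """Mean, max and population stddev of URL length: the numbers the deck's panel shows."""
    lengths = [len(url) for _, url, _ in records]
    return statistics.mean(lengths), max(lengths), statistics.pstdev(lengths)

def long_url_outliers(records, k=1.5):
    """URLs longer than mean + k*stddev that were requested with no referrer,
    mapped to the distinct assets (source IPs) talking to them."""
    mean, _, sd = url_length_stats(records)
    threshold = mean + k * sd
    assets = defaultdict(set)
    for src_ip, url, referer in records:
        if len(url) > threshold and referer in ("-", ""):
            assets[url].add(src_ip)
    return {url: sorted(ips) for url, ips in assets.items()}
```

Nothing here decides whether a long URL is malicious; as the deck's own case shows, the flagged URL still has to be checked, and the asset count tells you how wide the follow-up needs to be.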
Six Windows Events to monitor
Win ID | What | Impact to Security | Activity detected
4688/592 | New process executed | Malware executed or malware actor trying to take action | New programs installed by attacker (not by user)
4624/528/540 | Some account logged in | Attacker authenticated to the endpoint | What accounts did what, and at what times, is normal?
5140/560 | A share was accessed | What endpoints were accessed | C$ share or file share accessed
5156 | Windows Firewall network connection by process | Command and Control or origin of attack | What application was used to communicate with an external or internal IP
7045/601 | Service added to the endpoint | Persistence to load malware on restart | Service added or modified
4663/567 | File & registry auditing | Modifications to the system that create holes or payloads used at a later time | Files added and registry keys added to audited locations
Detect CryptoLocker Type attack
http://hackerhurricane.blogspot.hk/2014/01/how-to-detect-cryptolocker-type-attack.html
View of typical CryptoLocker events. EventID 4663 = file deleted/write success
sourcetype="WinEventLog:Security" AND EventCode=4663 | stats count by src_ip
With this search you can see the events and set up alerts to trigger when a threshold outside the norm of your users is reached, e.g. "> 250 events per hour" (bin buckets the events into one-hour spans so the threshold applies per hour):
sourcetype="WinEventLog:Security" AND EventCode=4663 | bin _time span=1h | stats count by _time, src_ip | where count > 250
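The same per-hour 4663 threshold as an added Python example (not the deck's search), useful for checking the logic offline: events are bucketed by hour and source IP and only buckets over the threshold are returned; the two hosts, the timestamps and the 250/hour threshold are constructed values:

```python
from collections import Counter
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample, not real log data: (timestamp, src_ip, EventCode)."""
    base = datetime(2014, 1, 15, 16, 0, 0)
    events = []
    # One host writes/deletes 300 audited files inside a single hour (CryptoLocker-like burst).
    events += [(base + timedelta(seconds=10 * i), "10.11.36.29", 4663) for i in range(300)]
    # Another host produces 300 events over 2.5 hours (120/120/60 per hour): ordinary activity.
    events += [(base + timedelta(seconds=30 * i), "10.11.36.30", 4663) for i in range(300)]
    # A logon event (4624) that a 4663-only search must ignore.
    events.append((base, "10.11.36.29", 4624))
    return events

def hourly_4663_alerts(events, threshold=250):
    """Equivalent of: EventCode=4663 | bin _time span=1h | stats count by _time, src_ip
    | where count > threshold.  Returns [(hour_iso, src_ip, count), ...]."""
    counts = Counter()
    for ts, src_ip, code in events:
        if code != 4663:
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)  # bin _time span=1h
        counts[(hour, src_ip)] += 1
    return sorted((hour.isoformat(), ip, n)
                  for (hour, ip), n in counts.items() if n > threshold)

if __name__ == "__main__":
    for hour, ip, n in hourly_4663_alerts(constructed_events()):
        print(f"ALERT {ip}: {n} file write/delete events in the hour starting {hour}")
```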
Sample Use Cases of Security Analytics Detection
What to Look For | Why | Data Source | Attack Phase
On single endpoint: rarely seen inbound email domain, then visit to rarely seen web site, then rarely seen service starts | Spear-phishing attack. Malicious link in email leads to malware being installed. | Mail/Web/OS | Infiltration/Back Door
Account creation without corresponding IT help desk ticket | Hacker is creating new admin accounts | AD/Help Desk logs | Recon
For single employee: badges in at one location, then logs in from countries away | Stolen credentials | Badge/VPN/Auth | Data gathering
Employee makes standard deviations more data requests from file server with confidential data than normal | Gathering confidential data for theft | OS | Data gathering
Standard deviations larger traffic flows (incl. DNS) from a host to a given IP | Hacker exfiltrating info | NetFlow | Exfiltration
Security Analytics Needs > What are some of the technical challenges in managing data?
Ability to process transactions in real-time for detection of fraud
Ability to process large volumes of transactional data for long periods of time
Ability to analyze complex patterns of transactions and to profile user objects
Internal Threat Intelligence Context for Security
• Application usage & consumption (in-house)
• Database usage / access monitoring (privileged)
• Entitlements / access outliers (in-house)
• User association based on geography, frequency, uniqueness, and privilege
• Directory user information (personal e-mail, access, user privilege)
• Proxy information (content)
• DLP & business unit risk (trade secrets / IP)
• Case history / ticket tracking
• Malware / AV
• HR / business role
New Paradigm for Threat Intelligence
Needs to be live and real-time
Needs to be current – many services provide information that’s days old
Needs to provide risk scoring for prioritization
Correlates across commercial and public threat feeds
Splunk + Threat Intelligence Framework
Architecture diagram: data sources (DNS, firewall, web, app, SIEM) are sent to Splunk by forwarders; a custom threat list, open source threat intelligence and paid threat intelligence pulled from the Internet are merged into an internal threat DB; the correlation feeds a custom dashboard, incident alerts and predictive analytics.
Real-time Threat Intelligence Correlation: Threat List Activity Dashboard
Most active threat lists
Most active IPs across all threat lists
Threat list activities over time
Threat list activity detail (not shown)
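The framework's merge step and the four dashboard panels above, as an added Python example that is not Splunk's or the deck's code: three constructed threat lists (documentation-range IPs, not real indicators) are merged into one internal threat DB, and constructed DNS/firewall/web events are matched against it to produce the most active lists, the most active IPs, activity over time and the detail rows:

```python
from collections import Counter, defaultdict

# Constructed threat lists using RFC 5737 documentation addresses, not real indicators.
THREAT_LISTS = {
    "custom":      {"192.0.2.10", "192.0.2.11"},
    "open_source": {"192.0.2.11", "198.51.100.5"},
    "paid":        {"198.51.100.5", "203.0.113.7"},
}
# Constructed DNS/firewall/web events: (hour bucket, sourcetype, src_ip, dest_ip).
EVENTS = [
    ("2014-05-03T18:00", "firewall", "172.26.228.230", "192.0.2.11"),
    ("2014-05-03T18:00", "dns",      "172.26.228.230", "198.51.100.5"),
    ("2014-05-03T19:00", "web",      "172.26.228.231", "192.0.2.11"),
    ("2014-05-03T19:00", "firewall", "172.26.228.231", "10.0.0.5"),  # internal, no match
    ("2014-05-03T20:00", "firewall", "172.26.228.230", "203.0.113.7"),
]

def merge_threat_lists(lists):
    """The 'merge' step: one internal threat DB mapping IP -> set of list names that carry it."""
    db = defaultdict(set)
    for name, ips in lists.items():
        for ip in ips:
            db[ip].add(name)
    return db

def threat_list_activity(events, db):
    """Build the four dashboard panels from events whose destination is in the threat DB."""
    by_list, by_ip, by_hour, detail = Counter(), Counter(), Counter(), []
    for hour, sourcetype, src_ip, dest_ip in events:
        names = db.get(dest_ip)
        if not names:
            continue
        detail.append((hour, sourcetype, src_ip, dest_ip, sorted(names)))
        by_ip[dest_ip] += 1
        by_hour[hour] += 1
        for name in sorted(names):  # an IP on several lists counts once per list
            by_list[name] += 1
    return {
        "most_active_lists": by_list.most_common(),
        "most_active_ips": by_ip.most_common(),
        "activity_over_time": sorted(by_hour.items()),
        "detail": detail,
    }
```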
Customer Case: Client running P2P (BT, BitTorrent)
Client IP: 172.26.228.230. Time: 18:10 5/3/14. Threats: accessing the following bad IPs: Tor (anonymous proxy), Piratebay (BT host), blocked IP site, known spyware site.
Verified against the PC configuration: this PC has the BT client software installed.
Answers to When, What, Where = Visibility
Data sources: Servers, Service Desk, Storage, Desktops, Email, Web, Call Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Industrial Control, Badges, Databases, Mobile, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Traditional SIEM, Authentication
Data Security Consideration
Diagram of considerations: Risk to Data, Data Breach, Minimise Risk of Data, Compliance & Policy, Data Theft, SOP, Security Control, Legal Requirements, Insecure Practices, Communication, Data Disposal, Industry Guidelines
Splunk Solutions
Platform for Machine Data across data sources, use cases and consumption models
Splunk Premium Solutions: ITSI (IT Service Intelligence), UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Splunk Enterprise Security
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner SIEM Magic Quadrant* (chart, Completeness of Vision axis): Leader in 2013, 2014, 2015 and 2016
Splunk for Security
DETECTION OF CYBERATTACKS
INVESTIGATION OF THREATS AND INCIDENTS
OPTIMIZED INCIDENT RESPONSE AND BREACH ANALYSIS
DETECTION OF INSIDER THREATS
SECURITY & COMPLIANCE REPORTING