Splunk Live in RTP - March-2014-Jeff-Bollinger-Cisco

•Télécharger en tant que PPT, PDF•

2 j'aime•708 vues

Jeff Bollinger

How Cisco Infosec uses Splunk to develop and execute their Incident Response playbook strategy.

Technologie

Copyright © 2014 Splunk Inc.
Splunk the SIEM
Jeff Bollinger 0x506682C5
Technical Leader and Infosec Investigator: CSIRT
Cisco Systems, Inc.
https://blogs.cisco.com/author/jeffbollinger/
https://twitter.com/jeffbollinger

About Me...
– Cisco Computer Security Incident Response Team (CSIRT)
– CSIRT = Security Monitoring and Incident Response
– Architecture, Engineering, Research, and Investigations
– Enterprise global threat and 24x7 incident response

The Numb3rs
Cisco Systems Inc.:
–100 countries
–130,000 employees (with laptops and phones)
–150,000 servers of all types
–40,000 routers
–1,500 labs
–1 CSIRT analyst for every 7,000 employees

The Numb3rs
Cisco indexes almost 1Tb of log data per day

Incident Response Basics
•What am I trying to protect?
•What are the threats?
•> How do I detect them?
•How do we respond?

Out With The Old
• You don’t know what you don’t
know
• Buy and trust a SIEM to run canned
reports
• Wait for updates from the vendor
• Try to edit/create custom reports
• Build your own collection infrastructure
• Data-centric approach
• Build your own reports
• Research your own intelligence
• Operationalize and optimize!
The Old Way The New Way

playbook | plā bŏk|ˈ ˌ
(noun)
A prescriptive collection of repeatable
queries (reports) against security event data
sources that lead to incident detection and
response.
Analyze: SIEM

A Note on Strategy
Hunting vs. Gathering

Hunting: Build a Query – Find Bad Stuff
• Start with the obvious and simple:
index=wsa earliest=-24h x_wbrs_score=ns
English translation: Splunk, look at our web proxy
logs over the past 24 hours, and give me all the
web sites (objects) that had no known reputation
score.

Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns
Let me stop you right there…

Hunting: Build a Query – Find Bad Stuff
• Filter based on unique attributes:
index=wsa earliest=-24h x_wbrs_score=ns |where isnull(cs_referer)
English translation: Splunk, look at our web proxy
logs over the past 24 hours, and give me all the
web sites (objects) that had no known reputation
score, and there was no HTTP referrer.

Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
Ok getting better, sort of…

Hunting: Build a Query – Find Bad Stuff
• Filter, refine, filter, refine:
index=wsa earliest=-24h application/x-dosexec ns GET 200
x_wbrs_score=ns cs_method=GET sc_http_status=200
cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR
cdn) | where isnull(cs_referer)
English translation: Splunk, query our web proxy logs over the past
24 hours, and give me all the web sites (objects) that had no known
reputation score, and there was no HTTP referrer, where either
Java or Internet Explorer successfully downloaded an executable
file from a site that didn’t have ‘mirror’ or ‘CDN’ in the URL.

Hunting: Build a Query – Find Bad Stuff
Here we go!
index=wsa earliest=-24h application/x-dosexec ns GET 200
x_wbrs_score=ns cs_method=GET sc_http_status=200
cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR
cdn) | where isnull(cs_referer)

Gathering: Build a Query – Find Bad Stuff
If you can find or create a re-usable pattern, you
can save a search, make a report, and
automate!
16

$Gathering: Build a Query – Find Bad Stuff For example: this query will detect the Tracur clickfraud trojan: index=wsa earliest=-6h@h m cs_url="*/m/*” MSIE (NOT (cs_referer="*")) | regex cs_url="^http://(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?). (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/m/[A-Za-z0-9/+] {50,1000}$" http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fTracur$

Do It Yourself
Once you have:
• Solid, repeatable, saved searches
• Research and intelligence gathering
• Consistent handling procedures
• Documentation and tuning
You have your own SIEM, running in Splunk, and completely custom to
your organization.

Contenu connexe

Tendances

SplunkLive! Customer Presentation - Cardinal Health

Splunk

SplunkLive! Customer Presentation – athenahealth

Splunk

SplunkLive! Customer Presentation - Penn State Hershey Medical Center

Splunk

Getting Started with Splunk Enterprise

Splunk

Splunk for Developers

Splunk

Yodlee Customer Presentation

Splunk

Splunk at Weill Cornell Medical College

Splunk

Getting Started with Splunk Enterprise Hands-On Breakout Session

Splunk

Getting Started with Splunk Enterprise Hands-On

Splunk

AdvancedMD Customer Presentation

Splunk

DevSum - Top Azure security fails and how to avoid them

Karl Ots

Group Health Cooperative Customer Presentation

Splunk

Wipro Customer Presentation

Splunk

Security as Code owasp

Shannon Lietz

Principles of Chaos Engineering

h_marvin

FAUG Jyväskylä 28.5.2019 - Azure Monitoring

Karl Ots

SplunkLive! Customer Presentation - Satcom Direct

Splunk

Splunking configfiles 20211208_daniel_wilson

Becky Burwell

In this session Karl will walk you through the fundamentals of building a comprehensive Azure Governance model, based on real-life experiences with working on multi-vendor hybrid IaaS / PaaS projects in the enterprise. When proper governance model is followed, you can ensure your teams are operating in a secure and compliant Azure environment during design, development and operations. After this session, you should have a better understanding of Azure governance best practices and in-house team roles & responsibilities. You should also have an overview of the technical implementation of governance controls. As presented in Antwerpen, Belgium at 22nd of May 2019.

Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise

Karl Ots

SplunkLive! Austin Customer Presentation - Baylor

Splunk

Tendances (20)

SplunkLive! Customer Presentation - Cardinal Health

SplunkLive! Customer Presentation – athenahealth

SplunkLive! Customer Presentation - Penn State Hershey Medical Center

Getting Started with Splunk Enterprise

Splunk for Developers

Yodlee Customer Presentation

Splunk at Weill Cornell Medical College

Getting Started with Splunk Enterprise Hands-On Breakout Session

Getting Started with Splunk Enterprise Hands-On

AdvancedMD Customer Presentation

DevSum - Top Azure security fails and how to avoid them

Group Health Cooperative Customer Presentation

Wipro Customer Presentation

Security as Code owasp

Principles of Chaos Engineering

FAUG Jyväskylä 28.5.2019 - Azure Monitoring

SplunkLive! Customer Presentation - Satcom Direct

Splunking configfiles 20211208_daniel_wilson

Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise

SplunkLive! Austin Customer Presentation - Baylor

En vedette

Tim Lee, CISO, City of Los Angeles Learn how the City of Los Angeles, faced with tight budgets and limited security personnel, successfully implemented a data-focused approach to ensuring cybersecurity across departments. The CISO of the City, Timothy Lee, details how the City built an Integrated Security Operations Center, analyzing 14 million+ events per day, using Splunk Cloud and the Splunk App for Enterprise Security.

Gov & Education Day 2015 - Tim Lee, City of Los Angeles

Splunk

Using Big Data for Cybersecurity

Splunk

SplunkLive! Nutanix Session - Turnkey and scalable infrastructure for Splunk ...

Splunk

Splunk Webinar: Splunk App for Palo Alto Networks

Georg Knon

SplunkLive! Splunk for Security

Splunk

Splunk for DevOps - Faster Insights - Better Code

Philipp Drieger

This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

Splunk for Enterprise Security and User Behavior Analytics

Splunk

Splunk Enterprise Security (ES) ist ein Analytics-getriebenes SIEM, das Security Operations Teams erfolgreich bei der Gefahrenbekämpfung unterstützt. Aber wussten Sie auch schon, dass es aus einem Framework aufgebaut ist, das ganz individuell genutzt werden kann, um spezifische Sicherheitsanforderungen angehen zu können? In unserem Webinar zeigen wir Ihnen die technischen Details hinter dem ES-Framework: - Asset- und Identitäts-Korrelationen - beachtenswerte Events - Threat intelligence - Risikoanalyse - Investigation und Adaptive Response Wir werden Alltags-Beispiele besprechen und Ihnen anhand einer Demo die Schlüssel-Frameworks zeigen, die Ihnen dabei helfen werden, Securityprobleme zu lösen.

Webinar: Splunk Enterprise Security Deep Dive: Analytics

Splunk

QRadar, ArcSight and Splunk

M sharifi

En vedette (9)

Gov & Education Day 2015 - Tim Lee, City of Los Angeles

Using Big Data for Cybersecurity

SplunkLive! Nutanix Session - Turnkey and scalable infrastructure for Splunk ...

Splunk Webinar: Splunk App for Palo Alto Networks

SplunkLive! Splunk for Security

Splunk for DevOps - Faster Insights - Better Code

Splunk for Enterprise Security and User Behavior Analytics

Webinar: Splunk Enterprise Security Deep Dive: Analytics

QRadar, ArcSight and Splunk

Similaire à Splunk Live in RTP - March-2014-Jeff-Bollinger-Cisco

The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments. In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company. Visualization. Data science. No machine learning. But pretty pictures. Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence: http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?

Creating Your Own Threat Intel Through Hunting & Visualization

Raffael Marty

The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform. Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security. For more signup(it's free): www.cisoplatform.com

RIoT (Raiding Internet of Things) by Jacob Holcomb

Priyanka Aash

My tryst with sourcecode review

Anant Shrivastava

Splunk Enterprise for InfoSec Hands-On Breakout Session

Splunk

Splunk Enterprise for Information Security Hands-On Breakout Session

Splunk

Splunk September 2023 User Group PDX.pdf

Amanda Richardson

Splunk Enterprise for Information Security Hands-On Breakout Session

Splunk

Zane lackey. security at scale. web application security in a continuous depl...

Yury Chemerkin

Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.

Splunk Enterpise for Information Security Hands-On

Splunk

Using Security Incident Response Simulations (SIRS--also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, we will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

(SEC316) Harden Your Architecture w/ Security Incident Response Simulations

Amazon Web Services

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Chris Gates

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

lior mazor

Hacking WebApps for fun and profit : how to approach a target?

Yassine Aboukir

Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware

Lastline, Inc.

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...

grecsl

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck

North Texas Chapter of the ISSA

It is well known that computer exploitation will continue to increase in prevalence and sophistication. Computer network attacks and data exfiltrations are most successful when the methods of exploitation traverse the entry and egress vectors that are least expected and least defended in your network. Most of the time, no matter how well your perimeter is guarded, the user still represents the weakest avenue into that network. A clear need exists to better protect data transmitted and received by the user. But what are we to do when signature-based detection has long been defeated and anomaly/heuristic-based detection is not yet where we need it to be? The solution lies in enhancing the defense paradigm via the incorporation of intelligence-based security (Threat Intelligence) in the analysis of threats and discovery of malicious activity affecting your network, data, and your protected clients.

Incorporating Threat Intelligence into Your Enterprise Communications Systems...

EC-Council

BSides_Charm2015_Info sec hunters_gathers

Andrew McNicol

Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016

grecsl

Did you know that today's cyber threat landscape costs companies BILLIONS in damages each year? We want to help protect your company, employees and customers from the rising threat landscape! This presentation includes: • The state of cybersecurity and the threat landscape • How a threat-focused approach is changing the ability to detect and respond to breaches • How to develop a security game plan around a proven process • How to automatically defend your network with Cisco’s Advanced Malware Protection (AMP) http://www.utgsolutions.com/solutions/security-compliance

CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th

United Technology Group (UTG)

Similaire à Splunk Live in RTP - March-2014-Jeff-Bollinger-Cisco (20)