Copyright © 2014 Splunk Inc.

Detect Fraud and Suspicious Events Using Risk Scoring

Rob Perdue
VP Prof Services, 8020 Labs
Robert.perdue@8020labs.com

Slide 2: Introduction

- Rob Perdue, VP Professional Services at 8020 Labs
  - Cyber security professional for 12 years
  - Specialize in Security Operations, DFIR in the financial sector
  - Previously held positions at IBM, ADP, Viacom and ThreatGRID
  - Splunking since 2008

Slide 3: Agenda

- What I hope you will learn
- Why am I talking about fraud?
- Case Study: W-2 fraud
- Fraud Detection Framework (FDF)
- Creating Baselines
- Risk Scoring
- Cyber use cases for FDF
- Key takeaways
- Q & A

Slide 4: What I Hope You Will Learn

- New and exciting ways to mine your data
- The power of the eval command to score risk
- The usefulness of lookup tables for baselining
  - inputlookup
  - outputlookup
- Different ways to detect suspicious activities

Slide 5: Why Am I Talking About Fraud?

- Contacted to assist in an IR investigation
- Turned out not to be a typical IR engagement
- Ever hear of W-2 fraud? I hadn't.
  - Steal a W-2 and file taxes before the real person does

Slide 6: Case Study: W-2 Fraud

- Tasked with finding unauthorized access to W-2's
  - During tax season
- Huge amount of data
  - Millions of rows of logs
- Relevant logs spread across several database tables and files
- Not really sure what W-2 fraud looked like

Slide 7: Case Study: W-2 Fraud

- How the data was distributed (diagram on the slide):
  - Summary Tables
  - Main DB
  - Stand-alone Splunk
  - Several CSV Files

Slide 8: Case Study Con't

- An idea…consolidate data into a single Splunk instance
- No signature for fraud, no problem
- Score a risk value for each W-2 transaction
  - Country of origin
  - Uniqueness of Source IP
  - Day of Week
  - History of IP
- All of that resulted in one ugly search…

Slide 9: Case Study Con't

- One ugly search…

    index=w2 source="summarytable.csv" webpage="*administrator*"
    | eval daymonth=date_month+date_mday
    | eval full_user=username+"@"+group
    | eval full_user=lower(full_user)
    | iplocation src
    | stats values(Country) AS Country values(Region) AS State values(City) AS City values(date_wday) AS Day dc(daymonth) AS Unique_Days count as user_ip_count by src, full_user
    | join full_user [search index=w2 source="summarytableall.csv" webpage="*administrator*"
        | eval full_user=username+"@"+group
        | eval full_user=lower(full_user)
        | stats count as total_W2_events by full_user]
    | eval traffic_per_IP=round((user_ip_count/total_W2_events)*100)
    | join full_user src [search index=w2_history
        | stats values(days_seen) AS days_seen values(total_count) AS hist_total_count by src, full_user
        | fields src,full_user,days_seen,hist_total_count]
    | eval Risk_Score=0
    | eval Risk_Score=if(traffic_per_IP<100 AND days_seen<14, Risk_Score+3, Risk_Score+0)
    | eval Risk_Score=if(traffic_per_IP==100 AND days_seen<14, Risk_Score+1, Risk_Score+0)
    | eval Risk_Score=if(Day=="saturday" OR Day=="sunday", Risk_Score+1, Risk_Score+0)
    | eval Risk_Score=if(Unique_Days=="1", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(total_W2_events=="1", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(Country!="United States", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(days_seen>60, Risk_Score-3, Risk_Score+0)
    | eval Risk_Score=if(traffic_per_IP<100 AND days_seen>13, Risk_Score+1, Risk_Score+0)
    | fields full_user, src, Country, State, City, Risk_Score
    | sort -Risk_Score

(Splunk field names are case-sensitive, so the scoring conditions reference traffic_per_IP exactly as the eval that creates it spells it.)

Slide 10: Let's Break it Down

    index=w2 source="summarytable.csv" webpage="*administrator*"
    | eval daymonth=date_month+date_mday
    | eval full_user=username+"@"+group
    | eval full_user=lower(full_user)
    | iplocation src
    | stats values(Country) AS Country values(Region) AS State values(City) AS City values(date_wday) AS Day dc(daymonth) AS Unique_Days count as user_ip_count by src, full_user

Slide 11: Let's Keep Breaking it Down

    | join full_user [search index=w2 source="summarytableall.csv" webpage="*administrator*"
        | eval full_user=username+"@"+group
        | eval full_user=lower(full_user)
        | stats count as total_W2_events by full_user]
    | eval traffic_per_IP=round((user_ip_count/total_W2_events)*100)

Should have used the eventstats function…more on that later.

Slide 12: …and Down

    | join full_user src [search index=w2_history
        | stats values(days_seen) AS days_seen values(total_count) AS hist_total_count by src, full_user
        | fields src,full_user,days_seen,hist_total_count]

Slide 13: …and Down

    | eval Risk_Score=0
    | eval Risk_Score=if(traffic_per_IP<100 AND days_seen<14, Risk_Score+3, Risk_Score+0)
    | eval Risk_Score=if(traffic_per_IP==100 AND days_seen<14, Risk_Score+1, Risk_Score+0)
    | eval Risk_Score=if(Day=="saturday" OR Day=="sunday", Risk_Score+1, Risk_Score+0)
    | eval Risk_Score=if(Unique_Days=="1", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(total_W2_events=="1", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(Country!="United States", Risk_Score+2, Risk_Score+0)
    | eval Risk_Score=if(days_seen>60, Risk_Score-3, Risk_Score+0)
    | eval Risk_Score=if(traffic_per_IP<100 AND days_seen>13, Risk_Score+1, Risk_Score+0)

And finally…

    | fields full_user, src, Country, State, City, Risk_Score
    | sort -Risk_Score

Slide 14: Where's the Magic?

- Creation of a composite event
  - Join
  - Stats
- Use of eval to score the event
  - |eval Risk_Score=if(traffic_per_IP==100 AND days_seen<14, Risk_Score+1,Risk_Score+0)
- Know the data
  - What did the URL for W-2 access look like?
  - What could I extract from the logs to build a profile?
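The composite-event build and the chained scoring from slides 9 to 14, as an added Python example (not the presenter's search): it aggregates constructed W-2 page hits per (src, full_user), derives total_W2_events per user in the same pass (the eventstats idea mentioned on slide 11) instead of a subsearch join, left-joins a constructed w2_history stand-in, and applies the Risk_Score rules in the slide's order. Field names follow the slides; every value is made up.

```python
"""Composite-event risk scoring for W-2 access, modelled on the case-study
search on slides 9 to 14.  Added example, not the presenter's code."""
from collections import defaultdict

# Constructed W-2 page hits (index=w2, already geo-enriched by iplocation).
SAMPLE_EVENTS = [
    {"src": "203.0.113.7",  "username": "JSmith", "group": "acme",
     "Country": "Brazil",        "date_wday": "sunday",    "daymonth": "feb12"},
    {"src": "198.51.100.4", "username": "jsmith", "group": "acme",
     "Country": "United States", "date_wday": "monday",    "daymonth": "feb13"},
    {"src": "198.51.100.4", "username": "jsmith", "group": "acme",
     "Country": "United States", "date_wday": "tuesday",   "daymonth": "feb14"},
    {"src": "198.51.100.4", "username": "jsmith", "group": "acme",
     "Country": "United States", "date_wday": "wednesday", "daymonth": "feb15"},
    {"src": "192.0.2.9",    "username": "mlee",   "group": "acme",
     "Country": "United States", "date_wday": "monday",    "daymonth": "feb18"},
]

# Constructed stand-in for index=w2_history: long-term days_seen per (src, full_user).
SAMPLE_HISTORY = {("198.51.100.4", "jsmith@acme"): {"days_seen": 90, "hist_total_count": 400}}


def build_composite_events(events, history):
    """`stats ... by src, full_user`, plus total_W2_events per user and the
    left join against w2_history.  A pair with no history gets days_seen=None,
    which behaves like the null field the SPL join would leave behind."""
    groups = defaultdict(lambda: {"Day": set(), "daymonth": set(), "user_ip_count": 0})
    user_total = defaultdict(int)            # what eventstats count by full_user would give
    for e in events:
        full_user = (e["username"] + "@" + e["group"]).lower()
        g = groups[(e["src"], full_user)]
        g["Country"] = e["Country"]          # one src geolocates to one country
        g["Day"].add(e["date_wday"])         # values(date_wday) AS Day
        g["daymonth"].add(e["daymonth"])     # dc(daymonth) AS Unique_Days
        g["user_ip_count"] += 1
        user_total[full_user] += 1
    rows = []
    for (src, full_user), g in groups.items():
        total = user_total[full_user]
        hist = history.get((src, full_user), {})
        rows.append({
            "src": src, "full_user": full_user, "Country": g["Country"], "Day": g["Day"],
            "Unique_Days": len(g["daymonth"]), "user_ip_count": g["user_ip_count"],
            "total_W2_events": total,
            "traffic_per_IP": round(g["user_ip_count"] / total * 100),
            "days_seen": hist.get("days_seen"),
        })
    return rows


def risk_score(row):
    """The chained eval rules from slide 13, applied in the same order.
    Rules comparing days_seen are skipped when it is None, since a null
    field makes the SPL condition false."""
    t, d = row["traffic_per_IP"], row["days_seen"]
    known = d is not None
    score = 0
    if known and t < 100 and d < 14:
        score += 3                    # new IP carrying only part of the user's traffic
    if known and t == 100 and d < 14:
        score += 1                    # user's only IP, but still a new one
    if row["Day"] & {"saturday", "sunday"}:
        score += 1                    # weekend activity
    if row["Unique_Days"] == 1:
        score += 2                    # one-day burst from this IP
    if row["total_W2_events"] == 1:
        score += 2                    # a single W-2 access for the user
    if row["Country"] != "United States":
        score += 2
    if known and d > 60:
        score -= 3                    # long-established IP for this user
    if known and t < 100 and d > 13:
        score += 1
    return score


def score_w2_access(events, history):
    """Return (full_user, src, Country, Risk_Score) ordered like `sort -Risk_Score`."""
    scored = [(r["full_user"], r["src"], r["Country"], risk_score(r))
              for r in build_composite_events(events, history)]
    return sorted(scored, key=lambda x: -x[3])


if __name__ == "__main__":
    for line in score_w2_access(SAMPLE_EVENTS, SAMPLE_HISTORY):
        print(line)
```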
  
	
  
	
  
	
  
Slide 15: Closing the Case Study

- It worked, but…
- Reactive in nature
- Not terribly efficient
- Risk scoring could be better
- Spawned the Fraud Detection Framework (FDF)

Slide 16: Fraud Detection Framework

- Utilize everything you can from a single log event
  - Timestamp
  - Time of Day
  - User Agent String
  - URL
  - IP Info
  - User Name
- Enrich the log
  - Eventtypes
  - GeoIP
  - IP History
  - User History
  - Watch lists
  - Tags
- Continuous Baselining
- Risk Scoring

Slide 17: What's in a Log?

    2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg robper 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)

Callouts on the slide label the fields of this line: Day of Week (2002-05-02), Time of Day (17:42:15), Source IP (172.22.255.255), Server IP (172.30.255.255), Method (GET), URI Stem (/images/picture.jpg), User Name (robper), User Agent (Mozilla/4.0+…).

Slide 18: Enriching Your Logs

- EventTypes/Tags
  - What kind of transaction was this?
- GeoIP (iplocation)
  - Where is this IP coming from?
- IP History
  - Have I ever seen this IP before?
- User History
  - When's the last time I've seen this ID before?
  - Is this an inactive account?
- User Agent String
  - Is this UAS unusual?
  - Have I seen it before from this user?
  - Is there a non-English language preference?
- Watch lists
  - Is this IP on any threat or fraud watchlists?

Slide 19: Building Event Types

- No need to score a GET request to a jpg file
- Fully understand the application you are scoring
  - App Dev guys are our friends
  - Don't assume you know what a particular URL is, or isn't, for
- Build eventtypes for transactions of interest
  - W-2 reports
  - Payroll Execution
  - Beneficiary Change
  - Direct Deposit Change
  - Successful Logons

Slide 20: Baselining

- What does this usually look like?
- Enables risk scoring
- Relies heavily on lookup tables
- Lesser known lookup commands
  - inputlookup
  - outputlookup

Slide 21: FDF: Baselines

- GeoIP
  - Where does this client usually log in from?
- User Profiles
  - User Agent String
  - IP Info
  - User Logon History

Slide 22: FDF: GeoIP

- Determine primary location of client
- Feeds into Haversine formula
  - https://apps.splunk.com/app/936/
- Scheduled search
- Utilizes inputlookup and outputlookup

Slide 23: FDF: GeoIP

- GeoIP Baseline Search:

    index=hrapp
    | iplocation allfields=true src
    | eval clientlat=lat
    | eval clientlon=lon
    | stats min(_time) AS firstTime max(_time) AS lastTime count by client,Region,Timezone,clientlat,clientlon
    | eventstats sum(count) as client_total by client
    | inputlookup append=T client_geoProfiles.csv
    | eventstats sum(client_total) AS client_total by client,Region,Timezone,clientlat,clientlon
    | stats min(firstTime) AS firstTime max(lastTime) AS lastTime sum(count) AS count by client_total, client,Region,Timezone,clientlat,clientlon
    | eval percent=round((count/client_total)*100)
    | outputlookup client_geoProfiles.csv
    | where percent>75
    | outputlookup client_geoBase.csv

Slide 24: Let's Break it Down

    index=hrapp
    | iplocation allfields=true src
    | eval clientlat=lat
    | eval clientlon=lon
    | stats min(_time) AS firstTime max(_time) AS lastTime count by client,Region,Timezone,clientlat,clientlon
    | eventstats sum(count) as client_total by client
    | inputlookup append=T client_geoProfiles.csv
    | eventstats sum(client_total) AS client_total by client,Region,Timezone,clientlat,clientlon
    | stats min(firstTime) AS firstTime max(lastTime) AS lastTime sum(count) AS count by client_total, client,Region,Timezone,clientlat,clientlon
    | eval percent=round((count/client_total)*100)
    | outputlookup client_geoProfiles.csv
    | where percent>75
    | outputlookup client_geoBase.csv

How this data is used is shown on slide 32.

Slide 25: How it Looks… (screenshot of the resulting lookup table; not reproduced in this text)

Slide 26: FDF: User Baseline

- Create profiles for each user
  - First/Last Time
  - User Agent String
  - IP Address
- Scheduled search
- Utilizes inputlookup and outputlookup

Slide 27: FDF: User Baseline

- User baseline search:

    index=hrapp
    | fillnull value=unknown tag::src
    | stats min(_time) AS firstTime max(_time) AS lastTime first(date_wday) AS weekday by user,client,src,user_agent,tag::src,tag
    | inputlookup append=T user_Profiles.csv
    | stats min(firstTime) AS firstTime max(lastTime) AS lastTime values(weekday) AS weekday by user,client,src,user_agent,tag::src,tag
    | outputlookup user_Profiles.csv

Slide 28: Breaking it Down

    index=hrapp
    | fillnull value=unknown tag::src
    | stats min(_time) AS firstTime max(_time) AS lastTime first(date_wday) AS weekday by user,client,src,user_agent,tag::src,tag
    | inputlookup append=T user_Profiles.csv
    | stats min(firstTime) AS firstTime max(lastTime) AS lastTime values(weekday) AS weekday by user,client,src,user_agent,tag::src,tag
    | outputlookup user_Profiles.csv

How this data is used is shown on slide 32.
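The continuous-baselining cycle behind both the GeoIP baseline (slide 24) and the user baseline (slide 28), as an added Python example rather than the presenter's searches: each scheduled run aggregates the new events, merges them with the rows the previous run saved (the inputlookup append=T step), recomputes the derived fields, and writes everything back (outputlookup). The CSV lookups are stood in for by lists of dicts, all sample rows are constructed, and for the geo profile client_total is recomputed over the merged rows so that percent reflects the cumulative count.

```python
"""Lookup-table baselining modelled on slides 24 and 28.  Added example,
not the presenter's code; the profile rows below are constructed."""
from collections import defaultdict


def as_set(v):
    """values() in SPL yields a multivalue field; treat a lone string as one value."""
    return set(v) if isinstance(v, (set, frozenset, list, tuple)) else {v}


def merge_rows(saved, fresh, key_fields, reducers):
    """Union the saved profile rows with the freshly aggregated rows on
    key_fields; each field named in reducers is combined with its reducer
    (min, max, sum, set union), like the second `stats ... by` stage."""
    merged = {}
    for row in list(saved) + list(fresh):
        key = tuple(row[k] for k in key_fields)
        if key not in merged:
            merged[key] = dict(row)          # copy, so the caller's rows stay intact
            continue
        cur = merged[key]
        for field, combine in reducers.items():
            cur[field] = combine(cur[field], row[field])
    return list(merged.values())


GEO_KEY = ("client", "Region", "Timezone", "clientlat", "clientlon")
GEO_REDUCERS = {"firstTime": min, "lastTime": max, "count": lambda a, b: a + b}


def geo_profiles(saved, fresh, threshold=75):
    """Slide 24: returns (client_geoProfiles rows, client_geoBase rows).
    A location joins the client's baseline when it carries more than
    `threshold` percent of that client's logins."""
    rows = merge_rows(saved, fresh, GEO_KEY, GEO_REDUCERS)
    totals = defaultdict(int)
    for r in rows:
        totals[r["client"]] += r["count"]
    for r in rows:
        r["client_total"] = totals[r["client"]]
        r["percent"] = round(r["count"] / r["client_total"] * 100)
    return rows, [r for r in rows if r["percent"] > threshold]


USER_KEY = ("user", "client", "src", "user_agent", "tag::src", "tag")
USER_REDUCERS = {"firstTime": min, "lastTime": max,
                 "weekday": lambda a, b: as_set(a) | as_set(b)}


def user_profiles(saved, fresh):
    """Slide 28: first/last seen and the set of weekdays per user/client/src/UA."""
    rows = merge_rows(saved, fresh, USER_KEY, USER_REDUCERS)
    for r in rows:
        r["weekday"] = as_set(r["weekday"])  # a first run stores first(date_wday)
    return rows


# Constructed data: what the previous run wrote, and this run's new aggregates.
SAVED_GEO = [
    {"client": "acme", "Region": "TX", "Timezone": "America/Chicago", "clientlat": 32.78,
     "clientlon": -96.8, "firstTime": 1388534400, "lastTime": 1393632000, "count": 180,
     "client_total": 200, "percent": 90},
    {"client": "acme", "Region": "NY", "Timezone": "America/New_York", "clientlat": 40.71,
     "clientlon": -74.01, "firstTime": 1390000000, "lastTime": 1392000000, "count": 20,
     "client_total": 200, "percent": 10},
]
FRESH_GEO = [
    {"client": "acme", "Region": "TX", "Timezone": "America/Chicago", "clientlat": 32.78,
     "clientlon": -96.8, "firstTime": 1394000000, "lastTime": 1394500000, "count": 60},
    {"client": "acme", "Region": "SP", "Timezone": "America/Sao_Paulo", "clientlat": -23.55,
     "clientlon": -46.63, "firstTime": 1394100000, "lastTime": 1394100000, "count": 1},
]
SAVED_USER = [
    {"user": "robper", "client": "acme", "src": "198.51.100.4", "user_agent": "Mozilla/4.0",
     "tag::src": "unknown", "tag": "w2", "firstTime": 1390000000, "lastTime": 1392000000,
     "weekday": {"monday", "tuesday"}},
]
FRESH_USER = [
    {"user": "robper", "client": "acme", "src": "198.51.100.4", "user_agent": "Mozilla/4.0",
     "tag::src": "unknown", "tag": "w2", "firstTime": 1394000000, "lastTime": 1394100000,
     "weekday": "friday"},
]

if __name__ == "__main__":
    profiles, base = geo_profiles(SAVED_GEO, FRESH_GEO)
    print([(r["Region"], r["count"], r["percent"]) for r in profiles], [r["Region"] for r in base])
    print(user_profiles(SAVED_USER, FRESH_USER)[0]["weekday"])
```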
  
Slide 29: How it Looks (screenshot of user_Profiles.csv; not reproduced in this text)

Slide 30: FDF: Risk Engine

- Anomaly detection using the baseline data
- Enriches the log data
  - Watchlists
  - Tags
  - Haversine

Slide 31: FDF: Risk Engine

    | inputlookup user_Profiles.csv
    | search tag=w2 OR tag=payroll
    | lookup client_geoBase.csv client OUTPUT clientlat,clientlon
    | iplocation allfields=true src
    | lookup threatlist ip as src OUTPUT description
    | eval short_lon=round(lon, 2)
    | eval short_lat=round(lat, 2)
    | eval c_lon=round(clientlon, 2)
    | eval c_lat=round(clientlat, 2)
    | strcat c_lat "," c_lon as latlon
    | strcat short_lat "," short_lon as latlon2
    | haversine originField=latlon latlon2 unit=mi
    | eval diff=(round((lastTime-firstTime)/86400))
    | eval risk=0
    | eval risk=if(distance>0 AND distance<300, risk+5, risk+0)
    | eval risk=if(distance>299, risk+15, risk+0)
    | eval risk=if(diff<5, risk+10, risk+0)
    | eval risk=if(Country!="United States", risk+50, risk+0)
    | eval risk=if('tag::src'="malicious", risk+30, risk+1)
    | eval risk=if(weekday="Saturday" OR weekday="Sunday", risk+10, risk+1)
    | eval risk=if(description="KnownBad", risk+10, risk+0)
    | eval risk=if('tag::src'="whitelisted", risk-10, risk+1)
    | eval risk=if(risk<0, 1, risk+0)
    | eval distance=round(distance)
    | fields src,Country,Region,distance, client, user, tag::src,description,tag,risk
    | search risk>0

Slide 32: Let's Break it Down

    | inputlookup user_Profiles.csv
    | search tag=w2 OR tag=payroll
    | lookup client_geoBase.csv client OUTPUT clientlat,clientlon
    | iplocation allfields=true src
    | lookup threatlist ip as src OUTPUT description
    | eval short_lon=round(lon, 2)
    | eval short_lat=round(lat, 2)
    | eval c_lon=round(clientlon, 2)
    | eval c_lat=round(clientlat, 2)
    | strcat c_lat "," c_lon as latlon
    | strcat short_lat "," short_lon as latlon2
    | haversine originField=latlon latlon2 unit=mi

Annotations on the slide: user_Profiles.csv is the lookup built on slide 28; client_geoBase.csv is the lookup built on slide 24.

Slide 33: Let's Keep Breaking it Down…

    | eval diff=(round((lastTime-firstTime)/86400))
    | eval risk=0
    | eval risk=if(distance>0 AND distance<300, risk+5, risk+0)
    | eval risk=if(distance>299, risk+15, risk+0)
    | eval risk=if(diff<5, risk+10, risk+0)
    | eval risk=if(Country!="United States", risk+50, risk+0)
    | eval risk=if('tag::src'="malicious", risk+29, risk+1)
    | eval risk=if(weekday="Saturday" OR weekday="Sunday", risk+10, risk+1)
    | eval risk=if(description="KnownBad", risk+10, risk+0)
    | eval risk=if('tag::src'="whitelisted", risk-10, risk+1)
    | eval risk=if(risk<0, 1, risk+0)
    | eval distance=round(distance)
    | fields src,Country,Region,distance, client, user, tag::src,description,risk
    | search risk>0
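The risk engine of slides 31 to 33 as an added Python example, not the presenter's search: each user-profile row is enriched with the client's baseline location, the geolocation of its src and a threat-list description, then scored with the same chained rules (haversine distance in miles, days between first and last sighting, country, source tags, weekend logins) and the final floor at 1. The add/subtract values follow the breakdown on slide 33; the Earth radius constant, the lookups and the GeoIP answers are assumptions or constructed data.

```python
"""FDF risk engine modelled on slides 31 to 33.  Added example, not the
presenter's code; lookups and GeoIP results below are constructed."""
import math

EARTH_RADIUS_MI = 3958.8   # assumed mean Earth radius; the Splunk app's constant may differ


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def score_row(row, client_geo_base, geoip, threatlist):
    """Apply the slide 33 eval chain to one user_Profiles.csv row."""
    base = client_geo_base[row["client"]]          # lookup client_geoBase.csv client
    loc = geoip[row["src"]]                        # iplocation allfields=true src
    description = threatlist.get(row["src"])       # lookup threatlist ip as src
    # strcat of the rounded coordinates, then `haversine ... unit=mi`
    distance = haversine_miles(round(base["clientlat"], 2), round(base["clientlon"], 2),
                               round(loc["lat"], 2), round(loc["lon"], 2))
    diff = round((row["lastTime"] - row["firstTime"]) / 86400)   # days this combination has been seen
    tag_src = row["tag::src"]
    risk = 0
    if 0 < distance < 300:
        risk += 5                      # near, but not at, the client's usual location
    if distance > 299:
        risk += 15                     # far from the client's baseline
    if diff < 5:
        risk += 10                     # brand-new user/src/UA combination
    if loc["Country"] != "United States":
        risk += 50
    risk += 29 if tag_src == "malicious" else 1
    risk += 10 if set(row["weekday"]) & {"Saturday", "Sunday"} else 1
    if description == "KnownBad":
        risk += 10
    risk += -10 if tag_src == "whitelisted" else 1
    if risk < 0:
        risk = 1                       # a whitelisted source bottoms out at 1, not below
    return {"user": row["user"], "src": row["src"], "Country": loc["Country"],
            "distance": round(distance), "tag::src": tag_src,
            "description": description, "risk": risk}


def run_risk_engine(profiles, client_geo_base, geoip, threatlist, tags=("w2", "payroll")):
    """inputlookup user_Profiles.csv | search tag=w2 OR tag=payroll | ... | search risk>0"""
    scored = [score_row(r, client_geo_base, geoip, threatlist) for r in profiles if r["tag"] in tags]
    return [s for s in scored if s["risk"] > 0]


# Constructed lookups: each client's baseline location, GeoIP answers and a threat list.
CLIENT_GEO_BASE = {"acme": {"clientlat": 32.7767, "clientlon": -96.797}}      # Dallas
GEOIP = {
    "198.51.100.4": {"lat": 32.7767, "lon": -96.797, "Country": "United States"},
    "203.0.113.7":  {"lat": -23.5505, "lon": -46.6333, "Country": "Brazil"},
    "192.0.2.9":    {"lat": 32.78, "lon": -96.80, "Country": "United States"},
}
THREATLIST = {"203.0.113.7": "KnownBad"}
PROFILES = [   # constructed user_Profiles.csv rows
    {"user": "robper", "client": "acme", "src": "198.51.100.4", "tag::src": "unknown",
     "tag": "w2", "firstTime": 1390000000, "lastTime": 1393456000, "weekday": {"Monday", "Tuesday"}},
    {"user": "jsmith", "client": "acme", "src": "203.0.113.7", "tag::src": "malicious",
     "tag": "payroll", "firstTime": 1394100000, "lastTime": 1394100000, "weekday": {"Sunday"}},
    {"user": "mlee", "client": "acme", "src": "192.0.2.9", "tag::src": "whitelisted",
     "tag": "w2", "firstTime": 1380000000, "lastTime": 1394000000, "weekday": {"Wednesday"}},
    {"user": "svc", "client": "acme", "src": "198.51.100.4", "tag::src": "unknown",
     "tag": "login", "firstTime": 1394000000, "lastTime": 1394000000, "weekday": {"Monday"}},
]

if __name__ == "__main__":
    for result in run_risk_engine(PROFILES, CLIENT_GEO_BASE, GEOIP, THREATLIST):
        print(result)
```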
  
Slide 34: What it Looks Like… (screenshot of the scored results; not reproduced in this text)

Slide 35: FDF: Scoring Review

- In its current state:
  - Essentially scores the risk of the session
  - Can focus score on particular event types (e.g., direct deposit, payroll)
  - Does not score behavior while in the app
  - Good job of detecting compromised creds
- Can easily be modified to…
  - Detect transaction anomalies (e.g., wire transfers, payroll fraud)
  - Incorporate Benford's law
    - http://apps.splunk.com/app/355/
  - Score other risks

Slide 36: FDF: Other Cyber Use Cases

- Compromised creds
  - FTP
  - OWA
  - VPN
  - Custom apps
- User profiles
  - Proxy logs
  - Logon times
- Risk scoring
  - IPS Alert + AV Hit + Failed Logon + ?

Slide 37: FDF: Side Story

- One compromised FTP account reported
  - The client wanted to know how many other accounts were used for unauthorized access
  - ~600 active FTP accounts
- Fortunately the client had a year's worth of FTP logs in Splunk
- Utilized the FDF framework to detect 14 additional accounts

Slide 38: Key Takeaways

- Baseline your data
- inputlookup and outputlookup are very powerful baselining tools
- Chaining eval statements is an effective way of scoring risk
- Use every bit of information found in an individual log
- Enrich what you can

Slide 39: Q&A

Slide 40

Security office hours: 11:00 AM – 2:00 PM @Room 103 Everyday
  Geek out, share ideas with Enterprise Security developers

Red Team / Blue Team - Challenge your skills and learn new tricks
  Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge
  Thurs: 11:00 AM – 2:00 PM
  Learn, share and hack

Birds of a feather - Collaborate and brainstorm with security ninjas
  Thurs: 12:00 PM – 1:00 PM @Meal Room

Slide 41: THANK YOU


SplunkSummit 2015 - Security NinjitsuSplunk
 
Splunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationSplunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationGeorg Knon
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Sean White- Kansas City
Sean White- Kansas CitySean White- Kansas City
Sean White- Kansas CitySplunk
 
July 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesJuly 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesAmanda Richardson
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleДоступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleTimur Bagirov
 
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby SheltonA Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby SheltonJohn Billings CISSP
 
SplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham
SplunkLive! Atlanta Mar 2013 - University of Alabama at BirminghamSplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham
SplunkLive! Atlanta Mar 2013 - University of Alabama at BirminghamSplunk
 
SL_Long Beach_Creative Artists_12_04_2015
SL_Long Beach_Creative Artists_12_04_2015SL_Long Beach_Creative Artists_12_04_2015
SL_Long Beach_Creative Artists_12_04_2015Jon Papp
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuSplunk
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonSkelton Thatcher Consulting Ltd
 
Un-broken logging - the foundation of software operability - Operability.io -...
Un-broken logging - the foundation of software operability - Operability.io -...Un-broken logging - the foundation of software operability - Operability.io -...
Un-broken logging - the foundation of software operability - Operability.io -...Matthew Skelton
 

Similaire à Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring (20)

conf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Securityconf2014_PeterLam_Splunk_Security
conf2014_PeterLam_Splunk_Security
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
SplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – VirtustreamSplunkLive! Customer Presentation – Virtustream
SplunkLive! Customer Presentation – Virtustream
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
SplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security NinjitsuSplunkSummit 2015 - Security Ninjitsu
SplunkSummit 2015 - Security Ninjitsu
 
Splunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident InvestigationSplunk Webinar Best Practices für Incident Investigation
Splunk Webinar Best Practices für Incident Investigation
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Sean White- Kansas City
Sean White- Kansas CitySean White- Kansas City
Sean White- Kansas City
 
July 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group SlidesJuly 2021 Virtual PNW Splunk User Group Slides
July 2021 Virtual PNW Splunk User Group Slides
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора OracleДоступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
Доступная безопасность: смесь инструментов с данными. Советы архитектора Oracle
 
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby SheltonA Risk Based Approach to Security Detection and Investigation by Kelby Shelton
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
 
SplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham
SplunkLive! Atlanta Mar 2013 - University of Alabama at BirminghamSplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham
SplunkLive! Atlanta Mar 2013 - University of Alabama at Birmingham
 
SL_Long Beach_Creative Artists_12_04_2015
SL_Long Beach_Creative Artists_12_04_2015SL_Long Beach_Creative Artists_12_04_2015
SL_Long Beach_Creative Artists_12_04_2015
 
Conf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsuConf2014_SplunkSecurityNinjutsu
Conf2014_SplunkSecurityNinjutsu
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat Hunting
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew Skelton
 
Un-broken logging - the foundation of software operability - Operability.io -...
Un-broken logging - the foundation of software operability - Operability.io -...Un-broken logging - the foundation of software operability - Operability.io -...
Un-broken logging - the foundation of software operability - Operability.io -...
 

Plus de Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routineSplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTVSplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank InternationalSplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 

Plus de Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Dernier

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Dernier (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring

• 1. Copyright © 2014 Splunk Inc.
Rob Perdue
VP Prof Services, 8020 Labs
Robert.perdue@8020labs.com
Detect Fraud and Suspicious Events Using Risk Scoring

• 2. Introduction
! Rob Perdue, VP Professional Services at 8020 Labs
– Cyber security professional for 12 years
– Specialize in Security Operations, DFIR in financial sector
– Previously held positions at IBM, ADP, Viacom and ThreatGRID
– Splunking since 2008

• 3. Agenda
! What I hope you will learn
! Why am I talking about fraud?
! Case Study: W-2 fraud
! Fraud Detection Framework (FDF)
! Creating Baselines
! Risk Scoring
! Cyber use cases for FDF
! Key takeaways
! Q & A

• 4. What I Hope You Will Learn
! New and exciting ways to mine your data
! The power of the eval command to score risk
! The usefulness of lookup tables for baselining
– inputlookup
– outputlookup
! Different ways to detect suspicious activities

• 5. Why Am I Talking About Fraud?
! Contacted to assist in an IR investigation
! Turned out not to be a typical IR engagement
! Ever hear of W-2 fraud? I hadn't.
– Steal a W-2 and file taxes before the real person does

• 6. Case Study: W-2 Fraud
! Tasked with finding unauthorized access to W-2's
– During tax season
! Huge amount of data
– Millions of rows of logs
! Relevant logs spread across several database tables and files
! Not really sure what W-2 fraud looked like

• 7. Case Study: W-2 Fraud
! How the data was distributed:
– Summary Tables
– Main DB
– Stand-alone Splunk
– Several CSV Files

• 8. Case Study Con't
! An idea… consolidate data into a single Splunk instance
! No signature for fraud, no problem
! Score a risk value for each W-2 transaction
– Country of origin
– Uniqueness of Source IP
– Day of Week
– History of IP
! All of that resulted in one ugly search…
  • 9. Case  Study  Con’t   !   One  ugly  search…   9   index=w2  source="summarytable.csv"  webpage="*administrator*"  |eval  daymonth=date_month+date_mday   |eval  full_user=username+"@"+group|eval  full_user=lower(full_user)  |iplocaKon  src   |stats  values(Country)  AS  Country  values(Region)  AS  State  values(City)  AS  City  values(date_wday)  AS  Day  dc(daymonth)  AS  Unique_Days  count  as   user_ip_count  by  src,  full_user|join  full_user  [search  index=w2  source="  summarytableall.csv"  webpage="*administrator*"       |  eval  full_user=username+"@"+group    |  eval  full_user=lower(full_user)  |stats  count  as  total_W2_events  by  full_user]   |eval  traffic_per_IP=round((user_ip_count/total_W2_events)*100)|join  full_user  src[search  index=w2_history  |stats  values(days_seen)  AS   days_seen  values(total_count)  AS  hist_total_count  by  src,  full_user|fields  src,full_user,days_seen,  hist_total_count]     |eval  Risk_Score=0|eval  Risk_Score=if(traffic_per_ip<100  AND  days_seen<14,  Risk_Score+3,Risk_Score+0)|eval  Risk_Score=if(traffic_per_ip   ==100  AND  days_seen<14,  Risk_Score+1,Risk_Score+0)|eval  Risk_Score=if(Day=="saturday"  OR  Day=="sunday",Risk_Score+1,  Risk_Score+0)|eval   Risk_Score=if(Unique_Days=="1",  Risk_Score+2,  Risk_Score+0)|eval  Risk_Score=if(total_W2_events=="1",  Risk_Score+2,  Risk_Score+0)|eval   Risk_Score=if(Country!="United  States",  Risk_Score+2,  Risk_Score+0)|eval  Risk_Score=if(days_seen>60,  Risk_Score-­‐3,  Risk_Score+0)|eval   Risk_Score=if(traffic_per_ip  <100  AND  days_seen>13,  Risk_Score+1,Risk_Score+0)   |fields  full_user,  src,  Country,  State,  City,  Risk_Score    |sort  -­‐Risk_Score  
• 10. Let's Break it Down
index=w2 source="summarytable.csv" webpage="*administrator*"
| eval daymonth=date_month+date_mday
| eval full_user=username+"@"+group
| eval full_user=lower(full_user)
| iplocation src
| stats values(Country) AS Country values(Region) AS State values(City) AS City values(date_wday) AS Day dc(daymonth) AS Unique_Days count as user_ip_count by src, full_user
• 11. Let's Keep Breaking it Down
| join full_user [search index=w2 source="summarytableall.csv" webpage="*administrator*"
    | eval full_user=username+"@"+group
    | eval full_user=lower(full_user)
    | stats count as total_W2_events by full_user]
| eval traffic_per_IP=round((user_ip_count/total_W2_events)*100)
Should have used the eventstats function…more on that later.
• 12. …and Down
| join full_user src [search index=w2_history
    | stats values(days_seen) AS days_seen values(total_count) AS hist_total_count by src, full_user
    | fields src, full_user, days_seen, hist_total_count]
• 13. …and Down
| eval Risk_Score=0
| eval Risk_Score=if(traffic_per_IP<100 AND days_seen<14, Risk_Score+3, Risk_Score+0)
| eval Risk_Score=if(traffic_per_IP==100 AND days_seen<14, Risk_Score+1, Risk_Score+0)
| eval Risk_Score=if(Day=="saturday" OR Day=="sunday", Risk_Score+1, Risk_Score+0)
| eval Risk_Score=if(Unique_Days=="1", Risk_Score+2, Risk_Score+0)
| eval Risk_Score=if(total_W2_events=="1", Risk_Score+2, Risk_Score+0)
| eval Risk_Score=if(Country!="United States", Risk_Score+2, Risk_Score+0)
| eval Risk_Score=if(days_seen>60, Risk_Score-3, Risk_Score+0)
| eval Risk_Score=if(traffic_per_IP<100 AND days_seen>13, Risk_Score+1, Risk_Score+0)
And finally…
| fields full_user, src, Country, State, City, Risk_Score
| sort -Risk_Score
• 14. Where's the Magic?
! Creation of a composite event
– Join
– Stats
! Use of eval to score the event
– | eval Risk_Score=if(traffic_per_IP==100 AND days_seen<14, Risk_Score+1, Risk_Score+0)
! Know the data
– What did the URL for W-2 access look like?
– What could I extract from the logs to build a profile?
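The composite-event-plus-chained-scoring pattern of slides 9 through 14, as an added Python example (not code from the deck or from 8020 Labs): it collapses a few constructed W-2 report events into one row per (src, full_user), folds in the per-user total the way eventstats would (so no self-join is needed), attaches a constructed IP history, and applies the eight Risk_Score rules of slide 13 one per line. The events, the history table and the country values are invented; an IP with no history row is treated as days_seen = 0 (a left join), whereas the slide's inner join would silently drop it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical W-2 report requests, not real data):
# (timestamp, src, username, group, country). The slides get Country from
# iplocation; here it is supplied inline so the example runs offline.
W2_EVENTS = [
    ("2014-02-03 09:12:00", "10.1.1.5", "Alice", "acme", "United States"),
    ("2014-02-04 10:30:00", "10.1.1.5", "alice", "acme", "United States"),
    ("2014-02-05 11:00:00", "10.1.1.5", "alice", "acme", "United States"),
    ("2014-02-08 02:15:00", "203.0.113.9", "bob", "acme", "Nigeria"),
    ("2014-02-10 14:00:00", "10.1.1.7", "carol", "acme", "United States"),
    ("2014-02-10 14:05:00", "10.1.1.7", "carol", "acme", "United States"),
]

# Constructed stand-in for the w2_history index: (src, full_user) -> days_seen.
IP_HISTORY = {("10.1.1.5", "alice@acme"): 120, ("10.1.1.7", "carol@acme"): 20}


def build_composites(events, history):
    """One row per (src, full_user), like 'stats ... by src, full_user',
    with the per-user total folded in the way eventstats would do it."""
    groups = defaultdict(lambda: {"countries": set(), "days": set(),
                                  "daymonths": set(), "count": 0})
    per_user_total = defaultdict(int)
    for ts, src, username, group, country in events:
        full_user = (username + "@" + group).lower()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        g = groups[(src, full_user)]
        g["countries"].add(country)
        g["days"].add(when.strftime("%A").lower())   # date_wday style
        g["daymonths"].add(when.strftime("%m%d"))    # date_month+date_mday
        g["count"] += 1
        per_user_total[full_user] += 1
    rows = []
    for (src, full_user), g in groups.items():
        total = per_user_total[full_user]
        rows.append({
            "src": src, "full_user": full_user,
            "Country": g["countries"], "Day": g["days"],
            "Unique_Days": len(g["daymonths"]),
            "user_ip_count": g["count"],
            "total_W2_events": total,
            "traffic_per_IP": round(g["count"] / total * 100),
            # Assumption: an IP with no history row gets days_seen = 0
            # (left-join semantics); the slide's join drops such rows.
            "days_seen": history.get((src, full_user), 0),
        })
    return rows


def risk_score(row):
    """The chained eval rules of slide 13, one per line."""
    t, d = row["traffic_per_IP"], row["days_seen"]
    score = 0
    if t < 100 and d < 14:
        score += 3           # user spreads across IPs and this IP is new
    if t == 100 and d < 14:
        score += 1           # single IP, but a new one
    if row["Day"] & {"saturday", "sunday"}:
        score += 1           # weekend access
    if row["Unique_Days"] == 1:
        score += 2           # seen on one day only
    if row["total_W2_events"] == 1:
        score += 2           # the user's only W-2 access
    if row["Country"] != {"United States"}:
        score += 2
    if d > 60:
        score -= 3           # long-established IP for this user
    if t < 100 and d > 13:
        score += 1
    return score


def rank(events, history):
    """Score every composite row and return (full_user, src, score), highest first."""
    rows = build_composites(events, history)
    return sorted(((r["full_user"], r["src"], risk_score(r)) for r in rows),
                  key=lambda x: -x[2])


if __name__ == "__main__":
    for full_user, src, score in rank(W2_EVENTS, IP_HISTORY):
        print(f"{score:>3}  {full_user:<12} {src}")
```

With this input the single weekend access from a non-US address with no history ranks first, the user seen on only one day ranks second, and the established user/IP pair scores below zero; the same ordering the slide's search produces.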
• 15. Closing the Case Study
! It worked, but…
! Reactive in nature
! Not terribly efficient
! Risk scoring could be better
! Spawned the Fraud Detection Framework (FDF)
• 16. Fraud Detection Framework
! Utilize everything you can from a single log event
– Timestamp
– Time of Day
– User Agent String
– URL
– IP Info
– User Name
! Enrich the log
– Eventtypes
– GeoIP
– IP History
– User History
– Watch lists
– Tags
! Continuous Baselining
! Risk Scoring
• 17. What's in a Log?
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg robper 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
Fields called out on the slide: Day of Week, Time of Day, Source IP, Method, URI Stem, User Agent, Server IP, User Name
• 18. Enriching Your Logs
! EventTypes/Tags
– What kind of transaction was this?
! GeoIP (iplocation)
– Where is this IP coming from?
! IP History
– Have I ever seen this IP before?
! User History
– When's the last time I've seen this ID before?
– Is this an inactive account?
! User Agent String
– Is this UAS unusual?
– Have I seen it before from this user?
– Is there a non-English language preference?
! Watch lists
– Is this IP on any threat or fraud watchlists?
• 19. Building Event Types
! No need to score a GET request to a jpg file
! Fully understand the application you are scoring
– App Dev guys are our friends
– Don't assume you know what a particular URL is, or isn't, for
! Build eventtypes for transactions of interest
– W-2 reports
– Payroll Execution
– Beneficiary Change
– Direct Deposit Change
– Successful Logons
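Slides 17 through 19 together: pull the fields out of a web-server line, derive day of week and hour, skip static content, and label transactions of interest. This is an added Python example, not code from the deck; the first sample line is the one on slide 17, the other three are constructed, and the field order (date time c-ip cs-username s-ip s-port method uri-stem user status user-agent) is assumed from the slide's callouts. The URL paths behind each eventtype are invented for the example; as slide 19 says, confirm the real ones with the application team.

```python
import re
from datetime import datetime

# Constructed sample log. Line 1 is the slide's own example; lines 2-4 are
# invented to exercise the eventtype rules below.
SAMPLE_LOG = """\
2002-05-02 17:42:15 172.22.255.255 - 172.30.255.255 80 GET /images/picture.jpg robper 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-02 17:42:20 172.22.255.255 - 172.30.255.255 80 GET /hr/w2/report.aspx robper 200 Mozilla/4.0+(compatible;MSIE+5.5;+Windows+2000+Server)
2002-05-04 03:09:55 198.51.100.7 - 172.30.255.255 80 POST /login.aspx jdoe 302 Mozilla/5.0+(X11;+Linux)
2002-05-04 03:10:02 198.51.100.7 - 172.30.255.255 80 POST /hr/directdeposit/update.aspx jdoe 200 Mozilla/5.0+(X11;+Linux)
"""

# Assumed field order, taken from the callouts on slide 17.
FIELDS = ["date", "time", "src", "cs_username", "server_ip", "port", "method",
          "uri_stem", "user", "status", "user_agent"]

# Hypothetical eventtypes keyed on method, URI stem and status. The paths are
# invented; the point is that each rule names one transaction of interest.
EVENTTYPES = [
    ("w2", lambda r: r["method"] == "GET" and r["uri_stem"].startswith("/hr/w2/")),
    ("direct_deposit", lambda r: r["method"] == "POST"
        and r["uri_stem"].startswith("/hr/directdeposit/")),
    ("logon_success", lambda r: r["method"] == "POST"
        and r["uri_stem"] == "/login.aspx" and r["status"] == "302"),
]
STATIC = re.compile(r"\.(jpg|jpeg|png|gif|css|js|ico)$", re.IGNORECASE)


def classify(rec):
    """Eventtype for one record; None for static content that is not worth scoring."""
    if STATIC.search(rec["uri_stem"]):
        return None
    for name, test in EVENTTYPES:
        if test(rec):
            return name
    return "other"


def parse_line(line):
    """Split one line into the slide's fields plus the derived time features."""
    parts = line.split(" ", len(FIELDS) - 1)   # user agent keeps '+' for spaces
    if len(parts) != len(FIELDS):
        return None                            # malformed line: skip, don't guess
    rec = dict(zip(FIELDS, parts))
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["date_wday"] = ts.strftime("%A").lower()   # Splunk's date_wday style
    rec["date_hour"] = ts.hour                     # time-of-day feature
    rec["user_agent"] = rec["user_agent"].replace("+", " ")
    rec["eventtype"] = classify(rec)
    return rec


def events_of_interest(text):
    """Only records that map to a named eventtype reach the risk engine."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["eventtype"] not in (None, "other"):
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in events_of_interest(SAMPLE_LOG):
        print(rec["eventtype"], rec["user"], rec["src"], rec["date_wday"], rec["date_hour"])
```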
• 20. Baselining
! What does this usually look like?
! Enables risk scoring
! Relies heavily on lookup tables
! Lesser known lookup commands
– Inputlookup
– Outputlookup
• 21. FDF: Baselines
! GeoIP
– Where does this client usually log in from?
! User Profiles
– User Agent String
– IP Info
– User Logon History
• 22. FDF: GeoIP
! Determine primary location of client
! Feeds into Haversine formula
– https://apps.splunk.com/app/936/
! Scheduled search
! Utilizes inputlookup and outputlookup
• 23. FDF: GeoIP
! GeoIP Baseline Search:
index=hrapp
| iplocation allfields=true src
| eval clientlat=lat | eval clientlon=lon
| stats min(_time) AS firstTime max(_time) AS lastTime count by client, Region, Timezone, clientlat, clientlon
| eventstats sum(count) as client_total by client
| inputlookup append=T client_geoProfiles.csv
| eventstats sum(client_total) AS client_total by client, Region, Timezone, clientlat, clientlon
| stats min(firstTime) AS firstTime max(lastTime) AS lastTime sum(count) AS count by client_total, client, Region, Timezone, clientlat, clientlon
| eval percent=round((count/client_total)*100)
| outputlookup client_geoProfiles.csv
| where percent>75
| outputlookup client_geoBase.csv
• 24. Let's Break it Down
index=hrapp
| iplocation allfields=true src
| eval clientlat=lat | eval clientlon=lon
| stats min(_time) AS firstTime max(_time) AS lastTime count by client, Region, Timezone, clientlat, clientlon
| eventstats sum(count) as client_total by client
| inputlookup append=T client_geoProfiles.csv
| eventstats sum(client_total) AS client_total by client, Region, Timezone, clientlat, clientlon
| stats min(firstTime) AS firstTime max(lastTime) AS lastTime sum(count) AS count by client_total, client, Region, Timezone, clientlat, clientlon
| eval percent=round((count/client_total)*100)
| outputlookup client_geoProfiles.csv
| where percent>75
| outputlookup client_geoBase.csv
How this data is used is shown on slide 32.
• 26. FDF: User Baseline
! Create profiles for each user
– First/Last Time
– User Agent String
– IP Address
! Scheduled search
! Utilizes inputlookup and outputlookup
• 27. FDF: User Baseline
! User baseline search:
index=hrapp
| fillnull value=unknown tag::src
| stats min(_time) AS firstTime max(_time) AS lastTime first(date_wday) AS weekday by user, client, src, user_agent, tag::src, tag
| inputlookup append=T user_Profiles.csv
| stats min(firstTime) AS firstTime max(lastTime) AS lastTime values(weekday) AS weekday by user, client, src, user_agent, tag::src, tag
| outputlookup user_Profiles.csv
• 28. Breaking it Down
index=hrapp
| fillnull value=unknown tag::src
| stats min(_time) AS firstTime max(_time) AS lastTime first(date_wday) AS weekday by user, client, src, user_agent, tag::src, tag
| inputlookup append=T user_Profiles.csv
| stats min(firstTime) AS firstTime max(lastTime) AS lastTime values(weekday) AS weekday by user, client, src, user_agent, tag::src, tag
| outputlookup user_Profiles.csv
How this data is used is shown on slide 32.
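The continuous-baselining round trip that slides 23 through 28 build with inputlookup/outputlookup, as one added Python example covering both the GeoIP baseline and the user baseline (not code from the deck or the Splunk apps it cites). Each scheduled run reads the lookup written by the previous run, folds this run's events onto it with the same min/max/sum/values reductions, and writes it back; for the GeoIP profile the per-client total is recomputed from the merged counts, which is what the slide's eventstats step is after. The hrapp events, clients and coordinates are constructed, and tag::src is spelled tag_src here for plain CSV headers.

```python
import csv
import os
import tempfile
from collections import defaultdict

GEO_KEY = ("client", "Region", "Timezone", "clientlat", "clientlon")
USER_KEY = ("user", "client", "src", "user_agent", "tag_src", "tag")


def read_lookup(path):
    """inputlookup: an absent lookup behaves like an empty one (first run)."""
    if not os.path.exists(path):
        return []
    with open(path, newline="") as f:
        return list(csv.DictReader(f))


def write_lookup(path, rows, fields):
    """outputlookup: overwrite the lookup with the merged rows."""
    with open(path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fields)
        w.writeheader()
        w.writerows(rows)


def merge(existing, events, key, init, fold):
    """Fold this run's events onto the rows already in the lookup, keyed the
    way the 'stats ... by' clause is; init parses a stored row, fold mirrors
    the min/max/sum/values aggregation for one new event."""
    agg = {tuple(r[f] for f in key): init(r) for r in existing}
    for e in events:
        k = tuple(str(e[f]) for f in key)
        agg[k] = fold(agg.get(k), e)
    return agg


def geo_baseline(events, profiles_path, base_path, threshold=75):
    """Slide 23: per-client location profile; a location that carries more
    than `threshold` percent of a client's logins becomes its base location."""
    def init(r):
        return {"firstTime": int(r["firstTime"]), "lastTime": int(r["lastTime"]),
                "count": int(r["count"])}

    def fold(a, e):
        t = int(e["_time"])
        if a is None:
            return {"firstTime": t, "lastTime": t, "count": 1}
        return {"firstTime": min(a["firstTime"], t),
                "lastTime": max(a["lastTime"], t), "count": a["count"] + 1}

    agg = merge(read_lookup(profiles_path), events, GEO_KEY, init, fold)
    total = defaultdict(int)            # client_total from the merged counts
    for k, a in agg.items():
        total[k[0]] += a["count"]
    rows = []
    for k, a in agg.items():
        row = dict(zip(GEO_KEY, k), **a)
        row["client_total"] = total[k[0]]
        row["percent"] = round(a["count"] / total[k[0]] * 100)
        rows.append(row)
    fields = list(GEO_KEY) + ["firstTime", "lastTime", "count", "client_total", "percent"]
    write_lookup(profiles_path, rows, fields)
    base = [r for r in rows if r["percent"] > threshold]
    write_lookup(base_path, base, fields)
    return base


def user_baseline(events, profiles_path):
    """Slide 27: first/last sighting and weekdays per user, client, src, UA, tags."""
    def init(r):
        return {"firstTime": int(r["firstTime"]), "lastTime": int(r["lastTime"]),
                "weekday": set(r["weekday"].split(";"))}

    def fold(a, e):
        t = int(e["_time"])
        if a is None:
            return {"firstTime": t, "lastTime": t, "weekday": {e["weekday"]}}
        return {"firstTime": min(a["firstTime"], t), "lastTime": max(a["lastTime"], t),
                "weekday": a["weekday"] | {e["weekday"]}}   # values(weekday)

    agg = merge(read_lookup(profiles_path), events, USER_KEY, init, fold)
    rows = [dict(zip(USER_KEY, k), firstTime=a["firstTime"], lastTime=a["lastTime"],
                 weekday=";".join(sorted(a["weekday"]))) for k, a in agg.items()]
    write_lookup(profiles_path, rows, list(USER_KEY) + ["firstTime", "lastTime", "weekday"])
    return rows


def demo():
    """Two scheduled runs over constructed hrapp events; returns the geo base
    rows and the user profile rows as they stand after the second run."""
    d = tempfile.mkdtemp()
    geo, base, users = (os.path.join(d, n) for n in
                        ("client_geoProfiles.csv", "client_geoBase.csv", "user_Profiles.csv"))
    ny = {"client": "acme", "Region": "New York", "Timezone": "America/New_York",
          "clientlat": 40.71, "clientlon": -74.01}
    oh = {"client": "acme", "Region": "Ohio", "Timezone": "America/New_York",
          "clientlat": 39.96, "clientlon": -83.0}
    run1 = [dict(ny, _time=1391990400 + i * 3600) for i in range(3)] + [dict(oh, _time=1392000000)]
    run2 = [dict(ny, _time=1392076800 + i * 3600) for i in range(2)]
    geo_baseline(run1, geo, base)                # 3 of 4 = 75%: not yet a base
    geo_base = geo_baseline(run2, geo, base)     # 5 of 6 = 83%: New York is the base
    u = {"user": "alice", "client": "acme", "src": "10.1.1.5", "user_agent": "MSIE 5.5",
         "tag_src": "unknown", "tag": "w2"}
    user_baseline([dict(u, _time=1391990400, weekday="Monday")], users)
    profile = user_baseline([dict(u, _time=1392163200, weekday="Wednesday")], users)
    return geo_base, profile
```

Because the threshold is strict (percent>75), the first run's 3-of-4 split leaves client_geoBase.csv empty and only the second run promotes New York; a client whose logins are split across several regions will never get a base row, which is worth checking before relying on the haversine score downstream.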
• 29. How it Looks
• 30. FDF: Risk Engine
! Anomaly detection using the baseline data
! Enriches the log data
– Watchlists
– Tags
– Haversine
• 31. FDF: Risk Engine
| inputlookup user_Profiles.csv
| search tag=w2 OR tag=payroll
| lookup client_geoBase.csv client OUTPUT clientlat, clientlon
| iplocation allfields=true src
| lookup threatlist ip as src OUTPUT description
| eval short_lon=round(lon, 2) | eval short_lat=round(lat, 2)
| eval c_lon=round(clientlon, 2) | eval c_lat=round(clientlat, 2)
| strcat c_lat "," c_lon as latlon
| strcat short_lat "," short_lon as latlon2
| haversine originField=latlon latlon2 unit=mi
| eval diff=(round((lastTime-firstTime)/86400))
| eval risk=0
| eval risk=if(distance>0 AND distance<300, risk+5, risk+0)
| eval risk=if(distance>299, risk+15, risk+0)
| eval risk=if(diff<5, risk+10, risk+0)
| eval risk=if(Country!="United States", risk+50, risk+0)
| eval risk=if('tag::src'="malicious", risk+30, risk+1)
| eval risk=if(weekday="Saturday" OR weekday="Sunday", risk+10, risk+1)
| eval risk=if(description="KnownBad", risk+10, risk+0)
| eval risk=if('tag::src'="whitelisted", risk-10, risk+1)
| eval risk=if(risk<0, 1, risk+0)
| eval distance=round(distance)
| fields src, Country, Region, distance, client, user, tag::src, description, tag, risk
| search risk>0
• 32. Let's Break it Down
| inputlookup user_Profiles.csv
| search tag=w2 OR tag=payroll
| lookup client_geoBase.csv client OUTPUT clientlat, clientlon
| iplocation allfields=true src
| lookup threatlist ip as src OUTPUT description
| eval short_lon=round(lon, 2)
| eval short_lat=round(lat, 2)
| eval c_lon=round(clientlon, 2)
| eval c_lat=round(clientlat, 2)
| strcat c_lat "," c_lon as latlon
| strcat short_lat "," short_lon as latlon2
| haversine originField=latlon latlon2 unit=mi
(user_Profiles.csv comes from slide 28; client_geoBase.csv from slide 24.)
• 33. Let's Keep Breaking it Down…
| eval diff=(round((lastTime-firstTime)/86400))
| eval risk=0
| eval risk=if(distance>0 AND distance<300, risk+5, risk+0)
| eval risk=if(distance>299, risk+15, risk+0)
| eval risk=if(diff<5, risk+10, risk+0)
| eval risk=if(Country!="United States", risk+50, risk+0)
| eval risk=if('tag::src'="malicious", risk+30, risk+1)
| eval risk=if(weekday="Saturday" OR weekday="Sunday", risk+10, risk+1)
| eval risk=if(description="KnownBad", risk+10, risk+0)
| eval risk=if('tag::src'="whitelisted", risk-10, risk+1)
| eval risk=if(risk<0, 1, risk+0)
| eval distance=round(distance)
| fields src, Country, Region, distance, client, user, tag::src, description, tag, risk
| search risk>0
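The risk engine of slides 31 through 33 end to end, as an added Python example (not code from the deck or from the Splunk haversine app): the user profiles, the client base location, the iplocation results and the threatlist are all constructed stand-ins, the great-circle distance is computed with the haversine formula in miles, and the scoring rules are the slide's, including the else-branch +1s and the floor at 1. The sample users, addresses and coordinates are invented.

```python
import math

# Constructed stand-ins for everything slide 31 pulls in; none of this is real data.
USER_PROFILES = [  # rows as user_Profiles.csv would hold them (slide 27)
    {"user": "alice", "client": "acme", "src": "10.1.1.5", "tag_src": "whitelisted",
     "tag": "w2", "firstTime": 1388534400, "lastTime": 1393632000,
     "weekday": {"Monday", "Tuesday"}},
    {"user": "bob", "client": "acme", "src": "203.0.113.9", "tag_src": "unknown",
     "tag": "payroll", "firstTime": 1391990400, "lastTime": 1392076800,
     "weekday": {"Saturday"}},
    {"user": "carol", "client": "acme", "src": "198.51.100.7", "tag_src": "malicious",
     "tag": "w2", "firstTime": 1391990400, "lastTime": 1392681600,
     "weekday": {"Wednesday"}},
    {"user": "dave", "client": "acme", "src": "10.1.1.5", "tag_src": "unknown",
     "tag": "benefits", "firstTime": 1391990400, "lastTime": 1392681600,
     "weekday": {"Monday"}},
]
CLIENT_GEOBASE = {"acme": (40.71, -74.01)}          # client_geoBase.csv (slide 23)
IPLOCATION = {                                       # iplocation stand-in
    "10.1.1.5": ("United States", "New York", 40.71, -74.01),
    "203.0.113.9": ("Nigeria", "Lagos", 6.45, 3.40),
    "198.51.100.7": ("United States", "Pennsylvania", 39.95, -75.17),
}
THREATLIST = {"203.0.113.9": "KnownBad"}             # threatlist lookup

EARTH_RADIUS_MI = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, the value the haversine
    command produces for latlon and latlon2 with unit=mi."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def score_profile(p):
    """Enrichment and the chained risk rules of slide 31 for one profile row."""
    country, region, lat, lon = IPLOCATION.get(p["src"], ("unknown", "unknown", None, None))
    clat, clon = CLIENT_GEOBASE[p["client"]]
    # Slide 31 rounds both coordinate pairs to two decimals before haversine.
    distance = (haversine_miles(round(clat, 2), round(clon, 2), round(lat, 2), round(lon, 2))
                if lat is not None else 0.0)
    diff = round((p["lastTime"] - p["firstTime"]) / 86400)   # days this combo has existed
    description = THREATLIST.get(p["src"])
    risk = 0
    if 0 < distance < 300:
        risk += 5                      # away from the client's base, but nearby
    if distance > 299:
        risk += 15                     # far from the client's base
    if diff < 5:
        risk += 10                     # new user/src/agent combination
    if country != "United States":
        risk += 50
    risk += 30 if p["tag_src"] == "malicious" else 1
    risk += 10 if p["weekday"] & {"Saturday", "Sunday"} else 1
    if description == "KnownBad":
        risk += 10
    risk += -10 if p["tag_src"] == "whitelisted" else 1
    if risk < 0:
        risk = 1                       # floor, as on the slide
    return {"user": p["user"], "src": p["src"], "Country": country, "Region": region,
            "distance": round(distance), "client": p["client"], "tag_src": p["tag_src"],
            "description": description, "tag": p["tag"], "risk": risk}


def risk_engine(profiles, tags=("w2", "payroll")):
    """search tag=w2 OR tag=payroll ... | search risk>0, highest risk first."""
    rows = [score_profile(p) for p in profiles if p["tag"] in tags]
    return sorted((r for r in rows if r["risk"] > 0), key=lambda r: -r["risk"])


if __name__ == "__main__":
    for r in risk_engine(USER_PROFILES):
        print(f"{r['risk']:>3} {r['user']:<6} {r['src']:<14} {r['Country']:<14} "
              f"{r['distance']:>5} mi {r['description'] or ''}")
```

Note that the slide's else branches add 1 each, so a profile row that trips none of the conditions still ends at 3, and a whitelisted row ends at 1 rather than dropping out: the final `search risk>0` filters nothing unless you change those branches to +0.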
• 34. What it Looks Like…
• 35. FDF: Scoring Review
! In its current state:
– Essentially scores the risk of the session
– Can focus score on particular event types (e.g., direct deposit, payroll)
– Does not score behavior while in the app
– Good job of detecting compromised creds
! Can easily be modified to…
– Detect transaction anomalies (e.g., wire transfers, payroll fraud)
– Incorporate Benford's law
  – http://apps.splunk.com/app/355/
– Score other risks
• 36. FDF: Other Cyber Use Cases
! Compromised creds
– FTP
– OWA
– VPN
– Custom apps
! User profiles
– Proxy logs
– Logon times
! Risk scoring
– IPS Alert + AV Hit + Failed Logon + ?
• 37. FDF: Side Story
! One compromised FTP account reported
– The client wanted to know how many other accounts were used for unauthorized access
– ~600 active FTP accounts
! Fortunately the client had a year's worth of FTP logs in Splunk
! Utilized the FDF framework to detect 14 additional accounts
• 38. Key Takeaways
! Baseline your data
! Inputlookup and outputlookup are very powerful baselining tools
! Chaining eval statements is an effective way of scoring risk
! Use every bit of information found in an individual log
! Enrich what you can
• 40.
Security office hours: 11:00 AM – 2:00 PM @Room 103 Everyday
Geek out, share ideas with Enterprise Security developers
Red Team / Blue Team - Challenge your skills and learn new tricks
Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge
Thurs: 11:00 AM – 2:00 PM
Learn, share and hack
Birds of a feather - Collaborate and brainstorm with security ninjas
Thurs: 12:00 PM – 1:00 PM @Meal Room