4. Transforming Security
Alert Based

Timestamp    | Monitor / Event              | Result
08.07.2015 … | SMTP 465 @ smtp.gmail …      | Can not connect to port
08.07.2015 … | POP 110 @ pop.gmail.co …     | Can not connect to port
08.07.2015 … | IMAP 143 @ imap.gmail. …     | Can not connect to port
08.07.2015 … | Check DNS (53) @ Code …      | Success
08.07.2015 … | Ping my new device @ M …     | Average roundtrip time is …
08.07.2015 … | Physical memory usage l …    | Used physical memory p …
5. Transforming Security
Attack Based
(Same monitor table as slide 4.)
22. Splunk for Enterprise Security
Optimize your SOC Team and Augment/Replace your SIEM
- Risk-Based Analytics
- Incident Investigation & Response
- Enrich Security Analysis with Threat Intelligence
Hello! And welcome to SplunkLive – Stockholm 2016.
I am…..
I look after security markets for EMEA.
As some of you know, we had our global customer conference last week in Orlando (.conf2016): 200 breakout sessions, 60 sponsors and partners, multiple product releases, significant new security advancements and use cases.
We had many security customers come together and hear about:
- the changing trends in the security market (with a focus on what we see in EMEA)
- the vision for the Splunk security products and partnerships that is driving our customers' security capabilities forward
I want to share both of these with you today!
We are in an exciting and blessed age of change.
Digital transformation is changing every aspect of our lives – personal, business and leisure: smart cities, drones (GoPro Karma vs Mavic Pro), connected cars, fitness IoT, business digitization (deep learning, big data for connected cars).
Digital transformation is driving new needs for security!
I am lucky: I get to meet and talk with Splunk customers all around EMEA who are living this change in their daily business lives:
[3 examples from my role]
1. Business insights [Gatwick/WP use case – do not name]
2. Manufacturing companies who are embracing IoT and cloud to differentiate [Bosch use case but do not name]
3. Those building a CDC/SOC [Travis Perkins / Rolls-Royce / William Hill – do not use the William Hill name]
This transformation is creating a vast digital or data imprint of society, encoding our DNA. This imprint provides valuable insights but also gives adversaries and threat actors fertile ground to operate in a growing dark economy.
Data Facts: http://www.forbes.com/sites/bernardmarr/2015/09/30/big-data-20-mind-boggling-facts-everyone-must-read/#6786d2d36c1d
4.4 zettabytes today, 44 zettabytes by 2020 (more bytes on earth than visible stars in the sky)
By 2020, a third of all data will pass through the cloud
Only 0.5% of all data is ever analysed!
Within 5 years, there will be 50 billion connected devices
Retailers could increase operating margins by 60% by leveraging big data
More: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html
[Next Slide]
Gatwick Airport: http://blogs.splunk.com/tag/gatwick/
At Splunk .conf2015, Joe Hardstaff, Business Systems Architect at Gatwick Airport, spoke about the challenges his organization faced as an airport, trying to compete with other local airports with more runways. To give us background on the size of Gatwick Airport, he shared the following stats (you can share them too):
Gatwick is the busiest single-runway airport in the world hosting 925 flights per day
By 2016, the airport will have serviced 40 million passengers
52 airlines flying to 200 locations in 90 countries (more destinations than any other UK airport)
Hardstaff explained that to set themselves apart, his colleagues developed an on-time efficiency solution for Gatwick to allow for an increased number of slots/flights per hour.
However, the problem Gatwick still faced was monitoring the IT architecture and processes behind it, specifically:
Radar – Zoned, Finals, Landed
Flight Information Displays
Resource on Stand
Stand Entry Guidance System
Fixed Electrical Ground Power
Steps & Air-bridge Attached
Service Vehicles Geo Tag & Fence
Baggage Reconciliation System
People Counting System
Electronic Flight Progress Strips
Airport Operational Database – Flight Status
Gatwick implemented Splunk Cloud in July 2014. In doing so, Hardstaff’s team realized that combining ops data in Splunk Cloud gave them the agility and scalability they needed while providing insight into airport performance.
Travis Perkins & Rolls Royce:
This week we attended the Gartner Security & Risk Management Summit in London. IT security managers from across Europe came together to network, exchange information about the latest cyber security strategies and understand Gartner's perspective on the market.
As every industry continues to focus on digital transformation and move services online, security has become an even greater organizational priority. Organizations that customers trust and are confident in using will be clear winners in the long term. For many organizations IT-related risk has become a major part of the corporate risk assessment that the board of directors has to review regularly.
As a result, many organizations have identified the need to build up Security Operations Centers (SOCs) or Computer Emergency Response Teams (CERTs) to act as the nerve center for any digital incident. The focus for such teams is not just on protecting internal company IT systems but also on protecting the digital services and products involved in the core business. One key to the success of a SOC or CERT is establishing a big data and analytics platform where the team can get insight into what's going on, correlating and processing threat intelligence in real time. It is also used as a "Time Machine" to go back into historical data and assess whether any threat information they have just received could have affected the organisation previously. This helps teams to understand the where and how of security incidents and further improve their resilience against cyber attacks.
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC' from Splunk
At the Gartner Security & Risk Management Summit, Nick Bleech, the CISO at Travis Perkins Group and the former CISO at Rolls-Royce, shared insights into how the group has moved from an on-premise legacy SOC to a lean cloud-based SOC, detailing how they work to protect the organisation through the adoption of Splunk's data-driven approach. Travis Perkins operates in a complex IT environment with a mixture of on-premise systems steadily being replaced by cloud services. The organisation needs secure and flexible technology that can adapt to support the business, with Splunk helping to identify incidents, lead data investigations and support compliance. During its deployment Travis Perkins has learnt many lessons, including how to define the roles and processes within its IT Operations Services Team.
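The "Time Machine" use of the platform described above (new threat intelligence arrives, and the question is whether it would have hit us in the past) is easy to state but worth seeing as working logic. The block below is an added example, not Splunk's or Travis Perkins' code: it sweeps a small set of constructed historical proxy/DNS log lines (hypothetical format "timestamp user host destination type") against a constructed indicator feed, and reports per host when the first and last contact happened, which users were involved and how long the gap was. The indicators (a .example domain and TEST-NET addresses) are placeholders, not real campaign infrastructure.

```python
"""Retrospective ("Time Machine") sweep of historical logs for newly received IOCs.

Added example; not Splunk, Travis Perkins or Rolls-Royce code. Log format,
indicators and hosts are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log lines: "timestamp user host destination type".
HISTORICAL_LOGS = """\
2015-10-02T08:14:11Z alice ws-0142 update.microsoft.com dns
2015-10-02T09:05:40Z bob ws-0077 invoice-telia-se.example dns
2015-10-02T09:05:42Z bob ws-0077 203.0.113.45 proxy
2015-10-14T17:22:03Z carol ws-0210 203.0.113.45 proxy
2015-11-01T11:00:00Z dave ws-0301 cdn.example.net proxy
2015-11-20T23:48:19Z bob ws-0077 198.51.100.9 proxy
"""

# Constructed threat-intel feed received today: indicator -> (type, campaign name).
NEW_IOCS = {
    "invoice-telia-se.example": ("domain", "TorrentLocker-Telia"),
    "203.0.113.45": ("ip", "TorrentLocker-Telia"),
    "198.51.100.9": ("ip", "TorrentLocker-Telia-C2"),
}


def parse_log_line(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, host, dst, kind = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "host": host, "dst": dst, "kind": kind}


def _new_host_summary():
    return {"first_seen": None, "last_seen": None, "hits": 0,
            "indicators": set(), "users": set(), "campaigns": set()}


def retrospective_sweep(log_text, iocs):
    """Match every historical event against the IOC set and summarise per host.

    Returns {host: summary} so an analyst sees which machines contacted the
    indicators before the intelligence existed, and over what period.
    """
    summary = defaultdict(_new_host_summary)
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev["dst"] not in iocs:
            continue
        h = summary[ev["host"]]
        h["hits"] += 1
        h["indicators"].add(ev["dst"])
        h["users"].add(ev["user"])
        h["campaigns"].add(iocs[ev["dst"]][1])
        if h["first_seen"] is None or ev["ts"] < h["first_seen"]:
            h["first_seen"] = ev["ts"]
        if h["last_seen"] is None or ev["ts"] > h["last_seen"]:
            h["last_seen"] = ev["ts"]
    return dict(summary)


def dwell_time_days(summary):
    """Whole days between first and last IOC contact per host: the cost of the intel gap."""
    return {host: (s["last_seen"] - s["first_seen"]).days for host, s in summary.items()}


if __name__ == "__main__":
    hits = retrospective_sweep(HISTORICAL_LOGS, NEW_IOCS)
    for host, s in sorted(hits.items()):
        print(host, s["first_seen"].date(), s["last_seen"].date(),
              s["hits"], sorted(s["indicators"]), sorted(s["campaigns"]))
    print(dwell_time_days(hits))
```

The useful output is not the match itself but the per-host first/last contact and the campaign grouping: ws-0077 touched the lure domain, the download host and later the C2 address over seven weeks, which is an incident to open, while ws-0210 made a single contact that needs a look but no more.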
We are faced with new security challenges every day.
In the last few weeks we saw the largest DDoS attacks in history: OVH and Krebs. OVH saw 1 Tbps from over 150K smart devices! (Krebs was 620 Gbps.)
- The Nordics are not immune. We have seen significant cyber attacks in the Nordics:
1. Russia blamed for crashing Swedish air traffic control to test electronic warfare capabilities – domestic air travel was grounded for days (4-9 November 2015). It became public news in April this year and was even escalated to NATO.
2. Ransomware targets millions by spoofing the Nordic telco Telia – attackers tried to phish the Telia customer base and load ransomware (the same happened with IKEA and Post Denmark).
As security professionals, we have a mandate to protect and defend.
But… we also must transform and adapt as our business and personal lives alter through digital transformation. We must think differently, augment humans and dare to imagine what we can achieve.
[Next slide]
Reference 1: http://www.ibtimes.co.uk/russia-blamed-bringing-down-swedish-air-traffic-control-test-electronic-warfare-capabilities-1554895
Reference 2: http://www.infosecurity-magazine.com/news/ransomware-targets-millions-by/
Swedish Air traffic:
Sources in the Swedish government have blamed Russian intelligence for causing a major cyberattack on Sweden's air traffic control system that lasted for at least five days in November 2015, allegedly due to Russia testing out its electronic warfare capabilities.
Between 4-9 November 2015, hundreds of domestic and international flights were grounded at multiple airports across Sweden due to its air traffic control system going offline. The attack caused the radar systems to stop working, which made the computer screens go blank. This meant that air traffic controllers were unable to see any aircraft on their screens at all.
The source says that Swedish authorities were particularly concerned that Vattenfall, the Swedish state-owned power company, would be targeted by Russian hackers. As Vattenfall is one of the largest energy providers in Europe and owns several nuclear power plants in both Sweden and Germany, the potential damage from a cyberattack could have been astronomical.
The source also says that at the same time that Sweden issued its warning to neighbouring Nato countries, Nato independently detected that Russia had instigated electronic warfare activity in the Baltic Sea region that was jamming air traffic communication channels. Nato traced the signals and they led to a large radio tower in the Russian enclave of Kaliningrad, to the south of Lithuania.
In October 2015, a month before the cyberattack on Sweden's air traffic control systems, a leading electronic warfare expert reported that Russia was using electronic warfare to both jam Islamic State (Isis) communications in Syria, as well as to mask its military activities from Nato.
The Swedish Civil Aviation Administration is still investigating the true cause of the air traffic control system outage, but is not yet ready to release results from its analysis of the data gathered during the attack. Nato and the Swedish Armed Forces have both said they cannot comment on the issue.
Ransomware Spoofs hit Telia:
A new ransomware campaign is being mounted by cyber-criminals impersonating Telia, the Nordic telecom giant with operations in Europe and Asia.
Telia has hundreds of millions of customers who could all become targets for the attack, which, according to Heimdal Security, is a highly targeted campaign using a mix of attack vectors.
Victims are first baited with a link to an invoice which appears to come from Telia, a trusted telecom company. The primary target for the attack is Sweden, but additional campaigns may follow, replicating the same model.
Once the victim triggers the infection, the attack unfolds. When the victim clicks the link, he/she will be redirected to the webpage where a Captcha code is displayed. When the victim fills out the code, the TorrentLocker payload will be downloaded.
“The Torrentlocker family is well known for its highly targeted spam email campaigns,” said Heimdal Security researcher Andra Zaharia, in an analysis. “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.”
Interestingly, the payload is only downloaded if the victim's IP is from Sweden. If an IP from another country is used, the victim will be redirected to Google. (The same geofence means a sandbox or analyst outside Sweden will only ever see the harmless redirect, so detection has to rest on the lure and on endpoint behaviour rather than on the payload download.)
The moment the malicious code is run, it will connect to a central C&C server and register the infected computer and the data harvested from it, which includes certificates from the infected device. Available contact details on the device will also be collected and sent to the aforementioned C&C server, most likely to be used in future spam campaigns.
The next step is for TorrentLocker to encrypt all the data files available on the local drive and on connected network drives, if there are any. Victims are extorted to pay approximately 1.15 Bitcoins, which is worth around 4099 SEK (441 EUR). There’s a time limit for the payment, which, if surpassed, will double the ransom value.
“We can’t emphasize this enough: a backup is the best protection for your data in case of a ransomware attack,” said Zaharia. “Actually, you should have multiple backups. We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cybersecurity education and proactive protection.”
She added, "Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We've seen it happen with IKEA and especially Post Denmark and PostNord. And we've seen it not once, not twice, but tens of times in the past year alone."
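The last stage of the chain described above, encrypting every data file on the local drive and on connected network drives, is the stage a SOC can detect generically, whatever the lure or the geofence in front of it. The block below is an added example, not Heimdal Security's or Splunk's code, and not a TorrentLocker signature: it runs a sliding-window burst detector over constructed file-server audit lines (hypothetical format "timestamp user host share action path"), alerts when one user on one host renames or writes an unusual number of files to a ransomware-style extension inside sixty seconds, and raises the severity when the burst reaches a network share, since that is where one infected workstation becomes a company-wide incident. The ".encrypted" extension and the thresholds are illustrative choices, not facts about the campaign.

```python
"""Sliding-window detector for a ransomware encryption burst in file audit logs.

Added example; not vendor code and not a signature for any specific family.
Audit line format, extensions and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # how far back a burst is counted
THRESHOLD = 10                      # suspicious events per user+host inside the window
ENCRYPTED_EXT = re.compile(r"\.(encrypted|locked|crypt)$", re.IGNORECASE)

T0 = datetime(2016, 10, 3, 10, 0, 0)


def _burst(user, host, share, n, start):
    """Build n constructed RENAME events two seconds apart on one share."""
    return [f"{(start + timedelta(seconds=2 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
            f"{user} {host} {share} RENAME doc{i}.docx->doc{i}.docx.encrypted"
            for i in range(n)]


# Constructed audit events: two benign lines from alice, then bob's workstation
# encrypting local files and, twelve seconds later, a finance share.
AUDIT_EVENTS = (
    ["2016-10-03T09:58:00Z alice ws-0142 \\\\fs01\\hr WRITE reviews.xlsx",
     "2016-10-03T09:59:10Z alice ws-0142 \\\\fs01\\hr RENAME old.docx->old_v2.docx"]
    + _burst("bob", "ws-0077", "C:", 6, T0)
    + _burst("bob", "ws-0077", "\\\\fs01\\finance", 8, T0 + timedelta(seconds=12))
)


def parse_audit_line(line):
    ts, user, host, share, action, path = line.split(maxsplit=5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "host": host, "share": share, "action": action, "path": path}


def is_suspicious(ev):
    """A write or rename whose resulting name carries a ransomware-style extension."""
    return ev["action"] in ("RENAME", "WRITE") and ENCRYPTED_EXT.search(ev["path"]) is not None


def detect_encryption_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) whose suspicious events exceed threshold in window."""
    alerts = []
    recent = defaultdict(deque)     # (user, host) -> suspicious events still inside the window
    alerted = set()
    for ev in sorted((parse_audit_line(l) for l in lines), key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            shares = sorted({e["share"] for e in q})
            # UNC paths mean the burst has reached a network share: escalate.
            severity = "critical" if any(s.startswith("\\\\") for s in shares) else "high"
            alerts.append({"user": ev["user"], "host": ev["host"], "first": q[0]["ts"],
                           "count": len(q), "shares": shares, "severity": severity})
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect_encryption_bursts(AUDIT_EVENTS):
        print(a["severity"], a["user"], a["host"], a["count"], a["shares"], a["first"])
```

Alice's ordinary rename never counts because the resulting name has a normal extension; bob trips the threshold on his tenth suspicious event, and because four of those were on \\fs01\finance the alert is already "critical" when it fires. In a real deployment the interesting tuning is the window and threshold against a baseline of legitimate bulk renames (backup jobs, migrations), which is exactly the context an alert-by-alert view lacks.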
DDoS Attacks: https://fossbytes.com/1tbps-worlds-largest-ddos-attack-launched-152000-hacked-iot-devices/
[Short Bytes]: Hosting provider OVH has witnessed the world's largest DDoS attack. This attack of 1 Tbps intensity was launched by a botnet of 152,463 smart devices. The same network was also responsible for the recent DDoS assault on the security publication Krebs On Security. Sadly, more than 15k new cameras have joined the attack on OVH in the last 48 hours.
It looks like we have a new record for the biggest DDoS attack ever seen. This time, the attack has managed to touch the magical 1 Tbps mark. The attack hit the hosting provider OVH last week. OVH founder and CTO Octave Klaba shared a screenshot of the multiple sources of the ongoing attack.
Klaba's posts reveal that OVH's website was flooded with a massive torrent of traffic on September 20. He claims that more than 25 colossal DDoS attacks hit the company in 48 hours.
Klaba has also added that the attack came from a network of 152,463 hacked low-powered cameras and smart devices. The overall attack capacity of the botnet is estimated at 1.5 Tbps.
The same botnet network also crippled the security publication Krebs On Security with an intensity of 620Gbps. Eventually, Krebs got help from Google’s Project Shield to protect the website. Krebs took this step after Akamai withdrew its expensive support, saying that the DDoS was “nearly double the size of the largest attack they’d seen previously.”
The current situation of OVH isn’t good. Recently, Klaba tweeted that some new IoT devices have participated in the DDoS attack.
1. So we need to transform and adapt:
From alert-based security to context-based security
[Next slide]
Additional notes:
Alert fatigue (like the Target breach)
Knowing what is important to our business (i.e. the Target breach issue)
2. So we need to transform and adapt:
From human-authored rules to combined human and machine learning approaches
[Next slide]
Additional comments:
Significant global lack of security professionals
But we still need a "human break" in the loop – automated financial trading platforms still need human oversight
3. So we need to transform and adapt:
From simply monitoring for security operations to becoming a security command center (one that provides automated, contextual intelligence through combined human and machine learning for security)
[Next slide]
Additional comments:
Knowing is not enough (a check-box approach to security)
Need contextual information – digestible, timely, relevant, appropriate
Our Vision:
Allow you to build and operate the next-generation security command or nerve center, regardless of your maturity, that deals with the legacy challenges and gives you the flexibility to operate in our rapidly changing digital world.
Focus on:
Break down all legacy silos
Support flexibility and innovation (consume how you will; change and update use cases as the threat landscape changes)
Automate and support the human analyst
Provide context
Key: get to the "why" and "what is coming next"
To do this, we are:
Building from our core platform for operational intelligence
Providing solutions to power critical security use cases while staying true to our vision, with advanced new capabilities:
(Automation) Adaptive response capabilities
(Machine learning) Machine learning security capabilities
(Breaking down silos) Building the nerve center
Post Finance is nice: https://www.splunk.com/en_us/resources/video.9oMGI5MzE6pX2zLFOsqUYEiwVRjcJBVm.html
[2.48mins, Swiss]
Enterprise Security 4.5: Released October 31st
What is ES (for those of you who don't know)?
A security analytics platform to augment your SOC capability or replace your legacy SIEM. It lets you:
Contextualize, prioritize & visualize to find threats fast
Enable rapid threat hunting/relationship discovery
Risk-Based Analytics
Enrich security analysis with threat intelligence
New Features:
Adaptive Response
Enhanced Visual Analytics
Improved threat detection/UBA integration
Adaptive Response:
Splunk Adaptive Response helps extend security architecture beyond legacy preventative technologies and event-based monitoring to connected intelligence for security operations. This provides full visibility and responsiveness across the entire security ecosystem.
By combining alert and threat information from multiple security domains and technologies for collective insight, Adaptive Response enables better-informed human-assisted and automated decisions across the entire kill chain, both when validating threats and when applying analytics-driven response directives to a security environment.
Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times
Improve operational efficiency using workflow-based context with automated and human-assisted decisions
Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
Use UI wizards and dashboards to specify the nature of actions, categorize actions, and receive feedback on the status and results of actions across a wide range of entities
Gain a holistic view across all security relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more
Detect, investigate and respond by overcoming silos
ES Glass Tables: (making security digestible for non-security stakeholders => security gold dust)
Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view
Improve response times with nested views to display what’s important or relevant
Optimize workflow with drill-down to the supporting criteria of the metric
Custom visualizations that reflect workflows, topology, and detect/investigate/respond sequences, with dashboards, summary views and relevant context to suit your needs
Improved Threat Detection/Response & UBA Integration:
Use the correlation search builder to configure and automate responses and attach their results to notable events
In incident review, configure and execute responses and queries across the security ecosystem
Use the audit dashboard to search and review responses taken and their results
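The Adaptive Response bullets above describe three things a practitioner will want to see fit together: an automated decision for the cases that are safe to automate, a human-assisted decision for the rest (the "human break" from the transformation slides), and an audit trail that can be searched per entity afterwards. The block below is an added example, not Splunk Enterprise Security or Adaptive Response code: it models a policy-gated dispatcher over constructed, already-scored notables, with two actions that operate on in-memory stand-ins for a firewall blocklist and a directory (real APIs would sit behind those two functions). The thresholds, the reversible/irreversible flag and the criticality cut-off are hypothetical policy inputs.

```python
"""Policy-gated response dispatch: automate the safe actions, keep a human in the loop for the rest.

Added example; not Splunk ES / Adaptive Response code. Notable fields, the action
catalogue and the in-memory "ecosystem" state are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Stand-ins for the firewall and identity systems a real action would call (constructed).
FIREWALL_BLOCKLIST = set()
DISABLED_ACCOUNTS = set()


def block_ip(notable):
    """Reversible network containment: add the destination to the egress blocklist."""
    FIREWALL_BLOCKLIST.add(notable["dst"])
    return f"blocked {notable['dst']}"


def disable_user(notable):
    """Disruptive for the user: lock the account, so an analyst must confirm."""
    DISABLED_ACCOUNTS.add(notable["user"])
    return f"disabled {notable['user']}"


# Action catalogue: name -> (callable, safe to run without a human).
ACTIONS = {"block_ip": (block_ip, True), "disable_user": (disable_user, False)}


@dataclass
class ResponseDispatcher:
    auto_threshold: float = 60.0   # risk score at or above which automation is allowed
    critical_asset: int = 3        # assets at or above this criticality always need an analyst
    audit: List[dict] = field(default_factory=list)
    pending: Dict[str, dict] = field(default_factory=dict)

    def _record(self, notable, action, mode, actor, result):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "notable": notable["id"],
                 "entity": notable["host"], "action": action, "mode": mode,
                 "actor": actor, "result": result}
        self.audit.append(entry)
        return entry

    def dispatch(self, notable, action):
        """Run automatically only if risk is high, the action is reversible and the
        asset is not critical; otherwise queue the action for an analyst."""
        fn, reversible = ACTIONS[action]
        automatic = (notable["risk"] >= self.auto_threshold and reversible
                     and notable["criticality"] < self.critical_asset)
        if automatic:
            return self._record(notable, action, "automatic", "ES", fn(notable))
        self.pending[notable["id"]] = {"notable": notable, "action": action}
        return self._record(notable, action, "queued", "ES", "awaiting analyst approval")

    def approve(self, notable_id, analyst):
        item = self.pending.pop(notable_id)
        fn, _ = ACTIONS[item["action"]]
        return self._record(item["notable"], item["action"], "human-assisted",
                            analyst, fn(item["notable"]))

    def reject(self, notable_id, analyst, reason):
        item = self.pending.pop(notable_id)
        return self._record(item["notable"], item["action"], "rejected", analyst, reason)

    def responses_for(self, entity):
        """What an audit view would show: every response decision taken for one entity."""
        return [e for e in self.audit if e["entity"] == entity]


# Constructed notables, already scored (e.g. by a risk-based correlation search).
NOTABLES = [
    {"id": "n1", "host": "ws-0077", "user": "bob", "dst": "198.51.100.9", "risk": 85, "criticality": 1},
    {"id": "n2", "host": "ws-0077", "user": "bob", "dst": "198.51.100.9", "risk": 85, "criticality": 1},
    {"id": "n3", "host": "mail-01", "user": "svc-mail", "dst": "203.0.113.45", "risk": 90, "criticality": 3},
]

if __name__ == "__main__":
    d = ResponseDispatcher()
    print(d.dispatch(NOTABLES[0], "block_ip")["mode"])       # automatic
    print(d.dispatch(NOTABLES[1], "disable_user")["mode"])   # queued: not reversible
    print(d.dispatch(NOTABLES[2], "block_ip")["mode"])       # queued: critical asset
    print(d.approve("n2", "analyst@soc")["mode"])            # human-assisted
    print(len(d.responses_for("ws-0077")))                  # 3 audit entries
```

Two design points carry the weight here: the gate is a conjunction (high risk alone never authorises an irreversible action or an action against a critical asset), and every path, including rejection, writes the same audit record, so the per-entity view is complete rather than only listing the actions that ran.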