splunk>

Taking on Security from a Data

Analytics Point-of-View
FST Media's 7th annual ASEAN Banking Conference
Philip Sow, CISSP
SE Manager, SEA
2
Top Security Concerns from CISO

Advanced Cyber-Attacks

Malicious Insider Threats

Ransomware
Online Account Take
over
3
 Ransomware : Cybercriminals new attack of choice

http://blog.checkpoint.com/2016/04/06/ransomware-cybercriminals-new-attack-of-choice/
 Ransomware : Cybercriminals new attack of choice

http://blog.checkpoint.com/2016/04/06/ransomware-cybercriminals-new-attack-of-choice/
Advance Malware is hard to
prevent
- signature update is always not
fast enough
- On target ( phishing email )
- Cannot be found in Security Logs
 Machine data contains a definitive record
of all interactions
Human Machine

Machine Machine

Splunk is a very effective platform to collect,

store, and analyze all of that data
 Security Analytic Example
Sources
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup- User Name
00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1
,,, hacker@neverseenbefore.com , Please open this attachment with payroll information,, ,2013-08-
09T22:40:24.975Z
Email Server Rarely seen email domain

Rarely visited
2013-08-09 16:21:38web site
10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET
www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
Web Proxy User Name

User Name
08/09/2013 16:23:51.0128event_status="(0)The operation completed successfully. "pid=1300
process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe registry_type
Endpoint ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Printers
Logs Print\Providers\ John Doe-PC\Printers\{}\ NeverSeenbefore" data_type"" Rarely seen service

All three occurring within a 24-hour period

Time Range

8
8
 Critical Security, Fraud & Compliance Insights
Sources
[2013-09-04-14.45.54.608000] proc_source="B24A", tmst_target="2013-09-04-14.45.54.724000", serv_id="ISS",
Card ID Amount
proc_input="MAST", proc_target="B24H", interface_acq="BNET_1", interface_iss="02008", cod_msg="1110",
oper_rrn="090448764439", card_id="526430VS350Y2992", oper_amount="000000008000", oper_
Merchant oper_country="380",
currency="978", ID term_id="00599307", circuito="", sett_merc="4722", bin_acq="002111",
id_merc="329017246168", prcode="003000", action_code="000", approval_code ="H8H766", oper_
Client ID auth_rout_dst="INTFHI93", auth_
mod_input="1", channel="O", flag_dupl="Y", flag_onus="N",
Card Payment
System rout_id="HISO_AUTH", msg_subst="", ndg="0000000078507391", station_acq="STA-BNET-MI1", acceptor =
TRAWEL SPA\\MILANO\ 380", tmst_ins="2013-09-04-14.48.56.277466", lpar="B"

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET HTTP/1.1 0 "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; www.neverbeenseenbefore.com InfoPath.1; MS-
Source IP
RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
Referring URL
Web Proxy

20130806041221.000000 Caption=ACME-2975EB\JohnDoe Description=User account Built-in account for

administering the computer/domainDo\n=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
User Name
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Source IP
Authentication
Status=Degradedwmi_ type=UserAccounts

9
9
 Find Advanced, Hidden Threats
Step 1 Collect ALL the data in one location

Step 2 Baseline/identify normal activity

Step 3 Find outliers/anomalies

Abnormal patterns/correlations within normal activities
What is rarely seen or standard deviations off the norm
What is different/new/changed
Helpful Splunk search commands using math/stats
include: stddev, outlier, count, rare, top, stats, cluster,
transaction, predict
10
 Advance Threat Detection example : URL Length Analysis
Compare each URL Investigate long URLs
statistically to where no referrer
identify outliers exists

See how many assets

are talking to the URL

Look for long URLs that

may include embedded
C&C instructions

11
A lot of web-based attack are using VERY long URL
Mean URL length for 128 Byte looks
Normal

But for Max URL length for 9KB size, it

looks suspicious.

We found a lot of LONG URLs which is

trying to access the external site :
http://103.7.28.187/pingd?type-1&dm=
www.discouss.com.hk

After verified with

http://urlquery.net/report.php?id=2182484,
they are Tencent QQ/wechat
Message. The long http packages are encrypted
SMS.

12
 Six Windows Events to monitor
Win ID What Impact to Security Activity detected
4688/592 New Process executed Malware executed or New programs installed by
malware actor trying to attacker (not by user)
take action
4624/528 /540 Some account logged in Attacker authenticated to What accounts did and what
the endpoint accounts at what times are
normal?
5140/560 A share was accessed What endpoints were C$ share or File share
accessed accessed
5156 Windows Firewall Network Command and Control or What application was used to
connection by process origin of attack communicate with external
or internal IP
7045/601 Service added to the endpoint Persistence to load malware Service added or modified
on restart
4663/567 File & Registry auditing Modifications to the system Files added and Registry Keys
that create holes or payloads added to audited locations
used at a later time
 Detect CryptoLocker Type attack
View of a typical CryptoLocker
events.
EventID4663 = file
deleted/write success

sourcetype="WinEventLog:Security" AND EventCode=4663 | stats count by src_ip

you can see the events and setup alerts to trigger when a threshold outside the norm of your users is reached. E.g.
"> 250 events per hour"

sourcetype="WinEventLog:Security" AND EventCode=4663 | stats count by src_ip

| where count > 250

http://hackerhurricane.blogspot.hk/2014/01/how-to-detect-cryptolocker-type-attack.html

14
Sample Use Cases of Security Analytics Detection
Data Attack
What to Look For Why
Source Phase
On single endpoint: Rarely seen inbound email Spear-phishing attack. Malicious link in Mail/ Web/ Infiltration
domain, then visit to rarely seen web site, then email leads to malware being installed. OS / Back
rarely seen service starts Door
Account creation without corresponding IT help Hacker is creating new admin accounts AD/ Help Recon
desk ticket Desk logs

For single employee: Badges in at one location, Stolen credentials Badge/ Data
then logs in countries away VPN/ Auth gathering
Employee makes standard deviations more data Gathering confidential data for theft OS Data
requests from file server with confidential data gathering
than normal
Standard deviations larger traffic flows (incl DNS) Hacker exfiltrating info NetFlow Exfiltration
from a host to a given IP

15
 Security Analytics Needs >
What are some of the technical challenges in managing data?

Ability to process Ability to process Ability to analyze

large volumes of transactions in complex patterns
transactional data real-time for of transactions and
for long period of detection of fraud be able to profile
time. user objects
18
 Internal Threat Intelligence
Context for Security

Directory user information Application usage &

(personal e-mail, access, user
privilege)
Proxy information (content)
DLP & business unit risk (trade
secrets / IP)
Case history / ticket tracking
Malware / AV
HR / business role
consumption (in-house)
Database usage / access
monitoring (privileged)
Entitlements / access outliers
(in-house)
User association based on
geography, frequency,
uniqueness, and privilege

19
Threat Data from Mandiant APT1

20
 New Paradigm for Threat intelligence
Needs to be live and real-time
Needs to be current Many services provide information thats days old
Needs to provide risk scoring for prioritization
Correlates among commercial/public threat feeding

21
 Splunk + Threat Intelligence Framework
Predictive Custom
analytics Alert dashboard
DNS
SIEM Incident
dashboard
Firewall

Web Forwarder
merge

App Open Source Threat

Intelligence
Custom Threat List
Internet
Mail
Paid Threat
Internal Threat DB Intelligence

22
 Real time Threat Intelligence Correlation:
Threat List Activity Dashboard

Most active threat

lists
Most active IPs
across all threat lists
Threat list activities
over time
Threat list activity
detail (not shown)

23
Customer Case: Client running P2P ( BT bit torrent )
Client IP : 172.26.228.230
Time : 18:10 5/3/14

Threats :
Accessing following Bad IP

- Tor (anonymous proxy)

- Piratebay (BT host)
- Blocked IP site
- Known spyware site

Verified with PC configuration

and this PC has installed the
BT client software.

24
 Answers to When, What, Where = Visibilty

Databases Email Web Desktops Servers DHCP/ DNS Network

Flows
Traditional SIEM
Custom
Hypervisor Badges Firewall Authentication Vulnerability Apps Service
Scans Desk

Storage Intrusion Data Loss Anti- Industrial Call

Mobile
Detection Prevention Malware Control Records
 Data Security Consideration
Minimise Risk Compliance &
Risk to Data Data Breach
of Data Policy

Security Legal
Data Theft SOP
Control Requirements

Insecure Data Disposal Industry Communication

Practices Guidelines
 Splunk Solutions
Across Data Sources, Use Cases and Consumption Models
Splunk Premium Solutions Ecosystem of Apps

ITSI UBA

Security IT Svc Int VMware Exchange PCI UBA

Platform for Machine Data

IoT Network Hadoop Relational Mainframe

Forwarders Syslog/TCP Mobile
Devices Wire Data & NoSQL Databases Data

27
 Splunk Enterprise Security
Gartner SIEM Magic Quadrant*

Completeness of
2016: LEADER Vision Leader

2015: Leader
2014: Leader
2013: Leader

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in
its research publication and not advise technology users to select only those vendors with the highest ratings or other
designation. Gartner research publications consist of the opinions of Gartners research organization and should not
be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research,
including any warranties of merchantability or fitness for a particular purpose.

28 28
 Splunk for Security

DETECTION OF DETECTION OF INVESTIGATION OPTIMIZED SECURITY &

INSIDER THREATS CYBERATTACKS OF THREATS AND INCIDENT COMPLIANCE
INCIDENTS RESPONSE AND REPORTING
BREACH ANALYSIS
splunk>
Thank you