Wipro Customer Presentation

- 1. Copyright © 2015 Splunk Inc.
Splunk for Security: Background & Customer Case Study

- 3. Agenda
Background
Why Splunk for Security
Customer Case Study
• Build out and architecture
• Phased approach
• Hybrid Cloud/on-premise solution
Example Security Use Cases
Roadmap & Key Takeaways

- 4. Wipro Overview
• Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company
• 158,000+ employees in 175+ cities across 6 continents
• Revenues of $7.5 billion for the financial year ended March 31, 2015
• Wipro uses and supports Splunk in many areas for our customers, including:
  • transaction analysis
  • fraud detection
  • business & IT operations monitoring
  • process improvement
  • information security

- 5. Speaker Bio
• Saurabh Gulati: Program Director, Enterprise Security Solutions, Wipro
  – Discovered Splunk about 2 years ago
• Andrew Gerber: Architect & Consultant, Enterprise Security Solutions, Wipro
  – Discovered Splunk about 4 years ago
• Our mission is to help our customers manage their security requirements efficiently and effectively, and to provide meaningful and measurable benefits while improving their security posture.

- 6. Why Splunk for Security
Customer challenges:
• Slow SIEM platform
• Limited capabilities and limited customization options
• Data source integration and parsing challenges
• Lots of effort to create workarounds instead of creating new capabilities
Key reasons we often see Splunk selected for Security use cases over other SIEM tools:
• Great user interface and straightforward/flexible SPL
• Fast results
• Ability to scale flexibly and affordably
• Rapid value realization
• Late-binding schema
• API and extensibility
• Higher ROI potential with a competitive TCO

- 7. Customer Story - Situation
SIEM platform deployed for several years
Performance was limiting (could take days to search hours' worth of data)
Vendor announced End of Life/End of Support for SIEM platform
Gap Analysis of SIEM Platform
Difficulty to gain insight… limited by supported functions (COUNT, AVG, MIN, MAX, …)
Creation of content required in-depth knowledge about data sources and vendor parsing schema
Limited datacenter capacity to scale the existing platform

- 8. Splunk – Phase 1
Hybrid POC/Pilot over only 12 weeks!
Partnered with Splunk PS
200GB/day On-Premise Deployment, growing to 400GB/day
Identified key security data sources to integrate
Initial Content Development
Dashboards & Demos for stakeholders at all levels, including Executives

- 9. Splunk – Phase 1 Architecture
• Handled 200GB/day & 10 users comfortably
• Grew to 400GB/day while still providing sufficient performance
• >300 Universal Forwarder instances deployed
Architecture diagram components: On-Premise; Cluster Master; Deployment Server; 300+ Forwarders; Syslog-NG; NAS

- 10. Splunk – Phase 1 Results
Speed
• Searching performance – went from days to seconds to get results
• Integrating data sources – ingest first, parse later as needed
• Creating searches/dashboards – powerful and straightforward, fast to create
Power
• SPL, stats, subsearches, graphical reporting, mapping, API, Apps
Use cases transformed
• Went from listing top machines by # of malware detection alerts to mapping out trends and identifying effective points of intervention/remediation
• Went from seeing a list of failed VPN login attempts by user to mapping VPN authentication activity and identifying anomalous activity for further investigation
Ability to demo dashboards all the way up to executive leadership

- 11. Scaling successfully: Enter Splunk Cloud
Dynamic business context
• Rapid pace of acquisitions
• Datacenter transformation project underway
• Cloud strategy evolving
Flexibility of Splunk Cloud was key
• Availability, capacity, retention, scalability
Safeguards & security – beyond the basics
• Extensive review with Splunk and customer Enterprise Architecture & Security teams
• Audited Security: Splunk SOC 2 Type 1 & 2 in addition to AWS controls & attestations
• Flexibility to specify geographic restrictions on where data travels/resides
• Ability to configure encryption on data at rest
• Hybrid search heads – can have indexes reside entirely on-prem as needed, on-prem search heads can search cloud

- 12. Splunk – Phase 2 (in progress)
Added capacity: 500GB/day Splunk Cloud + 200GB/day on-premise
Increasing data source variety, adding apps and integrations (e.g. Remedy for ticketing)
Accommodate data center capacity constraints (transformation project underway)
Add and integrate users across business units
Create processes around security monitoring and SOC operations
Deploying Splunk App for Enterprise Security +

- 13. Splunk Phase 2 Architecture
Architecture diagram components: On-Premise; AWS; Cluster Master; Deployment Server; 500+ Forwarders; Syslog-NG; ~30%; NAS; S3

- 14. Example Use Cases
Use Case 1 - VPN Activity Profiling
• Detect inappropriate or malicious remote access
• Profiling of employees, contractors, vendors, and other insiders
Use Case 2 – Malware Analysis
• Detect new signatures & hashes seen
• Enhance information with threat intelligence
• Profile activity by host and user
• Monitor time to resolution
Use Case 3 – Off-Network Jumping
• Detect attempted and actual bypass of network controls
• Detect network jumping and off-network activity

- 15. Use Case: VPN Activity Profiling
• Find abnormal usage patterns in remote access
  – VPN access with valid credentials used in major attacks, including recent healthcare industry breach
• Profile remote usage by employees, contractors, vendors, and other insiders
• Look for:
  – Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
  – Identify potentially compromised credentials
• Key points to look for:
  – Increase in login frequency
  – Odd times/locations
  – Improbable travel distance between logins or login attempts (velocity requirements between consecutive geographical login locations too high)

- 16. Use Case: VPN Activity Profiling
User level VPN Trends
• Multiple login failures by count and over time and successful logins provide insight into VPN behavior.
• Identify repeat VPN login failure trends by user
Easy to spot outlier and clustered events
Geographic & Network VPN Trends
• At-a-glance profiling of VPN login success and failures
• Geolocation and domain charting identify normal vs. abnormal access
• Top Level Domains and other domain names to find anomalies, e.g. connections from .edu TLD or external VPN services

- 17. Use Case: VPN Activity Profiling
Geographic Analysis with "Traveler" identification
• Per-country trends & users with multiple locations in a given time period
• Also identify relative distances for users from a relevant fixed location
"Traveler" mapping & improbable behavior analysis
• Determine unlikely distance/time combinations between VPN logins
• Identify credential theft and/or sharing
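The improbable-travel check listed under "key points to look for" on slide 15 and the "unlikely distance/time combinations" analysis above, as an added example that is not the deck's or Wipro's code: it computes the speed a user would have needed between consecutive VPN logins and flags any pair above a threshold. The coordinates, the 900 km/h threshold and the login records are constructed assumptions.

```python
# Added example (not from the Wipro/Splunk deck): flag consecutive VPN logins
# per user whose implied travel speed exceeds a threshold ("improbable travel").
# The threshold, coordinates and log records below are constructed sample data.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # roughly airliner speed; faster than this is not physically plausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def improbable_travel(logins, max_kmh=MAX_KMH):
    """logins: iterable of dicts with user, time (ISO 8601), lat, lon.
    Returns (user, earlier_time, later_time, km, kmh) for every pair of
    consecutive logins by the same user whose required speed exceeds max_kmh."""
    by_user = {}
    for rec in logins:
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        for prev, cur in zip(recs, recs[1:]):
            t0, t1 = datetime.fromisoformat(prev["time"]), datetime.fromisoformat(cur["time"])
            hours = (t1 - t0).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two logins at the same instant from different places: infinite speed.
            kmh = float("inf") if hours == 0 and km > 0 else (km / hours if hours else 0.0)
            if kmh > max_kmh:
                findings.append((user, prev["time"], cur["time"], km, kmh))
    return findings

# Constructed sample: alice logs in from New York, then 2 hours later from London;
# bob drives from San Francisco to Seattle over 12 hours, which is plausible.
SAMPLE_LOGINS = [
    {"user": "alice", "time": "2015-05-01T08:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "time": "2015-05-01T10:00:00", "lat": 51.51, "lon": -0.13},
    {"user": "bob",   "time": "2015-05-01T08:00:00", "lat": 37.77, "lon": -122.42},
    {"user": "bob",   "time": "2015-05-01T20:00:00", "lat": 47.61, "lon": -122.33},
]

if __name__ == "__main__":
    for user, t0, t1, km, kmh in improbable_travel(SAMPLE_LOGINS):
        print("improbable travel: %s %s -> %s, %.0f km at %.0f km/h" % (user, t0, t1, km, kmh))
```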
- 18. Use Case: Malware Analysis
• Understand malware persistence and activity levels
  – Identify duration of malware persistence
  – Identify malware by activity levels
• Further prioritize remediation
  – Identifying hosts of interest
• Review new signatures and hashes
  – Understand new threats
  – Include data enrichment via threat feeds

- 19. Use Case: Malware Analysis
Max Malware File Duration
• Malware File Duration reflects length of time between first SEP message about a specific file and the last message (a combination of automated and manual resolution is reflected in this)
Max Malware File Events
• Malware File Events reflects # of events referencing a specific file (highlights high-activity files)
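The two measures defined above (file duration from first to last message, and event count per file) as an added example, not code from the deck or from Wipro: it aggregates anti-virus events by file hash and ranks files by either measure. The field names and event records are constructed and do not follow SEP's real log format.

```python
# Added example (not from the deck): compute "Malware File Duration" and
# "Malware File Events" per file from anti-virus log events, then rank files.
# Field names and the events below are constructed sample data, not SEP's format.
from datetime import datetime

def malware_file_stats(events):
    """events: iterable of dicts with time (ISO 8601), host, file_hash.
    Returns {file_hash: {"first", "last", "duration_h", "events", "hosts"}}:
    duration_h is hours between the first and last message about that file,
    events is the number of messages referencing it, hosts the set of hosts."""
    stats = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        s = stats.setdefault(e["file_hash"], {"first": t, "last": t, "events": 0, "hosts": set()})
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["events"] += 1
        s["hosts"].add(e["host"])
    for s in stats.values():
        s["duration_h"] = (s["last"] - s["first"]).total_seconds() / 3600
    return stats

def top_by(stats, key, n=1):
    """Rank files by one measure ("duration_h" or "events"), largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1][key], reverse=True)[:n]

# Constructed sample: HASH_A lingers on one host for 3 days with few events;
# HASH_B is resolved within an hour but is seen on several hosts.
SAMPLE_EVENTS = [
    {"time": "2015-05-01T09:00:00", "host": "ws-101", "file_hash": "HASH_A"},
    {"time": "2015-05-04T09:00:00", "host": "ws-101", "file_hash": "HASH_A"},
    {"time": "2015-05-02T12:00:00", "host": "ws-202", "file_hash": "HASH_B"},
    {"time": "2015-05-02T12:05:00", "host": "ws-203", "file_hash": "HASH_B"},
    {"time": "2015-05-02T12:10:00", "host": "ws-204", "file_hash": "HASH_B"},
    {"time": "2015-05-02T13:00:00", "host": "ws-202", "file_hash": "HASH_B"},
]

if __name__ == "__main__":
    stats = malware_file_stats(SAMPLE_EVENTS)
    print("max duration:", top_by(stats, "duration_h")[0][0])
    print("max events:  ", top_by(stats, "events")[0][0])
```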
- 20. Use Case: Malware Analysis
Identifying Outliers
• Mapping # of malware indicators against timeline and duration of indicator presence allows for easy profiling and identification of hosts

- 21. Use Case: Malware Analysis
Tracking new signatures & hashes seen
• Understand new threats
• Data enrichment with threat intelligence feeds

- 22. Use Case: Off-Network Jumping
• Find assets & users jumping from corporate LAN, WLAN to Guest Network
  – Detect attempts to bypass security controls
  – Detect malware vector of "benign" off-network browsing
1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
• Profile jumping behavior to look for patterns and anomalies
  – Identify the User, IP address, MAC address
  – Identify activity before and after jumping
• Key points to look for include
  – Assets and users jumping periodically – Normal business users should be on corporate network
  – Network jumps which don't appear to be pre-meditated (i.e. looking for programmatic jumps)
  – Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration
"40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user's laptop getting compromised within the last twelve months." From Google report, "Off-Network Workers – The Weakest Link to Corporate Web Security"

- 23. Use Case: Off-Network Jumping
Key event: Guest network DHCP request
Key search to identify this activity
• Look at guest network firewall logs which log DHCP requests (IP → MAC → hostname)
• Look at DHCP requests using IP address of one of our corporate networks, and the MAC address.
• Eliminate mobile devices, limit results to our corporate hostname naming convention
• Database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.
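The "key search" steps above as an added example, not the customer's search or Wipro's code: it parses guest-firewall DHCP request lines, keeps requests that ask for an address in corporate IP space or come from a MAC in the asset database, drops mobile devices, and requires the corporate hostname convention. The log format, corporate CIDRs, hostname pattern, mobile-device hints and asset table are all constructed assumptions.

```python
# Added example (not from the deck): detect corporate assets "jumping" to the
# guest network from guest-firewall DHCP log lines, following the slide's steps.
# Log format, corporate CIDRs, hostname convention, mobile hints and the asset
# table are constructed assumptions, not the customer's real values.
import ipaddress
import re

CORP_NETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
CORP_HOSTNAME = re.compile(r"^CORP-(LT|WS)-\d{4}$", re.I)      # assumed naming convention
MOBILE_HINTS = re.compile(r"iphone|ipad|android|galaxy", re.I)  # drop personal mobiles
# Assumed asset database: MAC -> (hostname, owner), built from corporate DHCP data.
ASSET_DB = {"aa:bb:cc:dd:ee:01": ("CORP-LT-0412", "alice")}

# Constructed line format: "<ts> <fw> dhcpd: DHCPREQUEST for <ip> from <mac> (<hostname>) via <if>"
DHCP_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dhcpd: DHCPREQUEST for (?P<ip>[\d.]+) "
    r"from (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]*)\)")

def parse(line):
    m = DHCP_LINE.match(line)
    return m.groupdict() if m else None

def is_corporate_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def find_jumpers(lines):
    """One dict per guest-network DHCPREQUEST that looks like a corporate asset: it
    asks for its old corporate lease or its MAC is in ASSET_DB, is not a mobile
    device, and (unless already in ASSET_DB) its hostname follows the convention."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec or MOBILE_HINTS.search(rec["host"]):
            continue
        known = rec["mac"] in ASSET_DB
        if not (is_corporate_ip(rec["ip"]) or known):
            continue
        if not known and not CORP_HOSTNAME.match(rec["host"]):
            continue
        rec["owner"] = ASSET_DB.get(rec["mac"], ("", ""))[1]
        hits.append(rec)
    return hits

SAMPLE_LOG = [  # constructed sample lines
    "May  1 09:12:01 guest-fw dhcpd: DHCPREQUEST for 10.10.42.17 from aa:bb:cc:dd:ee:01 (CORP-LT-0412) via eth1",
    "May  1 09:13:44 guest-fw dhcpd: DHCPREQUEST for 10.10.7.9 from aa:bb:cc:dd:ee:02 (Bobs-iPhone) via eth1",
    "May  1 09:15:10 guest-fw dhcpd: DHCPREQUEST for 172.31.5.6 from aa:bb:cc:dd:ee:03 (CORP-WS-0099) via eth1",
    "May  1 09:16:02 guest-fw dhcpd: DHCPREQUEST for 10.20.3.3 from aa:bb:cc:dd:ee:04 (printer-lobby) via eth1",
]
```

Only the first sample line is reported: the iPhone is dropped as a mobile device, the third asks for a guest-range address with an unknown MAC, and the fourth asks for a corporate address but fails the hostname convention.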
- 24. Use Case: Off-Network Jumping
Long/Short Term Off-Net Jumping Trends
• Visual analysis to determine what looks abnormal
• At-a-glance profiling of corporate resources used on guest network – activity for today, 7-days, etc.
Rapid investigation to identify users of interest
• Selection enables deep investigation via drilldown into user activity details
• Dynamic drilldown is a key Splunk feature for effective investigation dashboards
Dashboard screenshot callouts: "Selection to lookup user"; "Selection determines drill down"

- 25. Use Case: Off-Network Jumping
Behavior Investigation – Longitudinal Trending
• Patterns identify potential repeat offender, or possible C2/exfiltration
• Compare to guest network activity trend to identify likely scenario
Having quickly found a user of interest, we can now dig into the details of their activity…

- 26. Use Case: Off-Network Jumping
Overview of behavior before/during/after the jump
• Looking back in time from the jump
  • User activity on the corporate network preceding the jump
• Looking at the jump
  • User device mapping to IP address of jumper
• Looking in time after the jump
  • User activity on the guest network after the jump
Behavior Investigation – Pre-Jump Activity
• Does the jump make sense? – driven by business logic or "benign" behavior
• Does the jump look like attacker trying to get out? – more "random" patterns
• Does the jump look like insider threat? – exfiltration, etc.

- 27. What's Next
What excites us about future projects we are planning to leverage our data and Splunk products?
• SOC Operations with Splunk as core tool
• Splunk Enterprise Security App
• Extreme Search
• D3JS
• Endpoint
• Stream

- 28. Top Takeaways
You can get value out of Splunk quickly
Splunk Cloud is a flexible option for growth
Basics matter! Process, People, Technology in Balance