Copyright © 2015 Splunk Inc.

Splunk for Security: Background & Customer Case Study

2

Wipro Technologies

Andrew Gerber & Saurabh Gulati

3

Agenda

Background

Why Splunk for Security

Customer Case Study
•  Build out and architecture
•  Phased approach
•  Hybrid Cloud/on-premise solution

Example Security Use Cases

Roadmap & Key Takeaways

4

Wipro Overview

•  Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing company
•  158,000+ employees in 175+ cities across 6 continents
•  Revenues of $7.5 billion for the financial year ended March 31, 2015
•  Wipro uses and supports Splunk in many areas for our customers, including:
   •  transaction analysis
   •  fraud detection
   •  business & IT operations monitoring
   •  process improvement
   •  information security

5

Speaker Bio

•  Saurabh Gulati: Program Director, Enterprise Security Solutions, Wipro
   –  Discovered Splunk about 2 years ago
•  Andrew Gerber: Architect & Consultant, Enterprise Security Solutions, Wipro
   –  Discovered Splunk about 4 years ago
•  Our mission is to help our customers manage their security requirements efficiently and effectively, and to provide meaningful and measurable benefits while improving their security posture.

6

Why Splunk for Security

Customer challenges:
• Slow SIEM platform
• Limited capabilities and limited customization options
• Data source integration and parsing challenges
• Lots of effort to create workarounds instead of creating new capabilities

Key reasons we often see Splunk selected for Security use cases over other SIEM tools:
• Great user interface and straightforward/flexible SPL
• Fast results
• Ability to scale flexibly and affordably
• Rapid value realization
• Late-binding schema
• API and extensibility
• Higher ROI potential with a competitive TCO

7

Customer Story - Situation

• SIEM platform deployed for several years
• Performance was limiting (could take days to search hours' worth of data)
• Vendor announced End of Life/End of Support for SIEM platform

Gap Analysis of SIEM Platform
• Difficulty to gain insight… limited by supported functions (COUNT, AVG, MIN, MAX, …)
• Creation of content required in-depth knowledge about data sources and vendor parsing schema
• Limited datacenter capacity to scale the existing platform

8

Splunk – Phase 1

• Hybrid POC/Pilot over only 12 weeks!
• Partnered with Splunk PS
• 200GB/day On-Premise Deployment Growing to 400GB/day
• Identified key security data sources to integrate
• Initial Content Development
• Dashboards & Demos for stakeholders at all levels, including Executives

9

Splunk – Phase 1 Architecture

•  Handled 200GB/day & 10 users comfortably
•  Grew to 400GB/day while still providing sufficient performance
•  >300 Universal Forwarder instances deployed

[Architecture diagram, On-Premise: Cluster Master, Deployment Server, 300+ Forwarders, Syslog-NG, NAS]

10

Splunk – Phase 1 Results

Speed
• Searching performance – went from days to seconds to get results
• Integrating data sources – ingest first, parse later as needed
• Creating searches/dashboards – powerful and straightforward, fast to create

Power
• SPL, stats, subsearches, graphical reporting, mapping, API, Apps

Use cases transformed
• Went from listing top machines by # of malware detection alerts to mapping out trends and identifying effective points of intervention/remediation
• Went from seeing a list of failed VPN login attempts by user to mapping VPN authentication activity and identifying anomalous activity for further investigation

Ability to demo dashboards all the way up to executive leadership

11

Scaling successfully: Enter Splunk Cloud

Dynamic business context
• Rapid pace of acquisitions
• Datacenter transformation project underway
• Cloud strategy evolving

Flexibility of Splunk Cloud was key
• Availability, capacity, retention, scalability

Safeguards & security – beyond the basics
• Extensive review with Splunk and customer Enterprise Architecture & Security teams
• Audited Security: Splunk SOC 2 Type 1 & 2 in addition to AWS controls & attestations
• Flexibility to specify geographic restrictions on where data travels/resides
• Ability to configure encryption on data at rest
• Hybrid search heads – can have indexes reside entirely on-prem as needed, on-prem search heads can search cloud

12

Splunk – Phase 2 (in progress)

• Added capacity: 500GB/day Splunk Cloud + 200GB/day on-premise
• Increasing data source variety, adding apps and integrations (e.g. Remedy for ticketing)
• Accommodate data center capacity constraints (transformation project underway)
• Add and integrate users across business units
• Create processes around security monitoring and SOC operations
• Deploying Splunk App for Enterprise Security

13

Splunk Phase 2 Architecture

[Architecture diagram, On-Premise and AWS: Cluster Master, Deployment Server, 500+ Forwarders, Syslog-NG, ~30%, NAS, S3]

14

Example Use Cases

Use Case 1 - VPN Activity Profiling
•  Detect inappropriate or malicious remote access
•  Profiling of employees, contractors, vendors, and other insiders

Use Case 2 – Malware Analysis
•  Detect new signatures & hashes seen
•  Enhance information with threat intelligence
•  Profile activity by host and user
•  Monitor time to resolution

Use Case 3 – Off-Network Jumping
•  Detect attempted and actual bypass of network controls
•  Detect network jumping and off-network activity

15

Use Case: VPN Activity Profiling

•  Find abnormal usage patterns in remote access
   –  VPN access with valid credentials used in major attacks, including recent healthcare industry breach
•  Profile remote usage by employees, contractors, vendors, and other insiders
•  Look for:
   –  Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
   –  Identify potentially compromised credentials
•  Key points to look for:
   –  Increase in login frequency
   –  Odd times/locations
   –  Improbable travel distance between logins or login attempts (velocity required between consecutive geographical login locations too high)

16

Use Case: VPN Activity Profiling

User level VPN Trends
•  Multiple login failures by count and over time, together with successful logins, provide insight into VPN behavior.
•  Identify repeat VPN login failure trends by user
Easy to spot outlier and clustered events

Geographic & Network VPN Trends
•  At-a-glance profiling of VPN login success and failures
•  Geolocation and domain charting identify normal vs. abnormal access
•  Top Level Domains and other domain names to find anomalies, e.g. connections from .edu TLD or external VPN services

17

Use Case: VPN Activity Profiling

Geographic Analysis with “Traveler” identification
•  Per-country trends & users with multiple locations in a given time period
•  Also identify relative distances for users from a relevant fixed location

“Traveler” mapping & improbable behavior analysis
•  Determine unlikely distance/time combinations between VPN logins
•  Identify credential theft and/or sharing
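The improbable-travel check that slides 15 and 17 describe (velocity between consecutive geographical login locations too high), worked through as an added Python example; this is not code from the deck and not the customer's Splunk searches. It assumes a key=value VPN log format, a small constructed IP-to-location table standing in for a GeoIP database, and a 900 km/h plausibility threshold, all of which are example choices.

```python
"""Improbable-travel check over VPN login events.

Added example, not code from the Wipro/Splunk deck: each user's VPN login
events are ordered by time, the great-circle distance between consecutive
login locations is computed (haversine), and the implied speed is compared
with a plausibility threshold. The log format, the IP-to-location table and
the threshold are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner is not a real trip; tune per environment


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src_ip: str
    result: str
    lat: float
    lon: float
    country: str


# Constructed VPN concentrator log lines (key=value style); not real data.
SAMPLE_LOG = """\
2015-06-01T08:00:00Z user=alice src_ip=203.0.113.10 result=success
2015-06-01T09:30:00Z user=alice src_ip=198.51.100.7 result=success
2015-06-01T12:00:00Z user=bob src_ip=203.0.113.22 result=success
2015-06-02T02:00:00Z user=bob src_ip=192.0.2.5 result=success
2015-06-02T02:05:00Z user=bob src_ip=192.0.2.5 result=failure
"""

# Constructed stand-in for a GeoIP lookup: src_ip -> (lat, lon, country).
GEO = {
    "203.0.113.10": (40.71, -74.01, "US"),  # New York
    "198.51.100.7": (51.51, -0.13, "GB"),   # London
    "203.0.113.22": (40.71, -74.01, "US"),  # New York
    "192.0.2.5": (42.36, -71.06, "US"),     # Boston
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_logins(text, geo=GEO):
    """Parse login events (successes and failed attempts) and attach a location."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        lat, lon, country = geo[kv["src_ip"]]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        logins.append(Login(when, kv["user"], kv["src_ip"], kv["result"], lat, lon, country))
    return logins


def improbable_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per consecutive login pair (per user) whose implied speed exceeds max_kmh.

    Failed attempts are kept on purpose: a failure far away shortly after a
    success is still worth a look at the account.
    """
    by_user = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km == 0:
                continue  # same place, nothing was travelled
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # two places at the same instant
            if kmh > max_kmh:
                findings.append({"user": user, "from": prev.country, "to": cur.country,
                                 "km": round(km), "hours": round(hours, 2),
                                 "kmh": round(kmh) if hours > 0 else None})
    return findings


if __name__ == "__main__":
    for finding in improbable_travel(parse_logins(SAMPLE_LOG)):
        print(finding)
```

With the constructed data, alice's New York login followed 90 minutes later by a London login implies roughly 3,700 km/h and is reported; bob's New York to Boston sequence over 14 hours is not. In practice the threshold and the GeoIP source matter more than the formula: corporate proxies, mobile carriers and anycast VPN services all place users far from where they sit, so the finding is a lead for the investigation dashboards on these slides, not a verdict.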
  
18

Use Case: Malware Analysis

•  Understand malware persistence and activity levels
   –  Identify duration of malware persistence
   –  Identify malware by activity levels
•  Further prioritize remediation
   –  Identifying hosts of interest
•  Review new signatures and hashes
   –  Understand new threats
   –  Include data enrichment via threat feeds

19

Use Case: Malware Analysis

Max Malware File Duration
•  Malware File Duration reflects length of time between first SEP message about a specific file and the last message (a combination of automated and manual resolution is reflected in this)

Max Malware File Events
•  Malware File Events reflects # of events referencing a specific file (highlights high-activity files)

20

Use Case: Malware Analysis

Identifying Outliers
•  Mapping # of malware indicators against timeline and duration of indicator presence allows for easy profiling and identification of hosts
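The two measures from slide 19 (Malware File Duration and Malware File Events) and the outlier identification on this slide, worked through as an added Python example; it is not code from the deck and not the customer's dashboards. It assumes a key=value endpoint AV log format with constructed placeholder hashes, and it flags outliers with a median/MAD modified z-score, which is an example choice rather than the method the deck used.

```python
"""Per-file malware persistence and activity profiling from endpoint AV events.

Added example, not code from the Wipro/Splunk deck: for each detected file it
derives "Malware File Duration" (time between the first and last endpoint
message about that file) and "Malware File Events" (number of messages
referencing it), then flags outliers on either measure with a modified
z-score (median / MAD), which tolerates a few extreme files better than a
mean / standard deviation cut-off. The log format, hashes and timestamps are
constructed for this example.
"""
from datetime import datetime, timezone
from statistics import median

# Constructed endpoint AV log lines (key=value style); the sha256 values are
# placeholders, not real sample hashes.
SAMPLE_LOG = """\
2015-06-01T08:00:00Z host=wks-0101 user=alice action=Quarantined file=invoice.pdf.exe sha256=AAAA
2015-06-02T08:00:00Z host=wks-0101 user=alice action=Quarantined file=invoice.pdf.exe sha256=AAAA
2015-06-03T08:00:00Z host=wks-0101 user=alice action=Quarantined file=invoice.pdf.exe sha256=AAAA
2015-06-04T08:00:00Z host=wks-0101 user=alice action=Cleaned file=invoice.pdf.exe sha256=AAAA
2015-06-02T10:00:00Z host=wks-0102 user=bob action=Quarantined file=setup.exe sha256=BBBB
2015-06-02T10:10:00Z host=wks-0102 user=bob action=Deleted file=setup.exe sha256=BBBB
2015-06-02T11:00:00Z host=wks-0103 user=carol action=Deleted file=tmp.js sha256=CCCC
2015-06-03T14:00:00Z host=wks-0101 user=alice action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T14:15:00Z host=wks-0104 user=dave action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T14:30:00Z host=wks-0101 user=alice action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T14:45:00Z host=wks-0104 user=dave action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T15:00:00Z host=wks-0101 user=alice action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T15:15:00Z host=wks-0104 user=dave action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T15:30:00Z host=wks-0101 user=alice action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T16:00:00Z host=wks-0104 user=dave action=Blocked file=dropper.exe sha256=DDDD
2015-06-03T09:00:00Z host=wks-0105 user=erin action=Quarantined file=macro.doc sha256=EEEE
2015-06-03T10:00:00Z host=wks-0105 user=erin action=Cleaned file=macro.doc sha256=EEEE
"""


def parse_events(text):
    """Split key=value AV lines into dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def file_stats(events):
    """Aggregate per file hash: first/last seen, duration in hours, event count, hosts."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["sha256"], {"name": ev["file"], "first": ev["ts"],
                                            "last": ev["ts"], "events": 0, "hosts": set()})
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["events"] += 1
        s["hosts"].add(ev["host"])
    for s in stats.values():
        # Malware File Duration: first to last message about the file (0 for one-off detections).
        s["duration_h"] = (s["last"] - s["first"]).total_seconds() / 3600
    return stats


def modified_z(values):
    """Modified z-scores, 0.6745 * (x - median) / MAD. All zero when MAD is 0 (no spread to judge by)."""
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def find_outliers(stats, threshold=3.5):
    """Hashes whose duration or event count stands out from the rest of the fleet."""
    keys = sorted(stats)
    dur_z = modified_z(stats[k]["duration_h"] for k in keys)
    evt_z = modified_z(stats[k]["events"] for k in keys)
    return {
        "duration": [k for k, z in zip(keys, dur_z) if z > threshold],
        "events": [k for k, z in zip(keys, evt_z) if z > threshold],
    }


if __name__ == "__main__":
    stats = file_stats(parse_events(SAMPLE_LOG))
    for sha, s in stats.items():
        print(sha, s["name"], f"{s['duration_h']:.1f}h", s["events"], sorted(s["hosts"]))
    print(find_outliers(stats))
```

On the constructed data the file AAAA is re-quarantined daily for three days and stands out on duration (the persistence case from slide 18), while DDDD is blocked eight times in two hours across two hosts and stands out on event count (the high-activity case). Both are candidates for the "hosts of interest" prioritisation, and the per-hash grouping is what the threat-feed enrichment on slide 21 would key on.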
  
21

Use Case: Malware Analysis

Tracking new signatures & hashes seen
•  Understand new threats
•  Data enrichment with threat intelligence feeds

22

Use Case: Off-Network Jumping

•  Find assets & users jumping from corporate LAN, WLAN to Guest Network
   –  Detect attempts to bypass security controls
   –  Detect malware vector of “benign” off-network browsing: 1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
•  Profile jumping behavior to look for patterns and anomalies
   –  Identify the User, IP address, MAC address
   –  Identify activity before and after jumping
•  Key points to look for include
   –  Assets and users jumping periodically – normal business users should be on corporate network
   –  Network jumps which don’t appear to be pre-meditated (i.e. looking for programmatic jumps)
   –  Volume, periodicity, destination, traffic type can all be indicators of potential Exfiltration

“40% [of companies] reported that they had been exposed to a security threat as a direct consequence of an off-network user’s laptop getting compromised within the last twelve months.”
From Google report, “Off-Network Workers – The Weakest Link to Corporate Web Security”

23

Use Case: Off-Network Jumping

Key event: Guest network DHCP request

Key search to identify this activity
•  Look at guest network firewall logs, which log DHCP requests (IP → MAC → hostname)
•  Look at DHCP requests using the IP address of one of our corporate networks, and the MAC address.
•  Eliminate mobile devices, limit results to our corporate hostname naming convention
•  Database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.
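The key search on this slide, worked through as an added Python example over constructed guest-firewall DHCP lines; it is not code from the deck and not the customer's Splunk search. The log field names, the `CORP-` hostname naming convention, the corporate address ranges and the MAC inventory are all assumptions made for the example. The `requested_ip` field models the address a client asks for in its DHCP REQUEST, which for a laptop that just left the corporate LAN is usually the corporate lease it still holds; that is one reading of the slide's "DHCP requests using IP address of one of our corporate networks".

```python
"""Off-network jump detection from guest-network DHCP request logs.

Added example, not code from the Wipro/Splunk deck: corporate laptops that hop
to the guest network are spotted in guest firewall DHCP request logs
(IP -> MAC -> hostname) by keeping only hostnames that follow the corporate
naming convention (which also drops phones and tablets), checking whether the
client asked for a corporate-range address, and enriching with a MAC ->
hostname/owner inventory. Log format, naming convention, address ranges and
inventory are constructed assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed corporate hostname naming convention (placeholder, not the customer's real one).
CORP_HOST_RE = re.compile(r"^CORP-[A-Z]\d{4}$")
# Assumed corporate address space; the guest network is 10.200.0.0/16 in this example.
CORP_NETS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
# Constructed stand-in for the internal MAC -> (hostname, owner) inventory the slide mentions.
INVENTORY = {
    "00:11:22:33:44:55": ("CORP-L0123", "alice"),
    "00:11:22:33:44:66": ("CORP-L0456", "bob"),
}

# Constructed guest firewall DHCP log lines (key=value style); not real data.
SAMPLE_LOG = """\
2015-06-01T12:01:00Z zone=guest event=dhcp-request ip=10.200.1.55 mac=00:11:22:33:44:55 hostname=CORP-L0123 requested_ip=10.10.5.23
2015-06-01T12:02:10Z zone=guest event=dhcp-request ip=10.200.1.90 mac=aa:bb:cc:dd:ee:01 hostname=Bobs-iPhone requested_ip=10.200.1.90
2015-06-01T12:03:30Z zone=guest event=dhcp-request ip=10.200.1.91 mac=aa:bb:cc:dd:ee:02 hostname=android-3f2a requested_ip=0.0.0.0
2015-06-01T12:10:00Z zone=corp event=dhcp-request ip=10.10.7.8 mac=00:11:22:33:44:66 hostname=CORP-L0456 requested_ip=10.10.7.8
2015-06-01T13:15:00Z zone=guest event=dhcp-request ip=10.200.1.92 mac=00:11:22:33:44:66 hostname=CORP-L0456 requested_ip=10.200.1.92
2015-06-01T13:20:00Z zone=guest event=dhcp-request ip=10.200.1.93 mac=de:ad:be:ef:00:01 hostname=CORP-L9999 requested_ip=10.200.1.93
"""


def parse_dhcp(text):
    """Split key=value firewall lines into dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def in_corp_space(ip_str):
    """True when ip_str parses and falls inside one of the corporate ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in CORP_NETS)


def find_jumps(events, inventory=INVENTORY):
    """Guest-zone DHCP requests from corporate-named hosts, with the reasons they matched."""
    findings = []
    for ev in events:
        if ev.get("zone") != "guest" or ev.get("event") != "dhcp-request":
            continue  # the corporate-zone lease for CORP-L0456 is context, not a jump
        host = ev.get("hostname", "")
        if not CORP_HOST_RE.match(host):
            continue  # eliminates mobile devices and anything outside the naming convention
        reasons = ["hostname matches corporate convention"]
        if in_corp_space(ev.get("requested_ip", "")):
            reasons.append("requested corporate lease on guest network")
        inv = inventory.get(ev.get("mac", "").lower())
        if inv:
            reasons.append("MAC in corporate inventory")
        findings.append({"ts": ev["ts"], "hostname": host, "mac": ev.get("mac"),
                         "guest_ip": ev.get("ip"), "owner": inv[1] if inv else None,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_jumps(parse_dhcp(SAMPLE_LOG)):
        print(finding["ts"], finding["hostname"], finding["owner"], finding["reasons"])
```

The three findings differ in strength: CORP-L0123 matches on naming, inventory and a corporate-range lease request; CORP-L0456 matches on naming and inventory; CORP-L9999 matches on naming alone and is where a fuller inventory (the database the slide says is being built) would either confirm the asset or expose a device merely imitating the convention. The `owner` field is what the drill-down on the following slides pivots on.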
  
24

Use Case: Off-Network Jumping

[Dashboard screenshot: selection to look up user; selection determines drill down]

Long/Short Term Off-Net Jumping Trends
•  Visual analysis to determine what looks abnormal
•  At-a-glance profiling of corporate resources used on guest network – activity for today, 7-days, etc.

Rapid investigation to identify users of interest
•  Selection enables deep investigation via drilldown into user activity details
•  Dynamic drilldown is a key Splunk feature for effective investigation dashboards

25

Use Case: Off-Network Jumping

Behavior Investigation – Longitudinal Trending
•  Patterns identify potential repeat offender, or possible C2/exfiltration
•  Compare to guest network activity trend to identify likely scenario

Having quickly found a user of interest, we can now dig into the details of their activity…

26

Use Case: Off-Network Jumping

Overview of behavior before/during/after the jump
•  Looking back in time from the jump
   •  User activity on the corporate network preceding the jump
•  Looking at the jump
   •  User device mapping to IP address of jumper
•  Looking in time after the jump
   •  User activity on the guest network after the jump

Behavior Investigation – Pre-Jump Activity
•  Does the jump make sense? – driven by business logic or “benign” behavior
•  Does the jump look like attacker trying to get out? – more “random” patterns
•  Does the jump look like insider threat? – exfiltration, etc.

27

What’s Next

• SOC Operations with Splunk as core tool
• Splunk Enterprise Security App
• Extreme Search
• D3JS
• Endpoint
• Stream

What excites us about future projects in which we are planning to leverage our data and Splunk products?

28

Top Takeaways

• You can get value out of Splunk quickly
• Splunk Cloud is a flexible option for growth
• Basics matter! Process, People, Technology in Balance

Thank You
