Operationalizing Security Intelligence
Jack Lamirande
Slide 2: What is Security Intelligence?
Information relevant to protecting an organization from external and inside threats, as well as the processes, policies and tools designed to gather and analyze that information.
Source: http://whatis.techtarget.com/definition/security-intelligence-SI
Slide 3: Challenges
• Your adversaries are organized
• Your adversaries are adaptable
• Your defenses are static
• Your defenses are predictable
• Your defenses will be breached

Source: Mandiant M-Trends Report 2012/2013/2014
100%  Valid credentials were used
40    Average # of systems accessed
229   Median # of days before detection
67%   Of victims were notified by an external entity
Slide 4: More Challenges
• Growing adoption of cloud, mobile and new application workloads requiring hybrid deployment across on-premise and cloud infrastructures
• Growing concern over insider threats and privileged users
• On-going skills/knowledge training

SOC roles to staff and train: SOC Director, SOC Manager, SOC Architect, Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Forensics Specialist, Malware Engineer, Counter-Intel
Slide 5: Skills/Training

Slide 6: (image only, no text)
Slide 7: What is Required
Solutions and security approaches that:
– Use threat intelligence, security services and coordinated defense (sharing)
– Enable rapid response, using ad-hoc analysis to handle advanced threats
– Utilize data science, machine learning and analytics for security
Slide 8: New Approach to Security Needed
Traditional Methods   | New Requirements
Data reduction        | Data completeness & coverage
Event correlation     | Multiple, dynamic relationships
Detect attacks        | Detect & respond to the attack lifecycle – disrupt it!
Needle in a haystack  | Hay in the haystack
Power user            | All users
Severity based        | Risk-based
Event based           | … and time, user, phase, more…
Slide 9: New Approach to Security Needed (continued)
Traditional Methods            | New Requirements
Situational awareness          | Analysis & rapid response
Operation / Monitoring Center  | Nerve Center / Command Center
Slide 10: Drivers to Operationalizing Security Intelligence
From                  | To
Detection             | Early detection and disruption
Event driven          | Analytics driven
Correlation           | Correlation, pattern and anomaly detection
Human rule authoring  | Data science & machine learning
Siloed approach       | Collaborative and orchestrated
Slide 11: The Evolution of Security Operations is Needed
THREAT – Attack Approach:
• Human directed
• Goal-oriented
• Dynamic (adjusts to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Security Approach:
• Fusion of people, process & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOCs & threat intel

Pillars: TECHNOLOGY, PEOPLE, PROCESS
Slide 12: Connect the "Data-Dots" to See the Whole Story
Threat pattern: Deliver, Exploit → Install → Gain Trusted Access → Upgrade (Escalate) → Lateral Movement → Data Gathering → Exfiltration → Persist, Repeat

Threat Intelligence: attacker, known C2 sites, infected sites, IOCs, attack/campaign intent and attribution
• External threat intel
• Internal threat intel
• Indicators of compromise

Network Activity/Security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
• Malware sandbox
• Web proxy
• NetFlow
• Firewall
• IDS / IPS
• Vulnerability scanner

Endpoint Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry modifications, attack/malware artifacts, patch level, attack susceptibility
• DHCP
• DNS
• Patch mgmt
• Endpoint (AV/IPS/FW)
• ETDR
• OS logs

Authorization – User/Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
• Active Directory
• LDAP
• CMDB
• Operating System
• Database
• VPN, AAA, SSO
Slide 13: Connecting People and Data Through a Nerve Center

Slide 14: Operationalizing Security Intelligence
• Risk-Based Context and Intelligence
• Connecting People and Data
Slide 15: Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction
Slide 16: All Data is Security Relevant (= Big Data)
Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Traditional Authentication
Slide 17: Data Sources
Threat Intelligence | Network | Endpoint | Access
Slide 18: Risk Based Analytics
Applied across Threat Intelligence, Network, Endpoint and Access data:
• Pattern/String/Regex matching
• Statistical outliers and anomalies
• Scoring and aggregation
• Session and behavior profiling
Slide 19: Context and Intelligence
• Integrate across technologies
• Automated context matching
• Automated context acquisition
• Post-processing and post-analysis
Sources of context: Threat Intelligence, Asset & CMDB, API/SDK Integrations, Data Stores, Applications
Slide 20: Connecting People and Data
• Any data, all data
• Interact with views and workflows
• Free-form investigation – human intuition
• Human-mediated automation
• Sharing and collaboration
Capabilities: Automation, Collaboration, Investigation, Workflows, All data
Slides 21–23: IT and InfoSec views of the same environment
Topology (diagram): Headquarters with a Firewall, Database Server, File Server, Intranet Server, Application Server and Wi-fi; two Remote Sites, each behind a Wi-fi Firewall, connected over the Internet.

Attack narrative overlaid on the diagram (slides 22–23):
1. MAIL: attacker creates malware, embeds it in a .pdf and emails it to the target.
2. Target reads the email and opens the attachment.
3. The .pdf executes and unpacks the malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe).
4. WEB: http (web) session to the command & control server.
5. Remote control, steal data, persist in the company, rent out as a botnet.

Information Technology (IT) workflow: Monitor, Troubleshoot, Triage, Collaborate, Configure, Report
Information Security (InfoSec) workflow: Monitor, Investigate, Triage, Collaborate, Scope, Report, Recover
Slide 24: Modern Attacks Look Like a Transaction
Stages across the top of the diagram: Delivery → Exploitation & Installation → Command & Control → Accomplish Mission, with the MAIL, WEB, WEB and FW sources plotted along those stages. Eight numbered events are placed on the diagram, beginning with the phishing email and the download from the infected site.
Rows (data layers): Threat intelligence; Auth – User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Corp context: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.

Slide 25: Connect the "Data-dots" to See the Whole Story
Same diagram, with each event labelled by the data that records it: Threat Intelligence Data; Email Data or Web Data; Host or ETDR Data; Web or Firewall Data; Threat Intelligence Data; Identity Data.

Slide 26: Start anywhere, analyze up-down-across-backwards-forward
Data sources per layer:
Threat intelligence: 3rd-party threat intel, open source blacklists, internal threat intelligence
Network Activity/Security: Firewall, IDS / IPS, vulnerability scanners, web proxy, NetFlow, network
Host Activity/Security: Endpoint (AV/IPS/FW), malware detection, PCLM, DHCP, OS logs, patching
Auth – User Roles, Corp Context: Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO
Slide 27: The raw events behind the story, one per data layer

Email data (Delivery); note that the sender domain, butercupgames.com, is one letter off from the recipient's buttercupgames.com:
Subject: new commission report breakdown
From: Jose Dave <jose.dave@butercupgames.com>
To: <chris.gilbert@buttercupgames.com>
Content-type: multipart/mixed;
Content-type: application/pdf; name="Q2_commission.pdf"

CMDB / asset data (Auth – User Roles), one row per dest_ip:
dest_ip | cmdb_bu_owner | cmdb_application_name | cmdb_system_owner | cmdb_app_lifecycle | cmdb_s_ox | cmdb_GLBA | cmdb_app_uses_ssn | cmdb_credit_card_data | cmdb_priority | cmdb_server_software | cmdb_supported_by | cmdb_server_phase | cmdb_db_server | cmdb_db_name | cmdb_PCI | cmdb_PII | cmdb_safe_harbor
192.168.56.102 | Sales | Laptop | chris.gilbert@buttercupgames.com | Production | No | No | No | No | Tier 3 | Windows7 | Internal | Deployed | N | N/A | No | No | No
172.20.12.224 | Marketing | Laptop | monte@demo.com | Production | No | No | No | No | Tier 3 | Windows7 | Internal | Deployed | N | N/A | No | No | No
172.20.10.217 | eCommerce | Laptop | modesto@demo.com | Staging | Yes | Yes | No | Yes | Tier 1 | Windows7 | Internal | Deployed | Y | Oracle | Yes | Yes | Yes
172.20.15.229 | eCommerce | Laptop | modesto@demo.com | Staging | Yes | Yes | No | Yes | Tier 1 | Windows7 | Internal | Deployed | Y | Oracle | Yes | Yes | Yes

Threat intelligence (CSV, one entry may be a single host or a CIDR range):
bad_ip,threat_intel_source
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http

Web server access log (Network Activity/Security): a login to the WordPress portal, then retrieval of the same PDF:
54.211.114.134 - - [05/May/2014:22:40:54 -0400] "POST /portal/wp-login.php HTTP/1.1" 200 4395 "-"
54.211.114.134 - - [06/May/2014:00:05:47 -0400] "GET /tech/wp-content/uploads/2014/05/Q2_commission.pdf HTTP/1.1" 206 2475168 "-"

Endpoint / ETDR events (Host Activity/Security): the attachment written to disk from the Outlook temp folder, then an outbound connection to the threat-listed address:
{"action": "create", "path": "…Content.OutlookQ2_commission.pdf", "process_guid": "-7751687"}
{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": "3259531", "port": 443}

Kill chain: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives
Slides 28–29: The same events, joined on shared values
The fields highlighted on these two slides are the pivots that link one data source to the next:
• 115.29.46.99: the threat-intel entry (zeus_c2s) ↔ the endpoint's outbound connection on port 443 (process_guid 3259531)
• Q2_commission.pdf: the email attachment name ↔ the web log GET ↔ the endpoint file-create event (process_guid -7751687)
• chris.gilbert@buttercupgames.com: the email recipient ↔ cmdb_system_owner of 192.168.56.102 (Sales laptop, Tier 3)
• process_guid values -7751687 and 3259531, and "action": "create": tie the file write and the C2 connection to processes on the same host
Who works the story (slide 29):
People: Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, SOC Mgr, Hunters, Response Teams, Breach Investigator, Forensics, Counter Threat Team, Research/Intelligence, Malware research, Analytics, Security Analyst, IT admin/engr, Network engr, Identity, infrastructure, Auditor
Teams: IT team, Network team, Security team
Activities: Monitor, Alert, Breach Detection & Scoping, CSIRT, Share, Collaborate, Incident response, Investigation, Contain, Remediate, Audit, Report, Awareness
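The join that slides 27–29 draw by hand, as an added example (this is not code from the deck or from Splunk): it takes the slides' own sample records and links them on the values the slides highlight, the attachment name, the host IP against the threat list, and the recipient against the CMDB owner. The Date header, the "host" field and the timestamps on the two endpoint events are assumptions added so the events can be ordered; the CMDB table is trimmed to the columns the join uses.

```python
import ipaddress
import json
import re
from datetime import datetime
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Sample records copied from slides 27-29. The Date header, the "host" field
# and the "ts" values on the endpoint events are assumptions for this example.
THREAT_INTEL = "bad_ip,threat_intel_source\n115.29.46.99/32,zeus_c2s\n61.155.30.0/24,cymru_http\n"
EMAIL = ("Date: Mon, 05 May 2014 23:58:00 -0400\n"
         "Subject: new commission report breakdown\n"
         "From: Jose Dave <jose.dave@butercupgames.com>\n"
         "To: <chris.gilbert@buttercupgames.com>\n"
         'Content-type: application/pdf; name="Q2_commission.pdf"\n')
WEB_LOG = [
    '54.211.114.134 - - [05/May/2014:22:40:54 -0400] "POST /portal/wp-login.php HTTP/1.1" 200 4395 "-"',
    '54.211.114.134 - - [06/May/2014:00:05:47 -0400] "GET /tech/wp-content/uploads/2014/05/Q2_commission.pdf HTTP/1.1" 206 2475168 "-"',
]
ENDPOINT = [
    '{"ts": "2014-05-06T00:06:10-04:00", "host": "192.168.56.102", "action": "create", "path": "...Content.OutlookQ2_commission.pdf", "process_guid": "-7751687"}',
    '{"ts": "2014-05-06T00:07:02-04:00", "host": "192.168.56.102", "domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": "3259531", "port": 443}',
]
CMDB = {  # dest_ip -> the slide's columns that matter for triage
    "192.168.56.102": {"cmdb_bu_owner": "Sales", "cmdb_system_owner": "chris.gilbert@buttercupgames.com",
                       "cmdb_priority": "Tier 3", "cmdb_PCI": "No"},
    "172.20.10.217": {"cmdb_bu_owner": "eCommerce", "cmdb_system_owner": "modesto@demo.com",
                      "cmdb_priority": "Tier 1", "cmdb_PCI": "Yes"},
}
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def load_threat_intel(csv_text):
    """Return [(network, source)] so /32 hosts and CIDR ranges match the same way."""
    nets = []
    for line in csv_text.splitlines()[1:]:
        cidr, source = line.split(",")
        nets.append((ipaddress.ip_network(cidr), source))
    return nets


def intel_hit(ip, nets):
    """Name of the first threat list containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((src for net, src in nets if addr in net), None)


def build_incident():
    """Join email, web, endpoint, threat-intel and CMDB records into one timeline."""
    nets = load_threat_intel(THREAT_INTEL)
    hdr = HeaderParser().parsestr(EMAIL)
    attachment = re.search(r'name="([^"]+)"', hdr["Content-type"]).group(1)
    recipient = re.search(r"<([^>]+)>", hdr["To"]).group(1)
    timeline = [(parsedate_to_datetime(hdr["Date"]), "Delivery", "email",
                 f"{hdr['From']} -> {recipient}: attachment {attachment}")]
    # Web log: the attachment name is the pivot from email to web activity.
    for line in WEB_LOG:
        src_ip, ts, method, path, status, size = WEB_RE.match(line).groups()
        if path.endswith("/" + attachment):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            timeline.append((when, "Delivery", "web", f"{method} {path} from {src_ip} ({size} bytes)"))
    # Endpoint: the file name pivots to the host; the host's outbound IP pivots
    # to threat intel; the host's own IP pivots to the CMDB row and its owner.
    host = None
    for raw in ENDPOINT:
        ev = json.loads(raw)
        when = datetime.fromisoformat(ev["ts"])
        if ev.get("action") == "create" and attachment in ev["path"]:
            host = ev["host"]
            timeline.append((when, "Exploitation", "endpoint",
                             f"{attachment} written on {host} by process {ev['process_guid']}"))
        elif "ipv4" in ev:
            src = intel_hit(ev["ipv4"], nets)
            if src:
                timeline.append((when, "Command & Control", "endpoint+intel",
                                 f"{ev['host']} -> {ev['ipv4']}:{ev['port']} matched {src} (process {ev['process_guid']})"))
    asset = None
    if host in CMDB:
        asset = dict(CMDB[host], owner_is_recipient=(CMDB[host]["cmdb_system_owner"] == recipient))
    timeline.sort(key=lambda t: t[0])
    return {"timeline": [(ts.isoformat(), phase, src, what) for ts, phase, src, what in timeline],
            "host": host, "asset": asset}


if __name__ == "__main__":
    for row in build_incident()["timeline"]:
        print(*row, sep=" | ")
```

The CIDR-aware match matters because the second threat-intel row is a /24: a plain string comparison on the IP would miss every host in 61.155.30.0/24. The CMDB lookup is what turns "a laptop talked to a Zeus C2" into "a Tier 3 Sales laptop whose owner is the phishing recipient", which is the risk-based context the earlier slides argue for.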
Slide 30: Demo
Slide 31: Examples
Attack Phase      | What the Threat is Doing              | What to Look For | Data Source
Lateral movement  | Creating new admin accounts           | Account creation without a corresponding IT service desk ticket | AD / Service Desk logs
Data gathering    | Stealing credentials                  | For a single employee: login at one location, then login again miles away within a timeframe that is not physically possible | Badge / VPN / Auth
Data gathering    | Gathering confidential data for theft | Employee deviates from normal behavior – more requests for confidential data than normal | OS
Exfiltration      | Exfiltration of info                  | Larger traffic flows than usual (incl. DNS) from a host to a given IP | NetFlow
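Three of the checks in this table as runnable detection logic, added here as an example (not code from the deck or from Splunk): the account-creation/service-desk join, impossible travel on geo-resolved logins, and a per-destination egress baseline that treats DNS like any other flow. All log records are constructed, and the field names, the 900 km/h travel ceiling and the 10x baseline factor are assumptions for the demonstration.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample logs (not from the slides); field names are assumptions.
AD_EVENTS = [  # account-creation events, e.g. from an AD audit feed
    {"ts": "2014-05-06T01:12:00", "new_user": "svc_backup2", "by": "chris.gilbert", "admin": True},
    {"ts": "2014-05-06T09:30:00", "new_user": "j.nguyen", "by": "helpdesk01", "admin": False},
    {"ts": "2014-05-06T10:05:00", "new_user": "ops_admin3", "by": "helpdesk01", "admin": True},
]
TICKETS = {"j.nguyen": "INC-2041", "ops_admin3": "INC-2044"}  # service-desk tickets by account

AUTH_EVENTS = [  # badge / VPN logins with geo-resolved coordinates
    {"user": "chris.gilbert", "ts": "2014-05-06T08:02:00", "lat": 37.77, "lon": -122.42, "src": "badge-SF"},
    {"user": "chris.gilbert", "ts": "2014-05-06T09:15:00", "lat": 40.71, "lon": -74.01, "src": "vpn"},
    {"user": "monte", "ts": "2014-05-06T08:00:00", "lat": 37.77, "lon": -122.42, "src": "badge-SF"},
    {"user": "monte", "ts": "2014-05-06T17:30:00", "lat": 37.34, "lon": -121.89, "src": "vpn"},
]

FLOWS = (  # NetFlow-style (src, dst, dst_port, bytes) per hour, oldest first
    [("192.168.56.102", "115.29.46.99", 443, b) for b in [1200, 900, 1500, 1100, 950, 48_000_000]]
    + [("192.168.56.102", "10.0.0.53", 53, b) for b in [3000, 2800, 3100, 2900, 3000, 2_700_000]]
    + [("172.20.12.224", "10.0.0.53", 53, b) for b in [3000, 3100, 2900, 3000, 3200, 3050]]
)


def admin_accounts_without_ticket(events, tickets):
    """Lateral movement: privileged accounts created with no service-desk ticket behind them."""
    return [e["new_user"] for e in events if e["admin"] and e["new_user"] not in tickets]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Credential theft: one user seen in two places faster than an airliner could carry them."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            speed = km / max(hours, 1 / 3600)  # logins in the same second count as infinite speed
            if speed > max_kmh:
                hits.append((user, round(speed), prev["src"], cur["src"]))
    return hits


def egress_outliers(flows, factor=10):
    """Exfiltration: latest hourly volume to one destination far above that host's own baseline."""
    series = defaultdict(list)
    for src, dst, port, nbytes in flows:
        series[(src, dst, port)].append(nbytes)
    out = []
    for key, vals in series.items():
        if len(vals) < 3:
            continue  # not enough history to call anything a baseline
        baseline = median(vals[:-1])
        if vals[-1] > factor * baseline:
            out.append((key, vals[-1], baseline))
    return out


if __name__ == "__main__":
    print("admin accounts without ticket:", admin_accounts_without_ticket(AD_EVENTS, TICKETS))
    print("impossible travel:", impossible_travel(AUTH_EVENTS))
    print("egress outliers:", egress_outliers(FLOWS))
```

The egress check keys on (host, destination, port) rather than on total host traffic, so the DNS spike in the sample is caught even though port 53 volume is normally tiny; a per-host total would bury it under ordinary web traffic. The median baseline is deliberately robust to one earlier outlier, which a mean is not.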
Slide 32: Insider Threat
What To Look For | Data Source
Abnormally high number of file transfers to USB or CD/DVD | OS
Abnormally large amount of data going to a personal webmail account or uploaded to an external file hosting site | Email / web server
Unusual physical access attempts (after hours, accessing an unauthorized area, etc.) | Physical badge records / AD
Above actions + employee is on an internal watchlist as a result of transfer / demotion / poor review / impending layoff | HR systems / above
User name of a terminated employee accessing an internal system | AD / HR systems
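Scoring these signals per user instead of alerting on each one, which is the "scoring and aggregation" of slide 18 and the "severity based → risk-based" shift of slide 8, as an added example (not code from the deck or from Splunk). The per-user series, badge and HR records, the signal weights, the 3-sigma threshold and the watchlist multiplier are all constructed for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-user data (not from the slides); field names and weights are assumptions.
USB_FILES_PER_DAY = {"chris.gilbert": [2, 1, 0, 3, 1, 37], "monte": [0, 0, 1, 0, 0, 1]}
WEBMAIL_UPLOAD_MB = {"chris.gilbert": [5, 3, 4, 6, 4, 950], "monte": [2, 3, 2, 2, 3, 3]}
BADGE_EVENTS = [  # (user, timestamp, door, access_authorized)
    ("chris.gilbert", "2014-05-06T02:10:00", "datacenter", False),
    ("monte", "2014-05-06T09:00:00", "lobby", True),
]
AD_LOGINS = [("chris.gilbert", "fileserver01"), ("a.former", "intranet01")]
HR = {  # HR system feed: employment status and watchlist reason
    "chris.gilbert": {"status": "active", "watchlist": "impending layoff"},
    "monte": {"status": "active", "watchlist": None},
    "a.former": {"status": "terminated", "watchlist": None},
}

WEIGHTS = {"usb_spike": 20, "webmail_spike": 25,
           "after_hours_or_unauthorized_badge": 15, "terminated_user_login": 60}
WATCHLIST_MULTIPLIER = 1.5  # HR context raises, never creates, a score
Z_THRESHOLD = 3.0


def zscore_last(series):
    """How far today's value sits from the user's own earlier days, in standard deviations."""
    baseline = series[:-1]
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (series[-1] - mean(baseline)) / sd


def collect_signals():
    """Run each slide-32 check and return {user: [signal names]} for users with any hit."""
    signals = defaultdict(list)
    for user, series in USB_FILES_PER_DAY.items():
        if zscore_last(series) > Z_THRESHOLD:
            signals[user].append("usb_spike")
    for user, series in WEBMAIL_UPLOAD_MB.items():
        if zscore_last(series) > Z_THRESHOLD:
            signals[user].append("webmail_spike")
    for user, ts, door, authorized in BADGE_EVENTS:
        hour = int(ts[11:13])
        if not authorized or hour < 6 or hour >= 20:
            signals[user].append("after_hours_or_unauthorized_badge")
    for user, host in AD_LOGINS:
        if HR.get(user, {}).get("status") == "terminated":
            signals[user].append("terminated_user_login")
    return dict(signals)


def risk_scores(signals):
    """Sum the weighted signals per user, apply watchlist context, cap at 100, highest first."""
    scores = {}
    for user, names in signals.items():
        score = sum(WEIGHTS[n] for n in names)
        if HR.get(user, {}).get("watchlist"):
            score *= WATCHLIST_MULTIPLIER
        scores[user] = min(100, round(score))
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for user, score in risk_scores(collect_signals()).items():
        print(f"{user:15} {score:3}")
```

Each individual signal here is low severity on its own (a USB spike alone is usually a backup), and a severity-based queue would never surface them; the aggregate, weighted by the HR context the slide calls out, is what puts the right user at the top of the analyst's list. The baseline is the user's own history, so a user who always uploads a lot is not flagged for doing so again.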
Slide 33: Example Patterns of Fraud in Machine Data
Industry           | Type of Fraud/Theft/Abuse | Pattern
Financial Services | Account takeover          | Abnormally high number or dollar amounts of wire transfer withdrawals
Healthcare         | Physician billing         | Physician billing for drugs outside their expertise area
E-Tailing          | Account takeover          | Many accounts accessed from one IP
Telecoms           | Calling plan abuse        | Customer making an excessive number of international calls on an unlimited plan
Online Education   | Student loan fraud        | Student receiving a federal loan has an IP in a "high-risk" overseas country and is absent from online classrooms and forums
Slide 34: Security Use Cases
Splunk Can Complement OR Replace an Existing SIEM
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Monitoring of Unknown, Advanced Threats
• Incident Investigations & Forensics
• Insider Threat
Slide 35: Splunk for Security
Security apps & add-ons: Splunk App for PCI, Splunk Enterprise Security, Splunk User Behavior Analytics
Use areas: SIEM, Security Analytics, Fraud/Theft and Abuse, Platform for Security Services
Data: wire data, Windows (= SIEM integration), RDBMS (any) data
Slide 36: Splunk is the Nerve Center
Feeds: App, Endpoint/Server, Cloud, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Network
Slide 37: Getting Started
• Splunk Enterprise Free Download
• Enterprise Security Cloud Trial
• Splunk UBA Proof of Value
Slide 38: The 7th Annual Splunk Worldwide Users' Conference
SEPT 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Thank You

Operational Security Intelligence

  • 1.
  • 2.
    2 What is SecurityIntelligence? Information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information. http://whatis.techtarget.com/definition/security-intelligence-SI
  • 3.
    3 • Your adversariesare organized • Your adversaries are adaptable • Your defenses are static • Your defenses are predictable • Your defenses will be breached Challenges Source: Mandiant M-Trends Report 2012/2013/2014 100% Valid credentials were used 40 Average # of systems accessed 229 Median # of days before detection 67% Of victims were notified by external entity
  • 4.
    4 Growing adoption ofcloud, mobile and new application workloads requiring hybrid deployment across on-premise and cloud infrastructures Growing concern of insider threat & privileged users On-going skills/knowledge training 4 More Challenges SOC Director SOC Manager SOC Architect Tier 1 Analyst Tier 2 Analyst Tier 3 Analyst Forensics Specialist Malware Engineer Counter- Intel
  • 5.
  • 6.
  • 7.
    7 Solutions and securityapproaches that: – Use threat Intelligence, security services and coordinated defense (sharing) – Rapid response using ad-hoc analysis to handle advanced threats – Utilize data science, machine learning and analytics for security 7 What is Required
  • 8.
    New Approach toSecurity Needed Traditional Methods New Requirements Data reduction Data completeness & coverage Event correlation Multiple, dynamic relationships Detect attacks Detect & respond to attack lifecycle – Disrupt it! Needle in a haystack Hay in haystack Power user All users Severity based Risk-based 8 Event based … and time, user, phase, more…
  • 9.
    New Approach toSecurity Needed Traditional Methods New Requirements 9 Situational awareness Analysis & rapid response Operation / Monitoring Center Nerve Center / Command Center
  • 10.
    Drivers to OperationalizingSecurity Intelligence Detection Early detection and disruption 10 Event driven Analytics driven Correlation Correlation, pattern, anomaly detection Human rule authoring Data science & machine learning Silo’d approach Collaborative and orchestrated
  • 11.
    The Evolution ofSecurity Operations is Needed • Human directed • Goal-oriented • Dynamic (adjust to changes) • Coordinated • Multiple tools & activities • New evasion techniques • Fusion of people, process, & technology • Contextual and behavioral • Rapid learning and response • Share info & collaborate • Analyze all data for relevance • Leverage IOC & Threat Intel THREAT Attack Approach Security Approach 11 TECHNOLOGY PEOPLE PROCESS
  • 12.
    12 Connect the “Data-Dots”to See the Whole Story Persist, Repeat 1 Deliver, Exploit Install Gain Trusted Access ExfiltrationData GatheringUpgrade (Escalate) Lateral Movement Persist, Repeat Threat Pattern Threat Intelligence Attacker, know C2 sites, infected sites, IOC, attack/campaign intent and attribution • External threat intel • Internal threat intel • Indicators of compromise Network Activity/Security Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download • Malware sandbox • Web proxy • NetFlow • Firewall • IDS / IPS • Vulnerability scanner Endpoint Activity/Security What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility • DHCP • DNS • Patch mgmt • Endpoint (AV/IPS/FW) • ETDR • OS logs Authorization – User/Roles Access level, privileged users, likelihood of infection, where they might be in kill chain • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
  • 13.
    13 Connecting People andData Through a Nerve Center
  • 14.
    Operationalizing Security Intelligence Risk-BasedContext and Intelligence Connecting People and Data 14
  • 15.
    15 Machine Generated Datais a Definitive Record of Human-to-Machine and Machine- to-Machine Interaction 1
  • 16.
    16 Security Relevant Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication = Big DataAll Data is
  • 17.
    17 1 Network EndpointAccess Data Sources Threat Intelligence
  • 18.
    18 Risk Based Analytics NetworkEndpoint AccessThreat Intelligence Pattern/String/Regex matching Statistical outliers and anomalies Scoring and aggregation Session and Behavior profiling
  • 19.
    19 Context and Intelligence Integrateacross technologies Automated context matching Automated context acquisition Post processing and post analysis Threat Intelligence Asset & CMDB API/SDK Integrations Data Stores Applications
  • 20.
    20 Connecting People andData Any data, all data Interact with views and workflows Free form investigation – human intuition Human mediated automation Sharing and collaboration Automation Collaboration Investigation Workflows All data
  • 21.
    Remote Site Headquarters Firewall Database Server File Server Intranet Server Applica on Server Wi-fiFirewall Internet RemoteSite Wi-fiFirewall Wi-fi Information Technology (IT) Monitor Troubleshoot CollaborateTriage ConfigureReport
  • 22.
    Remote Site Headquarters Firewall Database Server File Server Intranet Server Applica on Server Wi-fiFirewall Internet RemoteSite Wi-fiFirewall Wi-fi http (web) session to command & control server Remote control Steal data Persist in company Rent as botnet WEB .pdf .pdf executes & unpacks malware overwritingand running “allowed” programs Svchost.exeCalc.exe Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Information Security (InfoSec) Information Technology (IT) Monitor Investigate CollaborateTriage ScopeReport Monitor Troubleshoot CollaborateTriage ConfigureReport Recover
  • 23.
    Remote Site Headquarters Firewall Database Server File Server Intranet Server Applica on Server Wi-fiFirewall Internet RemoteSite Wi-fiFirewall Wi-fi http (web) session to command & control server Remote control Steal data Persist in company Rent as botnet WEB .pdf .pdf executes & unpacks malware overwritingand running “allowed” programs Svchost.exeCalc.exe Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment Information Security (InfoSec) Information Technology (IT) Monitor Investigate CollaborateTriage ScopeReport Recover Monitor Troubleshoot CollaborateTriage ConfigureReport …
  • 24.
    24 Threat intelligence Auth -User Roles, Corp Context Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery MAIL WEB WEB FW Accomplish Mission Modern Attacks Look Like a Transaction Email Download from infected site 1 2 5 6 7 8 3 4 Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
  • 25.
    25 Threat intelligence Auth -User Roles, Corp Context Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery MAIL WEB WEB FW Accomplish Mission Connect the “Data-dots” to See the Whole Story phishing Download from infected site 1 2 5 6 7 8 3 4 Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc. Threat Intelligence Data Email Data Or Web Data Host or ETDR Data Web or Firewall Data Threat Intelligence Data Identity Data
  • 26.
    26 Threat intelligence Auth -User Roles, Corp Context Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery MAIL WEB WEB FW Accomplish Mission Start anywhere, analyze up-down-across-backwards-forward phishing Download from infected site 1 2 5 6 7 8 3 4 Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc. • 3rd party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
  • 27.
    Subject: new commissionreport breakdown From: Jose Dave <[email protected]> To: <[email protected]> Content-type: multipart/mixed; Content-type: application/pdf; name=”Q2_commission.pdf" dest_ip cmdb_bu_owner cmdb_application_name cmdb_system_owner cmdb_app_lifecycle cmdb_s_ox cmdb_GLBA cmdb_app_uses_ssn cmdb_credit_card_data cmdb_priority cmdb_server_software cmdb_supported_by cmdb_server_phase cmdb_db_server cmdb_db_name cmdb_PCI cmdb_PII cmdb_safe_harbor 192.168.56.102 Sales Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.12.224 Marketing Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.10.217 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes 172.20.15.229 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes 27 bad_ip,threat_intel_source 115.29.46.99/32,zeus_c2s 61.155.30.0/24,cymru_http 54.211.114.134 - - [05/May/2014:22:40:54 -0400] "POST /portal/wp-login.php HTTP/1.1" 200 4395 "-” 54.211.114.134 - - [06/May/2014:00:05:47 -0400] "GET /tech/wp-content/uploads/2014/05/Q2_commission.pdf HTTP/1.1" 206 2475168 "- ” {"action": "create", "path": ”…Content.OutlookQ2_commission.pdf”, "process_guid": “-7751687”} {"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": “3259531”, "port": 443} Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Securit y Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
  • 28.
    Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Securit y 115.29.46.99/32,zeus_c2s 61.155.30.0/24,cymru_http {"domain":"115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": “3259531”, "port": 443} dest_ip cmdb_bu_owner cmdb_application_name cmdb_system_owner cmdb_app_lifecycle cmdb_s_ox cmdb_GLBA cmdb_app_uses_ssn cmdb_credit_card_data cmdb_priority cmdb_server_software cmdb_supported_by cmdb_server_phase cmdb_db_server cmdb_db_name cmdb_PCI cmdb_PII cmdb_safe_harbor 192.168.56.102 Sales Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.12.224 Marketing Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.10.217 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes 172.20.15.229 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes {"action": "create", "path": ”…Content.OutlookQ2_commission.pdf”, "process_guid": “-7751687”} Subject: new commission report breakdown From: Jose Dave <[email protected]> To: <[email protected]> Content-type: multipart/mixed; Content-type: application/pdf; name=”Q2_commission.pdf" 115.29.46.9 9 115.29.46.9 9 Q2_commission.pdf Q2_commission.pdf [email protected] [email protected] "process_guid": “3259531”"process_guid": “-7751687” "action": "create” Reconnaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
  • 29.
    Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Securit y 115.29.46.99/32,zeus_c2s 61.155.30.0/24,cymru_http {"domain":"115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": “3259531”, "port": 443} dest_ip cmdb_bu_owner cmdb_application_name cmdb_system_owner cmdb_app_lifecycle cmdb_s_ox cmdb_GLBA cmdb_app_uses_ssn cmdb_credit_card_data cmdb_priority cmdb_server_software cmdb_supported_by cmdb_server_phase cmdb_db_server cmdb_db_name cmdb_PCI cmdb_PII cmdb_safe_harbor 192.168.56.102 Sales Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.12.224 Marketing Laptop [email protected] Production No No No No Tier 3 Windows7 Internal Deployed N N/A No No No 172.20.10.217 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes 172.20.15.229 eCommerce Laptop [email protected] Staging Yes Yes No Yes Tier 1 Windows7 Internal Deployed Y Oracle Yes Yes Yes {"action": "create", "path": ”…Content.OutlookQ2_commission.pdf”, "process_guid": “-7751687”} Subject: new commission report breakdown From: Jose Dave <[email protected]> To: <[email protected]> Content-type: multipart/mixed; Content-type: application/pdf; name=”Q2_commission.pdf" 115.29.46.9 9 115.29.46.9 9 Q2_commission.pdf Q2_commission.pdf [email protected] [email protected] "process_guid": “3259531”"process_guid": “-7751687” "action": "create” Tier 1 Analyst Tier 2 Analyst Tier 3 Analyst SOC Mgr Hunters Response Teams Breach Investigator Forensics Counter Threat Team Research/Intelligence Malware research Analytics Security Analyst IT admin/engr Network engr Identity, infrastructure Auditor IT team Network team Security team Monitor Alert Breach Detection & Scoping, CSIRT Share Collaborate Incident response Investigation Contain Remediate Audit, Report, Awareness
  • 30.
  • 31.
    31 Examples 31 Attack Phase What Threat isDoing What to Look For Data Source Lateral movement Creating new admin accounts Account creation without corresponding IT service desk ticket AD/ Service Desk logs Data gathering Stealing credentials For single employee: Login at one location, then logs in again miles away in a timeframe that is not physically possible Badge/ VPN/ Auth Data gathering Gathering confidential data for theft Employee deviates from normal behavior – more requests for confidential data than normal OS Exfiltration Exfiltration of info Larger traffic flows then usual (incl DNS) from a host to a given IP NetFlow
  • 32.
    32 Insider Threat What ToLook For Data Source Abnormally high number of file transfers to USB or CD/DVD OS Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site Email / web server Unusual physical access attempts (after hours, accessing unauthorized area, etc) Physical badge records / AD Above actions + employee is on an internal watchlist as result of transfer / demotion / poor review / impending layoff HR systems / above User name of terminated employee accessing internal system AD / HR systems
  • 33.
    33 Example Patterns ofFraud in Machine Data Industry Type of Fraud/Theft/Abuse Pattern Financial Services Account takeover Abnormally high number or dollar amounts of wire transfer withdrawals Healthcare Physician billing Physician billing for drugs outside their expertise area E-Tailing Account takeover Many accounts accessed from one IP Telecoms Calling plan abuse Customer making excessive amount of international calls on an unlimited plan Online Education Student loan fraud Student receiving federal loan has IP in “high-risk” overseas country and is absent from online classrooms and forums
  • 34.
    34 SECURITY USE CASES In SECURITY& COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN, ADVANCED THREATS INCIDENT INVESTIGATIONS & FORENSICS INSIDER THREAT 3 Splunk Can Complement OR Replace an Existing SIEM INSIDER THREAT
  • 35.
    35 Splunk for Security
    • Splunk Enterprise Security (SIEM)
    • Splunk App for PCI
    • Splunk User Behavior Analytics (security analytics; fraud, theft and abuse)
    • Security apps & add-ons
    • Platform for security services
    (Diagram: the products above layered on the Splunk platform, with wire data, Windows data (SIEM integration) and RDBMS data from any database shown as inputs)
  • 36.
    36 Splunk is the Nerve Center
    (Diagram: Splunk at the center, fed by App, Endpoint/Server, Cloud, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity and Network data sources)
  • 38.
    38 The 7th Annual Splunk Worldwide Users’ Conference
    Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
    • 5000+ IT & business professionals
    • 3 days of technical content
    • 165+ sessions
    • 80+ customer speakers
    • 35+ apps in the Splunk Apps Showcase
    • 75+ technology partners
    • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
    • NEW hands-on labs!
    • Expanded show floor, Dashboards Control Room & Clinic, and more!
    PLUS Splunk University
    • Three days: Sept 24-26, 2016
    • Get Splunk certified for free!
    • Get CPE credits for CISSP, CAP, SSCP
    • Save thousands on Splunk education!

Editor's Notes

  • #3  Activities and artifacts that enable you to make informed decisions so you can detect, respond and more effectively resolve issues from anywhere in the attack lifecycle/kill chain
  • #4  Which means you are always on your heels, reacting and trying to plug holes …
  • #7  As well as learning a myriad of options and solutions …
  • #9  Using a set of conditions, UBA (data science) identifies and relates anomalies and threats, and ties them to the entities (users/systems/devices) involved
  • #10  Automate
  • #12  Indicators Of Compromise
  • #13  “Malware sandbox”: FireEye and Palo Alto Networks’ WildFire technology detonate email and web-based payloads, attachments and links in a virtual sandbox; also called “payload analysis” or “advanced malware detection”. ETDR is Endpoint Threat Detection and Response: Cyvera (now part of Palo Alto Networks), Carbon Black (part of Bit9), RSA ECAT
  • #15  The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape. 
  • #21  Lock an account after 10 failed logins, but if it is an executive account someone has to authorize/approve the lockout.
  • #25  The following is a very simplistic description of an attack sequence. Modern attacks look a lot like a transaction, meaning: there are multiple steps; there is an objective/goal/mission; each step could be different; different technology components see different aspects of the “transaction”. An attack sequence looks like the following:
    1. The attacker infects a site (which then hosts the malware) or creates malware embedded in an executable file, such as a .pdf (which is capable of running JavaScript).
    2. The attacker sends an email with the malware embedded in the file, or sends an email with a link to the infected site, or the victim visits the infected site on their own (from a search or other means).
    3. The malware is now on the “victim” machine (delivered by email or downloaded by the user). Notice that the malware can be downloaded but not yet executed.
    4. The malware is executed (it was hidden in the email attachment or in a web page on the infected site).
    5. The malware creates processes, installs itself and performs a variety of tasks/operations/processes on the “victim”, often trying to hide itself.
    6. The malware calls back to the attacker to get additional software and direction, typically using allowed outbound traffic such as web or other services permitted through the firewall.
    7. The attacker gains control of the “victim” machine and uses its “trusted access” (the valid credentials) to look for other machines to attack.
    8. The attacker uses the first victim as a gateway to access other systems, often creating additional user IDs and credentials and mapping the network to determine what is in it, and ultimately to accomplish the mission. At this stage the attacker has gained persistence in the environment.
    Several things to notice: the sequence of events looks very similar to an e-commerce transaction or any other event chain across multiple devices and technologies; every step in the “event chain” has relationships from one event to the next; any activity along the event chain can differ from one attack to another. The goal of any security program is to detect, prevent, respond to and recover from attacks, whether from the outside or from the inside.
  • #26  Endpoint Threat Detection and Response
  • #27  Where they went, who talked to whom, whether an attack/payload was transmitted, any abnormal traffic, whether malware was downloaded.
    What process is running (malicious, abnormal, etc.), process owner, registry modifications, attack/malware artifacts, patching level, attack susceptibility.
    Access level, privileged users, likelihood of infection, where they might be in the kill chain.
  • #29  Identify a threat intelligence hit
  • #33  An insider threat is a current or former employee, contractor, or partner organization with malicious intent.
  • #34  Ultimately, the patterns of fraud are often present in machine data, and searches can be written to look for these patterns and alert on them.