Splunk Data Platform. Denise Roca / droca@tecnoav.com, Software Manager
2017 SPLUNK INC.
This digital evolution is changing everything. There's an explosion of data beyond anything our world has experienced: self-driving everything, machine learning, 3D printing, smart phones, smart appliances, cloud, smart cities, smart buildings, autonomous everything, drones.
How do we turn the data of an evolving world into meaningful business outcomes?
The traditional approach to managing complexity: building relational, structured databases and heavy integrations. Hardened systems and databases that never change (or face never-ending integration and MDM projects), and an attempt to gather all present and future requirements up front.
But the traditional approach can't adapt to digital evolution: your structured systems miss critical business outcomes, machine data is messy and unpredictable, it requires massive scale, and you don't always know which questions to ask.
Splunk delivers a holistic approach to turning data into business outcomes: any user, anywhere (IT, security, business users, developers), on-premises and in the cloud, including IoT; powered by AI and ML; with access to an expanding data universe.
Splunk Analytics-Driven Security
Index untapped data: any source, type, volume. Real-time machine data from containers, online services, on-premises servers, security, web services, GPS location, private cloud, storage, desktops, networks, RFID, packaged applications, messaging, custom applications, online shopping cart, telecoms, NGFW firewall, call detail records, databases, threat intelligence, public cloud, smartphones and devices, web clickstreams, intrusion prevention.
Developer platform: ad hoc search, monitor and alert, report and analyze, custom dashboards.
- References: coded fields, mappings, aliases
- Dynamic information: stored in non-traditional formats
- Environmental context: human-maintained files, documents
- System/application: available only using application request
- Intelligence/analytics: indicators, anomaly, research, white/blacklist
Splunk Features
- Search and investigate: search and navigate all of your machine data in real time.
- Correlate and analyze: easily find relationships between events or activities; correlate based on time, location, or custom search results.
- Monitor and alert: prioritize investigation and response with threshold-based alerting.
- Visualize and report: visualize long-term and historical trends; build reports and dashboards suited to any business, operational, or security need.
Security Investigation
Developing an Investigative Mindset
The six questions around an ALERT: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
For each one: What specific questions do I want answered? What is the logic / methodology to apply? What's an example? Where do I look?
Investigative Mindset: Questions to Ask
The six questions around an ALERT (What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?), each broken down into the question, the logic, an example and the data to look at.

What happened?
- Question: Why did an alert trigger? Has a system actually been compromised?
- Logic: Search for events that match the alert criteria and similar events leading up to the alert.
- Example: Find all failed authentication attempts by a user.
- Data: Endpoint logs, authentication logs, network logs, threat intelligence.
Who was involved?
- Question: What accounts / users are associated with that system?
- Logic: Determine event-to-identity mapping.
- Example: John's account attempted to access a system it has never logged into before.
- Data: Identity system, authentication logs.
When did it start?
- Question: What does the timeline of activities leading up to and during the alert look like?
- Logic: Histogram and timeline.
- Example: Widen the search to look over a wider set of historical data.
- Data: All available data.
Where was it seen?
- Question: What devices / assets are associated with the alert?
- Logic: Determine event-to-asset mapping.
- Example: IP 10.1.12.12 has the hostname DC-Seltzer, is a Windows 10 workstation and has 2 critical vulnerabilities.
- Data: Endpoint, network devices, CMDB/asset.
How did it get in?
- Question: Is there a logical connection to other activity, IPs, hosts, malware, or other alerts?
- Logic: Search network and host event logs to determine initial entry.
- Example: A USB key opened an infected ransomware file; user email indicates the victim of spear phishing.
- Data: Endpoint, network devices, web proxy, mail proxy, DNS, authentication.
How do I contain it?
- Question: Has the attack progressed beyond system infection?
- Logic: Identify whether malware has spread.
- Example: Observe indicators on other hosts or on the network.
- Data: Threat intelligence, endpoint, firewall, web proxy, mail proxy, wire data.
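As an added example (not part of the original slides, and not Splunk's own code), the six investigative rows above carried through in Python over constructed data: a handful of authentication and endpoint events, an identity lookup and a CMDB-style asset table. Field names, index names in the SPL comments, the hosts, the user names and the indicator hashes are all assumptions made for illustration; the only value taken from the slides is the 10.1.12.12 / DC-Seltzer asset row.

```python
"""Walk the six investigative questions over constructed log data.

Added example, not from the original slides. Every event, lookup table and
field name below is constructed for illustration; the SPL lines in comments
assume index and field names that may differ in a real deployment.
"""
from collections import Counter
from datetime import datetime

# Constructed authentication events (assumed fields: ts, user, src_ip, dest, action).
AUTH_EVENTS = [
    {"ts": "2017-09-01T08:02:10", "user": "john",  "src_ip": "10.1.12.12", "dest": "FS-01",  "action": "success"},
    {"ts": "2017-09-01T09:14:02", "user": "john",  "src_ip": "10.1.12.12", "dest": "FIN-DB", "action": "failure"},
    {"ts": "2017-09-01T09:14:09", "user": "john",  "src_ip": "10.1.12.12", "dest": "FIN-DB", "action": "failure"},
    {"ts": "2017-09-01T09:14:15", "user": "john",  "src_ip": "10.1.12.12", "dest": "FIN-DB", "action": "failure"},
    {"ts": "2017-09-01T09:14:30", "user": "john",  "src_ip": "10.1.12.12", "dest": "FIN-DB", "action": "success"},
    {"ts": "2017-09-01T10:30:00", "user": "maria", "src_ip": "10.1.12.40", "dest": "FS-01",  "action": "success"},
]

# Constructed identity system and CMDB/asset lookups (the slides' "Identity system" and "CMDB/Asset").
IDENTITY = {"john": {"name": "John Example", "dept": "Sales"},
            "maria": {"name": "Maria Example", "dept": "Finance"}}
ASSETS = {"10.1.12.12": {"hostname": "DC-Seltzer", "os": "Windows 10 Workstation", "critical_vulns": 2},
          "10.1.12.40": {"hostname": "WS-040", "os": "Windows 10 Workstation", "critical_vulns": 0}}

# Constructed endpoint events carrying a file-hash indicator (placeholder hashes, not real IoCs).
ENDPOINT_EVENTS = [
    {"ts": "2017-09-01T09:10:00", "host": "DC-Seltzer", "file_hash": "PLACEHOLDER_HASH_1"},
    {"ts": "2017-09-01T09:40:00", "host": "WS-040",     "file_hash": "PLACEHOLDER_HASH_1"},
    {"ts": "2017-09-01T09:50:00", "host": "WS-077",     "file_hash": "PLACEHOLDER_HASH_2"},
]
THREAT_INTEL = {"PLACEHOLDER_HASH_1"}  # constructed indicator list


def failed_auth_by_user(events):
    """What happened? Count failed authentications per user.
    Equivalent SPL (names assumed): index=auth action=failure | stats count by user
    """
    return Counter(e["user"] for e in events if e["action"] == "failure")


def users_on_host(events, src_ip):
    """Who was involved? Event-to-identity mapping: identities that acted from this source IP."""
    return {e["user"]: IDENTITY.get(e["user"], {"name": "unknown"})
            for e in events if e["src_ip"] == src_ip}


def first_seen_destinations(events, user, alert_ts):
    """Who was involved? Destinations the user reached at or after alert_ts with no
    successful login before it ("a system it has never logged into before").
    ISO-8601 timestamps compare correctly as strings.
    """
    before = {e["dest"] for e in events
              if e["user"] == user and e["action"] == "success" and e["ts"] < alert_ts}
    after = {e["dest"] for e in events if e["user"] == user and e["ts"] >= alert_ts}
    return sorted(after - before)


def timeline(events, minutes=60):
    """When did it start? Histogram of event counts per time bucket, oldest first.
    Equivalent SPL (names assumed): index=auth user=john | timechart span=1h count
    """
    buckets = Counter()
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        bucket = t.replace(minute=(t.minute // minutes) * minutes, second=0)
        buckets[bucket.isoformat()] += 1
    return dict(sorted(buckets.items()))


def asset_for_ip(ip):
    """Where was it seen? Event-to-asset mapping via the CMDB table.
    Equivalent SPL (lookup name assumed): ... | lookup assets ip AS src_ip OUTPUT hostname os critical_vulns
    """
    return ASSETS.get(ip, {"hostname": "unknown", "os": "unknown", "critical_vulns": None})


def spread_of_indicator(endpoint_events, intel, first_host):
    """How do I contain it? Hosts other than the first infected one where a
    threat-intel indicator was also observed; non-empty means the attack has spread.
    """
    hosts = {e["host"] for e in endpoint_events if e["file_hash"] in intel}
    return sorted(hosts - {first_host})


def investigate(alert_user, alert_ip, alert_ts):
    """Run the questions in order for one alert and return a single report dict."""
    asset = asset_for_ip(alert_ip)
    return {
        "failed_logins": failed_auth_by_user(AUTH_EVENTS).get(alert_user, 0),
        "identities": users_on_host(AUTH_EVENTS, alert_ip),
        "new_destinations": first_seen_destinations(AUTH_EVENTS, alert_user, alert_ts),
        "timeline": timeline([e for e in AUTH_EVENTS if e["user"] == alert_user]),
        "asset": asset,
        "spread_to": spread_of_indicator(ENDPOINT_EVENTS, THREAT_INTEL, asset["hostname"]),
    }


if __name__ == "__main__":
    for key, value in investigate("john", "10.1.12.12", "2017-09-01T09:14:00").items():
        print(f"{key}: {value}")
```

Each function maps to one slide row, so an analyst can run the whole chain with `investigate(user, ip, alert_time)` or call a single step while widening the time window, which is what the "When did it start?" row recommends. The "How did it get in?" row has no function of its own because its logic (reading web, mail and DNS logs for the initial entry) is the same search-and-correlate pattern as the other steps applied to different sources.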
Security Intelligence Use Cases: security monitoring, compliance, fraud detection, incident response, advanced threat detection, insider threat, incident investigation and forensics, SOC automation.
Answer: start with the top 5 CIS Controls. Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent; implementing all 20 CIS Controls increases the risk reduction to around 94 percent. Source: Center for Internet Security, https://www.cisecurity.org/critical-controls.cfm
CIS Critical Security Controls app: https://splunkbase.splunk.com/app/3064/#/overview and https://www.splunk.com/goto/top20csc
THANK YOU Log, I am your father