Essentials to creating your own Security Posture using Splunk Enterprise

Similar documents
FFIEC Cybersecurity Assessment Tool

Data Onboarding. Where Do I begin? Luke Netto Senior Professional Services Splunk. September 26, 2017 Washington, DC

Dashboard Time Selection

Create Dashboards that People Love

DB Connect Is Back. and it is better than ever. Tyler Muth Denis Vergnes. September 2017 Washington, DC

Building a Threat-Based Cyber Team

Compare Security Analytics Solutions

Modernizing InfoSec Training and IT Operations at USF

Measuring HEC Performance For Fun and Profit

Need for Speed: Unleashing the Power of SecOps with Adaptive Response. Malhar Shah CEO, Crest Data Systems Meera Shankar Alliance Manager, Splunk

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

The Power of Data Normalization. A look at the Common Information Model

Docker and Splunk Development

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Running Splunk Enterprise within Docker

Introducing Splunk Validated Architectures (SVA)

Click to edit Master title style. DIY vs. Managed SIEM

Scaling Indexer Clustering

Building Resilience in a Digital Enterprise

Dashboards & Visualizations: What s New

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Using Splunk Enterprise To Optimize Tailored Long-term Data Retention

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

ISO27001 Preparing your business with Snare

Making the Most of the Splunk Scheduler

RSA NetWitness Suite Respond in Minutes, Not Months

IT Services IT LOGGING POLICY

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

CIS Controls Measures and Metrics for Version 7

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Data Obfuscation and Field Protection in Splunk

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

Dashboard Wizardry. Advanced Dashboard Interactivity. Siegfried Puchbauer Principal Software Engineer Yuxiang Kou Software Engineer

Dragons and Splunk Do Not Do Well In Captivity

Evolution Of Cyber Threats & Defense Approaches

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

RSA ECAT DETECT, ANALYZE, RESPOND!

ForeScout CounterACT. Configuration Guide. Version 1.4

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

ForeScout Extended Module for Splunk

CIS Controls Measures and Metrics for Version 7

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Next Generation Dashboards

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Preventing the Next Insider Threat from Leveraging Cross Domain Data Movement

Deep Instinct v2.1 Extension for QRadar

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Search Head Clustering Basics To Best Practices

Enterprise Security Biology

Un SOC avanzato per una efficace risposta al cybercrime

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

CloudSOC and Security.cloud for Microsoft Office 365

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Visualizing the Health of Your Mobile App

Notices. Third Party Project Usage. Sample Code in Documentation

Be effective in protecting against the cybercrime

Cryptography and Network Security Chapter 1

Squeezing all the Juice out of Splunk Enterprise Security

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Symantec Network Access Control Starter Edition

Integrate Palo Alto Traps. EventTracker v8.x and above

Bring Context To Your Machine Data With Hadoop, RDBMS & Splunk

ForeScout ControlFabric TM Architecture

Best Practices for Scoping Infections and Disrupting Breaches

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

UPDATED: 10/17/16. Senior Level. Senior Specialty Threat, Consultant, Engineer, Manager. Mid Level Analyst

Seceon s Open Threat Management software

Examining the Evolution of CERT Operations. Managed Incident Program Prevention & Response. The Methodology of INTEL

RSA Security Analytics

SOC Operations on the Autobahn. Don t let the green grass fool you

Best practices with Snare Enterprise Agents

Splunk & AWS. Gain real-time insights from your data at scale. Ray Zhu Product Manager, AWS Elias Haddad Product Manager, Splunk

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Synchronized Security

Intrusion Prevention Signature Failures Symantec Endpoint Protection

Securing IEDs against Cyber Threats in Critical Substation Automation and Industrial Control Systems

Indexer Clustering Internals & Performance

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

CyberArk Privileged Threat Analytics

Cyber Security For Business

The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks

One Hospital s Cybersecurity Journey

Metrics Analysis with the Splunk Platform

Security+ SY0-501 Study Guide Table of Contents

<Partner Name> <Partner Product> RSA NETWITNESS Security Operations Implementation Guide. Gurucul Risk Analytics

Security Operations & Analytics Services

ForeScout Research and Intelligent Analytics Program

Advanced Endpoint Protection

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Comodo cwatch Network Software Version 2.23

NETWORK THREATS DEMAN

Mcafee Network Intrusion Detection System. Project Report >>>CLICK HERE<<<

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Using Splunk to Assess and Implement Critical Security Control #3

Transcription:

Essentials to creating your own Security Posture using Splunk Enterprise Using Splunk to maximize the efficiency and effectiveness of the SOC / IR Richard W. McKee, MS-ISA, CISSP Principal Cyber Security Analyst Nevada National Security Site September 28, 2017 Washington, DC

Forward-Looking Statements During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.

2017 SPLUNK INC. It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle. The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. Sun Tzu, The Art of War https://en.wikiquote.org/wiki/sun_tzu

Richard W. McKee Background Experience and Education Principal Cyber Security Analyst Nevada National Security Site 25 years in law enforcement Last 11 years in computer forensics and cyber investigations (criminal and national security) Master of Science Information Security and Assurance Bachelor of Business Administration Management Information Systems Certifications CISSP, Splunk Certified Power User, EnCE, GPEN, GCIH, GREM, GMON, GNFA, GISP

Background How the NNSS Splunk experience relates to your enterprise

What is the NNSS?

Prevention is Ideal But Detection is a Must Splunk is the primary SIEM for the NNSS All hosts and devices capable of sending logs to Splunk do so Cyber has made logging a policy requirement and all in-house developers or hired consultants must write software capable of logging and sending events to Splunk

Data Sources know yourself... Windows Hosts Linux Hosts Mac Hosts Routers and Switches Firewalls Endpoint Protection Syslog Internal Splunk servers Databases VPN RSA Active Directory VoIP Phones and Servers Email Security Appliance Malware Sandbox FortiMail DLP Mobile Device Management

Configuration A physical syslog server is the primary feed for Splunk For security, only the syslog server can communicate directly with the Splunk indexers All forwarders and devices feed the syslog box directly* A 10Gbps tap is also feeding the syslog server If Splunk fails, logs are also temporarily stored on Syslog

Host Logs Enterprise Snare is used to grab logs from sources. NNSS brought the Snare developer in from Australia to custom create agents for Windows, Mac, Linux, SQL, and Epilog The Snare Agents are highly customizable and act as the first filter prior to Splunk, allowing the reduction of unnecessary data

Snare Configuration

Snare Custom Config

Epilog Agent Possible uses: AV Logs from Linux hosts DNS Logs from Domain Controllers DHCP Logs from Domain Controllers Can be used to monitor any flat text files from any directory or UNC path

Epilog Agent

Splunk Searching & Reporting Highly Customized for IR

Quick Investigative Searches These searches are complete except for areas for the incident responder to put a username, IP, hostname, etc.

Search Examples - DNS

Search Examples Files Written to USB Serial number of the USB device is captured, allowing CIRT to do serial number lookups and correlation

Search Examples Possible Compromised Hosts Firewall logs are examined daily and hosts that meet two or three of the following are highlighted: 1 Hosts with the most data flowing out 2 Hosts with the highest number of connections 3 Hosts with the longest duration of connections

Search Examples GET Requests

Search Examples IOCs

Search Examples RSA Activity RSA Activity includes PIN resets, token failures, and emergency backup PIN access

Search Examples Process Execution This search identifies software, versions, PID, PPID, Hash values of executable, path, etc. This is used with a lookup table to identify new software and find malware based on path and hash

Splunk Alert Example

Account Activity Dashboard

Authentication Dashboard

Defense in Depth Dashboard

File Activity Dashboard

Foreign Activity Dashboard

Network Access Dashboard

Network Traffic Dashboard

Outbound Data Dashboard

2017 SPLUNK INC. 1. Identify all of your logging sources Key Takeaways 2. Identify what information from those sources can indicate malicious behavior 3. Prepare alerts and dashboards based upon those indicators 4. Prepare and save searches for repetitive, common searches 5. ACT ON THE INFORMATION!!!!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback