USE CASE IN ACTION Splunk + Komand

Automating response to endpoint threats using Sysdig Falco, Splunk, Duo, and Komand

Many security teams use endpoint threat detection solutions to detect and respond to threats like malware, credential theft, and more. In a common architecture built around a SIEM or log management solution, alerts from endpoint detection products are collected, correlated with telemetry from other solutions or logs, and validated. Generally, a human being has to get involved anywhere from the third step forward. Can we do better?

Using a typical architecture with a real endpoint threat detection solution (Sysdig Falco) along with Splunk acting as our SIEM, we'll show you how you can use Komand to automate detection, enrichment, notification, and response.

The Setup: Our Threat Detection Architecture

The figure below shows a typical architecture for an AWS environment. Our bastion host is the centralized chokepoint for all login activity: any user must log in here before they can access any of the servers in our virtual private cloud (VPC). All login activity is protected by Duo Security two-factor authentication (2FA).

On each EC2 server in our VPC, we've configured an open source runtime threat detection tool, Sysdig Falco, to perform security monitoring. Falco is a simple tool that lets you write rules that trigger on suspicious behaviors on Linux hosts. Alerts from Falco are fed straight into Splunk, where they drive Splunk alerts that we'll be able to instrument via the Komand automation platform. For example, we have configured a Splunk alert that triggers on unauthorized privilege escalations on our servers, as reported by Sysdig Falco. Here is what the raw event looks like:

20:27:05.363221899: Warning Sudo/su privilege escalation detected. (rule=privilege_escalation user=jandre command='sudo bash')

As part of their workflow to validate and respond to this potential threat, a security team will need to perform additional steps at various stages of that workflow.

Sample activities include:

STAGE: Enrichment, or context gathering
ABOUT: Before a security analyst can scope a threat and determine whether it is a false positive or a real violation, context from additional systems is needed.
EXAMPLES: Querying Splunk for related login activity logs on the bastion host; enriching the IP addresses in the login activity logs with GeoIP information.
FREQUENCY: Very frequent
ERROR SENSITIVITY: Low

STAGE: Notification, or escalation
ABOUT: Once a potential threat looks suspicious, additional team members may be notified for further investigation, or a ticket created to track the incident together with other suspected artifacts.
EXAMPLES: Creating a ticket and assigning it to a senior team member for investigation; asking the employee to verify whether they remember performing the suspicious action.
FREQUENCY: Medium
ERROR SENSITIVITY: Low to medium (too many false-positive notifications lead to frustration and inefficiency)

STAGE: Response
ABOUT: If a threat is confirmed, steps should be taken to contain it. If a breach is suspected, additional forensic activity may be required.
EXAMPLES: Disabling a user account
FREQUENCY: Infrequent
ERROR SENSITIVITY: High (an error could cause business disruption)

A process like this may take hours to perform manually. Using Komand, we can automate activities across all stages, from investigation through response, reducing that time to 30 minutes or less. As part of our response to the endpoint threat, we'll demonstrate automating the notification step using Slack, and containing suspect user accounts by disabling them in Duo Security.

PART 1 Reacting to Splunk Alerts: Configuring the Komand Splunk Trigger

Using Komand's Splunk Alert trigger, we can hook our Privilege Escalation alert for automation. It's as easy as supplying the name of the Splunk alert we want to instrument.

Figure: Configuring Our Splunk Trigger to Hook Alert for Automation

That's it! Komand is now ready to execute automation against our Splunk alerts.

PART 2 Enriching the Original Alert

The alert we'll get from Splunk isn't very useful on its own. Remember, this is what the alert looks like coming from Sysdig Falco:

20:27:05.363221899: Warning Sudo/su privilege escalation detected. (rule=privilege_escalation user=jandre command='sudo bash')

We'll also get some information from Splunk (the source hostname). As an analyst, one thing I may want to correlate this activity with is the login activity of the user account: a quick check against history to see whether the user logged in from a new or unusual location. Remember, the login logs live on the bastion host. Using another Splunk query, I can pull that information from the bastion host's logs:

Figure: Querying Splunk for Login Activity

The IP addresses shown as login_ip can then be evaluated against a GeoIP lookup database to give me a fuller picture of who logged in, and from where.

The good news is that we can automate these follow-on queries using Komand, and then use the GeoIP plugin to look up location information. Using the Splunk search action, let's query the bastion host logs for the user account referenced in the alert:

Figure: Performing Splunk Query via Komand

We can then use the GeoIP plugin to correlate the login_ip values with location lookups:

Figure: Correlating Splunk Login IP data with GeoIP

Keep in mind that GeoIP data is approximate: corporate VPN egress points and mobile carriers often resolve to a fixed or distant location, so a "new location" result is a signal for the analyst, not a verdict on its own.

This is just one example of the enrichment you can perform against a Splunk alert. From here, you can add further enrichment steps: querying the endpoint for active command activity, looking up the employee's information, adding more Splunk queries; the sky's the limit!
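The enrichment from Part 2 and the notification text that Part 3 below sends to Slack, written out as an added Python example rather than Komand's own plugins. The Splunk search and the GeoIP plugin are stood in for by a constructed list of sshd log lines from the bastion host and a constructed IP-to-country table, so the logic runs offline; the date, hostnames, IP addresses and the baseline of each user's usual countries are all assumptions, not values from the page.

```python
"""Enrich a Falco privilege-escalation alert with bastion-host login context.

Added example (not Komand's or Falco's code). The page's Splunk search and
GeoIP plugin are replaced by constructed sshd log lines and a constructed
IP -> country table so the workflow logic can run offline.
"""
import re
from datetime import datetime, timedelta

# Falco text output as shown on the page:
#   "<time>: <priority> <message>. (key=value key='quoted value' ...)"
FALCO_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>\w+) "
    r"(?P<message>.*?) \((?P<fields>.*)\)$"
)
# key=value pairs; a value may be single-quoted and contain spaces (command='sudo bash')
FIELD = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

# sshd "Accepted" lines in syslog format; failed logins are deliberately not matched
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed stand-ins for the GeoIP plugin result and each user's usual countries.
GEOIP = {"203.0.113.5": ("US", "Boston"), "198.51.100.77": ("RO", "Bucharest")}
KNOWN_COUNTRIES = {"jandre": {"US"}}

# Constructed bastion-host sshd lines (what the Splunk search would return).
BASTION_LOG = [
    "Jul 14 20:25:41 bastion sshd[2211]: Accepted publickey for jandre from 203.0.113.5 port 50022 ssh2",
    "Jul 14 20:26:12 bastion sshd[2240]: Accepted password for jandre from 198.51.100.77 port 41870 ssh2",
    "Jul 14 20:26:30 bastion sshd[2251]: Failed password for jandre from 198.51.100.77 port 41871 ssh2",
    "Jul 14 09:10:03 bastion sshd[1900]: Accepted publickey for ops from 203.0.113.9 port 50100 ssh2",
    "Jul 13 20:30:00 bastion sshd[1500]: Accepted publickey for jandre from 203.0.113.5 port 50010 ssh2",
]
ALERT_DATE = "2018-07-14"  # assumed: Falco's text line carries no date, Splunk's _time would


def parse_falco(line):
    """Split a Falco text alert into its fixed header and its key=value fields."""
    m = FALCO_LINE.match(line.strip())
    if not m:
        raise ValueError("not a Falco alert line: %r" % line)
    fields = {k: (q or u) for k, q, u in FIELD.findall(m.group("fields"))}
    return {"time": m.group("time"), "priority": m.group("priority"),
            "message": m.group("message"), **fields}


def bastion_logins(log_lines, user, alert_at, window=timedelta(hours=8)):
    """Accepted sshd logins for `user` in the `window` ending at the alert time."""
    hits = []
    for line in log_lines:
        m = SSHD_ACCEPTED.match(line)
        if not m or m.group("user") != user:
            continue
        ts = datetime.strptime("%d %s" % (alert_at.year, m.group("ts")), "%Y %b %d %H:%M:%S")
        if alert_at - window <= ts <= alert_at:
            country, city = GEOIP.get(m.group("ip"), ("??", "unknown"))
            hits.append({"time": ts.isoformat(), "ip": m.group("ip"),
                         "method": m.group("method"), "country": country, "city": city})
    return sorted(hits, key=lambda h: h["time"])


def enrich(alert_line, log_lines=BASTION_LOG, alert_date=ALERT_DATE):
    """Enrichment step: parsed alert + correlated logins + a 'new location' verdict."""
    alert = parse_falco(alert_line)
    alert_at = datetime.strptime("%s %s" % (alert_date, alert["time"][:8]), "%Y-%m-%d %H:%M:%S")
    logins = bastion_logins(log_lines, alert["user"], alert_at)
    usual = KNOWN_COUNTRIES.get(alert["user"], set())
    unusual = sorted({l["country"] for l in logins} - usual)
    return {"alert": alert, "logins": logins,
            "new_location": bool(unusual), "unusual_countries": unusual}


def slack_text(enriched):
    """Plain-text body for the Slack notification step (Part 3)."""
    a = enriched["alert"]
    lines = ["*%s* %s (rule=%s, user=%s, command=%s)"
             % (a["priority"], a["message"], a["rule"], a["user"], a["command"])]
    for l in enriched["logins"]:
        lines.append("login %s via %s from %s (%s, %s)"
                     % (l["time"], l["method"], l["ip"], l["city"], l["country"]))
    if enriched["new_location"]:
        lines.append("NEW LOCATION for %s: %s" % (a["user"], ", ".join(enriched["unusual_countries"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(slack_text(enrich(
        "20:27:05.363221899: Warning Sudo/su privilege escalation detected. "
        "(rule=privilege_escalation user=jandre command='sudo bash')")))
```

Two details matter for a real deployment: only logins before the alert and inside a bounded window are correlated (a login after the sudo event cannot be the session that ran it), and the "new location" flag is computed against a per-user baseline rather than a global allow list, which is what turns a GeoIP lookup into something an analyst can act on.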

PART 3 Notifying the Security Team

Armed with this additional information, let's create a notification for the security team via Slack with the context attached:

Figure: Creating Slack Message to Notify Security Team

At this point you may choose instead to create a ticket in a solution like JIRA, ServiceNow, or another case management platform; it's really up to you and your process. Komand makes it easy to modify your processes, and using the Test feature right in the workflow builder you can validate your changes. Switching the notification mechanism in Komand is only a few clicks away.

PART 4 Performing Human-Validated Response

If it turns out credentials have been compromised, it may be appropriate to disable them as part of our incident response process. Because this is the step with the highest error sensitivity (disabling the wrong account disrupts the business), we add a human decision point here, which lets an analyst confirm whether the credentials should be disabled in Duo or the alert dismissed.

Figure: Creating a Human Decision Point to Take Action or Dismiss

Using the Duo modify user action, which calls the Duo Admin API, we can set the account's status to disabled, preventing the user from logging in to the bastion host until more thorough investigation can be carried out. Note that this blocks new authentications only: sessions the user already has open on the bastion or on downstream servers are not terminated by this step and need to be handled separately.
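What the "modify user" step has to produce on the wire, as an added Python example; this is not Komand's Duo plugin. It follows the request-signing scheme in Duo's public Admin API documentation (signature version 2: HMAC-SHA1 over the date, method, host, path and sorted parameters, carried as HTTP Basic credentials of the form ikey:signature). Nothing is transmitted: each function returns the prepared request so the human decision point can gate the actual send. The API hostname, integration key, secret key and Duo user id are placeholders.

```python
"""Prepare the Duo Admin API call that disables a user's account.

Added example, not Komand's Duo plugin. Follows Duo's documented request
signing (sig version 2, HMAC-SHA1). Nothing is sent: the functions return
the prepared request so a human decision point can gate the real call.
API_HOST, IKEY, SKEY and the user id are placeholders, not real credentials.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote

API_HOST = "api-xxxxxxxx.duosecurity.com"         # placeholder Duo API hostname
IKEY = "DIXXXXXXXXXXXXXXXXXX"                     # placeholder integration key
SKEY = "placeholder-secret-key-never-commit-me"   # placeholder secret key


def canon_params(params):
    """Duo canonical form: keys sorted, key and value RFC 3986-encoded, '&'-joined."""
    return "&".join("%s=%s" % (quote(k, "~"), quote(str(v), "~"))
                    for k, v in sorted(params.items()))


def canonical_request(date, method, host, path, params):
    """The exact string Duo signs: one component per line, method upper, host lower."""
    return "\n".join([date, method.upper(), host.lower(), path, canon_params(params)])


def sign(date, method, host, path, params, ikey=IKEY, skey=SKEY):
    """Headers for a Duo Admin API request; the Date header must equal the signed date."""
    canon = canonical_request(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    basic = base64.b64encode(("%s:%s" % (ikey, sig)).encode()).decode()
    return {"Date": date, "Authorization": "Basic " + basic}


def basic_credentials(headers):
    """Decode 'Authorization: Basic ...' back into (ikey, hex signature)."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    return tuple(raw.split(":", 1))


def verify(headers, method, host, path, params, ikey=IKEY, skey=SKEY):
    """The server's side of the check: recompute and compare in constant time."""
    expected = sign(headers["Date"], method, host, path, params, ikey, skey)["Authorization"]
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


def lookup_user_request(username, host=API_HOST, date=None):
    """GET /admin/v1/users?username=...: resolve the Falco 'user' field to a Duo user_id."""
    date = date or formatdate(usegmt=True)
    path, params = "/admin/v1/users", {"username": username}
    return {"method": "GET", "url": "https://%s%s?%s" % (host, path, canon_params(params)),
            "headers": sign(date, "GET", host, path, params), "body": ""}


def set_user_status(user_id, status, approved, host=API_HOST, date=None):
    """POST /admin/v1/users/<user_id> with status=active|bypass|disabled.

    `approved` is the analyst's verdict at the human decision point; unless it
    is True the containment request is not even built. 'disabled' is reversible
    (set status back to 'active'), which is why it is preferred over deletion.
    """
    if status not in ("active", "bypass", "disabled"):
        raise ValueError("unknown Duo user status: %r" % status)
    if not approved:
        return None
    date = date or formatdate(usegmt=True)
    path, params = "/admin/v1/users/%s" % quote(user_id, "~"), {"status": status}
    return {"method": "POST", "url": "https://%s%s" % (host, path),
            "headers": {**sign(date, "POST", host, path, params),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": canon_params(params)}


if __name__ == "__main__":
    # In the real workflow the user_id comes from the JSON reply to the lookup request.
    print(lookup_user_request("jandre")["url"])
    req = set_user_status("DUXXXXXXXXXXXXXXXXXX", "disabled", approved=True)
    print(req["method"], req["url"], req["body"])
```

The two-step shape (look up the Duo user_id by the username taken from the alert, then POST the status change) is the part that a workflow builder hides; the signing details are what you need when a "modify user" step fails with an authentication error, since any mismatch between the Date header, the canonical parameter order or the host case will change the HMAC.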

Figure (Part 4): Disabling a user account with Duo

Wrapping It Up

That's how easy it is to build a detect -> investigate -> notify -> respond workflow in Komand. By instrumenting existing tools with Komand's simple workflow automation layer, you can take process execution time from hours to minutes, improving your team's productivity and reliability. To realize the power of Komand's automation platform in your environment, contact sales@komand.com

About Komand

Komand is a security orchestration and automation platform that gives security teams the power to quickly automate and streamline security operations, with no need for code. Teams can integrate their tools, build automated workflows, and use human decision points to accelerate incident response and move security initiatives forward, faster. Learn more at www.komand.com