Best Practices for Scoping Infections & Disrupting Breaches

Paul Pang, Chief Security Strategist, APAC & Japan

Copyright © 2012 Splunk Inc.

Page 2:

Expectation VS Reality

How to be a successful CISO without a 'real' cybersecurity budget

http://www.csoonline.com/article/2977609/data-protection/how-to-be-a-successful-ciso-without-a-real-cybersecurity-budget.html

Page 3:

Top 3 Suggestions to you

1. Stop fighting the malware game. Learn to co-exist in a malware-infested environment with a zero-trust model. Time to treat the internal network as if it were the Internet.

2. Stop focusing on the latest and greatest tools from the hottest vendors; because more tools are not stopping security breaches, they only slow them down.

3. Focus on the critical systems that matter for data protection (systems with PII data, Social Security number data, and credit cards, intellectual property, etc.). Do your best with the rest of the company environment, but don't put your career on the line with battles that don't matter.

http://www.csoonline.com/article/2977609/data-protection/how-to-be-a-successful-ciso-without-a-real-cybersecurity-budget.html

Page 4:

New Types of Security Guru

Multiple roles with different backgrounds, skills, pay levels, personalities:

SOC Manager
SOC Admin & Architect
Project Manager
Tier 1 Analyst
Tier 2 Analyst
Tier 3 Analyst (CSIRT), Key APT Hunter
Forensics Specialist
Malware Engineer
Counter-Intel

• On-the-job training and mentoring, and external training & certifications
• Operating hours and SOC scope play a key role in driving headcount
• Tier 3 Analysts focus on NG SOC technology such as risk-based analytics, APT hunting, threat intelligence …

Page 5:

(Diagram) Signatures / Rules / Human Analysis / Behavioral Analytics

Page 6:

A New Paradigm: Big Data Driven Security Analytics

• Machine Learning
• Data-Science Driven Behavioral Analytics

(versus) Signatures / Rules / Human Analysis

Page 7:

All Data is Security Relevant = Big Data

All Security Relevant Data:
• "Non-security" user and machine generated data behind credentials. Includes "unknown" threats.
• AD, OS, DNS, DHCP, email, proxy, badge, industrial control systems, etc.

Security Relevant Data (Traditional SIEM):
• "Security" data, or alerts from point security products. "Known" threats.
• Firewall, anti-malware, IDS, DLP, vulnerability scan

Page 8:

Real time statistical analytics example: Counting "User_Agent" Length

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Character count: 74

Table columns: UserAgent content inside logs | PatternLength | Count

Page 9:

A lot of web-based attacks use VERY long URLs

A mean URL length of 128 bytes looks normal, but a maximum URL length of 9 KB looks suspicious. We found a lot of LONG URLs trying to access the external site "http://103.7.28.187/pingd?type-1&dm=www.discouss.com.hk …". After verifying with http://urlquery.net/report.php?id=2182484, they are Tencent QQ/WeChat messages: the long HTTP packages are encrypted SMS.
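The two slides above describe counting the length of each distinct User-Agent string and comparing the mean against the maximum URL length to surface oversized requests. The Python below is an added example, not code from the deck or from Splunk: it parses a few constructed proxy log lines (the log format, the client IPs, the documentation IP 198.51.100.7 and the 9,000-character query value are all constructed for this example, and the 2048-byte threshold is an assumed starting point), builds the slide's UserAgent / PatternLength / Count table, and reports mean and maximum URL length together with the outliers.

```python
"""Added example (not from the Splunk deck): the two summaries the slides
describe, run over a few constructed proxy log lines."""
import re
from collections import Counter
from statistics import mean

# Simplified, constructed proxy log format: <client_ip> <method> <url> "<user_agent>"
LOG_LINE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# The slide's 74-character IE6 User-Agent string.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
# Constructed stand-in for the slide's oversized "pingd" request: a
# documentation IP and a 9,000-character query value, no real service involved.
LONG_URL = "http://198.51.100.7/pingd?type-1&dm=example.invalid&d=" + "A" * 9000

SAMPLE_LOG = "\n".join([
    f'10.0.0.5 GET http://example.com/index.html "{IE6_UA}"',
    f'10.0.0.6 GET http://example.com/news "{IE6_UA}"',
    '10.0.0.7 GET http://example.com/a "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"',
    '10.0.0.8 GET http://example.com/b "xx"',          # suspiciously short UA
    f'10.0.0.9 POST {LONG_URL} "{IE6_UA}"',
])


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def ua_length_table(records):
    """Rows of (user_agent, pattern_length, count), shortest first:
    the slide's UserAgent / PatternLength / Count table."""
    counts = Counter(r["ua"] for r in records)
    rows = [(ua, len(ua), n) for ua, n in counts.items()]
    return sorted(rows, key=lambda row: (row[1], row[0]))


def url_length_stats(records, suspicious_bytes=2048):
    """Mean and maximum URL length plus every URL at or above the threshold."""
    lengths = [len(r["url"]) for r in records]
    return {
        "mean": mean(lengths),
        "max": max(lengths),
        "suspicious": [r["url"] for r in records if len(r["url"]) >= suspicious_bytes],
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ua, length, n in ua_length_table(recs):
        print(f"{length:>5} {n:>3}  {ua[:60]}")
    stats = url_length_stats(recs)
    print(f"mean={stats['mean']:.1f} max={stats['max']} suspicious={len(stats['suspicious'])}")
```

Both the very short User-Agent and the very long URL land at the edges of their distributions, which is the point of looking at length rather than content: no signature is needed. As the slide's QQ/WeChat case shows, a length outlier is a lead to verify against the destination, not a verdict on its own.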

Page 10:

Visualize the Pattern in Real Time

(Chart: count over time; axis label "Count")

Page 11:

Security Intelligence Use Cases

• Fraud Detection
• Insider Threat
• Advanced Threat Detection
• Security & Compliance Reporting
• Incident Analysis & Investigations
• Real-time Monitoring & Alerting

Splunk provides solutions that address SIEM use cases and more.

Traditional SIEM (Security Log Focus) vs. Next Gen SOC (All machine data)

Page 12:

Cisco: The CSIRT Team

The Computer Security Incident Response Team (CSIRT) reduces the risk of loss as a result of security incidents for Cisco-owned business. CSIRT regularly engages in proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, incident detection and response.

• Tier 1 Event Analysis group
• Tier 2 Event Analysis group
• Tier 3 Incident Response team (Global)

Page 13:

Proactive Security Monitoring and Forensics

"Splunk allows us to quickly consolidate and correlate disparate log sources, enabling previously impractical monitoring and response scenarios."

Dave Schwartzburg, Computer Security Incident Response Team

• Enabled proactive threat assessment, mitigation planning, incident trending with analysis, security architecture, incident detection and response
• Delivered a centralized view into user activities and in-scope systems

Page 14:

Page 15:

0-day detection: Real-time Anomaly Detection (Machine Learning - Protected by Maths)

Page 16:

CSIRT Logging Deployment

• 25 indexers / 7 clusters
• HA, load balanced, & scalable
• Index up to multi-TB/day
• Hundreds of TB storage

Page 17:

Next-Gen SOC Architecture: Best-of-Breed Management Systems

• Early Detection System
• Situation Awareness & Incident Management System
• Real-time Machine Data / Asset & Provisioning Management
• Security Intelligence Platform
• Advanced Data Analytics System

Page 18:

THE OVERALL SOLUTION

Real-Time Machine Data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Platform: Developer Platform, Report & Analyze, Custom Dashboards, Monitor & Alert, Ad Hoc Search

UBA: Machine Learning, Behavior Analytics, Anomaly Detection, Threat Detection, Security Analytics

Page 19:

(Kill-Chain) Advanced Threat Detection and Response

Data sources: Threat intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security

Diagram labels: WEB; MAIL; Web Portal .pdf; .pdf / Svchost.exe / Calc.exe; Gain Access to system; Transaction; Conduct Business; Create additional environment

Questions the data answers:
• Events that contain a link to the file
• Proxy log: C2 communication to a blacklisted address
• How was the process started?
• What created the program/process?
• Process making C2 traffic

Page 20:

Connect the "Data-Dots" to See the Whole Story

Kill chain stages: Delivery, Exploit, Installation; Gain Trusted Access; Upgrade (Escalate), Lateral Movement; Data Gathering, Exfiltration; Persist, Repeat

Threat Pattern

Threat Intelligence
Attacker, known C2 sites, infected sites, IOC, attack/campaign intent and attribution
• External threat intel • Internal threat intel • Indicators of compromise

Network Activity/Security
Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Malware sandbox • Web proxy • NetFlow
• Firewall • IDS / IPS • Vulnerability scanner

Endpoint Activity/Security
What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• DHCP • DNS • Patch mgmt
• Endpoint (AV/IPS/FW) • ETDR • OS logs

Authorization - User/Roles
Access level, privileged users, likelihood of infection, where they might be in the kill chain
• Active Directory • LDAP • CMDB
• Operating System • Database • VPN, AAA, SSO

Page 21:

From a Log Analysis Perspective

Threat Intel:
bad_ip,threat_intel_source
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http

Network (web server access log):
54.211.114.134 - - [05/May/2014:22:40:54 -0400] "POST /portal/wp-login.php HTTP/1.1" 200 4395 "-"
54.211.114.134 - - [06/May/2014:00:05:47 -0400] "GET /tech/wp-content/uploads/2014/05/Q2_commission.pdf HTTP/1.1" 206 2475168 "-"

Endpoint:
{"action": "create", "path": "…\Content.Outlook\Q2_commission.pdf", "process_guid": "-7751687"}
{"domain": "115.29.46.99", "protocol": 6, "ipv4": "115.29.46.99", "process_guid": "3259531", "port": 443}

Email (delivery):
Subject: new commission report breakdown
From: Jose Dave <[email protected]>
To: <[email protected]>
Content-type: multipart/mixed;
Content-type: application/pdf; name="Q2_commission.pdf"

Asset and Identity (CMDB lookup):
dest_ip,cmdb_bu_owner,cmdb_application_name,cmdb_system_owner,cmdb_app_lifecycle,cmdb_s_ox,cmdb_GLBA,cmdb_app_uses_ssn,cmdb_credit_card_data,cmdb_priority,cmdb_server_software,cmdb_supported_by,cmdb_server_phase,cmdb_db_server,cmdb_db_name,cmdb_PCI,cmdb_PII,cmdb_safe_harbor
192.168.56.102,Sales,Laptop,[email protected],Production,No,No,No,No,Tier 3,Windows7,Internal,Deployed,N,N/A,No,No,No
172.20.12.224,Marketing,Laptop,[email protected],Production,No,No,No,No,Tier 3,Windows7,Internal,Deployed,N,N/A,No,No,No
172.20.10.217,eCommerce,Laptop,[email protected],Staging,Yes,Yes,No,Yes,Tier 1,Windows7,Internal,Deployed,Y,Oracle,Yes,Yes,Yes
172.20.15.229,eCommerce,Laptop,[email protected],Staging,Yes,Yes,No,Yes,Tier 1,Windows7,Internal,Deployed,Y,Oracle,Yes,Yes,Yes

Page 22:

Kill Chain Analysis

Data sources: Threat intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security

Pivot keys that link the records from the previous slide:
• 115.29.46.99: the threat intel entry (115.29.46.99/32, zeus_c2s) matches the endpoint network record ("ipv4": "115.29.46.99", "port": 443)
• Q2_commission.pdf: the email attachment name (name="Q2_commission.pdf") matches the endpoint file record ("action": "create", path ending in Q2_commission.pdf)
• "process_guid": "3259531" (the process making the C2 connection) and "process_guid": "-7751687" (the process that created the file)
• [email protected] and 192.168.56.102: the mail recipient and the asset record in the CMDB lookup (Sales, Laptop, Tier 3)

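The join the slide sketches, a threat-intel hit on an outbound connection, then the file created on the same host, then the mail that carried that file name, then the CMDB record for the asset, can be expressed as a small correlation routine. The Python below is an added example and is not Splunk's or Cisco's code. It reuses the deck's threat-intel list, its record fields and its process_guid and file name values; the host_ip field on endpoint events (the slide's records have no host field), the file path, the mail addresses, the second host's traffic and the benign connection are constructed assumptions, and the CMDB lookup carries only a subset of the slide's columns.

```python
"""Added example (not code from the Splunk deck, Splunk or Cisco): joining
threat intel, endpoint, mail and CMDB records around one C2 hit."""
import csv
import io
import ipaddress
import json

# Threat-intel lookup exactly as listed on the slide.
THREAT_INTEL_CSV = """bad_ip,threat_intel_source
115.29.46.99/32,zeus_c2s
61.155.30.0/24,cymru_http
"""

# Constructed CMDB lookup using a subset of the slide's columns; the
# owner addresses are placeholders.
CMDB_CSV = """dest_ip,cmdb_bu_owner,cmdb_application_name,cmdb_system_owner,cmdb_priority,cmdb_PCI,cmdb_PII
192.168.56.102,Sales,Laptop,sales.owner@example.invalid,Tier 3,No,No
172.20.10.217,eCommerce,Laptop,ecom.owner@example.invalid,Tier 1,Yes,Yes
"""

# Endpoint events in the slide's field layout. The slide's records carry no
# host field, so host_ip is an assumption added here to allow the CMDB join.
NETWORK_EVENTS = [
    {"host_ip": "192.168.56.102", "ipv4": "115.29.46.99", "protocol": 6,
     "port": 443, "process_guid": "3259531"},
    {"host_ip": "192.168.56.102", "ipv4": "198.51.100.20", "protocol": 6,
     "port": 443, "process_guid": "3259531"},      # constructed, benign
    {"host_ip": "172.20.10.217", "ipv4": "61.155.30.77", "protocol": 6,
     "port": 80, "process_guid": "4100"},          # constructed, inside the /24
]
FILE_EVENTS = [
    {"host_ip": "192.168.56.102", "action": "create",
     "path": r"C:\temp\Content.Outlook\Q2_commission.pdf",   # constructed path
     "process_guid": "-7751687"},
]
MAIL_EVENTS = [
    {"subject": "new commission report breakdown",
     "from": "jose.dave@example.invalid", "to": "sales.owner@example.invalid",
     "attachment": "Q2_commission.pdf"},
]


def load_threat_intel(text):
    """Parse the lookup into (network, source) pairs so CIDR entries match too."""
    return [(ipaddress.ip_network(row["bad_ip"]), row["threat_intel_source"])
            for row in csv.DictReader(io.StringIO(text))]


def match_threat_intel(ip, intel):
    """Every intel source whose network contains ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [source for net, source in intel if addr in net]


def load_cmdb(text):
    return {row["dest_ip"]: row for row in csv.DictReader(io.StringIO(text))}


def correlate(network_events, file_events, mail_events, intel, cmdb):
    """For each outbound connection that hits threat intel, collect the
    files created on the same host, the mails whose attachment name matches
    one of those files, and the CMDB record for the host."""
    findings = []
    for ev in network_events:
        sources = match_threat_intel(ev["ipv4"], intel)
        if not sources:
            continue
        host = ev["host_ip"]
        files = [f for f in file_events
                 if f["host_ip"] == host and f["action"] == "create"]
        names = {f["path"].rsplit("\\", 1)[-1] for f in files}
        mails = [m for m in mail_events if m["attachment"] in names]
        asset = cmdb.get(host, {})
        findings.append({
            "host_ip": host,
            "c2_ip": ev["ipv4"],
            "threat_sources": sources,
            "c2_process_guid": ev["process_guid"],
            "dropped_files": [f["path"] for f in files],
            "delivery_mail": [m["subject"] for m in mails],
            "owner": asset.get("cmdb_system_owner"),
            "priority": asset.get("cmdb_priority"),
            "handles_pci_or_pii": "Yes" in (asset.get("cmdb_PCI"), asset.get("cmdb_PII")),
        })
    return findings


def run_example():
    return correlate(NETWORK_EVENTS, FILE_EVENTS, MAIL_EVENTS,
                     load_threat_intel(THREAT_INTEL_CSV), load_cmdb(CMDB_CSV))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The CIDR-aware match matters because the second intel entry is a /24, so a plain string comparison on the IP would miss it. The second finding has no file or mail context, which is the realistic case for a host whose earlier kill-chain stages were not logged; the CMDB fields still tell the analyst that it is a Tier 1 asset handling PCI and PII data, which is what the deck's third suggestion asks to prioritise.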
Page 23:

SPLUNK UBA (User Behavior Analytics)

• Machine Learning
• Behavior Analytics
• Anomaly Detection
• Threat Detection
• Security Analytics

Page 24:

Page 25:

Page 26:

Thank You

[email protected]