Upload
hahanh
View
214
Download
0
Embed Size (px)
Citation preview
Copyright © 2015 Splunk Inc.
Introducing Splunk Enterprise 6.2 Stefano Radaelli Senior Sales Engineer
Copyright © 2014 Splunk Inc.
Splunk Company Overview
2
Company
Global HQs: § San Francisco § London § Hong Kong
1,300 employees globally Annual Revenue: $302.6M (YoY +52%) NASDAQ: SPLK
Products
Free trial to massive scale Splunk products:
§ Splunk Enterprise § Splunk Cloud § Hunk § Splunk MINT § Premium Apps
Customers
7,900+ customers Across 100 countries Small to large organiza�ons 70+ of the Fortune 100 Largest license:
§ 300+ Terabytes/day
Copyright © 2014 Splunk Inc.
Big Data Comes from Machines Volume | Velocity | Variety | Variability
GPS, RFID,
Hypervisor, Web Servers,
Email, Messaging Clickstreams, Mobile,
Telephony, IVR, Databases, Sensors, Telema�cs, Storage,
Servers, Security Devices, Desktops 3
Machine Data Contains Cri�cal Insights Customer ID Order ID
Customer’s Tweet
Time Wai�ng On Hold
Twi�er ID
Product ID
Company’s Twi�er ID
Customer ID Order ID
Customer ID
Sources
Order Processing
Twi�er
Care IVR
Middleware Error
5
Machine Data Contains Cri�cal Insights Order ID
Customer’s Tweet
Time Wai�ng On Hold
Product ID
Company’s Twi�er ID
Order ID
Customer ID
Twi�er ID
Customer ID
Customer ID
Sources
Order Processing
Twi�er
Care IVR
Middleware Error
6
Copyright © 2014 Splunk Inc.
Industry Leading Pla�orm For Machine Data Machine Data: Any Loca�on, Type, Volume
Online Services Web
Services
Servers Security GPS
Loca�on
Storage Desktops
Networks
Packaged Applica�ons
Custom Applica�ons Messaging
Telecoms Online
Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
RFID
On-‐ Premises
Private Cloud
Public Cloud
Pla�orm Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Answer Any Ques�on
Developer Pla�orm
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
Copyright © 2014 Splunk Inc.
Industry Leading Pla�orm For Machine Data Machine Data: Any Loca�on, Type, Volume
Online Services Web
Services
Servers Security GPS
Loca�on
Storage Desktops
Networks
Packaged Applica�ons
Custom Applica�ons Messaging
Telecoms Online
Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
RFID
On-‐ Premises
Private Cloud
Public Cloud
Pla�orm Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Answer Any Ques�on
Developer Pla�orm
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
Any amount, any loca�on, any source
Schema-‐on-‐the-‐fly
Universal indexing
No back-‐end RDBMS
No need to filter data
Copyright © 2014 Splunk Inc.
Security Intelligence
12
Developer Pla�orm
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
Threat Intelligence
Asset & CMDB
Employee Info
Data Stores Applica�ons
Online Services
Web Services
Security GPS
Loca�on
Storage
Desktops
Networks
Packaged Applica�ons
Custom Applica�ons
Messaging
Telecoms Online
Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
Firewall
Authen�ca�on
Threat Intelligence
Servers
Endpoint
External Lookups
Copyright © 2014 Splunk Inc.
Big Data Pla�orm: Insight for Business Risk
13
LDAP, AD Watch Lists
App Monitoring Data Security Data IT Operations Data
Business Process Data
Distribution System
Data
Business Analy�cs Web Intelligence IT Opera�ons Management Security & Compliance
Business Risk and Security Applica�on Monitoring
Copyright © 2014 Splunk Inc.
Case #1 -‐ Incident Inves�ga�on/Forensics O�en ini�ated by alert in another product May be a “cold case” inves�ga�on requiring machine data going back months
Need all the original data in one place and a fast way to search it to answer: – What happened and was it a false posi�ve? – How did the threat get in, where have they
gone, and did they steal any data?
– Has this occurred elsewhere in the past?
Take results and turn them into a real-‐�me search/alert if needed
14
Suspect A Suspect B
Suspect C
client=unknown[99.120.205.249]<160>Jan 2616:27 (cJFFNMS
DHCPACK=ASCII from host=85.196.82.110
truncating integer value > 32 bits <46>Jan ASCII from client=unknown
Accomplice A
Accomplice B
January February March April
Copyright © 2014 Splunk Inc.
Case #2 – Security/Compliance Repor�ng
15
Many types of visualiza�ons
Easy to create in Splunk – Ad-‐hoc auditor reports – New incident list – Historical reports
– SOC/NOC dashboards – Execu�ve/auditor dashboards
Copyright © 2014 Splunk Inc.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-‐002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Se�ngs/smithe/Local Se�ngs/Temp/evil.tmp,"""",Actual ac�on: Quaran�ned,Requested ac�on: Cleaned, �me: 2009-‐01-‐23 03:19:12,Inserted: 2009-‐01-‐23 03:20:12,End: 2009-‐01-‐23 03:19:12,Domain: Default,Group: My Company\ACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -‐> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classifica�on: Poten�al Corporate Privacy Viola�on] Credit Card Number Detected in Clear Text [Priority: 2]:
20130806041221.000000Cap�on=ACME-‐2975EB\Administrator Descrip�on=Built-‐in account for administering the computer/domainDomain=ACME-‐2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-‐1-‐5-‐21-‐1715567821-‐926492609-‐725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts
16
Case #3 – Real-‐�me Monitoring of Known Threats Sources
Time Range
Intrusion Detec�on
Endpoint Security
Windows Authen�ca�on
All three occurring within a 24-‐hour period
Example Correla�on – Data Loss
Source IP
Source IP
Source IP Data Loss
Default Admin Account
Malware Found
Copyright © 2014 Splunk Inc.
2013-‐08-‐09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 -‐ -‐ OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compa�ble; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-‐RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
08/09/2013 16:23:51.0128event_status="(0)The opera�on completed successfully. "pid=1300 process_image="\John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe“ registry_type ="CreateKey"key_path="\REGISTRY\MACHINE\SOFTWARE\Microso�\Windows NT\CurrentVersion\ Printers Print\Providers\ John Doe-‐PC\Printers\{}\ NeverSeenbefore" data_type""
2013-‐08-‐09T12:40:25.475Z,,exch-‐hub-‐den-‐01,,exch-‐mbx-‐cup-‐00,,,STOREDRIVER,DELIVER,79426,<[email protected]>,[email protected],,685191,1,,, [email protected] , Please open this a�achment with payroll informa�on,, ,2013-‐08-‐09T22:40:24.975Z
17
Case #4 – Real-‐�me Monitoring of Unknown Threats Sources
Time Range
Endpoint Logs
Web Proxy
Email Server
All three occurring within a 24-‐hour period
Example Correla�on -‐ Spearphishing User Name
User Name
Rarely seen email domain
Rarely visited web site
User Name
Rarely seen service
Copyright © 2014 Splunk Inc.
Case #4 – More Examples
18
A�ack Phase What Threat is Doing What to Look For Data
Source Lateral movement
Crea�ng new admin accounts Account crea�on without corresponding IT service desk �cket
AD/ Service Desk logs
Data gathering
Stealing creden�als
For single employee: Badges in at one loca�on, then logs in countries away
Badge/ VPN/ Auth
Data gathering
Gathering confiden�al data for the�
Employee makes standard devia�ons more data requests from file server with confiden�al data than normal
OS
Exfiltra�on Exfiltra�on of info Standard devia�ons larger traffic flows (incl DNS) from a host to a given IP
NetFlow
Copyright © 2014 Splunk Inc.
Case #5 – Insider Threat
19
What To Look For Data Source
Abnormally high number of file transfers to USB or CD/DVD OS
Abnormally large amount of data going to personal webmail account or uploaded to external file hos�ng site
Email / web server
Unusual physical access a�empts (a�er hours, accessing unauthorized area, etc) Physical badge records / AD
Above ac�ons + employee is on an internal watchlist as result of transfer / demo�on / poor review / impending layoff
HR systems / above
User name of terminated employee accessing internal system AD / HR systems
Copyright © 2014 Splunk Inc. 20
Case #6 – Fraud Detec�on Sample Pa�erns of Fraud in Machine Data:
Type of Fraud Pa�ern of fraud Ver�cal
Financial Services
E-‐tailing
Healthcare
Telecom
Online educa�on
Account takeover Many transac�ons between $9-‐10k
Many accounts accessed from one IP
Physician billing Physician billing for drugs outside their exper�se area
Roaming abuse Excessive roaming on partner network by unlimited use customers
Student loan fraud Student IP in “high-‐risk” country and student absent from classes & assignments
Account takeover
Copyright © 2014 Splunk Inc.
A 3-‐YEAR JOURNEY
Completeness of Vision As of June 2014
CHALLENGERS LEADERS
NICHE PLAYERS VISIONARIES
Ability to
Execute
2012
2014 2013
21
Copyright © 2014 Splunk Inc.
Industry Accolades
22
BEST ENTERPRISE SECURITY SOLUTION SC Magazine Awards, Europe 2013 & US 2014
BEST SIEM Informa�on Security Magazine Readers’ Choice Awards, 2013
BEST SIEM SOLUTION SC Magazine Awards, 2013
Copyright © 2014 Splunk Inc.
“Defense-‐in-‐depth” Requires a New Strategy
24
Two types of analysis to fight today’s threats
Tradi�onal Monitoring for Known Events
In the ‘wild’ but prevalent Uses vendor supplied signatures Generally caught by IDS/IPS, AV or firewall
Reported to tradi�onal SIEM
Sta�s�cal Analysis for Unknown Events
Hidden in terabytes of ‘normal’ user ac�vity
Circumvents perimeter defenses O�en uses HTTP to communicate Much harder to find without advanced analy�cs
Copyright © 2014 Splunk Inc.
Analysis of real-‐�me and historical data using Splunk sta�s�cal analy�cs to be�er understand, detect and
address unknown threats.
25
Enterprise Security Content Focus
Copyright © 2014 Splunk Inc.
Dashboard: Traffic Size Analysis
26
Compare traffic data with sta�s�cal data to find outliers
Iden�fy suspicious data exfiltra�on
pa�erns
Drill-‐down to look for anomalous source/
dest traffic
Copyright © 2014 Splunk Inc.
Dashboard: HTTP Category Analysis
27
Inves�gate ‘unknown’ HTTP
traffic
Find low volume traffic ac�vity
Compare with sta�s�cal data to find
outliers
Look for suspicious pa�erns of ac�vity by
category
Copyright © 2014 Splunk Inc.
Dashboard: URL Length Analysis
28
Compare each URL sta�s�cally to iden�fy outliers
Inves�gate long URLs where no referrer
exists
See how many assets are talking to the URL
Look for long URLs that may include embedded
C&C instruc�ons
Copyright © 2014 Splunk Inc.
Dashboard: New Domain Analysis
29
Iden�fy unexpected top level domain
ac�vity
Hosts talking to recently registered domains
Discover outlier ac�vity to newly registered
domains
Copyright © 2014 Splunk Inc.
Dashboard: HTTP User Agent Analysis
30
Whitelist or blacklist specific user agents
Visualize outliers as compared to sta�s�cally
normal ac�vity
Evaluate user agents for command and control
ac�vity
Find unexpected HTTP communica�on ac�vity
Copyright © 2014 Splunk Inc.
Asset and User Iden��es Lookup Editor
31
More easily edit values in each of the columns Color coding for specialized fields for added visual clarity Add new rows of data with a single right-‐click ac�on
Copyright © 2014 Splunk Inc.
Security Threat Indicator Library Key Security Indicators (over 100 available) The ability to set a threshold for each metric that indicates if the value is acceptable or not
Change in color (good or bad) based on customer defined threshold A descrip�on of the trend (increasing or decreasing) depending on whether the an increase or a decrease ought to be interpreted as good or bad)
Drill-‐down from the metric to a dashboard that provides more informa�on
Copyright © 2014 Splunk Inc.
Threat Visualizer Search for unusual behavior pa�erns based on Asset and/or Iden�ty
Pre-‐determined (by the customer) events in �me-‐synchronized swim lanes
Select specific events to create visual correla�ons across known assets or iden��es in a single view
The selec�ons create a “story board” (shown on the right) for inves�ga�on
Copyright © 2014 Splunk Inc.
Pivot Tables for Security Repor�ng
Driving down report crea�on complexity
Create Pivot-‐based reports Customize as needed graph type, color, detail, etc.
Create and circulate as a report
Add to or create a dashboard
34
Copyright © 2014 Splunk Inc.
Faster Protocol Inves�ga�ons
37
Important protocol fields are exposed for fast access
Enter into workflows for inves�ga�on
Create new reports or export inves�ga�on results
Copyright © 2014 Splunk Inc. 41
Oltre 8.400 aziende di tu�o il mondo, incluse 70 tra le Fortune 100 usano Splunk® Enterprise per trasformare i da� macchina in preziose informazioni in grado di garan�re un rapido ROI e un valore reale per il reparto IT e il business in generale. Partecipando a SplunkLive! Italia potrai : Scoprire la straordinaria rapidità e semplicità delle funzioni di analisi
di Splunk Enterprise 6.2 Imparare come o�enere in modo eficiente, informazioni da data store
�po Hadoop e NoSQL Ascoltare casi di successo dire�amente dai clien� e capire come
hanno ricavto valore dai loro da� grazie a Splunk. Assistere a nuovi training che insegnano come massimizzare
l’inves�mento fa�o e risolvere nuovi problem di business. Qualunque sia la tua a�vità, dallo sviluppo di applicazioni o generazione di analisi a fini aziendali, alla ges�one, protezione e verifica in ambito IT, Splunk può aiutar� ad acquisire rapidamente valore dai tuoi da�.. Iscrivi� oggi stesso : h�p://live.splunk.com/italia_2015 A presto, Il team Splunk Any ques�on? [email protected]
Tes�monianze clien� Milano Cerved Group S.P.A Alma Mater Studiorum –
Università di Bologna Fastweb S.P.A. Tes�monianze clien� Roma HBG Connex S.P.A. Università La Sapienza Poste Italiane
De�agli evento Milano: 24 marzo 2015, ore 9.30-‐16.30 presso NHOW Milano -‐ Via Tortona 35 Roma: 26 marzo 2015, ore 9.30-‐16.30 presso Wes�n Excelsior -‐ Via Vi�orio Veneto 125