This session will examine how Intuit is using Splunk to prevent fraud and conduct forensic analysis. We’ll show how Splunk helps Intuit monitor for known fraudsters and fraudulent patterns and then speeds forensic investigations to understand which systems may have been compromised.
Understanding Security Issues as Patterns in Data
Mark Seward, Director, Security and Compliance Marketing
© Copyright Splunk 2011. The 2nd Annual Splunk Worldwide Users’ Conference
A Shift in Attack Vectors
[Chart: data volume over time, 1998 to today. Known, signature-based threats and attacks give way to unknown, behavior-based attacks; the number of attack signatures keeps increasing, and the ‘Big-data’ explosion begins around 2005.]
Splunk meets the challenge of detecting pattern-based behaviors in a ‘Big-data’ context
Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach
• A move to a behavioral approach demands more emphasis on people and less on pure technology
• Behavioral approaches to security require continuous application of human observation and judgment
• Allows the analyst to take the “actor view” to understanding the goals and methods of persistent adversaries
• Requires you to baseline patterns of normal or expected behavior, then select thresholds and triggers that will alert administrators to suspicious activities
Implementing a Pattern-based Strategy for Security
Enabling a Pattern-based Strategy for Security
• Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
• Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors
• Seek: activity and access patterns that contain the weak signals of a potential threat
• Model: implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
• Adapt: act to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases
(Seek / Model / Adapt: Gartner Research © 2010)
Security Event Patterns in Context
[Diagram: security events shown alongside App Mgmt, Web Analytics, Security and IT Ops data to give an augmented view.]
• View the web analytics data patterns as part of the web application attack
• Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
• Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance
Security is a Big Data problem with no boundaries from on-premise to ‘cloud’
How is this Different from Traditional SIEM?
• Rules view
– Breaking the speed limit: if one or more of these things happen, let me know
– Watches for only what is known
– No concept of what is ‘normal’
• Patterns view
– Watches for rhythms in your data over time against what is ‘normal’ (normal will not be static)
– Takes advantage of ‘weak signals’ from non-traditional security data
– Watches for what you don’t know
– Patterns + analytics enable decisions
Patterns allow data to be viewed as a reflection of human behavior over time
Analytics and data patterns in practice
DoS Attacks
• DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
• DoS attacks at the application layer target layer 7 and the HTTP protocol
Common Anatomy of a Typical DoS
• Source addresses usually spoofed; this also means no TCP session establishment is possible
• True identity of the source very difficult to obtain
• Attacks of significance generally come from a botnet
• TCP and UDP most common; ICMP happens as well
HTTP Slow POST Attack
• Client issues an HTTP POST to a server
• Client says “I’m going to post a gig of data” (a large declared Content-Length)
• Client then sends the host that gig at only 1 byte per minute
• Service waits for the data transfer, holding the connection and its worker open
• Usually in just a couple of minutes: la morte
Dashboard – HTTP Slow POST
[Screenshot: Slow POST attack dashboard]
Connection Exhaustion Based Attacks
• Host opens a connection to a server but doesn’t send a single byte
• Each connection ties up an Apache process
• Apache waits for the connection timeout to expire, then closes the connection
• Connections fill up the queue faster than they time out
• Default connection queue (ListenBacklog) for Apache is set to 511
Dashboard – Connection Exhaustion
[Screenshot: attacks detected]
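The two dashboards above show Splunk surfacing these attacks from web server logs. The script below is an added example, not code from the slides or from Splunk, that applies the same two patterns to a handful of constructed Apache access-log lines. It assumes a custom LogFormat of `"%h %t \"%r\" %>s %I %D"` (client host, timestamp, request line, status, bytes received via mod_logio, request duration in microseconds); the IP addresses, sample lines and thresholds are illustrative assumptions. A Slow POST shows up as a POST that stayed open for a long time while its body arrived at a few bytes per second, and connection exhaustion as a burst of connections from one source that never sent a request line and were closed by the server's timeout, which Apache logs as status 408 with a "-" request.

```python
"""Detect HTTP Slow POST and connection-exhaustion patterns in Apache logs.

Added example; not from the slides. Assumed LogFormat:
    "%h %t \"%r\" %>s %I %D"
i.e. client host, timestamp, request line, status, bytes received
including headers (mod_logio %I), request duration in microseconds (%D).
All thresholds and sample lines are illustrative assumptions.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+) (?P<usec>\d+)$'
)

# Constructed sample: a normal POST and two GETs, one POST that trickled in
# for five minutes until Apache gave up (408), and a burst of connections
# from one host that never sent a request line and timed out (408, "-").
SAMPLE_LOG = """\
203.0.113.7 [15/Aug/2011:10:00:00 -0700] "POST /api/transfer HTTP/1.1" 200 51200 180000
203.0.113.8 [15/Aug/2011:10:00:01 -0700] "GET /login HTTP/1.1" 200 412 9000
203.0.113.8 [15/Aug/2011:10:00:02 -0700] "GET /js/app.js HTTP/1.1" 200 398 4000
192.0.2.50 [15/Aug/2011:10:00:03 -0700] "POST /upload HTTP/1.1" 408 1260 300000000
198.51.100.9 [15/Aug/2011:10:05:00 -0700] "-" 408 0 300000000
198.51.100.9 [15/Aug/2011:10:05:00 -0700] "-" 408 0 300000000
198.51.100.9 [15/Aug/2011:10:05:01 -0700] "-" 408 0 300000000
198.51.100.9 [15/Aug/2011:10:05:01 -0700] "-" 408 0 300000000
198.51.100.9 [15/Aug/2011:10:05:02 -0700] "-" 408 0 300000000
198.51.100.9 [15/Aug/2011:10:05:02 -0700] "-" 408 0 300000000
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "host": d["host"],
            "time": datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "request": d["request"],
            "status": int(d["status"]),
            "bytes_in": int(d["bytes_in"]),
            "seconds": int(d["usec"]) / 1_000_000,
        })
    return events


def slow_posts(events, min_seconds=30.0, max_bytes_per_sec=100.0):
    """Slow POST signature: a POST held open a long time while the body
    arrives at a trickle. Returns (host, request, bytes/sec) per hit."""
    hits = []
    for e in events:
        if not e["request"].startswith("POST ") or e["seconds"] < min_seconds:
            continue
        rate = e["bytes_in"] / e["seconds"]
        if rate <= max_bytes_per_sec:
            hits.append((e["host"], e["request"], round(rate, 2)))
    return hits


def exhaustion_sources(events, threshold=5):
    """Connection exhaustion signature: many connections from one source that
    never sent a request line and were closed by the server's timeout (408).
    Returns {host: count} for sources at or above the threshold."""
    counts = Counter(
        e["host"] for e in events if e["status"] == 408 and e["request"] == "-"
    )
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("slow POSTs:", slow_posts(evs))
    print("exhaustion sources:", exhaustion_sources(evs))
```

The thresholds are static for clarity. In the spirit of the slides you would instead baseline each source's normal request rate and timeout count and alert on deviation from it, and you would run this continuously over the live log rather than over a file.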
Example: Time-based Pattern Detection for Malware Activity Discovery
Pattern: a request for a download immediately followed by more requests
• Fast requests following the download of a PDF, Java, zip, or exe file. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.
Splunk pattern search
• Time-based transactions sorted by length
• source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort -Length
Example: Patterns of Beaconing Hosts to Command and Control
Pattern:
• APT malware ‘beacons’ to command and control at specific intervals
Splunk pattern search
• Watch for hosts that talk to the same URL at the same interval every day
• … | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
• What you’d be looking for are sites with a low var(gap) value and a count high enough to be meaningful; a short burst of rapid requests also has low variance, so check avg(gap) as well
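The two searches above (the dropper transaction on the previous slide and the beacon gap-variance search on this one) are reimplemented below in Python as an added example, so both patterns can be run offline over constructed proxy-log lines. This is not the slides' own code. It assumes one request per line in the form `<ISO-8601 timestamp> <clientip> <url>`; the hosts, URLs, sample lines and thresholds are constructed assumptions. The beacon search is keyed by (clientip, site) rather than by site alone so that different users' visits to one site are not mixed into one interval series.

```python
"""Dropper-burst and C2-beacon patterns over proxy logs.

Added example: a Python re-implementation of the slides' two Splunk searches
(transaction maxspan/maxpause, and streamstats gap variance), not the slides'
own code. Assumed log format, one request per line:
    <ISO-8601 timestamp> <clientip> <url>
Sample lines, hosts and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, variance
from urllib.parse import urlsplit

DROPPER_EXTENSIONS = (".pdf", ".jar", ".zip", ".exe")

# Constructed sample: 10.1.1.5 downloads a PDF then fetches more files within
# seconds (dropper pattern); 10.1.1.9 hits one URL every 600 s (beacon);
# 10.1.1.7 browses normally, including one PDF with no follow-up burst.
SAMPLE_LOG = """\
2011-08-15T10:00:00 10.1.1.5 http://files.example.net/invoice.pdf
2011-08-15T10:00:02 10.1.1.5 http://cdn.example.net/loader.gif
2011-08-15T10:00:05 10.1.1.5 http://drop.example.org/stage2.bin
2011-08-15T10:00:07 10.1.1.5 http://drop.example.org/stage3.dll
2011-08-15T10:00:09 10.1.1.5 http://drop.example.org/config.dat
2011-08-15T10:03:00 10.1.1.5 http://news.example.com/index.html
2011-08-15T10:00:00 10.1.1.9 http://c2.example.org/ping
2011-08-15T10:10:00 10.1.1.9 http://c2.example.org/ping
2011-08-15T10:20:00 10.1.1.9 http://c2.example.org/ping
2011-08-15T10:30:00 10.1.1.9 http://c2.example.org/ping
2011-08-15T10:40:00 10.1.1.9 http://c2.example.org/ping
2011-08-15T10:01:00 10.1.1.7 http://news.example.com/index.html
2011-08-15T10:01:03 10.1.1.7 http://news.example.com/style.css
2011-08-15T10:02:00 10.1.1.7 http://files.example.net/manual.pdf
2011-08-15T10:15:00 10.1.1.7 http://news.example.com/story.html
"""


def parse(log_text):
    """Parse lines into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, clientip, url = parts
        u = urlsplit(url)
        events.append({"time": datetime.fromisoformat(ts), "clientip": clientip,
                       "site": u.netloc, "file": u.path.rsplit("/", 1)[-1]})
    events.sort(key=lambda e: e["time"])
    return events


def dropper_transactions(events, maxspan=60, maxpause=5, min_events=3):
    """Mirror of `transaction maxspan=60s maxpause=5s clientip` seeded on a
    dropper-type download: keep taking the same client's following requests
    while each gap <= maxpause and the whole group fits within maxspan.
    Returns (clientip, start_time, [files]) sorted longest first."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["clientip"]].append(e)
    found = []
    for clientip, evs in by_client.items():
        i = 0
        while i < len(evs):
            if not evs[i]["file"].lower().endswith(DROPPER_EXTENSIONS):
                i += 1
                continue
            start, j = evs[i]["time"], i + 1
            while j < len(evs):
                gap = (evs[j]["time"] - evs[j - 1]["time"]).total_seconds()
                span = (evs[j]["time"] - start).total_seconds()
                if gap > maxpause or span > maxspan:
                    break
                j += 1
            if j - i >= min_events:
                found.append((clientip, start, [e["file"] for e in evs[i:j]]))
            i = j  # resume after the group
    found.sort(key=lambda t: len(t[2]), reverse=True)
    return found


def beaconing_sites(events, min_count=4, max_variance=1.0):
    """Mirror of `streamstats ... | stats count avg(gap) var(gap) by site`,
    keyed by (clientip, site). A site hit at least min_count times at
    near-constant intervals (sample variance <= max_variance) is a candidate."""
    times = defaultdict(list)
    for e in events:
        times[(e["clientip"], e["site"])].append(e["time"])
    report = {}
    for key, ts in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and len(gaps) >= 2:
            stats = {"count": len(ts), "avg_gap": mean(gaps), "var_gap": variance(gaps)}
            if stats["var_gap"] <= max_variance:
                report[key] = stats
    return report


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("dropper transactions:", dropper_transactions(evs))
    print("beacon candidates:", beaconing_sites(evs))
```

Note that the dropper burst from 10.1.1.5 to drop.example.org also has zero gap variance: lowering `min_count` to 3 makes it appear as a beacon candidate too. That is why the slide's advice to look at low var(gap) needs count and avg(gap) alongside it; a beacon is a long series of evenly spaced requests, not a three-second burst.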
Fraud Hand-off to Intuit…
Other Pa2ern Uses
Intuit, Financial Services Division
Jaime Rodriguez, Senior Fraud Analyst, Intuit
Jaime Rodriguez
• Securing banks and financial institutions since 1999
• Presented and keynoted at numerous information security conferences all around the US
• Contributor to a variety of open-source projects related to many of today's most popular security tools
“Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive.”
Intuit, Financial Services Division
• One of the largest providers of outsourced online financial management solutions
• Serving 1800+ financial institutions and 4 million+ end customers
• Applications include:
- Consumer and business internet banking
- Electronic bill payment and presentment
- Personal online financial management
- Website hosting and development for financial institutions
All of Your Data Is Security Relevant
• Indexing our infrastructure:
- Cisco firewalls
- Snort
- App logs, WebSense
- TippingPoint IPS
• Integrating data from outside partners:
- Known fraud rings
- Bad IP addresses
- Bad actors
Splunk Speeds Remediation
Before:
• Previously had a customized parser
• Searches conducted in batch, taking 3+ hours via cron job
• Reports came in piecemeal across 5000 emails with different syntax
• Only sophisticated (aka highly-paid) users could track patterns
After:
• Splunk provides a single view
• Role-based access provides secure views into data
• Customer service and banking customer teams can begin queries on their own: no waiting for access/permission, no highly paid engineer required
• Results in 5 minutes
From Reactive to Proactive
• Using Splunk for historical analysis
• New fraud patterns identified drive reviews of past 30 day / 90 day / all-time periods
• As patterns emerge, we build alerts (SMS, email) that fire when evidence of similar patterns of known fraudsters emerges
• Showing monthly trending
• We’ve modified our logs to better capture and expose the information we need to see
Splunk for the Ops Team
• Outages unacceptable
• Often caused by unauthorized change
• Splunk tracks changes to pinpoint issues for remediation
• Monitoring throughput and access for each financial institution
- Usage stats good for re-sell/upsell
• Dashboards show system health and performance; execs love visibility
Truth From The Trenches: Wire Transfers
• Watching a fraudster in real time: seeing $5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure that he touched
• Next we could correlate activities based on time to understand his pattern of activity
Truth From The Trenches: Geolocation
• We noticed a similar fraud pattern across 15 banks
• Then we mapped them to see they were within 15 miles of one another
• The fraud was coming from one data processing vendor they all shared
The World of Compliance
FFIEC
• Federal Financial Institutions Examination Council
• Ensures financial organizations follow uniform principles, standards and methods of reporting
• Splunk empowers auditors to ask, and us to quickly and easily answer, any question
SAS 70
• Certification of standard controls, communications mechanisms and monitoring procedures
• Required by many financial services clients
• Relied on by clients as evidence for their Sarbanes-Oxley compliance
PCI
• PCI DSS: Payment Card Industry Data Security Standard
• Promotes trust with customers
• Required by various payment card providers
Getting Started
• Just get started: Splunk is great out of the box for quick and dirty analysis
• It only gets better when you customize it
• Demo Splunk to others; people are amazed at how much data and depth we can get based on pivoting
• Follow the install guide!
• Consider how you’ll expand, and plan in advance for that expansion
• Move to 4.2: it’s fast!
August 15, 2011
Questions?
Jaime Rodriguez, Intuit