Enabled SOC - SIEM Use Cases (PDFDrive)

Copyright
© 2014 Splunk Inc.
The Analy<cs-‐Enabled
SOC > SIEM Use Cases
Fred Wilmot (CISSP)
Director, Global Security Prac<ce
Sanford Owings
Principle Consultant, Splunk Services
Disclaimer
During the course of this presenta<on, we may make forward looking statements regarding future events or the
expected performance of the company. We cau<on you that such statements reflect our current expecta<ons and
es<mates based on factors currently known to us and that actual events or results could differ materially. For
important factors that may cause actual results to differ from those contained in our forward-‐looking statements,
please review our filings with the SEC. The forward-‐looking statements made in the this presenta<on are being made as
of the <me and date of its live presenta<on. If reviewed aVer its live presenta<on, this presenta<on may not contain
current or accurate informa<on. We do not assume any obliga<on to update any forward looking statements we may
make. In addi<on, any informa<on about our roadmap outlines our general product direc<on and is subject to change
at any <me without no<ce. It is for informa<onal purposes only and shall not, be incorporated into any contract or
other commitment. Splunk undertakes no obliga<on either to develop the features or func<onality described or to
include any such feature or func<onality in a future release.
2
Fred Wilmot | Director, Global Security Prac<ce
(fred|Securityczar)@splunk.com
•  Strategy
§  Drives Security Prac<ce Strategy globally
§  Works on Splunk’s hardest Security Use Cases
§  Visualiza<on and Analy<cs using Splunk
§  Solves strategic product/implementa<on challenges
•  Research
Minister of Silly Walks •  Digital Forensics /Assessment Tools
“Electric Mayhem”
@fewdisc •  Social Risk/User behavior modeling
•  ML/Advanced Sta<s<cal Analysis
•  Threat Intelligence
•  Product
§  Influence product strategy for security content and features
in the field and through the factory.
3
Sanford Owings| Principal Consultant, Splunk Services
sowings@splunk.com
Sanford Owings (Sowings) began his compu<ng career in 1990 in a word
processing lab with network administra<on on PCs and various flavors of
Unix. A computer science educa<on at Berkeley (with more system and
network administra<on thrown in) showed him the light twenty years
later.

sowings Sanford began using Splunk in early 2010, working to integrate it as an
(muppet disguise) OEM repor<ng solu<on into an email appliance. Since March 2012, he
has worked as a member of the Professional Services team at Splunk,
leveraging his development background while assis<ng customers.

In his free <me, he enjoys spending <me with his wife Erin, cooking,
cycling and traveling.

4
Agenda
"  Why do we use SIEMs?
"  How to Achieve these ‘SIEM’ use cases?
"  Security Maturity Model: How do I get there?
"  Where do we Start?
"  Ques<ons?
"  Appendix
5
Why do we use
SIEMS?
Not Really…
But we may feel that way
because we don’t really
know what problem we are
solving, we don’t have the
right people, or process to
leverage our technology.

Lack of internal knowledge
leads to external guidance…
Gartner SIEM MQ 2014
AccelOps
“…the rise in successful
Product/Service Rating
targeted a/acks has caused a
growing number of Real-Time Monitoring 3.50 3
2013
organiza<ons to use SIEM for
threat management to Threat Intelligence 3.00 3
improve security monitoring
and early breach detec<on” Behavior Profiling 2.50 3
2012
Data and User Monitoring 2.97 2
Threat Management Application Monitoring 2.90 3

Real-‐<me monitoring and
repor<ng of user ac<vity, data Analytics 2.44 3
access and applica<on ac<vity,
in combina<on with effec<ve ad Log Management and Reporting 2.75 3
hoc query capabili<es….
Deployment/Support Simplicity 3.50 4

capabili<es that aid in targeted Source: Gartner (June 2014)
aoack detec<on”
8
What capabili<es are you looking for from SIEM?
9
Why Splunk Compared to SIEM
Legacy SIEM Splunk
Data sources Limited Any technology, device
Custom Device Support Difficult Easy
Add Intelligence Difficult Easy

Built-‐in
Customized Repor<ng Required 3rd party App
(from search)
Speed of Search/Repor<ng Slow and Unusable Fast and Responsive
Difficult Easy
Correla<on
(rule-‐based) (search-‐based)
Scalability Limited Extensible
10
Be Pragma<c, not Dogma<c. Be prepared to
challenge your asser<ons if you want to
mature your opera<ons
11
Top Five Splunk Security Use Cases
More than a SIEM; a Security Intelligence Pla5orm
Splunk Can Complement OR Replace Exis<ng SIEMs
Real-‐<me Real-‐<me
Incident Security & Monitoring of
Monitoring of
Inves<ga<ons Compliance Fraud detec<on
Known Unknown
& Forensics Repor<ng
Threats Threats
12
Moving Past SIEM to Security Intelligence
INCIDENT SECURITY & REAL-‐TIME MONITORING FRAUD INSIDER

INVESTIGATIONS COMPLIANCE MONITORING OF OF UNKNOWN DETECTION THREAT
& FORENSICS REPORTING KNOWN THREATS THREATS
Small Data. Big Data. Huge Data.
Splunk soVware complements, replaces and goes beyond tradi<onal SIEMs.

How do we achieve
Analy<cs Enabled SOC?
A journey of a thousand miles begins with a
single step. Lao-‐tzu, The Way of Lao-‐tzu
15
A Methodology for Analy<cs-‐Enabled SOC:
Map the Business to the Threat Model
What does the business care about?
•  Market Sen<ment?
•  Fraud?
•  Denial of Service?
•  Intellectual property theV?
•  Sensi<ve data/customer data leak?
•  Brand reputa<on?
•  Industrial sabotage?
•  Corporate espionage?
16
Construct a Hypothesis
•  How could someone gain access
to data that should be kept
private?
•  What could cause a mass system
outage does the business care
about?
•  How could we find exfiltra<on of
sensi<ve informa<on if it was
happening?
17
It’s about the Data
•  What visibility do we need?
•  For data exfiltra<on, start with
URLs.
•  DNS requests, proxy logs, web
logs, mail logs
•  Beg, borrow, and steal SME
exper<se from system owners
18
Data Evalua<on
•  For data exfiltra<on, start with
what’s normal and what’s not
(create a sta<s<cal model)
•  How do we ‘normally’ behave?
•  What paoerns would we see to
iden<fy outliers?
•  Look for other paoerns based on
uniqueness, frequency,
periodicity, volume, dura<on,
newness, dura<on, locality, etc.
19
Spoiler Alert! DNS Exfiltra<on Indicators
•  1) Look @ all DNS traffic for mul<ple levels of DNS strings. look for hexadecimal strings.
•  2) Look for this 3rd level to be less than 40 bytes in length... like *.domain.com, where * is longer than 40 bytes
•  3) Look for mul<ple DNS Name lookups to sketchy foreign domains, and look at the frequency in a short <me
span.
•  4) DNS TXT or SRV record queries to any foreign or high entropy domains
•  5) ANY DNS response to a loopback or RFC 1918 space/bogon space. (5.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16,
172.16.0.0/12) could indicate a C2 channel
•  6) Look for mul<ple DNS queries to the same non-‐obvious or foreign domain during off-‐hours <mes in the office
= check for frequency, and periodicity.
•  7) DNS queries to dynamic DNS providers (like OpenDNS)
•  8) DNS queries not followed by a proxy request for connec<on
•  9) Iden<fy recurring interval or beaconing following any of the above (zero variance behavior)
•  10) Look for Teredo IPv6 addresses
•  11) Look for large TXT or NULL payloads (tunneling), and TXT that isn’t 7-‐bith clean
•  12) Look for CNAME chains if they resolve internally
•  13) look for changes in authorita<ve name servers and their IP addresses as well.
20
Analysis + context
•  Increase in business communica<ons
overseas?
•  Does your sta<s<cal model need to change
due change, business growth, or volume of
data?
•  Implemented a new service or applica<on?
•  Added employees overseas?
•  Enriching/synthesizing outliers with
visualiza<ons?

21
Need to Connect the “Data-‐dots” to See the Whole Story
Delivery, exploit Gain trusted Upgrade (escalate) Data Gathering ExfiltraRon Persist, Repeat
Persist, Repeat
installaRon access Lateral movement
Aoacker, know relay/C2 sites, infected sites, IOC, Subscrip<on feeds Internal black lists
aoack/campaign intent and aoribu<on Open source Intelligence Sharing …

Threat intelligence
Firewalls Email, Web, DNS Malware

Where they went to, who talked to whom, aoack analysis
…
Network transmioed, abnormal traffic, malware download IDS/IPS Infrastructure Net flow
AcRvity/Security
Endpoint Threat
What process is running (malicious, abnormal, etc.) Detec<on and Malware
analysis
Vulnerability
Assessment
Process owner, registry mods, aoack/malware Response (ETDR) …
OS, App ,
Host
ar<facts, patching level, aoack suscep<bility Endpoint Security database logs Patching
AcRvity/Security
LDAP,
Access level, privileged users, likelihood of infec<on, Ac<ve Directory, Asset databases
where they might be in kill chain Authen<ca<on, CMBD, …
Auth -‐ User Roles, SSO inventory,
Corp Context
22
Methodology Par<ng Thoughts
Security Intelligence requires tradiRonal IT data sources,
not just security technology.

•  What paoerns/correla<ons of weak-‐signals in ‘normal’ IT ac<vi<es would

represent ‘abnormal’ ac<vity?
•  Heuris<c detec<on approaches (SIEM historical standard) are best used with other
detec<on approaches (Sta<s<cal/Behavioral)
•  Threat modeling MUST be associated with cri<cal data assets and employees
•  Context is hardest and most cri<cal to add, give yourself lead <me…BUT DO IT
•  What is rarely seen, newly seen, or a behavioral/sta<s<cal devia<on?
•  What normal ac<vi<es occur during abnormal <mes?
23
Security Maturity
Model with Splunk:
How do I get there?
Maturity Model for Security Opera<ons
Real-‐<me
q  APT detec<on/hun<ng (kill chain method) Risk
Insight ProacRve
q  Counter threat automa<on Security
Situa<onal
q  Threat Intelligence aggrega<on (internal & external) Awareness
q  Fraud detec<on – ATO, account abuse,
q  Insider threat detec<on Proac<ve
Monitoring
and Aler<ng
Search
q  Replace SIEM @ lower TCO, increase maturity and
q  Augment SIEM @ increase coverage & agility Inves<gate
q  Compliance monitoring, repor<ng, audi<ng

q  Log reten<on, storage, monitoring, audi<ng ReacRve

q  Con<nuous monitoring/evalua<on
Security OperaRons Roles/FuncRons
q  Incident response and forensic inves<ga<on
q  Event searching, repor<ng, monitoring & correla<on q  Tier 1 Analyst q  Security Analyst q  Fraud analyst
q  Rapid learning loop, shorten discover/detect cycle q  Tier 2 Analyst q  CSIRT q  Threat research/Intelligence
q  Tier 3 Analyst q  Forensics q  Malware research
q  Rapid insight from all data q  Audit/Compliance q  Engineering q  Cyber Security/Threat
25
Honest Ques<ons, Honest Answers
"  What is the talent level of my (Security) team?
"  Do I have exis<ng mature skill sets I can leverage/need to keep?
"  What is the business’s appe<te for change?
"  Am I building a Security Organiza<on for Hun<ng and Advanced Threats, or
doing what I can with the team/resources I have?
"  Can I be successful implemen<ng new processes around this methodology?
26
How Do I Determine My Maturity Level?
Pre-‐Engagement Posture Discussion
"  What is your current SecOps model?
–  Insourced/outsourced/hybrid?
–  Incident Response plan? BIA?
–  what do you when you find something significant?
Threat Priority Matrix

•  What are the risks to the business?
–  Establish business priori<es
–  Model Threats and Business process
–  Design detec<on/preven<on logic
Talent Capability Model

•  How capable are my people?
–  Beginner/Intermediate/Advanced responders
–  are you inves<ng in Threat Intelligence and Malware analysts?
–  How much collabora<on happens between security and subject experts?
27
How Do I Determine My Maturity Level? (cont’d)
Content Strategy
–  Data Acquisi<on mapped to threats/use cases
–  Response by: Alerts/repor<ng/integra<on
–  Manifest process and methodology into technology
–  “How will I implement my playbook?”
Post-‐Engagement EvaluaRon
–  Does the work we did, translate to reducing business Risk?
–  Is it measurable?
–  Does it enable Security team to iterate and automate?
–  Does it move the organiza<on up the Security Maturity Model?

28
Talent Capability Model Scale
29
Cyber Opera<ons Model
Forensics and Incident Audit
Incident Applica<on
Root Cause Response Repor<ng and
Handling Security Design
Analysis Process Assessment
Monitor
Fraud and Secure Coding & Network
Security Collabora<on
Technologies TheV Analysis Development Security Design
Itera<on Counter
Malware Behavioral Vulnerability Intelligence
Analysis Analysis Automa<on Remedia<on
Threat
Cyber Network Threat Cyber Network Modeling
Defense Intelligence Offense
REACTIVE PROACTIVE
30
Cyber Opera<ons Model
AutomaRon IteraRon
Machine-‐<me response Threat Modeling,
Triage using machine Intelligence Gathering,
data and context Research, hun<ng
CollaboraRon
In order to gain a CollaboraRon
Communica<on Incident Response
complete view of
OperaRonal Security, Automa<on
Forensic analysis
we need to see the Operate on machine
Itera<on data and Threat
iteraRon of Counter
Intelligence
Intelligence in
Monitoring Incident Response
31
Security Intelligence combines methodology,
technology, collabora<on as context for smarter
security decisions
32
Where do we start?
Integra<on Examples
Maturity Model Type Integra<ons
1)  I have no visibility into my data, and I need to operate on that data
2)  I have a SIEM, it doesn’t do what I want. I need to augment with
visibility and context
3)  I have visibility, and context, I need threat intelligence and
workflow and integra<on
4)  I don’t have a SIEM, but I also don’t have any resources to do that
Lets look at an MSSP that supports your threat profile
Applica<on Performance Monitoring,
No SIEM: Ge{ng Visibility First

Metrics, and Drill-‐down
Helpdesk
Staff
“I’m not a security shop, I just need
to see all my data first”
•  Splunk for incident inves<ga<ons/
forensics
Real-‐Rme
Data
Machine •  Splunk for aler<ng/repor<ng/
dashboarding
•  Begin building data consump<on
towards use cases
Security
Analysts
35
Legacy SIEM: Limited Visibility

Helpdesk
Staff
Search/Alert Splunk App for CEF “I have a subset of security in my SIEM, I need
more visibility across IT data”
Different data sent to Splunk and SIEM
Real-‐Rme •  Splunk for log aggrega<on, incident
Machine Data inves<ga<on/forensics, enrichment
ArcSight for correla<on, alerts, Analyst

• 
workflow
opRons for Splunk-‐to-‐ESM data flow:
Logger
1.  At index <me, Splunk can forward data to

ESM ArcSight: SplunkSight
2.  At search <me, Splunk can forward CEF
Security
format to ArcSight: Splunk App for CEF
Analysts
3.  Splunk alerts to ArcSight ESM via SNMP trap,

e-‐mail, web services
36
Legacy SIEM: Splunk to ArcSight ESM

Helpdesk
Staff
“I have a mature playbook my analysts use
in SIEM”
•  Splunk for log aggrega<on, incident
Search/Alert Splunk App for CEF inves<ga<on/forensics, enrichment
Real-‐Rme •  ArcSight for correla<on, alerts, Analyst
Data
Machine
workflow
Filter/Forward SplunkSight
opRons for Splunk-‐to-‐ESM data flow:
Mail/SNMP
CEF syslog collector 1.  At index <me, Splunk can forward raw or
filtered data to ArcSight: SplunkSight
2.  At search <me, Splunk can forward
ESM selected, and/or enriched events in CEF
Security
format to ArcSight: Splunk App for CEF
Analysts
Using Splunk Forwarders for na<ve log consump<on 3.  Splunk alerts to ArcSight ESM via SNMP
trap, e-‐mail, web services
37
SOC Integrated components Metrics, and Drill-‐down

Helpdesk
Staff
“II have many products leveraging my
methodology and playbook”
Ad hoc Monitor Report and Custom
search and alert analyze dashboards
Decisions on workflow made by automaRon/
prioriRzaRon feeding mulRple tuned products
SIEM •  CriRcal è AutomaRc Rckets for SME resoluRon,
InvesRgaRon (i.e. Archer)
Real-‐Rme

Machine Data •  High/Medè Triage by type: automated acRon
result/analyst acRon (i.e. SIEM)
•  Low è prioriRzed and funneled (i.e. Remedy)
•  Methodology driven, business process melded with
technology and analyst skill sets
•  Archer, JIRA, Remedy, ServiceNow integra<ons,
Security
Asset Employee Threat Data Security tools like Palo Alto, Mandiant, FAnalysts
ireEye,
& CMDB Info Intelligence ApplicaRons Stores Checkpoint, Sourcefire
•  Packets, flows, Threat Intel, enrichment, context
38
Adding Context
Faster/Beoer Decisions with Context
Online
Services
Web
Ad hoc Monitor Report and Custom Developer
Services search and alert analyze dashboards Placorm
Security
GPS
Servers Loca<on
Packaged
Applica<ons
Desktops
Networks Real-‐Rme

Storage
Custom
Machine Data
Messaging
Applica<ons
Telecoms
RFID External Lookups
Online Energy
Shopping Meters References – Coded fields, mappings, aliases
Cart Databases Dynamic informaRon – Stored in non-‐tradi<onal formats
Call Detail
Web Records Environmental context – Human maintained files, documents
Clickstreams
System/applicaRon – Available only using applica<on request
Smartphones
and Devices Intelligence/analyRcs – Indicators, anomaly, research, white/blacklist
AND MORE…
40
Encoded log with threat and asset context
Asset # IP Address
File code
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for
2172618992@splunktel.com 10.164.232.181 from 12.130.60.5 recorded OK.!
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 -
10.164.232.181 "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML,
Log Code
like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for
.csv file CMBD Vendor Threat Intelligence

mapping mapping
41
Asset # IP Address
File code
Log Code
like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
.csv file CMBD Vendor Threat Intelligence

mapping mapping
File code Hash value Variants Filenames
✓
42
Log like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3" 503 0 0 825 1680!
External Lookup using .csv
Threat info (various)

Product code (file)
Asset (CMDB, various)
43
Automate Context: IOC lookups -‐ Filename

44
Automate Context: IOC lookups -‐ CIDR

45
Adding Intelligence
Internal Threat Intelligence
Context for Security
•  Directory User Informa<on •  Applica<on Usage &

(personal e-‐mail, access, user privs) Consump<on (In House)
•  Proxy informa<on (content) •  Database Usage /Access
Monitoring (privileged)
•  DLP & Business Unit Risk (trade
•  En<tlements/ Access Outliers
secrets/IP lists)
(In House)
•  Case History/Ticket Tracking •  User associa<on based on
•  Malware/AV geography, frequency,
•  HR/Business Role uniqueness and privilege
47
External Threat Intelligence
Consumable Sources
•  OSINT (free Sources) •  Palo Alto Wildfire
•  Dell SecureWorks •  Crowdstrike
•  Verisign iDefense •  AlienVault OTX
•  Symantec Deepsight •  RecordedFuture
•  McAfee Threat Intelligence •  Team Cymru
•  SANS/Whitelist/Blacklist •  ISACs or US-‐CERT
•  CVEs CWEs, OSVDB (Vulns) •  FireEye/Mandiant
•  iSight Partners •  Vorstack
•  ThreatStream •  cyberUnited
•  ATLAS •  ThreatGrid
•  ThreatConnect •  ZeroFox
•  Farsight •  Norse CorporaRon
48
External Threat Intelligence Integra<on
import hoplib, urllib
params = urllib.urlencode({'apikey':
'f6dbdee2dc8c6118933b90178657877cc2cede3023ce0eba4xxxxxxxxxxxxxxx', 'ip': ’46.229.160.7', 'method':
'ipview'})
#headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "text/plain"}
headers = {"Content-‐type": "applica<on/x-‐www-‐form-‐urlencoded", "Accept": "applica<on/json"}
conn = hoplib.HTTPConnec<on("us.api.ipviking.com:80")
conn.request("POST", "/api/", params, headers)
response = conn.getresponse()
print response.status, response.reason
data = response.read()
print(data)
Most IntegraRons are APIs or Modular Inputs – EASY!
conn.close()
49
External Threat Intelligence
50
51
Raw IOC
Not Easy
52
53
Context+Threat Intelligence:TLD against GeoIP
How would I find all the URLs by their Top Level Domain, and compare
them with their geoloca<on to validate they are legi<mate on a map?
54
Matching against TLD & GeoIP
sourcetype=bluecoat url=* | lookup faup url | fields url_domain url_tld |
geoip url_domain | eval
url_domain_country_code=lower(url_domain_country_code) | eval
tld_match=if(url_tld == url_domain_country_code, "true", "false")

#Run FAUP as a lookup across all bluecoat URLS
#generate the geoloca<on telemetry for url_domain
#determine if the url country code is = to the TLD
Now, show me on the map where they are…
55
56
Ques<ons?
Some Content For You
•  Archer Integra<on Technology add-‐on template

•  Scripts for <cket system aler<ng
•  SA-‐VA, ES Vulnerability Assessment/Risk calcula<on tool

Follow @Splunksec on twi/er for these releases today
aqer our session!
58
What You Can Do for the Security Prac<ce
•  We love to dig through new data sets
•  Share cool, hard use cases with us
•  Share knowledge to help us beoer the product
•  All your desires and concerns for features and uses

Partner with us, we will do the same!
•  Help with integra<ons, use cases, features func<ons.
•  Our job is to help you get to your highest maturity level
59
Thank you!

@SplunkSec
security@splunk.com

Appendix
•  SA-‐VA (How it works)
•  SplunkSight (How it works)
•  TA-‐Archer (How it works)

Adding Context:
Splunk > Nmap +
CVE=Risk Score
Problem
•  Network complexity and aoack surface is growing

•  No central loca<on for exploit informa<on

•  Manual system priori<za<on based on risk is (nearly) impossible

•  Analysis must be done regularly as new exploits are released
Solu<on: SA-‐VA
•  Automated exploit database aggrega<on
•  SA-‐VA automa<cally parses Na<onal Vulnerability
Database hop://nvd.nist.gov/ and Offensive Security’s
Exploit-‐DB
hops://github.com/offensive-‐security/exploit-‐
database
•  Scheduled vulnerability scan
•  Integra<on with Splunk Enterprise Security
assets
•  SA-‐VA integrates with your exis<ng security solu<ons
to give a clearer picture
Solu<on: SA-‐VA
Monitor network risk trends

Solu<on: SA-‐VA
Isolate exploits affec<ng a large number of hosts

Solu<on: SA-‐VA
Access to informa<on on thousands of exploits

Solu<on: SA-‐VA
View all hosts affected by specific exploits

Calcula<ng Risk for Assets.csv
•  Risk Percentage
•  Δ Risk Score / Reference Score (Gold Standard)
•  Risk Score
•  Σ Service Score
•  Service Score
•  CVSS Severity / (Current Year – Release Year)
•  Every host scanned is assigned a risk percent as a func<on of the
reference score, and an overall risk score
•  Every service is assigned a risk percent score as a percentage of
host’s overall risk
Example
Configurability
•  Provide custom arguments to Nmap scan in addi<on to preset scan
arguments
•  Whitelist to exclude sensi<ve hosts from scans
•  Block specific vulnerabili<es scoring on a host specific and global
level
•  Schedule and automate database updates and network scans
based on your network needs
Summary
•  Automate vulnerability database aggrega<on
•  Schedule scans and database updates
•  Whitelist machines sensi<ve to scans
•  Mul<ple scan intensity op<ons including custom arguments for
VoIP, printers, and other sensi<ve systems
•  Integra<on with Enterprise Security assets model
•  Appends fields to exis<ng assets.csv
•  Create new assets.csv based on scan
•  Calculated Risk priori<za<on score
•  Risk % = Δ Risk Score / Gold Standard
•  Risk Score = Σ (CVSS severity /(Current Year – Release Year))
SIEM Augmenta<on:
SplunkSight
Splunk > Arcsight
Delivering Context to CEF for Analy<cs-‐driven Security
Connect and Visualize Automa<cally Deliver

Datamodel Enrichments
Disparate Data In Familiar Insight from Splunk to the
Enhance Decision Making
Tools Front Lines
•  Add context to events by •  Gain faster, easier and •  Organiza<ons where an
using Splunk Add-‐ons deeper insights across all incumbent SIEM is the
and custom lookups machine data Tier 1 tool can now
•  Constrain, filter, or •  Simply map Splunk fields receive augmented
augment data via CIM or to CEF fields without events and alerts
custom datamodels knowledge of the Splunk •  Increase the value of
•  Aggregate events from search syntax, using a threat intelligence by
mul<ple sources before new Guided UI indica<ng important
forwarding events
Inside Splunk App for CEF
Use Common
Informa<on Model
or custom
datamodels
OUTPUT
RAW DATA INDEXED IN TECHNOLOGY COMMON
DATA MODELS SEARCH
SPLUNK ADD-‐ONS EVENT FORMAT
OVER TCP
Gather and enrich Guided search

data as needed wizard helps users
using full power of construct powerful
Splunk searches
75
Why Splunk app for CEF?
•  For many data sources, dual feeding both Arcsight and
Splunk , the same events is not feasible

•  Splunk App for CEF enables CEF-‐formaoed output based on
search results in Splunk

•  Field mappings from Splunk CIM to Arcsight CEF make
configura<on easy
76
Inside SplunkSight
Use Common
Informa<on Model
and pre-‐indexed
keys
OUTPUT
RAW DATA INDEXED IN TECHNOLOGY COMMON
INDEX PIPELINE
SPLUNK ADD-‐ONS EVENT FORMAT
OVER TCP
Gather and enrich Configurable

data as needed dynamic mapping
using full power of of CIM fields to CEF
Splunk fields
77
Why SplunkSight?
•  Scaling your CEF output structure should scale with Splunk
architecture

•  SplunkSight enables CEF formaoed output based indexed
fields in Splunk

•  SplunkSight uses TCPOUT to process events directly on each
indexer

•  Index and sourcetype filters enable flexibility

•  Field mappings from Splunk CIM to Arcsight CEF make
configura<on easy
78
Integra<on Challenges
•  Splunk currently, cannot send CEF data directly to Arcsight
ESM at scale, or index <me.
•  Logger agents tend to lose data in transla<on via Snare and
syslog
•  Splunk forwarders are not distributed across the en<re
infrastructure to capture raw windows events
•  Target’s challenge is 100% visibility, and ubiquity in their
collec<on environment for host data collec<on
•  single agent to feed both their collec<on and correla<on
technology.
We built SplunkSight to deal with these challenges
79
SplunkSight
Designed to be Highly scalable
•  Located on each Indexer as a separate socket-‐ized
process

•  Mul<-‐threaded process to deal with scale

•  Operates at index-‐<me as opposed to search-‐<me

•  Does not impact the parsing or indexing queues in
indexing pipeline

•  Does not directly impact search behaviors or search
pipeline performance
80
SplunkSight
Designed to be easily configurable
•  Enable mapping from CIM to CEF in a .csv file

•  Designed to work with metadata wrioen at index <me
using Technology Add-‐on framework

•  Allows Target to specify specific fields to consume in
Splunk for consump<on in ESM

•  Manageable via the deployment server
81
Current Architecture Challenge

ArcSight Architecture
aoed
form
g CEF
Syslo
82
Architecture with SplunkSight
Real-‐Rme

Machine Data
SplunkSight CEF formaoed
83
How it Works
•  Communica<on from forwarder
–  We configure the forwarder to send data to the Splunk Indexer, as you have
currently deployed Splunk today.
–  For data types requiring transforma<on at index <me (either on a Heavy
Forwarder, or on the Indexer) we send either Cooked or Uncooked data.
–  The indexer listens on 9997 as usual, receives data into Splunk and consumes it.
84
How it Works
•  Communica<on from indexer to SplunkSight
–  The Splunk Indexer sends via outputs.conf, data to SplunkSight, which lives on a
configurable socket on the indexer (we are using 9996 as example)
–  We are sending data using our TCPOUT op<on in our proprietary S2S protocol,
which allows us to field map, and transform data into CEF Output.
85
How it Works
•  Sending data to Arcsight ESM
–  Defined in splunksight.conf Splunksight.conf
–  Output is UDP syslog [daemon]
–  SplunkSight runs as a service and includes a few listen_ip = 0.0.0.0
python processes: listen_port = 9996
ê  Process.py log_file = /tmp/splunksight.log
ê  Cefobjec<zer.py pid_file = /tmp/splunksight.pid
ê  Daemon.py log_type = standard
ê  U<ls.py
ê  Read-‐conf.py [syslog]
proto = udp
ê  Splunksightsyslog.py
dest_ip = x.x.x.x
ê  Splunksight.py
dest_port = 514

86
How it Works
•  Configuring SplunkSight Splunk_TA_Windows
–  Requires WRITE_META = true for Technology
add-‐ons (This creates an indexed field), fields Transforms.conf
and props configura<on. [Target_Server_Name_as_dest]
–  Provide mapping of CIM (Splunk) fields, to CEF SOURCE_KEY = Target_Server_Name
(Arcsight) fields i.e. default.csv REGEX = ([\\]+)?([^-‐].*)
WRITE_META = True
Default.csv FORMAT = dest::"$2”
#cim,cef
dest,CEF_dest Fields.conf
session_id,CEF_session_id [dest]
dest_nt_host,CEF_dest_host INDEXED = true
src_ip,src
dest_ip,dst
src_port,spt

87
How it Works
•  Configuring SplunkSight Splunksight.conf
–  Enables filtering based on Sourcetypes and
indexes. By default, we remove all the _* [filters]
indexes indexes_to_discard = _internal _introspec<on
–  Can configure whether we send ALL data, _thefishbucket _audit _blocksignature
or just metadata
#sourcetypes_to_discard =sourcetype::syslog
sourcetypes_to_discard
=sourcetype::sep::risk

88
CEF Output example
Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.11.36.20

end=179 fileType=applica<on/x-‐fcs in=24804 request=hop://199.9.251.150/idle/1021363361/6290 xreferrer=-‐
requestMethod=POST suser=-‐ act=TCP_NC_MISS xstatus=200 requestCookies="Flash\"" out=212
Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|
Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|
Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.44.38.116
end=125 fileType=-‐ in=39 request=tcp://216.219.113.250:443/ xreferrer=-‐ requestMethod=CONNECT suser=-‐
act=TCP_TUNNELED xstatus=200 requestCookies=-‐ out=67
89
Workflow Example:

Splunk > Archer
91
Splunk / Archer Integration Workflow - v1.0
START
Event Escalation Review Resolve Mark for
Review Notification Incident Incident Closure
1.0 3.1a 4.0 4.1 4.2
YES
Escalate Review Review Escalation

Event Escalate? Mgr Closed
Incident 3.1 Closure Notification
1.1 3.0 5.0 4.2a
NO
Monitor New Splunk Resolve Mark for Monitor

Events Incident Incident Closure Splunk
2.0 Notification 3.2 3.2 Incident
3.0a 6.0
END
Create Incident Mgr Close
Escalated Archer Closed Closed
NO Event? YES Notification NO Incident? YES
Splunk
2.1 Record Event
2.2 3.2a 6.1
6.2
Splunk Archer Integration Escalation Mgr. Incident Mgr. Operations
92
Ge{ng Data to Archer
python REST API interac<on with Splunk API for gathering things like asset info, vuln data, etc pulled
from the metadata ‘Notable Events’ correla<on framework.
The common set of fields in the correla<onsearches.conf specifica<on would be passed to archer,
driven by the rule_id

security_domain
severity
rule_name
descripRon
rule_Rtle
rule_descripRon
drilldown_name
drilldown_search
default_status
default_owner
93
94
•  Archer fields mapped to Splunk Notable Events field in python SOAP script
•  Splunk generates metadata events, and ‘Archer’ command, sends it to Archer via custom search in
Enterprise Security.

•  Workflow ac<on to escalate a Notable Event to Archer directly
•  Automated Splunk Search of the 'Notable Events' Macro every few minutes based on rule_id,
event_id and urgency (for aler<ng if desired)

Closing a Notable Event from Archer
Archer dashboard object or ac<on to close a 'Notable Event'. We use the ‘search’ REST endpoint to
allow a REST call, to change a status or close a status.

This hander takes some input and writes a properly forma/ed line of CSV to incident_review.csv.
incident_review.csv's header contains the following fields:
Rme
rule_id
Owner
Urgency
Status
Comment
user

Enabled SOC - SIEM Use Cases (PDFDrive)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Enabled SOC - SIEM Use Cases (PDFDrive)

Uploaded by

Copyright:

Available Formats

Copyright

© 2014 Splunk Inc.

Threat Management Application Monitoring 2.90 3

Data sources Limited Any technology, device

Custom Device Support Diﬃcult Easy

Add Intelligence Diﬃcult Easy

Splunk Can Complement OR Replace Exis<ng SIEMs

INCIDENT SECURITY & REAL-­‐TIME MONITORING FRAUD INSIDER

Small Data. Big Data. Huge Data.

Splunk soVware complements, replaces and goes beyond tradi<onal SIEMs.

aoack/campaign intent and aoribu<on Open source Intelligence Sharing …

Firewalls Email, Web, DNS Malware

• What paoerns/correla<ons of weak-­‐signals in ‘normal’ IT ac<vi<es would

q Compliance monitoring, repor<ng, audi<ng

" What is the business’s appe<te for change?

Threat Priority Matrix

Talent Capability Model

No SIEM: Ge{ng Visibility First

Legacy SIEM: Limited Visibility

1. At index <me, Splunk can forward data to

3. Splunk alerts to ArcSight ESM via SNMP trap,

Legacy SIEM: Splunk to ArcSight ESM

SOC Integrated components Metrics, and Drill-­‐down

.csv ﬁle CMBD Vendor Threat Intelligence

.csv ﬁle CMBD Vendor Threat Intelligence

File code Hash value Variants Filenames

External Lookup using .csv

Threat info (various)

• Directory User Informa<on • Applica<on Usage &

• SA-­‐VA, ES Vulnerability Assessment/Risk calcula<on tool

• SA-­‐VA (How it works)

• SplunkSight (How it works)

• TA-­‐Archer (How it works)

• Network complexity and aoack surface is growing

Monitor network risk trends

Isolate exploits aﬀec<ng a large number of hosts

Access to informa<on on thousands of exploits

View all hosts aﬀected by speciﬁc exploits

Connect and Visualize Automa<cally Deliver

Gather and enrich Guided search

Gather and enrich Conﬁgurable

We built SplunkSight to deal with these challenges

Sep 4 20:30:03 172.16.130.1 CEF: 0|Splunk|sourcetype::bluecoat|1.0|100000|generic event|5|src=10.11.36.20

Escalate Review Review Escalation

Monitor New Splunk Resolve Mark for Monitor

Splunk Archer Integration Escalation Mgr. Incident Mgr. Operations

You might also like

INCIDENT SECURITY & REAL-‐TIME MONITORING FRAUD INSIDER

•  What paoerns/correla<ons of weak-‐signals in ‘normal’ IT ac<vi<es would

q  Compliance monitoring, repor<ng, audi<ng

"  What is the business’s appe<te for change?

1.  At index <me, Splunk can forward data to

3.  Splunk alerts to ArcSight ESM via SNMP trap,

SOC Integrated components Metrics, and Drill-‐down

•  Directory User Informa<on •  Applica<on Usage &

•  SA-‐VA, ES Vulnerability Assessment/Risk calcula<on tool

•  SA-‐VA (How it works)

•  SplunkSight (How it works)

•  TA-‐Archer (How it works)

•  Network complexity and aoack surface is growing