Splunk for Security: What is Enterprise Security? | Data, Dashboards & Darjeeling Webinar Series

Captions
So my name is Ben Merrible, I'm a Splunk security strategist here at Somerford Associates. Essentially what that means is I talk a lot of security with our clients: talk about Enterprise Security and the Splunk security stack, all the way through from Splunk core, Splunk Enterprise Security, supporting applications, Phantom, UBA, Splunk Security Cloud, all of the great stuff that Splunk can provide in the security space. But here we're focusing specifically on Enterprise Security, and really where we can get value out of Enterprise Security, what drives that, and a good route through it.

So hopefully you're expecting to be here. Just a reminder really, you've all been sent the agenda for today. The purpose of the session is to look at how ES can really transform the business, how we can get data from the cloud and work with organizations moving towards the cloud, overcome common security challenges, also look at modernizing the whole security approach, and also explore some of the really key concepts within Enterprise Security, whether that's notable events, assets, identities, threat intelligence, risk-based alerting and MITRE ATT&CK, and how we can leverage MITRE ATT&CK.

So just quickly before we go into it, because really I do just want to show you the technology and show you around, just a little bit more about us. We're Somerford Associates. You've probably heard of us hopefully by now. We are an elite partner of Splunk; we're an elite partner both for being a reseller and also for professional services. We're one of the leading professional services teams in Europe, and we're getting quite a few accolades through the Splunk partner ecosystem as well. So that's just a little bit about us. So I'm just going to move into the demo, so if you just bear with me as I switch tabs, it did just a little bit.

Okay, someone's got 'unable to hear me'. Presumably that might just be a one-off. Is anyone else able to hear me? If you could just let me know, in case I'm talking and no one can actually hear what I'm saying, that would be a bit of a problem. Yeah, okay. Thanks all, so just to clarify, excellent. Not sure if it's a problem with your end, with your speaker, but I'll continue if that's all right.

So if we just go into it, one of the first things I want to explore with you is really around how Splunk core transitions into security, and then how that transitions into Enterprise Security, and how that drives through. Presumably you've all seen Splunk core; you understand how Splunk Enterprise works, Splunk Cloud. Splunk core is the terminology we use to cover both of those, what Splunk is essentially. If you haven't, then absolutely get in contact and we'll be able to give you a different webinar on Splunk and how that really works, but this one is all on security.

So if we just leverage from one to the other, what we really want to do to be able to use Splunk for security is start thinking about the content that needs to be driving that mission to get towards security. And there is a lot of content. We have an application here called Splunk Security Essentials, which really provides a big library of content at the fingertips of the Splunk engineers, those that are using Splunk, and really being able to leverage all of the useful things that are going on across the world. Splunk's a leading technology, it's used by many, many organizations around the world; they have their own security research team that develop their own security content, and then they can put that into Splunk Security Essentials to really allow you to get the value out of it. So just quickly, this is a free app with Splunk core. You don't need Enterprise Security to use it; however, it does have use cases that require Enterprise Security to get leverage out of them. So we're just going to explore a little bit around here to start with.

One of the places I want to take you to start with is the security data journey, really, and what we really need from data to provide security at the other end. So how do we know what data sources to bring in? How do we know how to focus our efforts on making sure that we have the wider scope of security coverage? So what we have is a data journey. This is Splunk's vision, essentially, for steps or stages to go through to become more advanced in your detections. So one of the first things to do is think about collecting the basic set of logs, and each stage throughout this has a description of what we would expect to see from the stage, milestones, what we'll be looking for and trying to achieve, and any challenges we might see at that stage as we progress through. And if you scroll down for each of these stages you'll also see the data sources that we deem to be the most valuable to provide the most content within that stage and to provide the most security coverage.

It's all well and good trying to leverage the stage six advanced detections, but if you've got the most advanced capabilities for security and you've left a simple back door open, an adversary is not going to use the most advanced tools. They don't need to; they're inherently lazy, they have other things they would like to be doing, so they'll use the easiest, most efficient way of getting in to break the defenses. So it's really important to use the building blocks, and this staged approach can really help as a guide to going from essentially zero all the way up to a very advanced detection system. So we've got the stages. There is a nice big PDF that you can find on our website, and you can also find it on Splunk's website; Splunk produced it essentially as a guide and it goes into a lot more detail around what you would expect to do in each of these stages. But within the app they also include it here, and as you step through you'll see everything changes: milestones, challenges, data sources and so forth. You'll also see on the right-hand side the number of use cases that become applicable from that position. So we get more security monitoring, we have more compliance, more incident response, more insider threat, maybe some advanced threat detection as well. So as we progress through, that opens up our capabilities a lot wider.

So we're talking about all this content, these use cases. Where is it, what is it? Well, within the security content page you can see the whole lot. In this we've got 654 different use cases that are available, and 313 of them are filtered with the current filter set that I've got here. You can filter on a number of different things. If you want to filter on the data sources that you have, you can do that; there are also specific data sources that you want to filter down on, so if we're looking for cloud, AWS, we could filter on AWS. We simply just check that box and then below what we'll get is all of the AWS-relevant use cases. So we really filter down, and as we scroll through you see things that are relevant to AWS and so forth, like 'suspicious container image name', all sorts of different things, and whether they need core or they can be leveraged with ES is really down to the colour in the top left corner: Enterprise Security, or this is Splunk core essentially. But if I just come back to all, you can see all of the different ones that might be coming up. You can filter based on MITRE ATT&CK if of course you're
targeting the MITRE ATT&CK framework as a way of coverage. You can also filter on the kill chain phases if you need to think about certain areas within the kill chain where maybe you're a little bit lacking in coverage; you can do that and have an approach from that perspective, and of course you can do both, which is really useful. You can also look for the security use case areas, so if you're interested in insider threat or application security you can do that as well. It's really good to be able to filter this all down and then target what it is that's important to the business right now and work from that approach.

One of the other really good things about Security Essentials is the ability to bookmark and tick off certain use cases when you've got them implemented, so you can track the use cases as they progress. This is something that's of interest, you can bookmark it; this is something that you've actually fully implemented, you can go and check that off. There are also different stages within those bookmarks to say: I'm waiting for some data, I've tested this or I'm waiting for a test, it's ready to be deployed, and it's now deployed. So you can progress those use cases and have a use case tracker that allows you to progress them, along with notes for each of these.

But if we just click on one of these, I'll just pick this one. This takes us to a new page that actually shows us the breakdown of the search and how it works. Across the top what you're going to see is the details around the search: what it is, the description and that side of things, what use case area it comes into (security monitoring and compliance), the number of alerts we'd expect to see (medium), the difficulty of the SPL, whether it's easy, medium or hard, whether you're bookmarking it (you can bookmark it), and also all the MITRE ATT&CK tactics and techniques that are relevant, and the threat groups of course, and the kill chain phases. What's really key of course is the data sources that this could be driven from: audit user activity, Azure, GCP, AWS, Windows Security, that side of things.

Then as you scroll down you can actually see the search. Here's the search, this is how it's constructed. Now if you're new to Splunk, or you're not very experienced with the SPL side of things, this is a really good tool to allow you to learn from those that are generating these searches and what each different step within the search means, because it has full comments on all of this. So we're looking at the Change data model, we're filtering on deletes, we're listing the number of deletions by source user (that's what the stats is really doing), and then we've got a where clause saying okay, we've got at least one account involved, and then we're getting information from the asset and identity information around it. That's what this is doing for the user, to get more context around that user account, so we know who their manager is, what their phone number is, where they work, what sort of location they're in, any categories like whether it's a privileged account, all that sort of thing. And that's what this search category is, so we're only looking where they're privileged accounts. So that's how we break it down and build it.

And also with this you get a bit of additional context: how we implement it, any known false positives, how we would respond. So as a starting point, you've got a use case that you need to look at, or you've found it; what would you do if you see it in the environment, even if it's just the basic things that you would want to look at? And then, as I say, known false positives for it and so forth.

Okay, so one final place I want to take you within Security Essentials before we crack into ES is a viewpoint of all this content. We've got 650 pieces of content, we've got a track of all the data that we have in the system (Splunk knows what data we've got in the system), so if we want to map all of that against the MITRE ATT&CK framework, what we can do is we have an analytics advisor for the MITRE ATT&CK framework and we can draw a picture of all the use cases that you have in the environment. So the 654 here in total, and the darker the colour for a particular piece, the more that we have active and available, and so forth. The lighter the colour, maybe we don't have use cases in this particular area of the MITRE ATT&CK matrix; maybe Splunk's not the right tool for that. You could still use Splunk to track that and build this use case up, even if it's some other tool that you've got, like a Varonis or a Centrify or an Okta or whatever the external tools are that you're using to cover that particular use case; you can still bring that into this reporting engine to be able to report on this MITRE ATT&CK matrix and all the use cases that you have. And of course this is currently the enterprise one, but if you're interested in the cloud one then of course we can just filter based on cloud and that will bring up the cloud matrix and also colour code it based on all the different content that we have available. This is colouring by total, but we can also colour by active, or available, or needs data, so we can track and cover what we're really interested in and where we can get to.

I can see more people are asking questions, so I will come to the questions at the end if that's all right. I checked earlier just because I wanted to check no one's having problems. So we'll come to the questions at the end, so please fire them away into there.

Okay, so that's Splunk Security Essentials, and that is a key companion app really to any Splunk security journey, whether you're using Splunk core (Splunk Cloud, Splunk Enterprise), or if you're using Splunk Enterprise Security, or if you're using anything else, UBA or Phantom; it's a really good assistant to all of those. So it's really fundamental, and it's important to cover that and how that really helps.

So if we just take a look at ES now, just bear with me while I take a sip of water. So, Splunk Enterprise Security. This is generally the front page of Splunk Enterprise Security; this is what's known as the Security Posture. Everything that I show you in this demo is all going to be out of the box, there are no custom additions to it; this is what you would expect to see if you have the technology. Of course we're generating data here on a very regular occurrence, all of it's demo data, over and over again, so you will see significantly high numbers, because we're just exploring everything that we can and being able to cover every single point that we can, and because of that we get high numbers. So I wouldn't expect your environment to have 10-15k notable events on a daily basis at all; in fact you wouldn't have a chance of being able to deal with those. But just so you're aware, that's a really key point: it's demo data.

So what do we actually see? This is the first port of call that you would usually go to as a security analyst at the beginning of the day. You would come in here and you would look at the number of notable events within potentially your area. So you might have a speciality, you might have a domain speciality; you might be someone who knows about authentication, you might be someone who knows about network security or even endpoint security. You might have those kind
of different areas, and that might be your key point of focus as you come and start dealing with these alerts that are coming through.

What do we mean by notable event? Well, a notable event is an alert that's generated from what we call a correlation search: a search that is able to correlate over one or many different data sources to generate an indicator of compromise, and we use a notable event as a way of tracking that. The process of creating that notable event takes into account both the actual correlation search severity, so whether that's something like a brute force, maybe that's a low severity or a high severity, however you view that, and also the user that might be involved in that. So if you've got a brute force against the CEO, that's probably a critical issue. If you've got a brute force attempt against a new graduate that's just got a new laptop and they've just joined the company, probably not as critical; it could still well be medium, they might be in the administrative team, they might have admin rights, privileged rights. You could leverage different levels of that priority for these user accounts based on all these different factors. So what we really do is we create a notable event based on the severity of the correlation search and the priority of the asset or the identity that's involved, and that's how we generate this urgency of how to deal with things.

So one of the first points you might want to deal with of course is the critical urgency notable events. These are the things that really should be looked at first; that's why we give it the urgency, because we know sometimes SIEMs can produce quite a bit of noise, and I'll talk about how we can reduce that noise using risk-based alerting a little bit later. But for now we're talking about the situation where we're getting an alert because we've seen an indicator of compromise, and as I say, I'll move to risk-based alerting a little bit later.

The other things that we can see on here, of course, are notable event occurrences. You might get very popular notable events. Now, do we need to tune the correlation search that is triggering that, is it creating too many notable events? And with all of these you get a sparkline, which is really useful. So say if you've got something like excessive failed logins, you might get a spike at 9am; that's probably reasonable, people just starting for the day and having forgotten their password, maybe they changed it the day before or the last weekend and it's a Monday. Or you might have more of a heartbeat, and a heartbeat is more indicative of a scripted attack and therefore something that you should be more concerned about. So that's why the sparkline is there, it can be really helpful as well, such as this one: this short-lived account seems to be occurring very repetitively. Okay, we're demo data, we're creating it every 15 minutes or so. Top notable event occurrence by host, of course: so we've got hosts that are particularly getting a lot of alerts, and that's another place that we could look at and drill down into the information.

Now with Splunk everything is clickable and drillable; this dashboard is just a viewpoint, the starting point. So if I want to look at this particular host I can go ahead and click on that, and that will take me into the Incident Review page. Now, the Incident Review page has come on quite a bit since the version that I've got here in the demonstration, and if we want to explore later versions and what they can do, absolutely we could do that a little bit more closely, but right now this is the environment that I have available to be able to show you with all the demo data. But as I say, this has come on quite a bit since this viewpoint you've got now, but fundamentally it's still the same.

So we have a collection of all our notable events; they come up below. We've got filters across the top that allow us to filter down on all that information. So we can filter based on the urgency, the status of that notable event (this is a SIEM, this is for actually dealing with the events, event management, it's not just a case of notifying you, so because of that you've got the process of being able to set it as new, in progress, closing it out, all of the different steps that you might want to do, and you can add your own steps in here as well if you need to). You can filter by the owner, so if you want to look at just your own events you can filter based on that. Domain, like I mentioned before, whether it's access you're interested in, or network, or whatever. You can filter based on a particular search, of course; everything there is searchable. Or you can filter on a specific correlation search if you're just looking at specific notables that are of interest to you, and of course you can filter on time. So once you've done all of that you can go ahead and hit submit, and basically what will happen is you'll filter down everything below. So I've added in these two security domains, so it's going to filter based on those two particular domains and you'll see these events.

Now if you want to look at one of these you can expand it. So this is a brute force by the looks of it: there are failed authentications 1394 times and it successfully authenticated 345 times in an hour. It's got a very high risk score, this particular asset. It also tells you all the information around this asset, so it's owned by Bill Williams, it's in Pleasanton in the USA, it's getting some tags around what's going on with it as well, so you can tag all these notables as well, and really get all that information around it on the left-hand side. Now on the right-hand side you're going to get the correlation search, a direct link to that correlation search. So one of the ways of tuning these is really coming in here and going, right, okay, I need to go and actually have a look at that correlation search. Now I'm not going to break down the correlation search in this demo, but if you wanted to have a look at that we could go into it another time, absolutely, and how that all gets built up: the schedule, the throttling, the notable event, the severity it creates, the drill-down (which I'll come to in a second), all these sorts of things that you can add to, as well as the next steps. So there are no next steps defined for this, but for any correlation search, any notable event that you create, you can create a number of next steps for the analyst to know what to do about it. So 'what do I do about it?': you can build that into the actual content so that when someone finds the notable event they know how to progress through, and those next steps can be shown down there at the bottom right.

One of the other links, of course: you can see who's been dealing with it. We're auditing everything in Splunk, so we audit who's been actioning this particular use case, so we can go and click on that and show who's been doing what with the notable event. And we can also look at the underlying events, so if we want to go and have a look at the contributing events to this, we can go ahead and click on that and that will show you all the logon attempts by the system, from this particular source, how many authentication events they're trying to get to and all that sort of thing.

Now you'll also see these adaptive responses popped up. So, aligned to this correlation search that generated this notable, you've got a number of adaptive responses that have been run against it because it's been alerted. Now, one of them was to create a notable, which we're
seeing here; the other one was to actually generate some risk into the risk index, essentially, or the risk framework. Now the risk framework has been progressed to be able to do risk-based alerting. And what do I mean by risk-based alerting? It's really about being able to take a number of different things that are not very indicative on their own that there's a problem, that someone's there, but more indicative of potentially leading to something. What you want to be able to do is leverage lots of different pieces of information, like potentially someone creating a new account on a system. Now on its own that doesn't mean that there's a security breach that's occurred in the business, but if I create an account on that system, and then that system goes out and connects to a known threat IP or domain, and then that system makes some changes that it wouldn't normally make, and so forth, you've got three different things here across different MITRE tactics that are involved, or cyber kill chain phases in fact. So what we do is we basically take a record of all of these, which is what we call a risk rule, to track the risk, and then we create a risk incident rule to cover across all of those and say okay, well, if we see three different tactics involved on a particular system or a particular user (because we're leveraging the asset and identity frameworks), then let's alert on it. It's not a pattern of specifically this, then this, then this; I mentioned it in that way, but it could be anything across any number of different tactics that suddenly gets alerted on. So what we can really do is take in those noisy events, taking those things like someone creating a new account, which generally can be quite noisy in environments, and you don't have the time to triage it on its own, but take that information in and correlate it with other information using the risk-based alerting approach, to really narrow down the number of alerts. And that's the same with something like this for brute force, where you wouldn't then create a notable; you would just go straight into creating a risk, and you would leverage the risk and you would say okay, give it 20 points of risk. So not only can you track it for a certain number of tactics, you can also track if suddenly this system or user has just got a certain amount of risk. This is 32,000 points of risk, that's quite a lot. If you wanted to alert any time someone got over (you usually would build it around 100 points; this is obviously excessive), you would want to alert on that as well, and then you would have a look and you would investigate that, which I'll come to, about how we can investigate this actual asset itself.

Now the other thing about automation is these have been done automatically. So we triggered a correlation search and that's created a notable; let's create a risk analysis. Some of the other things that we can do out of automation, essentially, is run adaptive response actions. So we could have these in the next steps down the bottom here and get the engineer to click on it and run it, or we can go ahead and run it straight against this. So we could send stuff to Tanium to ask a question and get results from an external technology. We could go ahead and order a pizza: if we see a certain critical-level event that happens after 5pm, okay, well, we need to order pizza because we know that the engineers need to stay behind and deal with this, we can't leave it till 9am in the morning, so let's just order them a pizza and not let them worry about it. So you can hook into all of these different things, and you can expand this adaptive response action framework and get a lot of other things in there as well, of course going into Phantom and doing the Phantom automation, which is another topic for another day to some extent. Or you can go and open tickets, close tickets, you can go and talk to Symantec, you can add the threat intelligence because this is now something of interest and you want to track it again; all of these different response actions to automate the process of going through the whole set of steps. Good.

So, as you know, within the framework, one of the other things that you can do with this is actually pivot from here. So if we take in context this source, 10.11.36.20, we click on here and this will allow us to pivot from here to other areas of the environment. So if we want to see who's logged on to it, who's logged on from it, if we want to map it or Google it, if we want to see what the IDS or IPS is saying about it, if we want to see what malware is involved in it, if we want to start a stream capture, if we want to actually do a packet capture on it, we can use Splunk Stream; that's another technology within the Splunk ecosystem that allows you to basically capture off the wire the actual traffic that's going on, if you want to turn that on. If you want to see what your firewall is doing, where this is going to and from, you can do that as well; any updates involved in it, any vulnerabilities on the system, you can do that. So you can really pivot from here to different areas of Enterprise Security and get a lot more information around it.

Now one of the places I want to go is into the Asset Investigator. So this is a form, really, that gives us similar information to what we saw there across the top: it's owned by Bill Williams, it's in Pleasanton, this is the IP address, latitude, longitude, you can see its PCI domain is 'trust', okay, so that's interesting, its category is PCI, all of that information, and it's also a critical asset, for whatever reason. And then if you scroll down you can see a number of different swim lanes, as they're called in Splunk. This is a really good way of extrapolating out the information, because this is a noisy box, it's got a lot of things going on, so really being able to differentiate all the different areas that we might be interested in. And what's really useful is being able to pattern match over this time period. So we're looking over a day here, the last 24 hours, and we might see a number of failed authentications and a successful one, we might then see a connection to a command and control centre, we might see some malware, might see a change on it, we might see some threat, all of that over a period of time. But it's not going to be a case of what happens where; it could be here, it could be there, it could then be over here, and then over here, and so forth. So you can get an idea of how, if you did that with a machine, you'd have to crunch the whole 24 hours, if it was even only in 24 hours, it could be in a wider period; crunch all of that together and then try and look at those patterns. But for a human to see the patterns it's very, very easy; we can just see that from the visuals.

And then in terms of what we want to look at, if we hover over and select any of these, you'll see on the right all the different events that have been selected. You can see the high-level fields that have been taken out and extracted, so you can see information around it: scores, severities, users that are involved, actions, destinations, sources, signatures, all of this sort of thing. And you can filter any of these, you can select out certain ones if you want to and it will regenerate all those events, and if you want to see those events you can go ahead and click on 'go to search' and it will show you the events that you've selected here in this viewpoint, which is a really powerful way of just kind
of selecting what you want to pinpointing narrow down what you need to if you want to share this link with anybody else in your team you can do that it creates a specific link with all of this information where you are with time frames all of the events that you've got selected and you can see this is like the longest link in the world because it really does take you to exactly the same point um that you're seeing right here and i never get to the end of the link by the time i've finished so um so that's really good and also you create a notable event straight from here as well so this is a really good kind of tool to kind of start exploring the asset around a wider kind of concepts and kind of looking in other ways um not only did we have it for assets we also have it for identities so very much if you want to look at a particular identity maybe bill williams here you can go and have a look at what bill williams is up to and you'll get swim lanes around machines they're connected to changes they've made now where they've been involved in all that sort of things as well which is great now we've deemed this to be of interest we've done some very initial triage okay so what we will do normally next is look at this particular thing click on edit so we're selecting it we're editing it maybe we're going to start you know progressing that status we're going to you know maybe we want to change the urgency maybe we don't maybe we want to sign it to me we can go ahead and do that and maybe we want to comment um looks suspicious maybe a bit more useful kind of things in there needs to be at least character 20 characters one two three four um so we can put in a comment that allow means that we can actually start actually tracking that and saving that so we're editing that event so we're starting to do some triaging on it the other thing that we can do is actually add this into an investigation right so um if you come back um so we can check it and we can also add that into 
the investigation so it's now owned by me we've got it it's in progress um we click this and add it to investigations so um i've got an investigation here from uh november 2020 let's create a new one my investigation uh july 2021 um it's new we click save and this is going to add it into this brand new investigation so with enterprise security what we have is an investigation framework that kind of allows us to track and triage different notable events different searches different dashboards that we've been viewing um different times with drunk tea if you want to you know talk about the t side of things um so one of the one of the viewpoints here of course is the timeline so we've got that notable event we've added that in um here's a list view of all of that okay um which is great maybe we also then want to add in a different engineer we could go ahead and do that you know maybe we need to pass it over to somebody at the end of the day maybe they can get involved um maybe we want to add in any other investigation artifacts so one of the things you saw there is it took the 10.11.3620 and put it in my workbench which i'll come back to in just a sec uh maybe we want to do a quick search and add that in maybe we want to add in some notes we could add a new note started investigation that probably happened you know uh for 17 20 minutes ago i think that's an hour ago i think it's on utc time um add it in the timeline yeah that's cool um add in whatever and also you can add attachments right so if you're taking a screen capture or um you've got a csv file or something like that you could go and add that in as well so we've got a way of kind of tracking this taking notes of all the all the events that are going on um and then that goes into my timeline so they know event happened to 101 so um yeah okay uh and then we got slide views so we can see it from a slide perspective as well and we can go through that from from all of that which is fine and then another really key 
thing that you can do here is actually look at your previous actions right so i've looked at some dashboards i've done it in the last 30 minutes um i can just basically search and audit mine so i went into the asset investigator here it is essentially i can go ahead and add that into my investigation and that was you know that allows me to then have a drill down to that asset investigator and go back into it right so here it is and if i want to view the dashboard i can go ahead and do that it'll take me back to where it was a second ago with the asset investigator so what deemed and what i used as you know determining that this is actually something i need that need warrants investigating um i can add that in as well so i've got a track and trace of all the events that have actually been in this investigation whether that's notables whether that's dashboards being viewed whether that search has been run on the fly which you can add in of course as well which maybe i was investigating or notes right notes external tools you might have seen as well um and then just to come back to the workbench really if you want to then what's really cool is it pulls in the artifacts for you right and you can add in additional artifacts if you want to this is a particular asset and you can go ahead and select it and then you click explore and it will go and bring up a number of different dashboards that can be expanded if you want any specific addition one additional ones showing the risk score over time showing the idea that s alerts that's aligned to it showing the system vulnerabilities showing any notable events aligned to detailing around what this is apparently it's got a cisco router the os 10 of all necessarily saying this is cisco router which is interesting the last updates are available on it um that side of things um you know my endpoint data right what file system has been changed registry activity has been going on and that service activity so it's a cisco router it's 
got a lot of registry information probably got some sort of interesting os sort of thing here um poor activity is going on all this kind of ways of doing investigations really um within this um leveraging the artifacts within the investigation side of things which is uh really really good really nice um one of the other extensions to this and to enterprise security is an application called sa investigator okay so sa investigators have been around for a little while now um and splunk took a lot of what was in sa investigator and built this workbench kind of frame point out to kind of show you this side of things in the investigations which is really cool however investigate still has additional things that this does not and so it is a very good additional app to add on to an enterprise security environment um to really drill down even further right and do some more investigations go into more in-depth investigations across all sorts of different data sources and so forth so if again i look at this particular ip address um so much like you saw me just then in the workbench view we can go ahead and have a look across lots of different areas whether that's certificates whether that's dns whether it's updates authentication vulnerabilities and we've got all these different viewpoints that we can kind of drill down and provide all these dashboards for you um in the details what that detail is about the asset notable events by it um net events by source by destination um traffic that's going to and from right all of that side of things it's kind of an extension to that workbench as i say it kind of was a viewpoint of how they kind of leveraged that workbench but you know as a point it is an extension to it so it's a very good kind of add-on to it good okay now i'm just gonna take maybe five ten minutes just to kind of show you some of the dashboards that are in enterprise security now um by no means can i cover everything in enterprise security in an hour there is a lot 
of content here i do want you to take that away and think yeah there's a lot here that you get with enterprise security because there absolutely is um but i do want to just touch a few points to kind of show you different areas including the threat framework i've talked about rba i've talked about investigations and that side of things but i do want to talk about threat i do want to talk about generally how you would kind of go from a for a hunting kind of perspective right how you would use enterprise security to start hunting for things so well and good getting notified about stuff but you can't get notified about everything so what can you really do to kind of go hunting now i talked a little bit from the instant review page about how you can switch into um say seeing what asset what a system has been going logging on to or from um so we have within here a number of domains so as a specialty you might take access within the access domain we've got some dashboards one of them we will have is called access center and this gives us a very high view a point view across the entire estate of what's going on in terms of authentication so as you kind of understand the day-to-day what we'd expect to see we can start seeing things that are out of the norm based on just generally knowing what's normal uh for the day you know are we getting more and more sources authenticating more and more destinations they're going up or down there's a trend lines are they authentications over time actions what users what systems are generally creating my most authentication events you probably understand that you might have a system that creates a lot of authentication events maybe it's a some sort of scanner that has to authenticate before it does whatever it needs to scan on the box that's fine you understand that that's good but if you start seeing something else come on the bot in the environment that's you know significantly creating a lot of events that's probably something you 
could investigate and look into so you create this kind of we have this dashboard to kind of look into it and if we filter down we can filter down on all the events right so maybe we're just looking at contractors right and we may be just looking at contractors that have privileged access so we can filter based on that and it will regenerate the alerts based on privileged contractors okay so we don't have any privileged contractors so that was good good uh good selection um so let's just filter on all um so any privileged accounts that we have across the estate what they're doing you know logging in failing that side of things okay so we can go ahead and do that and if we want to then go and click on any of these right we go and click on this particular thing or any of these dashboards and it will take us into access search and this is a really easy way of viewing the events for authentication so here we're looking at all of the authentication events from 10.9.8.8 between times of uh the last 43 minutes it looks like uh or 24 hours at an hour okay so the last 24 hours um and it groups them statistically groups them and gives you the count of the number of times this user has logged on from this source right so um there's sometimes a failure sometimes successfuls and then you can also see the events underneath right so if you really want to narrow down and say okay i'm interested where oracle has been logging on um across all of my systems within the last uh 15 minutes where's oracle being logging on um you go ahead and do that and that will show you all the systems that have oracle logging on within the last 15 minutes which i would always pick one in a live demo that didn't show me anything so here we've got route where route was involved in logging on for the last 15 minutes so you can see the slight difference in speed between the top one and the bottom one that's really just about the way that it's kind of being produced with data models versus non-data models 
um but you can see and ever so slightly and we do this because we create data models um within enterprise security we leverage the common information model to really progress and accelerate the search capabilities so we can scan hundreds and thousands of events every 15 minutes to be able to give the most up-to-date most information and really get narrow down on it so there's a lot of work that goes into building enterprise security by using all of all of the tools and toolbox for splunk to kind of get the most out of it in terms of search and resources so we've got an access center we've got an access search so we've got a high level view we've got a search and what we can also do within this is kind of look at kind of operational security side of things so you know users that have logged on for the first time in the last seven days okay so these users have logged onto this box these boxes the last seven days that's interesting um inactive accounts why are they still around um you know that sort of thing expired identities why is any accounts that have been expired are they still around that sort of thing so we've got dashboards that can kind of do your operational side of things to make sure that you're just doing the the the good stuff that you should be doing anyway um but most organizations aren't always doing um but it's a good way of just quickly viewing that side of things and kind of you know narrowing that down as well in this in this area we've got account management so who's making changes to accounts doing that quite common and default account activity right so people like guest administrator root um oracle all of those default accounts from different applications why are they being leveraged really they should be broken away put in a in a break class scenario we need to be have accountability for them so we can go and have a look at any of those default accounts being used and kind of really drill down on that so that's something else that we can look 
at okay now so in the interest of time i'm going to quickly just touch a few more so if we want to look at endpoint we can talk about malware center and search so similar to access center and search so you've got a high level view way of narrowing down if you want to look for particular signatures operations this is really good at showing you what client versions you've got in your malware client what um malware clients you have out there what signature versions you've got um you can see what my systems are doing in terms of os's uh in terms of updates we can see what's going on any particular changes to endpoints whether the time is in sync all of that kind of great stuff within the endpoint kind of realm and network we can do things like what our traffic is doing so again filter down for this particular host see what traffic's going to and from it um have a high top level viewpoint about the amount of traffic that's going around my environment how much how many bytes are going through firewalls that sort of things vulnerabilities across the estate right so you know one of the key things that um i've got clients that i talk very regularly with they find really useful about splunk is just the reporting capabilities um that other tools maybe don't have so if we feed the information from those other tools into splunk we can really report on the number of vulnerabilities and the security operations program and how we're reducing the number of vulnerabilities not increasing the number of vulnerabilities across the estate that side of things and how when we do these are patching and updates that kind of reduces the vulnerabilities all of that kind of reporting across time and not only do you get the vulnerability information you can you can correlate that vulnerability information with the update information right because they're generally quite linked um vulnerabilities and patches you can patch them so you can get a kind of a better picture of this so because that's 
usually a good program that goes on in security teams this kind of patching vulnerabilities and that side of things so you can do that as well um with vulnerability operations you're talking about things that have been around for a long time that side of things so vulnerabilities that haven't been patched why not that side of things and works and there's lots of other things in here as well so an interesting time and i want to allow some time for questions i'm just going to quickly come into here um so we talked about rba and you can come in and view rba for security intelligence risk analysis you can see all the kind of rba pieces um just on the threat pieces though so splunk enterprise security has a threat framework in fact it has five frameworks uh in total so it has a risk framework has a threat framework has a notable event framework has an adaptive response framework and has an assets and identities framework we've talked about all of those apart from threats so far so from a threat framework perspective what is it um and this is going to develop no doubt um with splunk's acquisition of truestar and um that side of things but for now what it is is essentially a way of collating lots of different threat data from lots of different threat feeds out of the blocks enterprise security comes with links to lots of open source threat feeds which you can just turn on and bring it in it also comes with a collection of local threat intelligence that you can like update and then like include your own threat information just stick it in and it will start being leveraged once you've built up this collection of threat data which is what this threat artifacts is really it's kind of all these kind of known bad um kind of situations so that's for your kind of your feeds a list of all your feeds this is your list of network information so ips and urls and host names endpoints so file intelligence registry intelligence process intelligence certificates emails email hashes that 
sort of thing so you get all this kind of threat information threat data and then splunk is able to scan all of the information that you get in splunk so from firewalls from endpoints from event logs whatever all of it comes in and we can scan across all of that information against the threat framework and we can then generate threat um threat notables or threat activity so we have a dashboard showing threat activity so this is when a machine is connected to a known bad ip or no bad domain or an email has got a known bad file hash or attachment or it's an email hash that's also got you know known to be a threat and we can see the threat activity across it so we've got 202 matches of threat in the last 24 hours in this data um and we can also create a notable event or we can also create a risk notable a risk event essentially um and leverage the risk framework to be able to kind of narrow down the number of threat data that we're getting um and it's really important to make sure that the threat data that's powering the threat framework is as good quality as possible because if you find you're using threat data that's out of date then you might get more notables than really is actually true um and that would be force positives and all that side of things you don't really want to see so as a quick stop on the threat hopefully that's covered it so with nine minutes to go or you know and i'm sure you've all got 11 o'clock appointments uh i do so um i'll just answer some questions if you've got any further questions please do bring them in before i get to the questions um just very quickly if you do want to learn more um and you do want to know more much more about enterprise security you want to go hands-on and actually understand all of the things about enterprise security we'll talk about all the dashboards we'll go into much more details we'll even talk about my one of my favorite dashboards the domain generating algorithm dashboard which um we'll have to leave to 
another day um it will be with me actually uh this workshop in the 28th of july so if you have questions you just want to see a lot more about enterprise security what it does you just want to learn about enterprise career you want to quiz me right so that will be an open session that you can just ask questions free form with me um and whether that's about yes or phantom or you know uba whatever it is you get me for four hours so um a good amount of time um so that's on the 28th of july so if you want to see that and also if you want to get any more information contact us informativeassociates.com uh and then finally i'm just going to go to questions so let me just open those questions up and then i can see them which it doesn't look like they want to show me at the same time as right okay so i've got a question here about the splunk security essentials doesn't show in the splunk cloud app market does it have to be downloaded then uploaded to our managed cloud or would we need splunk to do this good question um so it should be there uh unfortunately i find this if you look in um in manage apps um which uh no doubt you're probably doing in your splunk cloud um if you come here and go browse more apps this is blunt cloud environment as well and if you look in splunk security essentials and you hunt for it it never comes up what it did today okay so it is there um previously it might be because it's installed already um but it comes up as um an application that should be installable i haven't found any problems with installing i can't install because it's an es box actually so i wouldn't be able to install directly on an es box if you've got an es environment in splunk cloud they're a little bit more limited about what apps you can install on it so they don't allow you to automatically install to a splunk cloud's es instance if you use this normal search you would be able to do it but i would recommend putting on a yes and just get the splunk cloud team to do that 
open a ticket for them uh and you'll be able to do that yeah all right you just seen that as well all right good um any other questions um please fire them in to the chat um more than happy to answer them for the next next few minutes if there's no more questions then absolutely enjoy the rest of your day feel free to drop off i'll stay here if there are any questions dropping in but at the moment i don't have any more questions so um yeah please feel free to drop off the line and thanks for attending
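The threat framework and risk-based alerting that the speaker describes (scan normalised events against threat indicators, turn hits into risk on the asset, raise a notable when the accumulated risk crosses a threshold, and beware of stale feeds producing false positives) sketched as a small Python model. This is an added example for this page, not Splunk Enterprise Security code and not Somerford's: the feed entries, the events, the field-to-indicator mapping, the default-account list, the risk weights and the notable threshold are all constructed for illustration, and the expiry date on each indicator is one simple way of honouring the "out-of-date threat data" caveat, not a description of how ES ages intelligence.

```python
"""Toy threat-intel match plus risk-based alerting pipeline (illustrative only).

Not Splunk ES code. All data below is constructed; the hash is just a sample value.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    kind: str       # "ip", "domain" or "file_hash"
    value: str
    source: str     # which feed supplied it
    expires: date   # indicators past this date are ignored at match time


# Constructed threat feed. The file_hash entry expired in January 2021.
THREAT_FEED = [
    Indicator("ip", "203.0.113.45", "osint_feed_a", date(2021, 8, 1)),
    Indicator("domain", "bad.example", "local_intel", date(2021, 12, 31)),
    Indicator("file_hash", "d41d8cd98f00b204e9800998ecf8427e", "osint_feed_b", date(2021, 1, 1)),
]

# Constructed, already-normalised events (field names loosely follow CIM conventions).
EVENTS = [
    {"sourcetype": "firewall", "src": "10.9.8.8", "dest": "203.0.113.45", "action": "allowed"},
    {"sourcetype": "dns", "src": "10.9.8.8", "query": "bad.example"},
    {"sourcetype": "email", "src": "10.0.0.7", "file_hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"sourcetype": "firewall", "src": "10.0.0.7", "dest": "198.51.100.9", "action": "blocked"},
    {"sourcetype": "auth", "src": "10.0.0.7", "user": "oracle", "action": "success"},
]

# Which event field is compared against which indicator kind (hypothetical mapping).
FIELD_KINDS = {"dest": "ip", "query": "domain", "file_hash": "file_hash"}

# Hypothetical risk weights per finding kind and the notable threshold.
RISK_WEIGHTS = {"ip": 40, "domain": 30, "file_hash": 60, "default_account": 20}
DEFAULT_ACCOUNTS = {"root", "administrator", "guest", "oracle"}
NOTABLE_THRESHOLD = 60


def active_indicators(feed, today):
    """Index the feed by (kind, value), dropping anything past its expiry date."""
    return {(i.kind, i.value): i for i in feed if i.expires >= today}


def match_threats(events, feed, today):
    """One finding per event field that hits an active indicator (the 'threat activity')."""
    index = active_indicators(feed, today)
    findings = []
    for ev in events:
        for field, kind in FIELD_KINDS.items():
            hit = index.get((kind, ev.get(field)))
            if hit is not None:
                findings.append({"asset": ev["src"], "kind": kind,
                                 "value": hit.value, "source": hit.source})
    return findings


def default_account_findings(events):
    """Successful logons by shared/default accounts also contribute risk."""
    return [{"asset": ev["src"], "kind": "default_account",
             "value": ev["user"], "source": "auth"}
            for ev in events
            if ev.get("sourcetype") == "auth" and ev.get("user") in DEFAULT_ACCOUNTS]


def risk_scores(findings):
    """Accumulate risk per asset from every finding attributed to it."""
    scores = defaultdict(int)
    for f in findings:
        scores[f["asset"]] += RISK_WEIGHTS[f["kind"]]
    return dict(scores)


def risk_notables(events, feed, today, threshold=NOTABLE_THRESHOLD):
    """Assets whose accumulated risk reaches the threshold, i.e. the risk notables."""
    findings = match_threats(events, feed, today) + default_account_findings(events)
    scores = risk_scores(findings)
    return sorted(asset for asset, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    today = date(2021, 7, 8)
    for f in match_threats(EVENTS, THREAT_FEED, today):
        print("threat activity:", f)
    print("risk:", risk_scores(match_threats(EVENTS, THREAT_FEED, today)
                               + default_account_findings(EVENTS)))
    print("notables:", risk_notables(EVENTS, THREAT_FEED, today))
```

Run as of July 2021, only the IP and domain hits count, so 10.9.8.8 accumulates 70 and becomes a risk notable while 10.0.0.7 (expired hash plus a default-account logon) stays at 20. Run the same data with an earlier "today" and the hash indicator is still active, so 10.0.0.7 also crosses the threshold: the difference is exactly the extra notable that a stale feed would have produced.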
Info
Channel: Somerford Associates
Views: 3,332
Keywords: What is Splunk, What is Splunk Cloud, Splunk Introduction, Splunk Intro, Splunk Video, Splunk Demo, Splunk Cloud Demo, Splunk Cloud Introduction, Splunk MLTK, Splunk App, Splunk ITSI, Splunk, Splunk Enterprise, Splunk Data, Splunk AWS, Splunk ES, Splunk Enterprise Security, Splunk Phantom, Somerford, Splunk Partner, Splunk UK, Splunk Observability, Infrastructure Monitoring, APM, Splunk UBA, Observability, Splunk Security, Security, Cloud Security, Splunk for Security
Id: 6XmiLxKvg6k
Length: 50min 28sec (3028 seconds)
Published: Thu Jul 08 2021