Enterprise Security Script: Splunk Security Solutions Marketing October 2019
Version 1.2
Demo Purpose: This Demo is designed to highlight the specific value of ES as a stand-alone solution while also
mentioning where it fits in the larger Security Operations Suite ecosystem.
System Access: To ensure correct URLs, all shared demos should be accessed through the main landing page of Splunk Oxygen, available at https://www.splunkoxygen.com, using your individual Oxygen AD credentials (separate from Splunk AD).
● Ensure you have one of the Potential Ransomware Infections loaded or create one of your own based on data present
around the time of your demo and pre-load.
● Check Key Security Indicators on Posture Page so you know what to expect (up or down for Total Infections, Risk, etc)
and can modify your talk track as-needed based on the data at time of demo.
● Go into the Use Case Library (Configure → Content → Use Case Library). Ensure Web Fraud Detection Analytic Story is
not Bookmarked.
● Type and copy the word ‘ransomware’ in the search filter on the top right so that you will have it ready to paste into the
Text Box on the top right later during the demo.
General Note:
Be familiar with the high level messaging of the new features we are highlighting while also being prepared to deliver a full
Enterprise Security Demo for customers who are new and considering ES as their SIEM Solution. The order starts with the
latest full script. Vignettes for new features that have not been built into the latest core script flow are provided to highlight new
features and are available in order of release at the bottom of the script.
Primary Enterprise Value Demo
Clickpath: Splunk Home

Running an effective Security Operations Center is difficult, and without the right tools it’s nearly impossible. One third of all breaches are detected by third parties and 97% of all breaches take place using stolen credentials, meaning that despite significant investments, organizations are still struggling to address the real-time threats that impact their business.

During this demo I’m going to show you how Splunk’s Security Operations Suite enables organizations to detect, investigate, and respond in real time to threats, attacks and other abnormal activity, and how, with Splunk’s advanced analytics, customers realize accelerated threat detection and faster incident response across their entire security ecosystem.

Let’s start with a high-level view into the health of our overall Security Posture, and then we’ll go through what the process looks like to solve a specific type of threat. In looking at my overall posture, across the top I can see Key Security Indicators, or KPIs, that tell me if we’re improving or getting worse for each KPI over time.
Clickpath: → Security Posture

These KPIs give the analyst at-a-glance information about what’s taking place throughout the entire organization. Here, for example, you see we have a decrease in our Total Infections, but our overall Aggregated Risk is increasing.
Clickpath: KPI → Scroll to show depth → Close

These selected KPIs are just a small subset of the KPIs Splunk provides out of the box across key domains like Access, Identity, Network, and Risk. So each organization, and different teams within the SOC, may select the KPIs that make the most sense based on their role to ensure their view provides the most meaningful at-a-glance update on their overall posture.
Clickpath: Top Notable Event Occurrence by Host → 10.11.36.20 (Incident Review)

By clicking on the IP address, Splunk automatically takes me to an Incident Review dashboard. The Incident Review dashboard is a key area for Security Analysts where they can begin the investigation, as well as begin escalation and remediation processes.

PUT BACK EXPANSION

CLICKPATH DISPLAY
TYPES OF NOTABLES

Clickpath: Hover UBA – Lateral Movement

Now, in looking at the list of Notable events, these Notable events may be coming from a variety of sources to provide a single comprehensive view. Beyond baseline notable events provided with Enterprise Security, like Host Sending Excessive Email, or Multiple Notable Events Associated with an Asset, I can also see events coming from User Behavior Analytics (or UBA) as well as events that start with ESCU, which stands for ES Content Updates.

I’ll talk more about the value of UBA and ESCU Notable Events in just a moment, but first I wanted to talk about how customers can also create new Notable events based on their unique environment, and, although they can be very simple, I wanted to show you how flexible Splunk is in empowering organizations to create very sophisticated, advanced Notable events when needed.
CLICKPATH DISPLAY
SEQUENCED EVENTS
Clickpath: (far left) → Down Arrow on “Phishing Attack Detected on Compromised Host”

Let’s take a closer look at this Sequenced Event. Detecting a Phishing attack requires understanding a lot more than just one individual anomaly; it involves understanding a much larger pattern of behavior. In drilling down and looking further into this Notable Event, we can see that Splunk has automatically identified consecutive anomalies that collectively indicate a Phishing Attack.
CLICKPATH DISPLAY
UBA
Clickpath: Incident Review

Let’s talk a little more about how Splunk UBA is generating notable events like the one we have here for Lateral Movement, and which we just saw also assisted in recognizing a Phishing attack. UBA uses machine learning to profile each identity and asset’s “normal” behavior, and then looks for any unusual behavior patterns across users and devices, beyond anything humans could have designed rules for. It’s really searching for the unknowns, because it’s impossible to build rules that monitor for the thousands of actions a bad actor can take in the process of getting or abusing a user credential. Once UBA has identified anomalies, it uses machine learning again to make a second pass and look for unusual patterns in the captured anomalies that indicate a High Fidelity Threat. Those threats are then automatically sent here so analysts can leverage the information in their overall analysis.
CLICKPATH DISPLAY
USE CASE LIBRARY
Clickpath: Configure → Content → Use Case Library (scroll to show depth)

With over 50 use cases, the Library helps analysts strengthen their security posture with ready-to-use content that’s relevant to them. As an example, the Use Case Library already includes pre-packaged content for detecting signs of malicious Phishing Payloads, protecting against communication to fake websites generated by the EvilGinx2 toolkit, and content to protect against the Orangeworm Attack Group, a group that frequently targets the healthcare industry.
Clickpath: Framework Mapping → DropDown Arrow → Scroll

In this case, I’m interested in Ransomware; now I could filter down by Malware, or review Use Cases based on a specific Framework such as the CIS Top 20, the Kill Chain Phases, or the MITRE ATT&CK Chain.
Clickpath: Top Far Right → enter ‘Ransomware’ to filter Use Cases → Bookmark Web Fraud Detection Use Case

I can also simply search by keyword. When I filter by Ransomware, I can see how this can help my organization investigate a variety of use cases. I’m going to bookmark Web Fraud Detection so I can revisit that use case later, as that’s another important use case for my organization.
Clickpath: Click Ransomware Analytic Story

Right now, I want to focus on the Malware Use Case associated with the Ransomware Analytic Story. Across the top I can get a wealth of information about the purpose and value, while also understanding at a glance exactly which phases of each Framework this will help address, along with the most common data sources.
Clickpath: Scroll Down → Expand and Tab Through Detection, Investigative, Contextual, and Support

If we scroll down, we can leverage the content at a more granular level, understanding every correlation, what the search looks like, how to implement it, and more. We’ve aligned everything into logical categories so you can understand how this content aids in Detection, Investigation, Context, and ongoing Support of the Ransomware Use Case.

By leveraging this content, your team can focus more of their valuable time on higher-value tasks with the confidence that Splunk is proactively doing Research and Development on an ongoing basis.

Let’s take a closer look at how just one of the Notable events generated from the Ransomware Use Case Content can be analyzed in more detail and enable investigators to quickly understand the full context to reduce their investigation and remediation time.
CLICKPATH DISPLAY
ESCU RANSOMWARE NOTABLE EVENT ANALYSIS
Clickpath: Click on Incident Review Page → fill in Common Ransomware Notes → Submit

Let’s go back to the Incident Review page, and take a look at one of the Notable events surfaced by the ES Content Update for Ransomware.

Clickpath: Expand ESCU – Ransomware Notable Event (may be on pg. 2)

Notice I can see who owns this IP, where it’s located, and a wealth of other information. I can also see on the right a number of automated actions that have already been executed. Splunk provides an Adaptive Response framework that enables issuing commands to an external system for further actioning, such as the Phantom SOAR platform. I can also see the recommended next steps.
Clickpath: To the right of Value 10.11.36.20 (Risk) → Action Dropdown

But let’s go back over here on the left, and take a look at just a few of the ways we can pivot to continue this investigation. We have a number of actions we might take. Within the context of this IP, we can pivot to dashboards in Splunk, and also off to third-party resources. If we want to see what the IDS says about this device, either as a source, destination, or both, we can do that. If we want to see what traffic has taken place or what updates have been installed or are available for this device, that’s another easy way to pivot our analysis and get a more holistic picture of the situation.

This ability to pivot across sources and across perspectives provides faster context and visibility that leads to more tickets closed, and with more accuracy. Let’s go down just one of these paths to see how this would be carried out, by going into the Asset Investigator to continue our investigation.
ASSET INVESTIGATOR
Clickpath: Source → Action → Asset Investigator (pause) → any Dark Blue Authentication Bar

From here, we’re using swimlanes to identify all of the notable events from each source that have taken place within a specific time frame, shaded based on the volume of Notable Events.

We’re tracking successful and failed authentication to and from this device, changes to configuration files, application installations, and registry changes. We’re also tracking communication to known bad actors via threat data, what attacks the IDS has identified against this device, and what malware outbreaks have occurred.

Clickpath: Select UBA Anomaly → Drag select group → Bell on right (hover) until ‘Create Notable’ appears (do not create a new Notable event)

But at a high level I can also visually find patterns in the data, such as this clustering of Notables across sources occurring after an account takeover, and simply highlight them to define a new notable event in the future.

Now that we’ve taken a look at just one of the ways we can pivot and analyze a Notable event and also define a new notable event, let’s talk about how Notable Events can be turned into specific investigations.
SECURITY DOMAIN
Clickpath: Back → Endpoint → (hover) Malware Center, (hover) Malware Operations, (hover) Update Center

Breaches begin with Endpoints. Here, under Endpoints, we can see not only Malware outbreaks, but also the operational side of security, which tracks malware operations, anti-virus code versions, and virus updates, as well as what updates are installed or available.
Clickpath: Back → Network → (hover) Intrusion Center, Security Intelligence → (hover) Risk Analysis, (hover) Protocol Intelligence, (hover) Threat Intelligence

Here, under Intrusion Center, it’s exactly what you would expect. Now, you probably have dashboards for each of these in the individual tools that feed this data. But the difference is, we can quickly pivot between them and correlate across these sources to reduce the time to remediate.

So here we’ll give you a few examples of that. Now, Splunk provides content for Risk Analysis, Protocol Intelligence, Threat Intelligence and more. But let’s focus for a moment on the fact that we know breaches require credentials, and how Splunk can help organizations find credential theft.
Clickpath: Click → User Intelligence → Access Anomalies → Hover first line over key fields (time, city, session, remote, previous, distance, speed etc.)

Here we have a haversine algorithm, which is a great way to do it. Check this out. Here, we have a user who has authenticated from this <location>, at this time, from <city>, locally. But they last authenticated at this time, from <city>, and remotely. Now, given the distance between these two locations, that user would have had to travel over 5,000 miles, which would have required a speed that even Superman probably couldn’t keep up with.
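The impossible-travel check behind the Access Anomalies view, as an added example that is not part of the Splunk script: the haversine distance between a user's previous and current authentication locations is divided by the elapsed time, and the pair is flagged when the implied speed is not physically possible. The speed threshold, the field names and the sample logons are assumptions.

```python
# Added example (not from the Splunk ES script): impossible-travel detection with the
# haversine formula over constructed authentication events. The 600 mph threshold,
# the Auth fields and the sample users/locations are assumptions for illustration.
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


@dataclass
class Auth:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float
    remote: bool  # True for a remote (VPN) session, False for a local logon


def travel_anomalies(events, max_mph=600.0):
    """Compare each authentication with the same user's previous one and flag pairs
    whose implied speed exceeds max_mph (assumed threshold, roughly airliner speed)."""
    findings = []
    last_seen = {}
    for cur in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(cur.user)
        if prev is not None:
            distance = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same timestamp from different places counts as infinite speed.
            speed = distance / hours if hours > 0 else (math.inf if distance > 0 else 0.0)
            if speed > max_mph:
                findings.append({
                    "user": cur.user, "previous": prev.city, "city": cur.city,
                    "remote": cur.remote, "distance_miles": round(distance),
                    "speed_mph": round(speed),
                })
        last_seen[cur.user] = cur
    return findings


# Constructed sample: jdoe logs on remotely from London, then locally from
# San Francisco two hours later; asmith moves between New York and Boston.
SAMPLE_EVENTS = [
    Auth("jdoe", datetime(2019, 10, 1, 9, 0, tzinfo=timezone.utc), "London", 51.5074, -0.1278, True),
    Auth("jdoe", datetime(2019, 10, 1, 11, 0, tzinfo=timezone.utc), "San Francisco", 37.7749, -122.4194, False),
    Auth("asmith", datetime(2019, 10, 1, 8, 0, tzinfo=timezone.utc), "New York", 40.7128, -74.0060, False),
    Auth("asmith", datetime(2019, 10, 1, 13, 0, tzinfo=timezone.utc), "Boston", 42.3601, -71.0589, False),
]

if __name__ == "__main__":
    for finding in travel_anomalies(SAMPLE_EVENTS):
        print(finding)
```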
Let’s take a look at another part of our proactive security intelligence...

Clickpath: Security Intelligence → Web Intelligence → New Domain Analysis → Click on First Domain Listed

Here we can see a list of recently generated domains. So how would you feel about a domain that has only existed for 1 day, with a lot of visits, and a pretty unusual site name that doesn’t really reflect any sort of business or reasonable name that we can think of?

Let’s click on that first Domain name, which automatically takes us into a Web Search Page. From here, we can see that all of the activity has been POSTs, with a Status 200, and we can also see the source machines that are possibly reaching out to this host even without the users’ knowledge.
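An added example, not from the original script or Splunk's own New Domain Analysis content, applying the same idea to constructed proxy records: a domain that was first seen very recently, already has many visits, and carries a name that looks like no real business is surfaced together with its POST/200 share and the source machines reaching it. The record format, the first-seen baseline and the thresholds are assumptions.

```python
# Added example (not from the Splunk ES script): New Domain Analysis over constructed
# proxy records. Flags domains that are newly seen, heavily visited and oddly named,
# then reports POST/200 share and source machines. Format and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy records: timestamp, source machine, HTTP method, domain, status.
PROXY_LOG = """\
2019-10-01T08:00:00Z wks-01 GET www.example-corp.com 200
2019-10-01T08:05:00Z wks-01 GET www.example-corp.com 200
2019-10-01T09:00:00Z wks-02 POST qx7k2pz9wd.com 200
2019-10-01T09:01:00Z wks-02 POST qx7k2pz9wd.com 200
2019-10-01T09:02:00Z wks-05 POST qx7k2pz9wd.com 200
2019-10-01T09:03:00Z wks-02 POST qx7k2pz9wd.com 200
2019-10-01T09:04:00Z wks-07 POST qx7k2pz9wd.com 200
"""

# Constructed baseline of when each domain was first seen in our traffic.
FIRST_SEEN = {
    "www.example-corp.com": datetime(2017, 3, 12, tzinfo=timezone.utc),
    "qx7k2pz9wd.com": datetime(2019, 9, 30, 18, 0, tzinfo=timezone.utc),
}
NOW = datetime(2019, 10, 1, 10, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the whitespace-separated constructed records into dicts."""
    records = []
    for line in text.splitlines():
        ts, src, method, domain, status = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "src": src, "method": method, "domain": domain, "status": int(status)})
    return records


def registrable_label(domain):
    """Second-level label, e.g. 'qx7k2pz9wd' for 'qx7k2pz9wd.com' (assumes one-part TLDs)."""
    return domain.split(".")[-2]


def looks_unusual(label):
    """Assumed heuristic for a name that reflects no real word: almost no vowels or many digits."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in "aeiou")
    digits = sum(1 for c in label if c.isdigit())
    vowel_ratio = vowels / len(letters) if letters else 0.0
    return vowel_ratio < 0.2 or digits / len(label) > 0.25


def new_domain_analysis(records, first_seen, now, max_age_days=1.0, min_visits=5):
    """Flag domains first seen within max_age_days that already have min_visits or more
    requests and an unusual-looking name; unknown domains count as brand new."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)
    findings = []
    for domain, recs in by_domain.items():
        age_days = (now - first_seen.get(domain, now)).total_seconds() / 86400
        if age_days > max_age_days or len(recs) < min_visits:
            continue
        if not looks_unusual(registrable_label(domain)):
            continue
        posts_200 = sum(1 for r in recs if r["method"] == "POST" and r["status"] == 200)
        findings.append({"domain": domain, "age_days": round(age_days, 2), "visits": len(recs),
                         "post_200_fraction": posts_200 / len(recs),
                         "sources": sorted({r["src"] for r in recs})})
    return sorted(findings, key=lambda f: -f["visits"])
```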
So now that we’ve taken a look at just a few of the powerful ways an analyst can investigate a specific asset, and some of the out-of-box views that provide critical visibility and proactive protection to make Security Operations significantly easier, let’s take a look at specifically how easy it is to create and manage an investigation in Splunk.
CLICKPATH DISPLAY
CREATE/REVIEW INVESTIGATION
Clickpath: This launches Workbench → go to Timelines → bottom left → +/- to Zoom as needed

I’m going to start by looking at all of the Notables I’ve selected on a timeline so I can see the full scope of events associated with this investigation. I can see the Ransomware web traffic to a dynamic DNS host, a rare process that’s kicked off, followed by Lateral Movement from the same host... essentially the entire Kill Chain.

Clickpath: → Workbench → Assets → 10.11.36.20 → Explore → Go through Tabs → Network Data → Custom: Traffic Analysis → Custom: Threat Match →

Let’s explore more about this specific asset. Within Network data I see emails from a potentially malicious external user to this destination. If I continue my review in Traffic Analysis, I see spikes of allowed activity, and looking further at my threat intelligence, I see communication with a known bad actor. I think it’s safe to say this system has certainly been compromised.
CLOSE/VALUE
Phantom Vignette:
Steps Prior in Phantom:
Ensure you have Phantom open on a separate Tab. Go to Phantom → Playbooks and load the Ransomware Playbook. On
the notice of missing assets select the X on the far top right of the Pop Up.
PHANTOM
The Playbook works with apps that provide the integrations between
Phantom and the other security technologies in your environment. Each
App is designed to enable Phantom to authenticate and take action on
these other technologies or services leveraging their APIs.
automation, enabling me to see the real dollars saved across all of the
orchestration and automation being provided.
Auditing/Legal Vignette:
close/ok
Steps Prior to Demo Focused on New 6.0 Features:
● It is recommended you open multiple browser tabs to ease navigation of the new features during the demo; however, the clickpath is also provided in case needed.
● Asset & Identity Management Page (ES Home → Configure → Data Enrichment → Asset & Identity Management)
● ES Content Management Page (https://sec-keynote-es-01.splunkoxygen.com:8000/en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management; look for in portal but can’t validate at time of publishing)
● Machine Learning Audit Page (ES Navigation Bar → Audit → Machine Learning Audit)
● Machine Learning Toolkit Page (App → Machine Learning Toolkit → Nav Bar)
6.0 Feature Vignettes
Clickpath: ES Home → Configure → Data Enrichment → Asset & Identity Management

The Assets & Identities framework in ES provides analysts the ability to enrich their security data with specific pieces of contextual information. Historically, this has been a fixed set of fields that are shipped as a set of out-of-box lookups. With ES 6.0, we expanded that capability to not only improve the scalability and predictability, but, of greatest value, we’ve made the Framework extensible to provide customers more flexibility and control.

Clickpath: → bcmotors_charge_station or → is_cloud_asset

For demo purposes, we’ve added a few fields to give you an idea of how you can extend the Framework to meet your specific needs.
Clickpath: → Cancel → Identity Settings

When you add fields to the lookup in ES 6.0, you can now also specify if you want this field to be multivalue, as well as apply tags, which are additional values you may want to leverage as you’re looking up the key fields. These tags are specific to the Framework so that they don’t overlap or create confusion if users are using traditional Tags on searchable fields in Enterprise Security.

Clickpath: → Search Preview

This page provides an overview of the searches that are used by the backend merge process. These searches run automatically whenever the feeder lookups from the Asset/Identity Lookup Configuration are updated. One of the added benefits is that you can leverage these searches to experiment with the merge process, or for troubleshooting if needed.
Clickpath: → Data Onboarding → Cancel

With ES 6.0, we have started to build "wizards" for onboarding widely-used sources of Asset & Identity data. In this case, we are integrating with the "Splunk Supporting Add-on for Active Directory", which is installed on this demo ES search head. This wizard is intended to provide a more straightforward way to build search-driven lookups, in which you can create the lookup definition as well as the SPL that drives the lookup from a single set of modals, on a single page.

Clickpath: Asset Lookup Configuration Tab → ldapperdan_asset row → Cancel

As an example, if we look at this model, this lookup was created via the previous "Create LDAP Configuration" button, and now allows us to easily plug this into our A&I framework.
6.0 MLTK Integration Vignette:
distribution types: normal, exponential or gaussian. And you can change that distribution type in the future if your needs change.
Clickpath: ES Navigation Bar → Audit → Machine Learning Audit → scroll for Extreme Search content deployed → List of Model Generating Searches → Job Manager

With 6.0, you’ll also be able to easily do a quick review of the use of both MLTK and Extreme Search in the context of your deployment. So here we can see the overall number of MLTK errors seen in the environment, the number of saved searches that leverage various MLTK algorithms, as well as Extreme Search content that's been deployed.
If you click the "List of Model Generating Searches", this will take
you to the Splunk Job Manager page, where you can view the
various statuses of your model gen searches, including the search
job details.
Managing ML Models
Clickpath: App → Machine Learning Toolkit → Nav Bar

This shows all the various models that are in use within your Splunk ES deployment, inclusive of the sample models that ship with MLTK, or other models that have been created. Model files are stored as "lookup" files, in order to assist with replication for use in "streaming apply" of models.
*Extra Note*
For customers that have custom Extreme Search (XS) content,
Splunk will be supporting XS for the next year (through October
2020). We will be providing documentation on how to migrate XS
content to MLTK, however, if customers wish to leverage their
existing XS investment, and preserve the models/context files,
they can purchase "Extreme Vigilance" and "Extreme Rules" from
Scianta Analytics, which allows them to convert and migrate their
XS content.
Clickpath: Audit → Investigation Audit

We are constantly gathering feedback and input from our customers. One of our new added enhancements came directly from that feedback, in the form of an Overview Page for ES Investigations. We’ve found that most customers want to build and customize their own dashboards to fit their specific needs, based on out-of-box examples. So with this release, we also provide better visibility into investigations by providing a custom REST endpoint and some example dashboards to help build some basic metrics, so customers can leverage the out-of-box examples and build their own simply using the | rest command. With the new "Investigations" feature, they can do this simply via the "| rest" command.