
Defend Against Malicious Insiders Using Splunk Enterprise Security, Splunk’s Machine Learning Toolkit, and Statistics

Jason Barnette & Bryan Thiry
Lockheed Martin
© 2019 Lockheed Martin Corporation. All rights reserved. © 2019 SPLUNK INC.

Jason Barnette, LM-CIRT Insider Threat Lead | Lockheed Martin
Bryan Thiry, LM-CIRT Insider Threat Analyst Sr. | Lockheed Martin

Forward-Looking Statements

During the course of this presentation, we may make forward‐looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward‐looking statements made herein.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk
Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States
and other countries. All other brand names, product names, or trademarks belong to their
respective owners. © 2019 Splunk Inc. All rights reserved.

Agenda

▶ Foundational Elements
▶ The Problem
▶ Recipe For Success
▶ Where We Started
▶ Risk Score Framework
▶ Our Path Forward

Foundational Elements

▶ Population: 105k
▶ Countries: > 70
▶ SIEM: Splunk>
▶ Data Ingest Per Day: 12TB

“The goal isn't to react well, or even to track well, it's to anticipate, to see these things coming and step in before the disaster occurs and mitigate it”

Chris Inglis: Former Deputy Director of the NSA



The Problem

Challenge: Finding Known Bad

▶ Suspicious Behavior
▶ Witting Targets
▶ Data Exfiltration
▶ Coercion
▶ Workplace Violence / Suicide
▶ Data Destruction

Recipe For Success

▶ FOUNDATIONS
• Centralization (SIEM)
• Normalization (CIM)
• Baselining
▶ BASIC SEARCH FUNCTIONS
• Atomic Indicators
• Correlation Searches
▶ DATA PROCESSING
• Data Model Acceleration
• Summary Indexes
▶ MACHINE LEARNING
• Histogram
• Categorical
• Probability Density
• Clustering
▶ MISSION RISK ASSESSMENT
• Categories
• Weighting
• Escalation Review
• Trending Analysis

Where We Started: Pre-Baselining

▶ Attempt to run basic stats on the full index
• Slow Searching
• Unable to do categorical outlier scoring
• Inefficient resource utilization
• Limited testing datasets

1 Hour Simple Stats Search: ~45 Seconds



Where We Started: Post-Baselining

▶ Preprocess, Condense, and Score
• Higher fidelity results
• Minimal resource utilization
• Greater search complexity

1 Year Search: ~81 Seconds



Where We Started: MLTK

▶ Anomaly Detection
• Detecting outliers with ‘anomalydetection’
• Continuous updating of baselines
• Usage of simple statistics
  • Standard Deviation
  • Zscore

Identify Unusual Server Processes



MLTK Models: Probability Density (Peer Grouping)

Current State: Risk Score Framework

▶ Category Identification
▶ Category & Indicator Weighting
▶ Aggregation of Data
▶ Escalation Process & Review
▶ Trending Analysis

Aligned to Mission Risk Assessment



CURRENT STATE: CATEGORY IDENTIFICATION & WEIGHTING

• Negative Behavior (Example: Unapproved Software Usage): [1 – 10] x1
• Data Exfil (Example: Removable Media File Transfers): [1 – 10] x2
• Suspicious Comms (Example: Foreign Research Communications): [1 – 10] x2
• Foreign Travel (Example: Unreported Travel): [1 – 10] x2
• Behavior Anomalies (Example: Unusual Data Transfer Volume): [1 – 10] x3
• High Risk (Example: Elevated Access): [1 – 10] x3

CURRENT STATE: SCORING MODEL

Output: Risk Score 74

Multiplier (per category)

Categories, with the detection score feeding each one:
• Negative Behavior: 2
• Data Exfil: 9
• Suspicious Comms: 3
• Foreign Travel: 0
• Behavior Anomalies: 10
• High Risk: 6

Detections

Analytics: Atomic Indicators, Correlation, Anomaly Detection, Baselines

Collection: Raw Index, Datamodel, Summary Index
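The arithmetic behind the Risk Score of 74 on the scoring-model slide, as an added Python example (not code from the presentation or from Lockheed Martin): each category's detection score is multiplied by the category weight from the weighting slide and the products are summed. The `category_score` helper, which reduces several detections in one category to a single score, is an assumption; the deck does not say how that step is done.

```python
# Added example: weighted-sum risk score as shown on the slides.
# Multipliers are the x1/x2/x3 weights from the weighting slide.
CATEGORY_MULTIPLIERS = {
    "Negative Behavior": 1,
    "Data Exfil": 2,
    "Suspicious Comms": 2,
    "Foreign Travel": 2,
    "Behavior Anomalies": 3,
    "High Risk": 3,
}


def category_score(detection_scores):
    """Collapse the detections of one category to a single 0-10 score.
    ASSUMPTION: take the highest detection score and cap it at 10; the
    deck does not state how this step is done."""
    return min(10, max(detection_scores, default=0))


def risk_score(category_scores, multipliers=CATEGORY_MULTIPLIERS):
    """Return (total, per-category contribution) for one user.
    A score outside 0-10 is a data error and is rejected rather than
    silently inflating the total."""
    total = 0
    contributions = {}
    for cat, mult in multipliers.items():
        score = category_scores.get(cat, 0)
        if not 0 <= score <= 10:
            raise ValueError(f"{cat}: score {score} outside 0-10")
        contributions[cat] = score * mult
        total += score * mult
    return total, contributions


# Constructed user with the six category scores shown on the slide.
SLIDE_USER = {
    "Negative Behavior": 2, "Data Exfil": 9, "Suspicious Comms": 3,
    "Foreign Travel": 0, "Behavior Anomalies": 10, "High Risk": 6,
}

if __name__ == "__main__":
    total, parts = risk_score(SLIDE_USER)
    # The per-category breakdown is what the dashboard's
    # "Score Contribution" column shows for the in-depth user review.
    for cat, contribution in sorted(parts.items(), key=lambda kv: -kv[1]):
        print(f"{cat:20s} {contribution:3d}")
    print("Risk Score:", total)  # 74
```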

RISK FRAMEWORK – IN-DEPTH REVIEW

(Diagram: components marked with the legend letters below, arranged in four stages, feeding a Risk Score Index.)

Stages: Data Preparation | Detections | Aggregation | Analyst Review

Legend: A - Alert, R - Report, L - Lookup, S - Summary, D - Dashboard, M - ML Routine

Risk Score Framework: Detection (Sensitive email volume sent externally)

Risk Score Framework: Aggregation

Risk Score Framework: Dashboard

▶ High Level Statistics
• Highest Daily Risk Score
• Daily Average
▶ Top 10 Risk Scores
▶ Top 10 User Info
• Drilldown: Further Information

Risk Score Framework: Dashboard

▶ In-depth User Review
• Detection Name
• Weight
• Reason
• Category
• Score Contribution
▶ Trending Analysis
▶ Average Score
▶ Max Score

RISK FRAMEWORK – ESCALATION PROCESS & REVIEW

▶ Top 10 Risk Scores
▶ Initial Vetting
▶ Forward Security Partner
▶ Security Partner Review
▶ Update / Calibrate

OUR PATH FORWARD

• Continuous Indicator Advancement
• Risk Score Value Normalization
• Process Refinement
• Enterprise Security Investigations
• Splunk UBA
• Feedback from Community



QUESTIONS?

EXAMPLE SEARCHES

HISTOGRAM EXAMPLE [CATEGORICAL OUTLIER]

• Identify unusual parent/child processes on process creation
• Utilize Enterprise Security on detection
• Set urgency
• Retrieve raw 4688 event for the ES Incident Review
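The histogram approach from the slide above, as an added Python example rather than the authors' SPL: the baseline histogram counts each parent/child process pair from 4688 process-creation events, and a new event is flagged when its pair is rare or unseen in that baseline, with an urgency that Enterprise Security could carry on the notable. The sample events and both thresholds are constructed for this example, not values from the deck.

```python
from collections import Counter

# Constructed baseline of 4688-style process-creation records, reduced to
# (parent_process, new_process) pairs; not real data.
BASELINE = (
    [("explorer.exe", "chrome.exe")] * 300
    + [("explorer.exe", "outlook.exe")] * 150
    + [("services.exe", "svchost.exe")] * 500
    + [("explorer.exe", "cmd.exe")] * 20
)


def build_histogram(events):
    """Histogram of parent/child pairs plus per-parent totals, the
    equivalent of a `stats count by parent, child` baseline search."""
    pairs = Counter(events)
    parents = Counter(parent for parent, _ in events)
    return pairs, parents


def categorical_outliers(events, histogram, min_count=5, max_share=0.01):
    """Flag pairs that are rare in the baseline histogram. A pair is
    unusual when it was seen fewer than min_count times, or when it makes
    up less than max_share of everything that parent has spawned.
    Both thresholds are assumptions for this example."""
    pairs, parents = histogram
    flagged = []
    for parent, child in events:
        n = pairs.get((parent, child), 0)
        share = n / parents[parent] if parents.get(parent) else 0.0
        if n < min_count or share < max_share:
            flagged.append({
                "parent": parent, "child": child,
                "baseline_count": n, "share": round(share, 4),
                # urgency for the notable: never-seen pairs rank highest
                "urgency": "high" if n == 0 else "medium",
            })
    return flagged


# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("explorer.exe", "chrome.exe"),     # common pair, not flagged
    ("winword.exe", "powershell.exe"),  # parent never seen in baseline
    ("explorer.exe", "cmd.exe"),        # 20 of 470 explorer children, kept
]

if __name__ == "__main__":
    for hit in categorical_outliers(NEW_EVENTS, build_histogram(BASELINE)):
        print(hit)
```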



STREAM STATS & STD. DEVIATION [NUMERICAL OUTLIER]
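The streamstats-plus-standard-deviation idea behind this example search and the earlier MLTK slide (z-score on a continuously updated baseline), as an added Python example rather than the authors' SPL: each user's baseline is the mean and standard deviation of their previous values, the baseline moves forward as every new value arrives, and a value is flagged when its z-score exceeds a threshold. The window size, threshold and daily byte counts are constructed assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev


def zscore_outliers(events, window=7, threshold=3.0, min_history=5):
    """Streamstats-style numerical outlier check.
    events: (user, day, value) tuples in time order.
    The baseline for each event is that user's previous `window` values
    (the event itself excluded, so a spike cannot hide inside its own
    baseline); the event is flagged when it lies more than `threshold`
    standard deviations from the baseline mean. No verdict is given until
    `min_history` values exist, mirroring a warm-up period."""
    history = defaultdict(lambda: deque(maxlen=window))
    flagged = []
    for user, day, value in events:
        hist = history[user]
        if len(hist) >= min_history:
            mu, sd = mean(hist), pstdev(hist)
            if sd > 0:
                z = (value - mu) / sd
            else:  # flat baseline: any change is unbounded, no change is 0
                z = float("inf") if value != mu else 0.0
            if abs(z) > threshold:
                flagged.append({"user": user, "day": day, "value": value,
                                "baseline_avg": round(mu, 1),
                                "z": round(z, 2)})
        hist.append(value)  # baseline is updated continuously
    return flagged


# Constructed daily outbound transfer volumes (MB) for two users.
EVENTS = (
    [("alice", d, v) for d, v in enumerate([100, 110, 95, 105, 100, 98, 102, 900])]
    + [("bob", d, v) for d, v in enumerate([50, 55, 48, 52, 50, 53])]
)

if __name__ == "__main__":
    for hit in zscore_outliers(EVENTS):
        print(hit)  # only alice's day-7 value of 900 MB is flagged
```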



CLOUD STORAGE DOWNLOAD VOLUME [RISK FRAMEWORK]




VPN USAGE ANOMALIES [RISK FRAMEWORK]




Thank You!
