Splunk, SIEMs, and Big Data - The Undercroft - November 2019

Published on June 26, 2020

Author: JonathanSinger5

Source: slideshare.net

Content

2. Splunk, SIEMs, and Big Data ● Presented By: Jonathan Singer

3. Agenda ● Whoami ● Introductory notes ● History and background on logging ● The need for SIEMs ● Concepts of Big Data ● Splunk ● Architecture ● Basics

4. ~ # whoami Jonathan Singer ● GuidePoint Security ● Splunk Practice Lead ● Education ○ BS Information Technology | UCF ○ MS Cybersecurity - Information Assurance | USF ● Current Projects ○ OWASP Tampa Co-Lead, BSides Orlando Board, CigarCitySec Co-Founder, DEF CON Goon ● Past Projects ○ ISSA Tampa Board, OWASP Orlando Board, [email protected] Founder, US Cyber Patriots Mentor

5. First things first...

6. Splunk is not a SIEM* ○ *by default, out of the box

8. Isolated Logs by System

9. The Syslog Protocol ● Designed in the 1980s ○ Yes, before some of you were born ● Originally written for sendmail ● Adopted by other applications ● Has since become the standard on *nix ● A de facto standard for many years, with no written specification ● Observed behaviour documented in RFC 3164 (2001) ● Standardized in RFC 5424 (2009)
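As an added example (not part of the slides), here is a parser for the two syslog grammars named above: the legacy BSD format of RFC 3164 and the structured format of RFC 5424. The sample lines are constructed (two are modeled on the examples in the RFCs themselves); the default year and the UTC assumption applied to BSD timestamps are assumptions, because that format carries neither a year nor a time zone.

```python
"""Parse syslog lines in the RFC 3164 (BSD) and RFC 5424 formats.

Added example, not code from the slides. Sample lines are constructed.
"""
import re
from datetime import datetime, timezone

# PRI = facility * 8 + severity, shared by both RFCs (max value 191).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME [TAG[pid]:] MSG   (no year, no time zone)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?)?"
    r"(?P<msg>.*)$")

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# "-" marks an absent field; a ']' inside a structured-data value is escaped as '\]'.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?: (?P<msg>.*))?$")
SD_ELEMENT = re.compile(r"\[((?:[^\]\\]|\\.)*)\]")
SD_PARAM = re.compile(r'([^\s=]+)="((?:[^"\\]|\\.)*)"')


def decode_pri(pri):
    """Split the <PRI> value into (facility, severity) names."""
    pri = int(pri)
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range (max 191)")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_structured_data(sd):
    """'[id k="v" ...][id2 ...]' -> {id: {k: v}}; '-' means no structured data."""
    out = {}
    if sd == "-":
        return out
    for element in SD_ELEMENT.findall(sd):
        sd_id, _, params = element.partition(" ")
        out[sd_id] = {k: v.replace('\\"', '"') for k, v in SD_PARAM.findall(params)}
    return out


def parse_syslog(line, default_year=2019):
    """Return a dict for one syslog line; unknown formats are kept raw, not dropped."""
    m = RFC5424.match(line)
    if m:
        facility, severity = decode_pri(m["pri"])
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return {"format": "rfc5424", "facility": facility, "severity": severity,
                "timestamp": ts, "host": m["host"],
                "app": None if m["app"] == "-" else m["app"],
                "pid": None if m["pid"] == "-" else m["pid"],
                "msgid": None if m["msgid"] == "-" else m["msgid"],
                "sd": parse_structured_data(m["sd"]), "msg": m["msg"] or ""}
    m = RFC3164.match(line)
    if m:
        facility, severity = decode_pri(m["pri"])
        # BSD timestamps have no year and no zone: the collector must supply both
        # (assumed here: the year of the talk, and UTC).
        ts = datetime.strptime(f"{default_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"format": "rfc3164", "facility": facility, "severity": severity,
                "timestamp": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "tag": m["tag"], "pid": m["pid"], "msg": m["msg"]}
    # Neither grammar matched (a chatty appliance, a broken relay): keep the raw
    # text so nothing is silently lost; a collector that drops it keeps no evidence.
    return {"format": "raw", "msg": line}


# Constructed sample input: two lines modeled on the RFCs' own examples,
# one sshd failure as a Linux host would emit it, and one non-syslog line.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    "An application event log entry...",
    "<13>Nov 14 09:05:01 fw01 sshd[2241]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51122 ssh2",
    "this line is not syslog at all",
]


def parse_all(lines=SAMPLE_LINES):
    return [parse_syslog(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        print(event["format"], event.get("host", "-"), event["msg"][:40])
```

Two details matter for a collector: the PRI decode is what lets a central server route `auth`/`authpriv` events separately from everything else, and the raw fallback is deliberate, since a line that fails to parse is still evidence.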

10. Data Flow

11. Centralized Logging ● Collect logs from each system and bring them to one central location ● Store them for the long term and save space on the source host ● Easier than going to each box to collect logs ● Quickly search logs from different systems for a value ● Identify user or IP activity across the environment

12. Pitfalls to watch for ● Filling up the disk on the syslog server ● UDP transport has no handshake (unlike TCP), so dropped messages are lost silently ● Network congestion ● Poor configuration leads to poor performance ● Not doing anything with the information

13. Tail log files

14. Tail logs in the browser

15. Security Information and Event Management (SIEM) ● Centralized logging with a security twist! ● Real-time analysis of security alerts generated by applications, systems and network hardware ● Term originally coined by Gartner in 2005

16. Features ● Event searching ● Reporting (great for business folks) ● Dashboards and pretty graphs ● Correlation across multiple different data sources ● Log retention and cycling ● Alerts and notifications ● Device monitoring ● Meets compliance?

17. Reasons for investing in a SIEM ● Compliance told you so ○ SOX (audit) ○ FISMA ○ PCI DSS ○ HIPAA ○ FERPA ○ ISO 27001 ● Operating a Security Operations Center ● Single pane of glass to monitor and alert on security events ○ Bouncing between too many tools ● You actually care about security?

18. Software ain't cheap
Free and open-source ● ELK Stack (Elasticsearch, Logstash, Kibana) ● Syslog variations (syslog-ng and rsyslog) ● Kiwi Syslog Server ● Splunk Free ○ None of these are really SIEMs on their own
Commercial ● ArcSight ● Exabeam ● LogRhythm ● McAfee Nitro ● QRadar ● Splunk Enterprise Security ● Many more!

19. Data Retention Policy ● What rules and regulations must you abide by? ● PCI DSS 10.7 - Retain audit trail history for at least one year, with at least three months immediately available for analysis ● ISO 27001 Annex A.12.4 - Event logs recording user activities, exceptions, faults and information security events need to be produced, kept and reviewed regularly (very vague about how long)

20. Deployments & Software as a Service (SaaS)
On Premise ● Deployed on your systems ● Deployed in your virtual environments ● Deployed in your data centers ● You provide the admins, database and OS ● System-level configuration is yours
In the Cloud ● Hosted elsewhere ● Costs bundled in ● Web access only (in most cases) ● Limited staff required ● Sidesteps the trouble of building a competent team

21. Sizing Requirements ● If you run on premise, how much storage is required? ● Example: 100 GB ingested per day > 30% compression > 70 GB of disk per day ● 365 days of retention > 25,550 GB > ~26 TB of logs ● Then add RAID overhead; you need redundancy
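The sizing arithmetic above, together with the retention split that PCI DSS 10.7 (slide 19) asks for, as an added example that is not part of the slides. The 30% compression figure is the slide's: measure it on your own data, because indexed platforms store index files on top of the compressed raw data, so the real on-disk ratio differs per sourcetype. The RAID multiplier and the 90-day "online" tier are assumptions you would replace with your own design.

```python
"""Storage sizing for an on-premise log platform.

Added example, not from the slides. It follows the slide's numbers
(100 GB/day, 30% compression, 365 days) and adds the retention split that
PCI DSS 10.7 requires and the RAID overhead the slide says to account for.
"""
from dataclasses import dataclass

PCI_MIN_RETENTION_DAYS = 365   # PCI DSS 10.7: at least one year...
PCI_MIN_ONLINE_DAYS = 90       # ...with at least three months immediately available


@dataclass
class SizingPlan:
    daily_ingest_gb: float        # raw log volume arriving per day
    compression: float            # fraction saved on disk; 0.30 means 100 GB -> 70 GB
    retention_days: int           # total days kept
    online_days: int = 90         # days that must stay immediately searchable ("hot")
    raid_multiplier: float = 2.0  # raw disk per usable GB: 2.0 for RAID 10,
                                  # n/(n-2) for RAID 6 across n disks (assumed values)


def on_disk_per_day_gb(plan):
    return plan.daily_ingest_gb * (1.0 - plan.compression)


def storage_tiers_gb(plan):
    """Split usable storage into hot (immediately searchable) and cold (archived)
    tiers, then inflate by the RAID multiplier to get raw disk to purchase."""
    per_day = on_disk_per_day_gb(plan)
    hot_days = min(plan.online_days, plan.retention_days)
    hot = per_day * hot_days
    cold = per_day * (plan.retention_days - hot_days)
    usable = hot + cold
    return {"hot_gb": hot, "cold_gb": cold, "usable_gb": usable,
            "raw_disk_gb": usable * plan.raid_multiplier}


def days_of_runway(plan, usable_disk_gb):
    """How long a given amount of usable disk lasts before the server fills up
    (the first pitfall on the centralized-logging slide)."""
    return usable_disk_gb / on_disk_per_day_gb(plan)


def pci_dss_10_7_gaps(plan):
    """Return the retention requirements this plan fails; empty if it complies."""
    gaps = []
    if plan.retention_days < PCI_MIN_RETENTION_DAYS:
        gaps.append(f"retention {plan.retention_days}d < {PCI_MIN_RETENTION_DAYS}d required")
    if min(plan.online_days, plan.retention_days) < PCI_MIN_ONLINE_DAYS:
        gaps.append(f"online {plan.online_days}d < {PCI_MIN_ONLINE_DAYS}d required")
    return gaps


if __name__ == "__main__":
    plan = SizingPlan(daily_ingest_gb=100, compression=0.30, retention_days=365)
    print(storage_tiers_gb(plan))       # 25,550 GB usable; 51,100 GB raw on RAID 10
    print(days_of_runway(plan, 2000))   # a 2 TB box fills in about four weeks
    print(pci_dss_10_7_gaps(SizingPlan(100, 0.30, 180, online_days=30)))
```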

22. Big Data ● Analyze information from a large dataset ● Efficiency and speed are key ● Terabytes, if not petabytes and exabytes ● "Velocity, Volume, Variety"

23. Data Lake vs Data Warehouse
Data Lake ● Undefined purpose ● Remains raw until needed ● Often used by data scientists ● Still finding its place
Data Warehouse ● Pre-defined purpose ● Processed and ready to query ● Used by business professionals ● Strong maturity

24. Managed SIEM ● Sometimes known as a Managed Security Service Provider (MSSP) ● Hot new outsourced SOC concept ● No need for internal staff headcount ● Monitored 24/7 (by some)

26. The Data-to-Everything Platform

27. What Splunk is not ● Security Information and Event Management (SIEM) ○ We mentioned this ● Checkbox for compliance ○ We can change that ● Security tool ○ We have the power to make it so

28. What Splunk actually is ● Data analytics engine ○ Lots of data, of many different types ● Platform for custom development ○ Make it yours ● Tool to grow into a security suite, a SIEM, etc. ○ Customize it how you see fit

29. ● Splunk can do all of those things it's not ● It takes some configuration ○ Not always hard ○ Nor time consuming ● Like any other platform, it does nothing out of the box ● Where it shines is platform support ○ Vendors galore

31. Unstructured and Structured Data
Unstructured (the raw event):
08/07/2017 18:20:34.389517 (src/loggedfs.cpp:138) read 349734 bytes from proposal.doc at offset 52256 department="Marketing" department_group="Energy" customer_name="Alfonso Gutierrez" SUCCESS [3588 sshd: rblack]
Structured (the same event as fields):
Date=08/07/2017 Time=18:20:34.389517 Log_source=loggedfs.cpp Log_source_line=138 Command=read Bytes=349734 Object=proposal.doc Offset=52256 Department=Marketing Department_group=Energy Customer_name=Alfonso Gutierrez Result=SUCCESS Pid=3588 Process=sshd User=rblack

32. Metadata ● Every event received gets metadata attached ● source - the path of the file, or the network port the logs arrived on ● sourcetype - a name assigned to the type (format) of data ● host - the name of the system the logs originated from ● _time - the time of the event, taken from the log itself or, failing that, the time it first hit Splunk
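As an added example (not code from the slides, and not Splunk's own configuration), the field extraction that turns the raw event on slide 31 into the structured fields shown there, with the four metadata fields from this slide attached. The regex, the source path, the sourcetype name and the host are assumed values; the event time is parsed from the log itself and assumed to be UTC, with index time as the fallback when a line does not parse.

```python
"""Field extraction for the loggedfs event on slide 31, plus default metadata.

Added example, not Splunk's configuration; the regex, source path, sourcetype
and host are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timezone

# The raw event from the slide (straight quotes; the slide's curly quote is an
# extraction artifact).
RAW_EVENT = ('08/07/2017 18:20:34.389517 (src/loggedfs.cpp:138) read 349734 bytes from '
             'proposal.doc at offset 52256 department="Marketing" department_group="Energy" '
             'customer_name="Alfonso Gutierrez" SUCCESS [3588 sshd: rblack]')

# One regex with named groups; group names match the field names on the slide.
EVENT_RE = re.compile(
    r"^(?P<Date>\d{2}/\d{2}/\d{4}) (?P<Time>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"\((?:[^)]*/)?(?P<Log_source>[^/:)]+):(?P<Log_source_line>\d+)\) "
    r"(?P<Command>\w+) (?P<Bytes>\d+) bytes from (?P<Object>\S+) at offset (?P<Offset>\d+) "
    r'(?P<kv>(?:\w+="[^"]*" )*)'
    r"(?P<Result>[A-Z]+) \[(?P<Pid>\d+) (?P<Process>[^:]+): (?P<User>\S+)\]$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ("Log_source_line", "Bytes", "Offset", "Pid")


def extract_fields(raw):
    """Return the slide's field table as a dict, or None if the line doesn't match.
    An unmatched line is still indexed and searchable; it just has no extracted fields."""
    m = EVENT_RE.match(raw)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "kv"}
    # key="value" pairs become fields named as on the slide: department -> Department.
    for key, value in KV_RE.findall(m["kv"]):
        fields[key[0].upper() + key[1:]] = value
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


def to_event(raw, source="/var/log/loggedfs.log", sourcetype="loggedfs", host="fileserver01"):
    """Wrap the raw text with the four default metadata fields from the slide.
    source/sourcetype/host are assumed values a forwarder would normally supply."""
    fields = extract_fields(raw) or {}
    if "Date" in fields:
        # _time from the log itself; the log carries no zone, so UTC is assumed.
        ts = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %H:%M:%S.%f")
        event_time = ts.replace(tzinfo=timezone.utc).timestamp()
    else:
        event_time = datetime.now(timezone.utc).timestamp()  # fall back to index time
    return {"_raw": raw, "_time": event_time, "source": source,
            "sourcetype": sourcetype, "host": host, **fields}


if __name__ == "__main__":
    for key, value in to_event(RAW_EVENT).items():
        print(f"{key}={value!r}")
```

The check worth doing after any extraction like this is the one slide 41 calls "validate and verify": search for the field values you expect (`User=rblack`, `Result=SUCCESS`) and confirm the counts match the raw line count, because a regex that silently fails on some lines produces dashboards that look fine and are wrong.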

33. Types of Components ● Search Head - web search console where users run searches ● Indexer - stores and indexes the logs ● Universal Forwarder - lightweight agent installed on hosts to collect local logs ● Heavy Forwarder - full Splunk instance that can parse and route data before forwarding it ● Deployment Server - management console that pushes configuration to Universal Forwarders

34. Advanced components ● Cluster Master - manages an indexer cluster (replication and search factors) ● Deployer - pushes configuration to a search head cluster ● Monitoring (Management) Console - environment health monitoring ● License Master - holds the license for the environment

35. Different Architectures ● All-in-one ○ Search head and indexer combined ○ Great for smaller installs (<80 GB/day) ● Distributed ○ Multiple servers, with the roles split out

36. Distributed

37. Splunk SIEM - Enterprise Security ● Make Splunk a SIEM with this one cool trick ● Enterprise Security app ● Add-on module that adds the security use cases (correlation searches, notable events) ● Requires a separate license

38. Splunkbase ● Splunk's app store ● Also reachable from inside Splunk Web

39. A little bit of everything ● 2,122 apps and add-ons ○ As of tonight ● Retrieve data ● Parse data ● Display data

40. Splunk Apps and Technology Add-ons
Apps ● Demos ● Dashboards ● Show what is possible
Add-ons ● The secret sauce ● Behind the scenes ● Collection ● Parsing ● Extracting

41. Steps for Success 1. Get data in a. Locate the source b. Install vendor add-ons 2. Validate and verify a. Is the data correct? b. Can you perform basic searches? 3. Build dashboards and reports a. Customize Splunk to your needs 4. Deliver success to management

42. Who uses Splunk?

43. Searching 1. Search Processing Language (SPL) 2. Over 140 search commands 3. Modeled on Unix pipelines and SQL 4. Filter, modify, manipulate, enrich, insert and delete

44. Dashboards ● User interface within an app ● Contain visualizations ● A collection of searches ● Backed by XML

45. Alerts ● A saved search ● Runs in real time or on a scheduled interval ○ Think cron job ● Triggers on a user-defined condition ● Fires an action ○ Email ○ Text ○ Slack ○ You name it

46. Reports ● Another type of saved search ● Scheduled to run at regular intervals ○ And perform an action, like emailing you ● Static items on a dashboard ○ But still run on a set interval ● This is where you impress your boss
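A small model, added here and not Splunk code, of what the Searching, Alerts and Reports slides describe: a search is a pipeline of stages (the stage names mirror the SPL commands `search`, `stats` and `where`, and the time window stands in for `earliest=-15m`), a report is a saved search run on a schedule, and an alert is the same saved search with a trigger condition and an action bolted on. The events are constructed and already parsed into fields; the field names, the brute-force threshold and the fixed "now" are assumptions.

```python
"""A small model of SPL searches, alerts and reports.

Added example, not Splunk code: the stage names mirror SPL commands
(search, stats, where) to show the pipeline idea; the events are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

NOW = 1_574_000_000  # fixed "now" (epoch seconds) so time windows are reproducible

# Constructed, already-parsed auth events: 8 root failures in the last 8 minutes
# from one address, one old root failure, and a normal user's activity.
EVENTS = [
    {"_time": NOW - 60 * i, "sourcetype": "linux_secure", "action": "failure",
     "user": "root", "src_ip": "203.0.113.7"}
    for i in range(8)
] + [
    {"_time": NOW - 3 * 3600, "sourcetype": "linux_secure", "action": "failure",
     "user": "root", "src_ip": "198.51.100.9"},
    {"_time": NOW - 300, "sourcetype": "linux_secure", "action": "failure",
     "user": "rblack", "src_ip": "10.0.0.5"},
    {"_time": NOW - 120, "sourcetype": "linux_secure", "action": "success",
     "user": "rblack", "src_ip": "10.0.0.5"},
]


def search(**terms):
    """`search key=value ...`: keep events whose fields match every term."""
    return lambda events: [e for e in events if all(e.get(k) == v for k, v in terms.items())]


def time_window(seconds, now=NOW):
    """`earliest=-15m`: keep only events inside the look-back window."""
    return lambda events: [e for e in events if now - seconds <= e["_time"] <= now]


def stats_count_by(*fields):
    """`stats count by f1 f2`: one row per distinct combination of field values."""
    def stage(events):
        counts = Counter(tuple(e.get(f) for f in fields) for e in events)
        return [dict(zip(fields, key), count=n) for key, n in counts.items()]
    return stage


def where(predicate):
    """`where <expr>`: filter result rows."""
    return lambda rows: [r for r in rows if predicate(r)]


def pipe(events, *stages):
    """The `|` of SPL: each stage consumes what the previous one produced."""
    data = events
    for stage in stages:
        data = stage(data)
    return data


NOTIFICATIONS = []  # stand-in for the e-mail / Slack / pager destination


def notify(name, rows):
    NOTIFICATIONS.append((name, [r["user"] for r in rows]))


@dataclass
class SavedSearch:
    """A report is a saved search run on a schedule; an alert is the same thing
    plus a trigger condition over the results and an action to fire."""
    name: str
    stages: tuple
    trigger: Callable[[list], bool] = lambda rows: False  # reports never trigger
    actions: list = field(default_factory=list)

    def run(self, events):
        rows = pipe(events, *self.stages)
        if self.trigger(rows):
            for action in self.actions:
                action(self.name, rows)
        return rows


FAILED_LOGINS_REPORT = SavedSearch(
    name="Failed logins by user",
    stages=(search(sourcetype="linux_secure", action="failure"), stats_count_by("user")),
)

BRUTE_FORCE_ALERT = SavedSearch(
    name="More than 5 failed logins for one user in 15 minutes",
    stages=(search(sourcetype="linux_secure", action="failure"), time_window(15 * 60),
            stats_count_by("user"), where(lambda r: r["count"] > 5)),
    trigger=lambda rows: len(rows) > 0,  # "number of results > 0"
    actions=[notify],
)

if __name__ == "__main__":
    print(FAILED_LOGINS_REPORT.run(EVENTS))
    print(BRUTE_FORCE_ALERT.run(EVENTS), NOTIFICATIONS)
```

The point of the model is the separation: the pipeline is the reusable part, the schedule decides how often it runs, and only the trigger and action distinguish an alert from a report. The old root failure falls outside the 15-minute window and so counts toward the report but not the alert, which is exactly the behaviour to check when a scheduled alert and its matching report disagree.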

47. Translating Logical into Practical ● Take your idea and turn it into a Splunk query ● I want a... ○ Graph of this... ○ Report of that... ○ Alert when this...

48. Examples ● I want to know when... ○ My employees are visiting inappropriate websites ○ A workstation is calling out to a Russian website ● Show me... ○ The average shopping cart value of customers ○ The CPU load of my production systems ● Am I... ○ Meeting compliance? ○ Experiencing network bottlenecks?

49. Demo
