Saturday, July 30, 2016

Splunk Enterprise Security 3.0 - Out-of-the-Box Security Use Cases

Splunk Enterprise Security (ES 3.0) uses security domains to provide an overall view of the organisation's security posture. It does this by taking events from the critical log sources and assigning them to security domains, which are grouped into the high-level domains Access, Identity, Endpoint, Network and Web.

The SIEM designer/engineer has to normalise the events according to the Common Information Model (CIM) for the relevant domain. Once the events are normalised, the default dashboards can support the security team with the use cases below, while the search language and the data models allow further custom use cases to be built as required.

Access Domain
  1) To identify security incidents involving authentication attempts, such as brute-force attacks, the use of clear-text passwords, or authentications to certain systems during off-hours.
  2) To obtain an overview of accounts that are newly active or newly inactive, including accounts that have been inactive for a period of time and recently became active again.
  3) To identify accounts that incorrectly remain on the system after a user leaves the organisation. These accounts are often vulnerable to attackers.
  4) To identify suspicious accounts and look more closely at what those users have been doing.
  5) To verify that accounts are administered correctly and that administration privileges for each type of account are restricted to the correct users and roles. A sudden increase in the number of accounts created, modified or deleted can indicate a rogue system or malicious behaviour. A high number of account lockouts may indicate an attack.
  6) To verify "default accounts", that is, out-of-the-box accounts that are disabled by default on various systems, including network infrastructure devices, databases and applications. Default accounts have well-known passwords and are often not disabled properly when the system is deployed. Abnormal or deviant behaviour can indicate security threats or policy violations.
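The two steps the post describes for the Access domain, normalising raw events onto CIM Authentication fields and then running detections for brute-force and off-hours logins over them, as an added example that is not part of the original post or of Splunk ES. The sshd and Windows log lines are constructed, the sliding-window threshold and the 08:00-18:00 business hours are assumed parameters, and the field names (action, user, src, dest, app) follow the CIM Authentication model.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the original post): sshd-style and Windows-style
# lines, two raw formats that normalise to one CIM Authentication shape.
RAW_EVENTS = [
    "2016-07-30T02:13:05 srv1 sshd[911]: Accepted password for svc_backup from 10.0.0.7",
    "2016-07-30T10:00:01 srv1 sshd[912]: Failed password for alice from 10.0.0.9",
    "2016-07-30T10:00:07 srv1 sshd[913]: Failed password for alice from 10.0.0.9",
    "2016-07-30T10:00:20 dc01 EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9",
    "2016-07-30T11:30:00 dc01 EventCode=4624 Account_Name=dave Source_Network_Address=10.0.0.5",
]
SSHD = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) password for (\S+) from (\S+)")
WINLOG = re.compile(r"^(\S+) (\S+) EventCode=(4624|4625) Account_Name=(\S+) Source_Network_Address=(\S+)")

def normalise(line):
    """Map one raw line onto CIM Authentication fields: _time, action, user, src, dest, app."""
    m = SSHD.match(line)
    if m:
        ts, dest, verdict, user, src = m.groups()
        return {"_time": datetime.fromisoformat(ts), "action": "success" if verdict == "Accepted" else "failure",
                "user": user, "src": src, "dest": dest, "app": "sshd"}
    m = WINLOG.match(line)
    if m:
        ts, dest, code, user, src = m.groups()
        return {"_time": datetime.fromisoformat(ts), "action": "success" if code == "4624" else "failure",
                "user": user, "src": src, "dest": dest, "app": "win:security"}
    return None  # lines that match no known source never reach the data model

def brute_force_sources(events, threshold=3, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failures inside one sliding window, across any users/apps."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            by_src[e["src"]].append(e["_time"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(src)
                break
    return sorted(hits)

def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside business hours (08:00-18:00 is an assumed site policy)."""
    return [(e["user"], e["dest"]) for e in events
            if e["action"] == "success" and not start_hour <= e["_time"].hour < end_hour]

EVENTS = [e for e in map(normalise, RAW_EVENTS) if e]
```

Because both sources share one field set, the failures from sshd and from the Windows security log count together against the same source address, which is the point of normalising before correlating.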

Identity
  1) To review and search the asset data for objects such as hosts, IP addresses and subnets within the organisation, along with the information held about each asset.

Endpoint
  1) To obtain insight into malware events, including viruses, worms, spyware, attack tools, adware and PUPs (Potentially Unwanted Programs), as well as endpoint protection deployment.
  2) To detect spikes in overall malware activity and to track a particular infection.
  3) To identify outbreaks related to a specific type of malware or on a specific system.
  4) To track the status of the endpoint protection products that have been deployed.
  5) To monitor the overall health of systems and to identify systems that need updates or modifications to their endpoint protection software.
  6) To obtain an overview of the endpoint protection infrastructure being administered.
  7) To report on the endpoint statistics gathered by Splunk: system configuration and performance metrics for hosts, such as memory, CPU or disk usage.
  8) To validate and ensure the integrity of data by identifying hosts that are not correctly synchronising their clocks.
  9) To detect file system and registry changes. Sudden changes to the file system or registry without appropriate change management can indicate a security incident.
  10) To identify endpoints that are not being updated, and to identify which devices have a specific patch installed, for example when a problem is possibly caused by a patch and there is a need to determine exactly where that patch is deployed.

Network
  1) The Network Protection domain provides insight into the network and network-based devices, including routers, switches, firewalls and IDS devices.
  2) To aggregate and display all the traffic on the network, including overall volume, specific patterns of traffic, which devices or users are generating traffic, and per-port traffic.
  3) To show results from the vulnerability scanners on the network, and to identify the most vulnerable hosts, first-time vulnerabilities, long-term vulnerabilities and top vulnerabilities.
  4) To perform ad-hoc searches of network activity.
  5) To identify IDS-related events such as attacks or reconnaissance-related activity.
  6) To track changes to firewalls and other networking devices, in order to troubleshoot device problems such as a firewall or other device going down, or a recent configuration change on the device(s).
  7) To obtain an overview of network sessions. Network sessions are used to correlate network activity to a user, using session data provided by DHCP or VPN servers.
  8) To review the session logs and identify the user or machine associated with an IP address used during a session.
  9) To display the volume of network transport and port activity over time, and to evaluate whether port activity is trending upwards or downwards. Sudden increases in unapproved port activity may indicate a change on the networked devices, such as an infection.
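The per-port trend check described in item 9, and the "which devices are generating the traffic" question from item 2, as an added example that is not part of the original post or of Splunk ES. The events are constructed and already normalised to CIM Network_Traffic field names (src, dest, dest_port, transport, bytes); the approved-port list and the 1.5x spike factor are assumed site policy.

```python
from collections import defaultdict
from datetime import datetime
# Constructed CIM Network_Traffic-style events (not from the original post), already
# normalised: (_time, src, dest, dest_port, transport, bytes).
TRAFFIC = [
    ("2016-07-30T08:00:00", "10.0.0.5", "203.0.113.10", 443, "tcp", 120_000),
    ("2016-07-30T09:00:00", "10.0.0.5", "203.0.113.10", 443, "tcp", 130_000),
    ("2016-07-30T10:00:00", "10.0.0.5", "203.0.113.10", 443, "tcp", 125_000),
    ("2016-07-30T08:00:00", "10.0.0.9", "198.51.100.7", 6667, "tcp", 2_000),
    ("2016-07-30T09:00:00", "10.0.0.9", "198.51.100.7", 6667, "tcp", 4_000),
    ("2016-07-30T10:00:00", "10.0.0.9", "198.51.100.7", 6667, "tcp", 60_000),
    ("2016-07-30T10:00:00", "10.0.0.11", "198.51.100.7", 6667, "tcp", 55_000),
]
APPROVED_PORTS = {("tcp", 443), ("tcp", 80), ("udp", 53)}  # assumed site policy

def port_volume_by_hour(events):
    """Bucket bytes per (transport, dest_port) into hourly bins, like a timechart."""
    series = defaultdict(lambda: defaultdict(int))
    for ts, _src, _dest, port, transport, nbytes in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        series[(transport, port)][hour] += nbytes
    return series

def trend(series_for_port, factor=1.5):
    """'up', 'down' or 'flat': last hourly bin compared with the mean of the earlier bins."""
    hours = sorted(series_for_port)
    if len(hours) < 2:
        return "flat"
    earlier = [series_for_port[h] for h in hours[:-1]]
    baseline = sum(earlier) / len(earlier)
    last = series_for_port[hours[-1]]
    if last > baseline * factor:
        return "up"
    if last < baseline / factor:
        return "down"
    return "flat"

def sources_for_port(events, transport, port):
    """Bytes per source for one port, most talkative first: which devices generate it."""
    totals = defaultdict(int)
    for _ts, src, _dest, p, t, nbytes in events:
        if (t, p) == (transport, port):
            totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])

def unapproved_port_spikes(events, approved=APPROVED_PORTS):
    """Unapproved (transport, port) pairs whose latest hourly volume is trending up."""
    series = port_volume_by_hour(events)
    return sorted(k for k, s in series.items() if k not in approved and trend(s) == "up")
```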

Web
  1) To profile web events.
  2) To obtain an overview and profile of the type of content that clients are requesting, and how much bandwidth is being used by each client.
  3) To troubleshoot potential issues such as bandwidth usage or proxies that are no longer serving content to proxy clients.
  4) To identify the sources associated with the highest volume of network traffic. This is useful for identifying sources that are using an excessive amount of network traffic (for example, hosts doing file-sharing).
  5) To identify the destinations associated with the highest volume of network traffic. This is useful for identifying frequently-requested destinations that generate large amounts of network traffic (for example, YouTube or Facebook).