Splunk UBA Setting Active Directory's Security Straight


Splunk UBA: Setting Active Directory's Security Straight
Stanislav Miskovic, PhD, Splunk UBA
September 27th, 2017, Washington, DC

Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.

Stanislav Miskovic, Principal Data Scientist, Splunk UBA (smiskovic@splunk.com)
Works on data science applications in security, privacy and traffic analysis. Ph.D. from Rice University, Houston, TX; M.Sc. from the University of Belgrade, Serbia.

Assets Under Active Directory (figure)

Windows, Linux, Mac OS, Android/iOS; Desktop, Laptop, Mobile, Servers; Databases, Email, Applications, Security; Cloud: Azure (Microsoft's Cloud), Hosted Exchange, Office 365 (Hosted Office), Cloud VMs; Partners' Active Directory.

95%*
All this is at risk! A big enigma to security products.
* Info Security: http://bit.ly/2hgUY0O

The Talk
  - Unpublished challenges in AD security: spurious attack attributions; over-represented incidents; blind spots
  - Splunk UBA: Active Directory Intelligence
  - State of your security

Root of All Evil: the chaotic world of internal micro-interactions (figure)

UserA: login success at the workstation, execute a command, go to DestServ over remote PowerShell (as admin). Along the way: process creation (4688) on the source and on DestServ, an explicit-credential logon (4648) towards the target command, IPC and SCManager interactions, and directory events at the Domain Controller.

Spurious Attack Attribution: are the documented event meanings correct?

Event 4624, "An account was successfully logged on." (LogName: Security; SourceName: Microsoft Windows security auditing; EventType 0; Type: Information; TaskCategory: Logon; OpCode: Info; RecordNumber 989284571; Keywords: Audit Success)

  ComputerName                         = the device that logged the event (the destination device)
  Subject: Security ID / Account Name / Account Domain / Logon ID
                                       = the account that reported the successful logon
  Logon Type: 3
  Impersonation Level: Impersonation
  New Logon: Security ID / Account Name / Account Domain / Logon ID / Logon GUID
                                       = the account for which the logon was performed (the destination user)
  Process Information: Process ID 0x0; Process Name -
  Network Information:
    Workstation Name                   = machine name (the source device)
    Source Network Address             = IP address of the machine from which the logon attempt was performed
    Source Port
  Detailed Authentication Information: Logon Process: Kerberos; Authentication Package: Kerberos; Transited Services: -; Package Name (NTLM only): -; Key Length: 0

Spurious Attack Attribution (figure)

Three 4624 events for one UserA action, logged on three devices:
  - at SrcComp: New Logon Account: UserA; Workstation: SrcComp; Source Address: IP(SrcComp); Authentication: NtLmSsp
  - at the Domain Controller: New Logon Account: UserA; Workstation: (blank); Source Address: IP(SrcComp)
  - at DstServ: New Logon Account: UserA; Workstation: DstServ; Authentication: Advapi

Questions the events raise: Is UserA at the Domain Controller? Is UserA coming from SrcComp or from DstServ? Does the Network Information point to the same device each time?

Over Representation Of Incidents (figure)

One remote PowerShell session by UserA from SrcComp to DstServ produces:
  - SrcComp: 4688 x1
  - Domain Controller: 4624 (domain) x5
  - DstServ: 4624 (domain) x2, 4624 (Advapi) x1, 4688 x3

Event 4624: An account was successfully logged on. Event 4688: A new process has been created.
How many logins were there? How many processes were run by the user?
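The attribution rules of the two slides above (logging host = destination, New Logon account = acting user, Workstation Name or Source Network Address = source, blank network information = local logon) and the collapsing of one action's many 4624 records into one session, worked as code. This is an added example, not Splunk UBA code; the event texts are constructed to mimic the Windows 4624 message layout, and the hosts SRCCOMP, DC01, DSTSERV and the 60-second session window are assumptions.

```python
"""Attribute and de-duplicate Windows 4624 logon events (added example)."""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z ()/]*):\s*(.*?)\s*$")
EMPTY = {"", "-", "::1", "127.0.0.1"}  # values that carry no source information


def parse_4624(message):
    """Flatten the sectioned 4624 message into a dict such as
    {'Logon Type': '3', 'New Logon.Account Name': 'UserA', ...}."""
    fields, section = {}, ""
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # free-text lines carry no field
        indent, key, value = m.groups()
        if not indent and value == "":
            section = key                 # "Subject:", "New Logon:", ...
        elif not indent:
            fields[key] = value           # top-level "Logon Type: 3"
        else:
            fields[f"{section}.{key}"] = value
    return fields


def attribute(host, fields):
    """Return (user, source, destination, kind) for one 4624 event.

    host is the ComputerName that logged the event: the destination, not
    where the user sits. Subject is the account that reported the logon
    (often a machine account), so the acting user is the New Logon account.
    Kerberos logons often leave Workstation Name blank, so fall back to the
    source address; Advapi/User32 logons with no network info are local."""
    user = fields.get("New Logon.Account Name", "")
    workstation = fields.get("Network Information.Workstation Name", "")
    src_addr = fields.get("Network Information.Source Network Address", "")
    proc = fields.get("Detailed Authentication Information.Logon Process", "")
    if workstation not in EMPTY:
        source = workstation.upper()
    elif src_addr not in EMPTY:
        source = src_addr
    else:
        source = host.upper()
    kind = "local" if source == host.upper() else (proc or "unknown")
    return user, source, host.upper(), kind


def collapse(records, window=60):
    """Merge 4624 events with the same (user, source, destination, kind) that
    fall within `window` seconds of each other into one logon session.
    records: iterable of (epoch_seconds, logging_host, message)."""
    out = defaultdict(lambda: {"raw": 0, "sessions": 0, "last": None})
    for ts, host, msg in sorted(records, key=lambda r: r[0]):
        e = out[attribute(host, parse_4624(msg))]
        e["raw"] += 1
        if e["last"] is None or ts - e["last"] > window:
            e["sessions"] += 1
        e["last"] = ts
    return {k: {"raw": v["raw"], "sessions": v["sessions"]} for k, v in out.items()}


def make_4624(subject, user, logon_type, workstation, src_addr, logon_process, package):
    """Render a constructed 4624 message body in the Windows layout."""
    return "\n".join([
        "An account was successfully logged on.",
        "Subject:",
        f"\tAccount Name:\t\t{subject}",
        "\tAccount Domain:\t\tCORP",
        f"Logon Type:\t\t\t{logon_type}",
        "New Logon:",
        f"\tAccount Name:\t\t{user}",
        "\tAccount Domain:\t\tCORP",
        "Network Information:",
        f"\tWorkstation Name:\t{workstation}",
        f"\tSource Network Address:\t{src_addr}",
        "Detailed Authentication Information:",
        f"\tLogon Process:\t\t{logon_process}",
        f"\tAuthentication Package:\t{package}",
    ])


# Constructed sample: UserA logs on at SRCCOMP and opens one remote PowerShell
# session to DSTSERV; a second, separate session to DC01 follows 13 minutes
# later. Ten records, five distinct logon sessions.
K = ("Kerberos", "Kerberos")
SAMPLE = [
    (1000, "SRCCOMP", make_4624("SRCCOMP$", "UserA", "2", "SRCCOMP", "10.0.0.5", "NtLmSsp", "NTLM")),
] + [
    (1001 + i, "DC01", make_4624("-", "UserA", "3", "", "10.0.0.5", *K)) for i in range(5)
] + [
    (1002 + i, "DSTSERV", make_4624("-", "UserA", "3", "", "10.0.0.5", *K)) for i in range(2)
] + [
    (1004, "DSTSERV", make_4624("DSTSERV$", "UserA", "3", "DSTSERV", "-", "Advapi", "Negotiate")),
    (1800, "DC01", make_4624("-", "UserA", "3", "", "10.0.0.5", *K)),
]

if __name__ == "__main__":
    for key, counts in collapse(SAMPLE).items():
        print(key, counts)
```

The window-based merge is deliberately crude: it answers "how many logins were there?" for the figure's scenario, but it does not resolve IP(SrcComp) back to a host name, so the same source appears once as SRCCOMP and once as 10.0.0.5. Any real pipeline needs an address-to-host mapping step before the grouping.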

Blind Spots: log collection only from domain controllers (figure)

UserA on SrcComp reaches DstServ. With only the Domain Controller's logs, sources disappear (Kerberos), and both sources and destinations disappear (NTLM/User32/Advapi/...).

Blind Spots: log collection from critical servers (figure: Domain Controller, UserA, SrcComp, DstServ)

Blind Spots: log collection (figure)

The Domain Controller provides only auxiliary indications: 4776: UserX, CompA (a local logon by UserX); 4776: UserY, CompA; 4768: UserY, ServB (domain).
Many things disappear: UserY's remote PowerShell from CompA to ServB, access to shares, interactions with Exchange, authentications via legacy domain trusts. Events that stay on the endpoint, such as 4624 NTLM/Advapi on CompA, are never seen at all.
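A small coverage model of the three blind-spot slides: given the events each host actually logged and the set of hosts whose logs are collected, which interactions are fully attributable, which survive only as a user/source indication from the DC, and which are blind. This is an added example, not from the deck or Splunk UBA; the events, host names, the UserX/UserY/UserZ activities and the event semantics in the comment (4776 and 4768 give user and source but no destination) are constructed assumptions that mirror the figure.

```python
"""Which user/device interactions survive a given log-collection scope? (added example)

Assumed semantics, following the deck's figure:
  4624 on host H : gives the full (user, source, H) triple
  4776 on a DC   : NTLM validation, gives (user, source workstation), no destination
  4768 on a DC   : Kerberos TGT request, gives (user, client address), no destination
"""

# Constructed sample: what happened, and what each host logged about it.
SAMPLE = [
    {"host": "DC01",   "id": 4776, "user": "UserX", "src": "COMPA",     "activity": "local logon"},
    {"host": "COMPA",  "id": 4624, "user": "UserX", "src": "COMPA",     "activity": "local logon"},
    {"host": "DC01",   "id": 4776, "user": "UserY", "src": "COMPA",     "activity": "remote PowerShell"},
    {"host": "DC01",   "id": 4768, "user": "UserY", "src": "10.0.0.7",  "activity": "remote PowerShell"},
    {"host": "SERVB",  "id": 4624, "user": "UserY", "src": "COMPA",     "activity": "remote PowerShell"},
    {"host": "SERVB",  "id": 4624, "user": "UserY", "src": "COMPA",     "activity": "share access"},
    {"host": "EXCH01", "id": 4624, "user": "UserY", "src": "COMPA",     "activity": "Exchange access"},
    {"host": "SERVB",  "id": 4624, "user": "UserZ", "src": "LEGACY-PC", "activity": "legacy trust logon"},
]
ALL_HOSTS = {e["host"] for e in SAMPLE}


def coverage(events, collected):
    """Split activities into fully attributable (a 4624 on a collected host),
    partially indicated (user and source only, from DC events) and blind,
    for the set of hosts whose logs are collected."""
    full, partial = {}, set()
    for e in events:
        if e["host"] not in collected:
            continue
        if e["id"] == 4624:
            full.setdefault(e["activity"], set()).add((e["user"], e["src"], e["host"]))
        elif e["id"] in (4768, 4776):
            partial.add((e["user"], e["src"]))
    all_activities = {e["activity"] for e in events if e["id"] == 4624}
    return {"full": full, "partial": partial, "blind": all_activities - set(full)}


if __name__ == "__main__":
    for scope in ({"DC01"}, {"DC01", "SERVB"}, ALL_HOSTS):
        c = coverage(SAMPLE, scope)
        print(sorted(scope), "full:", sorted(c["full"]), "blind:", sorted(c["blind"]))
```

With DC01 alone nothing is fully attributable: the DC knows that UserX and UserY authenticated from CompA, but not where they went. Adding ServB recovers the remote PowerShell, share and legacy-trust logons on that server, while the Exchange access and the local logon on CompA stay blind until those hosts forward logs too.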

Splunk UBA: Active Directory Intelligence

Span of Active Directory Intelligence
  - Data Ingestion / ETL (example: 30 interpretations of login events)
  - Security Intelligence: untangling spurious attributions; identifying IoC and raising alarms
  - Machine Learning: untangling over-representation and blind spots; behavioral and peer-grouping anomalies
  - UBA Lab: ground-truth infrastructure; fills the lack of public knowledge and documentation

Active Directory Intelligence – Machine Learning: countering inherent over-representation (figure: 5 raw 4624 events reduced to 3)

Active Directory Intelligence – Machine Learning: boosting confidence before threats are raised

State of Your Security

Blind Spots – What/Where Are You Logging? (figure: audit categories Scheduled tasks, Firewall, Auth, Crypto, Privileged ops, Registry, Accounts, across 2 domain controllers versus 1000 servers)

Blind Spots – "Cost" Of Logging More (figure: volume of events by category; statistics across various deployments)
  Auth: 99.5%, 20%, 55%
  Process: 0%, 15%, 14%, 11%
  Windows Firewall, Shares, AD Objects: 0%, 0%, 0%

Use Of Safe Authentication Mechanisms (statistics across various deployments)

  Mechanism                        Min [%]   Avg [%]   Max [%]
  Kerberos                                             98.2
  Non-domain
  Exchange Server Authz            0         0.8       2.6
  Access via IP addr (User32)      0         0         0.0003
  Windows Shares
  Legacy Domain Trusts

Pass-the-hash exploitation of the non-Kerberos paths is extremely easy! Windows console logins are not enough!

Use of End-of-Life Windows (figure: Domain Controllers, Citrix, SQL, Pre...)
Defenses are much weaker! Events are much poorer!

Key Takeaways
  - We know all AD's tricks!
  - Splunk UBA saves your SOC's time: device access anomalies, critical events, lateral movement, privilege escalation
  - Reach out by email or at the Pavilion booth: "Insider Threat Detection & Anomalous Behavior"

Contact: Stanislav Miskovic, PhD, smiskovic@splunk.com

Thank You. Don't forget to rate this session in the .conf2017 mobile app.

