BlackLynx Cybersecurity Integration Into Splunk


BlackLynx Cybersecurity Integration into Splunk June 25, 2019

BlackLynx Functions: Microsoft Power BI, Xilinx Alveo U200

BlackLynx Enhances, Accelerates, Optimizes Your Company's Splunk Investment
Add BlackLynx Solution as a Splunk Enterprise App

- Discover events faster: high-performance search accelerates event detection by eliminating ETL and indexing.
- More efficient triage: searching ALL the data improves visibility to answer the hard questions without raising TCO.
- Faster alert detection: Splunk 24-hour real-time monitoring with BlackLynx Search & ML/AI to identify and resolve issues faster.
- Integration with Splunk UI & automation and other 3rd-party products: integrate Splunk apps and provide other 3rd-party product interfaces (ODBC/JDBC, RESTful JSON).
- Leverage all the Splunk capabilities while adding BlackLynx performance and high-end search capabilities (fuzzy searching, regular expressions, raw PCAP, etc.) to handle the growth in machine data.

Splunk Powered by BlackLynx: Performance Examples
Benchmark comparison for Fuzzy Edit Distance and PCAP primitives.

- The DNS log (2 GB) and the PCAP files (15.6 GB) are from the U.S. National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC) dataset.
- The tre-agrep tool was co-authored by Udi Manber, one of the great names in contemporary Computer Science and author of the well-regarded textbook Introduction to Algorithms: A Creative Approach, which to this day enjoys wide use in Computer Science curricula worldwide.
- TSHARK Search is doing the filter parameter (ip.dest) on 16 files (serially). The TSHARK Decode is only the time to build the decoded files (parallel processes) and does not include any filter time.

Add BlackLynx Solution as a Splunk Enterprise App (architecture diagram)

- BlackLynx Splunk App for Alerts & Full Analytics
- Splunk: ingestion of Bro logs / machine data, PCAP, netflow, active triggers, etc.
- 10-100 Gbps network data to a Packet Capture Server; saved PCAP/JSON/CSV/XML/unstructured files
- BlackLynx Server with RAW Storage Repository; machine learning (future machine learning by fully analyzing the machine-generated data)
- 3rd-party applications using RESTful or ODBC/JDBC interfaces; location-based services

BlackLynx Proprietary
Get smarter insights—faster—to drive critical business decisions and next-generation innovation

High Speed Search Acceleration: Xilinx Alveo(TM) accelerator cards and BlackLynx software combine to supercharge search capabilities to increase data visibility for Cyber, Performance, and Compliance functions.
- Accelerate time to extract insights from data through near real-time search performance
- Add complex queries including fuzzy search, PCAP analysis, and RegEx capabilities
- Eliminate ETL/indexing for fast, varied data (XML, JSON, CSV, Unstructured, PCAP)

Image and Video Edge Analytics Acceleration: Xilinx Alveo(TM) Data Center accelerator cards and BlackLynx technology combine to maximize the potential of image and video analysis at the edge of the network.
- Maximizes performance of FPGA technology doing image/video machine learning
- Uses GPU- or CPU-trained Convolutional Neural Networks on FPGAs for inference analysis
- Achieves reliable, accurate results with a smaller, low-power solution

Example of raw PCAP Analytics
Search a PCAP file for a particular IP destination and then use a regular expression on the payload data to find social security numbers.

Data forensics command line, showing size of data set, matches, and performance:

    ryftuser@R01-0003234: ryftrest -vv -p pcap -f PCAP/MACCDC2012/*.pcap -q 'ip.dest 34.238.50.30 and (RECORD.payload CONTAINS PCRE2("[ -0-9]*\d{3}-\d{2}-\d{4}[ -0-9]*"))'
    { "Duration(sec) ": 4.8, "Total Bytes(GB) ": 15.62, "Data Rate(GB/s) ": 3.26, "Matches ": 4 }

- Over 3 GB/second performance: 4.8 seconds to process 15.6 GB of raw PCAP
- 15 GB of PCAP data thinned to 2.1 KB of PCAP data
- Web server option using the RESTful JSON API
- Programmatic interface (www.ryft.com/api), command line, web interfaces, and RESTful APIs are available

Example of raw PCAP Analytics (continued)
Search a PCAP file for a particular IP destination and then use a regular expression on the payload data to find social security numbers. Results shown in Tableau and Excel, using BlackLynx's ODBC/JDBC interfaces for commercial data analytics & visualization tools.

Sample BlackLynx Dashboard: prebuilt search commands. Forensics is now NOT LIMITED to only the fields indexed in Splunk; high-performance search capabilities are now available on raw PCAP data stored outside Splunk.

Search & Investigate. When doing incident handling, one of the things we usually need to do is get the files which were downloaded. Example: look at what files were downloaded. Determine which files have been downloaded; check the table of blacklisted sites, or use tools like Wireshark to extract the downloaded objects to see if they have been categorized as malicious.

Additional forensics: What sites have the user(s) gone to? Domain names that were visited are displayed with a Splunk visualization.

Additional forensics: What sites have the user(s) gone to that are blacklisted? These entries were found in the blacklist table: domain names that were visited are correlated with the blacklist domain names table.

Additional forensics: Show all certificate expirations. The graphic shows all certificate expirations by month.

Additional forensics: What sites have expired certificates? These certificates have expired; the graphic shows expired certificates by month.

Additional forensics: Looking for Social Security Numbers in clear text. The Social Security Number is highlighted: clear-text social security numbers from a MySQL database were found in a TCP payload.

Additional forensics: Do you see Wake-on-LAN packets? If so, what MAC addresses are they targeting, and from where? Wake-on-LAN commands are happening, targeting MACs 00:00:5e:00:53:66 and 00:00:5e:00:53:61, both from the same source MAC 08:00:27:4c:91:df.

PCAP Inspection: deep-dive search through a PCAP file using layer 1 – 4 plus payload capabilities. Construct the search query on the fly; PCAP results are returned. Cyber forensics support against the raw PCAP data stored external to Splunk, thus achieving significant cost savings given the typical size of the data.
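The PCAP workflows on the preceding slides (filter on the IP destination, then run a regular expression over the TCP payload for SSN-shaped strings; spot Wake-on-LAN magic packets and report the targeted and source MACs), as an added example that is not BlackLynx or Ryft code. It parses classic libpcap captures with the Python standard library only, builds a constructed five-frame capture inline (not MACCDC data; the 34.238.50.30 address and the two target MACs and source MAC are the values quoted on the slides, the remaining addresses are documentation ranges and checksums are left zero), and uses a word-bounded SSN pattern that is tighter than the PCRE2 expression shown above. All function names are my own.

```python
import re
import struct
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Tighter variant of the deck's SSN pattern: word-bounded ddd-dd-dddd (assumption).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
WOL_SYNC = b"\xff" * 6  # magic packet: 6 x 0xFF, then the target MAC repeated 16 times

class Packet(NamedTuple):
    src_mac: str
    dst_mac: str
    ethertype: int
    ip_src: Optional[str]
    ip_dst: Optional[str]
    proto: Optional[int]
    payload: bytes  # bytes after the deepest header we parsed (L2, L3 or L4)

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> Packet:
    """Decode Ethernet II, then IPv4, then TCP/UDP headers; leave whatever remains as payload."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack_from("!H", frame, 12)[0]
    payload, ip_src, ip_dst, proto = frame[14:], None, None, None
    if etype == 0x0800 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        ip_src = ".".join(map(str, payload[12:16]))
        ip_dst = ".".join(map(str, payload[16:20]))
        l4 = payload[ihl:]
        if proto == 6 and len(l4) >= 20:     # TCP: data offset lives in the high nibble of byte 12
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:   # UDP: fixed 8-byte header
            payload = l4[8:]
        else:
            payload = l4
    return Packet(_mac(src), _mac(dst), etype, ip_src, ip_dst, proto, payload)

def iter_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic (libpcap) capture: 24-byte global header, then 16-byte record headers."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield parse_frame(data[off:off + incl_len])
        off += incl_len

def find_clear_text_ssns(pcap: bytes, ip_dest: str) -> List[Tuple[str, str]]:
    """Layer-3 filter (destination IP) first, then the regex only over TCP payload bytes."""
    hits = []
    for p in iter_pcap(pcap):
        if p.ip_dst != ip_dest or p.proto != 6:
            continue
        hits += [(p.ip_src, m.group().decode()) for m in SSN_RE.finditer(p.payload)]
    return hits

def find_wake_on_lan(pcap: bytes) -> List[Tuple[str, str]]:
    """Return (source MAC, targeted MAC) for every magic packet, whether carried raw in
    Ethernet (EtherType 0x0842) or inside a UDP datagram."""
    found = []
    for p in iter_pcap(pcap):
        i = p.payload.find(WOL_SYNC)
        if i < 0 or len(p.payload) < i + 102:
            continue
        target = p.payload[i + 6:i + 12]
        if p.payload[i + 6:i + 102] == target * 16:
            found.append((p.src_mac, _mac(target)))
    return found

# ---- constructed sample capture (not MACCDC data); IP/TCP checksums are left zero ----
def _tcp_frame(ip_src: str, ip_dst: str, payload: bytes) -> bytes:
    eth = bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, ip_src.split("."))), bytes(map(int, ip_dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 3306, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def _wol_frame(src_mac: str, target_mac: str) -> bytes:
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x42"
    return eth + WOL_SYNC + bytes.fromhex(target_mac.replace(":", "")) * 16

def build_sample_pcap() -> bytes:
    frames = [
        _tcp_frame("10.0.0.5", "34.238.50.30", b"INSERT INTO people VALUES ('jdoe','123-45-6789')"),
        _tcp_frame("10.0.0.6", "34.238.50.30", b"SELECT 1"),
        _tcp_frame("10.0.0.7", "192.0.2.9", b"ssn=987-65-4320"),  # wrong destination: filtered out
        _wol_frame("08:00:27:4c:91:df", "00:00:5e:00:53:66"),
        _wol_frame("08:00:27:4c:91:df", "00:00:5e:00:53:61"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1561420800 + i, 0, len(f), len(f)) + f
    return out
```

Feeding build_sample_pcap() to find_clear_text_ssns(cap, "34.238.50.30") returns only the one SSN sent to that destination, and find_wake_on_lan(cap) returns the two (source MAC, target MAC) pairs; the filtering order mirrors the slide's query, where the cheap header match on ip.dest runs before the expensive payload regex. The same iter_pcap walk can be pointed at a real capture file's bytes, since the parser does not depend on the constructed frames.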

Monitoring and Alerting – combine the power of Splunk & BlackLynx search capabilities for 24-hour monitoring. Add BlackLynx-based searches into the overall monitoring strategy and turn searches into real-time alerts to monitor threshold conditions around the clock. The dashboard shows the severity of the alert and the results of the query that created it.

BlackLynx Proprietary
Customer Benefits and Investment

- Full access and search capability to all machine-generated data
- Enhanced cyber, performance, and compliance use cases
- No indexing overhead and storage costs
- Seamless transition through Splunk supported and published APIs
- Customer choices for amount of Splunk real-time indexing (cost-saving opportunity)
- Customer choice on long-term storage and use of data (cost-saving opportunity)
- Significant opportunity for mission benefits and total cost savings

BlackLynx Proprietary
Proof of Concept Recommendation

1. Load BlackLynx software onto a local server or a BlackLynx-provided server.
2. Add the BlackLynx App to the Splunk Enterprise "Test" server.
3. Point all raw data (log data, for example) onto the server with BlackLynx software.
4. Apply search capabilities via the BlackLynx App and return real-time alerts and research query results on the Splunk dashboard.
5. Validate the use cases for cyber, network performance, and compliance.
6. Assess future opportunities for machine learning applications.

Increase your data visibility while reducing your Splunk license and storage costs.

Splunk Cybersecurity June 25, 2019

