![© 2018 SPLUNK INC.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer
name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and
Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time:
2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My
CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text
[Priority: 2]:
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the
computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1
Status=Degradedwmi_ type=UserAccounts
All three occurring within a 24-hour period
Example Correlation – Data Loss
What Does Machine Data Look Like?](https://image.slidesharecdn.com/71500splunk-180501154503/85/What-you-will-take-away-from-this-session-33-320.jpg)
![© 2018 SPLUNK INC.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer
name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and
Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time:
2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My
CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text
[Priority: 2]:
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the
computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1
Status=Degradedwmi_ type=UserAccounts
Sources
All three occurring within a 24-hour period
Example Correlation – Data Loss
Windows
Authentication
Time Range
Intrusion
Detection
Endpoint
Security
What Does Machine Data Look Like?](https://image.slidesharecdn.com/71500splunk-180501154503/85/What-you-will-take-away-from-this-session-34-320.jpg)
![© 2018 SPLUNK INC.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer
name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and
Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time:
2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My
CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text
[Priority: 2]:
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the
computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1
Status=Degradedwmi_ type=UserAccounts
Sources
All three occurring within a 24-hour period
Example Correlation – Data Loss
Source IP
Source IP
Source IP
Data Loss
Default Admin Account
Malware Found
Windows
Authentication
Time Range
Intrusion
Detection
Endpoint
Security
What Does Machine Data Look Like?](https://image.slidesharecdn.com/71500splunk-180501154503/85/What-you-will-take-away-from-this-session-35-320.jpg)
![© 2018 SPLUNK INC.
Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer
name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and
Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time:
2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My
CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20
Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]:
[1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text
[Priority: 2]:
20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the
computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20
TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1
Status=Degradedwmi_ type=UserAccounts
Sources
All three occurring within a 24-hour period
Example Correlation – Data Loss
Source IP
Source IP
Source IP
Data Loss
Default Admin Account
Malware Found
Windows
Authentication
Time Range
Intrusion
Detection
Endpoint
Security
What Does Machine Data Look Like?](https://image.slidesharecdn.com/71500splunk-180501154503/85/What-you-will-take-away-from-this-session-36-320.jpg)
![© 2017 SPLUNK INC.
before [social] media
chatter explodes
• Inform Authority
• Inform affected
Individuals
• (Inform Public)
As an
organization
you want to
control the
story](https://image.slidesharecdn.com/71500splunk-180501154503/85/What-you-will-take-away-from-this-session-46-320.jpg)
What you will take away from this session
- 1. © 2018 SPLUNK INC.© 2018 SPLUNK INC. A Day in the Life of a Breach Greg Wiley April 2018 Name Title
- 2. © 2018 SPLUNK INC. ▶ The information in this presentation was compiled from sources believed to be reliable for informational and discussion purposes only. ▶ The information contained herein is not intended to constitute legal advice. You should consult with your own legal teams when developing programs and policies. You should not take, or refrain from taking, action based on its content. We do not guarantee the accuracy of this information and assume no liability in connection with therewith. Legal Disclaimer
- 3. © 2018 SPLUNK INC. What is the GDPR? A Day in the Life of a GDPR Breach Why Splunk? & further resources Agenda
- 4. © 2017 SPLUNK INC. Remember this?
- 5. © 2017 SPLUNK INC. Anyone been getting these?
- 6. © 2018 SPLUNK INC. GDPR Timelines ▶ The regulation is binding across all EU members states January, 2012 Commissioner Proposed reform to Data Protection regulation May, 2018 Effective Data Protection Framework comes into force (25th May, 2018) April, 2016 EU Council adopted new regulation December, 2015 EU agreement on regulation including the UK after Brexit You Are Here!
- 7. © 2018 SPLUNK INC. Key Features of GDPR Applicable to any company doing business in the European Union European Data Protection Harmonization Fines up to €20m or 4% of turnover Mandatory Privacy Impact Assessments Privacy by Design & Default 72 Hour Breach Notification Mandatory Data Erasure & Portability Consent for Personal Data Profiling
- 8. © 2018 SPLUNK INC. A Day in the Life of a Breach
- 9. © 2017 SPLUNK INC. Imagine you are responsible for your organisation’s security
- 10. © 2017 SPLUNK INC. Imagine today is May
- 11. © 2017 SPLUNK INC. What if… May
- 12. © 2017 SPLUNK INC. …it’s The Day After Tomorrow
- 13. © 2017 SPLUNK INC. …and you’re rudely woken early in the morning
- 14. © 2017 SPLUNK INC. Your friendly Data Privacy Officer is on the phone Blah, blah blah BREACH
- 15. © 2017 SPLUNK INC. Someone is selling personal data you hold
- 16. © 2017 SPLUNK INC. How does the DPO know? Your Threat Intelligence provider informed you and provided you samples
- 17. © 2017 SPLUNK INC. There is data in the deep web It may be your data!
- 18. © 2017 SPLUNK INC. She hangs up! Now what?
- 19. © 2017 SPLUNK INC. Your incident investigation plan kicks in
- 20. © 2017 SPLUNK INC. DPO IT PR/Media Team Legal (CEO) Coordination
- 21. © 2017 SPLUNK INC. Emergency call Emergency chatroom
- 22. © 2017 SPLUNK INC. In case of fire press here
- 23. © 2017 SPLUNK INC. 72 hours
- 24. © 2017 SPLUNK INC. Internal Leak External Leak Incident commander
- 25. © 2017 SPLUNK INC. “We need to investigate!!!” Reaching out to your security operations team
- 26. © 2017 SPLUNK INC. People and Processes
- 27. © 2017 SPLUNK INC. Where is that data stored in your environment?
- 28. © 2017 SPLUNK INC. First Action Is data still leaking?
- 29. © 2017 SPLUNK INC. How will you monitor them?
- 30. © 2017 SPLUNK INC. Nice, structured, tidy data?
- 31. © 2017 SPLUNK INC. Diving deep into the infrastructure
- 32. © 2017 SPLUNK INC. time series, in motion, unstructured Machine data 32
- 33. © 2018 SPLUNK INC. Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20 Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]: 20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts All three occurring within a 24-hour period Example Correlation – Data Loss What Does Machine Data Look Like?
- 34. © 2018 SPLUNK INC. Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20 Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]: 20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts Sources All three occurring within a 24-hour period Example Correlation – Data Loss Windows Authentication Time Range Intrusion Detection Endpoint Security What Does Machine Data Look Like?
- 35. © 2018 SPLUNK INC. Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20 Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]: 20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts Sources All three occurring within a 24-hour period Example Correlation – Data Loss Source IP Source IP Source IP Data Loss Default Admin Account Malware Found Windows Authentication Time Range Intrusion Detection Endpoint Security What Does Machine Data Look Like?
- 36. © 2018 SPLUNK INC. Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20 Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]: 20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts Sources All three occurring within a 24-hour period Example Correlation – Data Loss Source IP Source IP Source IP Data Loss Default Admin Account Malware Found Windows Authentication Time Range Intrusion Detection Endpoint Security What Does Machine Data Look Like?
- 37. © 2017 SPLUNK INC. It’s big data…
- 38. © 2017 SPLUNK INC. Worst Case External authorities might come in to your organization and say: “Don’t stop it”
- 39. © 2017 SPLUNK INC. Take response actions to stop data leakage
- 40. © 2017 SPLUNK INC. Understand
- 41. © 2017 SPLUNK INC. How much data will be needed for this?
- 42. © 2017 SPLUNK INC. Who processed your information?
- 43. © 2017 SPLUNK INC. You know what you know You know what you don’t know Painting the picture
- 44. © 2017 SPLUNK INC. Do individuals need to be informed additionally? How sensitive was the data?
- 45. © 2017 SPLUNK INC. Maybe resulting in a non event? Are the data subjects truly at risk?
- 46. © 2017 SPLUNK INC. before [social] media chatter explodes • Inform Authority • Inform affected Individuals • (Inform Public) As an organization you want to control the story
- 47. © 2017 SPLUNK INC. Worst Practice: German Bundestag "The Trojans are still active," confirmed SPIEGEL ONLINE. According to data from several sources familiar with the case, Bundestag data from the ”Parliament" network continue to flow in an unknown direction.
- 48. © 2017 SPLUNK INC. Best Practice: ABTA Breach
- 49. © 2017 SPLUNK INC. Best Practice: ABTA Breach
- 50. © 2017 SPLUNK INC. 2+ weeks later out of the news Example ABTA Breach 51
- 51. © 2018 SPLUNK INC.
- 52. © 2017 SPLUNK INC. Someone knocks on your door
- 53. © 2017 SPLUNK INC. Massive Fines
- 54. © 2017 SPLUNK INC. Have you deployed “countermeasures appropriate to the risk”? Have you used “state of the art” best practices? Data Privacy Audits
- 55. © 2017 SPLUNK INC. What did you know? When did you know? How did you know about it? Prove
- 56. © 2017 SPLUNK INC. Logs become your digital fingerprints
- 57. © 2018 SPLUNK INC. What Next? Splunk can help
- 58. © 2018 SPLUNK INC. Security Analysis & Response ComplianceRisk mitigation How Does Splunk Help with Security?
- 59. © 2017 SPLUNK INC. Three Use Cases that bring different person’s on the same level and speak the same language, each: ▶ Real World Scenario (IT-Manager) ▶ Relevant GDPR Articles and what they mean (Data Privacy Officer) ▶ How machine data helps with (Splunk Champion) How Machine Data Supports GDPR Compliance Available at the Splunk stand R566
- 60. © 2018 SPLUNK INC. Machine Data is Crucial for Breach Response Detection, Investigation, Response & Remediation Custom dashboards Report and analyze Monitor and alert Developer Platform Ad hoc searchOn-Premises Private Cloud Public Cloud Storage Online Shopping Cart Telecoms Desktops Security Web Services Networks Containers Web Clickstreams RFID Smartphones and Devices Servers Messaging GPS Location Packaged Applications Custom Applications Online Services DatabasesCall Detail Records Energy MetersFirewall Intrusion Prevention Platform Support (Apps / API / SDKs) Enterprise Scalability Universal Indexing Machine Data: Any Location, Type, Volume Answer Any Question
- 61. © 2018 SPLUNK INC. Visit the Splunk stand for a demo of Security Essentials or Enterprise Security Ask for a Security Use Case Workshop Try it for FREE: online security investigation demo Next Steps
- 62. © 2018 SPLUNK INC.© 2017 SPLUNK INC. Thank You for attending ▶ Questions?