Who

 is  Exabeam?  
A  security  analy.cs  company  founded  in  
2013.  We  provide  user  behavior  
intelligence  by  leveraging  exis.ng  SIEM  and  
log  management  data  repositories.  Our  
technology  detects  modern  cyber  aDacks  
and  simplifies  security  opera.ons.  

Sylvain  Gil  
Co-­‐founder  and  VP  Products  

1
 What  do  nearly  all  of  the  worst  
data  breaches  have  in  common?  

1.1  Million  customers   40  Million  customers   100,000  customers   SHll  Unknown  

3  Million  customers   4.5  Million  customers   215  Employees   56  Million  customers  

83+  Million   1,000  Stores   3.6  Million  Employees  

Stolen  user  credenHals  
were  involved  in  every  case  
•  ADackers  impersonate  employees   STOLEN  CREDENTIALS  
using  stolen  creden.als  
•  Able  to  move  throughout  the   ATTACK  

network  avoiding  detec.on  

COMMAND  &  CONTROL  
•  The  vic.ms  learned  about  their  
breach  through  outside  sources   LATERAL  MOVEMENT  

EXTENT  OF  IMPACT  

Most  companies,  if  not  all,  had  

made  significant  investments  in  SIEM,  
firewall,  anH-­‐malware  and  IPS.  
The  Typical  A`ack  Chain  

Move  
Maintain   Laterally  
Presence  

Internal  
IniHal   IniHal   Establish   Escalate   Complete  
Recon  
Recon   Compromise   Foothold   Privileges   Mission  

Hours   Weeks  or  Months   Hours  

S o u r c e :   F i r e E y e   M a n d i a n t   A P T 1   r e p o r t   ( F e b   2 0 1 3 )  
4  
Use  of  Stolen  CredenHals  

Move  
Maintain   Laterally  
Presence  

Internal  
IniHal   IniHal   Establish   Escalate   Complete  
Recon  
Recon   Compromise   Foothold   Privileges   Mission  

POSSIBLE  CREDENTIAL  USE  

Hours   Weeks  or  Months   Hours  

S o u r c e :   F i r e E y e   M a n d i a n t   A P T 1   r e p o r t   ( F e b   2 0 1 3 )  
5  
Undetected  A`ack:  
A U G U S T  

13   Spear  Phishing  
South  Carolina  IRS  
A U G U S T  
VPN  in  with  
At  various  stages  of  this  aDack,   27   stolen  creden.als  
important  anomalies  went  unno.ced:  
A U G / S E P T  

•  VPN  access  off  hours   29-­‐11   Server  &  App  Recon  

•  VPN  access  from  new  device  
S E P T E M B E R  
•  Unusual  access  to  servers  
12   File  Data  TheZ  
•  Crawling  of  sensi.ve  servers  
•  Copy  of  large  DB  backups   S E P T E M B E R  

  13-­‐14   Exfiltra.on  
6  
Undetected  A`ack:  
A U G U S T  

Spear  Phishing  
13  
South  Carolina  IRS  
A U G U S T  
VPN  in  with  
At  various  stages  of  this  aDack,   27   stolen  credenHals  
important  anomalies  went  unno.ced:  
A U G / S E P T  

•  VPN  access  off  hours   29-­‐11   Server  &  App  Recon  

•  VPN  access  from  new  device  
S E P T E M B E R  
•  Unusual  access  to  servers  
12   File  Data  TheZ  
•  Crawling  of  sensi.ve  servers  
•  Copy  of  large  DB  backups   S E P T E M B E R  

  13-­‐14   Exfiltra.on  
7  
Undetected  A`ack:  
A U G U S T  

Spear  Phishing  
13  
South  Carolina  IRS  
A U G U S T  
VPN  in  with  
At  various  stages  of  this  aDack,   27   stolen  creden.als  
important  anomalies  went  unno.ced:  
A U G / S E P T  

•  VPN  access  off  hours   29-­‐11   Server  &  App  Recon  

•  VPN  access  from  new  device  
S E P T E M B E R  
•  Unusual  access  to  servers  
12   File  Data  TheZ  
•  Crawling  of  sensi.ve  servers  
•  Copy  of  large  DB  backups   S E P T E M B E R  

  13-­‐14   Exfiltra.on  
8  
Undetected  A`ack:  
A U G U S T  

Spear  Phishing  
13  
South  Carolina  IRS  
A U G U S T  
VPN  in  with  
At  various  stages  of  this  aDack,   27   stolen  creden.als  
important  anomalies  went  unno.ced:  
A U G / S E P T  

•  VPN  access  off  hours   29-­‐11   Server  &  App  Recon  

•  VPN  access  from  new  device  
S E P T E M B E R  
•  Unusual  access  to  servers  
12   File  Data  Thee  
•  Crawling  of  sensi.ve  servers  
•  Copy  of  large  DB  backups   S E P T E M B E R  

  13-­‐14   Exfiltra.on  
9  
Undetected  A`ack:  
A U G U S T  

Spear  Phishing  
13  
South  Carolina  IRS  
A U G U S T  
VPN  in  with  
At  various  stages  of  this  aDack,   27   stolen  creden.als  
important  anomalies  went  unno.ced:  
A U G / S E P T  

•  VPN  access  off  hours   29-­‐11   Server  &  App  Recon  

•  VPN  access  from  new  device  
S E P T E M B E R  
•  Unusual  access  to  servers  
12   File  Data  TheZ  
•  Crawling  of  sensi.ve  servers  
•  Copy  of  large  DB  backups   S E P T E M B E R  

  13-­‐14   ExfiltraHon  
10  
Challenges  in  DetecHng  Stolen  CredenHal  Use  

Million   ADack  may   We  don’t  

ways  to   not  use   know  what’s  
compromise   malware   good  or  bad  

11  
Using  Splunk  for  Behavior  Profiling  

1   2   3  
Define  
Create  a   Detect  and  
Characteris.cs  
Baseline   Score  Anomalies  
of  User  Behavior  

12  
Splunk  Benefits  

1.  Access  to  historical  log  data  =  immediate  ability  to  baseline  
2.  Log  data  spans  en.re  stack  from  network  to  app  transac.ons  
3.  Unstructured  data:  collect  first,  get  insight  later  
4.  Powerful  search  and  sta.s.c  func.ons  
5.  You  already  own  it!  

13  
1   Defining  User  Behavior  CharacterisHcs  
•  Challenge  fundamentals  of  aDack  chain  
•  How many assets accessed
•  When do activities take place
•  What accounts connect to what machines
•  Did user ever connect from this country

•  Rely  on  likely  available  log  sources  

•  Windows Domain Controllers
•  Windows Servers
•  SSH logins
•  Remote Access VPN
•  Single Sign-On
14  
Windows  DC  and  Server  logs  
•  Use  Splunk  Universal  Forwarder  for  out-­‐of-­‐the-­‐box  fields  extrac.on  
h"p://docs.splunk.com/Documenta4on/Splunk/6.1.3/Data/Monitorwindowsdata  

•  Domain  Controllers  event  codes  

(EventCode=4769 OR EventCode=673)

•  Other  Windows  Servers  or  Worksta.ons  

(EventCode=4624 OR EventCode=528)

•  Make  sure  to  log  successful  logins:  GPO  >  Audit  Logon  Events  

15  
Fields  of  Interest  in  a  Windows  DC  Logon  
Log  Name:            Security  
Source:                MicrosoZ-­‐Windows-­‐Security-­‐Audi.ng  
Date:                    10/27/2009  9:58:02  PM   •  _Hme  
Event  ID:            4769  
Task  Category:  Kerberos  Service  Ticket  Opera.ons  
 
Level:                  Informa.on  
Keywords:            Audit  Success  
User:                    N/A  
Computer:            dcc1.Logis.cs.corp  
Descrip.on:        
A  Kerberos  service  .cket  was  requested.  
Account  Informa.on:  
 Account  Name:  
 Account  Domain:  
 [email protected]  
 LOGISTICS.CORP  
•  AccountName  
 Logon  GUID:    {9A6EBA7B-­‐42EE-­‐E3E3-­‐EC65-­‐5DD3DD4C77A9}    Look  for  non  $  values  to  filter  out  computer  logons  
Service  Informa.on:  
 Service  Name:
 Service  ID:
 
 
 TERMSERV1$  
 S-­‐1-­‐5-­‐21-­‐1135140816-­‐2109348461-­‐2107143693-­‐1000  
•  ServiceName  
Network  Informa.on:   Computer  being  accessed  
 Client  Address:    192.168.23.189  
 Client  Port:
Addi.onal  Informa.on:  
   0  
•  ClientAddress  
 Ticket  Op.ons:    0x40810000   Misleading,  oZen  IP  of  des.na.on  
 Ticket  Encryp.on  Type:  0x12  
 Failure  Code:    0x0  
 Transited  Services:  -­‐  
16  
2   CreaHng  a  Baseline  
•  We  want  to  gather  daily  usage  stats  per  user  
•  We  cannot  afford  to  search  over  en.re  history  everyday  

•  Solu.on  à  Splunk  Summary  Indexing  

•  Similar to Map Reduce concept

Search   Calculate   Save  stats   Search  

logs  daily   stats   to  index   index  

17  
Demo:  Storing  daily  user  stats  in  summary  index  

We  store  a  daily  count  of  servers  per  user  and  save  this  info  in  the  userstats  index  

EventCode=4769
| bin _time span=1d
| stats dc(ServiceName) by _time user
| rename dc(ServiceName) as count
| collect index=userstats

18  
3   DetecHng  and  Scoring  Anomalies  

•  Run  sta.s.cal  analysis  on  daily  stats  stored  in  summary  index  

•  Splunk  offers  several  possibili.es:  

•  Xth percentile analysis – percX(Y)
•  Standard deviation analysis – stdev
•  Build your own with lookups

19  
PercenHle  analysis  

index=UserStats AccountName=bob
| eventstats p95(AssetCount) as threshold
| where AssetCount>threshold

•  Returns  days  where  bob  accessed  more  than  his  95th  percen.le  number  of  assets  
•  Runs  in  seconds  even  for  several  months  of  data  

20  
Standard  DeviaHon  
VPN  session  dura.on  

msgType=juniper-vpn-*
| transaction user startswith="msgType=*start" endswith="msgType=*end"
| eval type="VpnDuration"
| table type,_time,user,duration
| collect userstats

index=userstats type="VpnDuration”
| eventstats mean(duration) as avgdur, stdev(duration) as stdevdur by user
| eval threshold=tonumber(avgdur)+3*tonumber(stdevdur)
| where duration>threshold
| table user,duration,threshold
21  
First  occurrence  with  Lookups  
Known  VPN  endpoints.  We  store  all  past  endpoints  of  each  user  in  a  lookup.  
We  then  filter  for  endpoints  that  are  not  found  in  that  lookup.  

eventtype=vpn-login
| eval key=user+"-"+src_host | eval value=1
| dedup key | table key,value
| outputlookup UserVpnHosts.csv

eventtype=vpn-login earliest=-2d@d latest=-1d@d

| eval key=user+"-"+src_host
| lookup UserVpnHosts.csv key OUTPUT value as result
| where isnull(result) | table user,host
22  
AggregaHng  Anomalies  and  Scoring  
•  We  want  to  sum  up  anomalies  and  create  a  daily  score  per  user  
•  Each  anomaly  detec.on  search  will  increment  the  daily  score  

•  Solu.on  à  Splunk  Summary  Indexing  

 
Run  detec.on   Roll  up  daily  
Assign  score  and   Collect  in   score  with  
searches  on  
reason   UserScores  index  
index   |  stats  sum()  

23  
Keeping  Score  and  Reasons  
index=UserStats AccountName=bob
| eventstats p95(AssetCount) as threshold
| where AssetCount>threshold
| eval Reason="Asset count exceeded threshold of $threshold”
| eval Score="20”
| fields _time,AccountName,AssetCount,Score,Reason
| collect index=userscores

•  Comments  

24  
 Demo:  Aggregate  and  Trend  User  Score  

We  sum  up  the  scores  per  user  per  day  and  collect  the  associated  reasons  

index=userscores
| bin _time span=1d
| stats sum(Score) as Score, values(Reason) as Reasons by _time,user
| table user,_time,Score,Reasons

25  
Possible  Caveats  
•  There  may  not  be  enough  data  for  the  baseline  to  be  valid  
•  New users, new machines
•  Exabeam uses a proprietary Confidence Factor algorithm
•  Session  Tracking  
•  Logs are stateless by nature, hard to track identity switches
•  User  Interface  
•  Representing log events of diff. nature alongside anomalies can be tricky
•  Peer  analysis  
•  New behaviors should be compared to the users’ peers (lookups?)
26  
 The  Exabeam  Approach  
IT S E C U R I T Y   E R P   C M D B  
Research  &  
M A C H I N E   D A T A   H R M S   I T M S   Community  
L O G   M A N A G E M E N T   A C T I V E   D I R E C T O R Y   Insights  

Log  ExtracHon   +   User  Session   +   Behavior     +   Risk    

&  Context   Tracking   Analysis   Engine  

Risk  Scoring  
SCORE
Incident  Ranking  
75   A`ack  DetecHon   27  
Exabeam  Tracking  
of  User  Sessions  

•  Context  on  who  the  user  is  

•  Peer  group  and  manager  info  
•  Risk  trend  over  .me  
•  Quick  view  of  risk  reasons  

28  
Session  Timeline  
•  Lists  user  ac.vi.es  from  logon  
to  logoff  

•  Track  reasons  per  event  and  

associated  score  

•  Transfers  risk  from  one  day  to  

the  next  

29  
Takeaways  

•  Add  user  behavior  and  anomaly  detec.on  to  your  rules  

•  Start  simple  with  logs  you  have  and  basic  analysis  

•  Use  a  scoring  approach  to  rank  risk  

30  
 Ques.ons?  
 
 
Visit  our  booth  for  a  demo  
www.exabeam.com  

31  
 Thank You

Questions

CONFIDENTIAL