Risk-Based Alerting (RBA) for Splunk Enterprise Security Explained—Bite-Size Webinar Series (Part 3)

hello and welcome to the webinar this

one's on risk-based alerting the

frontier of Enterprise query part of our

Splunk bite size security Series this is

webinar number three if you haven't seen

the first two so what are we talking

about today well

we're going to start again uh like the

last one on sys controls and really why

this is useful why risk-based alerting

is an approach that should be useful my

RBA in the risk framework how that kind

of comes together why the risk framework

as being a fundamental framework of

Enterprise security

the vital questions again just to make

sure that we have a successful

implementation what do we need to have

in place

how to configure use it and then we'll

also have a look at it as well we'll go

through a demonstration of it all so

that's the plan

so first off let's look at the couple

assist controls that are relevant to

here so we've got ciscontrol 13 which is

network monitoring and defense

um operator processes tooling to

establish and maintain comprehensive

network monitoring and defense against

security threats across the Enterprise

Network infrastructure and user base so

really just having same kind of Concepts

in place centralized security alert

event alerting 13.1 so making sure that

we have a seam and everything comes into

one place uh that's kind of the sort of

basis of having a scene really

and then second we've got the CIS

controller 17 which is instant response

management being able to kind of

correlate information together uh to be

able to detect or quickly respond to an

attack and have more information at the

fingertips so that's the reasons for it

right

so

why RBA well

as opposed to the ordinary sort of

notable kind of events or it's secure

incidents directly well essentially

because we're seeing this out in the

world more and more stocks are being

overwhelmed with the amount of alerts

and what that really leads to is abandon

the suppressed alerts slow detection

response and Alice burnout and turnover

of stuff unfortunately so really there

needs to be a better way of doing it and

RBA hopefully is there to the rescue to

kind of reduce a lot of that noise

um and make it a lot better so how's it

really work well

first off what we do is we take

correlations same as what we did

previously things that we want to be

interested in suspicious Behavior should

we say and then instead of directly

alerting art we now class it as an

observation we observe this effect and

send it into a Risk Index so we collect

that information as a subset of the data

that's already there right and we're

seeing the suspicious information

we then apply risk scores to it we apply

annotations to it whether it's the micro

attack annotations and really we're

looking for all those outliers of the

standard behavior

um and that then we look at inside the

Frisk index to see collections or

correlations of behavior known more bad

behavior or against policy Behavior or

suspicious behavior and essentially what

we then do is we alert on top of that

so if we see everything and it's all

tied to a particular entity whether it's

a user or a device and then we start

applying risk to that and then we when

it gets to a certain threshold we alone

so how does this look in practice well

multiple events okay so at 9 55 maybe

we've got a potential spear fishing

observed now do we know that anything's

actually occurred there there's a

security incident or is it just

something that's happened right

I sat in 10 points to the risk all right

now 1 23 PM so quite a bit later there's

some software that's been running on

this particular device right so we've

applied risk to the device we've now got

another 20 pieces of points of risk

because something that we've maybe not

seen before or started running in this

device

then a minute second or a minute later

basically another commands being run

disabling certain security controls okay

well okay it's starting to get a little

bit a lot more risky really we've got to

about 50 points right now then we see

some Powershell that's suspicious then

we see in service being installed okay

we're at 90 points and then at 2 15 p.m

we see suspicious lateral movement okay

so over time we've now accumulated

enough to say right I want to alert on

this I want my analysts to spend their

time because their time is precious to

spend their time investigating what's

going on here okay so now because we're

over 100 points what we do is we have a

risk into the rule so anything's over

100 points in a 24-hour period as in

this one then we send an alert and

that's just straight to the analyst

there for

um for investigation what this really

means is two things right first we have

far more coverage right we can do a lot

more

use cases in this way

than we could in a direct notable

because there just was too much noise

okay but we can also present back very

much higher Fidelity alerts when they

come back to them so analysts will see

all of this information about this asset

and know instantly that okay there's a

lot of a lot of bad things going on

maybe we need to lock the asset down or

whatever or even you can send that into

automation because you've got a lot

better confidence in the actual alert

itself

so this is how it works

sounds great so what's the most

important things to rethink about right

so we obviously need to think about what

score we need to apply to each rule

um we need to think about what

thresholds or measures we're interested

in now this isn't always just a score

threshold right it doesn't have to be

100 points and I'll show you in the demo

in fact other ways of doing it could be

the number of tactics that are involved

it could be the number of different use

cases or searches that have kind of

triggered the same search triggers over

and over again and it's a threshold

that's probably not as interesting as

something where multiple different

techniques or tactics have been involved

okay so there's lots of different things

that we can do there and we can do

combinations of these one of the ones I

saw very recently at dot conf is the

concept um very very makes a lot of

sense really is using an analytics story

and if you ever see all the different

correlation searches that trigger over

an analytics story then alert on it

right so lots of different ways of

creating these alerts it doesn't have to

be tied down to a particular score and

but squaring is obviously the sort of

Baseline kind of level should we say we

also need to think about what

correlation rules are ideal for

risk-based Learning and which ones do we

actually want to know to alert for right

because if we want a notable event

directly because it's really known bad

and it shouldn't happen at all then

that's fine that's not a problem not

everything has to go into risk-based

alerting and in a lot of cases what

you'll actually have is a number of

alerts a large number of alerts that go

just far into risk-based learning some

alerts that do both

and then which you want to alert and

give you more context behind and then

some alerts are just a direct notable

just deal with them as they are

individually don't need any sort of

background to

so

it's just kind of going through all of

your use cases and figuring out which

ones are are good for which side really

so the risk framework this is kind of

how it sets up so

um basically what we do is we create

correlation searches those correlation

searches then create a an event okay a

notable event uh or sorry they trigger

an alert that adaptive response action

is then used as a risk adaptive response

action and that produces risk and

applies it into the Risk Index it's a

summary index basically there is then a

data model that sits on top of it for

the risk data model and essentially that

will kind of extract all the information

out there and that's what we look upon

that accelerated date model to be able

to alert on use our risk indicator rules

now this can also feedback a security

analysts we'll be able to see different

things going on they can do threat

hunting within the risk info they don't

have to wait for a natural alert and

when they find anything in there then

they can send an ad hoc risk entry into

the index if they want to

um at any point throughout that sort of

timeline they can go and add in ad hoc

risk entries that's another way of

adding into the risk framework

one app that's kind of really important

in this

um and a similar in a sense to what the

previous uh webinar was on right this

one's about essay threat intelligence

this is where we contain all the risk

stuff out of the box it's a supporting

application

um which is the sa piece

um of an Enterprise security build so

you'll see it in Splunk Cloud you'll see

it on on-prem um and inside here it

contains the risk data model it contains

all the out-of-the-box researchers risk

indicator rules

and it contains wrist dashboards as well

as macros and everything else so this is

really the kind of place that you want

to have a look if you want to kind of go

through all the risk side of things

so with that let's go and actually have

a look at it

so we're starting here in the all

configurations page specifically in that

essay threat intelligence application

and we're going to see everything that's

created in the app with that risk right

so we can see the saved searches these

are the top two or the out of the box

risk indicator rules okay so these are

the things that are creating notable

events we can see all the different risk

kind of save searches that go on in the

background we can see macros that are

doing things as well we can see ways of

applying macros to users or so forth so

that fields are extracted that says user

risk and stuff like that

um include the lookups

so you can see that risk being applied

so you you know so you get a constant

update in your searches where risk is

there what's the level of risk for this

particular thing

um so all that so if you want to have a

look a little bit more detail about

what's in there then that's the sort of

place to see um so there's 54 items you

could look through

now where I want to start this kind of

Journey Through risk is really about how

we can start thinking about what sort of

risk we want now spunk secure Essentials

is written with risk Concepts in mind so

you can actually find content you can

click on find content you can go to

risk-based alert and content across the

right hand side and then you can pick

the particular category of content that

you're looking for maybe it's compliance

maybe it's application security

monitoring and this will take you to

your security date your security content

in Splunk Security Essentials with all

the things that are really useful for

risk okay so it's filtering down to

those risk relevant kind of use cases

that can be useful for correlating

against other information that's

probably one of the ways to think about

it risk is really about correlating with

other sort of types of uh events that

might be occurring right so you get

presented back with this

as you would expect from Smart Security

Essentials another way of looking at

this is if you go to analytics advisor

go to risk-based alerting content

recommendations then you can filter down

again either to the content that's

available to you or to all content okay

and you can filter down on specific

applications and certain categories so

in this case I've gone to Cloud security

and maybe I'm pretty presented back with

all those security content that might be

useful for cloud Security in a risk kind

of way okay so that's another way of

getting through the content so it's one

of the kind of important things to

consider uh in the process

now if you want to then go into it what

you can see is in correlation searches

um in Splunk Enterprise security so if

you're coming to configure into content

into content management and then filter

based on correlation searches and

enabled you can see what's actually

running so here I've got some es content

update searches this was AWS console

login from by user from a new city so if

I look in detail at this actual search I

can see it's a normal correlation search

there's nothing sort of groundbreaking

out of here it's looking for anything

that's in a new city from historical

events but it's also then providing a

lot of annotations

so we're annotating with assist 20

controls the kill chain meant to attack

the nest uh the confidence and impact

scores and these are really good at kind

of if you can give an idea of what your

impact and your confidence of each use

case that you've got running that can be

really good way of deciding what score

you should be applying uh and there's a

Blog on our website about kind of uh

aligning those two together to make a

good a good actual risk score

um because it's always an idea of like

how do I risk work at the beginning so

just something to bear in mind

um you can also see the other

annotations in terms of what analytics

story is relevant to and so forth right

so that runs on a particular time window

um and in this case is not throttling at

all but in some cases you might want to

throttle it depends on kind of how you

want to play with your risk scores your

risk use cases right

um sometimes you might be wanting to

observe if it's got internet connection

or something like that sometimes you

want to observe something else and then

what we're doing with the Adaptive

response action so down here we've got

risk analysis we've got a user the

username is logging into the AWS console

from a city for the first time okay and

their risk score is applying 18 points

to that user field

okay so uh that's been defined obviously

based on the confidence score and the

impact score uh how much we want to be

applying and this risk message is really

important okay so if you are doing risk

for the first time do make sure you put

risk messaging and if you can put any

threat objects in because they can kind

of tie everything together as well so

they can be really useful

so one other thing that you can do as a

risk factor editor right so

in terms of risk factors what you can do

is add risk based on certain conditions

right so in this case if that user is an

administrator so if I've got a user in

there it's got 18 points of risk at the

moment but if that user is an admin I.E

they've got a privileged category of

user from my asset identity lists right

um then we can times that factor by one

and a half so it'll actually give 27

points of risk right an extra nine

points added on because that's what it

should do because that's a privileged

account we want to we want to increase

the risk we want to know about any

privileged accounts being of use in this

source so this risk factor editor has a

way of just a dynamically altering the

risk that's being applied out of a rule

on its own based on certain conditions

whether that's a contractor whether

that's a critical priority destination

whatever it is that we're interested in

or maybe their watch list that sort of

thing

um then we can add an increased risk or

decrease or decrease risk if we need to

right so there's a multiplication

addition

um or of course you can multiply by 0.5

to delete and so forth right

so that's how we can do the risk factor

editors they can be a Dynamic Addition

to it

and then once we've got all those

correlations rules set up they're all

applying risk we'll see that data in the

index equals um

index equals risk so let's have a quick

look at that because

so if I go index equals risk I'll see

within here all the different risk

events that are being generated right so

we're taking note of all these different

things they're all got a particular

um stash Source type right which is our

summary and summary Source type from

Splunk out of the box and we can see all

the different sources which are the risk

rules that have been applied and

triggered right so lots of different

things going on in this environment

um so we can search through that and we

can also pin of course to the risk

object

um so we want to browse around

particular risk objects what's been

creating our risk on this particular

risk object can go into that and we can

go into our sources okay so these three

things are occurring on this particular

asset sort of thing right so we can

browse that data it is just sitting

there so if we want to go threat hunting

into risk we can do that

and of course what we then do is we want

to alert on it right when certain

thresholds are hit so what we have here

is a couple of risk uh indicator rules

one's called attack tactic threshold

exceeded for object over previous seven

days there's also a 24-hour risk rule as

well so this is a seven day risk rule

which is looking in the date model for

risk okay and it's alerting if there's

at least three tactics from the miter

involved at least four sources right so

if I looked in the data itself I can see

annotations that might or attack and the

tactics and techniques of data fields

that are in there because of the

annotations that are in the correlation

search themselves

and when I then hit that trigger what I

actually then do is create my notable

and it's at this point that it goes into

instant review I've given it my title to

my description uh I've got a drill down

and all the sort of normal things that

you would have from you know your

previous kind of notable events and how

you would normally previously alert

so that can all be done from there

um and you could make these up for

different things right and you could

weight these things and if you follow

um Hayley Mills kind of Journey to

learning how to implement uh risk-based

alerting right she's got a four stage

Journey some of the things she talks

about is about having Dynamic risk that

you can apply in Risk rules but also

having weighted sources and weighted

tactics and what we mean by that is the

not all Risk rules should apply the same

Source maybe you've got Brute Force

maybe that's not so interesting maybe

excessive power logins maybe that's not

so interesting whatever it is so you can

reduce the weight of that particular

source so that it doesn't hit the

threshold whereas some sources should

count as a full one point some maybe

even two points towards that Source

count so you know each Source could be a

little bit different in that weighting

as well

so that's another way of just kind of

looking in interesting ways

um

yeah so that's the kind of risk

indicator rules and so when that then

alerts what you then see is an incident

review you'll see events that are

presented like this and these are known

as risk notables you can filter based on

type so in this case drill down to type

risk notable and then you'll get

presented with all of them back and you

can see the risk of entering the risk

score so in this case I'm going to just

expand this one to start with to show

you that now that because it's a risk

event I can see all of the miter details

the annotations across the top so I can

get much quicker in insight into what's

actually occurring with this particular

um

asset in this case because that's the

risk object

um so I can see all the different things

that are going on there um I can get all

that sort of useful key information down

the left hand side and anything that's

going on on the right this one's

actually gone directly to saw and

actually been triaged in some respects

already which is why it's in progress

um and then if I click on in Risk events

I'll get a pop-up here

which will show me all of the risk

events all the all the Risk rules that

have triggered related to this

particular device okay so here we can

see six different rest rules here

um over a time period we can zoom in to

further into that we'll zoom out of

course

um so these are the risk events and if I

scroll down to the bottom of the page

you can see all of those in individually

and this when I mentioned why risk

messages are really important because

this is what's actually read to by the

analyst really

um so just making sure there's good

detail in there making sure it shows

what processes or what

um objects are that's actually occurred

to indicate that this is riskier a risky

instance

and you can see the Risk rules of what

has actually triggered and the

annotations as well on the right there

you can filter that down or of course

expand it with a little bit more detail

and then also at the top right you can

go into the threat typology and this is

where we can really link things between

threat objects and risk objects we can

get a little bit more detail around

what's going on so you can see these

things are linked together so this

laptop's also linked to be stole

um so you can see lots of good kind of

insight overview of what's actually

going on across the top and of course

the assets and in its in the asset list

across the top there as well so

um jolly good so that gives us a lot

more insight into what's actually going

on

um our analysts can go yes this is no

bad I want to lock it down I can go

ahead and run my adaptive response

action come in here run an Adaptive

response action from here and block it

or whatever or if it's climbing out into

saw you can get that kind of automated

um as it goes through processes and so

forth so whatever we need to do we can

do a particular Direct

adaptive response from there

and then finally if you really want to

look into it what you have is under

security intelligence risk analysis and

this will go into detail about all the

things that are going in Risk in the

environment right so we've got risk

scores by objects you can see the high

objects you can see most active sources

and this is probably one of the most

important youth dashboard panels you

probably want to expand it out and have

a look over it to see where your risk is

being applied if you come in here and

click search then that will give you a

good idea and then across the top you

can also see all the different

annotations and threat objects that are

involved across my risk and you can

filter everything down as you need to

change the time window and then right at

the bottom you can see all the modifiers

individually in a table tabular format

right but again this is just looking at

the data in the index itself so you can

go ahead and have a look and browse

through it that way

but this is as I say one of the most

useful ones because it gives you kind of

Direction about okay well there's not

particularly hitting many uh risk

objects but applying a lot of risk it's

just repeating itself maybe it's running

too often maybe it needs a bit of

thresholding can kind of give you some

direction of where you want to be

thinking about tuning this uh in this

kind of space okay with that thank you

very much for attending

um I hopefully that bite size

information on risk-based alerting was

useful for you if you do want to find

out any more have any questions just

email invert someone from associates.com

um and if you missed the webinar you can

go to youtube.com and find us there

um but uh yeah hopefully you'll join us

on the fourth uh one was doing Stu in

that case uh on our fourth episode in

the series looking at the threat