Risk-Based Alerting (RBA) for Splunk Enterprise Security Explained—Bite-Size Webinar Series (Part 3)

Somerford Associates

6 Oct 202321:34

Summary

TLDR本次网络研讨会是关于基于风险的警报（RBA）的，这是企业查询安全系列的第三部分。主讲人首先介绍了与网络监控和即时响应管理相关的控制，然后解释了为什么RBA是一个有用的方法，以及它如何与风险框架相结合。接下来，讨论了成功实施RBA所需的配置和使用，并通过演示展示了其工作原理。RBA通过收集可疑行为数据、应用风险评分和注释，然后在风险指数中进行聚合，仅在达到一定阈值时发出警报，从而减少噪声并提高警报的保真度。此外，还介绍了如何使用Splunk安全基础和企业安全构建中的风险数据模型、指示器规则和仪表板来实现RBA。

Takeaways

📈 风险基础警报（RBA）是企业查询安全系列的第三部分，旨在通过风险框架改善安全警报系统。
🔍 RBA通过减少警报数量的噪音，帮助安全团队更快地响应真正的威胁，避免警报疲劳和人员流失。
🛡️ 两个关键的CIS控制（13和17）与网络监控防御和即时响应管理相关，是实现RBA的基础。
🤖 RBA的工作原理是首先收集可疑行为的观察结果，然后将其发送到风险指数，并应用风险评分和注释。
👀 实践中，RBA通过累积多个事件的风险分数，当超过一定阈值时触发警报，确保分析师只关注高风险事件。
🔑 实现RBA时需要考虑的关键因素包括为每个规则分配的风险分数、感兴趣的阈值或度量标准，以及哪些相关性规则适合基于风险的学习。
🛠️ Splunk安全基础（Splunk Secure Essentials）提供了与风险相关的内容，帮助用户过滤和找到适合RBA用例的内容。
📊 风险数据模型和风险指标规则是Splunk Enterprise Security中用于分析和管理风险数据的重要工具。
📚 通过Splunk的安全智能风险分析（Security Intelligence Risk Analysis）仪表板，可以深入了解环境中风险的分布和相关性。
🔗 风险框架允许通过相关性搜索创建事件，然后使用自适应响应动作来产生风险并将其应用到风险指数中。
📝 风险因素编辑器允许动态调整规则应用的风险，基于特定条件（如管理员用户或关键资产）增加风险评分。

Q & A

什么是基于风险的警报（Risk-Based Alerting）？
-基于风险的警报是一种安全方法，它通过收集和评估可疑行为，将其分类为观察结果，并发送到风险指数中。与传统的直接警报不同，它通过应用风险评分和注释来识别异常行为，然后在风险指数中寻找行为的集合或相关性，并在达到一定阈值时发出警报。
为什么需要基于风险的警报（RBA）？
-传统的警报系统常常因为过多的警报而导致安全团队不堪重负，这可能导致警报被忽略、检测响应变慢以及安全人员的疲劳和流失。RBA旨在减少这种噪音，通过更智能的方式提高警报的相关性和准确性。
CIS控制13和17在基于风险的警报中扮演什么角色？
-CIS控制13关注于网络监控和防御，强调建立和维护全面的网络监控以及对企业网络安全威胁的防御。CIS控制17则关注即时响应管理，能够快速响应攻击并提供更多信息。这两个控制为基于风险的警报提供了必要的安全监控和响应机制。
如何实施基于风险的警报？
-实施基于风险的警报需要首先收集相关数据，然后应用风险评分和注释，观察可疑行为并将其发送到风险指数。接着，在风险指数中寻找行为的相关性，当风险达到一定阈值时发出警报。
在基于风险的警报中，如何确定警报的阈值？
-警报的阈值可以根据不同的条件来确定，不一定要基于一个固定的分数。可以是涉及的战术数量、不同用例或搜索触发的次数，或者是多个不同技术或战术的组合。
什么是风险框架（Risk Framework）？
-风险框架是企业安全的一个基本框架，它通过创建相关性搜索、触发警报、应用风险并将其纳入风险指数，然后通过风险数据模型提取信息，用于风险指示器规则的警报。
如何配置和使用基于风险的警报？
-配置和使用基于风险的警报需要考虑应用到每个规则的分数、感兴趣的阈值或度量，并确定哪些相关性规则适合基于风险的学习以及哪些规则需要警报。此外，还需要通过应用程序如Splunk Secure Essentials来管理和查看风险数据。
如何通过Splunk Secure Essentials应用进行风险管理？
-在Splunk Secure Essentials应用中，可以查看和管理所有与风险相关的配置，包括保存的搜索、宏、查找等。该应用包含了风险数据模型、开箱即用的研究、风险指示器规则以及风险仪表板和宏。
风险因素编辑器在基于风险的警报中起什么作用？
-风险因素编辑器允许根据特定条件动态调整规则应用的风险。例如，如果用户是管理员，可以增加风险分数，以反映更高风险的情况。
如何通过Splunk Enterprise Security查看和管理风险事件？
-在Splunk Enterprise Security中，可以通过查看相关性搜索、启用的内容以及风险事件来管理风险。可以通过风险仪表板查看风险分数、活动源和风险事件的详细信息，以及进行威胁狩猎。
如何通过风险分析提高对环境风险的洞察力？
-通过安全智能风险分析，可以详细查看环境中的风险情况，包括按对象的风险分数、最活跃的源等。这可以帮助安全分析师快速了解哪些资产面临更高的风险，并采取相应的响应措施。

Outlines

00:00

😀 风险基础警报概述

本段介绍了网络研讨会的主题——基于风险的警报（RBA），它是Splunk安全系列的第三部分。讨论了RBA在风险框架中的重要性，以及如何通过RBA提高企业安全。提到了CIS控制13和17，分别涉及网络监控和防御以及即时响应管理。强调了传统警报方式的不足，如警报过多导致的分析师疲劳和响应迟缓，而RBA旨在通过减少噪音和提高警报质量来解决这些问题。

05:00

🔍 RBA的工作原理与实践

详细解释了基于风险的警报（RBA）的工作原理，包括观察可疑行为、将行为分类为观察结果、将观察结果输入风险指数，以及如何对这些观察结果应用风险评分和注释。讨论了在风险指数中寻找行为模式，并在达到一定阈值时发出警报的过程。通过一个实际案例，展示了如何随时间积累风险分数，并在超过阈值时发出警报，从而提高警报的覆盖范围和准确性。

10:02

🛠️ RBA的配置与应用

探讨了实施RBA时需要考虑的关键因素，包括为每个规则分配风险评分、确定感兴趣的阈值或度量，并思考哪些相关规则最适合基于风险的学习。介绍了风险框架的设置，包括创建相关搜索、触发警报、适应性响应动作以及风险数据模型的应用。还提到了如何通过安全分析师反馈和威胁狩猎来增强风险框架，并介绍了Splunk的安全威胁情报应用。

15:02

📚 风险相关用例的探索与配置

介绍了如何在Splunk安全基础中找到与风险相关的用例，包括合规性、应用程序安全监控等内容。讨论了如何通过智能安全基础或分析顾问来过滤和推荐基于风险的内容。还展示了如何在Splunk企业安全中配置相关搜索，并详细解释了如何通过相关搜索进行注释，以及如何使用风险因子编辑器动态调整风险评分。

20:04

📊 风险分析与响应

本段深入介绍了如何通过Splunk的安全智能风险分析来查看和管理风险事件。展示了如何通过风险指标规则触发警报，并在达到特定阈值时创建显著事件。讨论了如何通过风险事件和风险对象来提供对分析师的深入洞察，以及如何使用这些信息来进行威胁狩猎和响应。最后，介绍了如何在安全情报风险分析中查看风险分数、高风险对象和最活跃的来源，以及如何使用这些数据来调整风险策略。

📞 结语与后续步骤

在网络研讨会的最后，提供了关于如何获取更多信息的指导，包括通过电子邮件联系Splunk Associates或在YouTube上观看研讨会录像。预告了系列的下一集，将专注于威胁情报和威胁框架。

Mindmap

Keywords

💡风险基础告警（Risk-Based Alerting）

风险基础告警是一种安全策略，它通过评估和打分潜在的安全威胁来确定哪些事件需要立即关注。在视频中，它被描述为一种减少警报噪音、提高检测效率的方法。例如，通过收集可疑行为的信息，然后应用风险评分和注释，以确定是否需要触发警报。

💡企业安全（Enterprise Security）

企业安全指的是保护整个企业网络和用户免受安全威胁的一系列措施和流程。视频提到风险框架是企业安全的一个基本框架，强调了风险基础告警在维护企业安全中的重要性。

💡CIS控制（CIS Controls）

CIS控制是指一套被广泛认可的最佳安全实践，旨在帮助企业保护其网络和系统。视频中提到了CIS控制13和17，分别涉及网络监控和即时响应管理，这些都是构建风险基础告警系统的关键组成部分。

💡风险框架（Risk Framework）

风险框架是一种用于评估和管理组织面临的风险的结构化方法。在视频中，风险框架被描述为企业安全的一个基础，它与风险基础告警紧密相连，共同构成了企业安全管理的一部分。

💡安全事件（Security Incidents）

安全事件指的是任何可能影响组织安全的操作或活动。视频提到，传统的告警系统可能会因为大量的安全事件而导致警报疲劳，而风险基础告警旨在通过更智能的告警机制来解决这一问题。

💡风险评分（Risk Scoring）

风险评分是一个量化过程，用于评估特定事件或行为对组织的潜在影响。视频中解释了如何将风险评分应用于收集的数据，并通过风险指数来监控和触发告警。

💡风险指数（Risk Index）

风险指数是一个集中存储和分析风险评分数据的工具。在视频中，风险指数用于收集和关联可疑行为的信息，并在达到一定阈值时触发告警，是风险基础告警流程的核心组件。

💡事件关联（Event Correlation）

事件关联是一种分析技术，用于识别和连接多个相关事件，以便更好地理解潜在的安全威胁。视频中提到，风险基础告警通过事件关联来观察和评估可疑行为，然后将其发送到风险指数中。

💡Splunk安全基础（Splunk Secure Essentials）

Splunk安全基础是一个提供安全监控和管理功能的产品。视频提到，该产品包含了与风险基础告警相关的内置研究、风险指标规则和仪表板，是实现风险基础告警策略的重要工具。

💡威胁情报（Threat Intelligence）

威胁情报指的是与潜在威胁相关的信息，用于帮助组织识别、评估和应对安全风险。视频中提到威胁情报与风险基础告警相结合，可以提供更全面的安全视角，并在第四部分的网络研讨会中进一步探讨。

Highlights

本次网络研讨会是关于基于风险的警报（Risk-Based Alerting, RBA）的，这是企业查询安全系列的第三部分。

基于风险的警报是企业安全框架中一个基本的方法，有助于减少警报数量，并提高响应效率。

CIS控制13和17是与网络监控和即时响应管理相关的两个重要控制。

普通事件警报可能导致警报泛滥、警报抑制、检测响应缓慢以及分析师疲劳和流失。

基于风险的警报通过收集可疑行为信息并应用风险分数来减少噪音。

风险指数（Risk Index）用于收集和关联可疑行为，以便在达到一定风险阈值时触发警报。

通过多个事件的累积，可以更精确地确定何时应该发出警报。

基于风险的警报可以提供更广泛的覆盖范围和更高的警报保真度。

需要考虑为每个规则分配什么分数，以及我们感兴趣的阈值或度量标准是什么。

风险框架的设置包括创建相关性搜索、触发警报、适应性响应行动以及风险数据模型。

Splunk安全基础（Splunk Secure Essentials）提供了与风险相关的内容，帮助用户过滤和找到合适的用例。

风险因子编辑器允许基于特定条件动态调整规则应用的风险。

在索引中查看风险数据可以提供对环境中风险事件的洞察。

风险指示规则（Risk Indicator Rules）用于确定何时基于风险数据发出警报。

风险事件的审查提供了关于资产风险的详细信息，包括风险分数和相关注释。

安全情报风险分析提供了关于环境中风险应用的详细视图和数据。

网络研讨会结束后，参与者可以通过电子邮件或YouTube获取更多信息或观看回放。

Transcripts

00:01

hello and welcome to the webinar this

00:04

one's on risk-based alerting the

00:06

frontier of Enterprise query part of our

00:08

Splunk bite size security Series this is

00:11

webinar number three if you haven't seen

00:13

the first two so what are we talking

00:15

about today well

00:16

we're going to start again uh like the

00:19

last one on sys controls and really why

00:21

this is useful why risk-based alerting

00:23

is an approach that should be useful my

00:25

RBA in the risk framework how that kind

00:27

of comes together why the risk framework

00:29

as being a fundamental framework of

00:31

Enterprise security

00:33

the vital questions again just to make

00:35

sure that we have a successful

00:36

implementation what do we need to have

00:38

in place

00:39

how to configure use it and then we'll

00:42

also have a look at it as well we'll go

00:44

through a demonstration of it all so

00:45

that's the plan

00:48

so first off let's look at the couple

00:49

assist controls that are relevant to

00:50

here so we've got ciscontrol 13 which is

00:52

network monitoring and defense

00:55

um operator processes tooling to

00:57

establish and maintain comprehensive

00:58

network monitoring and defense against

00:59

security threats across the Enterprise

01:01

Network infrastructure and user base so

01:03

really just having same kind of Concepts

01:05

in place centralized security alert

01:08

event alerting 13.1 so making sure that

01:11

we have a seam and everything comes into

01:12

one place uh that's kind of the sort of

01:15

basis of having a scene really

01:18

and then second we've got the CIS

01:20

controller 17 which is instant response

01:22

management being able to kind of

01:24

correlate information together uh to be

01:26

able to detect or quickly respond to an

01:28

attack and have more information at the

01:30

fingertips so that's the reasons for it

01:31

right

01:32

so

01:34

why RBA well

01:37

as opposed to the ordinary sort of

01:39

notable kind of events or it's secure

01:42

incidents directly well essentially

01:45

because we're seeing this out in the

01:47

world more and more stocks are being

01:49

overwhelmed with the amount of alerts

01:51

and what that really leads to is abandon

01:52

the suppressed alerts slow detection

01:55

response and Alice burnout and turnover

01:57

of stuff unfortunately so really there

02:00

needs to be a better way of doing it and

02:02

RBA hopefully is there to the rescue to

02:04

kind of reduce a lot of that noise

02:06

um and make it a lot better so how's it

02:09

really work well

02:11

first off what we do is we take

02:14

correlations same as what we did

02:16

previously things that we want to be

02:17

interested in suspicious Behavior should

02:19

we say and then instead of directly

02:22

alerting art we now class it as an

02:24

observation we observe this effect and

02:26

send it into a Risk Index so we collect

02:28

that information as a subset of the data

02:31

that's already there right and we're

02:32

seeing the suspicious information

02:34

we then apply risk scores to it we apply

02:37

annotations to it whether it's the micro

02:39

attack annotations and really we're

02:41

looking for all those outliers of the

02:42

standard behavior

02:44

um and that then we look at inside the

02:48

Frisk index to see collections or

02:51

correlations of behavior known more bad

02:55

behavior or against policy Behavior or

02:58

suspicious behavior and essentially what

03:00

we then do is we alert on top of that

03:03

so if we see everything and it's all

03:04

tied to a particular entity whether it's

03:06

a user or a device and then we start

03:09

applying risk to that and then we when

03:11

it gets to a certain threshold we alone

03:13

so how does this look in practice well

03:16

multiple events okay so at 9 55 maybe

03:19

we've got a potential spear fishing

03:20

observed now do we know that anything's

03:23

actually occurred there there's a

03:24

security incident or is it just

03:26

something that's happened right

03:27

I sat in 10 points to the risk all right

03:30

now 1 23 PM so quite a bit later there's

03:33

some software that's been running on

03:35

this particular device right so we've

03:36

applied risk to the device we've now got

03:39

another 20 pieces of points of risk

03:40

because something that we've maybe not

03:42

seen before or started running in this

03:44

device

03:44

then a minute second or a minute later

03:47

basically another commands being run

03:48

disabling certain security controls okay

03:51

well okay it's starting to get a little

03:53

bit a lot more risky really we've got to

03:55

about 50 points right now then we see

03:57

some Powershell that's suspicious then

03:59

we see in service being installed okay

04:01

we're at 90 points and then at 2 15 p.m

04:04

we see suspicious lateral movement okay

04:06

so over time we've now accumulated

04:10

enough to say right I want to alert on

04:12

this I want my analysts to spend their

04:13

time because their time is precious to

04:16

spend their time investigating what's

04:17

going on here okay so now because we're

04:19

over 100 points what we do is we have a

04:21

risk into the rule so anything's over

04:23

100 points in a 24-hour period as in

04:25

this one then we send an alert and

04:28

that's just straight to the analyst

04:30

there for

04:31

um for investigation what this really

04:33

means is two things right first we have

04:36

far more coverage right we can do a lot

04:38

more

04:40

use cases in this way

04:42

than we could in a direct notable

04:44

because there just was too much noise

04:46

okay but we can also present back very

04:49

much higher Fidelity alerts when they

04:52

come back to them so analysts will see

04:54

all of this information about this asset

04:56

and know instantly that okay there's a

04:58

lot of a lot of bad things going on

05:00

maybe we need to lock the asset down or

05:02

whatever or even you can send that into

05:03

automation because you've got a lot

05:05

better confidence in the actual alert

05:07

itself

05:09

so this is how it works

05:11

sounds great so what's the most

05:12

important things to rethink about right

05:14

so we obviously need to think about what

05:15

score we need to apply to each rule

05:17

um we need to think about what

05:18

thresholds or measures we're interested

05:20

in now this isn't always just a score

05:22

threshold right it doesn't have to be

05:23

100 points and I'll show you in the demo

05:25

in fact other ways of doing it could be

05:27

the number of tactics that are involved

05:29

it could be the number of different use

05:30

cases or searches that have kind of

05:32

triggered the same search triggers over

05:34

and over again and it's a threshold

05:35

that's probably not as interesting as

05:37

something where multiple different

05:39

techniques or tactics have been involved

05:41

okay so there's lots of different things

05:42

that we can do there and we can do

05:44

combinations of these one of the ones I

05:46

saw very recently at dot conf is the

05:49

concept um very very makes a lot of

05:51

sense really is using an analytics story

05:53

and if you ever see all the different

05:54

correlation searches that trigger over

05:56

an analytics story then alert on it

05:58

right so lots of different ways of

06:01

creating these alerts it doesn't have to

06:02

be tied down to a particular score and

06:04

but squaring is obviously the sort of

06:06

Baseline kind of level should we say we

06:09

also need to think about what

06:09

correlation rules are ideal for

06:12

risk-based Learning and which ones do we

06:13

actually want to know to alert for right

06:15

because if we want a notable event

06:16

directly because it's really known bad

06:19

and it shouldn't happen at all then

06:21

that's fine that's not a problem not

06:22

everything has to go into risk-based

06:24

alerting and in a lot of cases what

06:25

you'll actually have is a number of

06:27

alerts a large number of alerts that go

06:29

just far into risk-based learning some

06:31

alerts that do both

06:32

and then which you want to alert and

06:35

give you more context behind and then

06:37

some alerts are just a direct notable

06:38

just deal with them as they are

06:39

individually don't need any sort of

06:41

background to

06:43

so

06:44

it's just kind of going through all of

06:45

your use cases and figuring out which

06:47

ones are are good for which side really

06:50

so the risk framework this is kind of

06:53

how it sets up so

06:54

um basically what we do is we create

06:57

correlation searches those correlation

06:58

searches then create a an event okay a

07:01

notable event uh or sorry they trigger

07:05

an alert that adaptive response action

07:07

is then used as a risk adaptive response

07:10

action and that produces risk and

07:12

applies it into the Risk Index it's a

07:15

summary index basically there is then a

07:17

data model that sits on top of it for

07:19

the risk data model and essentially that

07:20

will kind of extract all the information

07:22

out there and that's what we look upon

07:24

that accelerated date model to be able

07:25

to alert on use our risk indicator rules

07:27

now this can also feedback a security

07:30

analysts we'll be able to see different

07:32

things going on they can do threat

07:34

hunting within the risk info they don't

07:36

have to wait for a natural alert and

07:37

when they find anything in there then

07:39

they can send an ad hoc risk entry into

07:41

the index if they want to

07:43

um at any point throughout that sort of

07:45

timeline they can go and add in ad hoc

07:46

risk entries that's another way of

07:48

adding into the risk framework

07:52

one app that's kind of really important

07:54

in this

07:55

um and a similar in a sense to what the

07:57

previous uh webinar was on right this

07:59

one's about essay threat intelligence

08:01

this is where we contain all the risk

08:02

stuff out of the box it's a supporting

08:04

application

08:05

um which is the sa piece

08:07

um of an Enterprise security build so

08:09

you'll see it in Splunk Cloud you'll see

08:10

it on on-prem um and inside here it

08:13

contains the risk data model it contains

08:14

all the out-of-the-box researchers risk

08:16

indicator rules

08:18

and it contains wrist dashboards as well

08:20

as macros and everything else so this is

08:21

really the kind of place that you want

08:23

to have a look if you want to kind of go

08:24

through all the risk side of things

08:26

so with that let's go and actually have

08:28

a look at it

08:30

so we're starting here in the all

08:32

configurations page specifically in that

08:35

essay threat intelligence application

08:37

and we're going to see everything that's

08:38

created in the app with that risk right

08:41

so we can see the saved searches these

08:43

are the top two or the out of the box

08:45

risk indicator rules okay so these are

08:47

the things that are creating notable

08:48

events we can see all the different risk

08:50

kind of save searches that go on in the

08:52

background we can see macros that are

08:55

doing things as well we can see ways of

08:58

applying macros to users or so forth so

09:01

that fields are extracted that says user

09:03

risk and stuff like that

09:05

um include the lookups

09:07

so you can see that risk being applied

09:09

so you you know so you get a constant

09:11

update in your searches where risk is

09:13

there what's the level of risk for this

09:15

particular thing

09:16

um so all that so if you want to have a

09:18

look a little bit more detail about

09:19

what's in there then that's the sort of

09:21

place to see um so there's 54 items you

09:23

could look through

09:24

now where I want to start this kind of

09:27

Journey Through risk is really about how

09:29

we can start thinking about what sort of

09:30

risk we want now spunk secure Essentials

09:33

is written with risk Concepts in mind so

09:36

you can actually find content you can

09:37

click on find content you can go to

09:39

risk-based alert and content across the

09:40

right hand side and then you can pick

09:43

the particular category of content that

09:44

you're looking for maybe it's compliance

09:46

maybe it's application security

09:48

monitoring and this will take you to

09:50

your security date your security content

09:52

in Splunk Security Essentials with all

09:55

the things that are really useful for

09:56

risk okay so it's filtering down to

09:59

those risk relevant kind of use cases

10:01

that can be useful for correlating

10:04

against other information that's

10:06

probably one of the ways to think about

10:07

it risk is really about correlating with

10:09

other sort of types of uh events that

10:12

might be occurring right so you get

10:13

presented back with this

10:15

as you would expect from Smart Security

10:17

Essentials another way of looking at

10:18

this is if you go to analytics advisor

10:20

go to risk-based alerting content

10:22

recommendations then you can filter down

10:25

again either to the content that's

10:26

available to you or to all content okay

10:29

and you can filter down on specific

10:31

applications and certain categories so

10:33

in this case I've gone to Cloud security

10:35

and maybe I'm pretty presented back with

10:37

all those security content that might be

10:39

useful for cloud Security in a risk kind

10:43

of way okay so that's another way of

10:45

getting through the content so it's one

10:46

of the kind of important things to

10:49

consider uh in the process

10:52

now if you want to then go into it what

10:55

you can see is in correlation searches

10:57

um in Splunk Enterprise security so if

10:59

you're coming to configure into content

11:01

into content management and then filter

11:02

based on correlation searches and

11:05

enabled you can see what's actually

11:06

running so here I've got some es content

11:09

update searches this was AWS console

11:12

login from by user from a new city so if

11:14

I look in detail at this actual search I

11:17

can see it's a normal correlation search

11:18

there's nothing sort of groundbreaking

11:20

out of here it's looking for anything

11:22

that's in a new city from historical

11:23

events but it's also then providing a

11:26

lot of annotations

11:28

so we're annotating with assist 20

11:30

controls the kill chain meant to attack

11:31

the nest uh the confidence and impact

11:34

scores and these are really good at kind

11:36

of if you can give an idea of what your

11:38

impact and your confidence of each use

11:40

case that you've got running that can be

11:42

really good way of deciding what score

11:44

you should be applying uh and there's a

11:45

Blog on our website about kind of uh

11:47

aligning those two together to make a

11:49

good a good actual risk score

11:52

um because it's always an idea of like

11:53

how do I risk work at the beginning so

11:56

just something to bear in mind

11:57

um you can also see the other

11:58

annotations in terms of what analytics

12:00

story is relevant to and so forth right

12:02

so that runs on a particular time window

12:05

um and in this case is not throttling at

12:08

all but in some cases you might want to

12:10

throttle it depends on kind of how you

12:12

want to play with your risk scores your

12:13

risk use cases right

12:15

um sometimes you might be wanting to

12:17

observe if it's got internet connection

12:18

or something like that sometimes you

12:20

want to observe something else and then

12:23

what we're doing with the Adaptive

12:24

response action so down here we've got

12:26

risk analysis we've got a user the

12:28

username is logging into the AWS console

12:31

from a city for the first time okay and

12:34

their risk score is applying 18 points

12:36

to that user field

12:38

okay so uh that's been defined obviously

12:43

based on the confidence score and the

12:44

impact score uh how much we want to be

12:46

applying and this risk message is really

12:49

important okay so if you are doing risk

12:50

for the first time do make sure you put

12:52

risk messaging and if you can put any

12:54

threat objects in because they can kind

12:55

of tie everything together as well so

12:57

they can be really useful

13:07

so one other thing that you can do as a

13:09

risk factor editor right so

13:11

in terms of risk factors what you can do

13:13

is add risk based on certain conditions

13:17

right so in this case if that user is an

13:19

administrator so if I've got a user in

13:22

there it's got 18 points of risk at the

13:24

moment but if that user is an admin I.E

13:26

they've got a privileged category of

13:28

user from my asset identity lists right

13:31

um then we can times that factor by one

13:33

and a half so it'll actually give 27

13:35

points of risk right an extra nine

13:36

points added on because that's what it

13:40

should do because that's a privileged

13:41

account we want to we want to increase

13:42

the risk we want to know about any

13:44

privileged accounts being of use in this

13:45

source so this risk factor editor has a

13:48

way of just a dynamically altering the

13:50

risk that's being applied out of a rule

13:52

on its own based on certain conditions

13:54

whether that's a contractor whether

13:55

that's a critical priority destination

13:57

whatever it is that we're interested in

13:59

or maybe their watch list that sort of

14:01

thing

14:02

um then we can add an increased risk or

14:04

decrease or decrease risk if we need to

14:06

right so there's a multiplication

14:08

addition

14:10

um or of course you can multiply by 0.5

14:12

to delete and so forth right

14:14

so that's how we can do the risk factor

14:17

editors they can be a Dynamic Addition

14:18

to it

14:19

and then once we've got all those

14:21

correlations rules set up they're all

14:22

applying risk we'll see that data in the

14:24

index equals um

14:27

index equals risk so let's have a quick

14:29

look at that because

14:31

so if I go index equals risk I'll see

14:34

within here all the different risk

14:36

events that are being generated right so

14:38

we're taking note of all these different

14:39

things they're all got a particular

14:42

um stash Source type right which is our

14:44

summary and summary Source type from

14:45

Splunk out of the box and we can see all

14:48

the different sources which are the risk

14:49

rules that have been applied and

14:51

triggered right so lots of different

14:52

things going on in this environment

14:54

um so we can search through that and we

14:56

can also pin of course to the risk

14:58

object

14:59

um so we want to browse around

15:00

particular risk objects what's been

15:02

creating our risk on this particular

15:04

risk object can go into that and we can

15:06

go into our sources okay so these three

15:08

things are occurring on this particular

15:10

asset sort of thing right so we can

15:12

browse that data it is just sitting

15:14

there so if we want to go threat hunting

15:15

into risk we can do that

15:18

and of course what we then do is we want

15:20

to alert on it right when certain

15:21

thresholds are hit so what we have here

15:23

is a couple of risk uh indicator rules

15:25

one's called attack tactic threshold

15:27

exceeded for object over previous seven

15:29

days there's also a 24-hour risk rule as

15:31

well so this is a seven day risk rule

15:34

which is looking in the date model for

15:36

risk okay and it's alerting if there's

15:39

at least three tactics from the miter

15:42

involved at least four sources right so

15:45

if I looked in the data itself I can see

15:47

annotations that might or attack and the

15:50

tactics and techniques of data fields

15:52

that are in there because of the

15:53

annotations that are in the correlation

15:54

search themselves

15:56

and when I then hit that trigger what I

15:58

actually then do is create my notable

16:00

and it's at this point that it goes into

16:02

instant review I've given it my title to

16:04

my description uh I've got a drill down

16:07

and all the sort of normal things that

16:08

you would have from you know your

16:09

previous kind of notable events and how

16:11

you would normally previously alert

16:13

so that can all be done from there

16:16

um and you could make these up for

16:18

different things right and you could

16:19

weight these things and if you follow

16:22

um Hayley Mills kind of Journey to

16:23

learning how to implement uh risk-based

16:26

alerting right she's got a four stage

16:28

Journey some of the things she talks

16:29

about is about having Dynamic risk that

16:31

you can apply in Risk rules but also

16:33

having weighted sources and weighted

16:35

tactics and what we mean by that is the

16:39

not all Risk rules should apply the same

16:42

Source maybe you've got Brute Force

16:43

maybe that's not so interesting maybe

16:44

excessive power logins maybe that's not

16:46

so interesting whatever it is so you can

16:48

reduce the weight of that particular

16:50

source so that it doesn't hit the

16:52

threshold whereas some sources should

16:54

count as a full one point some maybe

16:55

even two points towards that Source

16:57

count so you know each Source could be a

17:00

little bit different in that weighting

17:01

as well

17:02

so that's another way of just kind of

17:03

looking in interesting ways

17:07

um

17:09

yeah so that's the kind of risk

17:11

indicator rules and so when that then

17:13

alerts what you then see is an incident

17:15

review you'll see events that are

17:17

presented like this and these are known

17:19

as risk notables you can filter based on

17:22

type so in this case drill down to type

17:25

risk notable and then you'll get

17:27

presented with all of them back and you

17:28

can see the risk of entering the risk

17:30

score so in this case I'm going to just

17:32

expand this one to start with to show

17:34

you that now that because it's a risk

17:35

event I can see all of the miter details

17:37

the annotations across the top so I can

17:39

get much quicker in insight into what's

17:42

actually occurring with this particular

17:45

um

17:47

asset in this case because that's the

17:48

risk object

17:50

um so I can see all the different things

17:51

that are going on there um I can get all

17:53

that sort of useful key information down

17:55

the left hand side and anything that's

17:57

going on on the right this one's

17:58

actually gone directly to saw and

18:00

actually been triaged in some respects

18:02

already which is why it's in progress

18:05

um and then if I click on in Risk events

18:08

I'll get a pop-up here

18:10

which will show me all of the risk

18:12

events all the all the Risk rules that

18:14

have triggered related to this

18:15

particular device okay so here we can

18:18

see six different rest rules here

18:20

um over a time period we can zoom in to

18:22

further into that we'll zoom out of

18:23

course

18:24

um so these are the risk events and if I

18:26

scroll down to the bottom of the page

18:27

you can see all of those in individually

18:29

and this when I mentioned why risk

18:32

messages are really important because

18:33

this is what's actually read to by the

18:35

analyst really

18:36

um so just making sure there's good

18:37

detail in there making sure it shows

18:39

what processes or what

18:42

um objects are that's actually occurred

18:44

to indicate that this is riskier a risky

18:47

instance

18:48

and you can see the Risk rules of what

18:50

has actually triggered and the

18:52

annotations as well on the right there

18:54

you can filter that down or of course

18:56

expand it with a little bit more detail

18:57

and then also at the top right you can

18:59

go into the threat typology and this is

19:02

where we can really link things between

19:03

threat objects and risk objects we can

19:05

get a little bit more detail around

19:07

what's going on so you can see these

19:08

things are linked together so this

19:10

laptop's also linked to be stole

19:13

um so you can see lots of good kind of

19:15

insight overview of what's actually

19:17

going on across the top and of course

19:20

the assets and in its in the asset list

19:24

across the top there as well so

19:27

um jolly good so that gives us a lot

19:30

more insight into what's actually going

19:31

on

19:32

um our analysts can go yes this is no

19:34

bad I want to lock it down I can go

19:35

ahead and run my adaptive response

19:37

action come in here run an Adaptive

19:39

response action from here and block it

19:41

or whatever or if it's climbing out into

19:43

saw you can get that kind of automated

19:47

um as it goes through processes and so

19:48

forth so whatever we need to do we can

19:50

do a particular Direct

19:52

adaptive response from there

19:55

and then finally if you really want to

19:56

look into it what you have is under

19:58

security intelligence risk analysis and

20:00

this will go into detail about all the

20:02

things that are going in Risk in the

20:03

environment right so we've got risk

20:05

scores by objects you can see the high

20:06

objects you can see most active sources

20:08

and this is probably one of the most

20:09

important youth dashboard panels you

20:12

probably want to expand it out and have

20:14

a look over it to see where your risk is

20:15

being applied if you come in here and

20:17

click search then that will give you a

20:19

good idea and then across the top you

20:20

can also see all the different

20:21

annotations and threat objects that are

20:23

involved across my risk and you can

20:26

filter everything down as you need to

20:27

change the time window and then right at

20:30

the bottom you can see all the modifiers

20:31

individually in a table tabular format

20:33

right but again this is just looking at

20:36

the data in the index itself so you can

20:39

go ahead and have a look and browse

20:40

through it that way

20:42

but this is as I say one of the most

20:44

useful ones because it gives you kind of

20:46

Direction about okay well there's not

20:47

particularly hitting many uh risk

20:50

objects but applying a lot of risk it's

20:51

just repeating itself maybe it's running

20:53

too often maybe it needs a bit of

20:55

thresholding can kind of give you some

20:57

direction of where you want to be

20:58

thinking about tuning this uh in this

21:01

kind of space okay with that thank you

21:03

very much for attending

21:04

um I hopefully that bite size

21:06

information on risk-based alerting was

21:08

useful for you if you do want to find

21:10

out any more have any questions just

21:12

email invert someone from associates.com

21:15

um and if you missed the webinar you can

21:17

go to youtube.com and find us there

21:20

um but uh yeah hopefully you'll join us

21:22

on the fourth uh one was doing Stu in

21:25

that case uh on our fourth episode in

21:27

the series looking at the threat

21:29

intelligence side of things and the

21:31

threat framework

Rate This

★

★

★

★

★

4.7 / 5 (43 votes)

Related Tags

风险警报企业安全安全框架事件响应警报阈值安全策略网络监控自动化响应安全分析Splunk应用

Do you need a summary in English?

Browse More Related Video

How to accelerate in Splunk

Roadmap for Learning SQL

Beginner's Guide to ControlNets in ComfyUI

Microsoft's New PHI-3 AI Turns Your iPhone Into an AI Superpower! (Game Changer!)

The State of Cybersecurity – Year in Review

Lesson 5 – Tips for Protecting your AI