Using Splunk to
Protect Students,
Faculty and the
University
Chris Kurtz
System Architect
Arizona State University
Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the
expected performance of the company. We caution you that such statements reflect our current expectations and
estimates based on factors currently known to us and that actual events or results could differ materially. For important
factors that may cause actual results to differ from those contained in our forward-looking statements, please review
our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time
and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract or other
commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include
any such feature or functionality in a future release.
Additional Speaker Disclaimer: While I am speaking as an employee of Arizona State University, I do not speak for the
University nor dictate policy, procedures, or purchases. Any and all statements made in this presentation are mine
alone, and do not in any way represent an official statement from ASU. The opinions and comments contained herein
are entirely my own. ASU does not endorse or represent any product mentioned, up to and including Splunk.
Agenda
Introduction to me and Arizona State University
About ASU
About me
Our Environment and our challenges
Introduction
Logs reside in multiple locations, depending on when and where the system was
installed: web logs in one location, system logs in multiple others (depending on
OS); some are on a single log concentrator and some in an old, slow, and
unsupported proprietary search database. The ISO requests logs for an incident. Ops
has to use the proprietary tools (or, just as often, grep through multiple
logfiles) based on the ISO's description, then email or share the logs. The ISO likely
has to revise the request at least once.
Typical response time to an incident: multiple business days
With Splunk
Licensing
750 GB/day
Started at 50 GB in November 2012
to 150 GB in February 2013
to 500 GB in June 2013
to 750 GB in July 2014
On track to reach 1 TB this FY
The value of Splunk to the Information Security Office
has driven the rapid growth
but other groups are starting to see the value!
We didn't know
To ASU, Splunk was like the invention of the
microscope: we didn't know what we couldn't
see.
Martin Idaszak
Security Architect, Arizona State University
Protecting Direct
Deposit
Payroll gets a call that an employee didn't get their direct deposit.
[Diagram: the DB records the IP and username of the change; a geo tag adds the country of the IP; the user's address supplies their state/country for comparison.]
1. Logs from webserver single sign-on and PeopleSoft now go to Splunk. No more waiting on
Operations to retrieve logs! This makes both ISO and Ops very happy!
2. Splunk monitors for Direct Deposit changes via a scheduled search, building a transaction to
link the change back to the user's webserver authentication. Now we have an originating
IP and a username, so we run geolocation on the originating IP, making it easier to create
reports based on the location of the change.
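The transaction logic of that scheduled search can be sketched in plain Python. This is a minimal illustration, not the actual search: the field names (`user`, `ip`, `src_ip`) are hypothetical stand-ins for the real single sign-on and PeopleSoft log fields.

```python
# Sketch: link each direct-deposit change back to the same user's SSO
# login, so the change carries an originating IP. Field names are
# illustrative, not ASU's real log schema.

def link_changes_to_logins(sso_events, deposit_changes):
    """Attach the most recent SSO login IP to each deposit change."""
    last_login_ip = {}
    for ev in sso_events:              # e.g. {"user": "jdoe", "ip": "1.2.3.4"}
        last_login_ip[ev["user"]] = ev["ip"]
    linked = []
    for change in deposit_changes:     # e.g. {"user": "jdoe"}
        linked.append({
            "user": change["user"],
            "src_ip": last_login_ip.get(change["user"], "unknown"),
        })
    return linked
```

In the real deployment this correlation happens inside Splunk (e.g. with `transaction` or a join on username); the sketch just shows the shape of the data flow.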
[Map: 1. Home, 2. Work]
So, let's think about it:
If your direct deposit changes from Malaysia, it's probably fraud…
but what about Ohio, if you live in Arizona?
1. Starting with the originating IP and username from Version 1, we use
custom lookup tables (more later!) to leverage HR system data, so we can
look up a username's information: name, address, etc.
2. Geolocation information about the user's home zip code is generated.
3. Using a free Splunk app called haversine, we calculate the distance
between the user's home (technically, the lat/lon of the center of their
zip code) and the lat/lon of the IP the change was made from. We realize
both of these are a bit vague, but we're really only looking for scale.
4. If the distance is unusual (~50 miles), the result will be flagged for Payroll
review automatically.
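The distance check above is a standard great-circle (haversine) calculation. A minimal Python sketch of the same math, assuming the ~50-mile threshold mentioned on the slide (the real deployment uses the haversine Splunk app, not this code):

```python
import math

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    r = 3958.8  # mean Earth radius in miles
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def flag_for_review(home, change_ip_loc, threshold_miles=50):
    """Flag a change whose originating IP is unusually far from the
    user's home zip-code centroid. Threshold from the slide (~50 mi)."""
    return haversine_miles(*home, *change_ip_loc) > threshold_miles
```

For example, a change made from an Ohio IP for a user whose home zip code is in Phoenix is far over the threshold, while a change from a neighboring Arizona suburb is not.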
Flexibility
It's not only schema-on-the-fly,
it's use-case-on-the-fly.
- Barak Reeves
Splunk Sales Engineer, Team TK-421
Phishing as a
teaching tool
Mandatory Pie Chart
[Diagram: the phishing email passes the mail filter and firewall and is stored; the user clicks on the phishing link. Seems legit?]
[Diagram: the email log ties the bad URL back to the user.]
This too is being automated! We plan to use workflows to allow ISO to easily flag a
potentially compromised account in Splunk, which (via a REST API call to our authentication
system) is automatically disabled, and (via another REST API call) a ticket is created for the
helpdesk, so they can explain the situation to the user when they call in because their
password no longer works.
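The two REST calls in that planned workflow might be shaped like the sketch below. Everything here is hypothetical: the endpoints, paths, and payload fields are illustrative placeholders, not ASU's real authentication or helpdesk APIs.

```python
import json

# Hypothetical sketch of the planned workflow's two REST calls.
# URLs and payload fields are invented for illustration only.

def build_disable_request(username):
    """Request asking the authentication system to disable an account."""
    return {
        "method": "POST",
        "url": "https://auth.example.edu/api/accounts/disable",
        "body": json.dumps({"username": username,
                            "reason": "suspected compromise"}),
    }

def build_ticket_request(username):
    """Request opening a helpdesk ticket so staff can explain the
    disabled account when the user calls in."""
    return {
        "method": "POST",
        "url": "https://helpdesk.example.edu/api/tickets",
        "body": json.dumps({
            "subject": f"Account disabled: {username}",
            "detail": "Account flagged in Splunk as potentially "
                      "compromised; password logins will fail until reset.",
        }),
    }
```

A Splunk workflow action would fire both requests from a single click on the flagged event.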
2. ISO actively follows phishing links (from a secure and isolated virtual
machine) and enters bogus credentials. We are now using Splunk to alert on
attempted logins using those honeypot credentials. These active hackers are
then blocked on the Palo Alto firewalls in a quick but manual process; this
protects users who might click on the phishing. Eventually, we plan to
semi-automate this using Splunk workflows that let ISO directly block several
different types of attackers from Splunk, using the Palo Altos' APIs.
3. ASU is investigating using honeypot full email accounts that will be scraped
from the public directory and then sent spam/phishing attempts just like real
users. The plan is to use Splunk to index the entire email, so we will have the
full body of phishing and spam emails as well as the headers. Phishing URLs
identified would be blocked using a workflow to the Palo Alto APIs, as above,
and the from addresses would be blocked on the Barracudas with their APIs.
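The honeypot-credential alert boils down to a simple set-membership check: any login attempt with a username ISO planted in a phishing form is, by definition, an attacker. A minimal sketch, with hypothetical field names and a made-up decoy account:

```python
# Sketch of the honeypot-credential alert. The decoy username and the
# event field names are invented for illustration.

HONEYPOT_USERS = {"decoy.user"}   # usernames ISO typed into phishing forms

def attacker_ips(login_events):
    """Return source IPs that attempted logins with honeypot usernames,
    ready to be pushed to a firewall block list."""
    return sorted({
        ev["src_ip"]
        for ev in login_events
        if ev["user"] in HONEYPOT_USERS
    })
```

In Splunk terms this is a scheduled search against the authentication logs with a lookup of planted usernames; the resulting IPs feed the (eventually automated) Palo Alto block workflow.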
Value of Splunk
To correlate data,
you have to have data to correlate
Having data from machine logs such as mail servers and firewalls is
great; it's the first (and easiest) data to get into Splunk.
An isolated Splunk instance running DBX queries several databases in the Data
Warehouse and writes a series of lookup tables (with the affiliate ID)
every 4 hours.
Linux inotify monitors the lookup tables, and on write-close copies the data to
the production systems (sanity checking applies).
[Diagram: Data Warehouse → Isolated Splunk running DBX → Production Splunk]
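The "sanity checking applies" step might look like the sketch below: refuse to copy a freshly written lookup table into production unless it has the expected header and a plausible row count. The thresholds and file layout are illustrative assumptions, not ASU's actual checks.

```python
import csv
import shutil

# Sketch of a sanity-check-then-copy step for a lookup table.
# Header and minimum row count are illustrative placeholders.

def sane_and_copy(src, dst, expected_header, min_rows=1000):
    """Copy src to dst only if it parses as CSV with the expected
    header and at least min_rows data rows; return whether it copied."""
    with open(src, newline="") as f:
        rows = list(csv.reader(f))
    if not rows or rows[0] != expected_header:
        return False                    # wrong or missing header
    if len(rows) - 1 < min_rows:
        return False                    # suspiciously small extract
    shutil.copy(src, dst)
    return True
```

The point of the check is that a failed or truncated Data Warehouse extract silently produces a tiny or malformed file; refusing the copy keeps the last good lookup table in production.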
Problem is…
Splunk (and most other applications) use the ISO 3166 standard alpha-2 country codes ("US" for
United States, for example). This is standard for geolocation services in Splunk.
But our Oracle databases for student data get the data from the students, often from their
passports. And machine-readable passports use the ISO 3166 alpha-3 country codes, and
there isn't a simple conversion!
If the country code is not in the standard geolocation format, I can't do any geolocation, which
means the data is far less useful.
I looked on the Splunk Apps site (http://apps.splunk.com) but didn't find a solution.
Country        alpha-3  alpha-2
United States  USA      US
China          CHN      CN
Nigeria        NGA      NG
Lookup Sample:
alpha-2,alpha-3,numeric
US,USA,840
CN,CHN,156
NG,NGA,566
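Consuming a lookup in this shape is straightforward; a minimal Python sketch of the alpha-3 → alpha-2 mapping it provides (the app itself ships this as a Splunk lookup table, not Python code):

```python
import csv
import io

# The same sample rows as the lookup above.
LOOKUP_CSV = """alpha-2,alpha-3,numeric
US,USA,840
CN,CHN,156
NG,NGA,566
"""

def alpha3_to_alpha2(lookup_csv=LOOKUP_CSV):
    """Build an alpha-3 -> alpha-2 mapping from the lookup CSV, so
    passport-style codes can be normalized for geolocation."""
    reader = csv.DictReader(io.StringIO(lookup_csv))
    return {row["alpha-3"]: row["alpha-2"] for row in reader}
```

In Splunk the equivalent is a `lookup` call against the table, rewriting the alpha-3 field into the alpha-2 field that the geolocation commands expect.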
My app took me about a day to do, including an obsessive amount of research on how to do it.
#splunk
It is days like today when I am stuck with a piece
of crappy software with horrible documentation
and support that I am very thankful that I spend
the rest of my time dealing with Splunk.
- David Shpritz (automine) Splunk IRC channel
Conclusion
THANK YOU