Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Elastic{ON} 2018 - Sipping from the Firehose: S...

Elastic Co
March 01, 2018

Elastic{ON} 2018 - Sipping from the Firehose: Scalable Endpoint Data for Incident Response

Enterprises have better sources of endpoint telemetry to respond to intrusions than ever before, yet attackers continue to slip through the cracks, often with surprising ease. And security teams still struggle to fully scope or remediate compromises, even after they’ve been detected.

This presentation will examine why it's so difficult to gather and maintain the right mix of endpoint data for effective incident response. It will then demonstrate how a blended approach — combining technologies like Elasticsearch with distributed, on-endpoint analysis — can offer comprehensive, high-speed, and efficient visibility at any scale. Examples from real-world breaches (including a few that inspired hacks in the latest season of Mr. Robot) will illustrate lessons learned from the field.

Ryan Kazanciyan| Chief Security Architect | Tanium

Elastic Co

March 01, 2018
Tweet

More Decks by Elastic Co

Other Decks in Technology

Transcript

  1. Tanium February 28, 2018 @ryankaz42 Sipping from the Firehose: Scalable

    Endpoint Data for Incident Response Ryan Kazanciyan, Chief Security Architect
  2. 5

  3. 6

  4. 8 • Endpoints are the ultimate security perimeter • We’re

    in a golden age of endpoint security tools and data… • …but we still struggle with scale, efficiency, and effectiveness
  5. • “Black box” flight recorder
 • Limited to the most

    common event-based data (process execution, file changes, network connections, etc.)
 • High-volume, high-value EDR telemetry 13
  6. • Access Tokens • Anti-virus • API monitoring • Authentication

    logs • Binary file metadata • BIOS • Browser extensions • Data loss prevention • Digital Certificate Logs • DLL monitoring • EFI • Environment variable • File monitoring • Host network interface • Kernel drivers • Loaded DLLs • MBR & VBR • Netflow • Network device logs • Network protocol analysis • Packet capture • PowerShell logs • Process command-line parameters • Process monitoring • Process use of network • Sensor health and status • Services • SSL/TLS inspection • System calls • Third-party application logs • User interface • Windows Error Reporting • Windows event logs • Windows Registry • WMI Objects Data sources per MITRE ATT&CK 15
  7. • Access Tokens • Anti-virus • API monitoring • Authentication

    logs • Binary file metadata • BIOS • Browser extensions • Data loss prevention • Digital Certificate Logs • DLL monitoring • EFI • Environment variable • File monitoring • Host network interface • Kernel drivers • Loaded DLLs • MBR & VBR • Netflow • Network device logs • Network protocol analysis • Packet capture • PowerShell logs • Process command-line parameters • Process monitoring • Process use of network • Sensor health and status • Services • SSL/TLS inspection • System calls • Third-party application logs • User interface • Windows Error Reporting • Windows event logs • Windows Registry • WMI Objects What do most EDR tools focus on? 16
  8. 17

  9. 18

  10. 19

  11. 20

  12. 21

  13. 22

  14. 23

  15. 24

  16. 25

  17. 26

  18. 27

  19. 28

  20. • What sources of data? • What can be centralized?

    • What must be examined on-endpoint? • What’s your cadence to collect? • What’s your cadence to analyze? You cannot capture everything, constantly 29
  21. • Typical endpoint sources • Alerting tools • Telemetry tools

    • Critical logs (limited to select systems)
 • Ideal for correlation with non-endpoint sources, aggregate data analysis
 • Resource constrained by event forwarding and storage over time Centralized approach 30
  22. • Broadest set of available data: • Volatile / in-memory

    • Files and artifacts on-disk • Locally stored telemetry and logs • Often difficult to efficiently search and collect at-scale On-endpoint evidence 31
  23. 32 rule PAS_TOOL_PHP_WEB_KIT { meta: description = "PAS TOOL PHP

    WEB KIT FOUND" strings: $php = "<?php" $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/ $strreplace = "(str_replace(" $md5 = ".substr(md5(strrev(" $gzinflate = "gzinflate" $cookie = "_COOKIE" $isset = “isset" condition: (filesize > 20KB and filesize < 22KB) and #cookie == 2 and #isset == 3 and all of them } Searching web server files with Yara On-endpoint example #1
  24. • Different OS versions, add-ons, and regional variants • User

    applications • Enterprise applications • Randomized file paths, GUIDs, and other per-host unique artifacts • Churn from updates & patches Your software is noisy 35 Examining operating system, application, and script usage at-scale
  25. 5-7 per host 1-3 per host Large networks (>100k endpoints)

    Small networks (<100k endpoints) * Measured by total unique instances of installed application versions
  26. Iterating on an hunting technique 45 “How often do legitimate

    Windows applications run PowerShell encoded commands?” 1 2 3 4 5 “Oops. 10% of our endpoints produce 1000s of false positives per day. Too much noise. “Let’s apply some client-side filters to the data and try again.” “Eureka!” Now let’s collect, centralize, and analyze the data over time.” “Find all the evil things!” Ask a 
 question Get unexpected results Learn and refine Add to workflow Success!
  27. Common inhibitors 46 1 2 3 4 5 Ask a

    
 question Get unexpected results Learn and refine Add to workflow Success! • Expensive or slow to test at-scale • Can only work with pre-selected data • Contend for resources with other workflows 
 “Will this break something?”…“Take too long?”…“I guess I won’t try…”
  28. 49

  29. 50

  30. 51

  31. 52

  32. 57

  33. Distributed access to endpoint data 58 Full-disk index, files at-rest,

    OS configuration 
 and forensic artifacts Volatile memory and short-lived / stateful evidence Historical EDR telemetry, OS logs, application logs Efficient data aggregation, and a single source of truth
  34. Search, collect, and analyze at-scale 59 1 2 3 4

    5 Ask a 
 question Get unexpected results Learn and refine Add to workflow Success! Experiment without penalty, with results in seconds
  35. 61

  36. Tanium February 28, 2018 @ryankaz42 Sipping from the Firehose: Scalable

    Endpoint Data for Incident Response Ryan Kazanciyan, Chief Security Architect