Splunk .conf 2016

Show the Board the Value of Your Incident Response Team – Detect a Live Attack With Splunk and Knock Their Socks Off!

Presented during Splunk .conf 2016 at the Walt Disney World Swan and Dolphin Resorts, Tuesday, September 27, 2016 from 12:40 PM-1:25 PM

In this presentation my colleagues and I walk through an approach for showing the value of information security and the value and role of Splunk. We demonstrate the high ROI achieved and help justify the investments in the security program and in Splunk solutions. The presentation describes: how to create a demo network with a fictitious HR victim and a remote hacker; how to set up Splunk solutions to detect each step of the attack, including a dashboard that maps to the cyber kill chain; what to consider when presenting technical material to the board; how to maximize the impact of the demonstration by making it “real”; how to take this conversation to the board; how we did it, our board’s reaction to the brief, and how (magically) we had board-level excitement about Splunk afterwards.

The following posts describe in detail the creation of the demonstration network.

I kick the whole series off with a question: How often have you had to argue or prove the value of your Information Security program to management? This post provides an introduction to the series and discusses why we decided to create the demonstration.

In Part 2 of “Selling your Information Security Team”, we discuss recommendations for your host computer and installation of Virtualization Software. We define the network types we will use and reveal what the virtual network layout will look like. Prepare to WOW your Board of Directors!

Next, in Part 3, we build on the framework designed in the previous posts and are ready to create our first Virtual Machine: the Firewall. This VM joins the two networks together and forms the keystone of the demonstration before the Board of Directors.

In Part 4 we build the Swiss Army Knife of the demonstration: the Utility VM. This system hosts the Snort IDS, the WebMail service and the cornerstone of the demonstration: the Splunk service. We walk through installing the OS, Snort and WebMail in this post.

Splunk Enterprise is the centerpiece of this entire demonstration and is installed in Part 5. Clear visual indicators let your audience know when things have gone bad (red is bad, green is good) during the attack demo. This is where we build that centerpiece and the dashboard used during the demonstration.

If you have followed this series so you can present a similar demonstration, Part 6 provides details on building the Victim VM, which is used by the audience member who volunteers to be the victim. A very important step in this build is NOT patching the Victim VM system, so we can take advantage of vulnerabilities that exist in the Windows 7 SP1 build.

Now, in Part 7, for the fun Hacker Ninja work: the Attack VM. We use an OS designed for penetration testing that has the tools and a framework to make this job easier: Kali Linux. We’ve already built a vulnerable Victim VM, so we take advantage of known vulnerabilities in that build. This is the build I had the most fun with!

Part 8 (TBD) will wrap up the series with a discussion on running the demonstration.