BlackLynx Cybersecurity Integration into Splunk - June 25, 2019
BlackLynx Enhances, Accelerates, Optimizes Your Company’s Splunk Investment
Add BlackLynx Solution as a Splunk Enterprise App
• Discover events faster: high performance search ability to accelerate event detection through the elimination of ETL and indexing
• More efficient triage: searching ALL the data enables improved visibility to answer the hard questions while not raising TCO
• Faster alert detection: Splunk 24-hour real-time monitoring with BlackLynx Search & ML/AI to identify and resolve issues faster
• Integration with Splunk UI & automation and other 3rd party products: integrate Splunk Apps & provide other 3rd party product interfaces (ODBC/JDBC, RESTful JSON)
Leverage all the Splunk capabilities while adding BlackLynx performance and high end search capabilities (fuzzy searching, regular expressions, raw PCAP, etc.) to handle the growth in machine data
Splunk Powered by BlackLynx Performance Examples
Benchmark comparison for Fuzzy Edit Distance and PCAP primitives
• The DNS log (2 GB) and the PCAP files (15.6 GB) are from the U.S. National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC) dataset
• The tre-agrep tool was co-authored by Udi Manber, one of the great names in contemporary Computer Science and author of the well-regarded textbook Introduction to Algorithms: A Creative Approach, which to this day enjoys wide use in Computer Science curricula worldwide
• TSHARK Search applies the filter parameter (ip.dest) to 16 files (serially). The TSHARK Decode time is only the time to build the decoded files (parallel processes) and does not include any filter time
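The "Fuzzy Edit Distance" benchmark compares approximate matching, the operation agrep-style tools perform: find every line that contains the pattern within a bounded number of edits (insertions, deletions, substitutions). The following is an added example, not BlackLynx or tre-agrep code, of that operation in plain Python over constructed DNS log lines; the watched domain, the log format and the client addresses are all assumptions, and the example generalizes from the slide's benchmark to the standard Sellers dynamic programme for approximate substring matching.

```python
# Added example (not BlackLynx or tre-agrep code): agrep-style approximate substring
# search with a bounded edit distance, the operation behind a "fuzzy edit distance"
# benchmark. Standard library only; the DNS log lines below are constructed.

def approx_distance(pattern: str, text: str) -> int:
    """Smallest Levenshtein distance between `pattern` and any substring of `text`.

    Sellers' dynamic programme for approximate string matching: row 0 is all zeros
    so a match may start at any text position, and the result is the minimum over
    the last row, so it may end at any position.
    """
    m = len(pattern)
    prev = list(range(m + 1))            # column before any text char: D[i][0] = i
    best = prev[m]
    for ch in text:
        cur = [0]                        # D[0][j] = 0: a match may begin here
        for i in range(1, m + 1):
            cost = 0 if pattern[i - 1] == ch else 1
            cur.append(min(prev[i] + 1,          # text char unmatched (insertion)
                           cur[i - 1] + 1,       # pattern char unmatched (deletion)
                           prev[i - 1] + cost))  # match or substitution
        best = min(best, cur[m])
        prev = cur
    return best


def fuzzy_grep(pattern: str, lines, k: int):
    """Return (distance, line) for every line within k edits of the pattern."""
    hits = []
    for line in lines:
        d = approx_distance(pattern, line)
        if d <= k:
            hits.append((d, line))
    return hits


# Constructed sample DNS log lines (not taken from the MACCDC dataset). Line 2 is a
# look-alike of the watched domain (digit 1 for letter l), line 3 a transposition.
DNS_LOG = [
    "2019-06-25T10:00:01 client=10.0.0.5 query=www.example.com type=A",
    "2019-06-25T10:00:02 client=10.0.0.7 query=www.examp1e.com type=A",
    "2019-06-25T10:00:03 client=10.0.0.9 query=mail.exmaple.com type=MX",
    "2019-06-25T10:00:04 client=10.0.0.5 query=cdn.unrelated.org type=A",
]

if __name__ == "__main__":
    for k in (0, 1, 2):
        print(f"k={k}:")
        for d, line in fuzzy_grep("example.com", DNS_LOG, k):
            print(f"  distance {d}: {line}")
```

With k=0 this is an exact grep (one hit); k=1 also catches the look-alike domain, and k=2 the transposed one. The inner loop is O(len(pattern)) per text character, which is why hardware-accelerated or bit-parallel implementations matter at multi-gigabyte log sizes.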
Add BlackLynx Solution as a Splunk Enterprise App (architecture diagram)
• Splunk: ingestion of PCAP, netflow, active triggers, etc.; BlackLynx Splunk App for alerts & full analytics; Bro logs / machine data
• 10-100 Gbps network data: packet capture server; saved PCAP/JSON/CSV/XML/unstructured files
• BlackLynx Server: raw storage repository; machine learning (future machine learning by fully analyzing the machine generated data)
• 3rd party applications using RESTful or ODBC/JDBC interfaces; location based services
BlackLynx Proprietary
Get smarter insights—faster—to drive critical business decisions and next-generation innovation
High Speed Search Acceleration
Xilinx® Alveo™ accelerator cards and BlackLynx software combine to supercharge search capabilities to increase data visibility for Cyber, Performance, and Compliance Functions
• Accelerate time to extract insights from data through near real-time search performance
• Add complex queries including fuzzy search, PCAP analysis, and RegEx capabilities
• Eliminate ETL/indexing for fast, varied data (XML, JSON, CSV, Unstructured, PCAP)
Image and Video Edge Analytics Acceleration
Xilinx® Alveo™ Data Center accelerator cards and BlackLynx technology combine to maximize the potential of image and video analysis at the edge of the network
• Maximizes performance of FPGA technology doing image/video machine learning
• Uses GPU or CPU trained Convolutional Neural Networks on FPGAs for inference analysis
• Achieves reliable, accurate results with smaller, low-power solution
Example of raw PCAP Analytics
Search PCAP file for a particular IP Destination and then use regular expression on the payload data to find social security numbers
▪ Web Server option using RESTful JSON API:
ryftuser@R01-0003234:~$ ryftrest -vv -p pcap -f PCAP/MACCDC2012/*.pcap -q 'ip.dest == 34.238.50.30 and (RECORD.payload CONTAINS PCRE2("[^-0-9]*\d{3}-\d{2}-\d{4}[^-0-9]*"))'
▪ Data Forensics (command line showing size of data set, matches, and performance):
{ "Duration(sec) ": 4.8, "Total Bytes(GB) ": 15.62, "Data Rate(GB/s) ": 3.26, "Matches ": 4 }
▪ Over 3 GB/second performance
▪ 4.8 seconds to process 15.6 GB of raw PCAP
▪ 15 GB PCAP data thinned to 2.1KB PCAP data
Programmatic interface (www.ryft.com/api), command line, web interfaces, RESTful APIs are available
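The query on the slide does two things: an `ip.dest` filter over the packet headers and a PCRE2 match over the TCP payload. The following is an added example, not BlackLynx or ryftrest code, that performs the same two steps in plain Python over an in-memory libpcap capture: it parses the PCAP record headers, Ethernet/IPv4/TCP headers and the payload itself, applies the slide's regular expression, and reports a summary in the spirit of the ryftrest output. The capture is constructed inline (the MACCDC2012 files are not used), the destination address 34.238.50.30 is the one on the slide, and the structural SSN check that discards area 000/666/9xx, group 00 and serial 0000 is an addition here to reduce false positives, not part of the slide's query.

```python
# Added example (not BlackLynx/ryftrest code): destination-IP filter plus payload
# regex over a PCAP, done in standard-library Python. The capture is constructed.
import re
import struct
import time
from ipaddress import ip_address

# The regular expression from the slide, as a bytes pattern (payloads are bytes).
SSN_RE = re.compile(rb"[^-0-9]*\d{3}-\d{2}-\d{4}[^-0-9]*")
CORE_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")


def plausible_ssn(core: bytes) -> bool:
    """Added refinement: the SSA never issues area 000, 666 or 900-999, group 00
    or serial 0000, so such hits are formatting noise rather than an SSN."""
    area, group, serial = (int(x) for x in core.split(b"-"))
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def iter_frames(pcap: bytes):
    """Yield link-layer frames from a classic libpcap byte string (24-byte global
    header, then 16-byte record headers); both byte orders are handled."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload_to(frame: bytes, dst_ip: str):
    """Return the TCP payload if the frame is IPv4/TCP to dst_ip, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":        # EtherType IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 6 or str(ip_address(ip_hdr[16:20])) != dst_ip:  # proto, ip.dest
        return None
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:14 + total_len]


def search_pcap(pcap: bytes, dst_ip: str) -> dict:
    """Filter on destination IP, run the regex on each payload, summarise."""
    start = time.perf_counter()
    regex_matches, hits = 0, []
    for frame in iter_frames(pcap):
        payload = tcp_payload_to(frame, dst_ip)
        if payload is None:
            continue
        for m in SSN_RE.finditer(payload):
            regex_matches += 1
            core = CORE_RE.search(m.group(0)).group(0)
            if plausible_ssn(core):
                hits.append("***-**-" + core[-4:].decode())   # mask before reporting
    return {"duration_sec": time.perf_counter() - start, "total_bytes": len(pcap),
            "regex_matches": regex_matches, "plausible_ssn_matches": len(hits),
            "hits": hits}


# --- constructed capture (Ethernet II / IPv4 / TCP to port 3306, no checksums) ------
def frame(dst_ip: str, payload: bytes, src_ip: str = "10.0.0.5") -> bytes:
    eth = b"\x00\x00\x5e\x00\x53\x01" + b"\x00\x00\x5e\x00\x53\x02" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 3306, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                             for f in frames)


SAMPLE_PCAP = build_pcap([
    frame("34.238.50.30", b"INSERT INTO customers VALUES ('Jane Doe', '123-45-6789')"),
    frame("34.238.50.30", b"ticket 2019-06-25 closed, no PII"),
    frame("34.238.50.30", b"INSERT INTO customers VALUES ('Test', '666-12-3456')"),
    frame("10.0.0.9", b"UPDATE staff SET ssn='487-65-4320' WHERE id=7"),
    b"\xff" * 6 + b"\x00\x00\x5e\x00\x53\x02" + b"\x08\x06" + b"\x00" * 28,  # ARP
])

if __name__ == "__main__":
    print(search_pcap(SAMPLE_PCAP, "34.238.50.30"))
```

Only the last four digits of a hit are reported, since the purpose of the search is to locate clear-text disclosures, not to copy them into another log. The ARP frame and the frame to a different destination show the two filters doing their work before the regex is ever run.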
Example of raw PCAP Analytics
Using BlackLynx’s ODBC/JDBC interfaces for commercial data analytics & visualization tools (Tableau, Excel)
Sample BlackLynx Dashboard
Prebuilt Search Commands
Forensics is now NOT LIMITED to only the fields indexed in Splunk. High performance search capabilities are now available on raw PCAP data stored outside Splunk
Search & Investigate
When doing incident handling, one of the things we usually need to do is get the files which were downloaded.
Example: look at what files were downloaded. Determine which files have been downloaded; check the table of blacklisted sites, or use tools like Wireshark to extract the downloaded objects to see if they have been categorized as malicious
Additional forensics: What sites have the user(s) gone to?
Domain names being looked at and displayed with Splunk visualization
Additional forensics: What sites have the user(s) gone to that are blacklisted?
Domain names being looked at and correlated with the blacklist domain names table; these entries were found in the blacklist table
Additional forensics: Show all certificate expirations
Graphic shows all certificate expirations by month
Additional forensics: What sites have expired certificates?
Graphic shows expired certificates by month (these certificates have expired)
Additional forensics: Looking for Social Security Numbers in clear text
Social Security Number highlighted: found clear text social security numbers from a MySQL database in the TCP payload
Additional forensics: Do you see Wake on LAN packets? If so, what MAC addresses are they targeting? From where?
Wake on LAN commands happening, targeting MACs 00:00:5e:00:53:66 and 00:00:5e:00:53:61, both from the same source MAC 08:00:27:4c:91:df
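A Wake-on-LAN magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times, and it may travel as a raw EtherType 0x0842 frame or inside a UDP datagram, commonly to port 9. The following is an added example, not BlackLynx code, of the check the slide's finding rests on: scan each frame's payload for that pattern, then map every source MAC to the hosts it tried to wake. The frames are constructed; the three MAC addresses are the ones the slide names, the source IP and UDP ports are assumptions.

```python
# Added example (not BlackLynx code): detect Wake-on-LAN magic packets in Ethernet
# frames and report source MAC -> target MACs. Standard library only; frames are
# constructed below. The payload is scanned for the magic pattern rather than
# decoding the encapsulation, so raw 0x0842 and UDP-carried packets both count.
import struct
from collections import defaultdict

SYNC = b"\xff" * 6           # synchronisation stream that opens a magic packet


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def wol_targets(frame: bytes):
    """Target MACs of every magic packet carried by one Ethernet frame."""
    payload = frame[14:]                      # skip dst MAC, src MAC, EtherType
    targets = []
    i = payload.find(SYNC)
    while i != -1:
        mac = payload[i + 6:i + 12]
        # 16 repeats of a real MAC must follow; ff* and 00* runs are not targets
        if (len(mac) == 6 and mac not in (SYNC, b"\x00" * 6)
                and payload[i + 6:i + 102] == mac * 16):
            targets.append(fmt_mac(mac))
            i = payload.find(SYNC, i + 102)   # resume after this magic packet
        else:
            i = payload.find(SYNC, i + 1)
    return targets


def wol_report(frames) -> dict:
    """Map each source MAC to the sorted list of MACs it tried to wake."""
    seen = defaultdict(set)
    for f in frames:
        for target in wol_targets(f):
            seen[fmt_mac(f[6:12])].add(target)
    return {src: sorted(t) for src, t in seen.items()}


# --- constructed frames; the MAC addresses are the ones named on the slide ----------
def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def magic_packet(target: str) -> bytes:
    return SYNC + mac(target) * 16


def udp_ipv4(payload: bytes, dport: int = 9) -> bytes:
    """IPv4 broadcast + UDP header around a payload (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       b"\xc0\xa8\x01\x05", b"\xff\xff\xff\xff") + udp


SRC = "08:00:27:4c:91:df"
SAMPLE_FRAMES = [
    ethernet("ff:ff:ff:ff:ff:ff", SRC, 0x0842, magic_packet("00:00:5e:00:53:66")),
    ethernet("ff:ff:ff:ff:ff:ff", SRC, 0x0800,
             udp_ipv4(magic_packet("00:00:5e:00:53:61"))),
    ethernet("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:02", 0x0806,      # ARP broadcast
             b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    ethernet("00:00:5e:00:53:03", "00:00:5e:00:53:02", 0x0800,      # ff run, not WoL
             b"\x00" * 28 + SYNC + bytes(range(96))),
]

if __name__ == "__main__":
    for src, targets in wol_report(SAMPLE_FRAMES).items():
        print(f"{src} sent Wake-on-LAN to {len(targets)} host(s): {', '.join(targets)}")
```

The broadcast destination of ordinary ARP traffic also begins with six 0xFF bytes, which is why the scan starts after the 14-byte Ethernet header and insists on the sixteen repeats; the fourth frame shows a stray run of 0xFF that is correctly ignored.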
PCAP Inspection: Deep dive search through PCAP file using layers 1 – 4 plus payload capabilities
Construct search query on the fly; PCAP results being returned
Cyber forensics support against the raw PCAP data stored external to Splunk, thus achieving significant cost savings given the typical size of the data
Monitoring and Alerting – Combine the power of Splunk & BlackLynx search capabilities for 24 hour monitoring
Add BlackLynx results of searches into the overall monitoring strategy
Severity of the alert, and the query that created the alert
Turn searches into real-time alerts to monitor threshold conditions around the clock
BlackLynx Proprietary
Customer Benefits and Investment
• Full access and search capability to all machine generated data
• Enhanced cyber, performance, and compliance use cases
• No indexing overhead and storage costs
• Seamless transition through Splunk supported and published APIs
• Customer choices for amount of Splunk real time indexing (cost saving opportunity)
• Customer choice on long term storage and use of data (cost saving opportunity)
Significant Opportunity for Mission Benefits and Total Cost Savings
BlackLynx Proprietary
Proof of Concept Recommendation
• Load BlackLynx software onto a local server or a BlackLynx provided server
• Add the BlackLynx App to the Splunk Enterprise “Test” server
• Point all raw data (log data, for example) to the server with the BlackLynx software
• Apply search capabilities via the BlackLynx App and return real time alerts and research query results on the Splunk dashboard
• Validate the use cases for cyber, network performance, and compliance
• Assess future opportunities for machine learning applications
Increase your data visibility while reducing your Splunk license and storage costs