In this lesson, I'm going to talk about Splunk. Splunk is an operational intelligence platform that allows us to gain information from a lot of different sources. It's really meant to be a log management tool that organizations use to gather and correlate information all in one place. Splunk does have several different versions, one of which is free, if you want a perpetual license for about 500 MB a day. However, it doesn't include a lot of features. So we have an enterprise license here at the university, and it's a very small license in the grand scheme of things. We only have several hundred hosts reporting in on an absolutely-everything-log-file basis, and thousands of machines reporting authentication into it. So let's look at how this is going to help with the threats and the monitoring of your attack vectors inside of information security.

So the first thing that I'm going to do is, now, I had to log in already, so let's just look at the last couple of minutes here. I'm going to enter my user name. Let's look at the last sixty minutes, what I've been doing. So I'm going to search, and I've come up with three different hosts, okay? So AUTH1, WARP, and wc-coh.uccs.edu, now those are three different authentication sources that I've logged into. Whenever your organization is trying to pinpoint an incident or looking at the threats that you have, a tool like this, or a log aggregation tool, is going to allow you to determine what happened, and who has access to what, much, much quicker than going from system to system. Additionally, if you have systems reporting in to a centralized system, it's going to allow you to preserve the data if an attacker decides that they want to remove the access logs that they've had on that server that they've compromised. So if you look here, let's look at, we got 320, it says an account was successfully logged off. Let's see if I can't get some other good information out of here. Here we go, here's some 52 lines.
Okay, so an account was successfully logged on, so this was me. The computer name was AUTH1.UCCS.EDU. That is an authentication server, and it is an identity server for Microsoft-type systems. It also will tell me where I tried to log in to, depending on the log. But that's often the machines themselves, and I don't think I can get you one here. But let's look at some other information. So right here, this is from our wireless controller. So at 2:34, it looks like one of my devices decided to reauthenticate with the wireless system. So, role equals wireless campus compliant. Here is the VLAN that I was on, here is my access point name, so where I was associated with. The actual SSID of the wireless network, so UCCS-Wireless. And it also has my IP address and my MAC address. So my MAC address is going to show me what device that actually is. And my IP address is going to say, here is the IP address that I had at that given time. Now any of this information, correlated, helps us determine what happened, again, in the case of an incident.

If we dig down even deeper, let's look at some other things that we have built into Splunk here. And I'm going to go to my Palo Alto Networks dashboard here. Now, I have the firewalls feeding in, and this is just a minimal amount of information. And, typically, over the last hour, this is going to display. So it looks like, it looks like I only have, this is actually seven in the last five minutes. So I have some vulnerabilities being reported, and I also have spyware that is also being reported. If I go to my threat dashboard, let's see what that brings up. So it looks like over the past hour I've had quite a few vulnerabilities. Some flooding, probably UDP-type flooding, which is a denial of service attack. And these are things that are blocked. So it also looks like I have ZeroAccess command and control traffic from some system, which the security team probably wants to investigate.
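As an added illustration (not part of the lesson and not Splunk's own code), here is a small Python version of the user search just described: constructed log lines from a Windows authentication server, an SSH host and a wireless controller are searched for one account over the last 60 minutes to list the hosts that account touched, and the VLAN, AP, SSID, IP and MAC fields are pulled out of the controller record. The host names, account names, addresses and line layouts are assumptions, not real campus data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real UCCS data), shaped like what a log
# aggregator holds after indexing: (source host, timestamp, raw line).
# Each source names the account differently, hence one regex per format below.
SAMPLE_EVENTS = [
    ("AUTH1.UCCS.EDU", "2014-03-01 14:20:11",
     "EventCode=4624 An account was successfully logged on. Account Name: jdoe Workstation Name: LAB-PC7"),
    ("WARP", "2014-03-01 14:25:40",
     "sshd[2231]: Accepted publickey for jdoe from 10.20.30.40 port 51822"),
    ("wc-coh.uccs.edu", "2014-03-01 14:34:02",
     "user=jdoe role=wireless-campus-compliant vlan=512 ap=LIB-3F-07 ssid=UCCS-Wireless ip=10.20.30.40 mac=aa:bb:cc:dd:ee:ff"),
    ("AUTH1.UCCS.EDU", "2014-03-01 14:40:00",
     "EventCode=4634 An account was successfully logged off. Account Name: jdoe"),
    ("AUTH1.UCCS.EDU", "2014-03-01 12:10:00",
     "EventCode=4624 An account was successfully logged on. Account Name: jdoe Workstation Name: OLD-PC"),
    ("WARP", "2014-03-01 14:50:00",
     "sshd[2299]: Accepted password for msmith from 10.20.30.41 port 51900"),
]

USER_PATTERNS = [
    re.compile(r"Account Name: (\S+)"),          # Windows security log
    re.compile(r"Accepted \S+ for (\S+) from"),  # OpenSSH
    re.compile(r"\buser=(\S+)"),                 # wireless controller key=value
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def extract_user(raw):
    """Return the account name found in a raw line, or None if no source pattern matches."""
    matches = (p.search(raw) for p in USER_PATTERNS)
    return next((m.group(1) for m in matches if m), None)

def search_user(events, user, now, minutes=60):
    """Like 'search <user>' over the last 60 minutes: (time, host, raw) hits, oldest first."""
    now = parse_ts(now)
    start = now - timedelta(minutes=minutes)
    hits = [(parse_ts(ts), host, raw) for host, ts, raw in events
            if start <= parse_ts(ts) <= now and extract_user(raw) == user]
    return sorted(hits)

def hosts_for_user(events, user, now, minutes=60):
    """The distinct authentication sources the user touched in the window."""
    return sorted({host for _, host, _ in search_user(events, user, now, minutes)})

def kv_fields(raw):
    """Pull key=value pairs (role, vlan, ap, ssid, ip, mac ...) out of a controller line."""
    return dict(re.findall(r"(\w+)=(\S+)", raw))
```

The 12:10 logon falls outside the 60-minute window and the msmith logon is another account, so the search for jdoe returns four events across the three hosts the lesson shows.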
ZeroAccess is an attack kit that can affect users negatively. But because it's in here and it's identified, the firewall has blocked that activity, so I'm not too worried about it at the moment. So you can see that in the past hour here, I've had quite a few. And this is a Saturday, I only have probably 100 to 200 megabits of data going through to the Internet right now. Now, if it was a semester, that would be amplified by 10 to 20 times what I'm seeing right here.

We also have other things that we can build into Splunk to correlate information across multiple systems. So I'm going to go down to my Security Onion software. Security Onion runs one of our intrusion detection devices that does deep packet inspection on certain parts of the network. If I click on my Browser tab here, Browser is short for Bro. And it's just, Bro is an IDS piece of software, and we use it to look at certain things on the network. And if I click over to SSH here, I can glean information from what Bro has seen in the past, however long we want to search for incidents. So, it looks like in the past hour, I've seen 7420 attempts to get into SSH servers. If I click on the destination IP count, I can actually drill down into, drill down into each of these. Now some of them are going to be legitimate. Like this one right here is legitimate, and this one is legitimate. This one is legitimate as well, however, some of these are not legitimate and are attackers.

So in conclusion, a log aggregation tool or a tool like Splunk will help us learn about the threats that we have as a whole, and not just one-off here and one-off there by host. Because what'll happen is, if we don't start looking at threats in real time and logs in real time, and correlate them together, we may miss a bunch of information about attacks that are coming in, and perhaps an attack is successful.
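As an added example (not code from the lesson, Security Onion or Bro), this Python snippet does the same SSH drill-down over constructed Bro-style ssh.log lines: it counts connections per destination IP, adds up password guesses and distinct sources, and labels each SSH server as legitimate, likely brute force, or a success after failures that deserves a look. The column layout, addresses and the failure threshold are assumptions.

```python
from collections import defaultdict

# Constructed Bro/Zeek-style ssh.log lines, not output of a real sensor. Assumed columns:
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, auth_success, auth_attempts.
SAMPLE_SSH_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
1393695600.10\tCa1\t10.50.1.20\t50122\t128.198.1.10\t22\tT\t1
1393695612.40\tCa2\t10.50.1.21\t50140\t128.198.1.10\t22\tT\t1
1393695620.00\tCa3\t198.51.100.7\t40001\t128.198.1.11\t22\tF\t3
1393695621.00\tCa4\t198.51.100.7\t40002\t128.198.1.11\t22\tF\t3
1393695622.00\tCa5\t198.51.100.7\t40003\t128.198.1.11\t22\tF\t3
1393695630.00\tCa6\t203.0.113.9\t51000\t128.198.1.12\t22\tF\t2
1393695631.00\tCa7\t203.0.113.10\t51001\t128.198.1.12\t22\tF\t2
1393695632.00\tCa8\t203.0.113.11\t51002\t128.198.1.12\t22\tT\t2
"""
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "auth_success", "auth_attempts"]

def parse_ssh_log(text):
    """Turn tab-separated ssh.log lines into dicts, skipping '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        row["auth_success"] = row["auth_success"] == "T"
        row["auth_attempts"] = int(row["auth_attempts"])  # guesses inside one connection
        records.append(row)
    return records

def summarize_by_dest(records):
    """Per destination IP: connections, failed connections, password guesses, distinct sources."""
    summary = defaultdict(lambda: {"conns": 0, "failed": 0, "guesses": 0, "sources": set()})
    for r in records:
        s = summary[r["resp_h"]]
        s["conns"] += 1
        s["guesses"] += r["auth_attempts"]
        s["sources"].add(r["orig_h"])
        if not r["auth_success"]:
            s["failed"] += 1
    return dict(summary)

def triage(records, min_failed=3):
    """Label each SSH server, ordered by connection count like the dashboard drill-down."""
    labels = {}
    for dest, s in sorted(summarize_by_dest(records).items(), key=lambda kv: -kv[1]["conns"]):
        if s["failed"] == 0:
            labels[dest] = "legitimate"
        elif s["failed"] >= min_failed:
            labels[dest] = "likely_brute_force"
        else:  # a few failures followed by a success is the case worth a closer look
            labels[dest] = "success_after_failures" if s["conns"] > s["failed"] else "review"
    return labels
```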