BlackLynx Cybersecurity Integration Into Splunk

Transcription

BlackLynx Cybersecurity Integration into Splunk
June 25, 2019

BlackLynx Functions
Logos shown: Microsoft Power BI, Xilinx Alveo U200

BlackLynx Enhances, Accelerates, Optimizes Your Company's Splunk Investment
Add BlackLynx Solution as a Splunk Enterprise App
- Discover events faster: high-performance search ability to accelerate event detection through the elimination of ETL and indexing
- More efficient triage: searching ALL the data enables improved visibility to answer the hard questions while not raising TCO
- Faster alert detection: Splunk 24-hour real-time monitoring with BlackLynx Search & ML/AI to identify and resolve issues faster
- Integration with Splunk UI & automation and other 3rd party products: integrate Splunk Apps & provide other 3rd party product interfaces (ODBC/JDBC, RESTful JSON)
- Leverage all the Splunk capabilities while adding BlackLynx performance and high-end search capabilities (fuzzy searching, regular expressions, raw PCAP, etc.) to handle the growth in machine data

Splunk Powered by BlackLynx: Performance Examples
Benchmark comparison for Fuzzy Edit Distance and PCAP primitives.
- The DNS log (2 GB) and the PCAP files (15.6 GB) are from the U.S. National CyberWatch Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC) dataset.
- The tre-agrep tool was co-authored by Udi Manber, one of the great names in contemporary Computer Science and author of the well-regarded textbook Introduction to Algorithms: A Creative Approach, which to this day enjoys wide use in Computer Science curricula worldwide.
- TSHARK Search is doing the filter parameter (ip.dest) on 16 files (serially). The TSHARK Decode is only the time to build the decoded files (parallel processes) and does not include any filter time.

Add BlackLynx Solution as a Splunk Enterprise App
Architecture diagram labels: BlackLynx Splunk App for Alerts & Full Analytics; Bro logs / machine data; Splunk ingestion of PCAP, netflow, active triggers, etc.; 10-100 Gbps network data; machine learning; packet capture server; saved PCAP/JSON/CSV/XML/unstructured files; BlackLynx server; raw storage repository; future machine learning by fully analyzing the machine-generated data; 3rd party applications using RESTful or ODBC/JDBC interfaces; location-based services.

BlackLynx Proprietary
Get smarter insights, faster, to drive critical business decisions and next-generation innovation.

High Speed Search Acceleration: Xilinx Alveo(TM) accelerator cards and BlackLynx software combine to supercharge search capabilities to increase data visibility for Cyber, Performance, and Compliance functions.
- Accelerate time to extract insights from data through near real-time search performance
- Add complex queries including fuzzy search, PCAP analysis, and RegEx capabilities
- Eliminate ETL/indexing for fast, varied data (XML, JSON, CSV, unstructured, PCAP)

Image and Video Edge Analytics Acceleration: Xilinx Alveo(TM) Data Center accelerator cards and BlackLynx technology combine to maximize the potential of image and video analysis at the edge of the network.
- Maximizes performance of FPGA technology doing image/video machine learning
- Uses GPU- or CPU-trained Convolutional Neural Networks on FPGAs for inference analysis
- Achieves reliable, accurate results with a smaller, low-power solution

Example of raw PCAP Analytics
Search PCAP file for a particular IP destination and then use a regular expression on the payload data to find social security numbers.

Command line showing size of data set, matches, and performance:

    ryftuser@R01-0003234: ryftrest -vv -p pcap -f PCAP/MACCDC2012/*.pcap -q 'ip.dest 34.238.50.30 and (RECORD.payload CONTAINS PCRE2("[ -0-9]*\d{3}-\d{2}-\d{4}[ -0-9]*"))'
    {"Duration(sec)": 4.8,"Total Bytes(GB)": 15.62,"Data Rate(GB/s)": 3.26,"Matches": 4}

- Over 3 GB/second performance
- 4.8 seconds to process 15.6 GB of raw PCAP
- 15 GB PCAP data thinned to 2.1 KB PCAP data
- Web server option using RESTful JSON API (Data Forensics)
- Programmatic interface (www.ryft.com/api), command line, web interfaces, RESTful APIs are available
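The query on this slide, reproduced as an added Python example (not BlackLynx or Ryft code): a minimal Ethernet/IPv4/TCP decoder applies the same ip.dest filter and the same PCRE2 pattern to the payload of constructed frames, which is also the check behind the later "Social Security Numbers in Clear Text" slide. The destination IP and the pattern come from the slide; the MACs, 10.0.0.x addresses, MySQL port and payloads are made-up test data.

```python
import re
import struct
from ipaddress import IPv4Address

SSN_RE = re.compile(rb"[ -0-9]*\d{3}-\d{2}-\d{4}[ -0-9]*")  # pattern from the slide, on raw bytes

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Constructed Ethernet II / IPv4 / TCP frame for testing (not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", 3306, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + tcp
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip

def parse_frame(frame):
    """Decode layers 2-4 of an Ethernet/IPv4 frame; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:]
    if proto == 6:          # TCP: header length comes from the data-offset nibble
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:       # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        payload = l4
    return {"src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
            "proto": proto, "payload": payload}

def search_payload(frames, dst_ip, pattern=SSN_RE):
    """Equivalent of: ip.dest <dst_ip> and (RECORD.payload CONTAINS PCRE2(<pattern>))."""
    hits = []
    for pkt in map(parse_frame, frames):
        if pkt and pkt["dst_ip"] == dst_ip:
            m = pattern.search(pkt["payload"])
            if m:
                hits.append({**pkt, "match": m.group(0)})
    return hits

# Constructed traffic: a DB reply leaking an SSN to the slide's destination IP, a benign reply, and an SSN bound elsewhere.
SAMPLE_FRAMES = [
    build_tcp_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "34.238.50.30",
                    b"row: 'A. Smith', '123-45-6789'"),
    build_tcp_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "34.238.50.30", b"OK"),
    build_tcp_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "10.0.0.5", "10.0.0.9", b"987-65-4321"),
]
```

Only the first frame satisfies both the destination filter and the pattern; the third carries an SSN but to a different destination, so it is not reported.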

Example of raw PCAP Analytics
Search PCAP file for a particular IP destination and then use a regular expression on the payload data to find social security numbers.
Screenshots: Tableau, Excel. Using BlackLynx's ODBC/JDBC interfaces for commercial data analytics & visualization tools.

Sample BlackLynx Dashboard
Prebuilt search commands. Forensics is now NOT LIMITED to only the fields indexed in Splunk. High-performance search capabilities are now available on raw PCAP data stored outside Splunk.

Search & Investigate
When doing incident handling, one of the things we usually need to do is get the files which were downloaded. Example: look at what files were downloaded. Determine which files have been downloaded; check the table of blacklisted sites, or use tools like Wireshark to extract the downloaded objects to see if they have been categorized as malicious.

Additional forensics: What sites have the user(s) gone to?
Domain names being looked up, displayed with Splunk visualization.

Additional forensics: What sites have the user(s) gone to that are blacklisted?
Domain names being looked up, correlated with the blacklist domain names table. Screenshot label: these entries were found in the blacklist table.

Additional forensics: Show all certificate expirations
Graphic shows all certificate expirations by month.

Additional forensics: What sites have expired certificates?
Graphic shows expired certificates by month. Screenshot label: these certificates have expired.

Additional forensics: Looking for Social Security Numbers in Clear Text
Found clear-text social security numbers from a MySQL database in the TCP payload. Screenshot label: social security number highlighted.

Additional forensics: Do you see Wake-on-LAN packets? If so, what MAC address are they targeting? From where?
Wake-on-LAN commands happening, targeting MACs 00:00:5e:00:53:66 and 00:00:5e:00:53:61, both from the same source MAC 08:00:27:4c:91:df.
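The Wake-on-LAN question above can be answered from raw frames without any index, because a magic packet has a fixed shape (six 0xFF bytes, then the target MAC repeated 16 times). This is an added Python example, not code from the deck or the BlackLynx product: it constructs two magic packets with the MACs shown on the slide (one raw EtherType 0x0842 frame, one inside IPv4/UDP to port 9 from a made-up source 10.0.0.5) and a detector that reports source and target MAC regardless of encapsulation.

```python
import struct

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def magic_packet(target_mac):
    """Wake-on-LAN magic packet: six 0xFF bytes, then the target MAC repeated 16 times."""
    return b"\xff" * 6 + mac_bytes(target_mac) * 16

def build_wol_frame(src_mac, target_mac, via_udp=False):
    """Constructed test frame: raw EtherType 0x0842, or the magic packet inside IPv4/UDP port 9."""
    body = magic_packet(target_mac)
    if not via_udp:
        return b"\xff" * 6 + mac_bytes(src_mac) + b"\x08\x42" + body
    udp = struct.pack("!HHHH", 40000, 9, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), b"\xff" * 4) + udp     # 10.0.0.5 -> 255.255.255.255
    return b"\xff" * 6 + mac_bytes(src_mac) + b"\x08\x00" + ip

def find_wake_on_lan(frames):
    """Scan every frame for a magic packet, whatever the encapsulation.
    Returns (source MAC, target MAC) pairs: "from where" and "targeting whom"."""
    found = []
    for frame in frames:
        i = frame.find(b"\xff" * 6)
        while i != -1 and len(frame) >= i + 102:        # 6 + 16 * 6 = 102 bytes
            mac = frame[i + 6:i + 12]
            if frame[i + 12:i + 102] == mac * 15:       # the remaining 15 copies
                found.append((fmt_mac(frame[6:12]), fmt_mac(mac)))
                break
            i = frame.find(b"\xff" * 6, i + 1)
    return found

# Constructed sample frames using the MACs shown on the slide, plus an unrelated broadcast.
SAMPLE_FRAMES = [
    build_wol_frame("08:00:27:4c:91:df", "00:00:5e:00:53:66"),
    build_wol_frame("08:00:27:4c:91:df", "00:00:5e:00:53:61", via_udp=True),
    b"\xff" * 6 + mac_bytes("00:00:5e:00:53:01") + b"\x08\x06" + b"\x00" * 28,  # ARP-sized broadcast
]
```

The broadcast destination MAC is itself six 0xFF bytes, so the scan checks that the 16 repetitions actually follow before reporting a hit; the ARP-sized frame is therefore ignored.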

PCAP Inspection: Deep-dive search through PCAP file using layers 1-4 plus payload capabilities
Screenshot labels: construct search query on the fly; PCAP results being returned.
Cyber forensics support against the raw PCAP data stored external to Splunk, thus achieving significant cost savings given the typical size of the data.

Monitoring and Alerting: Combine the power of Splunk & BlackLynx search capabilities for 24-hour monitoring
Add BlackLynx-based searches into the overall monitoring strategy. Turn searches into real-time alerts to monitor threshold conditions around the clock.
Screenshot labels: severity of alert and results of the query creating the alert.

Customer Benefits and Investment
- Full access and search capability to all machine-generated data
- Enhanced cyber, performance, and compliance use cases
- No indexing overhead and storage costs
- Seamless transition through Splunk supported and published APIs
- Customer choices for amount of Splunk real-time indexing (cost saving opportunity)
- Customer choice on long-term storage and use of data (cost saving opportunity)
Significant opportunity for mission benefits and total cost savings.

Proof of Concept Recommendation
- Load BlackLynx software onto a local server or a BlackLynx-provided server
- Add the BlackLynx App to the Splunk Enterprise "Test" server
- Point all raw data (log data, for example) onto the server with BlackLynx software
- Apply search capabilities via the BlackLynx App and return real-time alerts and research query results on the Splunk dashboard
- Validate the use cases for cyber, network performance, and compliance
- Assess future opportunities for machine learning applications
Increase your data visibility while reducing your Splunk license and storage costs.
