Slashdot Mirror


Splunk CTO Urges Collaboration Against Cyberattacks - And 'Shapeshifting' Networks (itwire.com)

"The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense," says the CTO of Splunk -- because the labor is cheap, the tools are free, and the resources are stolen. "He says what's needed to bring down the cost of defense is collaboration between the public sector, academia and private industry...the space race for this generation," reports Slashdot reader davidmwilliams.

Splunk CTO Snehal Antani suggests earlier "shift left" code testing and continuous delivery, plus a wider use of security analytics. But he also suggests a moving target defense "in which a shapeshifting network can prevent reconnaissance attacks" with software defined networks using virtual IP addresses that would change every 10 seconds. "This disrupts reconnaissance attacks because a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another."


  1. 1/100th the cost? by hsmith · · Score: 2

    Depends on the industry. Yahoo? will pay $0 in fines for their breach. If you were a hospital you'd see $50k per patient, which adds up quite fast, and doesn't include stupid things like credit monitoring.

    Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.

    1. Re:1/100th the cost? by ark1 · · Score: 1

      Even when something happens, people pretend to care then go on with business as usual.

    2. Re:1/100th the cost? by geekmux · · Score: 1

      Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.

      I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

      Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

      Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.

    3. Re:1/100th the cost? by Tharkkun · · Score: 1

      Good infosec doesn't cost a lot - the problem is no one gives a shit until after something happens. Then you shit can your CISO, who you ignored the entire time, because you need someone to take the blame.

      I wonder if companies have discovered the cost of their reputation, especially after they're forced to hire a CISO due to massive security breaches. (cough, Target, Home Depot, cough).

      Sadly, the consumer attention span already forgot about their favorite stores getting hacked not long ago, so the business will hardly view security as a necessary evil going forward, unless the insurance company says otherwise.

      Starting to wonder if this needs to be a change in mentality where insurance companies are the ones who should be insisting on CISOs.

      Target lost a shit ton of customers, not to mention they closed stores due to people abandoning them during the holidays last year.

  2. Re:Sounds like IPv6 security extensions by eyepeepackets · · Score: 1

    It's getting so bad that I can see a forced implementation: Either switch or you're un-connected until you do. Set a switch date and enforce it. Thing is, will IPv6 really be the fix needed? I don't see how anything short of hardware built specifically for security on a secure network can be secure.

    --
    Everything in the Universe sucks: It's the law!
  3. Coming from an information security academic by Anonymous Coward · · Score: 2, Informative

    What he proposes is infeasible.

    Think about a simple shopping trip to Amazon. If your DNS cache is wrong after 9.2 seconds, how are you going to maintain your session long enough to finish your purchase?

    The CTO here is confused as to how virtual IP addresses work. The virtual IP doesn't change, the actual IP of the servers in the cluster does. Without a reasonably constant IP, the availability portion of the CIA triad does not exist.

    Secondly, "reconnaissance attacks"- footprinting, is reasonably handled with traditional techniques. Stopping what comes after is much harder. Stopping the easiest to exploit attack vector, the human factor, is orders of magnitude harder than that.

    1. Re:Coming from an information security academic by lucm · · Score: 4, Interesting

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      The day his company creates something useful maybe I will pay attention to him.

      --
      lucm, indeed.
    2. Re:Coming from an information security academic by ark1 · · Score: 1

      There is plenty of snake and oil within security industry. It does not matter if it is feasible or not as long as you can sell it.

    3. Re:Coming from an information security academic by lucm · · Score: 1

      Your office buys an expensive product you claim sucks and is never used

      Yes, that's very common in large organizations. In order to save $50 per quarter they will buy cheap whiteboard markers that stop working within minutes of being pulled from the box, and at the same time they will have no problem buying expensive "enterprise" software with annual licenses more expensive than a condo because it's in Gartner's magic quadrant for whatever buzzword they heard at a conference. Then they bring in the vendor to do an implementation that never works, and if you're lucky the project will fade in the corporate ether after a year or two. They'll keep renewing licenses, of course, because otherwise it would be acknowledging a mistake, and once in a while in a meeting the CTO will ask to see if the product could be "leveraged" for such or such project, but that's shelfware and everyone knows it.

      Organizations are penny wise and pound foolish like that.

      --
      lucm, indeed.
    4. Re: Coming from an information security academic by lucm · · Score: 1

      We have terabytes of logs in Splunk, and the servers are some of the biggest we have for utilities, something like 64GB RAM and who knows how many cores. Performance is usually bad, unless you just use the same dashboards over and over.

      For correlations across a large number of devices Splunk works (slowly) as long as no fields are added or reordered too often.

      So yeah, if you want to count useragents in Apache logs or do pie charts to show hits per url, you can do that. And you can add plugins to have heatmaps (as long as the lat/long is in your log because looking it up is way too slow). But is that worth the price tag? Absolutely not.

      There are significantly superior products out there, such as the ELK stack that will allow you to do *actual* search in your logs, not just run regexes on terabytes of flat text files like Splunk does. There are even free versions, and various Apache projects (flume, solr) that will offer vastly superior capabilities.

      --
      lucm, indeed.
    5. Re:Coming from an information security academic by lucm · · Score: 1

      I've dealt with Splunk for almost 7 years now, saw it growing and evolving, and from a user point of view I can tell you that there are two types of people who like Splunk:

      1) managers who like the pie charts and dashboards
      2) people who spend their days in the web console, mastering the proprietary syntax for search

      Anyone else tends to try a few times then give up and access the log files directly. And if their only access is via Splunk they hate you.

      It sucks because not only do you need to know the magical keywords, you also need to know how they've been implemented. ex: what are the sources you can search, etc. And you have to use the web page because there's no good command-line tool, and the semi-REST api sucks, and it makes it hard to pipe results and do something with them.

      --
      lucm, indeed.
    6. Re: Coming from an information security academic by Eosi · · Score: 1

      Sounds like you do not have your build set up correctly. If you scale out Splunk correctly, 3 8 core / 8 gig of ram boxes in a Search head cluster can pull MILLIONS of records in seconds. We went from 2 indexers and one search head to an Index cluster and Search head cluster, and noticed a 1000% increase in performance. Also pulling in billions of log records a day with no issues. All of our indexers are recycled servers that were EOL.

    7. Re: Coming from an information security academic by lucm · · Score: 1

      Well, it has been installed and configured by their Professional Services and they're the one tuning and upgrading it.

      Yes you can pull a billion records as long as you're using the same queries over and over, and as long as your log file structure doesn't change. But those are lab/demo conditions, in real life things don't happen like that.

      --
      lucm, indeed.
    8. Re:Coming from an information security academic by Mjlner · · Score: 1

      Who cares what the Splunk CEO has to say? Splunk is a tool that is supposed to make it easy to search and aggregate logs, but it sucks at searching and aggregating logs. It's so slow and clunky that most people at the office ignore it and use awk or vi.

      You forgot: grep, sed, perl, crontab and a bunch of other tools. I'm sorry, but you have no comprehension of scale. The normal *nix tools are good enough at what they do for individual files, but once your infrastructure grows beyond a handful of hosts, the management becomes a major pain in the ass. I guess you've never even contemplated having to solve issues like "Something weird happened in one of 20 application servers some time last week when user X logged in."

      Just because you don't like a certain technology and are ignorant about it doesn't mean that the technology sucks.

      --
      Lemon curry???
    9. Re:Coming from an information security academic by geekmux · · Score: 1

      There is plenty of snake and oil within security industry. It does not matter if it is feasible or not as long as you can sell it.

      Security is nothing more than another form of insurance. In other words, it is essentially a snake oil industry, built on a foundation of FUD sales tactics, not unlike the insurance industry. This is why it continues to be very difficult to justify and implement, regardless of perceived or actual risk.

    10. Re: Coming from an information security academic by Eosi · · Score: 1

      It seems you do not understand how Splunk runs entirely. Running the same searches over and over does nothing to improve performance. It's when you "accelerate" them or add them to a summary index that speeds it up. In a VERY real world environment, I search millions of records many times an hour, depending on what I am looking for or the request I get. Some of these are even over several (or all) of my indexes. Currently my install averages 130 million records a day, from about 15 different source feeds (with many source types per, such as Network gear). When I run some monthly data that is a LOT of records, which pulls in minutes or less.

      I would suggest reviewing your SOW with their professional services and asking them to build you out an Index and Search Head cluster. Heck, even just separating the search head and indexes to separate servers will improve your performance.

    11. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      That's because the value-add that Splunk gives you is the draconian and super expensive licensing quotas. Oh, your servers did more than your per-day data allotment? Well, you better call us and get a code so that you can look at any of your logs at all. And yes, if you do that more than a few times, we're charging you more.

      Fuck Splunk.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    12. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      The funny thing is that you can spend a day with Elasticsearch and Logstash and come up with the same thing for essentially free.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    13. Re:Coming from an information security academic by MachineShedFred · · Score: 1

      I have a slightly different take on it - Splunk sucks because of their licensing and cost, not the tech. The tech is merely "ok".

      If I'm spending money for log aggregation and searching, I'd be throwing that money towards SumoLogic.

      If I'm not spending money, then it's Elasticsearch / Logstash / Kibana, which still works better than Splunk most of the time, without the thing holding my data hostage if we should actually have servers logging things and overrun the daily quota.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    14. Re: Coming from an information security academic by t0rkm3 · · Score: 1

      Other folks here have provided insight and commentary that you likely have no clue as to what you are talking about, but who doesn't love a dogpile?

      I have implemented MANY very large Splunk and ELK implementations. ELK will almost always ask for MORE hardware to get search performance. I agree that ELK scales out more quickly, but far less efficiently than Splunk does. If your sole criteria is search speed and you have unlimited hardware capacity then ELK is the way to go.

      However, doing calculations on the logs, presenting the logs, transforming the data (geo IP lookups, changing the message so that it reads more easily), and doing multivariable comparison for either human or automated response is vastly superior in Splunk. In both the functions and toolkits available and the ability to front load a lot of your search work so that your performance is outstanding.

      Cost wise... it's usually a wash. I have customers that have looked at the cost of installing and maintaining an ELK stack and replacing the lost features and ran away quickly. This is for >500GB/day infrastructures with a dedicated dev team of >3 people.

      If your Splunk implementation is sucking wind that badly, then it is likely that whoever is paying for your implementation has expressed goals that are counter to your goals and thus you are ill served. If you are the payer, then you have done poorly at describing your desired outcome and approx 50% of the result is your fault.

      Continuing on... You mention Flume and Solr. Solr, if you buy the production implementation (last time I looked) doesn't have a good flow control and message verification platform and is thus dependent on the messaging bus within Flume or the implementation of an outside message bus (Kafka, Redis). This results in another set of configurations to maintain, and a good place for logs to be lost in the ether. Flume itself is awesome, although the parsing recipes could use some work. If I were looking outside of Logstash/Beats (which is advisable as Logstash seems to still have some memory management issues) I would favor Fluent as the ingest process is less of a pain in the neck.

      However, I've only done hundreds of implementations of log management infrastructures using logstash, ElasticSearch, Kibana, flume, kafka, redis, fluent, syslog-ng, and/or Splunk... so there are likely some options I haven't mentioned.

    15. Re:Coming from an information security academic by rhazz · · Score: 1

      If you don't want to pay the licensing fee for the amount of data you're collecting, you could always trim what you're collecting to stay below the threshold?

    16. Re: Coming from an information security academic by lucm · · Score: 1

      You mention yourself a flock of FOSS products that are vastly superior to Splunk, but somehow in your organization it's a daunting task to manage multiple configuration files so you buy Splunk instead. I'm guessing that you're mostly a Windows guy.

      So let's agree that Splunk is an overpriced regex script with a lousy web frontend, sub-par command line capabilities and slow, row-by-row transformation features, but comes with a convenient central config file. If your use cases are satisfied with these limitations, knock yourself out, keep doing hundreds of implementations. There's no shame in that, some people make a living installing Oracle or Groupwise, it's not like you're the first person to waste your employer's money on expensive commercial software that is inferior to FOSS alternatives.

      To the point: even if Splunk was good at doing that (which it's not) that would still not make their CEO an authority about security.

      --
      lucm, indeed.
    17. Re:Coming from an information security academic by lucm · · Score: 1

      It's also like that with TeamCity: annual license per agent (which runs on your own machine) and only 1 concurrent build per agent. So essentially they force you to pay for rush hour usage.

      Meanwhile Jenkins is free and scales a lot better.

      --
      lucm, indeed.
    18. Re:Coming from an information security academic by lucm · · Score: 1

      No, my primary complaint is that it sucks. I've had the "pleasure" of learning and using the proprietary query language and the half-baked API, that's why I'm comfortable to say that it's a piece of shit.

      I also had the opportunity to work extensively with the dashboarding tools, and those make SharePoint look like a marvel of UX engineering.

      --
      lucm, indeed.
    19. Re: Coming from an information security academic by Eosi · · Score: 1

      Actually, I understand exactly what a Search Head cluster (put it behind a Load Balancer to handle the traffic, not the DNS round robin) with multiple Search Heads does. It allows you to share all your user load over several servers, which does help performance, when some people are doing huge searches and some just want to watch a dashboard. Beyond that, not everyone understands that separating your apps over multiple search heads actually helps as well. DBConnect for instance, if you have that on a SH with some other apps, you have a lot of back end work, which will lower your performance. Of course, using Heavy Forwarders to gather data and do some preparsing helps even better.

      Having used numerous other SIEM or Log aggregation tools on the market over the last 10 years, I can say that Splunk does scale better than any other commercial SIEM. It also allows you to take any data feed and get results and mappings faster with a lot less work. But just as with any other SIEM, you have to plan out your install and run before you build it or you will kill your performance.

      You also have to understand the search formatting. The order of things like Deduping data (or using the NOT perm in a search) matters with Splunk, and affects your performance big time.

      As for your statement "Here you are talking about separating search-heads from indexers and you should know that most customers already have small clusters with that separation, and yes performance still sucks." This is contrary to what I have heard. Of the people I know who run Splunk, many did not separate out their install until a year or so into the install. This I think is a failing of the Splunk documentation for real world load. Once you go beyond the 10 gig a day license you MUST separate the servers to keep performance higher. Just like how you should not put ES and the PCI app on the same server (even though it's supported).

      The SIEMs that use a SQL backend (like LogRhythm) cannot return data as fast as Splunk, nor are they as versatile in allowing searches.

    20. Re:Coming from an information security academic by lucm · · Score: 1

      Apparently *you* care.

      --
      lucm, indeed.
  4. Isn't it easier... by ZenShadow · · Score: 1

    ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    --
    -- sigs cause cancer.
    1. Re:Isn't it easier... by turbidostato · · Score: 1

      "The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access"

      Internally available systems have to have known addresses for access too: "a specific IP address may be a Windows box one moment, a Linux box another, a mainframe another." funny if you try to get a CIFS mount point out of your mainframe instead of your Windows server.

    2. Re:Isn't it easier... by The-Ixian · · Score: 1

      I think the easiest fix would be to stop spoofed packets at the egress border router.

      This would eliminate reflection attacks and a whole lot of other nastiness.

      Of course, this would require every ISP to get on board and not let packets which do not belong to their IP space to leave their network.

      I currently do this for our small network. No spoofed packets can leave our network. I am trying to do my small part in case any of our computers become compromised.

      --
      My eyes reflect the stars and a smile lights up my face.
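The egress anti-spoofing rule described in the post above (only packets sourced from your own address space may leave), written out as an added example that is not from the post or from Slashdot. It assumes constructed documentation prefixes and a placeholder interface name `wan0`; the flow records are constructed, not captured.

```python
import ipaddress
from collections import Counter

# Address space this network is allowed to originate traffic from. These are
# RFC 5737 / RFC 3849 documentation prefixes, used here as constructed sample
# values, not any real network.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:abcd::/48"),
]


def egress_verdict(src, prefixes=OUR_PREFIXES):
    """Border check in the spirit of BCP 38: a packet may leave only if its
    source address belongs to one of our own prefixes. Anything else is
    spoofed or misconfigured and is dropped. Unparsable sources are dropped too."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    # `addr in net` is False when the IP versions differ, so v4 and v6
    # prefixes can live in one list.
    return "permit" if any(addr in net for net in prefixes) else "drop"


# Constructed flow records, "src_ip dst_ip proto dst_port", in the shape a
# border device might export them. Not taken from any real capture.
SAMPLE_FLOWS = """\
203.0.113.7 198.51.100.9 udp 53
203.0.113.250 192.0.2.44 tcp 443
198.51.100.77 192.0.2.10 udp 123
2001:db8:abcd::1 2001:db8:ffff::5 tcp 22
2001:db8:1234::9 2001:db8:ffff::5 udp 123
10.0.0.5 192.0.2.10 udp 19
"""


def audit_flows(text, prefixes=OUR_PREFIXES):
    """Apply the verdict to every flow line. Returns (permitted_count, dropped)
    where `dropped` counts how often each foreign source tried to leave; a
    compromised internal host spoofing sources shows up here immediately."""
    permitted = 0
    dropped = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        src = line.split()[0]
        if egress_verdict(src, prefixes) == "permit":
            permitted += 1
        else:
            dropped[src] += 1
    return permitted, dropped


def iptables_rules(wan_if, prefixes=OUR_PREFIXES):
    """Render the same policy as iptables/ip6tables commands for a Linux border
    box: accept our own prefixes on the way out of wan_if, then drop the rest.
    Text only; wan_if is a placeholder. Only the FORWARD chain is covered, so
    the router's own locally generated traffic (OUTPUT chain) is not filtered."""
    rules = []
    for version, tool in ((4, "iptables"), (6, "ip6tables")):
        for net in prefixes:
            if net.version == version:
                rules.append(f"{tool} -A FORWARD -o {wan_if} -s {net} -j ACCEPT")
        rules.append(f"{tool} -A FORWARD -o {wan_if} -j DROP")
    return rules


if __name__ == "__main__":
    ok, bad = audit_flows(SAMPLE_FLOWS)
    print(f"permitted={ok} dropped={dict(bad)}")
    print("\n".join(iptables_rules("wan0")))
```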
  5. Godel's hand reaches from the grave by Etcetera · · Score: 2

    ...to keep them out of your network in the first place?

    The shifting addresses could only apply to internal systems. Externally available systems (like, say, web servers) have to have known addresses for access, or you've defeated the entire purpose of having them externally accessible.

    Which leads us back to firewalls and IDS and such.

    Shape-shifting has to "bottom out" somewhere with known addresses, and that's where you're going to be vulnerable. You can test this now with low TTL DNS servers and (assuming your TTL is respected) you just send the traffic over to the new destination. If he's referring to external services, that about covers it. If it's external access to internal networks, then why are you running IPv6? Use NAT and a FW like everyone else and get that stuff off the internet. If he's referring to internal services, they're just as vulnerable for the same reason. Your internal services will have to have a lookup system (DNS, or your super-awesome low latency replacement for DNS because what good is a wheel if it isn't being reinvented), and that can be used for following whatever you need around. You've added one small, boring step for your hackers that's just as HOBE as anything else because the lookup has to be automated to make all your systems work internally.

    Hosts aren't going away any time soon because they're an architecture more than anything else. There's this wacky vision some in the industry have of containers running on top of Cisco gear that they seem to think will be a panacea for all of their tech issues. Software-defined stacks won't fix everything, and they really won't fix this.

  6. buzzword collection by manu0601 · · Score: 1

    Perhaps Snehal Antani's original ideas were interesting, but linked article turns everything into a buzzword collection that makes little sense.

    Spare your time, skip article. Slashdot summary contains all relevant information.

  7. Possible reduction in attacks by frnic · · Score: 1

    Put together a special forces team to find the hackers and the make a video of them being lowered slowly feet first into tree shredders and publish the video online.

  8. Re:Sounds like IPv6 security extensions by pete6677 · · Score: 1

    IPv6 is a very typical problem, in that if you continue to ignore it, it will eventually go away.

  9. Buzzword salad by geek · · Score: 1

    Seriously, Splunk is probably the most expensive SIEM out there, so for him to bitch about costs rings hollow to me. Bring the price down on your shit before lecturing me on costs.

  10. Networks nobody can debug anymore. Great! by gweihir · · Score: 1

    Sounds like somebody is pushing an utterly stupid and destructive idea to earn a lot of money.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. rotate shield frequencies.... by magical+liopleurodon · · Score: 1

    This sounds like rotating shield frequencies every 10 seconds to keep the borg from adapting. I saw that episode of Star Trek: V'ger, they end up adapting

  12. Hey anonymous by Anonymous Coward · · Score: 1

    Can we ddos any and all people that use the word cyber in any context? I'm willing to take the first hit if it will start a trend.

  13. "We need to bring down the cost of defense" by Opportunist · · Score: 1

    Does that mean Splunk will no longer charge you through the nose for every fart you might want to pass through their software?

    Didn't think so.

    Preaching water, drinking wine, thanks, but we have enough assholes that already do that, we'd much appreciate if you just kept your mouth shut, Snehal.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Seems fitting. by jnngill · · Score: 1

    1) Dodge 2) Duck 3) Dip 4) Dive 5) Dodge. ... 2) Duck 3) Dip 4) Dive 5) Dodge. Remember the 5 D's of dodgeball! That's the key to victory.

  15. You've got to be fucking kidding. by thermowax · · Score: 2

    And now you've got to shell out for an SDN infrastructure, too.

    That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

    That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".

    J-.

    1. Re:You've got to be fucking kidding. by Tharkkun · · Score: 1

      And now you've got to shell out for an SDN infrastructure, too.

      That's a cute idea, but he's obviously never had to operate or troubleshoot issues on a production enterprise network. What happens when a machine changes IPs in mid-TCP conversation? I have stuff that maintains ssh sessions for days; the client isn't doing constant nslookups to see where the server has gone. Not to mention the fact that sshd is going to interpret the client IP changing as a session-hijacking attack.

      That's just one example, the more I think about it leads me to downgrade my opinion to "dumbass".

      J-.

      Let's invest. I'll bet we can make millions off the stock before people see through this vaporware idea!!!
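The availability objection raised in comments 3, 5 and 15 above (a service address that rotates every 10 seconds versus DNS caching and long-lived TCP sessions), reduced to a small simulation. This is an added example, not code from any commenter or from Splunk; the rotation period comes from the article, everything else (the address pool, TTLs, request timings) is a constructed assumption.

```python
ROTATION_PERIOD = 10  # seconds, the figure quoted in the article


class ShapeShiftingHost:
    """A service whose reachable address changes every ROTATION_PERIOD seconds,
    cycling through a pool. Pool entries are constructed documentation values."""

    def __init__(self, pool):
        self.pool = list(pool)

    def address_at(self, t):
        return self.pool[(t // ROTATION_PERIOD) % len(self.pool)]


def resolve(host, t, ttl):
    """A DNS-style lookup at time t: the answer is cached until t + ttl."""
    return host.address_at(t), t + ttl


def stateless_requests(host, ttl, count, interval=1, start=0):
    """Short, independent requests (think one HTTP GET per interval). The client
    re-resolves only when its cached record has expired, like a real resolver.
    Returns (delivered, misdirected): misdirected requests went to an address the
    host had already moved away from."""
    delivered = misdirected = 0
    addr, expires = resolve(host, start, ttl)
    for i in range(count):
        t = start + i * interval
        if t >= expires:
            addr, expires = resolve(host, t, ttl)
        if addr == host.address_at(t):
            delivered += 1
        else:
            misdirected += 1
    return delivered, misdirected


def long_lived_session(host, duration, interval=1):
    """A TCP session (an SSH login, say) binds both peers to one address pair at
    connect time; nothing re-resolves mid-connection. Returns the time of the
    first segment sent to an address the host no longer answers on, or None if
    the session outlived no rotation."""
    addr = host.address_at(0)
    for t in range(0, duration, interval):
        if host.address_at(t) != addr:
            return t
    return None


def summary():
    """Compare: TTL aligned with the rotation, TTL longer than the rotation, a
    client whose cache phase is offset from the rotation, and a pinned session."""
    host = ShapeShiftingHost(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    return {
        "ttl5_aligned": stateless_requests(host, ttl=5, count=60),
        "ttl15": stateless_requests(host, ttl=15, count=60),
        "ttl5_offset3": stateless_requests(host, ttl=5, count=60, start=3),
        "ssh_breaks_at": long_lived_session(host, duration=86400),
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name}: {result}")
```

Even the stateless case only works cleanly when cache expiry happens to line up with the rotation boundary; a client that resolved three seconds late sends stale traffic after every rotation, and the pinned session fails at the first one.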

  16. $5,000 steel safe vs $25 demolition saw rental by raymorris · · Score: 1

    The claim is that breaking security is cheaper than creating security. For $5,000, I can buy a steel safe reinforced with concrete. For $25, I can rent a saw designed for cutting steel and concrete.

    Breaking things has always been cheaper than building them, and probably always will be. As you hinted, that's the wrong comparison. The comparison that drives decisions is:
    A) The cost to avoid a breach (the cost of security at a given level).
    Vs
    B) The cost of having a breach (reputation, down time, etc).

    In almost all cases, the lowest total cost is a certain degree of security, neither ignoring security nor obsessing about it. You put a lock on your door, you don't normally hire armed guards to guard the door.

    One of the best and cheapest approaches to information security is to reduce the cost of a breach - don't store plaintext passwords, don't store credit card numbers and social security numbers if you don't absolutely have to. They can't steal what you don't have.

  17. More corporate welfare by mea2214 · · Score: 1

    "Collaboration between public and private sectors" is word salad that really means he wants taxpayers to fund his enterprise and lifestyle.

  18. "the space race for this generation" by neo-mkrey · · Score: 1

    Then I guess this generation is well and truly f*cked!

  19. Further Explanation by snehalantani · · Score: 1
    Thanks for all of the comments. Let me further explain, and I'm excited to hear more ideas from the community on the topic. First, to clarify the point I made about collaboration across public sector, academia, and private sector. Government agencies like DHS, NSA's IAD, universities like MIT's CSAIL, and hundreds of private sector companies are doing some amazing work in the area of breach detection, incident response, and security analytics. The challenge is that these efforts aren't synchronized or coordinated, and as a result, we are not as effective as we could otherwise be in transforming our national & critical infrastructure cyber defense capabilities. The collaboration required across public sector, academia, and private sector has not been seen since the Space Race, hence why I believe the effort to transform cyber defense will be the "Space Race" of our generation. With regard to "shape shifting networks", this is an idea that falls within the domain of "Moving Target Defense" (MTD), an emerging area of cyber defense, that is still in its early days, and has the potential to be a game changer in how we defend our critical systems. The concept of MTD, and the specific idea of shape-shifting networks, is not yet in production anywhere (as far as I know), but this work is in prototype and in research. If you're interested in diving into this topic, here are some resources to get you started:
    • Problem statement from DHS: In the current environment, information technology systems are built to operate in a relatively static configuration. For example, addresses, names, software stacks, networks and various configuration parameters remain more or less the same over long periods of time. This static approach is a legacy of information technology systems designed for simplicity in a time when malicious exploitation of system vulnerabilities was not a concern
    • Solution approach from DHS: Moving Target Defense (MTD) is the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts. MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that all systems are compromised, research in MTD focuses on enabling the continued safe operation in a compromised environment and to have systems that are defensible rather than perfectly secure.
    • “[MTD] Enables us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.” – Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program published by the Executive Office of the President, National Science and Technology Council, December 2011
    • Links to additional reading material
      1. DHS overview: https://www.dhs.gov/science-an...
      2. Morphisec's blog on MTD: http://blog.morphisec.com/movi...
      3. Details on Morphisec's solution (one of many in this space): http://www.morphisec.com/how-i...
      4. The "Morphinator" project sponsored by the Army for shape-shifting networks: https://gcn.com/articles/2012/...
    • It is the combination of at least 6 key initiatives that will fundamentally disrupt and transform the cyber defense capabilities of our critical infrastructure and beyond:
      1. "Shift left" by applying Continuous Delivery, Architecture-as-Code, and other