Inspiration

Our inspiration comes from our day-to-day work. We are actively helping to solve the Insider Threat challenges in large government and commercial organizations and are passionate about changing the approach to solving this problem.

How it works

The Q-TRIP App architecture looks a lot like Splunk's own Enterprise Security App. We use accelerated data models to drive most of our visualizations, and those data models, in turn, are driven by tag-based searches. This means our users can add data from whatever devices are important to them, including devices we may never have heard of. We also use tags and fields that comply with the Common Information Model wherever possible. All of this means that users get a lightning-fast working app right out of the box but can easily extend it as they see fit, adding new log types and visualizations that take full advantage of the groundwork that Qmulos and Splunk have already provided. In addition to the built-in Splunk visualizations, we also use the D3 JavaScript library, the Sankey visualization in particular, to provide a new dimension of understanding of connectivity and of cause and effect.
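An added example of the tag-driven pattern described above; it is constructed for this write-up and is not the Q-TRIP app's own configuration. A hypothetical proxy sourcetype (`acme:proxy`, with assumed raw field names) is aliased to Common Information Model field names and tagged `web`, so the accelerated Web data model picks it up, and a saved `tstats` search then ranks users by outbound volume without referencing the device at all. The sourcetype, the field names and the three-sigma threshold are all assumptions.

```ini
# props.conf -- map the device's raw field names onto CIM Web fields
# (sourcetype "acme:proxy" and the cs_* field names are assumed for this example)
[acme:proxy]
FIELDALIAS-cim_user  = cs_username AS user
FIELDALIAS-cim_url   = cs_uri AS url
FIELDALIAS-cim_dest  = cs_host AS dest
FIELDALIAS-cim_bytes = cs_bytes AS bytes_out

# eventtypes.conf -- the search that defines "events from this device"
[acme_proxy_events]
search = sourcetype="acme:proxy"

# tags.conf -- tagging the eventtype "web" is what pulls these events into the
# accelerated Web data model; no data model or dashboard change is needed
[eventtype=acme_proxy_events]
web = enabled

# savedsearches.conf -- a detection that runs against the data model, so it
# covers every tagged device, known or not. It flags users whose outbound
# volume is more than three standard deviations above the population mean
# (the 3-sigma threshold is an assumption, not a Q-TRIP setting).
[Outbound web volume outliers by user]
dispatch.earliest_time = -24h
dispatch.latest_time = now
cron_schedule = 0 * * * *
enableSched = 1
search = | tstats summariesonly=true count sum(Web.bytes_out) AS bytes_out dc(Web.dest) AS dest_count \
    FROM datamodel=Web WHERE Web.user=* BY Web.user \
  | rename Web.user AS user \
  | eventstats avg(bytes_out) AS avg_out stdev(bytes_out) AS sd_out \
  | eval zscore = round((bytes_out - avg_out) / sd_out, 2) \
  | where zscore > 3 \
  | sort - zscore \
  | table user bytes_out dest_count zscore
```

Because the search addresses only data model fields, any further device tagged `web` is covered by the same detection and the same dashboards with no change to the search.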

Challenges I ran into

Avoiding the common trap of trying to point to a single user as THE Insider and instead focusing on providing holistic views of users and their suspicious behaviors. It was also difficult to generate appropriate data sets to highlight the full functionality of the Application.

Accomplishments that I'm proud of

The fact that we are arming analysts and investigators with information on particularly high-risk behaviors across several key areas (web traffic, printing, USB, and email activity) while providing relevant user details for context, so they can focus their limited Insider Threat Program resources on the highest-risk individuals. We feel that the App supports real-world use cases that make analysts more efficient in identifying high-risk behaviors and investigators more efficient in adjudicating high volumes of leads and tips.

What I learned

Splunk is a valuable tool in solving the Insider Threat problem, although we kinda knew that already. We also learned that judges are the coolest people ever.

What's next for Q-TRIP (Qmulos-Threat Reveal and Investigate Platform)

We plan to incorporate a lot of the data from the User Page (for Investigators) into additional correlations on the Detection Pages (for Analysts). For example, using anticipated departure date to identify users to monitor more closely. We also plan to take code we have for detecting suspicious behaviors from Admins and modify it for inclusion in the App. Other future enhancements include adding other data sources, looking at off-hour activity, inclusion of financial disclosure, and integration with a case tool.
