Enterprise Security + User Behavior Analytics

Copyright © 2015 Splunk Inc. Enterprise Security & UBA Overview, splunklive Long Beach 2015. Mark Bonsack, Staff SE; James Brodsky, Security SME



Agenda

Splunk Portfolio Update

Enterprise Security 4.0

User Behavior Analytics

Platform for Machine Data

Slide figure: Splunk Solutions > Easy to Adopt, across data sources, use cases & consumption models. Splunk Premium Solutions (ITSI, UBA) and a rich ecosystem of apps (Exchange, PCI, Security, VMware, IT Svc Int). Data sources shown: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL.

Recent Splunk Releases

Splunk Enterprise 6.3

Enterprise Security 4.0 (ES)

User Behavior Analytics 2.0 (UBA)

IT Service Intelligence (ITSI)

Enterprise Security

Provides support for security operations/command centers

Functions: alert management, detects using correlation rules (pre-built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing

Personas served: SOC analysts, security teams, incident responders, hunters, security managers

Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches


User Behavior Analytics

Provides advanced threat detection using unsupervised machine learning – complements SIEMs (if any)

Functions: baselines behavior from log data to detect anomalies and threats

Personas served: SOC analysts, hunters

Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science.

Enterprise Security

Machine data contains a definitive record of all interactions

Splunk is a very effective platform to collect, store, and analyze all of that data

Slide figure: human-to-machine and machine-to-machine interactions

Rapid Ascent in the Gartner SIEM Magic Quadrant*

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2015: Leader, and the only vendor to improve its visionary position
2014: Leader
2013: Leader
2012: Challenger
2011: Niche Player

Splunk as the Security Nerve Center

Slide figure, data sources feeding the nerve center: app servers, network, threat intelligence, firewall, web proxy, internal network security, endpoints, identity.

ES Fast Facts
● Current version: 4.0, just released a little over a month ago
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES: flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses

The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in: Network AV, Windows + OS X AV, PCI-zone Linux AV, Network Sandboxing, APT Protection
● CIM = Data Normalization

NORMALIZATION?!?

Relax. This is

therefore, CIM gets applied at SEARCH TIME.

Data Normalization is Mandatory for your SOC

“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT

Your fields don’t match? Good luck creating investigative queries
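What "CIM gets applied at search time" means in practice, as an added example that is not code from this deck or from Splunk: two constructed sourcetypes (fw:acme and proxy:acme, invented names) store their raw events untouched, a per-sourcetype alias table renames fields onto common CIM-style names only when a search runs, and one investigative query then spans both products, while the same question asked with one product's raw field name silently misses the other source.

```python
"""Search-time field normalization in the style of the Splunk Common Information Model (CIM).

Added example, not code from this deck or from Splunk. It assumes two constructed
sourcetypes, fw:acme and proxy:acme (invented names), whose raw events are stored
untouched; CIM-style aliases are applied only when a search runs, so one
investigative query can span both products.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed raw events: two products logging similar activity under different
# field names. Nothing is rewritten at index time; the raw text is what is stored.
RAW_EVENTS: List[Tuple[str, str]] = [
    ("fw:acme", "ts=2015-10-01T10:00:01Z srcip=10.1.2.3 dstip=203.0.113.9 dport=443 act=allow"),
    ("fw:acme", "ts=2015-10-01T10:00:05Z srcip=10.1.2.3 dstip=198.51.100.7 dport=22 act=deny"),
    ("proxy:acme", "2015-10-01T10:00:09Z c_ip=10.1.2.3 cs_host=files.example.net sc_status=200 s_action=TCP_HIT"),
    ("proxy:acme", "2015-10-01T10:00:12Z c_ip=10.9.9.9 cs_host=update.example.org sc_status=403 s_action=TCP_DENIED"),
]

# Per-sourcetype field extraction, the job a props/transforms stanza does in Splunk.
KV_RE = re.compile(r"(\w+)=(\S+)")
EXTRACTORS: Dict[str, Callable[[str], Dict[str, str]]] = {
    "fw:acme": lambda raw: dict(KV_RE.findall(raw)),
    "proxy:acme": lambda raw: dict(KV_RE.findall(raw)),
}

# Search-time field aliases: each product's names mapped onto common CIM-style
# names (src, dest, dest_port, action, status). The stored events never change.
ALIASES: Dict[str, Dict[str, str]] = {
    "fw:acme": {"srcip": "src", "dstip": "dest", "dport": "dest_port", "act": "action"},
    "proxy:acme": {"c_ip": "src", "cs_host": "dest", "sc_status": "status", "s_action": "action"},
}

# Values need normalizing too: CIM expects action in {allowed, blocked, ...}.
ACTION_VALUES = {"allow": "allowed", "deny": "blocked", "TCP_HIT": "allowed", "TCP_DENIED": "blocked"}


def normalize(sourcetype: str, raw: str) -> Dict[str, str]:
    """Extract fields from one raw event and rename them through the alias table."""
    extracted = EXTRACTORS[sourcetype](raw)
    event = {"sourcetype": sourcetype, "_raw": raw}
    for name, value in extracted.items():
        event[ALIASES[sourcetype].get(name, name)] = value
    if "action" in event:
        event["action"] = ACTION_VALUES.get(event["action"], event["action"])
    return event


def search(events: List[Tuple[str, str]], **where: str) -> List[Dict[str, str]]:
    """Investigative query against the normalized view: every keyword must match."""
    hits = []
    for sourcetype, raw in events:
        event = normalize(sourcetype, raw)
        if all(event.get(field) == value for field, value in where.items()):
            hits.append(event)
    return hits


def search_raw_field(events: List[Tuple[str, str]], field: str, value: str) -> List[Tuple[str, str]]:
    """The same question asked with one product's raw field name: it silently
    misses every source that spells the field differently."""
    return [(st, raw) for st, raw in events if EXTRACTORS[st](raw).get(field) == value]


if __name__ == "__main__":
    print("normalized, src=10.1.2.3:", len(search(RAW_EVENTS, src="10.1.2.3")), "events across both sources")
    print("raw, srcip=10.1.2.3:    ", len(search_raw_field(RAW_EVENTS, "srcip", "10.1.2.3")), "events (firewall only)")
    for ev in search(RAW_EVENTS, action="blocked"):
        print("blocked:", ev["sourcetype"], ev["src"], "->", ev["dest"])
```

The alias table is the whole trick: `search(RAW_EVENTS, src="10.1.2.3")` finds all three events from that address, while `search_raw_field(RAW_EVENTS, "srcip", "10.1.2.3")` finds only the two firewall events because the proxy calls the same thing `c_ip`. Adding a third product means adding one alias entry, not rewriting every saved query.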

ES Evolution

Timeline: Q3 2014, Q4 2014, Q2 2015, Q4 2015

ES 3.0

ES 3.1 • Risk Framework • Guided Search • Unified Search Editor • Threatlist Scoring • Threatlist Audit

ES 3.2 • Protocol Intelligence (Stream capture) • Semantic Search (Dynamic Thresholding)

ES 3.3 • Threat Intel framework • User Activity Monitoring • Content Sharing • Data Ingestion

ES 4.0 • Breach Analysis • Integration with Splunk UBA • Splunk Security Framework

New Features in Enterprise Security 4.0

Optimize multi-step analyses to improve breach detection and response

Extensible Analytics & Collaboration

INVESTIGATION / COLLABORATION
• Investigator Journal
• Attack & Investigation Timeline
• Open Solutions Framework
• Framework App: PCI

…and, Integration with Splunk UBA

Slide figure: signatures, rules, human analysis; UBA integrated with Splunk Enterprise Security.

Open Solutions Framework: supports critical security-related management framework features

Enterprise Security Framework
• Notable Events Framework
• Threat Intelligence Framework
• Risk Scoring Framework
• Identity & Asset Framework
• Summarization Framework
• Alerting & Scheduling
• Visualization Framework
• Application Framework

Apps / Content: Customer Apps, Partner Apps, Splunk Apps
• Export • Import • Share (with an External Instance)

ES Demo

ES Questions?

User Behavior Analytics

THREATS CONSTANTLY EVOLVE

You never know what’s coming next.

Traditional SIEM detects 1% of breaches.

80,000 Information Security Analysts.

0% Unemployment.

Are they all of the same caliber? Sadly, No.

Even if you had all the hiring budget in the world – the staff doesn’t exist.

It’s hard to know what is NORMAL.

Administering and using complex tech is hard.

INSIDER THREAT is a big problem

Outsiders look like insiders!

DATA BREACH COST: $154 on average per record.

We’re gonna need a bigger boat.

UBA

Unsupervised Machine Learning + Data Science for User/Entity Behavior Analytics

Splunk UBA: Main Use Cases

Advanced Cyber-Attacks

Malicious Insider Threats

Splunk UBA: Anomaly & Threat Models

Ice cream shops have 31 flavors… Splunk UBA currently has 31 Threat and Anomaly Models

Threat Attack Correlation

Polymorphic Attack Analysis

Behavioral Peer Group Analysis

User & Entity Behavior Baseline

Entropy/Rare Event Detection

Cyber Attack / External Threat Detection

Reconnaissance, Botnet and C&C Analysis

Lateral Movement Analysis

Statistical Analysis

Data Exfiltration Models

IP Reputation Analysis

Insider Threat Detection

User/Device Dynamic Fingerprinting
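What "baselines behavior from log data to detect anomalies" looks like in working code, as an added example that is not Splunk UBA's code or any of its models: it illustrates the ideas behind User & Entity Behavior Baseline, Entropy/Rare Event Detection and Behavioral Peer Group Analysis from the list above, using constructed logon records and invented user, department and host names. Each feature of a new logon (hour, host, source country) is scored by how surprising it is against that user's own history, measured in bits of self-information; a host that is new for the user but routine for the department counts only half; the sum is compared with an alert threshold.

```python
"""Per-user behavior baselining with rare-event and peer-group scoring.

Added example, not Splunk UBA's code or any of its 31 models. It illustrates
what "User & Entity Behavior Baseline", "Entropy/Rare Event Detection" and
"Behavioral Peer Group Analysis" mean in practice, using constructed logon
records and invented user, department and host names.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Logon:
    user: str
    dept: str
    hour: int      # hour of day, 0-23
    host: str      # host logged on to
    country: str   # geolocation of the source address


# Constructed baseline window: two weeks of routine activity.
BASELINE: List[Logon] = []
for _day in range(14):
    for _h in (8, 9, 13, 17):
        BASELINE.append(Logon("alice", "finance", _h, "fin-fs01", "US"))
        BASELINE.append(Logon("bob", "finance", _h, "fin-fs01", "US"))
    BASELINE.append(Logon("bob", "finance", 10, "fin-db01", "US"))   # bob also uses the DB host daily
    BASELINE.append(Logon("carol", "eng", 22, "build-01", "US"))      # carol works late every day

FEATURE_BITS = 3.0   # a value seen in under 1/8 of a user's events (or never) is "rare"
ALERT_BITS = 5.0     # total surprise needed before an event is raised to an analyst
PEER_SHARE = 0.10    # a host used in >= 10% of the department's logons is "normal for peers"


def rarity_bits(counts: Counter, key) -> float:
    """Self-information of `key` under the observed frequencies. Unseen keys get one
    pseudo-count, so surprise grows with how much history contradicts them."""
    total = sum(counts.values())
    n = counts.get(key, 0)
    return math.log2(total + 1) if n == 0 else -math.log2(n / total)


class Baseline:
    def __init__(self, events: List[Logon]):
        self.user_hours: Dict[str, Counter] = defaultdict(Counter)
        self.user_hosts: Dict[str, Counter] = defaultdict(Counter)
        self.user_countries: Dict[str, Counter] = defaultdict(Counter)
        self.dept_hosts: Dict[str, Counter] = defaultdict(Counter)
        for e in events:
            self.user_hours[e.user][e.hour] += 1
            self.user_hosts[e.user][e.host] += 1
            self.user_countries[e.user][e.country] += 1
            self.dept_hosts[e.dept][e.host] += 1

    def score(self, e: Logon) -> Tuple[float, List[str]]:
        """Sum the surprise of each feature that is rare for this user; a host that
        is new for the user but routine for the peer group counts only half."""
        bits, reasons = 0.0, []
        r = rarity_bits(self.user_hours[e.user], e.hour)
        if r > FEATURE_BITS:
            bits += r
            reasons.append(f"unusual hour {e.hour:02d}:00")
        r = rarity_bits(self.user_hosts[e.user], e.host)
        if r > FEATURE_BITS:
            dept = self.dept_hosts[e.dept]
            if dept[e.host] / max(sum(dept.values()), 1) >= PEER_SHARE:
                r /= 2
                reasons.append(f"new host {e.host} (common in peer group {e.dept})")
            else:
                reasons.append(f"new host {e.host} (unknown to peer group {e.dept})")
            bits += r
        r = rarity_bits(self.user_countries[e.user], e.country)
        if r > FEATURE_BITS:
            bits += r
            reasons.append(f"unusual source country {e.country}")
        return bits, reasons

    def is_alert(self, e: Logon) -> bool:
        return self.score(e)[0] >= ALERT_BITS


# Constructed new events to score against the baseline.
NEW_EVENTS = [
    Logon("alice", "finance", 9, "fin-db01", "US"),   # new for alice, routine for finance
    Logon("alice", "finance", 3, "fin-fs01", "RO"),   # usual host, but 03:00 from a new country
    Logon("carol", "eng", 22, "build-01", "US"),      # late night is carol's normal
    Logon("alice", "finance", 9, "build-01", "US"),   # host nobody in finance uses
]

if __name__ == "__main__":
    model = Baseline(BASELINE)
    for ev in NEW_EVENTS:
        bits, why = model.score(ev)
        print(f"{'ALERT' if model.is_alert(ev) else 'ok   '} {ev.user:6} {bits:5.2f} bits  {'; '.join(why)}")
```

Two things the output makes visible that a rule-based SIEM does not: carol's 22:00 logon scores zero because the baseline is per user, so "after hours" is not a global rule, and alice's first logon to fin-db01 is noted but not alerted because her peer group uses that host every day. Only the combination of an unseen hour and an unseen country, or a host unknown to the whole department, clears the alert threshold.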

TWO UBA WORKFLOWS: Guided SOC Analyst and… Hunter.

Deployment: OVA provided for on-prem or bare-metal; AMI available for AWS.

Data Sources

Slide categories: Identity/Auth, SaaS/Mobile, Security Products, External Threat Feeds, Activity (N-S, E-W), End-point; some sources are marked OPTIONAL.

• Web Gateway, Proxy Server, Firewall
• Box, SF.com, Dropbox, other SaaS apps
• Mobile Devices
• Malware; Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains
• Active Directory/Domain Controller, Single Sign-on, HRMS, VPN
• Netflow, PCAP
• AWS CloudTrail
• IDS, IPS, AV
• DNS, DHCP
• DLP, File Server/Host Logs


Splunk Enterprise & ES preferred, but not required. UBA can be standalone!

UBA Demo

UBA Questions?

.conf2016: The 7th Annual Splunk Worldwide Users’ Conference
• September 26-29, 2016
• The Disney Swan and Dolphin, Orlando
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 3 days of Splunk University: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!

Visit conf.splunk.com for more information

We Want to Hear your Feedback!

After the Breakout Sessions conclude, text Splunk to 20691 and be entered for a chance to win a $100 AMEX gift card!

Thank You!