Enterprise Security featuring UBA

Copyright © 2014 Splunk Inc. Splunk Enterprise Security & UBA: Analytics-Driven Security. Matt Poland, Sr. Sales Engineer

Uploaded by splunk, posted 06-Jan-2017

Page 1: Enterprise Security featuring UBA

Copyright © 2014 Splunk Inc.

Splunk Enterprise Security & UBA: Analytics-Driven Security

Matt Poland, Sr. Sales Engineer

Page 2: Enterprise Security featuring UBA

The Ever-Changing Threat Landscape

53%: victims notified by external entity

100%: valid credentials were used

143: median number of days before detection

Source: Mandiant M-Trends Report 2012-2016

Page 3: Enterprise Security featuring UBA

Splunk positioned as a Leader in the Gartner 2016 Magic Quadrant for Security Information and Event Management*

• Four years in a row as a Leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases

*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 4: Enterprise Security featuring UBA

Splunk – Analytics-Driven Security

Use cases:

• APT detection / hunting (kill chain method)
• Counter threat automation
• Threat intelligence aggregation (internal & external)
• Fraud detection – ATO, account abuse
• Insider threat detection

• Replace SIEM @ lower TCO, increase maturity
• Augment SIEM @ increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing

• Continuous monitoring / evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten discover / detect cycle
• Rapid insight from all data

Security Operations Roles / Functions:

• Fraud analyst • Threat research / intelligence • Malware research • Cyber security / threat

• Security analyst • CSIRT • Forensics • Engineering

• Tier 1 analyst • Tier 2 analyst • Tier 3 analyst • Audit / compliance

Reactive → Proactive: Search and Investigate; Proactive Monitoring and Alerting; Security Situational Awareness; Real-time Risk Insight

Page 5: Enterprise Security featuring UBA

Connecting the "data-dots" via multiple / dynamic relationships

• Threat intelligence: attacker, known relay / C2 sites, infected sites, file hashes, IOC, attack / campaign intent and attribution

• Network activity / security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download

• Host activity / security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack / malware artifacts, patching level, attack susceptibility

• Auth – user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain

Kill chain stages: Delivery, exploit installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data gathering → Exfiltration → Persist, repeat

Page 6: Enterprise Security featuring UBA

Splunk Enterprise Security

• Risk-Based Analytics
• Visualize and Discover Relationships
• Enrich Security Analysis with Threat Intelligence

Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform that empowers SecOps to monitor, detect, investigate and respond to attacks and threats while minimizing risk and safeguarding your business.

Page 7: Enterprise Security featuring UBA

Analytics-Driven Security

Risk-Based Analytics to Align Security Operations With the Business
– Risk scoring framework enhances decision making by applying risk scores to any data
– Quickly and easily assign any KSI or KPI to any event to align with your current priorities
– Expose the contributing factors of a risk score for deeper insights

Visualize and Discover Relationships for Faster Detection and Investigation
– Visually fuse data, context and threat-intel across the stack and time to discern relationships
– Pre-built correlations, alerts and dashboards for detection, investigation and compliance
– Workflow actions and automated lookups enhance context building

Enrich Security Analysis with Threat Intelligence
– Automatically apply threat intelligence from any number of providers
– Apply threat intelligence to event data as well as wire data
– Conduct historical analysis using new threat intelligence across all data

Page 8: Enterprise Security featuring UBA

Demo

Page 9: Enterprise Security featuring UBA

Free ES Sandbox

Meeting – Cosmopolitan
Password – SPLUNK2016

https://www.splunk.com/en_us/download-21.html

Page 10: Enterprise Security featuring UBA

Common Information Model

Data Models: Network Traffic, Malware, Email, Intrusion Detection, Authentication ... 30 models ...

• Network Traffic Data Model fields: action, bytes_in, bytes_out, channel, dest_ip, dest_mac, duration, src_ip, …

Vendor-specific fields mapped onto the model:

• FW Vendor A: direction, d_ip, …
• FW Vendor B: direction, destin_ip, …
• FW Vendor C: Direction, dest_ip, …

Key purpose:

1. Contextual search / rules / reports across different technologies
2. Dynamic field mapping allows structure on the fly instead of normalization
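The slide's point is that three firewalls naming the destination address d_ip, destin_ip and dest_ip can all be searched with one query once each vendor's fields are mapped onto the common model. The following added example (not Splunk code, and not the real CIM or any vendor's actual field list) shows that mapping in Python: the vendor names, their field names, the action/direction value spellings and the three log records are all constructed for the example, and only a handful of Network Traffic fields are modelled.

```python
"""Normalising vendor-specific firewall events onto one common schema.

Added example, not Splunk's Common Information Model: three constructed
firewall records, each using its vendor's own field names, are mapped onto a
small subset of Network Traffic-style fields so that one search runs across
all of them.
"""
from collections import defaultdict

# Per-vendor field mappings: vendor field name -> common model field name.
# Vendor names and field names are constructed, mirroring the slide's
# "d_ip" / "destin_ip" / "dest_ip" variants.
FIELD_MAPS = {
    "fw_vendor_a": {"direction": "direction", "d_ip": "dest_ip", "s_ip": "src_ip",
                    "sent": "bytes_out", "recv": "bytes_in", "act": "action"},
    "fw_vendor_b": {"direction": "direction", "destin_ip": "dest_ip", "source_ip": "src_ip",
                    "bytes_sent": "bytes_out", "bytes_received": "bytes_in", "action": "action"},
    "fw_vendor_c": {"Direction": "direction", "dest_ip": "dest_ip", "src_ip": "src_ip",
                    "bytes_out": "bytes_out", "bytes_in": "bytes_in", "action": "action"},
}

# Value normalisation: vendors also spell actions differently (constructed).
ACTION_VALUES = {"permit": "allowed", "accept": "allowed", "allow": "allowed",
                 "deny": "blocked", "drop": "blocked", "block": "blocked"}

NUMERIC_FIELDS = ("bytes_in", "bytes_out")


def normalize(event: dict) -> dict:
    """Map one raw event onto common field names; unmapped fields pass through."""
    vendor = event["sourcetype"]
    field_map = FIELD_MAPS[vendor]
    out = {}
    for raw_name, value in event.items():
        name = field_map.get(raw_name, raw_name)
        if name in NUMERIC_FIELDS:
            value = int(value)
        elif name == "action":
            value = ACTION_VALUES.get(str(value).lower(), str(value).lower())
        elif name == "direction":
            value = str(value).lower()
        out[name] = value
    return out


# Constructed sample events, one per vendor, as each vendor would log them.
RAW_EVENTS = [
    {"sourcetype": "fw_vendor_a", "direction": "Outbound", "s_ip": "10.1.1.5",
     "d_ip": "203.0.113.10", "sent": "5120", "recv": "300", "act": "permit"},
    {"sourcetype": "fw_vendor_b", "direction": "outbound", "source_ip": "10.1.1.9",
     "destin_ip": "203.0.113.10", "bytes_sent": "2048", "bytes_received": "100",
     "action": "ACCEPT"},
    {"sourcetype": "fw_vendor_c", "Direction": "OUTBOUND", "src_ip": "10.1.1.5",
     "dest_ip": "198.51.100.7", "bytes_out": "64", "bytes_in": "0", "action": "drop"},
]


def bytes_out_by_dest(events, direction="outbound"):
    """One 'contextual search' over the normalised events, vendor-agnostic:
    total bytes_out per dest_ip for allowed traffic in the given direction."""
    totals = defaultdict(int)
    for ev in map(normalize, events):
        if ev.get("direction") == direction and ev.get("action") == "allowed":
            totals[ev["dest_ip"]] += ev["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    for ev in RAW_EVENTS:
        print(normalize(ev))
    print(bytes_out_by_dest(RAW_EVENTS))
```

The search logic in bytes_out_by_dest never mentions a vendor; adding a fourth firewall means adding one entry to FIELD_MAPS, which is the "structure on the fly" the slide contrasts with rewriting every stored event.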

Page 11: Enterprise Security featuring UBA

Managing Correlation Rules: central framework to create / update / delete / import correlation rules for continuous adoption

Enable / Disable rules

ES CORRELATION RULE MANAGEMENT

Page 12: Enterprise Security featuring UBA

Comparison – Event Correlation

• Construct as a saved search that simply generates an indication of a match.

• Self-define a placeholder to hold events and link it to process logic.

• Just pass on to the 3rd-party incident management / case management.

• Security incident alerts flow into the ES workflow management process.

• Security-event-focused authoring interface, ready to define new conditions.

• Pre-defined out-of-the-box correlation rules.

Page 13: Enterprise Security featuring UBA

Threat Intelligence Framework: finding hidden IOCs using comprehensive threat intelligence mappings

COLLECT – Intel sources
• Multiple sources
• Multiple transmission types
• Multiple transports
• Multiple data formats

Indicator types:
1. IP
2. Emails
3. URLs
4. File names / hashes
5. Process names
6. Services
7. Registry entries
8. X509 certificates
9. Users

CATEGORIZE – Index, extract, categorize

MANAGE – Data management: manage / audit threat sources
• List status
• List mgmt.
• List location

SEARCH – Data search: ad-hoc search, analyze, investigate, prioritize

CORRELATE – Correlation data / notable events
• Match all IOCs in existing log data
• Generate alert for any matches
• KSI and trends (Security Dashboard)
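The collect → categorize → correlate pipeline above, and the risk-scoring idea from the Analytics-Driven Security slide (apply a score to any event and expose the contributing factors), together fit in one small program. The following is an added example written for this page, not Splunk's threat intelligence framework or its risk framework: the two feed formats, the indicator values, the weights and the CIM-style log events are all constructed, and the IP/domain/hash indicators are RFC 5737 documentation addresses and placeholder strings.

```python
"""IOC matching over log events with per-object risk scoring.

Added example, not Splunk's threat intelligence or risk framework. Indicators
of several types are collected from two constructed feeds in different shapes,
indexed by type, matched against constructed log events, and every match
produces a notable event and adds the indicator's weight to the risk score of
the user and host involved, with the reasons recorded alongside the score.
"""
from collections import defaultdict

# COLLECT: two constructed feeds. Feed A arrives as CSV-like lines
# (type,value,description,weight); feed B as an already-parsed structure.
FEED_A_LINES = """\
ip,203.0.113.10,known-c2,80
domain,bad.example.net,malware-download,60
""".splitlines()

FEED_B = {
    "file_hash": [("a1b2c3d4e5f60718293a4b5c6d7e8f90", "dropper", 90)],  # placeholder hash
    "ip": [("198.51.100.7", "scanner", 20)],
}


def collect_indicators():
    """CATEGORIZE / MANAGE: build {ioc_type: {value: (description, weight, source)}}.
    Values are lower-cased once here so matching is case-insensitive."""
    index = defaultdict(dict)
    for line in FEED_A_LINES:
        ioc_type, value, desc, weight = line.split(",")
        index[ioc_type][value.lower()] = (desc, int(weight), "feed_a")
    for ioc_type, entries in FEED_B.items():
        for value, desc, weight in entries:
            index[ioc_type][value.lower()] = (desc, int(weight), "feed_b")
    return index


# Which event field is checked against which indicator type (constructed).
FIELD_TO_IOC_TYPE = {"dest_ip": "ip", "src_ip": "ip", "dest_host": "domain",
                     "file_hash": "file_hash", "url_domain": "domain"}

# Constructed log events already normalised to common field names.
EVENTS = [
    {"_time": "2016-10-01T10:00:00Z", "user": "alice", "src": "wks-17",
     "dest_ip": "203.0.113.10", "dest_host": "bad.example.net"},
    {"_time": "2016-10-01T10:05:00Z", "user": "bob", "src": "wks-22",
     "dest_ip": "192.0.2.44", "dest_host": "intranet.example.com"},
    {"_time": "2016-10-01T10:07:00Z", "user": "alice", "src": "wks-17",
     "file_hash": "A1B2C3D4E5F60718293A4B5C6D7E8F90"},
]


def correlate(events, index):
    """CORRELATE: return (notables, risk). notables holds one record per matched
    indicator; risk maps object -> {"score", "factors"} so a score is explainable."""
    notables = []
    risk = defaultdict(lambda: {"score": 0, "factors": []})
    for ev in events:
        for field, ioc_type in FIELD_TO_IOC_TYPE.items():
            value = ev.get(field)
            if value is None:
                continue
            hit = index.get(ioc_type, {}).get(str(value).lower())
            if hit is None:
                continue
            desc, weight, source = hit
            notables.append({"time": ev["_time"], "user": ev["user"], "src": ev["src"],
                             "field": field, "indicator": value, "ioc_type": ioc_type,
                             "description": desc, "source": source})
            # Risk scoring: the hit's weight is applied to both the user and the
            # host, and the reason is kept so the score can be drilled into later.
            for obj in (ev["user"], ev["src"]):
                risk[obj]["score"] += weight
                risk[obj]["factors"].append(f"{ioc_type}:{value} ({desc}, {source})")
    return notables, dict(risk)


if __name__ == "__main__":
    found, scores = correlate(EVENTS, collect_indicators())
    for item in found:
        print("NOTABLE", item)
    for obj, info in sorted(scores.items(), key=lambda kv: -kv[1]["score"]):
        print(obj, info["score"], info["factors"])
```

Because the indicator index is keyed by type, the same loop handles any of the nine indicator types on the slide once a field-to-type entry exists; re-running correlate over stored events with a freshly collected index is the "historical analysis using new threat intelligence" the deck mentions.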

Page 14: Enterprise Security featuring UBA

Facebook ThreatExchange

• Provides domain names, IPs, hash threat indicators
• Use with ad hoc searches and investigations
• Need an app ID and secret from Facebook
• Configure the Splunk add-on for FB ThreatExchange
• Customers already use it!

Page 15: Enterprise Security featuring UBA

What's New?

Page 16: Enterprise Security featuring UBA

Storage TCO Reduction Options

• Reduce TSIDX for historical data: keeps data within existing Splunk storage
• Roll historical data into Hadoop: exports data but maintains search capability

Flexible options to reduce storage requirements up to 80%

Page 17: Enterprise Security featuring UBA

Enhanced Investigation Timeline

• Add file attachments to Investigation Timeline
• Export Investigation Timeline as PDF

Page 18: Enterprise Security featuring UBA

AUTOMATION: Extend Analytics-driven Decisions and Automation with Adaptive Response in Splunk ES

VISUALIZATION: Enhance Analytics with Glass Table Views in Splunk ES

Page 19: Enterprise Security featuring UBA

Adaptive Response: Analytics-driven Decisions, Automation

• Centrally automate retrieval, sharing and response actions, resulting in improved detection, investigation and remediation times

• Improve operational efficiency using workflow-based context with automated and human-assisted decisions

• Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners

Page 20: Enterprise Security featuring UBA

Adaptive Response Actions (Examples)

AUTOMATION

• Category – Information gathering, Information conveyance, Permissions control
• Task – Create, Update, Delete, Allow, Block
• Subject – what will be acted upon (network, endpoint, etc.)
• Vendor – providing the action, e.g. Splunk, Ziften, Palo Alto Networks, etc.

Page 21: Enterprise Security featuring UBA

Insight from Across the Ecosystem

Effectively leverage security infrastructure to gain a holistic view

Areas: Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel

Partners:
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. ThreatConnect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. CyberArk
17. Tanium
18. Carbon Black
19. ForeScout

Page 22: Enterprise Security featuring UBA

Glass Tables to Enhance Visual Analytics

• Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view

• Improve response times with nested views to display what's important or relevant

• Optimize workflow with drill-down to the supporting criteria of the metric

Page 23: Enterprise Security featuring UBA

UBA

Page 24: Enterprise Security featuring UBA

Detection: Enhanced Security Analytics (UBA 2.2)

Visibility and baseline metrics around user, device, application and protocol: 30+ new metrics

• User centric • Device centric • Application centric • Protocol centric

Detailed visibility, understand normal behavior

Page 25: Enterprise Security featuring UBA

Detection: Custom Threat Modeling Framework (UBA 2.2)

• Create custom threats using 60+ anomalies.

• Create custom threat scenarios on top of anomalies detected by machine learning.

• Helps with real-time threat detection and can be leveraged to detect threats on historical data.

• Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
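The slide describes layering analyst-defined threat scenarios on top of machine-detected anomalies, usable both in real time and over historical data. The following added example (not the UBA product's framework; the anomaly categories, scenario names, windows and the anomaly records are all constructed) shows the simplest form of that composition: a scenario is a set of anomaly categories that must all occur for one entity within a time window, and the evaluator walks a per-entity sliding window over the anomaly history.

```python
"""Composing custom threat scenarios from detected anomalies.

Added example, not the UBA product's threat modeling framework. A scenario is
a named set of anomaly categories that must all appear for the same entity
within a time window. Run over a historical anomaly list, as here, it detects
threats retrospectively; fed the growing list as anomalies arrive, the same
function serves real-time detection.
"""
from datetime import datetime, timedelta

# Constructed anomalies, shaped like what an upstream ML layer might emit.
ANOMALIES = [
    {"time": "2016-10-01T09:00:00Z", "entity": "alice", "category": "unusual_login_time"},
    {"time": "2016-10-01T09:20:00Z", "entity": "alice", "category": "excessive_data_transfer"},
    {"time": "2016-10-01T09:40:00Z", "entity": "alice", "category": "rare_external_destination"},
    {"time": "2016-10-01T11:00:00Z", "entity": "bob", "category": "unusual_login_time"},
    {"time": "2016-10-02T15:00:00Z", "entity": "bob", "category": "excessive_data_transfer"},
    {"time": "2016-10-01T12:00:00Z", "entity": "carol", "category": "privilege_escalation"},
    {"time": "2016-10-01T12:10:00Z", "entity": "carol", "category": "lateral_movement"},
]

# Constructed custom scenarios: name, required anomaly categories, and the
# window within which all of them must fall for a single entity.
SCENARIOS = [
    {"name": "possible_exfiltration",
     "requires": {"unusual_login_time", "excessive_data_transfer", "rare_external_destination"},
     "window": timedelta(hours=1)},
    {"name": "account_compromise_spread",
     "requires": {"privilege_escalation", "lateral_movement"},
     "window": timedelta(minutes=30)},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def evaluate(anomalies, scenarios):
    """Return one threat per (scenario, entity) whose required categories all
    occur within the scenario window. Anomalies are grouped per entity in
    time order and a window is opened at each anomaly in turn."""
    by_entity = {}
    for a in sorted(anomalies, key=lambda a: a["time"]):
        by_entity.setdefault(a["entity"], []).append((_parse(a["time"]), a["category"]))
    threats = []
    for scenario in scenarios:
        for entity, items in by_entity.items():
            for i, (start, _) in enumerate(items):
                seen = {}   # category -> first time seen inside this window
                for t, cat in items[i:]:
                    if t - start > scenario["window"]:
                        break
                    if cat in scenario["requires"] and cat not in seen:
                        seen[cat] = t
                if set(seen) == scenario["requires"]:
                    threats.append({"scenario": scenario["name"], "entity": entity,
                                    "first": start.isoformat(),
                                    "last": max(seen.values()).isoformat(),
                                    "evidence": sorted(seen)})
                    break   # one threat per (scenario, entity) is enough
    return threats


if __name__ == "__main__":
    for threat in evaluate(ANOMALIES, SCENARIOS):
        print(threat)
```

In the constructed data, alice's three anomalies fall inside the one-hour window and carol's two fall inside thirty minutes, so both scenarios fire; bob shows two of the three exfiltration categories a day apart and is not flagged, which is the point of binding a scenario to a window rather than to the bare presence of anomalies.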

Page 26: Enterprise Security featuring UBA

Summary

• UBA Results Across SIEM Workflow (ES 4.1 + UBA 2.2)
• Rapid Investigation of Advanced Threats (ES 4.1)
• Enhanced Insider Threat & Cyber Attack Detection (UBA 2.2)

Page 27: Enterprise Security featuring UBA

Quick UBA Demo, … then Happy Hour