security - baseline elearning (pdf) - oct 2013.pdf

Upload: marcus-panasan

Post on 02-Jun-2018


  • 8/10/2019 Security - Baseline eLearning (PDF) - Oct 2013.pdf

    Global Field Enablement - Copyright 2013 Splunk, Inc.

    Slide 1: Security Baseline eLearning

  • Slide 2: Modules

    1. Who do we sell to? Market Trends; Market Opportunity; Buyer Personas
    2. Why do they buy? Current Challenges and Consequences; Future Vision and Business Outcomes
    3. How does it work? Splunk Positioning; Features
    4. How do we compete and succeed? Case Study Examples; Competition; Discovery Questions

  • Slide 3: Module 1 - Who do we sell to?

    Market Trends
    Market Opportunity
    Buyer Personas

  • Slide 4: Security is Making $$ at Splunk

    About 30% of Splunk bookings
    Customers are getting our "Big Data for security" and "more than a SIEM" messages
    Security continues to make headlines:

  • Slide 5: Advanced Threats in the Headlines

    Cyber Criminals; Nation States; Insider Threats

    "160 million credit cards later, cutting edge hacking" - NBC News, July 2013
    "Banks Seek U.S. Help on Iran Cyber attacks" - Wall Street Journal, Jan 2013
    "Verizon: Most Intellectual Property Theft Involves Co..." - Dark Reading, Oct 2012

  • Slide 6: Target Market

    Overall, SIEM is a $1B+ market
    We compete for SIEM dollars with a solution that is rapidly eclipsing SIEMs in importance!
    Overlap and cross selling opportunities that involve security

    [Figure: adjacent market segments and their sizes] SIEM/$...; Event Correlation & Analysis $1.4B; Network Mgmt $3.4B; Server Virtualization Mgmt $2.4B; Change & Config Mgmt $4.9B; Desktop Mgmt $1.3B; Server Mgmt $420MM; Service Desk $1.4B; Non SaaS Cloud Services $5.6B; Web Analytics $1.0B; End User Experience Monitoring $240MM; Database Mgmt $2.3B; Applic... Mg... $3.4...; Des... Virtua... $0.4...

  • Slide 7: Target Buyers - Meet Your Top Prospects

    CISO; VP/Dir Information Security; Physic... Security; Security Analyst; Influencers

    How do we prevent attacks?
    How can I prevent data loss and revenue impact?
    How can I ensure Compliance as part of a broader Security message?
    Are...

  • Slide 8: Key Learning Points, Module 1

    Security Market: Security is top of mind; Require a Big Data Approach; Security A... sometime...; Overlap a... opportun... security
    Influencers / Buyers: It's the CISO you want to talk to (the Chief Information Security Officer)

  • Slide 9: Module 2 - Why do they buy?

    Current Challenges and Consequences
    Future Vision and Business Outcomes

  • Slide 10: Security Information & Event Management is comprised of

    Security Information Management (SIM): Long-term data storage; Log / data analysis; Compliance Reporting. Use case: compliance
    Security Event Management (SEM): Real-time monitoring, correlations, alerts; Incident investigation/management. Use case: threat...
  • Slide 11: Before Splunk State

    Customer Challenges:
      Traditional SIEMs have significant limitations and fail to deliver
      Advanced threats evade detection
      IT Security is outgunned by the adversaries
      IT Security is reactive, not proactive
      Data loss occurs frequently and often goes unnoticed

    Business/IT Consequences:
      Reduced revenue as data loss re... damage and customers leaving
      Higher costs from data loss relat... fines, lawsuits, or intellectual pr...
      Higher costs from inefficient inc... downtime, and threat clean up
      Weak security posture
      Board and executives are under...

  • Slide 12: After Splunk State

    Future Vision:
      Scalable solution that can index all data types and quickly search it
      Fast, efficient incident investigations and security reporting
      Ability to do real-time correlations, alerts, and advanced threat detection
      Single, enterprise-wide solution with all data used for many use cases

    Business Outcomes:
      All relevant data available for inv... threat detection
      Reduced costs from faster and le... well as faster threat eradication
      Reduced costs and less lost reve...
      Improved ROI and departmenta...

  • Slide 13: Key Learning Points, Module 2

    SIEM: SIEM is comprised of two different products - Security Information Management and Security Event Management.
    Splunk: Single ent... for all dat...; All data is...
    Customer Challenges: Traditional SIEMs are being outsmarted

  • Slide 14: Module 3 - How does it work?

    Splunk Positioning
    Features

  • Slide 15: Splunk Security Uses Over Time

    [Figure: uses plotted against Time] Security Event Investigation and Forensics -> Security/risk Reporting -> Simple real-time correlations and alerts -> Find hidd...
    Early on we often complement an existing SIEM; later, often we are the SIEM

  • Slide 16: Case #1 - Incident Investigation/Forensics

    Often initiated by alert in another product
    May be a cold case investigation requiring machine data going back months
    Need all the original data in one place and a fast way to search it to answer:
      What happened and was it a false positive?
      How did the threat get in, where have they gone, and did they steal any data?
      Has this occurred elsewhere in the past?
    Take results and turn them into a real-time search/alert if needed

    [Screenshot: raw log events with a January-March timeline]

  • Slide 17: Case #2 - Security/Compliance Rep...

    Many types of visualizations
    Easy to create in Splunk
    Ad-hoc auditor reports
    New incident list
    Historical reports
    SOC/NOC dashboards
    Executive/auditor dashboards

  • Slide 18: Case 3 - Correlations and Alerts

    Each row combines Event 1 + Event 2 + Event 3 into a conclusion:

    Data Loss Prevention tool identifies a server as containing confidential information
    + Active Directory identifies a brute force password-guessing attack on the server
    + Within X hours, a new Administrator role is created on the server
    = Possib... trying... confide...

    Firewall on an internal PC indicates the PC is being port scanned from an internal IP address
    + Network-based firewall indicates it is being port scanned from the same internal IP address
    + Within X hours, important key settings have been changed on the suspicious machine associated with the internal IP address
    = The m... the IP... been c... threat... reconn...

    Vulnerability scanner shows that an internal server has an unpatched OS
    + Intrusion Detection System sees an external attack on that specific server that exploits the vulnerability in the OS
    = The se... succes...
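    A worked version of the correlation idea on this slide, added here as an example and not code from the Splunk deck: a small Python rule engine that evaluates the first and third scenarios over constructed events. The event field names, the Rule shape and the window lengths are assumptions.

```python
# Added example, not code from the Splunk deck: a minimal correlation engine in the
# style of the "Event 1 + Event 2 + Event 3" scenarios. Field names (ts, source,
# action, host), the Rule shape and the window lengths are all assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Rule:
    name: str
    context: set        # (source, action) facts that must have been seen on the host earlier
    sequence: list      # (source, action) steps that must occur in order, inside `window`
    window: timedelta   # the slide's "within X hours", measured back from the last step


def correlate(rule, events):
    """One alert per host at each occurrence of the final step, provided every context
    fact was seen earlier and the preceding steps fit, in order, inside rule.window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort as text
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, last in enumerate(evs):
            if (last["source"], last["action"]) != rule.sequence[-1]:
                continue
            earlier = evs[:i]
            if not rule.context <= {(e["source"], e["action"]) for e in earlier}:
                continue  # e.g. DLP never flagged this host: a new admin role is routine
            t_last = datetime.fromisoformat(last["ts"])
            idx = 0  # next sequence step still to be matched
            for e in earlier:
                if datetime.fromisoformat(e["ts"]) < t_last - rule.window:
                    continue  # too old to count towards this chain
                if idx < len(rule.sequence) - 1 and (e["source"], e["action"]) == rule.sequence[idx]:
                    idx += 1
            if idx == len(rule.sequence) - 1:
                alerts.append({"rule": rule.name, "host": host, "at": last["ts"]})
    return alerts


# Constructed sample events (not real logs).
EVENTS = [
    {"ts": "2013-10-01T08:00:00", "source": "dlp", "action": "confidential_data_found", "host": "fs01"},
    {"ts": "2013-10-01T09:15:00", "source": "ad", "action": "brute_force_detected", "host": "fs01"},
    {"ts": "2013-10-01T11:40:00", "source": "ad", "action": "admin_role_created", "host": "fs01"},
    # same chain on db02, but the admin role appears a day later: outside the window
    {"ts": "2013-10-01T08:05:00", "source": "dlp", "action": "confidential_data_found", "host": "db02"},
    {"ts": "2013-10-01T10:00:00", "source": "ad", "action": "brute_force_detected", "host": "db02"},
    {"ts": "2013-10-02T15:00:00", "source": "ad", "action": "admin_role_created", "host": "db02"},
    # admin role created on a host DLP never flagged: no context, no alert
    {"ts": "2013-10-01T12:00:00", "source": "ad", "action": "admin_role_created", "host": "web03"},
    # scenario 3: scanner reports an unpatched OS, then the IDS sees an exploit attempt
    {"ts": "2013-09-30T22:00:00", "source": "vulnscan", "action": "unpatched_os", "host": "app07"},
    {"ts": "2013-10-01T13:30:00", "source": "ids", "action": "exploit_attempt", "host": "app07"},
    # the same IDS signature against a server the scanner did not flag: not correlated
    {"ts": "2013-10-01T13:31:00", "source": "ids", "action": "exploit_attempt", "host": "app08"},
]

RULES = [
    Rule("confidential_server_takeover",
         context={("dlp", "confidential_data_found")},
         sequence=[("ad", "brute_force_detected"), ("ad", "admin_role_created")],
         window=timedelta(hours=4)),
    Rule("exploit_against_known_vulnerable_host",
         context={("vulnscan", "unpatched_os")},
         sequence=[("ids", "exploit_attempt")],
         window=timedelta(hours=24)),
]


def run_all(rules=RULES, events=EVENTS):
    return [alert for rule in rules for alert in correlate(rule, events)]


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

    The context facts are deliberately not window-bound, since a DLP classification or a scan finding describes the host's state rather than a moment in time; only the sequence steps have to fall inside the window.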

  • Slide 19: Case 4 - Advanced Persistent Threat Pa...

    Unknown threats: APT / malicious insider; Spear-phishing and social engineering; Zero-day vulnerabilities; Custom malware; Actions hidden behind normal user credentialed activity; Move slowly and quietly; Evade detection

    Stages:
      Infiltration: Phishing or web drive-by. Email has attached malware or link to malware
      Back Door: Malware installs remote access toolkit(s)
      Recon: Malware obtains credentials to key systems and identifies valuable data
      Data Gath...: Data acqui... stage... exfiltr...

  • Slide 20: Security Relevant Data - APT Step 1: Collect ALL The Data in One Loca...

    SIEM: Security data, or alerts from po... products. Known threats.
    All Security Relevant Data: Normal user and machine gene... behind credentials. Includes Unknown threats.

  • Slide 22: Splunk: The Security Intelligence Pla...

    [Figure] All Your Machine Data -> Many Secur...: Advanc... Det...; Real-time ... and ...; Inc... Investigati...; Securit... rep...

  • Slide 23: Traditional SIEM Limitations

    Columns: Traditional SIEM | Splunk

    Traditional SIEM:
      Can be multiple products
      Often costly, physical appliances
      Difficult to deploy; long time to value
      Reliant on vendor's collectors
      DB schema and normalization limits investigations and correlations
      Scalability issues due to DB
      Lack of search & reporting flexibility l... ability to find outliers/anomalies
      Specializes in Known Threat detection
      Closed platform with no APIs, SDKs, A...
      Only security/compliance use cases
  • Slide 24: Industry Accolades

    Best SIEM Solution
    Best Enterprise Security Solution
  • Slide 25: One Solution; Three Main Offer...

    Majority of customers use 1 & 3 below
    2. Splunk App for Enterprise Security (cost)

  • Slide 26: Splunk App for Enterprise Security

    Pre-built searches, alerts, reports, dashboards, workflo...
    Incident Management View; Dashboards and Reports; Statistical Outliers; Asset and Identity

  • Slide 27: Key Learning Points, Module 3

    Machine Data: Machine data is one of the fastest growing, most complex and most valuable segments of big data. All Machine Data is security relevant.
    One Solution; Three Main Offer...: Splunk Enterprise; Splunk App for Enterprise Security; Additiona...
    Common Uses of Splunk for Security: Security Event Investigation and Forensics; Security/risk Reporting; Simple real-time correlations and alerts; Find advanced, hidden threats

  • Slide 28: Module 4 - How do we compete and succeed?

    Case Study Examples
    Competition
    Discovery Questions

  • Slide 29: Replacing a SIEM @ Cedar Cresto...

    Challenges: Inflexible SIEM
      Difficult to index non-security or custom app data without Prof Serv
      SIEM could not provide who/what/where context
      Inflexible parsing, visualizations, and reporting
      Limited correlations rules and ability to tailor them
    Enter Splunk: Flexible SIEM covering many use cases
      Easily index any data from any source. Saved $200k+ in Prof Serv & conn...
      Flexible search and reporting, including anomaly detection and custom...
      Helps customers be compliant, including for PCI and SOX
      Used by security and operation teams for strong ROI

    "We replaced a SIEM that we had before with Splunk and the S... Enterprise Security. The other SIEM's vision seemed right but ... brittle and got more so over time." - Dan Frye, VP Security

  • Slide 30: Replacing a SIEM @ Cisco

    Challenges: SIEM could not meet security needs
      Very difficult to index non-security or custom app log data
      Serious scale and speed issues. 10GB/day and searches took > 6 minute...
      Difficult to customize with reliance on pre-built rules which generated f...
    Enter Splunk: Flexible SIEM and empowered team
      Easy to index any type of machine data from any source
      Over 60 users doing investigations, RT correlations, reporting, advanced...
      All the data + flexible searches and reporting = empowered team
      900 GB/day and searches take < minute. 7 global data centers with 350...
      Estimate Splunk is 25% the cost of a traditional SIEM

    "We moved to Splunk from traditional SIEM as Splunk is design... engineered for big data use cases. Our previous SIEM was n... could not scale to the data volumes we have." - Gavin Reid, Leader, Cisco Computer Security Incident Respo...
  • Slide 31: SIEM Performance Comparison @ ...

    [Chart: Query Time vs. Indexed Data; Avg Query Time (seconds) plotted against Data Indexed (GB/day), Splunk vs. SIEM]

  • Slide 32: $500k Security ROI @ Interac

    Challenges: Manual, costly processes
      Significant people and days/weeks required for incident investigations
      No single repository or UI. Used multiple UIs, grep'd log files, reported...
      Traditional SIEMs evaluated were too bloated, too much dev time, too...
    Enter Splunk: Fast investigations and stronger security
      Feed 15+ data sources into Splunk for incident investigations, reports, r...
      Splunk reduced investigation time to hours. Reports can be created in m...
      Real-time correlations and alerting enables fast response to known and...
      ROI quantified at $500k a year. Splunk TCO is less than 10% of this.

    "Splunk is a product that provides a looking glass into our envi... we previously couldn't see or would otherwise have taken da..." - Josh Diakun, Security Specialist, Information Security Operat...
  • Slide 33: Security and Compliance @ Barc...

    Challenges: Unable to meet demands of auditors
      Scale issues, hard to get data in, and impossible to get data out beyond...
      Not optimized for unplanned questions or historical searches
      Struggled to comply with global internal and external mandates, and to...
      Other SIEMs evaluated were poor at complex correlations, data enrichm...
    Enter Splunk: Stronger security and compliance posture
      Fines avoided as searches easily turned into visualizations for complian...
      Faster investigations, threat alerting, better risk measurement, enrichm...
      Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, ...
      Other teams using Splunk for non-security use cases improves ROI

    "We hit our ROI targets immediately. Our regulators are... they say we need to demonstrate or prove the effectiv... control, the only way we can do these things is with Sp..." - Stephen Gailey, Head of Security Services
  • Slide 34: Find In-depth Customer Stories (R...

  • Slide 35: Key Competitor Scorecard

    Threat ratings (one per competitor row, in extraction order): 2, 2, 3, 3, 3

    Row 1 - Strengths: SIEM leaders quadrant; Largest installed base; RT correlation, lots of rules; 100s of supported data sources. Weaknesses: Complex, long impl...; SIEM is separate log...; Data exploration ne...; Post-HP acquisition minimal innovation
    Row 2 - Strengths: SIEM leaders quadrant; 100s of supported data sources; SIEM portfolio includes network and app monitoring products; New Big Data offering including Hadoop and InfoSphere. Weaknesses: Connectors are britt...; Limited scalability; Difficult to create cu...; SIEM is separate log...; New offering is an u... SIEM of multiple p...
    Row 3 - Strengths: SIEM leaders quadrant; SIEM portfolio includes network, DB, and app monitoring products; Big push by McAfee since purchase. Weaknesses: Poor track record of...; Limited flexibility w...; Difficult to create cu...; SIEM is separate log...
    Row 4 - Strengths: SIEM leaders quadrant; Strong traction in compliance; Easy to use & deploy; Lots of out of the box content. Weaknesses: SMB, not seen muc...; Difficult to create cu...
    Row 5 - Strengths: Security portfolio includes DLP and eGRC; Re-architected offering as RSA Security Analytics incl Hadoop and rest of portfolio; New offering demos well. Weaknesses: New offering is an u... SIEM of multiple p...; Old version - Cumbe... scale issues, custom...

  • Slide 36: Discovery Questions

    Objective: Understand the customer use cases and problems so you can position the right solution. Common Splunk use cases include security investigation, forensics, correlations, advanced threat detection, fraud.
    Questions to Ask:
      1. What is your security use case?
      2. What are you looking at Splunk to help you...

    Objective: Understand what incumbent solutions they have and what their pain is. Identify the entry points. Examples: New to SIEM, Replacing a SIEM, Looking to augment a SIEM, Need a data investigation tool.
    Questions to Ask:
      1. What kinds of security technologies do you h... evaluate security threats?
      2. What problems do you have that you can't a... solution?

    Objective: Understand the customer's security model and business practice maturity. Use this to understand how they think about security. Are they a check box customer or building a comprehensive security practice?
    Questions to Ask:
      1. What data sources do you have that are used...
      2. What is the SLA for response to a threat in y...
      3. How many people do you have within your s... functions do they have: security analysts, se...

    Objective: Understand the importance the prospect places on out of the box capabilities versus flexibility.
    Questions to Ask:
      1. What value do you place on out of the ... repor...
      2. What value do you place on ad hoc reporting...
      3. How important is out of the box alerting and flexibility to create your own alerts?

  • Slide 37: Problem / Solution Matrix

    Columns: Customer use case | Soluti... Splunk

    Customer use cases:
      Security forensics / investigations (highly capable customer)
      Security forensics / investigations (low capability customer)
      Security reporting / visualizations
      Event correlation and real-time alerting
      Pre-built reports, dashboard, correlation rules
      Incident workflow
      Fraud Detection
      Network Monitoring
      Technology specific monitoring

  • Slide 38: Selling Best Practices

    Qualify/Discovery > First Meeting/Demo > Evaluation/PoC

    Qualify/Discovery:
      If using Splunk for other use cases, leverage this and internal champion...
      Use discovery to uncover pain and determine offering(s) to sell
      Do not be afraid if they already have a SIEM; often they are not happy w...
    First Meeting/Demo:
      Broaden deal beyond just security
      Seed our points of differentiation and how we are more than a SIEM
    Evaluation/PoC:
      Avoid PoC by using demo, refs, internal champions
      At minimum, limited deployment of Enterprise for investigations/...
      But ideally also sell the App for Enterprise Security covering all dat...
      With Splunk success, limited deal can be extended and existing SIE...

  • Slide 39: Key Learning Points, Module 4

    Broaden the Scope: All Machine Data is security relevant; Look cross use case as well as within Security
    One Solution; Three Main Offer...: Understa... position S... alone or w... App for E... Premium
    We can replace a SIEM: We can replace an existing SIEM; Understand the Use Case; Don't be afraid to compete

  • Slide 40: Module 5 - How do you price?

    Pricing Examples

  • Slide 41: Splunk Enterprise - Annual or Perpetual

  • Slide 42: Splunk Enterprise Perpetual

    Columns: Name | Description | Support | How...

    Name: Splunk Enterprise Perpetual
    Description: On-premise ENTERPRISE SPLUNK that the customer owns perpetually (forever)
    Support: Enterprise Support ($), SKU: ES-GB-P, 20% of Net License; Global Support ($$), SKU: GS-GB-P, 25% of Net License. Annual Renewals: Support is renewed to access new releases.
    How...: Daily... by am... index... period...

  • Slide 44: Premium App Pricing Module - Splunk App for Enterprise Security

  • Slide 45: Key Learning Points, Module 5

    Security: Security is the use case. Splunk Enterprise is the product you sell. You can also sell the Splunk App for Enterprise Security or the Splunk App for PCI.
    Data I... per...: Splunk Enterprise licensed b... data inde... period. O... measurem... in GB per...
    Perpetual or Term: Splunk Enterprise can be purchased as a Perpetual or Annual license.

  • Slide 46: Internal Enablement

    Global Field Enablement Portal > Security
    Partner Enablement Portal > Security Opportunity Playboo...

  • Slide 47: Customer Facing Materials

    Marketing Workspace | Content Search > Splunk.com > Security

  • Slide 48: Who Do I Contact?

    Product Marketing: Joe Goldberg, Senior Manager, all security/compliance; Mark Seward, Senior Director, all security/compliance
    Product Management: Jack Coates, Product Manager
    Security Strategists (highly qualified, strategic/large accounts): Fred Wilmot (team manager)
    Global Field Enablement | Internal Training Deliverables ([email protected]):
      School of Splunk: Field Onboarding (Sales, Technical)
      School of Splunk: Field New Hire Training (Sales, Technical)
      School of Splunk: Field Enablement Portal (Sales, Technical, Partner)
      School of Splunk: Weekly Virtual (VEC) and Technical (TEC) Enablement Calls
  • Slide 49: THANK Y...