Splunk Discovery Düsseldorf: September 2017 - Security Session
TRANSCRIPT
© 2017 SPLUNK INC.
Agenda: Discovery Düsseldorf | 20 September 2017
Time | Presentation | Speaker
09:00 – 09:15 | Splunk Overview | Frank Böning, Vice President Central Europe, Splunk
09:15 – 09:30 | Buttercup Games | Kai-Ping Seidenschnur, Senior Sales Engineer, Splunk
09:30 – 10:00 | Splunk @ Vodafone | Eugen Rogoza, Integration Lead mCommerce, Vodafone
10:00 – 11:00 | Data-driven Insights into Your IT Operations | René Siekermann, IT Markets Specialist EMEA, Splunk
11:00 – 11:30 | Break
11:30 – 12:30 | Best Practices for Your Security Strategy | Angelo Brancato, Security Markets Specialist EMEA, Splunk
12:30 – 13:00 | Operational Intelligence Demo | Kai-Ping Seidenschnur, Senior Sales Engineer, Splunk
13:00 – 14:00 | Lunch
14:00 | End of the event
Who am I
Angelo Brancato
Splunker, Security Specialist
http://www.informationisbeautiful.net
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/the-state-of-security-operations.html
IDC Security Response Readiness
- Risk unknown
- In denial of breach
- No Incident Response (IR) plans
- Ad-Hoc / Reactive
- Limited resources
- Custom tools
- Basic alarming
- IR on roadmap
- Limited resources
- Risk understood
- SIEM in place
- Basic run books
- Some integrations
- Internal & external resourcing
- Assume breached
- Formal run books
- Formal and (annually) tested IR plan
- Panel of specialists
- Proactive threat hunting
- Best Practices & continuous improvement
- IR plans tested regularly (agile)
- Holistic security view
- Forensic investigation and legal agreement to share IR data
- Integration and Automation
- Internal and external resources
Investigation
How Splunk can help: Right decision, at the right time
Visibility
Automation
Threat Hunting
Situational Awareness
Risk Scoring
SOC Run Books
Adaptive Response
Business Enablement
Hunting
How Splunk can help: Right decision, at the right time
Visibility
Automation
Business Enablement
Risk Scoring
Situational Awareness
Investigation
SOC Playbooks
Adaptive Response
Avoid the “Medienbruch” (German: media discontinuity)
Drawing from independent.co.uk, modified
Different People asking Different Questions of the Same Data
Enterprise Machine Data Fabric (Splunk):
Business Analytics
IT Operations
Security Operations
Application Development & Delivery
Internet of Things
Analytics-Driven Security
Monitor | Detect | Investigate | Respond
Machine Data: Universal Indexing, Schema-On-Read
Enterprise: On-Premise, Cloud, Hybrid
Enterprise Security & UEBA
Adaptive Response
SOC Playbooks
People | Process | Technology
Tier 1 - Alert Analyst | Tier 2 - Incident Responder | Tier 3 - SME / Hunter
http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html
IT Operations
Application Delivery
Industrial Data & IoT
Business Analytics, Future Markets
IT Security, Compliance & Fraud
Different people asking different questions… of the same data.
Analytics-Driven Security
Monitor | Detect | Investigate | Respond
Machine Data
Enterprise: On-Premise, Cloud, Hybrid
Enterprise Security & UEBA
Security Operations Maturity: Reactive to Proactive
Search and Investigate
Proactive Monitoring and Alerting
Security Situational Awareness
Real-time Risk Insight
Analytics-Driven Security
Human-driven Analytics (Realm of Known) to ML-driven Analytics (Realm of Unknown)
Data ingestion, Universal Indexing, Schema-on-Read, Log Aggregation
Search and Report
Monitor and Alert
Splunk Security Essentials (for Ransomware), CIS Top 20, PCI Compliance, Machine Learning Toolkit etc.
Enterprise Security:
• Correlation- and Notable Event Framework
• Risk Scoring Framework
• OTB key Security Metrics, Dashboards, Use Cases & Analytic Stories
• Incident Investigation & Response workflow
• Adaptive Response
• Glass Tables, etc…
ML-driven Analytics:
• Risky behavior detection
• Entity profiling, scoring
• Kill chain, graph analysis
• Unsupervised Machine Learning
Analytics-Driven Security portfolio (On-Premise, Cloud, Hybrid)
Human-driven Analytics to ML-driven Analytics; SIEM
Enterprise
Developer Platform (REST API, SDKs)
Security Essentials
Security Essentials for Ransomware
Splunk App for PCI Compliance
Machine Learning Toolkit
CIS Top 20 Critical Security Controls
Add-Ons
Splunk Stream
Cyber Security Investigator
Splunk CIS* Top 20 (Best Practice) Critical Controls
https://www.cisecurity.org/controls/
https://splunkbase.splunk.com/app/3064/
CIS Top 20 controls improve risk posture against real-world threats
The control areas grew out of an international consortium
Splunk can monitor PCI compliance and generate Alerts for non-compliance
In case of non-compliance Splunk can carry out recommended actions
40+ Dashboards
Splunk CIS Top 20 Critical Security Controls
*CIS: Center for Internet Security, https://www.cisecurity.org/controls/
Splunk Premium App for PCI Compliance: https://splunkbase.splunk.com/app/2897/
Compliance Overview | Incident Review and Management | Asset and Identity Aware | Scorecards and Reports
Measures effectiveness and status of PCI compliance technical controls
Meets PCI requirements around log retention/review, and continuous monitoring
Fast ability to get to cause of non-compliance or answer auditor data requests
Covers up to PCI DSS v3.1 standards
Splunk App for PCI Compliance
Security Essentials: https://splunkbase.splunk.com/app/3435/
50+ use cases (common in UEBA products)
Target external attackers and insider threat
Scales from small to massive companies
Can send results to ES/UBA
Detection Methods:
Time series analysis (with standard deviation)
First time analysis (powered by stats)
General Splunk searches
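The two detection methods the slide names, as an added Python example that is not the app's own searches: the hourly counts and logon events are constructed, and the SPL commands mentioned in the comments (eventstats, stats, stdev, min(_time)) are the Splunk equivalents of what the functions do.

```python
"""Two Security Essentials detection methods re-implemented over constructed
events (added example, not Splunk Security Essentials' own searches)."""
from statistics import mean, pstdev

# Constructed sample: failed logins per hour from one source address.
# The first nine hours are quiet baseline; the tenth is a burst.
HOURLY_FAILED_LOGINS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 38]

# Constructed sample: (day, user, host) interactive logons over ten days.
LOGON_EVENTS = [
    (1, "alice", "ws01"), (2, "alice", "ws01"), (3, "bob", "ws02"),
    (4, "alice", "ws01"), (5, "bob", "ws02"), (6, "alice", "ws01"),
    (7, "bob", "ws02"), (8, "alice", "ws01"), (9, "bob", "ws02"),
    (10, "alice", "db01"),   # alice has never logged on to db01 before
]


def time_series_outliers(series, n_sigma=3.0, min_baseline=3):
    """Time series analysis with standard deviation: each bucket is compared
    with mean + n_sigma * stdev of all earlier buckets (its baseline); in SPL
    this is eventstats avg()/stdev() followed by a where clause.
    Returns [(bucket_index, value, threshold), ...] for buckets above it."""
    hits = []
    for i in range(min_baseline, len(series)):
        baseline = series[:i]
        threshold = mean(baseline) + n_sigma * pstdev(baseline)
        if series[i] > threshold:
            hits.append((i, series[i], round(threshold, 2)))
    return hits


def first_time_seen(events, today, window_days=1):
    """First time analysis 'powered by stats': compute the earliest day each
    (user, host) pair was observed (stats min(_time) by user, host in SPL);
    pairs first observed inside the last window_days are new and reported."""
    first_day = {}
    for day, user, host in events:
        if day > today:          # ignore events after the analysis date
            continue
        key = (user, host)
        first_day[key] = min(day, first_day.get(key, day))
    window_start = today - window_days + 1
    return sorted(key for key, day in first_day.items() if day >= window_start)


if __name__ == "__main__":
    print(time_series_outliers(HOURLY_FAILED_LOGINS))   # [(9, 38, 6.16)]
    print(first_time_seen(LOGON_EVENTS, today=10))      # [('alice', 'db01')]
```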
Security Essentials for Ransomware: https://splunkbase.splunk.com/app/3593/
Use Cases:
Fake Windows Processes
Malicious Command Line Executions
Monitor AutoRun Reported Registry Keys
Monitoring Successful Backups
Monitor Successful Windows Update
Monitoring Unsuccessful Backups
Ransomware extensions
Ransomware Note Files
Ransomware Vulnerabilities
SMB traffic Allowed
Spike in SMB traffic
Detect TOR Traffic
Office Spawns Unusual Process
Detection Methods:
Detection via Statistical Analysis
Detection via Windows Registry
Detection via Shannon Entropy
Detection via Fake Windows Processes
Detection via File Encryption Events
Detection via DNS Traffic
Detection via Sysmon Logs
Detection via Firewall Logs
Detection via IDS Events
Detection via Network Activity
Detection via SMB Events
Detection via Deletion of Shadow Copies
Forensics via log2timeline
Prevention via Lag Detection
Prevention via Vulnerability Management
Prevention via Backup Activity
Prevention via Automated File Analysis
Cyber Security Investigator: https://splunkbase.splunk.com/app/3361/
Example questions:
traffic today compared to normal
Email traffic compared to normal
What are the count of windows related alerts over the last week?
Hourly traffic to China
Which accounts were recently deleted?
Top accounts with failed logins
Show me traffic for app dns
Show me the systems where user ghost exists
How does traffic look during non-business hours compared to during business hours?
Event count over time by top 10 hosts
What's the average number of vulnerabilities across all of our systems
Graph the hourly max response time of web requests
Malware signatures on more than 10 distinct hosts
Websites with the most bytes
…
Insight Engines: Cyber Security Investigator for Splunk
Security Stream: https://splunkbase.splunk.com/app/1809/
Features: Metadata Collection; Live Interface Collection Option; Commercial App Detection (300+); NetFlow Collector; Aggregation Mode; Filtering at Endpoint; Out-of-Box Content; Distributed Forwarder Mgt; 1GbE and 10GbE link options
Get visibility into application performance and user experience
Understand database activity and performance without impacting database operation
Improve security and application intelligence with DNS analytics
Splunk Stream
Layer | Examples
7. Application | HTTP, SMTP
6. Presentation | TLS
5. Session | SCP
4. Transport | TCP, UDP
3. Network | IPv4, IPv6
2. Data Link | Ethernet
1. Physical | Ethernet, WiFi
Deployment:
• Out-of-band (stub) with tap or SPAN port
• In-line directly on monitored host
Collection:
• Technical Add-On (TA) with Splunk Universal Forwarder (UF)
• Independent Stream Forwarder using HTTP Event Collector (HEC)
Diagram: Independent Stream Forwarder on any Linux host sends to Splunk Indexers over TLS/HEC; Splunk Forwarder sends to Splunk Indexers over TLS
MLTK – applied example: DGA Analyzer
This is an example a Splunk SE built.
It uses the MLTK (Machine Learning Toolkit) to very reliably detect DGA-generated domain names.
Machine Learning Toolkit: https://splunkbase.splunk.com/app/2890/
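Shannon entropy of a domain label is one widely used DGA feature; the ransomware slide above lists "Detection via Shannon Entropy", and the DGA Analyzer's actual feature set and model are not shown in the deck, so the following is an added Python example rather than that app's code. The sample domains, the `looks_dga` rule and its thresholds are constructed.

```python
"""Shannon entropy and related label features as DGA indicators (added
example; not the DGA Analyzer app's code, whose model is not on the slide)."""
import math
from collections import Counter

# Constructed sample: three benign names and two DGA-looking names.
SAMPLE_DOMAINS = [
    "www.google.com", "splunk.com", "wikipedia.org",
    "xk3jd9qzpw1vr.net", "qwv7tzlk2p9xmnr4.com",
]


def registrable_label(fqdn):
    """Second-level label; assumes a single-label public suffix such as .com."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Entropy of the character distribution of s in bits; 0 for ''."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_features(fqdn):
    """Per-domain feature vector a DGA classifier could consume."""
    label = registrable_label(fqdn)
    n = max(len(label), 1)                   # avoid division by zero
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowels / n, 3),
        "digit_ratio": round(digits / n, 3),
    }


def looks_dga(fqdn, entropy_threshold=3.5, vowel_floor=0.2):
    """Constructed rule of thumb standing in for a trained model: a long,
    high-entropy label with few vowels. Tune thresholds on your own baseline."""
    f = dga_features(fqdn)
    return f["entropy"] >= entropy_threshold and f["vowel_ratio"] < vowel_floor


def score_domains(domains=SAMPLE_DOMAINS):
    return {d: looks_dga(d) for d in domains}
```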
Enterprise Security: Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
Dashboards & Reports | Incident Investigations and Management | Statistical Outliers & Risk Scoring | Asset & Identity Aware
• Correlation- and Notable Event Framework
• Risk Scoring Framework
• OTB key Security Metrics, Dashboards, Use Cases & Analytic Stories
• Incident Investigation & Response workflow
• Adaptive Response
• Glass Tables, etc…
Enterprise Security ▶ Adaptive Response
MONITORING AUTOMATION: Splunk Adaptive Response Partnerships
Categories: WAF & App Security; Orchestration; Network; Threat Intelligence; Internal Network Security; Identity and Access; Endpoints; Firewall; Web Proxy
HUMAN MACHINE AUTHORING: Security Machine Learning & Data Science
User and Entity Behavior Analytics
Use machine data to meet customer expectation
What do you expect?
I expect detailed App usage analytics
I expect 360° visibility into how my business is performing
I expect security dashboards, reports and real-time alerts and risk scoring
I expect a secure IT environment
I expect network and equipment uptime
I expect you to protect my data
I expect compliance
I expect Risk reduction
I expect an effective and secure App. DevOps
.conf2017: The 8th Annual Splunk Conference
SEPT 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C.
CONF.SPLUNK.COM
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
Join: Our Community with Apps, Ask Questions or join an online session!
https://www.splunk.com/en_us/community.html
Try: Splunk Security Online Experience (No Download)
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html
Explore: Splunkbase – our online store of over 1000+ apps
https://splunkbase.splunk.com/
Splunk for GDPR
Prove GDPR Security Controls are enforced
Detect, Prevent and Investigate Data Breaches
Search and Report on Personal Data Processing
Splunk for GDPR: Detect, Prevent and Investigate Data Breaches
The Forrester Wave: Security Analytics Platforms, Q1 2017
Gartner MQ for SIEM, Aug. 2016
Article 33 - Notification of a personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject
Data Breach Notification
Splunk for GDPR: Prove GDPR Security Controls are enforced
Article 32 - Security of processing
Article 58 - Supervisory Investigative Powers
Risk Minimization | Report Compliance | DPIA
Splunk for GDPR: Search and Report on Personal Data Processing
Article 30 - Records of Processing Activity
Article 5, 15, 17, 18 and 28 - Data Subject Rights
Supply chain Obligations
Right to be Forgotten
Right of rectification
Right of access
Right of data portability…