Splunk Live Security Track Today
13:00-14:00: Operational Security Intelligence
14:00-15:00: Splunk for Enterprise Security featuring User Behavior Analytics
15:00-16:00: Cloud Breach – Detection and Response
16:00-17:00: Happy Hour
17:00–19:30: Splunk London User Group Meeting
Register and more info/agenda: https://usergroups.splunk.com
Who I am
• Now Product Marketing Manager EMEA
• 7 years consultant, Security + Big Data
• 3+ years at Splunk, McAfee (Intel Security), Tibco LogLogic
• Worked with top organizations across industries advising customers
• CISSP, Certified Ethical Hacker
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• The superhero and the fish market – a short story
• What is Security Intelligence
• For the bosses
• Demos and Examples
Image: http://www.123rf.com/photo_30266410_seattle-july-5-customers-at-pike-place-fish-company-wait-to-order-fish-at-the-famous-seafood-market-.html
Security Intelligence
Information relevant to protecting an organization from external and inside threats, as well as the processes, policies and tools designed to gather and analyze that information.
http://whatis.techtarget.com/definition/security-intelligence-SI
Intelligence
Actionable information that provides an organization with decision support and possibly a strategic advantage. SI is a comprehensive approach that integrates multiple processes and practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI
Alerts
Alert 1 – Host A: Accessing unusual network segments
Alert 2 – Host B: Malware found but couldn't be removed
Worth an investigation? Which one to investigate first?
Persist, Repeat
Data Sources Required
Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Third-party threat intel • Open-source blacklist • Internal threat intelligence
Network: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Firewall, IDS, IPS • DNS • Email • Web proxy • NetFlow • Network
Endpoint: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching
Access/Identity: access level, privileged users, likelihood of infection, where they might be in the kill chain
• Active Directory • LDAP • CMDB • Operating system • Database • VPN, AAA, SSO
Risk Based Analytics
Network • Endpoint • Access • Threat Intelligence
• Rules/String/Regex matching • Statistical outliers and anomalies • Session and Behavior profiling • Scoring and aggregation
Example – Situation
Day 1
• Host A: IDS signature triggers
• Source: Network IDS
Day 5
• Host A: AV system triggers
• Source: Anti-Virus
Day 10
• Host A: Multiple failed logins from this host
• Source: Active Directory
Day 20
• Host A: Accessing unusual network segments
• Source: Network Traffic Correlation
Context: Risk Scoring
Day 1
• Host A: IDS signature triggers
• Source: Network IDS
• Risk Score Host A: 0 + 10
Day 5
• Host A: AV system triggers
• Source: Anti-Virus
• Risk Score Host A: 10 + 30
Day 10
• Host A: Multiple failed logins from this host
• Source: Active Directory
• Risk Score Host A: 40 + 30
Day 20
• Host A: Accessing unusual network segments
• Source: Network Traffic Correlation
• Risk Score Host A: 70 + 5
Context and Intelligence
• Integrate across technologies • Automated context matching • Automated context acquisition • Post processing and post analysis
Sources: Threat Intelligence • Asset & CMDB • API/SDK Integrations • Data Stores • Applications
Alerts
Alert 1 – Host A: Accessing unusual network segments (Risk Score Host A: 75)
Alert 2 – Host B: Malware found but couldn't be removed (Risk Score Host B: 5)
Worth an investigation? Which one to investigate first?
Alerts
Alert 1 – Host A: Accessing unusual network segments
• Risk Score Host A: 75
• System Owner: Juergen Klopp, Location: Liverpool
• Confidentiality Level: High
Alert 2 – Host B: Malware found but couldn't be removed
• Risk Score Host B: 5
• System Owner: Donald Duck, Department: Duckburg
• Confidentiality Level: Low
Worth an investigation? Which one to investigate first?
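To make the two slides above concrete, here is an added Python example (not Splunk code and not from the deck) that accumulates the per-host risk score from the Day 1 to Day 20 timeline and then uses the asset context (owner, confidentiality level) to decide which alert to investigate first. The alert list, the asset records and the "Endpoint Malware Detection" weight used for Host B are constructed for the example.

```python
from collections import defaultdict

# Risk contribution per alert source, taken from the slide's Day 1..Day 20
# walk-through. "Endpoint Malware Detection" is a constructed entry so that
# Host B ends up with the score of 5 shown on the slide.
RISK_WEIGHTS = {
    "Network IDS": 10,
    "Anti-Virus": 30,
    "Active Directory": 30,
    "Network Traffic Correlation": 5,
    "Endpoint Malware Detection": 5,
}

# Constructed alert timeline: (day, host, source, description).
ALERTS = [
    (1, "Host A", "Network IDS", "IDS signature triggers"),
    (5, "Host A", "Anti-Virus", "AV system triggers"),
    (10, "Host A", "Active Directory", "Multiple failed logins from this host"),
    (20, "Host A", "Network Traffic Correlation", "Accessing unusual network segments"),
    (20, "Host B", "Endpoint Malware Detection", "Malware found but couldn't be removed"),
]

# Constructed asset/CMDB context, matching the slide.
ASSET_CONTEXT = {
    "Host A": {"owner": "Juergen Klopp", "location": "Liverpool", "confidentiality": "High"},
    "Host B": {"owner": "Donald Duck", "department": "Duckburg", "confidentiality": "Low"},
}
CONFIDENTIALITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

def risk_history(alerts, weights=RISK_WEIGHTS):
    """Per host, the cumulative risk score after each alert in day order.
    Unknown sources add 0. Host A on the slide: [10, 40, 70, 75]."""
    history = defaultdict(list)
    for _day, host, source, _desc in sorted(alerts):
        previous = history[host][-1] if history[host] else 0
        history[host].append(previous + weights.get(source, 0))
    return dict(history)

def risk_scores(alerts, weights=RISK_WEIGHTS):
    """Current risk score per host: the last entry of its history."""
    return {h: hist[-1] for h, hist in risk_history(alerts, weights).items()}

def prioritise(alerts, context=ASSET_CONTEXT):
    """Hosts ordered by risk score, ties broken by asset confidentiality."""
    scores = risk_scores(alerts)
    def key(host):
        level = context.get(host, {}).get("confidentiality", "Low")
        return (scores[host], CONFIDENTIALITY_RANK.get(level, 0))
    return sorted(scores, key=key, reverse=True)
```

Running `prioritise(ALERTS)` returns Host A first, reproducing the slide's 75 versus 5; the tie-break on confidentiality only matters when two hosts carry the same score.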
Connecting People and Data
• Human mediated automation • Sharing and collaboration • Free form investigation – human intuition • Interact with views and workflows • Any data, all data
Automation • Collaboration • Investigation • Workflows • All data
SECURITY USE CASES
• SECURITY & COMPLIANCE REPORTING
• REAL-TIME MONITORING OF KNOWN THREATS
• MONITORING OF UNKNOWN, ADVANCED THREATS
• INCIDENT INVESTIGATIONS & FORENSICS
• INSIDER THREAT
Splunk Can Complement OR Replace an Existing SIEM
SPLUNK FOR SECURITY
SECURITY APPS & ADD-ONS • SPLUNK APP FOR PCI
SIEM • Security Analytics • Fraud, Theft and Abuse
Platform for Security Services
SPLUNK USER BEHAVIOR ANALYTICS
SPLUNK ENTERPRISE SECURITY
Wire data • Windows • RDBMS (any) data
SIEM integration
Adaptive Response: Remediating user account takeover
Detect: • Malicious Logons
Respond: • Reset Password
Orchestrate Automation
SPLUNK IS THE NERVE CENTER
App • Endpoint/Server • Cloud • Threat Intelligence • Firewall • Web Proxy • Internal Network Security • Identity • Network
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS
The 7th Annual Splunk Worldwide Users' Conference
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!