mission possible: detect and prevent cyberattacks with splunk and palo alto networks

Copyright © 2015 Splunk, Inc. Splunk + Palo Alto Networks Present: Mission: Possible Detect and Prevent Cyber Attacks

Upload: erin-sweeney

Post on 16-Aug-2015

Category: Technology

TRANSCRIPT

Page 1: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk + Palo Alto Networks Present: Mission: Possible Detect and Prevent Cyber Attacks

Page 2: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk and Palo Alto Networks

Next Gen Firewalls w/ Next Gen Big Data Analytics

Splunk App for Palo Alto Networks, developed in 2011

15,000+ cumulative App downloads

Strong Alliance since 2010

First integration to offer Active Response

Today – App is in version 4.x (4.2.1)

Page 3: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Today's Speakers

Joe Goldberg • Product Marketing, Security and Compliance, Splunk

Joerg Sieber • Product Marketing, Palo Alto Networks

Page 4: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk and Palo Alto Networks undertake no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 5: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Agenda

1 Splunk Overview

2 Palo Alto Networks Overview

3 Demo of the Splunk for Palo Alto Networks App

4 Next Steps

Page 6: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Advanced Threats in the Headlines

Cyber Criminals: "Another Day, Another Retailer in a Massive Credit Card Breach" – Bloomberg Businessweek, March 2014

Insider Threats: "Edward Snowden Tells SXSW He'd Leak Those Secrets Again" – NPR, March 2014

Nation States: "Iranian hackers compromised airlines, airports, critical infrastructure firms" – Computerworld, Dec 2014

Page 7: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Mission Impossible to Defeat?

100%: Valid credentials were used

40: Average # of systems accessed

205: Median # of days before detection

69%: Of victims were notified by external entity

Source: Mandiant M-Trends Report 2012, 2013, 2014, 2015

Page 8: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Mission Possible to Defeat!

Leading, Next-Generation Technologies: SIEM + Network/Endpoint

Page 9: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Section 1: Splunk

Page 10: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Thousands of Customers and Analyst Validation

Gartner MQ for SIEM 2014

Page 11: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk: The Platform for Machine Data

Developer Platform: report and analyze, custom dashboards, monitor and alert, ad hoc search, all real-time

Data sources (any amount, any location, any source): Cloud Infrastructure, Web Proxy, Data Loss Prevention, Storage, Desktops, Packaged Applications, Custom Applications, Databases, DNS/DHCP, Smartphones and Devices, Firewall, Authentication, File servers, Endpoint, Badging records, Email servers, VPN, Anti-malware, Vuln scans, IDS, Network Flows

External Lookups: Threat Intelligence, Asset and CMDB, Employee / HR Info, Data Stores, Network Segments / Honeypots

Schema-on-the-fly, universal indexing, no back-end RDBMS, no need to filter data

Page 12: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk software complements, replaces and goes beyond traditional SIEMs

Top Splunk Security Use Cases: Security and Compliance Reporting; Real-Time Monitoring of Known Threats; Monitoring of Unknown Threats; Incident Investigations and Forensics; Fraud Detection; Insider Threat

Page 13: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk Product Offerings

SPLUNK ENTERPRISE (CORE)

SPLUNK APP FOR ENTERPRISE SECURITY

240+ SECURITY APPS: Stream data, Windows / AD / Exchange, Palo Alto Networks, Bit9, SANS DShield, DNS, OSSEC, Snort, Cisco

Page 14: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk Key Differentiators vs Traditional SIEMs

• Single product, UI, data store

• Software-only; install on commodity hardware

• Quick deployment + ease-of-use = fast time-to-value

• Can index any data type

• All original/raw data indexed and searchable

• Big data architecture enables scale and speed

• Flexible search and reporting enables better/faster threat investigations and detection

• Open platform with API, SDKs, Apps

• Use cases beyond security/compliance

Page 15: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk Is Used Across IT and the Business

IT Operations; Application Delivery; Security, Compliance and Fraud; Business Analytics; Industrial Data and Internet of Things

Strong ROI and facilitates cross-department collaboration

Page 16: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Section 2: Palo Alto Networks

Page 17: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Palo Alto Networks At-a-Glance

CORPORATE HIGHLIGHTS

• Founded in 2005; first customer shipment in 2007

• Safely enabling applications and preventing cyber breaches

• Able to address all enterprise cybersecurity needs

• Exceptional ability to support global customers

• Experienced team of 2,300+ employees

• Q3 FY15: $234M revenue

Chart: REVENUES ($MM), FY09 through FY14, axis $0 to $600

Chart: ENTERPRISE CUSTOMERS: 4,700 (Jul-11), 9,000 (Jul-12), 13,500 (Jul-13), 19,000 (Jul-14)

Page 18: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

2015 Magic Quadrant for Enterprise Network Firewalls

Palo Alto Networks is proud to be named a Leader once again. We are now a four-time Magic Quadrant leader recognized for our ability to execute and completeness of vision.

Gartner, Magic Quadrant for Enterprise Network Firewalls, Adam Hils, et al, April 22, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from go.paloaltonetworks.com/gartnermq2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 19: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Enabling Applications, Users and Content

Page 20: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Failure of Legacy Architectures

Diagram: point products from Vendor 1, Vendor 2, Vendor 3 and Vendor 4 (Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Endpoint AV, Network AV, DNS protection cloud, DNS protection for outbound DNS, UTM/Blades) sit between the Internet and the Enterprise Network, each with its own Internet connection and malware intelligence, each emitting its own separate stream of DNS, Endpoint, AV, SMTP and Web alerts.

Limited Visibility. Manual Response. Lacks Integration.

Page 21: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Delivering a Next Generation Security Platform

NATIVELY INTEGRATED, EXTENSIBLE, AUTOMATED

THREAT INTELLIGENCE CLOUD, NEXT-GENERATION FIREWALL, ADVANCED ENDPOINT PROTECTION

Page 22: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Threat Intelligence Cloud

THREAT INTELLIGENCE CLOUD: WildFire, Threat Prevention, URL Filtering

THE UNKNOWN: automatically identified. REMEDIATION: automatically prevented.

192,000 anti-malware protections per day; 24,000 URL protections per day; 12,000 DNS protections per day

Protections delivered automatically in 15 minutes

Forensics and Reporting: rich forensics and reporting for quick, detailed investigation

Page 23: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Safely Enable Applications

Visibility into all applications and users on the network

REDUCE AND CONTROL RISK: remove threats from wanted traffic

FACILITATE ACCESS: allow desired applications by user, limit high-risk features

Cloud

Page 24: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Section 3: Demo of the Splunk for Palo Alto Networks App

Page 25: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Splunk for Palo Alto Networks App

• Includes: Technology add-on, dashboards, form boxes, custom commands

• Use cases: Reporting, trending, incident investigations, interaction with PAN

Page 26: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Getting the App

• Free download and documentation at Splunk.com > Community > Apps and Add-Ons: http://apps.splunk.com/app/491

• Available on GitHub for cloning and forking: https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks

Page 27: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Architecture

Splunk side: Splunk Enterprise, with the Splunk for Palo Alto Networks App and the Splunk App for Enterprise Security on top of it

Palo Alto Networks side: PAN firewalls, Panorama, Traps agent, Traps server, WildFire

Page 28: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Data Flow if Just Firewalls

Diagram (same components as the Architecture slide): logs reach Splunk Enterprise from the PAN firewalls OR from Panorama, and the Splunk for Palo Alto Networks App and Splunk App for Enterprise Security work on the indexed data.

Page 29: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Data Flow if also WildFire

Diagram (same components as the Architecture slide): the firewall/Panorama flow, with WildFire added as a further source of data into Splunk Enterprise.

Page 30: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Data Flows if also Traps

Diagram (same components as the Architecture slide): the flows above, with the Traps agent and Traps server added as endpoint data sources into Splunk Enterprise.

Page 31: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Data Flows from Splunk to PAN

Diagram (same components as the Architecture slide): the reverse direction, in which Splunk Enterprise, through the app, pushes actions to the PAN firewalls OR to Panorama.
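The Splunk-to-PAN direction on this slide rests on the firewall's XML API. As an added example for this transcript (not the app's own custom-command code), the block below builds the User-ID tag-registration request that makes a Dynamic Address Group pick up a host, so that a security policy referencing that group can block or quarantine it. It assumes the PAN-OS XML API call shape type=user-id with a uid-message document in the cmd parameter (confirm in the XML API reference for your PAN-OS release); the firewall hostname, key and responses are constructed. Nothing here sends a packet, which is deliberate: the request is built and checked so it can be reviewed before being wired into an alert action.

```python
"""Build and check a PAN-OS User-ID tag-registration request.  Added example
for this transcript, not the app's pantag/panblock code.  Assumption: XML
API call shape type=user-id with a uid-message in cmd (verify for your
PAN-OS release).  Hostnames, key and responses below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_message(ip_tags, register=True, protected=frozenset()):
    """ip_tags: {ip: [tag, ...]} -> uid-message XML string.

    A tag does nothing by itself: blocking needs a Dynamic Address Group
    whose match condition names the tag and a security policy that uses the
    group.  The IPs usually come from alert fields, so they are validated:
    anything that is not an IP address is rejected, and addresses on the
    caller's protected list (the Splunk server, the firewall's management
    address, DNS/AD servers) are refused, so a forged log event cannot make
    the automation cut off your own infrastructure."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    op = ET.SubElement(ET.SubElement(root, "payload"),
                       "register" if register else "unregister")
    for ip, tags in sorted(ip_tags.items()):
        ipaddress.ip_address(ip)                 # raises ValueError on junk
        if ip in protected:
            raise ValueError(f"refusing to tag protected address {ip}")
        tag_el = ET.SubElement(ET.SubElement(op, "entry", ip=ip), "tag")
        for t in tags:
            ET.SubElement(tag_el, "member").text = t   # ET escapes < > & "
    return ET.tostring(root, encoding="unicode")


def build_api_request(firewall, api_key, uid_message):
    """(url, form_body) for an HTTPS POST to /api/.  POST keeps the key and
    payload out of URL and proxy logs; never put the key in a GET query."""
    url = f"https://{firewall}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_message})
    return url, body


def parse_api_response(xml_text):
    """PAN-OS answers <response status="success"|"error">; collect any
    <line>/<msg> text so the failure reason reaches the alert log."""
    root = ET.fromstring(xml_text)
    msgs = [e.text for e in root.iter() if e.tag in ("line", "msg") and e.text]
    return root.get("status") == "success", msgs


if __name__ == "__main__":
    msg = build_uid_message({"10.1.1.5": ["compromised"]},
                            protected={"10.1.1.250"})
    url, body = build_api_request("fw.example.internal", "API-KEY", msg)
    print(url, body, sep="\n")
    # Constructed responses, not captured from a firewall:
    print(parse_api_response('<response status="success"/>'))
    print(parse_api_response('<response status="error"><msg><line>Invalid '
                             'credentials</line></msg></response>'))
```

When this is turned into a real alert action, verify the firewall's TLS certificate on the POST, keep the API key in Splunk's credential store rather than in a dashboard or search, and unregister the tag once the incident is closed so the quarantine does not silently outlive the investigation.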

Page 32: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Section 4: Summary / Next Steps

Page 33: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Why Splunk Customers Need Palo Alto Networks

Layered defenses with network and endpoint security

Better APT detection with WildFire and Traps

Rich PAN data enables more SIEM/Splunk value

Page 34: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Why Palo Alto Networks Customers Need Splunk

Layered defenses with a SIEM and non-PAN data

Better APT detection with Splunk anomaly detection and correlations

Turn PAN IOCs into Splunk searches

Broader, richer, longer-term, more flexible reporting

…and don't forget network monitoring, IT operations, app mgmt use cases….

Page 35: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Synergies/Benefits of Joint Solution

Integrated functionality with Splunk for PAN App and custom commands

Improved security

Less costs and revenue loss

Page 36: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Learn More About Splunk

• If new user, try Splunk for free! Download free Splunk at www.splunk.com. Splunk Tutorial: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

• Download Splunk App for Palo Alto Networks: https://splunkbase.splunk.com/app/491/

• More security information at: http://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud.html

• Contact sales team: [email protected]

Page 37: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Learn More About Palo Alto Networks

• Watch On-Demand Demo of Next Generation Firewall: Paloaltonetworks.com > Resources > Demos

• Schedule an Enterprise Risk Report: http://connect.paloaltonetworks.com/avr-alt

• Contact Sales at: Paloaltonetworks.com > Contact

Page 38: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Thank You!

Page 39: Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto Networks

Getting Data in to the App

• Add the Splunk server IP as a syslog receiver in PAN (a syslog server profile on the firewall or Panorama, with log forwarding enabled for the traffic and threat logs you want the app to see)

• Add an inputs.conf stanza in Splunk

• E.g. if you configured the PAN to send to UDP 514, edit $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf:

    [udp://514]
    index = pan_logs
    connection_host = ip
    sourcetype = pan_log
    no_appending_timestamp = true

Checks before declaring it working: the pan_logs index must already exist (create it in indexes.conf or under Settings > Indexes), otherwise events for it are discarded and splunkd.log reports an unconfigured index; on Linux a Splunk process running as a non-root user cannot bind UDP 514, so use a port above 1024 on both sides or put a syslog daemon in front of Splunk that writes to files; and because UDP syslog is neither authenticated nor encrypted, restrict the input to the firewall and Panorama source addresses (acceptFrom in the stanza, plus host firewall rules) so that forged events cannot feed the app's dashboards or drive its response commands.
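What arrives on that input is one CSV record per line behind a syslog header, and what the app's dashboards and slide 34's "turn PAN IOCs into Splunk searches" step do with it is field extraction plus correlation. As an added example for this transcript (not code from the slides or from the Splunk for Palo Alto Networks App), the block below does the same in plain Python over constructed log lines: it parses TRAFFIC and THREAT records, lists high-severity hits the firewall only alerted on, flags sources fanning out to many internal systems (the "40 systems accessed with valid credentials" pattern from slide 7), and pivots on destination IPs from threat hits to find every other host that talked to them. Field positions follow the PAN-OS 6.x/7.0 syslog field order as I recall it and must be confirmed against the "Syslog Field Descriptions" for your PAN-OS release; threat names and IDs in the sample lines are placeholders, and RFC 1918 space stands in for "internal".

```python
"""Parse PAN-OS syslog records and run three detections over them.  Added
example for this transcript, not the app's code.  Assumptions: CSV field
positions as in PAN-OS 6.x/7.0 TRAFFIC/THREAT syslog (verify for your
release); sample lines constructed, threat names/IDs are placeholders;
RFC 1918 ranges count as internal."""
import csv
import ipaddress
import re
from collections import defaultdict

# Syslog header from the firewall: optional <PRI>, month, day, time,
# hostname; everything after that is the comma-separated PAN-OS record.
_HEADER = re.compile(
    r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(.*)$")

# 0-based positions shared by TRAFFIC and THREAT records (assumed, see above).
COMMON = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "user": 12,
          "app": 14, "src_zone": 16, "dst_zone": 17, "dport": 25,
          "proto": 29, "action": 30}
THREAT_ONLY = {"misc": 31, "threat_id": 32, "category": 33, "severity": 34}
TRAFFIC_ONLY = {"bytes": 31, "bytes_sent": 32, "bytes_received": 33}
_INTERNAL = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input: three THREAT, five TRAFFIC, one unrelated line.
SAMPLE_LOGS = [
    '<14>Aug 16 10:00:01 PA-5050 1,2015/08/16 10:00:01,001606001116,THREAT,vulnerability,1,2015/08/16 10:00:01,10.1.1.5,203.0.113.20,0.0.0.0,0.0.0.0,allow-web,acme\\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-splunk,2015/08/16 10:00:01,12345,1,51234,80,0,0,0x80000000,tcp,alert,"203.0.113.20/cgi-bin/evil.php?x=1,2",Sample Vulnerability Signature(90001),any,high,client-to-server,1001,0x0,United States,United States',
    '<14>Aug 16 10:00:05 PA-5050 1,2015/08/16 10:00:05,001606001116,THREAT,vulnerability,1,2015/08/16 10:00:05,10.1.1.7,198.51.100.9,0.0.0.0,0.0.0.0,allow-web,acme\\rlee,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-splunk,2015/08/16 10:00:05,12350,1,51300,80,0,0,0x80000000,tcp,reset-both,"198.51.100.9/shell.jsp",Sample Webshell Signature(90002),any,critical,client-to-server,1002,0x0,United States,United States',
    '<14>Aug 16 10:00:09 PA-5050 1,2015/08/16 10:00:09,001606001116,THREAT,vulnerability,1,2015/08/16 10:00:09,10.1.1.9,203.0.113.20,0.0.0.0,0.0.0.0,allow-web,acme\\mchen,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-splunk,2015/08/16 10:00:09,12351,1,51400,80,0,0,0x80000000,tcp,alert,"203.0.113.20/index.html",Sample Scanner Signature(90003),any,medium,client-to-server,1003,0x0,United States,United States',
    '<14>Aug 16 10:02:00 PA-5050 1,2015/08/16 10:02:00,001606001116,TRAFFIC,end,1,2015/08/16 10:02:00,10.1.1.5,10.1.2.10,0.0.0.0,0.0.0.0,allow-internal,acme\\jsmith,,ms-ds-smb,vsys1,trust,trust,ethernet1/2,ethernet1/2,to-splunk,2015/08/16 10:02:00,12360,1,50123,445,0,0,0x19,tcp,allow,18432,12000,6432,40,2015/08/16 10:01:50,10,any',
    '<14>Aug 16 10:02:10 PA-5050 1,2015/08/16 10:02:10,001606001116,TRAFFIC,end,1,2015/08/16 10:02:10,10.1.1.5,10.1.2.11,0.0.0.0,0.0.0.0,allow-internal,acme\\jsmith,,ms-ds-smb,vsys1,trust,trust,ethernet1/2,ethernet1/2,to-splunk,2015/08/16 10:02:10,12361,1,50124,445,0,0,0x19,tcp,allow,17000,11000,6000,38,2015/08/16 10:02:00,10,any',
    '<14>Aug 16 10:02:20 PA-5050 1,2015/08/16 10:02:20,001606001116,TRAFFIC,end,1,2015/08/16 10:02:20,10.1.1.5,10.1.2.12,0.0.0.0,0.0.0.0,allow-internal,acme\\jsmith,,ms-rdp,vsys1,trust,trust,ethernet1/2,ethernet1/2,to-splunk,2015/08/16 10:02:20,12362,1,50125,3389,0,0,0x19,tcp,allow,90000,60000,30000,120,2015/08/16 10:02:05,15,any',
    '<14>Aug 16 10:02:30 PA-5050 1,2015/08/16 10:02:30,001606001116,TRAFFIC,end,1,2015/08/16 10:02:30,10.1.1.9,203.0.113.20,0.0.0.0,0.0.0.0,allow-web,acme\\mchen,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-splunk,2015/08/16 10:02:30,12363,1,51401,80,0,0,0x19,tcp,allow,5000,1200,3800,12,2015/08/16 10:02:25,5,any',
    '<14>Aug 16 10:02:40 PA-5050 1,2015/08/16 10:02:40,001606001116,TRAFFIC,end,1,2015/08/16 10:02:40,10.1.1.7,10.1.2.10,0.0.0.0,0.0.0.0,allow-internal,acme\\rlee,,ms-ds-smb,vsys1,trust,trust,ethernet1/2,ethernet1/2,to-splunk,2015/08/16 10:02:40,12364,1,50200,445,0,0,0x19,tcp,allow,8000,5000,3000,20,2015/08/16 10:02:35,5,any',
    '<13>Aug 16 10:03:00 bastion sshd[4242]: Accepted publickey for ops from 10.1.1.9 port 52000',
]


def parse(line):
    """Named fields for one syslog line, or None if it is not a PAN-OS
    TRAFFIC/THREAT record.  csv handles the quoted URL field, which may
    itself contain commas."""
    m = _HEADER.match(line)
    fields = next(csv.reader([m.group(1) if m else line]))
    if len(fields) < 32 or fields[3] not in ("TRAFFIC", "THREAT"):
        return None
    rec = {name: fields[i] for name, i in COMMON.items()}
    extra = THREAT_ONLY if rec["type"] == "THREAT" else TRAFFIC_ONLY
    rec.update({name: fields[i] for name, i in extra.items() if i < len(fields)})
    return rec


def unblocked_threats(records, min_severity="high"):
    """THREAT hits at or above min_severity that the firewall only alerted
    on (profile action alert/allow): the ones that still need a response."""
    rank = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
    return [r for r in records if r["type"] == "THREAT"
            and rank.get(r.get("severity", ""), 0) >= rank[min_severity]
            and r["action"] in ("alert", "allow")]


def fanout(records, threshold):
    """Distinct internal destinations per source over TRAFFIC records; a
    source at or above threshold matches the lateral-movement pattern."""
    seen = defaultdict(set)
    for r in records:
        if r["type"] == "TRAFFIC" and any(
                ipaddress.ip_address(r["dst"]) in n for n in _INTERNAL):
            seen[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in seen.items() if len(d) >= threshold}


def pivot_on_iocs(records, iocs):
    """Every source that talked to an IOC (destination IPs from threat hits),
    across both log types, i.e. the IOC-to-search pivot done by hand."""
    hits = defaultdict(set)
    for r in records:
        if r["dst"] in iocs:
            hits[r["dst"]].add(r["src"])
    return {ioc: sorted(srcs) for ioc, srcs in hits.items()}


def run(lines, fanout_threshold=3):
    records = [r for r in map(parse, lines) if r]
    threats = unblocked_threats(records)
    return {"records": len(records),
            "unblocked_threats": [(r["src"], r["dst"], r["severity"]) for r in threats],
            "fanout": fanout(records, fanout_threshold),
            "ioc_pivot": pivot_on_iocs(records, {r["dst"] for r in threats})}


if __name__ == "__main__":
    for key, value in run(SAMPLE_LOGS).items():
        print(key, value)
```

The reset-both hit on 10.1.1.7 is deliberately absent from the unblocked list: the firewall already stopped it, so the investigation budget goes to the alert-only hit, to the host touching three internal systems over SMB and RDP, and to 10.1.1.9, which shows up only because the pivot on the IOC found it.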