Mission Possible: Splunk + Palo Alto Networks (June 2015)
TRANSCRIPT
Copyright © 2015 Splunk, Inc.
Splunk + Palo Alto Networks Present: Mission: Possible. Detect and Prevent Cyber Attacks
Splunk and Palo Alto Networks
Next Gen Firewalls w/ Next Gen Big Data Analytics
• Splunk App for Palo Alto Networks developed in 2011
• 15,000+ cumulative App downloads
• Strong alliance since 2010
• First integration to offer Active Response
• Today the App is in version 4.2.1 (4.x)
Today’s Speakers
Joe Goldberg • Product Marketing, Security and Compliance, Splunk
Joerg Sieber • Product Marketing, Palo Alto Networks
Legal Notices: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk and Palo Alto Networks undertake no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
1. Splunk Overview
2. Palo Alto Networks Overview
3. Demo of the Splunk for Palo Alto Networks App
4. Next Steps
Advanced Threats in the Headlines
• Cyber criminals: "Another Day, Another Retailer in a Massive Credit Card Breach" – Bloomberg Businessweek, March 2014
• Insider threats: "Edward Snowden Tells SXSW He'd Leak Those Secrets Again" – NPR, March 2014
• Nation states: "Iranian hackers compromised airlines, airports, critical infrastructure firms" – Computerworld, Dec 2014
Mission Impossible to Defeat?
• 100%: valid credentials were used
• 40: average number of systems accessed
• 205: median number of days before detection
• 69%: of victims were notified by an external entity
Source: Mandiant M-Trends Reports 2012, 2013, 2014, 2015
Mission Possible to Defeat!
Leading, next-generation technologies: SIEM + Network/Endpoint
1. Splunk
Thousands of Customers and Analyst Validation
Gartner MQ for SIEM 2014
Splunk: The Platform for Machine Data
• Capabilities: ad hoc search, monitor and alert, report and analyze, custom dashboards, developer platform, real-time
• Data sources: cloud infrastructure, web proxy, data loss prevention, storage, desktops, packaged applications, custom applications, databases, DNS/DHCP, smartphones and devices, firewall, authentication, file servers, endpoint, badging records, email servers, VPN, IDS, network flows, anti-malware, vulnerability scans
• External lookups and context: threat intelligence, asset and CMDB, employee / HR info, data stores, network segments / honeypots
• Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No back-end RDBMS
• No need to filter data
Top Splunk Security Use Cases
Splunk software complements, replaces and goes beyond traditional SIEMs
• Security and compliance reporting
• Real-time monitoring of known threats
• Monitoring of unknown threats
• Incident investigations and forensics
• Fraud detection
• Insider threat
Splunk Product Offerings
• Splunk Enterprise (core)
• Splunk App for Enterprise Security
• 240+ security apps, e.g. Stream data, Windows / AD / Exchange, Palo Alto Networks, Bit9, SANS DShield, DNS, OSSEC, Snort, Cisco
Splunk Key Differentiators vs Traditional SIEMs
• Single product, UI, data store
• Software-only; install on commodity hardware
• Quick deployment + ease-of-use = fast time-to-value
• Can index any data type
• All original/raw data indexed and searchable
• Big data architecture enables scale and speed
• Flexible search and reporting enables better/faster threat investigations and detection
• Open platform with API, SDKs, Apps
• Use cases beyond security/compliance
Splunk Is Used Across IT and the Business
• IT Operations
• Application Delivery
• Business Analytics
• Industrial Data and Internet of Things
• Security, Compliance and Fraud
Strong ROI and facilitates cross-department collaboration
2. Palo Alto Networks
Palo Alto Networks At-a-Glance
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber breaches
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 2,300+ employees
• Q3 FY15: $234M revenue
[Chart: Revenues ($MM), FY09 to FY14]
[Chart: Enterprise customers: 4,700 (Jul-11), 9,000 (Jul-12), 13,500 (Jul-13), 19,000 (Jul-14)]
2015 Magic Quadrant for Enterprise Network Firewalls
"Palo Alto Networks is proud to be named a Leader once again. We are now a four-time Magic Quadrant leader recognized for our ability to execute and completeness of vision."
Gartner, Magic Quadrant for Enterprise Network Firewalls, Adam Hils, et al, April 22, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from go.paloaltonetworks.com/gartnermq2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Enabling Applications, Users and Content
Failure of Legacy Architectures
[Diagram: the enterprise network reaches the Internet through a stack of point products from Vendor 1 through Vendor 4: anti-APT for port 80 APTs, anti-APT for port 25 APTs, anti-APT cloud, network AV, endpoint AV, DNS protection cloud, DNS protection for outbound DNS, UTM/blades. Each product raises its own stream of Web, SMTP, DNS, AV and endpoint alerts and keeps its own malware intelligence.]
• Limited visibility
• Manual response
• Lacks integration
Delivering a Next Generation Security Platform
• Natively integrated, extensible, automated
• Components: Threat Intelligence Cloud, Next-Generation Firewall, Advanced Endpoint Protection
Threat Intelligence Cloud
• WildFire, Threat Prevention, URL Filtering
• The unknown: automatically identified. Remediation: automatically prevented
• 192,000 anti-malware protections per day; 24,000 URL protections per day; 12,000 DNS protections per day
• Protections delivered automatically in 15 minutes
• Forensics and reporting: rich forensics and reporting for quick, detailed investigation
Safely Enable Applications
• Visibility into all applications and users on the network
• Facilitate access: allow desired applications by user, limit high-risk features
• Reduce and control risk: remove threats from wanted traffic
3. Demo of the Splunk for Palo Alto Networks App
Splunk for Palo Alto Networks App
• Includes: technology add-on, dashboards, form boxes, custom commands
• Use cases: reporting, trending, incident investigations, interaction with PAN
Getting the App
• Free download and documentation at Splunk.com > Community > Apps and Add-Ons: http://apps.splunk.com/app/491
• Available on GitHub for cloning and forking: https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks
Architecture
• Splunk side: Splunk Enterprise, Splunk for Palo Alto Networks App, Splunk App for Enterprise Security
• Palo Alto Networks side: PAN firewalls, Panorama, Traps agent, Traps server, WildFire

Data Flow if Just Firewalls
[Diagram: PAN firewalls send logs to Splunk Enterprise either directly or through Panorama (the diagram shows an OR between the two paths); the Splunk for Palo Alto Networks App and the Splunk App for Enterprise Security sit on top of Splunk Enterprise and consume the indexed data.]

Data Flow if also WildFire
[Diagram: same as above, with WildFire added as a further source feeding Splunk Enterprise alongside the firewall logs.]

Data Flows if also Traps
[Diagram: same as above, with Traps agents reporting to the Traps server, which is added as a further source feeding Splunk Enterprise.]

Data Flows from Splunk to PAN
[Diagram: the reverse direction; Splunk pushes to the PAN firewalls either directly or through Panorama (the diagram shows an OR between the two paths).]
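The push from Splunk to the firewall is what makes the app's "Active Response" claim concrete, so it is worth seeing one such exchange end to end. The block below is an added example for this transcript, not the Splunk for Palo Alto Networks App's own code. It assumes that the App's tagging command works the way the PAN-OS XML API's User-ID interface (type=user-id carrying a <uid-message>) does: register a tag on an IP, let a Dynamic Address Group that matches the tag pick the address up, and have a deny rule reference that group. The endpoint, parameters and message layout follow the PAN-OS XML API as I know it; verify them against the API reference for your PAN-OS version. The firewall host name, API key, tag name and the two sample replies are placeholders constructed for the example, and the live call is only shown in a comment so the block runs offline.

```python
"""Register a tag on an IP address in a Palo Alto Networks firewall from Splunk.

Added example; not the Splunk for Palo Alto Networks App's own code. Assumes the
PAN-OS XML API User-ID interface: POST type=user-id&key=...&cmd=<uid-message>...
to https://<firewall>/api/. Verify against the PAN-OS API reference you run.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(entries, unregister=False):
    """entries: {ip: [tag, ...]}. Returns the <uid-message> XML for the cmd parameter."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    op = ET.SubElement(payload, "unregister" if unregister else "register")
    for ip, tags in sorted(entries.items()):
        tag_el = ET.SubElement(ET.SubElement(op, "entry", ip=ip), "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_api_response(xml_text):
    """PAN-OS wraps every reply in <response status="success|error">; return (ok, message)."""
    root = ET.fromstring(xml_text)
    msg = root.findtext(".//msg/line") or root.findtext(".//msg") or ""
    return root.get("status") == "success", msg.strip()


def register_tags(host, api_key, entries, unregister=False, verify_tls=True, timeout=10):
    """POST the message to https://<host>/api/ and return (ok, message).

    Generate the key for an admin whose role is limited to User-ID operations:
    the key carries the full rights of the account it was issued for.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab firewalls with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    form = urllib.parse.urlencode({
        "type": "user-id",
        "key": api_key,
        "cmd": build_uid_message(entries, unregister=unregister),
    }).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=form, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_api_response(resp.read().decode())


# Constructed replies in the shape PAN-OS returns, to exercise the parser offline.
SAMPLE_OK = ('<response status="success"><result><uid-response><version>2.0</version>'
             '<payload><register></register></payload></uid-response></result></response>')
SAMPLE_ERR = ('<response status="error" code="403"><result><msg>Invalid credentials.'
              '</msg></result></response>')

if __name__ == "__main__":
    # Offline run: the message Splunk would send for a host an analyst quarantined,
    # then both kinds of reply.
    print(build_uid_message({"10.1.2.50": ["splunk-quarantine"]}))
    print(parse_api_response(SAMPLE_OK), parse_api_response(SAMPLE_ERR))
    # Live call (placeholder host and key):
    # register_tags("fw.example.internal", "<api-key>", {"10.1.2.50": ["splunk-quarantine"]})
```

Because the tag is applied through User-ID rather than a configuration change, the Dynamic Address Group updates without a commit, which is what makes this path usable for automated response. Exercise the unregister path as well: a block driven by a detection will eventually fire on a false positive, and the reversal must be as automated as the block.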
4. Summary / Next Steps
Why Splunk Customers Need Palo Alto Networks
• Layered defenses with network and endpoint security
• Better APT detection with WildFire and Traps
• Rich PAN data enables more SIEM/Splunk value
Why Palo Alto Networks Customers Need Splunk
• Layered defenses with a SIEM and non-PAN data
• Better APT detection with Splunk anomaly detection and correlations
• Turn PAN IOCs into Splunk searches
• Broader, richer, longer-term, more flexible reporting
• …and don't forget network monitoring, IT operations, app mgmt use cases….
Synergies/Benefits of Joint Solution
• Integrated functionality with Splunk for PAN App and custom commands
• Improved security
• Less cost and revenue loss
Learn More About Splunk
• If new user, try Splunk for free!
  - Download free Splunk at www.splunk.com
  - Splunk Tutorial: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
• Download Splunk App for Palo Alto Networks: https://splunkbase.splunk.com/app/491/
• More security information at: http://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud.html
• Contact sales team: [email protected]
Learn More About Palo Alto Networks
• Watch On-Demand Demo of Next Generation Firewall: Paloaltonetworks.com > Resources > Demos
• Schedule an Enterprise Risk Report: http://connect.paloaltonetworks.com/avr-alt
• Contact Sales at: Paloaltonetworks.com > Contact
Thank You!
Getting Data in to the App
• Add the Splunk server IP as a syslog receiver in PAN
• Add an inputs.conf stanza in Splunk
• E.g. if you configured the PAN to send to UDP 514, edit $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf:

    [udp://514]
    index = pan_logs
    connection_host = ip
    sourcetype = pan_log
    no_appending_timestamp = true

• Checks: the pan_logs index must exist before the input is enabled; on Linux, port 514 is privileged, so a Splunk instance running as a non-root user needs a higher port (and the matching port in the firewall's syslog server profile)
• Caveat: UDP syslog is unauthenticated and unacknowledged, and connection_host = ip takes the host field from the packet's source address, which any sender on the network can spoof. Where the PAN-OS version supports it, send over TCP or SSL instead, and restrict the Splunk input to the firewall's addresses
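Once the pan_log events are indexed, the value is in what you search for. The block below is an added example for this transcript, not code from the Splunk for Palo Alto Networks App or from Palo Alto Networks. It parses constructed PAN-OS TRAFFIC syslog lines the way the app's sourcetype has to (strip the syslog header, then split the comma-separated body, respecting quoted fields), and runs one detection over them: a user whose allowed, internal-to-internal sessions reach an unusual number of distinct hosts, which is the "valid credentials used, 40 systems accessed" pattern from the M-Trends numbers quoted earlier in the deck. The field offsets follow the PAN-OS 6.x/7.x TRAFFIC log layout as I recall it and must be checked against the syslog field descriptions for your PAN-OS version; the RFC 1918 definition of "internal", the host names, user names and log lines are all constructed for the example.

```python
"""Parse PAN-OS TRAFFIC syslog lines and flag users that touch many internal hosts.

Added example; not code from the Splunk for Palo Alto Networks App or PAN-OS.
Sample lines are constructed. Field offsets are an assumption (PAN-OS 6.x/7.x
TRAFFIC layout as recalled): verify them for the PAN-OS version you run.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# RFC 3164-style header ("<pri>Mon dd hh:mm:ss host ") that the firewall prepends
# before the comma-separated body; the app's field extractions key off the body.
SYSLOG_HEADER = re.compile(r"^(?:<\d+>)?\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+")

# Assumed 0-based positions of the TRAFFIC fields this example uses.
FIELDS = {
    "receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
    "src_ip": 7, "dst_ip": 8, "rule": 11, "src_user": 12, "app": 14,
    "src_zone": 16, "dst_zone": 17, "dst_port": 25, "proto": 29, "action": 30,
}

# Assumption: RFC 1918 space is "inside".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict of the fields in FIELDS, or None if the line is not a TRAFFIC log."""
    body = SYSLOG_HEADER.sub("", line.strip(), count=1)
    row = next(csv.reader(io.StringIO(body)))   # csv handles quoted fields with commas
    if len(row) <= max(FIELDS.values()) or row[FIELDS["type"]] != "TRAFFIC":
        return None
    return {name: row[pos] for name, pos in FIELDS.items()}


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # empty or malformed field
        return False
    return any(addr in net for net in INTERNAL)


def lateral_movement_candidates(lines, threshold=3):
    """Users whose allowed internal-to-internal sessions reach >= threshold distinct hosts."""
    hosts_by_user = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "allow" or not ev["src_user"]:
            continue
        if is_internal(ev["src_ip"]) and is_internal(ev["dst_ip"]):
            hosts_by_user[ev["src_user"]].add(ev["dst_ip"])
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items()
            if len(hosts) >= threshold}


def make_traffic_line(src_ip, dst_ip, user, dst_port, action, log_type="TRAFFIC"):
    """Build a constructed log line in the assumed layout (test data, not a real export)."""
    row = [""] * 45
    row[0], row[1], row[2], row[3], row[4] = "1", "2015/06/10 10:15:00", "001606000001", log_type, "end"
    row[6] = "2015/06/10 10:15:00"
    row[7], row[8], row[11], row[12] = src_ip, dst_ip, "allow-internal", user
    row[14], row[16], row[17] = "ms-ds-smb", "trust", "trust"
    row[25], row[29], row[30] = str(dst_port), "tcp", action
    return "<14>Jun 10 10:15:00 pa-500 " + ",".join(row)


# Constructed sample: jdoe fans out over SMB to four internal hosts, asmith does not.
SAMPLE_LINES = [
    make_traffic_line("10.1.2.50", "10.1.1.5", "corp\\jdoe", 445, "allow"),
    make_traffic_line("10.1.2.50", "10.1.1.6", "corp\\jdoe", 445, "allow"),
    make_traffic_line("10.1.2.50", "10.1.1.7", "corp\\jdoe", 445, "allow"),
    make_traffic_line("10.1.2.50", "10.1.1.8", "corp\\jdoe", 445, "allow"),
    make_traffic_line("10.1.2.50", "10.1.1.9", "corp\\jdoe", 445, "deny"),     # blocked: not counted
    make_traffic_line("10.1.2.50", "8.8.8.8", "corp\\jdoe", 53, "allow"),      # external: not counted
    make_traffic_line("10.1.2.51", "10.1.1.5", "corp\\asmith", 445, "allow"),
    make_traffic_line("10.1.2.51", "10.1.1.5", "corp\\asmith", 445, "allow"),
    make_traffic_line("10.1.2.51", "10.1.1.6", "corp\\asmith", 80, "allow", log_type="THREAT"),  # skipped
]

if __name__ == "__main__":
    for user, hosts in lateral_movement_candidates(SAMPLE_LINES).items():
        print(f"{user}: {len(hosts)} internal hosts {hosts}")
```

In Splunk the same logic is a search over the pan_log sourcetype: filter on action=allow, drop external destinations, then count distinct destinations per user (stats dc(dst_ip) by src_user, assuming the app extracts fields under those names) and alert above a threshold tuned to your environment; a threshold of 3 is only sensible for this tiny sample, and a real baseline should come from each user's own history.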