This document discusses how Splunk Enterprise Security can improve an organization's security posture. It begins with an overview of today's advanced cyber threats and common security tools like SIEMs. Splunk is presented as a security intelligence platform that can ingest and correlate machine data from many sources to detect known and unknown threats. The presentation then outlines five ways Splunk Enterprise Security can help: 1) detect external advanced threats, 2) detect insider threats, 3) leverage free external threat intelligence, 4) accelerate security investigations, and 5) provide advanced visualizations and analytics. A demo of the Splunk App for Enterprise Security is also included.

1. Copyright © 2015 Splunk Inc.
5 Ways to Improve
Your Security Posture
with Splunk Enterprise
Security

2. Legal NoDces
During the course of this presentaDon, we may make forward-looking statements regarding future events
or the expected performance of the company. We cauDon you that such statements reflect our current
expectaDons and esDmates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements made
in this presentaDon are being made as of the Dme and date of its live presentaDon. If reviewed aQer its live
presentaDon, this presentaDon may not contain current or accurate informaDon. We do not assume any
obligaDon to update any forward-looking statements we may make. In addiDon, any informaDon about
our roadmap outlines our general product direcDon and is subject to change at any Dme without noDce.
It is for informaDonal purposes only and shall not be incorporated into any contract or other commitment.
Splunk undertakes no obligaDon either to develop the features or funcDonality described or to include any
such feature or funcDonality in a future release.
2

3. Today’s Speakers
3
MaVhias Maier
– Security Product MarkeDng
– Splunk
Niklas Blomquist
– Senior Sales Engineer & Security Expert
– Splunk

4. Agenda
● Threat Landscape & Splunk Overview
● 5 Ways The Splunk App for ES Can Improve Your Security Posture
● Demo: The Splunk App for Enterprise Security
● Q&A
4

5. Copyright © 2015 Splunk Inc.
Threat Landscape &
Splunk Overview
5

6. Advanced Threats Are Hard to Find
“Another Day, Another Retailer in a Massive
Credit Card Breach”
– Bloomberg Businessweek, March 2014
“Edward Snowden Tells SXSW He'd Leak
Those Secrets Again”
– NPR, March 2014
“Banks Seek U.S. Help on Iran Cyber aVacks”
– Wall Street Journal, Jan 2013
Cyber Criminals
Na.on States
Insider Threats
6
Source: Mandiant M-Trends Report 2012/2013/2014/2015
100% Valid credenDals were used
40
Average # of systems accessed
205
Median # of days before detecDon
69%
Of vicDms were noDfied by
external enDty

7. Intrusion
DetecDon
Firewall
Data Loss
PrevenDon
AnD-
Malware
Vulnerability
Scans
AuthenDcaDon
7
All Machine Data is Security Relevant
Tradi.onal SIEM

8. Servers
Storage
Desktops Email Web
TransacDon
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMBD
Intrusion
DetecDon
Firewall
Data Loss
PrevenDon
AnD-
Malware
Vulnerability
Scans
AuthenDcaDon
8
All Machine Data is Security Relevant
Tradi.onal SIEM

9. Thousands of Security Customers; MQ SIEM Leader
9
2015

10. Need Security Intelligence Plaoorm (SIEM + more!)
10
Real-.me
Machine Data
Cloud
Apps
Servers
Email
Web
Network
Flows
DHCP/ DNS
Custom
Apps
Badges
Intrusion
DetecDon
Firewall
Data Loss
PrevenDon
AnD-Malware
Vulnerability
Scans
AuthenDcaDon
Storage
Industrial
Control
Mobile

11. Need Security Intelligence Plaoorm (SIEM + more!)
11
Real-.me
Machine Data
Cloud
Apps
Servers
Email
Web
Network
Flows
DHCP/ DNS
Custom
Apps
Badges
Intrusion
DetecDon
Firewall
Data Loss
PrevenDon
AnD-Malware
Vulnerability
Scans
AuthenDcaDon
Storage
Industrial
Control
Mobile
Threat
Feeds
Asset
Info
Employee
Info
Data
Stores
Network
Segments
External Lookups / Enrichment

12. Monitor &
Alert
Search &
Inves.gate
Custom
Dashboards &
Reports
Analy.cs &
Visualiza.on
Meets Key Needs of SOC Personnel
Need Security Intelligence Plaoorm (SIEM + more!)
12
Real-.me
Machine Data
Cloud
Apps
Servers
Email
Web
Network
Flows
DHCP/ DNS
Custom
Apps
Badges
Intrusion
DetecDon
Firewall
Data Loss
PrevenDon
AnD-Malware
Vulnerability
Scans
AuthenDcaDon
Storage
Industrial
Control
Mobile
Threat
Feeds
Asset
Info
Employee
Info
Data
Stores
Network
Segments
External Lookups / Enrichment

13. Splunk soQware complements, replaces and goes beyond tradiDonal SIEMs
AnalyDcs-Driven Security Use Cases
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
MONITORING
OF UNKNOWN
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
13

14. User Behavior
Analy.cs (UBA)
240+ security apps Splunk
Enterprise Security
Splunk Security Intelligence Plaoorm
14
Palo Alto
Networks
NetFlow Logic
FireEye
Blue Coat
Proxy SG
OSSEC
Cisco Security
Suite
AcDve
Directory
F5 Security
Juniper Sourcefire

15. Copyright © 2015 Splunk Inc.
5 Ways Splunk
Enterprise Security
can Improve Your
Security Posture
15

16. First Need to Do the “Basic” Steps
16
• Threat modeling Step 1
• What are the threats? What are they aQer? What do they look like?
• What is the specific paVern in machine data?

17. First Need to Do the “Basic” Steps
17
• Threat modeling Step 1
• What are the threats? What are they aQer? What do they look like?
• What is the specific paVern in machine data?
Step 2 • Collect relevant machine data in one loca.on
• Network, endpoint, authenDcaDons, data stores with sensiDve data

18. First Need to Do the “Basic” Steps
18
• Threat modeling Step 1
• What are the threats? What are they aQer? What do they look like?
• What is the specific paVern in machine data?
• Map IPs and user names back to people
• Watch risky personnel more closely: privileged access, recently demoted, etc
• Watch assets with sensiDve data more closely
• Enrich with external content (threat intel, HR, asset
info) Step 3
Step 2 • Collect relevant machine data in one loca.on
• Network, endpoint, authenDcaDons, data stores with sensiDve data

19. 5 Ways To Improve Your Security Posture
19
• CorrelaDons (A + B + C in certain Dme period)
• Baseline normal & then spot outliers/abnormaliDes
• Risk scoring
1 Detect external, advanced threats
WHAT HOW

20. 5 Ways To Improve Your Security Posture
20
• CorrelaDons (A + B + C in certain Dme period)
• Baseline normal & then spot outliers/abnormaliDes
• Risk scoring
1 Detect external, advanced threats
• Abnormal access to sensiDve data and/or data exfiltraDon
• Terminated employee accounts being used
• Employees on vacaDon logging into criDcal systems
2 Detect insider threats
WHAT HOW

21. 5 Ways To Improve Your Security Posture
21
• CorrelaDons (A + B + C in certain Dme period)
• Baseline normal & then spot outliers/abnormaliDes
• Risk scoring
1 Detect external, advanced threats
• Abnormal access to sensiDve data and/or data exfiltraDon
• Terminated employee accounts being used
• Employees on vacaDon logging into criDcal systems
2 Detect insider threats
• 15+ feeds from Emerging Threats, SANS, STIX/TAXII
• Bad IPs, HTTP domains, file hashes, processes, registries,
services, X509 certs, users
3 Use free, external threat intel
WHAT HOW

22. 5 Ways To Improve Your Security Posture
22
• CorrelaDons (A + B + C in certain Dme period)
• Baseline normal & then spot outliers/abnormaliDes
• Risk scoring
1 Detect external, advanced threats
• Abnormal access to sensiDve data and/or data exfiltraDon
• Terminated employee accounts being used
• Employees on vacaDon logging into criDcal systems
2 Detect insider threats
• 15+ feeds from Emerging Threats, SANS, STIX/TAXII
• Bad IPs, HTTP domains, file hashes, processes, registries,
services, X509 certs, users
3 Use free, external threat intel
• Incident Review framework and detail
• InvesDgaDon Dmeline and InvesDgator Journal
• Asset/IdenDty InvesDgators
4 Accelerate incident inves.ga.ons
WHAT HOW

23. 5 Ways To Improve Your Security Posture
23
• CorrelaDons (A + B + C in certain Dme period)
• Baseline normal & then spot outliers/abnormaliDes
• Risk scoring
1 Detect external, advanced threats
• Abnormal access to sensiDve data and/or data exfiltraDon
• Terminated employee accounts being used
• Employees on vacaDon logging into criDcal systems
2 Detect insider threats
• 15+ feeds from Emerging Threats, SANS, STIX/TAXII
• Bad IPs, HTTP domains, file hashes, processes, registries,
services, X509 certs, users
3 Use free, external threat intel
• Incident Review framework and detail
• InvesDgaDon Dmeline and InvesDgator Journal
• Asset/IdenDty InvesDgators
4 Accelerate incident inves.ga.ons
• Anomaly detecDon
• Extreme Search capability's 5
Advanced visualiza.ons and
analy.cs
WHAT HOW

24. Demo: Splunk
Enterprise Security
24

25. Key Takeaways
● BeVer detect & defeat cyber threats with Splunk
● Put machine data, threat intel, & advanced
analyDcs to work for you
● Reduce chances of becoming a headline breach
● Automate your work to reduce Dme-per-incident
25

26. 26
TradiDonal SIEM Splunk
Next Steps
• Try Splunk Enterprise Security for free!
• Splunk.com > Free Splunk > Enterprise Security Sandbox
• Splunk.com > Community > DocumentaDon > Search Tutorial
• In 30 minutes will have imported data, run searches, created reports
• Free apps at Splunk.com > Community > Apps & Add-Ons
• For more help
• Free documentaDon and free Splunk Answers at Splunk.com > Community
• EducaDon Services, Professional Services, VARs, MSSPs
• Contact sales team at Splunk.com > About Us > Contact Us

27. Q&A

28. Thank You