This document discusses how Splunk Enterprise Security can improve an organization's security posture. It begins with an overview of today's advanced cyber threats and common security tools like SIEMs. Splunk is presented as a security intelligence platform that can ingest and correlate machine data from many sources to detect known and unknown threats. The presentation then outlines five ways Splunk Enterprise Security can help: 1) detect external advanced threats, 2) detect insider threats, 3) leverage free external threat intelligence, 4) accelerate security investigations, and 5) provide advanced visualizations and analytics. A demo of the Splunk App for Enterprise Security is also included.
18. First Need to Do the “Basic” Steps
Step 1: Threat modeling
• What are the threats? What are they after? What do they look like?
• What is the specific pattern in machine data?
Step 2: Collect relevant machine data in one location
• Network, endpoint, authentications, data stores with sensitive data
Step 3: Enrich with external content (threat intel, HR, asset info)
• Map IPs and user names back to people
• Watch risky personnel more closely: privileged access, recently demoted, etc.
• Watch assets with sensitive data more closely
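The three steps above as working code, added here as an illustration and not taken from the Splunk deck: constructed sshd-style lines stand in for the collected machine data (step 2), a constructed identity lookup and asset lookup supply the external content (step 3), and each event is tagged with the reasons a threat model (step 1) says it deserves a closer look. The log format, lookup columns and the corporate IP range are assumptions made for the example.

```python
"""Added example, not code from the Splunk deck: the three "basic" steps of
slide 18 in plain Python. The log format, lookup columns and corporate IP
range are assumptions made for the example."""
import re
from ipaddress import ip_address, ip_network

# Step 2: machine data in one place. Constructed sample lines.
SAMPLE_AUTH_LOG = """\
2024-03-04T08:02:11Z host=jump01 sshd[1201]: Accepted publickey for jsmith from 10.1.5.20
2024-03-04T08:05:47Z host=hr-db-01 sshd[1202]: Accepted password for rlee from 10.1.9.77
2024-03-04T02:15:03Z host=hr-db-01 sshd[1203]: Accepted password for tkim from 203.0.113.9
2024-03-04T09:30:00Z host=jump01 sshd[1204]: Failed password for admin from 198.51.100.4
"""

# Step 1: the specific pattern to pull out of the machine data.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)

# Step 3: external content. Constructed identity lookup (HR / directory data)...
IDENTITY = {
    "jsmith": {"person": "Jane Smith", "privileged": True, "status": "active", "on_leave": False},
    "rlee": {"person": "Ron Lee", "privileged": False, "status": "active", "on_leave": True},
    "tkim": {"person": "Tom Kim", "privileged": False, "status": "terminated", "on_leave": False},
}
# ...constructed asset lookup (CMDB) keyed by host name...
ASSETS = {
    "jump01": {"owner": "it-ops", "sensitive": False},
    "hr-db-01": {"owner": "hr-team", "sensitive": True},
}
# ...and the assumed corporate address space; anything else counts as external.
CORP_NETS = [ip_network("10.0.0.0/8")]


def parse_auth_log(text):
    """Turn the constructed sshd lines into field dicts; non-matching lines are dropped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def enrich(event):
    """Map user and host back to a person and an asset, then attach watch reasons."""
    ident = IDENTITY.get(event["user"], {})
    asset = ASSETS.get(event["host"], {})
    out = dict(event)
    out["person"] = ident.get("person", "unknown")
    out["asset_owner"] = asset.get("owner", "unknown")
    reasons = []
    if ident.get("privileged"):
        reasons.append("privileged user")
    if ident.get("status") == "terminated":
        reasons.append("terminated account")
    if ident.get("on_leave"):
        reasons.append("user on leave")
    if not ident:
        reasons.append("unknown identity")
    if asset.get("sensitive"):
        reasons.append("sensitive asset")
    src = ip_address(event["src"])
    if not any(src in net for net in CORP_NETS):
        reasons.append("external source")
    out["watch_reasons"] = reasons
    return out


def watchlist(text):
    """Enriched events that deserve a closer look, the ones with most reasons first."""
    enriched = [enrich(e) for e in parse_auth_log(text)]
    flagged = [e for e in enriched if e["watch_reasons"]]
    return sorted(flagged, key=lambda e: len(e["watch_reasons"]), reverse=True)


if __name__ == "__main__":
    for e in watchlist(SAMPLE_AUTH_LOG):
        print(e["ts"], e["user"], f"({e['person']})", e["host"], e["result"],
              "->", ", ".join(e["watch_reasons"]))
```

The corporate range is checked explicitly rather than with `ip_address(...).is_private` because Python treats the RFC 5737 documentation blocks used in the sample (203.0.113.0/24, 198.51.100.0/24) as private, which would silently hide the "external source" flag.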
22. 5 Ways To Improve Your Security Posture
WHAT / HOW
1 Detect external, advanced threats
• Correlations (A + B + C in a certain time period)
• Baseline normal & then spot outliers/abnormalities
• Risk scoring
2 Detect insider threats
• Abnormal access to sensitive data and/or data exfiltration
• Terminated employee accounts being used
• Employees on vacation logging into critical systems
3 Use free, external threat intel
• 15+ feeds from Emerging Threats, SANS, STIX/TAXII
• Bad IPs, HTTP domains, file hashes, processes, registries, services, X509 certs, users
4 Accelerate incident investigations
• Incident Review framework and detail
• Investigation timeline and Investigator Journal
• Asset/Identity Investigators
5 Advanced visualizations and analytics
• Anomaly detection
• Extreme Search capabilities
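The HOW column above, implemented as an added example in plain Python over constructed events (not code from the Splunk deck): a correlation of events A + B + C within a time window, a baseline of normal outbound volume with outlier detection, a match against a constructed threat-intel list of bad IPs, and a risk score that adds the findings up per user. Field names, the window, thresholds and weights are assumptions made for the example.

```python
"""Added example, not code from the Splunk deck: correlation, baseline/outlier,
threat-intel match and risk scoring over constructed events. Field names,
window, thresholds and weights are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed events for one morning, already split into fields.
EVENTS = [
    {"ts": "2024-03-04T10:00:05Z", "type": "auth_fail", "user": "rlee", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T10:00:09Z", "type": "auth_fail", "user": "rlee", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T10:01:30Z", "type": "auth_ok", "user": "rlee", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T10:03:12Z", "type": "file_read", "user": "rlee", "dest_ip": "", "bytes": 600_000_000},
    {"ts": "2024-03-04T10:09:40Z", "type": "net_conn", "user": "rlee", "dest_ip": "203.0.113.9", "bytes": 580_000_000},
    {"ts": "2024-03-04T10:20:00Z", "type": "auth_ok", "user": "jsmith", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T10:21:00Z", "type": "file_read", "user": "jsmith", "dest_ip": "", "bytes": 30_000_000},
    {"ts": "2024-03-04T12:00:00Z", "type": "auth_fail", "user": "jsmith", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T13:30:00Z", "type": "auth_ok", "user": "jsmith", "dest_ip": "", "bytes": 0},
    {"ts": "2024-03-04T13:31:00Z", "type": "net_conn", "user": "jsmith", "dest_ip": "192.0.2.50", "bytes": 1_000_000},
]
# Constructed 7-day history of daily outbound bytes per user (the baseline).
BASELINE_DAILY_BYTES = {
    "rlee": [40_000_000, 55_000_000, 38_000_000, 60_000_000, 45_000_000, 52_000_000, 48_000_000],
    "jsmith": [25_000_000, 30_000_000, 22_000_000, 35_000_000, 28_000_000, 31_000_000, 27_000_000],
}
# Constructed threat-intel list (what a feed of bad IPs would supply).
BAD_IPS = {"203.0.113.9", "198.51.100.4"}
# A + B + C: failed logon, then success, then a bulk read, all within 10 minutes.
SEQUENCE = ["auth_fail", "auth_ok", "file_read"]
WINDOW = timedelta(minutes=10)
WEIGHTS = {"correlation": 40, "outlier": 30, "threat_intel": 50}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, sequence, window, key="user"):
    """Per key, find the types of `sequence` in order, all within `window` of the first."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    hits = []
    for k, evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        i = 0
        while i < len(evs):
            if evs[i]["type"] != sequence[0]:
                i += 1
                continue
            start, chain, want, j = parse_ts(evs[i]["ts"]), [evs[i]], 1, i + 1
            while j < len(evs) and want < len(sequence) and parse_ts(evs[j]["ts"]) - start <= window:
                if evs[j]["type"] == sequence[want]:
                    chain.append(evs[j])
                    want += 1
                j += 1
            if want == len(sequence):
                hits.append((k, chain))
                i = j  # consume the chain so one incident yields one alert
            else:
                i += 1
    return hits


def baseline_outliers(events, history, k=3.0):
    """Sum today's outbound bytes per user; flag totals above mean + k*stdev of history."""
    today = defaultdict(int)
    for e in events:
        if e["type"] == "net_conn":
            today[e["user"]] += e["bytes"]
    out = []
    for user, total in today.items():
        hist = history.get(user)
        if not hist:
            continue  # no baseline yet, so nothing to call abnormal
        threshold = mean(hist) + k * pstdev(hist)
        if total > threshold:
            out.append((user, total, int(threshold)))
    return out


def threat_intel_hits(events, bad_ips):
    """Events whose destination appears on the intel list."""
    return [e for e in events if e.get("dest_ip") in bad_ips]


def risk_scores(events):
    """Add weighted points per user for each finding; highest risk first."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for user, chain in correlate(events, SEQUENCE, WINDOW):
        scores[user] += WEIGHTS["correlation"]
        reasons[user].append("fail -> success -> bulk read within %s" % WINDOW)
    for user, total, threshold in baseline_outliers(events, BASELINE_DAILY_BYTES):
        scores[user] += WEIGHTS["outlier"]
        reasons[user].append(f"outbound {total} bytes vs baseline threshold {threshold}")
    for e in threat_intel_hits(events, BAD_IPS):
        scores[e["user"]] += WEIGHTS["threat_intel"]
        reasons[e["user"]].append(f"connection to {e['dest_ip']} on threat-intel list")
    return sorted(((u, scores[u], reasons[u]) for u in scores), key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for user, score, why in risk_scores(EVENTS):
        print(f"{user}: risk {score}")
        for r in why:
            print("   ", r)
```

Only rlee scores: jsmith's failed logon and later success are 90 minutes apart, so the window keeps them from correlating, and 1 MB outbound sits inside jsmith's baseline. Notice that no single finding is conclusive on its own; the risk score is what lifts rlee above the noise, which is the point of combining the three mechanisms rather than alerting on each.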