How to detect and respond to the accidental breach
•Download as PPTX, PDF•
1 like•499 views
Account takeover as a result of the hapless user remains one of the primary vectors for security breaches, and yet this is poorly understood by European organizations. Recent research from IDC revealed that eight in 10 organizations overly rely on traditional approaches to security that focus mainly on system protection and cannot detect and respond to the user activites that can result in a compromise. Nearly a third do not use basic methods of breach detection and fewer than one in five have any form of security analytics in place. This webinar, hosted byDuncan Brown, Research Director, IDC highlighted the security maturity of European organizations and how you can mature your cyber security program with Splunk.
Recommended
Recommended
More Related Content
Viewers also liked
Viewers also liked (15)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
How to detect and respond to the accidental breach
- 1. Copyright © 2016 Splunk Inc. The Impact of the Hapless User: Detecting & Responding to the Accidental Breach Matthias Maier Product Marketing Manager, Splunk Duncan Brown Research Director, IDC
- 2. Agenda About Splunk IDC: The impact of the hapless user: Detecting & responding to the accidental breach Customer Spotlight Analytics Driven Security •Showcase: Risk Scoring •Showcase: Security Response Automation •Recap Q&A 2
- 3. 3 Make machine data accessible, usable and valuable to everyone. 3
- 4. 4 Turning Machine Data Into Business Value Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics Internet of Things and Industrial Data
- 5. IT Operations Application Delivery Developer Platform (REST API, SDKs) Business Analytics Internet of Things and Industrial Data 5 Delivers Value Across IT and the Business Security, Compliance and Fraud
- 6. 6 Single Platform for Security Intelligence SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECT UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Splunk Complements, Replaces and Goes Beyond Existing SIEMs
- 7. The impact of the hapless user: Detecting & responding to the accidental breach Duncan Brown Research Director
- 8. Meet Dave © IDC Visit us at IDC.com and follow us on Twitter: @IDC 8
- 9. No patch for stupidity © IDC Visit us at IDC.com and follow us on Twitter: @IDC 9
- 10. What firms worry about © IDC Visit us at IDC.com and follow us on Twitter: @IDC 10 5% 12% 16% 19% 27% 28% 42% 67% Vulnerabilities in own software Malicious Insider Threat Lack of patching Vulnerabilities in 3rd party software Poor end user security practices Phishing attacks Advanced persistent threats Virus attacks and other malware What, in your opinion, are the most damaging form of threats your company faces?
- 11. What firms focus on? © IDC Visit us at IDC.com and follow us on Twitter: @IDC 11 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Fraud Theft of company data Unauthorised access to commercial or confidential company data Unauthorised access to customer or personnel accounts and/or data Destruction (deletion) of company data or assets Compromised account (stolen credentials) with administrator privileges Over-privileged accounts (too much access beyond assigned duties) Not at all important Slightly important Moderately important Very important Extremely important To what extent do you see the following threats important to manage?
- 12. Why is the insider threat so hard to find? © IDC Visit us at IDC.com and follow us on Twitter: @IDC 12 13% 18% 19% 24% 26% 32% 36% 39% 40% HR department co-ordination issues Internal politics Poor identity and access management No visibility into what's happening across silos Data privacy laws do not allow it Lack of employee screening Not knowing what normal looks like Lack of personnel education and/or training Not knowing what to look for What are the biggest obstacles to investigating threats using valid credentials?
- 13. Organisations are not facing inwards © IDC Visit us at IDC.com and follow us on Twitter: @IDC 13 Which of the following security technologies do you currently use in your organisation? Analytics Forensics & Incident Investigation Systems No Yes Yes
- 14. Copyright © 2016 Splunk Inc. Customer Spotlight 14
- 16. Bad Things Don’t Just ‘Happen’ 1 Major Incident 30 Minor Incidents 300 Near Misses 3,000 Unsafe Acts 30,000 Bad Practices
- 17. What is Normal?
- 18. Centralized Security Visibility at our Operations Bridge
- 19. Improved Incident Investigation Workflow When an alert is triggered we send an automated email to the system owner with instructions of what to do next Activity Alert Investigation New member added to Domain Admin Group E-Mail to infrastructure owners with detailed description & instructions for review Owner reviews the activity and makes decision
- 20. My Tips Encourage system owners to share their data by providing shared operational benefits Empower the users – send alerts and reports straight to them. Don’t let the security team be a bottleneck
- 22. Analytics-Driven Security Risk- Based Context and Intelligence Connecting Data and People 22
- 23. Security Intelligence 23 Developer Platform Report and analyze Custom dashboards Monitor, alert and respond Ad hoc search Threat Intelligence Asset & CMDB Employee Info Data Stores Applications Online Services Web Services Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices Firewall Authentication Threat Intelligence Servers Endpoint External Lookups
- 24. 24 Products for Security and Compliance Splunk Enterprise Security 390+ Security Apps Splunk User Behavior Analytics Palo Alto Networks FireEye Symantec DShield DNS OSSEC NetFlow Logic Cisco Security Suite F5 Security PCI Compliance Active Directory Blue Coat Proxy SG
- 25. Copyright © 2016 Splunk Inc. Showcase Risk Scoring in Cyber Security Splunk Enterprise Security
- 26. Alerts Alert 1 Alert 2 Host A Host B Accessing unusual network segments Malware Found but couldn’t be removed Worth an Investigation? Which one to investigate first?
- 27. Aggregation: Sample Day -15 •Host A: IDS Signature Triggers •Source: Network IDS Day -10 •Host A: AV System Triggers •Source: AntiVirus Day -5 •Host A: Multiple failed logins from this host •Source: Active Directory Today •Host A: accessing unusual network segments •Source: Network Traffic Correlation
- 28. Context: Risk Scoring Day -15 •Host A: IDS Signature Triggers •Source: Network IDS Day -10 •Host A: AV System Triggers •Source: AntiVirus Day -5 •Host A: Multiple failed logins from this host •Source: Active Directory Today •Host A: accessing unusual network segments •Source: Network Traffic Correlation Risk Score Host A: 0 + 10 Risk Score Host A: 10 + 30 Risk Score Host A: 40 + 30 Risk Score Host A: 70 + 5
- 29. Demo Splunk Enterprise Security Risk Scoring 29
- 30. Copyright © 2016 Splunk Inc. Showcase Security Response Automation Splunk Enterprise Security
- 31. Adaptive Response: Analytics-driven Decisions, Automation • Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times • Improve operational efficiency using workflow-based context with automated and human-assisted decisions • Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
- 32. Insight from Across Ecosystem 32 Effectively leverage security infrastructure to gain a holistic view Workflow Identity Network Internal Network Security App Endpoints Web Proxy Threat Intel 1. Palo Alto Networks 2. Anomali 3. Phantom 4. Cisco 5. Fortinet 6. Threat Connect 7. Ziften 8. Acalvio 9. Proofpoint 10. CrowdStrike 11. Symantec (Blue Coat) 12. Qualys 13. Recorded Future 14. Okta 15. DomainTools 16. Cyber Ark 17. Tanium 18. Carbon Black 19. ForeScout
- 33. Demo Splunk Enterprise Security Adaptive Response 33
- 34. Recap 34 Reduce risk and lower operational costs Don't let IT security be the bottleneck Focus on the important security incidents Automated and human-assisted execution of playbooks
- 35. FREE ONLINE ENTERPRISE SECURITY SANDBOX FREE DOWNLOAD FREE AMAZON MACHINE IMAGES (AMI) 35 Easy to Try & Get Started 1 32
- 36. Q&A
Editor's Notes
- At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
- Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collects and indexes machine data, from a single source to tens of thousands of sources. All in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights form your data. The Splunk Enterprise platform is optimized for real-time, low-latency and interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. The insights gained from machine data support a number of use cases and can drive value across your organization. [In North America] Splunk Cloud is available in North America and offers Splunk Enterprise as a cloud-based service – essentially empowering you with Operational Intelligence without any operational effort.
- Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
- They’re focusing too much attention on 12% of the problem But they can also result from hapless users having their account hijacked. You need forensics to tell, but this is only done after the fact.
- Industry • Telecommunication Splunk Use Cases • Security Challenges Fraud detection and report generation for e-payment Online banking security and threat detection Splunk Products • Splunk Enterprise Data Sources Payment Applications OS (700 Linux, 1200 Solaris, 500 Windows) Databases (52 Oracle & MSSQL) Network Devices and Appliances Case Study http://www.splunk.com/en_us/customers/success-stories/postfinance.html Video: http://www.splunk.com/en_us/resources/video.9oMGI5MzE6pX2zLFOsqUYEiwVRjcJBVm.html .CONF Session: http://conf.splunk.com/session/2015/conf2015_PHoffman_PostFinance_UsingSplunkSearchLanguage_HowSplunkConnectsBusiness.pdf Blog: http://blogs.splunk.com/2016/05/09/postfinance-bank-on-splunk-to-improve-fraud-detection/
- People are the most important part of your business. Splunk empowers your security teams with data. Your security teams perform a number of tasks <next slide>
- And use your Splunk environment to collect, analyze and enrich all this data that you are collecting. You will be well prepared to detect new attacks and quickly respond to the next breach.
- The Spunk Security Intelligence Platforms consists of multiple components. Foundational to the platform is Splunk Enterprise, our core product. Every Splunk deployment includes this for indexing and storage. Using this alone, customers can perform searches and easily build reports/dashboards from their data. A variety of applications can be installed on top of the Splunk Enterprise, ranging from 3rd party vendor apps, community developed apps and Splunk Apps. You can build apps on top for your use or to share within your company. Apps are a collection of reports, dashboards, and searches purpose-built for a specific use. Our premium security app is the Splunk Enterprise Security. It provides out-of-the-box security workflow, dashboards, reports, correlation rules that bring together security and infrastructure technologies across your company. Any of the apps can be mixed-and-matched to achieve the desired level of functionality.
- Gain a holistic view across all security relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more Detect, investigate and respond by overcoming silos
- Splunk software and cloud services are simple to deploy, scale from a single server deployment to global large-scale operations and delivers fast payback. Whether you’re using Hadoop, deploying in the cloud, or searching for an on-premises solution, getting started with Splunk software was designed from the ground up to be as frictionless possible. We have multiple options for getting started, designed to suit your needs: Try out Hunk, Splunk Cloud and Splunk Enterprise with our free online sandboxes. Want try it out on premises? Free downloads of Hunk and Splunk Enterprise are available. The product you download is the same product that scales to ingest petabytes of data per day. 3. Already running with Amazon Cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.