Account takeover resulting from a hapless user remains one of the primary vectors for security breaches, yet it is poorly understood by European organizations. Recent research from IDC revealed that eight in 10 organizations rely too heavily on traditional approaches to security that focus mainly on system protection and cannot detect and respond to the user activities that can result in a compromise. Nearly a third do not use basic methods of breach detection, and fewer than one in five have any form of security analytics in place.
This webinar, hosted by Duncan Brown, Research Director at IDC, highlighted the security maturity of European organizations and how you can mature your cyber security program with Splunk.
4. Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume
Data sources shown on the slide: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Deployment options: On-Premises, Private Cloud, Public Cloud
Ask Any Question
• Application Delivery
• Security, Compliance and Fraud
• IT Operations
• Business Analytics
• Internet of Things and Industrial Data
19. Improved Incident Investigation Workflow
When an alert is triggered we send an automated email to the system owner with instructions of what to do next.
Activity: New member added to Domain Admin Group
Alert: E-Mail to infrastructure owners with detailed description & instructions for review
Investigation: Owner reviews the activity and makes decision
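The workflow on this slide, written out as an added example rather than anything from the deck or from Splunk: a detection over Windows security events that picks out additions to the Domain Admins group and builds the owner notification with a description and review instructions. Event ID 4728 is the real Windows event for "a member was added to a security-enabled global group"; the log lines, host names, user names, owner mapping and e-mail addresses are constructed for the example, and the message is built but not sent.

```python
"""Added example: Domain Admins membership change -> owner notification.
Log lines, hosts, users and addresses below are constructed, not real."""
import re
from email.message import EmailMessage

# Constructed sample of Windows Security log lines, flattened to one event per line.
# EventCode 4728 is the real Windows event "A member was added to a
# security-enabled global group"; everything else on each line is made up.
SAMPLE_LOG = """\
2024-03-01T09:12:04Z host=DC01 EventCode=4728 Group="Domain Admins" Member="CORP\\jsmith" Subject="CORP\\admin-ops"
2024-03-01T09:13:30Z host=DC01 EventCode=4624 LogonType=3 Account="CORP\\svc-backup"
2024-03-01T09:20:11Z host=DC02 EventCode=4728 Group="Finance-Readers" Member="CORP\\aperez" Subject="CORP\\helpdesk"
2024-03-01T11:45:52Z host=DC01 EventCode=4728 Group="Domain Admins" Member="CORP\\svc-legacy" Subject="CORP\\jsmith"
"""

# Constructed ownership table: which infrastructure owner is notified for a group.
GROUP_OWNERS = {
    "Domain Admins": "ad-owners@example.com",  # placeholder address
}

# Groups whose membership changes are alerted on.
WATCHED_GROUPS = {"Domain Admins"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+)'
    r'(?: Group="(?P<group>[^"]+)" Member="(?P<member>[^"]+)" Subject="(?P<subject>[^"]+)")?'
)


def parse_events(log_text):
    """Parse the flattened log into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_privileged_group_changes(events):
    """The detection itself: event 4728 where the target group is one we watch."""
    return [e for e in events if e["code"] == "4728" and e["group"] in WATCHED_GROUPS]


def build_owner_email(event):
    """Build the notification the slide describes: description plus review instructions."""
    msg = EmailMessage()
    msg["To"] = GROUP_OWNERS[event["group"]]
    msg["From"] = "security-alerts@example.com"  # placeholder sender
    msg["Subject"] = f'[ACTION REQUIRED] New member in {event["group"]} on {event["host"]}'
    msg.set_content(
        f'At {event["ts"]}, {event["subject"]} added {event["member"]} to the '
        f'"{event["group"]}" group on {event["host"]} (Windows event {event["code"]}).\n\n'
        "Instructions:\n"
        "1. Confirm a change ticket exists for this membership change.\n"
        "2. If it was not authorised, remove the member and reply to this e-mail.\n"
        "3. If it was authorised, reply with the ticket reference so the alert can be closed.\n"
    )
    return msg


def alerts_for_log(log_text):
    """End to end: log text -> one e-mail message per detected change."""
    return [build_owner_email(e) for e in find_privileged_group_changes(parse_events(log_text))]


if __name__ == "__main__":
    for msg in alerts_for_log(SAMPLE_LOG):
        print(msg)
```

Running the block prints two messages: the 4624 logon and the Finance-Readers change are parsed but not alerted, while both Domain Admins additions are routed to the owner address with the same instructions, which is what lets the owner rather than the security team make the decision.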
20. My Tips
• Encourage system owners to share their data by providing shared operational benefits
• Empower the users – send alerts and reports straight to them. Don’t let the security team be a bottleneck
26. Alerts
Alert 1 (Host A): Accessing unusual network segments
Alert 2 (Host B): Malware found but couldn’t be removed
Worth an investigation? Which one to investigate first?
27. Aggregation: Sample
Day -15: Host A: IDS Signature Triggers (Source: Network IDS)
Day -10: Host A: AV System Triggers (Source: AntiVirus)
Day -5: Host A: Multiple failed logins from this host (Source: Active Directory)
Today: Host A: accessing unusual network segments (Source: Network Traffic Correlation)
28. Context: Risk Scoring
Day -15: Host A: IDS Signature Triggers (Source: Network IDS). Risk Score Host A: 0 + 10 = 10
Day -10: Host A: AV System Triggers (Source: AntiVirus). Risk Score Host A: 10 + 30 = 40
Day -5: Host A: Multiple failed logins from this host (Source: Active Directory). Risk Score Host A: 40 + 30 = 70
Today: Host A: accessing unusual network segments (Source: Network Traffic Correlation). Risk Score Host A: 70 + 5 = 75
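The aggregation and risk-scoring idea from slides 26 to 28, implemented as an added example (not from the deck or from Splunk's own risk framework): each alert carries a weight, weights accumulate per host over a time window, and the investigation queue is ordered by the accumulated score rather than by the latest alert alone. The four Host A weights (10, 30, 30, 5) are the slide's; the Host B "malware found, not removed" weight, the 30-day window and the threshold are constructed assumptions.

```python
"""Added example: per-host risk aggregation over an alert timeline.
Host A weights follow the slide; Host B's weight, the window and the
threshold are constructed for the example."""
from collections import defaultdict

# Risk weight per alert kind. The four Host A values come from the slide;
# "malware_not_removed" is a constructed assumption for the Host B alert.
RISK_WEIGHTS = {
    "ids_signature": 10,
    "av_trigger": 30,
    "failed_logins": 30,
    "unusual_segment": 5,
    "malware_not_removed": 50,
}

# Constructed timeline; "day" is relative to today (0 = today, negative = past).
EVENTS = [
    {"day": -15, "host": "Host A", "kind": "ids_signature", "source": "Network IDS"},
    {"day": -10, "host": "Host A", "kind": "av_trigger", "source": "AntiVirus"},
    {"day": -5, "host": "Host A", "kind": "failed_logins", "source": "Active Directory"},
    {"day": 0, "host": "Host A", "kind": "unusual_segment", "source": "Network Traffic Correlation"},
    {"day": 0, "host": "Host B", "kind": "malware_not_removed", "source": "AntiVirus"},
]


def risk_timeline(events, host, window_days=30):
    """Running score for one host, oldest first, as (day, before, added, after)."""
    score = 0
    rows = []
    in_window = (e for e in events if e["host"] == host and e["day"] >= -window_days)
    for e in sorted(in_window, key=lambda e: e["day"]):
        added = RISK_WEIGHTS[e["kind"]]
        rows.append((e["day"], score, added, score + added))
        score += added
    return rows


def host_scores(events, window_days=30):
    """Aggregation step: total score per host for alerts inside the window."""
    totals = defaultdict(int)
    for e in events:
        if e["day"] >= -window_days:
            totals[e["host"]] += RISK_WEIGHTS[e["kind"]]
    return dict(totals)


def investigation_queue(events, threshold=60, window_days=30):
    """Context step: hosts at or over the threshold, highest score first."""
    scores = host_scores(events, window_days)
    ranked = sorted(scores.items(), key=lambda hs: -hs[1])
    return [(host, score) for host, score in ranked if score >= threshold]


if __name__ == "__main__":
    for day, before, added, after in risk_timeline(EVENTS, "Host A"):
        print(f"day {day:>3}: {before} + {added} = {after}")
    print("scores:", host_scores(EVENTS))
    print("investigate first:", investigation_queue(EVENTS))
```

Seen on its own, today's Host A alert is worth only 5 points and would lose to Host B's malware alert; with the window of earlier alerts included, Host A reaches 75 and heads the queue. Shrinking the window (for example to 7 days) drops the older IDS and AV context and Host A falls back to 35, which is the practical reason the window length is a tuning decision and not a constant.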
31. Adaptive Response: Analytics-driven Decisions, Automation
• Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times
• Improve operational efficiency using workflow-based context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
32. Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
Integration areas shown on the slide: Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel
Partner ecosystem shown on the slide:
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout
34. Recap
• Reduce risk and lower operational costs
• Don't let IT security be the bottleneck
• Focus on the important security incidents
• Automated and human-assisted execution of playbooks
At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is what we describe as Operational Intelligence.
The insights gained from machine data support a number of use cases and can drive value across your organization.
[In North America]
Splunk Cloud is available in North America and offers Splunk Enterprise as a cloud-based service – essentially empowering you with Operational Intelligence without any operational effort.
Splunk is a Security Intelligence Platform and we can address a number of security use cases. We’re more flexible than a SIEM and can be used for non-security use cases. Splunk software can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection and finding insider threats.
They’re focusing too much attention on 12% of the problem
But they can also result from hapless users having their account hijacked. You need forensics to tell, but this is only done after the fact.
Industry: Telecommunication
Splunk Use Cases: Security
Challenges:
• Fraud detection and report generation for e-payment
• Online banking security and threat detection
Splunk Products: Splunk Enterprise
Data Sources:
• Payment Applications
• OS (700 Linux, 1200 Solaris, 500 Windows)
• Databases (52 Oracle & MSSQL)
• Network Devices and Appliances
Case Study: http://www.splunk.com/en_us/customers/success-stories/postfinance.html
Video: http://www.splunk.com/en_us/resources/video.9oMGI5MzE6pX2zLFOsqUYEiwVRjcJBVm.html
.CONF Session: http://conf.splunk.com/session/2015/conf2015_PHoffman_PostFinance_UsingSplunkSearchLanguage_HowSplunkConnectsBusiness.pdf
Blog: http://blogs.splunk.com/2016/05/09/postfinance-bank-on-splunk-to-improve-fraud-detection/
People are the most important part of your business. Splunk empowers your security teams with data.
Your security teams perform a number of tasks <next slide>
And use your Splunk environment to collect, analyze and enrich all this data that you are collecting.
You will be well prepared to detect new attacks and quickly respond to the next breach.
The Splunk Security Intelligence Platform consists of multiple components. Foundational to the platform is Splunk Enterprise, our core product. Every Splunk deployment includes it for indexing and storage. Using this alone, customers can perform searches and easily build reports and dashboards from their data. A variety of applications can be installed on top of Splunk Enterprise, ranging from third-party vendor apps and community-developed apps to Splunk Apps. You can build apps on top for your own use or to share within your company. Apps are a collection of reports, dashboards and searches purpose-built for a specific use.
Our premium security app is Splunk Enterprise Security. It provides out-of-the-box security workflow, dashboards, reports and correlation rules that bring together security and infrastructure technologies across your company. Any of the apps can be mixed and matched to achieve the desired level of functionality.
Gain a holistic view across all security relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more
Detect, investigate and respond by overcoming silos
Splunk software and cloud services are simple to deploy, scale from a single-server deployment to global large-scale operations and deliver fast payback. Whether you’re using Hadoop, deploying in the cloud, or searching for an on-premises solution, getting started with Splunk software was designed from the ground up to be as frictionless as possible.
We have multiple options for getting started, designed to suit your needs:
1. Try out Hunk, Splunk Cloud and Splunk Enterprise with our free online sandboxes.
2. Want to try it out on premises? Free downloads of Hunk and Splunk Enterprise are available. The product you download is the same product that scales to ingest petabytes of data per day.
3. Already running with Amazon Cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.