This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

1. Copyright © 2016 Splunk Inc.
Splunk Enterprise Security & Splunk UBA Overview
SplunkLive Toronto 2016
Anurag Gurtu agurtu@splunk.com
Director, Product Marketing, Splunk Behavioral Analytics
Daniel Phaneuf dphaneuf@splunk.com
Splunk Systems Engineer

2. 2
2
> Anurag Gurtu agurtu@splunk.com
• 1 year at Splunk – Director, Product Marketing, Splunk
Behavioral Analytics
• 15 years in Security (Caspida, FireEye, Cisco, Tripwire,
Computer Associates) in following roles: Product
Management, Technical Marketing, R&D, Software
Development and Professional Services.
• CISSP and a few Cisco Certifications (Firewall, IPS, Routing,
and Switching)
Who Am I (1/2)

3. 3
3
> Daniel Phaneuf dphaneuf@splunk.com
• 1 year at Splunk – Senior Systems Engineer
• Based in Montreal
• 25 years in IT in following roles: SE, Sysadmin, Network
management and Security, Software and Hardware
development
• Not a security expert, Splunk expert
Who Am I (2/2)

4. 4
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

5. 5
Agenda
Splunk Portfolio Update
Enterprise Security
User Behavior Analytics

6. 6
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

7. 7
All Data is Security Relevant
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-Malware
Vulnerability
Scans
Traditional SIEM
Authentication

8. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

9. 9
Adaptive Response Initiative – RSA 2016
9
App workflow
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints
Mission: Bring together the best security
technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-
to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain

10. Splunk Enterprise Security

11. Splunk Enterprise Security
Incident Investigations & ManagementAlerts & Dashboards & Reports
Statistical Outliers & Risk Scoring & User Activity Threat Intel & Asset & Identity Integration
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
11

12. What’s new in Splunk Enterprise Security?

13. 13
Behavioral Analytics Brought to SIEM Workflow
• All UBA anomalies available in ES
• Manager – UBA Reporting within ES – pre-built, customizable
• SOC analyst – UBA Anomaly data available for correlation – alerts, threat intel, domain data
• Hunter/Investigator- Perform ad-hoc searching/pivoting for Incident Response and Breach Analysis
13
ES 4.1 and UBA 2.2
Detect and Investigate faster using ML integrated with SIEM

14. 14
Prioritize, Speed Investigations – Risk Score, Searches
• Use the new risk scores and quick
searches to determine the impact of an
incident quickly
• Use risk scores to generate actionable
alerts to respond on matters that
require immediate attention.
14
Streamlines Incident Review and Response

15. 15
Facebook ThreatExchange
• Provides domain names, IPs, hash threat
indicators
• Use with ad hoc searches and investigations
15
• Need an app ID and secret from Facebook
• Config Splunk add-on for FB ThreatExchange
• Customers already use !

16. 16
Enhanced Investigation Timeline
Add file attachments to
Investigation Timeline
16
Export Investigation Timeline as PDF

17. 17
Replacing a SIEM @ Cisco
Challenges
• SIEM could not meet security needs
• Very difficult to index non-security or custom app log data
• Serious scale and speed issues. 10GB/day and searches took > 6 minutes
• Difficult to customize, reliance on pre-built rules which generated false positives
Splunk Solution
• Easy to index any type of machine data from any source
• Over 60 simultaneous users, correlations, reporting, advanced threat detection
• Use all data + flexible searches and reporting = empowered team
• 900 GB/day and searches take < minute. 7 global data centers with 350TB store
• Estimated that Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk
from traditional SIEM
as Splunk is designed
and engineered for “big
data” use cases. Our
previous SIEM was not
and simply could not
scale to the data
volumes we have. “
- Gavin Reid, Leader,
Cisco Computer
Security Incident
Response Team

18. Must read for anyone operating a SOC
Cisco CSIRT playbook

19. Splunk User Behavior Analytics

20. 20
Familiar With These Breaches?
January 2015 February 2015 February 2015
Morgan Stanley
730K
PII Records
Anthem Insurance
80M
Patient Records
Office of Personal
Management
22M
PII Records
July 2015
Pentagon Unclassified
Email System
4K
PII Records

21. 21
What Is The Problem COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

22. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Cyber Attack Detection Insider Threat Detection Security Analytics
Platform for Machine Data

23. Splunk User Behavioral Analytics
FIVE FOUNDATIONAL Pillars
Platform for Machine Data
Behavior Baseline &
Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Anomaly Detection Threat Detection

24. What’s new in Splunk UBA?

25. 25
Enhanced Insider Threat And Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2

26. 26
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

27. 27
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

28. 28
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
§ Risk Percentile & Dynamic Peer Groups
§ Support for Additional 3rd Party Devices
UBA 2.2

29. A Few Customer Findings
q Malicious Domain
q Beaconing Activity
q Malware: Asprox
q Webshell Activity
q Pass The Hash Attack
q Suspicious Privileged
Account activity
q Exploit Kit: Fiesta
q Lateral Movement
q Unusual Geo Location
q Privileged Account
Abuse
q Access Violations
q IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

30. 30
What Customers Have To Say About Splunk UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be oneof themost advanced technologies within thebehavioralanalytics space.
Randolph Barr, CSO, Saba

31. ES & UBA Demo

32. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

33. 33
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

34. Thank You!