Security Track session

1. Security Track
Opera/onal Security Intelligence

2. 2
Splunk Live Security Track Today
13:00-14:00: Opera-onal Security Intelligence
14:00-15:00: Splunk for Enterprise Security featuring User
Behavior Analy/cs
15:00-16:00: Cloud Breach – Detec/on and Response
16:00-17:00: Happy Hour
17:00 – 19:30: Splunk London User Group Mee8ng
ê Register and more Info/Agenda: hOps://usergroups.splunk.com

3. Opera/onalizing Security Intelligence
MaOhias Maier
CISSP, CEH, Product Marke/ng Manager

4. 4
Who I am
• Now Product Marke/ng Manager EMEA
• 7 Years Consultant Security + Big Data
• 3+ Years at Splunk, McAfee (Intel Security),
Tibco LogLogic
• worked with top organiza/ons across
industries advising customers
• CISSP, Cer/fied ethical Hacker

5. 5
Disclaimer
5
During the course of this presenta/on, we may make forward looking statements regarding future
events or the expected performance of the company. We cau/on you that such statements reflect our
current expecta/ons and es/mates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in the this presenta/on are being made as of the /me and date of its live
presenta/on. If reviewed acer its live presenta/on, this presenta/on may not contain current or
accurate informa/on. We do not assume any obliga/on to update any forward looking statements we
may make.
In addi/on, any informa/on about our roadmap outlines our general product direc/on and is subject to
change at any /me without no/ce. It is for informa/onal purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obliga/on either to develop the features
or func/onality described or to include any such feature or func/onality in a future release.

6. 6
Agenda
The super hero and the fish market – a short story
What is Security Intelligence
For the bosses
Demos and Examples

7. 7
hOps://i.y/mg.com/vi/4GmMNF1b0Lw/maxresdefault.jpg

8. 8 hOp://www.technobuffalo.com/wp-content/uploads/2015/07/Xena.jpeg

9. 9
hOps://epicheroism.files.wordpress.com/2013/09/
kratos_god_of_war-1680x1050.jpg

10. 10
hOp://www.entrust.com/wp-content/uploads/2013/02/
Entrust-MobileDemo-RSA20131.jpg

11. 11

12. 12

13. 13
hOp://www.123rf.com/photo_30266410_seaOle-july-5-customers-at-pike-place-fish-company-wait-to-order-fish-at-the-famous-seafood-market-.html

14. 14
Lone hacker…

15. 15
Organized Criminals

16. 16
Crossing the Chasm

17. 17
Crossing the Chasm

18. 18
Security Intelligence
Informa/on relevant to protec/ng an
organiza/on from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that informa/on.
hOp://wha/s.techtarget.com/defini/on/security-intelligence-SI

19. 19
Security Intelligence
Informa/on relevant to protec/ng an
organiza/on from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that informa/on.
hOp://wha/s.techtarget.com/defini/on/security-intelligence-SI

20. 20
Intelligence
Ac/onable informa/on that provides an
organiza/on with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates mul/ple processes and
prac/ces designed to protect the organiza/on.
hOp://wha/s.techtarget.com/defini/on/security-intelligence-SI

21. 21
Intelligence
Ac/onable informa/on that provides an
organiza/on with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates mul/ple processes and
prac/ces designed to protect the organiza/on.
hOp://wha/s.techtarget.com/defini/on/security-intelligence-SI

22. 22
Opera/onalizing Security Intelligence

23. 23
Connec/ng People and Data
Through a Nerve Center

24. Opera-onalizing Security Intelligence
Risk-Based Context and Intelligence
Connec-ng
People and Data
24

25. 25
Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

26. 26
Requirements: Risk Based Analy/cs

27. 27
Network Endpoint Access
Data Sources
Threat Intelligence

28. Persist, Repeat
Threat Intelligence
Access/Iden-ty
Endpoint
Network
AOacker, know relay/C2 sites, infected sites, IOC,
aOack/campaign intent and aOribu/on
Where they went to, who talked to whom, aOack
transmiOed, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.)
Process owner, registry mods, aOack/malware
ar/facts, patching level, aOack suscep/bility
Access level, privileged users, likelihood of infec/on,
where they might be in kill chain
• Third-party threat intel
• Open-source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Endpoint (AV/IPS/FW)
• Malware detec/on
• PCLM
• DHCP
• OS logs
• Patching
• Ac/ve Directory
• LDAP
• CMDB
• Opera/ng system
• Database
• VPN, AAA, SSO
Data Sources Required
• Web proxy
• NetFlow
• Network

29. 29
Risk Based Analy/cs
Network Endpoint Access Threat Intelligence
Rules/String/Regex matching
Sta/s/cal outliers and anomalies
Session and Behavior profiling
Scoring and aggrega-on

30. 30
Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

31. 31
Example - Situa/on
Day 1
• Host A: IDS
Signature
Triggers
• Source:
Network
IDS
Day 5
• Host A: AV
System
Triggers
• Source:
An/Virus
Day 10
• Host A:
Mul/ple
failed logins
from this
host
• Source:
Ac/ve
Directory
Day 20
• Host A:
accessing
unusual
network
segments
• Source:
Network
Traffic
Correla/on

32. 32
Context: Risk Scoring
Day 1
• Host A: IDS
Signature
Triggers
• Source:
Network
IDS
Day 5
• Host A: AV
System
Triggers
• Source:
An/Virus
Day 10
• Host A:
Mul/ple
failed logins
from this
host
• Source:
Ac/ve
Directory
Day 20
• Host A:
accessing
unusual
network
segments
• Source:
Network
Traffic
Correla/on
Risk Score
Host A: 0 + 10
Risk Score
Host A: 10 + 30
Risk Score
Host A: 40 + 30
Risk Score
Host A: 70 + 5

33. 33
Demo 1

34. 34
Requirements: Context and Intelligence

35. 35
Context and Intelligence
Integrate across technologies
Automated context matching
Automated context acquisi/on
Post processing and post analysis
Threat
Intelligence
Asset
& CMDB
API/SDK
Integra-ons
Data
Stores
Applica-ons

36. 36
Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

37. 37
Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Risk Score Host A: 75 Risk Score Host B: 5
Worth an Investigation?
Which one to investigate first?

38. 38
Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Risk Score Host A: 75 Risk Score Host B: 5
System Owner: Juergen Klopp
Loca/on: Liverpool
System Owner: Donald Duck
Department: Duckburg
Confiden/ality Level: High Confiden/ality Level: Low
Worth an Investigation?
Which one to investigate first?

39. 39
Splunk Sample:

40. 40 hOp://www.entrust.com/wp-content/uploads/2013/02/Entrust-MobileDemo-RSA20131.jpg

41. 41
Requirements: Connec/ng Data and People

42. 42
Connec/ng People and Data
Human mediated automa/on
Sharing and collabora/on
Free form inves-ga-on – human intui-on
Interact with views and workflows
Any data, all data
Automa/on Collabora/on Inves/ga/on Workflows All data

43. 43
Demo 2

44. 44
Visual Inves/ga/ons – Kill Chain

45. Opera-onalizing Security Intelligence
Risk-Based Context and Intelligence
Connec-ng
People and Data
45

46. 46
SECURITY USE CASES
In
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
MONITORING
OF UNKNOWN,
ADVANCED
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
INSIDER
THREAT
46
Splunk Can Complement OR Replace an Exis/ng SIEM
INSIDER
THREAT

47. 47
SPLUNK FOR SECURITY
47
SECURITY APPS & ADD-ONS
SPLUNK
APP FOR PCI
SIEM Security Analy/cs
Fraud, Thec
and Abuse
Plaqorm for
Security Services
SPLUNK
USER BEHAVIOR ANALYTICS
Wire data
Windows = SIEM integra/on
RDBMS (any) data
SPLUNK
ENTERPRISE SECURITY

48. 48

49. 49
Adap/ve Response
Remedia/ng user account take over
Detect:
• Malicious Logons
Respond:
• Reset Password
Orchestrate Automa/on

50. 50

51. 51
SPLUNK IS THE NERVE CENTER
51
App Endpoint/
Server
Cloud
Threat
Intelligence
Firewall
Web
Proxy
Internal Network
Security
Iden/ty
Network

52. 52
Connec/ng People and Data
Through a Nerve Center

53. 53
Gesng Started
Splunk
Enterprise Free
Download
Enterprise
Security Cloud
Trial
Splunk UBA
Proof of Value

54. 54
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Cer/fied for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk educa/on!

55. 55
Crossing the Chasm

56. 56
Thank You
@MaOhias_by