Presented at SplunkLive! Warsaw 2016

1. Copyright © 2016 Splunk Inc.
Security Session
Philipp Drieger
Sales Engineer

2. 2
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.

3. 3
Agenda
Splunk for Security
ZEUS Demo

4. Splunk for Security

5. 5

6. 6
CYBER
CRIMINALS
MALICIOUS
INSIDERS
NATION
STATES
6

7. 7
Advanced Threats Are Hard to Find
7
Cyber Criminals
Nation States
Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
100%
Valid credentials were used
40
Average # of systems accessed
229
Median # of days before detection
67%
Of victims were notified by
external entity

8. 8 8
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-
Malware
Vulnerability
Scans
Traditional
Authentication
All Data is Security Relevant = Big Data

9. 9
Solution: Splunk, The Engine For Machine Data
9
Online
Services
Web
Services
Servers
Security
GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
Applications
Messaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
Real-Time
Machine Data
References – Coded fields, mappings, aliases
Dynamic information – Stored in non-traditional formats
Environmental context – Human maintained files, documents
System/application – Available only using application request
Intelligence/analytics – Indicators, anomaly, research, white/blacklist

10. 10
Fraud
Detection
Insider
Threat
Advanced
Threat
Detection
Security &
Compliance
Reporting
Incident
Analysis &
Investigations
Real-time
Monitoring
& Alerting
Security Intelligence Use Cases
Splunk provides solutions that address SIEM use cases and more
Security &
Compliance
Reporting
Incident
Analysis &
Investigations
Real-time
Monitoring
& Alerting

11. 11 1
1
Example Patterns of Fraud in Machine Data
Industry Type of Fraud/Theft/Abuse Pattern
Financial Services Account takeover
Abnormally high number or dollar amounts of wire transfer
withdrawals
Healthcare Physician billing Physician billing for drugs outside their expertise area
E-Tailing Account takeover Many accounts accessed from one IP
Telecoms Calling plan abuse
Customer making excessive amount of international calls
on an unlimited plan
Online Education Student loan fraud
Student receiving federal loan has IP in “high-risk” overseas
country and is absent from online classrooms and forums

12. 12
Insider Threat
What To Look For Data Source
Abnormally high number of file transfers to USB or CD/DVD OS
Abnormally large amount of data going to personal webmail account or uploaded to external
file hosting site
Email / web server
Unusual physical access attempts (after hours, accessing unauthorized area, etc) Physical badge records / AD
Above actions + employee is on an internal watchlist as result of transfer / demotion / poor
review / impending layoff
HR systems / above
User name of terminated employee accessing internal system AD / HR systems
12

13. 13
Example of Advanced Threat Activities
1
3
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
Conduct
Business
Create additional
environment
Gain Access
to systemTransaction
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files
Web
Portal.pdf
Attacker creates
malware, embed in .pdf,
Emails
to the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security

14. 14
Connect the “Data-Dots” to See the Whole Story
1
4
Persist, Repeat
Threat intelligence
Auth - User Roles,
Corp Context
Host
Activity/Security
Network
Activity/Security
Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign
intent and attribution
Where they went to, who talked to whom, attack transmitted,
abnormal traffic, malware download
What process is running (malicious, abnormal, etc.) Process
owner, registry mods, attack/malware artifacts, patching level,
attack susceptibility
Access level, privileged users, likelihood of infection, where they
might be in kill chain
Delivery, Exploit
Installation
Gain Trusted
Access
ExfiltrationData GatheringUpgrade (escalate)
Lateral movement
Persist, Repeat
• Third-party Threat Intel
• Open source blacklist
• Internal threat intelligence
• Firewall
• IDS / IPS
• Vulnerability scanners
• Web Proxy
• NetFlow
• Network
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating System
• Database
• VPN, AAA, SSO

15. 15
Threat intelligence
Host
Activity/Security
Network
Activity/Security
Command & ControlExploitation & InstallationDelivery Accomplish Mission
Security Ecosystem for Coverage and Protection
Auth - User Roles,
Corp Context

16. 16
STIX/TAXII and Open IOC 101
• Info sharing across companies
and industries
• Standardized XML
• IOCs include IPs, web/email
domains, hashes, processes,
registry key, certificates

17. 17
Threat Intelligence in Splunk

18. 18
Sample TAXII Feeds
User Community Organisation
Cyber Threat XChange Health Information Trust Alliance
Defense Security Information Exchange Defense Industrial Base Information and Sharing
and Analysis Organization
ICS-ISAC Industrial Control System Information Sharing and
Analysis Center
NH-ISAC National Health Cybersecurity
Intelligence Platform
National Health Information and Analysis Center
FS-ISAC / Soltra Edge Financial Services Information Sharing and
Analyses Center (FS-ISAC)
Retail Cyber Intelligence Sharing Center,
Intelligence Sharing Portal
Retail Information Sharing and Analysis Center
(Retail-ISAC)
More: http://stixproject.github.io/supporters/

19. ZEUS Demo