SplunkLive! Hamburg / München Enterprise Security 2.4
SplunkLive! Hamburg / München Enterprise Security 2.4
Transcript

  • 1. Copyright © 2013 Splunk Inc. Splunk App for Enterprise Security. Matthias Maier, CISSP, System Engineer
  • 2. SIEM is a SIEVE for Today's Threats. Traditional SIEM: typical SIEM architecture, data reduction model. Splunk. The 'trouble' with traditional SIEMs:
    • Model predetermines investigations
    • Lack of flexibility
    • Lack of scalability
    • Can't re-analyze 'old' SEM events with new or additional data
    • Specializes in 'known threat' detection
  • 3. Splunk App for Enterprise Security
    • Scalability to manage multi-terabytes of real-time and historical data
    • Pre-built security correlation rules, reports, and dashboards
    • Statistical analysis for defining 'normal'
    • Incident investigation and management framework
    First solution with out-of-the-box content to manage known and unknown threats. Audiences: Security Analysts, SOC Staff, Security Execs/Mgrs, Security Auditors
  • 4. "Defense-in-depth" Requires a New Strategy. Two types of analysis to fight today's threats.
    Traditional monitoring for known events:
    • In the 'wild' but prevalent
    • Uses vendor-supplied signatures
    • Generally caught by IDS/IPS, AV or firewall
    • Reported to traditional SIEM
    Statistical analysis for unknown events:
    • Hidden in terabytes of 'normal' user activity
    • Circumvents perimeter defenses
    • Often uses HTTP to communicate
    • Much harder to find without advanced analytics
  • 5. Enterprise Security 2.4 Content Focus: analysis of real-time and historical data using Splunk statistical analytics to better understand, detect and address unknown threats.
  • 6. New ES 2.4 Features
    • New statistical analysis dashboards
    • Manual notable event creation
    • Improved list / lookup editing
    • Proxy traffic
  • 7. New Dashboard: Traffic Size Analysis
    • Compare traffic data with statistical data to find outliers
    • Identify suspicious data exfiltration patterns
    • Drill down to look for anomalous source/destination traffic
  • 8. New Dashboard: HTTP Category Analysis
    • Investigate 'unknown' HTTP traffic
    • Find low-volume traffic activity
    • Compare with statistical data to find outliers
    • Look for suspicious patterns of activity by category
  • 9. New Dashboard: URL Length Analysis
    • Compare each URL statistically to identify outliers
    • Investigate long URLs where no referrer exists
    • See how many assets are talking to the URL
    • Look for long URLs that may include embedded C&C instructions
  • 10. New Dashboard: New Domain Analysis
    • Identify unexpected top-level domain activity
    • Hosts talking to recently registered domains
    • Discover outlier activity to newly registered domains
  • 11. New Dashboard: HTTP User Agent Analysis
    • Whitelist or blacklist specific user agents
    • Visualize outliers as compared to statistically normal activity
    • Evaluate user agents for command-and-control activity
    • Find unexpected HTTP communication activity
  • 12. Create Manual Notable Events
    • Open an incident against any data using a workflow action
    • Assign the incident for response
  • 13. Per-Panel Filtering
    • Whitelist items so they do not show up in the list
    • Blacklist items to make them show up
    • Write correlation searches against blacklisted items to generate notable events
    • Manually enter items with wildcards
  • 14. New and Improved List / Lookup Editor
    • More easily edit values in each of the columns
    • Color coding for specialized fields for added visual clarity
    • Add new rows of data with a single right-click action
  • 15. Customer Quote: "Finding advanced threats is hard. What Splunk has done with the Enterprise Security 2.4 release is make it easier to find and visualize unusual characteristics of data using statistics," said Jim Krev, Sr. Security Manager, Fieldglass Inc. "This can help to detect a malicious payload left on a host and its outbound communication. The visualizations also make it easier for me to assure management that our AV software is working sufficiently and we have had no payload problems."
  • 16. Enterprise Security 2.4 Delivers: applies statistical models on machine data to help find patterns and detect anomalous behaviors created by unknown threats.
  • 17. Other Apps
  • 18. Thank You
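The URL Length Analysis dashboard on slide 9 describes one of the statistical checks the deck keeps returning to: baseline the population, flag the outliers, then ask whether a referrer exists and how many assets touch the URL. The following is an added illustration, not Splunk's or the app's own code, of that logic over a few constructed key=value proxy lines; the field names `src`, `url` and `referer`, the median-plus-MAD threshold and the sample values are all assumptions made here.

```python
import statistics
from collections import defaultdict

# Constructed proxy log sample (not taken from the page). Each line is a
# simplified key=value export with source host, requested URL and referrer.
SAMPLE_LOGS = [
    "src=10.0.0.5 url=http://news.example.com/index.html referer=-",
    "src=10.0.0.5 url=http://news.example.com/story/2013/05/01 referer=http://news.example.com/index.html",
    "src=10.0.0.6 url=http://cdn.example.net/js/app.js referer=http://news.example.com/index.html",
    "src=10.0.0.7 url=http://mail.example.org/inbox referer=-",
    "src=10.0.0.8 url=http://cdn.example.net/css/site.css referer=http://news.example.com/index.html",
    # One very long, referrer-less URL with an opaque query blob: the kind of
    # record the dashboard is meant to surface for an analyst to investigate.
    "src=10.0.0.9 url=http://203.0.113.9/x.php?d=" + "QUJDREVGRw" * 30 + " referer=-",
]

def parse_line(line):
    """Split a key=value proxy line into a dict (URLs here contain no spaces)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def url_length_outliers(lines, k=3.0):
    """Return the URLs whose length exceeds median + k*MAD of all requests
    AND that were fetched without a referrer, each with the number of
    distinct source assets that requested it (slide 9's three questions)."""
    events = [parse_line(line) for line in lines]
    lengths = [len(e["url"]) for e in events]
    median = statistics.median(lengths)
    # Median absolute deviation is robust to the very outliers we hunt for;
    # a plain mean/stddev baseline would be dragged upward by them.
    mad = statistics.median(abs(x - median) for x in lengths) or 1.0
    threshold = median + k * mad
    sources = defaultdict(set)
    for e in events:
        sources[e["url"]].add(e["src"])
    flagged = {}
    for e in events:
        if len(e["url"]) > threshold and e.get("referer", "-") == "-":
            flagged[e["url"]] = {
                "length": len(e["url"]),
                "asset_count": len(sources[e["url"]]),
                "threshold": threshold,
            }
    return flagged

if __name__ == "__main__":
    for url, info in url_length_outliers(SAMPLE_LOGS).items():
        print(f"{info['length']:>4} chars, {info['asset_count']} asset(s): {url[:60]}...")
```

A single flagged URL requested by one asset is an investigation lead, not a verdict; the dashboard's per-panel whitelist (slide 13) is where known-good long URLs such as CDN cache-busters are suppressed.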