
Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics


Slide deck delivered at the April Splunk User Group in Edinburgh: Building Splunk Apps, Development Paths with Splunk & User Behaviour Analytics.
Sign up to the group here: https://usergroups.splunk.com/group/splunk-user-group-edinburgh/

Published in: Data & Analytics


  1. Copyright © 2017 Splunk Inc. Splunk User Group Edinburgh: Building Splunk Apps, Skills Development & Splunk UBA, April 2017
  2. Introduction - Harry McLaren ● Alumnus of Edinburgh Napier ● Senior Security Consultant at ECS – Role: Specialist Splunk Consultant & Enablement Lead – Specialism: Enterprise Security (SIEM) / Complex Deployments ● Splunk User Group Edinburgh: Leader / Founder
  3. Introduction to ECS: Strategic Splunk Partner - UK – Type: Security / IT Operations / Managed Services – Awards: Splunk Revolution Award & Splunk Partner of the Year 2016
  4. (no text on slide)
  5. Agenda • Housekeeping: Overview & House Rules • Presentation & Demo: Building Splunk Apps • Group Discussion: In-House Developed Apps • Presentation: Development Paths & Splunk Certification • Presentation & Demo: Splunk User Behaviour Analytics
  6. Splunk [Official] User Group “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved” ● User-Led Technical Discussions ● Sharing Environment ● Build Trust ● No Sales!
  7. Building Splunk Apps - Adam Thomson
  8. Adam Thomson: Alumnus of Edinburgh Napier University; ECS - Associate Security Consultant
  9. What is an App? Visualization, Analysis & Action ● Apps deliver a user experience designed to make Splunk immediately useful and relevant for typical tasks and roles. ● Apps simplify and optimize user tasks, yet allow access to the data and functions of the full platform. – Pre-built dashboards, reports, alerts and workflows – In-depth data analysis for power users – Point-and-click analytics to empower business users
  10. What can we do with them? ● Most apps are focused on: – Carrying out Alert Actions – Inputs – Visualizations
  11. Where do we get them from? ● Splunkbase.splunk.com – Splunkbase is a library of 1000+ apps and add-ons from Splunk, Partners, and the community. – Splunkbase has a range of Premium Apps and Free Apps across many different categories ● Or develop them yourself!!!
  12. How can I Develop an App? Splunk Web Form Editor ● You don’t have to be a developer or familiar with XML scripting to create an App. ● Splunk Web makes it easy to create a UI in a simple point-and-click manner
  13. How can I Develop an App? Edit XML Directly ● If you have some familiarity with Simple XML, but you are not a developer per se, and you want to create/customize your dashboards beyond what you can do in the Splunk Web editor ● Then you can hack away at the XML using your favourite text editor, or in the browser with Splunk Web.
  14. Make it your own ● You can add your own artefacts to the App's configuration to improve its appearance or functionality ● Add your own images, emblems, logos etc. ● Configure workflow actions to trigger a script that carries out a specific action, taking parameters from the output of the search/report
  15. My approach to Developing Apps: Hybrid Approach ● A combination of the Web Form Editor and writing XML can go a long way... ● The Web Form Editor is great for creating a simple template with views and visualizations ● However, writing the XML gives much more granular control over the layout and appearance of the Apps ● Using XML allows for the creation of much more advanced dashboards and visualisations
  16. ECS Splunk Hackathon App Requirements ● We needed a central location to outline the instructions, guidelines, SPL language support etc. ● The most elegant solution was to create an ECS-branded app to house all of the information
  17. The Final Result…
  18. The Final Result…
  19. The Final Result…
  20. Thank You
  21. Splunk Development Paths - Robert Williamson
  22. Robert Williamson: Alumnus of Edinburgh Napier University; IBM - Security Specialist; ECS - SOC Analyst, Senior SOC Analyst and Security Consultant
  23. FREE!!! Certification Courses: Splunk Education Offerings
  24. Courses for Users
  25. Courses for Administrators
  26. Courses for Architects
  27. Certification Paths
  28. Certificates and Badges: Robert Williamson, Splunk Certified Admin – DATE: Jun 14, 2016 – VERSION: 6.3 – LICENSE #: Cert-103777
  29. Duration of certification ● Splunk Certified Power User = 24.5 hours: Creates and manages knowledge objects that are used across an organization. – Training: Using Splunk | Searching and Reporting with Splunk | Creating Splunk Knowledge Objects | Splunk Infrastructure Overview ● Splunk Certified Administrator = 21 hours: System administrators who manage a Splunk Enterprise environment. – Training: Enterprise System Administration | Enterprise Data Administration ● Splunk Certified Architect = 20 hours: Design and implement Splunk installations including enterprise-level deployments. – Training: Advanced Dashboards and Visualizations | Architecting and Deploying Splunk | Splunk Cluster Administration | Advanced Searching and Reporting
  30. Specialist Courses ● Courses for Splunk Cloud Customers: Splunk Education's learning path for Splunk Cloud customers offers courses for end users as well as those in charge of managing Splunk Cloud users, data inputs, and configurations. ● Courses for App Developers: Harness the power of Splunk's Web Framework. Create rich, interactive dashboards and forms, and package Splunk knowledge objects for distribution across your organization, or share your masterpiece with the world on the Splunk Apps site. ● Courses for Enterprise Security Customers: Learn to install, configure, manage, and use the Splunk App for Enterprise Security. Two learning paths cover both security analysts and Splunk administrators or architects. ● Courses for IT Service Intelligence Customers: Learn to install, configure, manage, and use Splunk for IT Service Intelligence (ITSI). Learn about ITSI architecture, deployment planning, installation, service design and implementation.
  31. Thank You
  32. Splunk UBA - Harry McLaren
  33. Legacy SIEM-type technologies aren’t enough to detect insider threats and advanced adversaries, and are poorly designed for rapid incident response. SIEM: Security Information & Event Management
  34. Inadequate Contextual Data: 68% of respondents in the survey said that reports often only indicated changes without specifying what the change was. Innocuous Events of Interest: 81% of respondents said that SIEM reports contain too much extraneous information and were overwhelmed with false positives. Source: 2016 SIEM Efficiency Survey, conducted by Netwrix
  35. Accelerating Pace of Data: Volume | Velocity | Variety | Variability
  36. Splunk’s Security Platform
  37. Technology Development timeline: 1995 End-Point Security | 2002 Network Security | 2008 Early Correlation | 2011 Payload Analysis | 2015 Behavior Analysis
  38. Kill Chain - Events Overload
  39. What is Splunk User Behavioral Analytics? Detect Advanced Cyberattacks | Detect Malicious Insider Threats ● Anomaly Detection ● Threat Detection ● Unsupervised Machine Learning ● Behavior Baselining & Modeling ● Real-Time & Big Data Architecture
  40. Insider Threat - User Activity, Day 1 … Day 2 … Day N: – John connects via VPN – Administrator performs ssh (root) to a file share - finance department – John executes remote desktop to a system (administrator) - PCI zone – John elevates his privileges – root copies the document to another file share - Corporate zone – root accesses a sensitive document from the file share – root uses a set of Twitter handles to chop and copy the data outside the enterprise
  41. Machine Learning Evolution (axes: Evolution, Complexity): Rules - Threshold | Policy - Threshold | Policy - Statistics | Unsupervised Machine Learning | Policy - Peer Group Statistics | Supervised Machine Learning
  42. Multi-Entity Behavioral Model: Application | User | Host | Network | Data
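The baselining idea behind slides 39 to 42, as an added toy example (not Splunk UBA's code): each user's (action, zone) pairs from earlier days form a baseline, and day-N activity that the user has never produced before accumulates an anomaly score, so the chain from the insider-threat slide stands out while a user who repeats her routine does not. The event tuples, zone names, weights and threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample activity log: (day, user, action, zone).
# Days 1-3 are the observation window; day 4 plays the slide's "Day N".
EVENTS = [
    (1, "john", "vpn_connect", "corporate"), (1, "john", "file_read", "finance"),
    (2, "john", "vpn_connect", "corporate"), (2, "john", "file_read", "finance"),
    (3, "john", "vpn_connect", "corporate"), (3, "john", "file_read", "finance"),
    (1, "alice", "vpn_connect", "corporate"), (2, "alice", "file_read", "finance"),
    (3, "alice", "file_read", "finance"),
    # Day N: the chain from the insider-threat slide (constructed)
    (4, "john", "vpn_connect", "corporate"),
    (4, "john", "ssh_root", "finance"),
    (4, "john", "rdp_admin", "pci"),
    (4, "john", "privilege_escalation", "pci"),
    (4, "john", "file_copy", "corporate"),
    (4, "john", "upload_external", "internet"),
    (4, "alice", "vpn_connect", "corporate"), (4, "alice", "file_read", "finance"),
]

SENSITIVE_ZONES = {"finance", "pci"}   # assumed: first-time actions here weigh more


def build_baseline(events, before_day):
    """Per-user counts of (action, zone) pairs observed before `before_day`."""
    baseline = defaultdict(Counter)
    for day, user, action, zone in events:
        if day < before_day:
            baseline[user][(action, zone)] += 1
    return baseline


def score_day(events, day, baseline):
    """Score each user's activity on `day` against their own baseline.

    A (action, zone) pair the user has never produced before scores 1,
    or 2 if the zone is sensitive; pairs already in the baseline score 0.
    Returns (scores, reasons) so an analyst can see why a user was flagged.
    """
    scores, reasons = Counter(), defaultdict(list)
    for d, user, action, zone in events:
        if d != day or (action, zone) in baseline[user]:
            continue
        pts = 2 if zone in SENSITIVE_ZONES else 1
        scores[user] += pts
        reasons[user].append(f"{action} in {zone} (+{pts})")
    return scores, reasons


def flag_users(scores, threshold=3):
    """Users whose cumulative anomaly score for the day reaches the threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)
```

Running `flag_users(score_day(EVENTS, 4, build_baseline(EVENTS, 4))[0])` returns `["john"]`; the reasons list for john holds the five never-seen-before steps of the chain, which is the per-entity explanation a SOC analyst needs before acting on a behavioural alert.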
  43. Splunk UBA Demo
  44. Any Questions?
  45. Coming Splunk Events! ● International Conference on Big Data in Cyber Security in Edinburgh – by the Cyber Academy @ Wed 10 May 2017, 09:00 – 17:00 BST – ECS Splunk Hackathon in the Morning! ● SplunkLive! at the Intercontinental at the O2, London – by Splunk @ Thu 11 May 2017, 09:00 – 17:00 BST – ECS Key Sponsor!
  46. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via www.splunk402.com/chat – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu | harrymclaren.co.uk ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk
  47. Thank You
