4. Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described orto includeany suchfeatureor functionalityina futurerelease.
4
5. Splunk – Leader in Security
5
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 2,500 employees, based in 12 countries
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud, Splunk Light
• Splunk Analytics for Hadoop
12,500+ Customers
• Customers in 100 countries
• 85 of the Fortune 100
• Largest license: Over one petabyte per day
7. Splunk Security Solutions
MORE
…
SECURITY &
COMPLIANCE
REPORTING
MONITORING OF
KNOWN
THREATS
ADVANCED AND
UNKNOWN
THREAT
DETECTION
INCIDENT
INVESTIGATION
S & FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
SECURITY APPS & ADD-ONS
Wire data
Windows = SIEM integration
RDBMS (any) data
SPLUNK
USER BEHAVIOR ANALYTICS
SPLUNK
ENTERPRISE SECURITY
SPLUNK
APP FOR PCI
Cisco, WSA,
ESA, ISE, SF
Palo Alto
Networks
OSSEC
Symantec FireEye DShiel
d
8. How familiar are you with Splunk?
• I already use Splunk
• I am considering using Splunk
• I do not use Splunk
• I am not familiar with Splunk
• Other (enter below)
Please enter your selection in the Polling Panel below
8
9. Common SIEM Use Cases
9
SECURITY &
COMPLIANCE
REPORTING
Forensics and
Incident Response
Basic Security
Monitoring
Advanced Threat
Detection
* Gartner 2016 SIEM Magic Quadrant
10. 10
Splunk Scores Highest in 2016 Critical Capabilities for SIEM*
Report in All Three Use Cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be
evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to
select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties,
expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
11. Please enter your selection in the Polling Panel below
11
Which product do you use as your SIEM?
• IBM QRadar
• LogRhythm
• HP Arcsight
• McAfee Nitro
• Splunk
• None
• Other (enter below)
24. 24
End Point
Protection
Firewall /
IDS
Application
Other
Log Data
Application Performance Monitoring,
Metrics, and Drill-down
Helpdesk
Staff
Security
Analysts
Migration Options
Log Manager SIEM Manager
1. Standalone
2. Splunk to SIEM Manager
3. Log Manager to Splunk
4. Replace legacy SIEM
CEF/Other
Generic legacy SIEM deployment
25. 25
End Point
Protection
Firewall /
IDS
Application
Other
Log Data
Application Performance Monitoring,
Metrics, and Drill-down
Helpdesk
Staff
Security
Analysts
Option 1 – Standalone
Log Manager SIEM Manager
Data sent to legacy and Splunk
• SIEM for correlation, alerts, workflow
• Splunk for incident
investigations/forensics
• Often syslog-ng or equivalent before
Splunk/SIEM
CEF/Other
26. 26
End Point
Protection
Firewall /
IDS
Application
Other
Log Data
Option 2 – Splunk to SIEM Manager
SIEM
Manager
Splunk replaces Log Manager
Splunk for log aggregation and incident
investigation/forensics
SIEM Manager for correlation, alerts, workflow
2 options for Splunk-to-SIEM Manager data flow:
1. At index time, Splunk can forward raw or filtered data to
existing SIEM Manager
2. At search time, Splunk can forward selected, and/or enriched
events in CEF format/other format to SIEM Manager/other
Can combine the two options
Splunk alerts can also be sent to SIEM Manager
Optional
CEF/Other
Optional:
Splunk app for
CEF/Other
27. 27
End Point
Protection
Firewall /
IDS
Application
Other
Log Data
Application Performance Monitoring,
Metrics, and Drill-down
Helpdesk
Staff
Security
Analysts
Option 2 – Splunk to SIEM Manager
SIEM
Manager
Use case for both options: Do not want to send all data to SIEM
Manager for $/scale reasons
1. At index time, Splunk can forward raw or filtered events as
syslog via TCP or UDP, or as raw TCP to appropriate connector
– Real time only. Requires editing Splunk config files.
2. At search time, Splunk can forward selected, transformed,
and/or enriched events in CEF/other format to SIEM Manager
– Use cases: Want to send enriched/combined data to SIEM Manager. Or,
want to avoid having to pay for costly new connector/other
– Example: Splunk App for CEF uses datamodels to process data to CEF
– App outputs as syslog over TCP
Splunk alerts can also be sent to SIEM Manager via a script that
outputs the alert
Optional
CEF
Optional:
Splunk App
for CEF
28. 28
End Point
Protection
Firewall /
IDS
Application
Other
Log Data
Application Performance Monitoring,
Metrics, and Drill-down
Helpdesk
Staff
Security
Analysts
Option 3 – Log Manager to Splunk
Splunk replaces SIEM Manager
• Splunk for incident
investigation/forensics,
correlation, alerts, workflow
• Logger for log aggregation
• Takes advantage of existing Logger
deployment and connectors
Log Manager
Optional:
Extraction
Utility
Optional
CEF/Other
*SIEM logging tool
30. 30
The Process
Find desired investigation
processes and implement hunting
standards
Identify alerts and map to existing
alerting workflows
and look for automation
Develop dashboards, reporting
and alerting for existing and
desired cases
Assess native and custom
correlation rules and workflows
Correlation Alerting
VisualizationInvestigation
31. Insights & Dashboard Recommendations (Example)
Phase 1
Notable Events
Framework
Swimlane
Analysis
Malware, Traffic
& IDS Center
Malware
Operations &
Search
Protocol Center
User Center
Identity
Investigator
Access Tracker
Phase 2 > 3
Extend all in
Phase 1
Threat
Correlation
User Monitoring
Enhanced Threat
Hunting
Intelligence
Aggregation &
Monitoring
Threat Hunting &
Artefacts
Patient
Zero/Lateral
Movement *
Database, web
and payment
monitoring
Traffic Analysis
Database & Web
Center *
User Agent String
Analysis
Security Posture
Dashboards
Risk Scoring
Compliance
monitoring (I.e.
PCI DSS, SOX)
Vulnerability
Center
Analyst Workflow
Security Maturity GrowthPhase 1: Enhanced Visibility
Phase 2: Build Fortress & Deploy
Operational Security Architecture
* Custom or data source dependent
33. Case Study: Luxury Retailer Replaces Legacy SIEM
Challenges
• Antiquated SIEM left company vulnerable to data breaches and bad publicity
• Lacked PCI and security compliance
• Cumbersome to ingest and extract data
• Data was static, difficult to search and impossible to analyze
• Required bloated SOC team plus managed service provider
Benefits
• Fast implementation: replaced underperforming SIEM in only 6 weeks
• Added capabilities to prevent security breaches, mitigate fraud and ensure PCI compliance
• Gained ability to protect customer data and company reputation
• Managing SecOps with lean, nimble team
• Expanding scalable big data analytics platform to be leveraged beyond security
Solution
34. Case Study: Financial Firm Replaces Legacy SIEM
Challenges
• Unable to handle growing volumes of data, minimize risk
• Slow security investigations
• Lack of integration with governance, risk and compliance (GRC) solution
• Required expensive consultants to keep data collectors up to date and functional
Benefits
• Rapid implementation resulting in more than 100 use cases
• Ability to ingest growing volumes of data, scaling to more than terabytes
• Quickly generate security searches and respond to actionable alerts in seconds
• Replaced legacy SIEM in few months
Solution
38. Next Steps
• Attend a SIEM replacement workshop
– Interactive session
– Offered in a small group format at your location or convenient location
• Contact Splunk sales
• Use the Splunk Security Professional Services experts
38
39. Are you interested in attending a SIEM Replacement Workshop?
• Yes, please contact me
• No, I’m not interested
Please enter your selection in the Polling Panel below
39
