Bob Pratt from Splunk presented on Splunk's User Behavior Analytics (UBA) product. UBA uses machine learning and behavioral analytics to detect cyber threats and insider threats by analyzing user, application, and entity behaviors. It reduces false positives by focusing on anomalies rather than signatures. Splunk collects log data from various sources and uses UBA to detect threats like account takeovers, lateral movement, and malware attacks in a more efficient manner than traditional SIEMs. Pratt demonstrated UBA's threat detection and investigation workflows.
2. Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make. In addition,
any information about our roadmap outlines our general product direction and is subject to change at
any time without notice. It is for informational purposes only and shall not be incorporated into any
contract or other commitment. Splunk undertakes no obligation either to develop the features or
functionality described or to include any such feature or functionality in a future release.
3. About the Presenter
• Bob Pratt, Director of UBA PM, Splunk
• Employee #1 at Caspida
• Caspida acquired by Splunk in July 2015
5. Splunk Security Vision
Security Markets:
• SIEM
• Security Analytics
• Fraud & Business Risk
• Managed Security & Intelligence Services
Splunk Security Intelligence Framework:
• Workflow/collaboration, case management, content/intelligence syndication and eco-system brokering
• Machine learning, models, threat scoring, etc.
• Enhanced threat detection & SOC efficiency
• Behavioral analytics: first is UEBA, more to come
• Foundation for fraud analytics; content for subscription
7. Known Breach Incidents by Source
• Outsiders: 582 incidents (66%)
• Insiders: 304 incidents (34%)
• Total: 888 incidents
8. Cold War-Era Spying Makes a Resurgence
• 21.5M US government personnel records stolen. Was it China?
• Government hackers: secretly gaining control of nuclear plants
• Corporate espionage: stealing a company's secrets to give corporations a competitive edge
• Infrastructure attacks: shutting down an entire electricity grid system
• Data manipulation attacks: questioning the integrity of data; altering stock market trades or government weather instrument readings
18. Data Sources
• Identity/Auth: Active Directory/Domain Controller, Single Sign-on, HRMS, VPN, DNS, DHCP
• SaaS/Mobile: Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
• Security Products: Web Gateway, Proxy Server, Firewall; DLP, File Server/Host Logs; End-point IDS, IPS, AV
• External Threat Feeds: Malware, Norse, ThreatStream, FS-ISAC or other blacklists for IPs/domains
• Activity (N-S, E-W): Netflow, PCAP; AWS CloudTrail
Key: OPTIONAL
19. Security Analytics / Kill-Chain – Key Workflows: Hunter
• Investigate suspicious users, devices, and applications
• Dig deeper into identified anomalies and threat indicators
• Look for policy violations
20. Threat Detection – Key Workflows: SOC Analyst
• Quickly spot threats within your network
• Leverage the Threat Detection workflow to investigate insider threats and cyber attacks
• Act on forensic details: deactivate accounts, unplug network devices, etc.
23. Why Wait?
1. Watch our live demo, video
2. Engage with sample data
3. Get UBA, cyber threat assessment
24. To Learn More
• http://www.splunk.com/en_us/products/premium-solutions/user-behavior-analytics.html
25. Splunk UBA Promo
Two limited-time offers, exclusively for customers attending Gov Day Sacramento, to adopt Splunk UBA:
1. Splunk UBA Early Access Bundle, $99K
2. Splunk Security (Enterprise Security and UBA) Bundle, $150K
To qualify for these promotions, email uba-sales@splunk.com by November 15, 2015 and purchase by January 31, 2016.