Bob Pratt from Splunk presented on Splunk's User Behavior Analytics (UBA) product. UBA uses machine learning and behavioral analytics to detect cyber threats and insider threats by analyzing user, application, and entity behaviors. It reduces false positives by focusing on anomalies rather than signatures. Splunk collects log data from various sources and uses UBA to detect threats like account takeovers, lateral movement, and malware attacks in a more efficient manner than traditional SIEMs. Pratt demonstrated UBA's threat detection and investigation workflows.

1. Copyright © 2014 Splunk Inc.
Detect Cyber-Attacks and
Insider Threat with Splunk
User Behavior Analytics
Bob Pratt, Director of UBA PM, Splunk

2. Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make. In addition,
any information about our roadmap outlines our general product direction and is subject to change at
any time without notice. It is for informational purposes only and shall not, be incorporated into any
contract or other commitment. Splunk undertakes no obligation either to develop the features or
functionality described or to include any such feature or functionality in a future release.

3. About the Presenter
• Bob Pratt, Director of UBA PM, Splunk
• Employee #1 at Caspida
• Caspida acquired by Splunk in July 2015

4. Vision

5. Splunk Security Vision
Security Markets
SIEM Security Analytics Fraud & Business Risk Managed Security &
Intelligence Services
Splunk Security Intelligence Framework
Workflow/collaboration, case management, content/intelligence syndication and Eco-system brokering
Machine Learning, Models, Threat Scoring, etc.
Enhanced Threat Detection & SOC
Efficiency
Behavioral Analytics: first is
UEBA, more to come Foundation for Fraud Analytics content for Subscription

6. Threat Landscape

7. Known Breach Incidents by Source
66%
Outsiders
582 incidents
34%
Insiders
304 incidents 888
Total Incidents

8. Cold War-Era Spying Makes a Resurgence
21.5M
US government personnel records stolen
Was it China?
GOVERNMENT HACKERS
Secretly gaining control of
nuclear plants
Corporate Espionage
Stealing company's secrets to give
corporations competitive edge.
Infrastructure Attacks
shutting down entire electricity
grid system.
Data Manipulation Attacks
question the integrity of data -alter
stock market trades or government
weather instrument readings

9. ENTERPRISE CHALLENGES
THREATS
PEOPLE
EFFICIENCY
Cyber Attacks, Insider
Threats, Hidden,
Or Unknown
Availability of
Security Expertise
Too Many Alerts And
False Positives

10. Majority of the
Threat Detection Solutions
focus on the KNOWNS.
UNKNOWNS?
What about the

11. UBA: An Overview

12. OLD PARADIGM
SIGNATURES
RULES HUMAN
ANALYSIS

13. NEW PARADIGM: DATA-SCIENCE
DRIVEN BEHAVIORAL ANALYTICS
BIG DATA
DRIVEN
SECURITY
ANALYTICS
MACHINE
LEARNING

14. 1
SECURITY BREACHES
SPLUNK UBA detects
with BEHAVIORAL THREAT DETECTION

15. CUSTOMER THREATS UNCOVERED
ACCOUNT TAKEOVER
• Privileged account compromise
• Data loss
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
INSIDER THREATS
• Misuse of credentials
• IP theft
MALWARE ATTACKS
• Hidden malware activity
• Advanced Persistent Threats (APTs)
BOTNET, C&C
• Malware beaconing
• Data exfiltration
USER & ENTITY BEHAVIOR ANALYTICS
• Login credential abuse
• Suspicious behavior

16. WHAT DOES SPLUNK UBA DO?
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
AUTOMATED THREAT DETECTION
& SECURITY ANALYTICS
Baseline KPIsAnalytics
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA

17. MULTI-ENTITY FOCUSED
User
App
Systems (VMs, Hosts)
Network
Data

18. Web Gateway
Proxy Server
Firewall
Box, SF.com,
Dropbox, other SaaS
apps
Mobile Devices
Malware Norse, Threat
Stream, FS-ISAC or
other blacklists for
IPs/domains
DATA SOURCES
Active Directory/
Domain Controller
Single Sign-on
HRMS
VPN
DNS, DHCP
Identity/Auth SaaS/Mobile
Security
Products
External Threat
Feeds
Activity
(N-S, E-W)
K E Y OPTIONAL
Netflow, PCAP
DLP, File Server/Host
Logs
AWS CloudTrail
End-point
IDS, IPS, AV

19. SECURITY ANALYTICS
KILL-CHAIN
HUNTER
KEY WORKFLOWS - HUNTER
 Investigate suspicious users, devices,
and applications
 Dig deeper into identified anomalies
and threat indicators
 Look for policy violations

20. THREAT DETECTION
KEY WORKFLOWS – SOC ANALYST
SOC ANALYST
 Quickly spot threats within your
network
 Leverage Threat Detection workflow
to investigate insider threats and
cyber attacks
 Act on forensic details – deactivate
accounts, unplug network devices, etc.

21. SECURITY ANALYTICS
ADVANCED

22. Who’s up for a live demo?!?

23. WHY WAIT?
WATCH OUR LIVE
DEMO, VIDEO
ENGAGE WITH SAMPLE
DATA
GET UBA, CYBER THREAT
ASSESSMENT
1 2 3

24. To Learn More
• http://www.splunk.com/en_us/products/premium-solutions/user-behavior-
analytics.html

25. Splunk UBA Promo
Two limited-time offers—exclusively for customers attending Gov
Day Sacramento —to adopt Splunk UBA.
1. Splunk UBA Early Access Bundle, $99K
2. Splunk Security (Enterprise Security and UBA) Bundle, $150K
To qualify for these promotions, email uba-sales@splunk.com by
November 15, 2015 and must purchase by January 31, 2016.

26. Questions?

27. Thank You!