You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events. See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.

1. Operationalizing Security Intelligence
Monzy Merza
@monzymerza

2. 2
Disclaimer
2
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.

3. 3
Agenda
The super hero and the fish market – a short story
What is Security Intelligence
For the bosses
Demos and Examples

4. 4
https://i.ytimg.com/vi/4GmMNF1b0Lw/maxresdefault.jpg

5. 5
https://epicheroism.files.wordpress.com/2013
/09/kratos_god_of_war-1680x1050.jpg

6. 6
http://www.entrust.com/wp-
content/uploads/2013/02/Entrust-
MobileDemo-RSA20131.jpg

7. 7

8. 8

9. 9
http://www.123rf.com/photo_30266410_seattle-july-5-customers-at-pike-
place-fish-company-wait-to-order-fish-at-the-famous-seafood-market-.html

10. 10
Lone hacker…

11. 11
Organized Criminals

12. 12
Crossing the Chasm

13. 13
Security Intelligence
Information relevant to protecting an
organization from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that information.
http://whatis.techtarget.com/definition/security-intelligence-SI

14. 14
Security Intelligence
Information relevant to protecting an
organization from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that information.
http://whatis.techtarget.com/definition/security-intelligence-SI

15. 15
Intelligence
Actionable information that provides an
organization with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates multiple processes and
practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI

16. 16
Intelligence
Actionable information that provides an
organization with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates multiple processes and
practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI

17. 17
Operationalizing Security Intelligence

18. 18
Connecting People and Data
Through a Nerve Center

19. Operationalizing Security Intelligence
Risk-Based Context and Intelligence
Connecting
People and Data
19

20. 20
Requirements: Risk Based Analytics

21. 21 2
Network Endpoint Access
Data Sources
Threat Intelligence

22. 22
Data Sources
Persist, Repeat
Known relay/C2 sites, infected sites, IOC,
attack/campaign intent and attribution
Who talked to whom, traffic, malware
download/delivery, C2, exfiltration, lateral movement
Running process, services, process owner, registry
mods, file system changes, patching level, network
connections by process/service
Access level, privileged use/escalation, system
ownership, user/system/service business criticality
2
2
• 3rd party Threat Intel
• Open source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Web Proxy
• NetFlow
• Network
• AV/IPS/FW
• Malware detection
• Config Management
• Performance
• OS logs
• File System
• Directory Services
• Asset Mgmt
• Authentication Logs
• Application Services
• VPN, SSO
Threat intelligence
Access/Identity
Endpoint
Network

23. 23
Risk Based Analytics
Network Endpoint AccessThreat Intelligence
Rules/String/Regex matching
Statistical outliers and anomalies
Scoring and aggregation
Session and Behavior profiling

24. 24
Requirements: Context and Intelligence

25. 25
Context and Intelligence
Integrate across technologies
Automated context matching
Automated context acquisition
Post processing and post analysis
Threat
Intelligence
Asset
& CMDB
API/SDK
Integrations
Data
Stores
Applications

26. 26
http://www.entrust.com/wp-
content/uploads/2013/02/Entrust-
MobileDemo-RSA20131.jpg

27. 27
Requirements: Connecting Data and People

28. 28
Connecting People and Data
Human mediated automation
Sharing and collaboration
Free form investigation – human intuition
Interact with views and workflows
Any data, all data
Automation Collaboration Investigation Workflows All data

29. Operationalizing Security Intelligence
Risk-Based Context and Intelligence
Connecting
People and Data
29

30. 30
Demo 1

31. 31
SECURITY USE CASES
In
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
MONITORING
OF UNKNOWN,
ADVANCED
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
INSIDER
THREAT
3
Splunk Can Complement OR Replace an Existing SIEM
INSIDER
THREAT

32. 32
SPLUNK FOR SECURITY
3
SECURITY APPS & ADD-ONS
SPLUNK
APP FOR PCI
SIEM Security Analytics
Fraud, Theft
and Abuse
Platform for
Security Services
SPLUNK
USER BEHAVIOR ANALYTICS
Wire data
Windows = SIEM integration
RDBMS (any) data
SPLUNK
ENTERPRISE SECURITY

33. 33
Demo 2

34. 34

35. 35
Adaptive Response- Remediating USB Malware
Detect
Eject Malicious USB
Block Network CommunicationsOrchestrate Automation

36. 36
SPLUNK IS THE NERVE CENTER
36
App Endpoint/
Server
Cloud
Threat
Intelligence
Firewall
Web
Proxy
Internal Network
Security
Identity
Network

37. 37
Connecting People and Data
Through a Nerve Center

38. 38
Getting Started
Splunk
Enterprise Free
Download
Enterprise
Security Cloud
Trial
Splunk UBA
Proof of Value

39. 39
What’s Next – DC Area
Workshops in Mclean, VA
These workshops are tailored for beginner users that are new to Splunk and
have not used it before.
April 7: Introduction to Splunk Enterprise
April 27: Introduction to Splunk Enterprise Security
May 12: Introduction to Splunk Enterprise
May 12: Introduction to Splunk IT Service Intelligence
See more at: http://www.doyouknowsplunk.com/
User Groups in DC/VA/MD:
April 18, 2016, Baltimore, MD
April 21, 2016, Herndon, VA
April 27, 2016, McLean, VA
April 18, 2016, Baltimore, MD
April 21, 2016, Herndon, VA

40. 40
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

41. 41
Crossing the Chasm

42. 4
Thank You
@monzymerza