Splunk Discovery Dusseldorf: September 2017 - Security Session

The Splunk experience came to Dusseldorf on September 20th 2017! Attendees learnt how to bring together all their different systems to help achieve their security goals.

Published in: Technology

  1. © 2017 SPLUNK INC. 20 September 2017 | Düsseldorf
  2. Agenda, Discovery Düsseldorf, 20 September 2017 (presentation | speaker):
     • 09:00 – 09:15 Splunk Overview | Frank Böning, Vice President Central Europe, Splunk
     • 09:15 – 09:30 Buttercup Games | Kai-Ping Seidenschnur, Senior Sales Engineer, Splunk
     • 09:30 – 10:00 Splunk @ Vodafone | Eugen Rogoza, Integration Lead mCommerce, Vodafone
     • 10:00 – 11:00 Data-driven insights into your IT Operations | René Siekermann, IT Markets Specialist EMEA, Splunk
     • 11:00 – 11:30 Break
     • 11:30 – 12:30 Best practices for your security strategy | Angelo Brancato, Security Markets Specialist EMEA, Splunk
     • 12:30 – 13:00 Operational Intelligence Demo | Kai-Ping Seidenschnur, Senior Sales Engineer, Splunk
     • 13:00 – 14:00 Lunch
     • 14:00 End of the event
  3. Who am I: Angelo Brancato, Splunker, Security Specialist, angelo@splunk.com
  4. The State of Security Operations 2017
  5. IDC Security Response Readiness (sources: http://www.informationisbeautiful.net and https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/the-state-of-security-operations.html). Maturity characteristics, from least to most mature:
     - Risk unknown
     - In denial of breach
     - No Incident Response (IR) plans
     - Ad hoc / reactive
     - Limited resources
     - Custom tools
     - Basic alarming
     - IR on roadmap
     - Limited resources
     - Risk understood
     - SIEM in place
     - Basic run books
     - Some integrations
     - Internal & external resourcing
     - Assume breached
     - Formal run books
     - Formal and (annually) tested IR plan
     - Panel of specialists
     - Proactive threat hunting
     - Best practices & continuous improvement
     - IR plans tested regularly (agile)
     - Holistic security view
     - Forensic investigation and legal agreement to share IR data
     - Integration and automation
     - Internal and external resources
  6. IDC Security Response Readiness: Investigation. How Splunk can help: the right decision, at the right time. Visibility, Automation, Threat Hunting, Situational Awareness, Risk Scoring, SOC Run Books, Adaptive Response, Business Enablement. (Sources: http://www.informationisbeautiful.net and https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/the-state-of-security-operations.html)
  7. IDC Security Response Readiness: Hunting. How Splunk can help: the right decision, at the right time. Visibility, Automation, Business Enablement, Risk Scoring, Situational Awareness, Investigation, SOC Playbooks, Adaptive Response. (Sources: http://www.informationisbeautiful.net and https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/the-state-of-security-operations.html)
  8. Splunk Vision & Strategy
  9. (no text on this slide)
  10. (no text on this slide)
  11. Avoid the "Medienbruch" (media discontinuity). Drawing from independent.co.uk, modified.
  12. Different people asking different questions of the same data. Enterprise Machine Data Fabric: Business Analytics, IT Operations, Security Operations, Application Development & Delivery, Internet of Things. Splunk.
  13. SOC Playbooks. Analytics-Driven Security: Machine Data → Monitor, Detect, Investigate, Respond. Technology: Schema-On-Read, Universal Indexing, Adaptive Response; Splunk Enterprise (On-Premise, Cloud, Hybrid) with Enterprise Security & UEBA. People: Tier 1 - Alert Analyst, Tier 2 - Incident Responder, Tier 3 - SME / Hunter. Process, People, Technology. Reference: http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html
  14. Different people asking different questions… …of the same data. Machine Data → Splunk Enterprise (On-Premise, Cloud, Hybrid) → IT Operations, Application Delivery, Industrial Data & IoT, Business Analytics, Future Markets, IT Security, Compliance & Fraud. Analytics-Driven Security with Enterprise Security & UEBA: Monitor, Detect, Investigate, Respond.
  15. Avoid the "Medienbruch" (media discontinuity). Drawing from independent.co.uk, modified.
  16. Security Operations Maturity, from reactive to proactive: Search and Investigate → Proactive Monitoring and Alerting → Security Situational Awareness → Real-time Risk Insight.
  17. Journey to SOC Maturity (with live demo)
  18. Analytics-Driven Security, from the Realm of the Known to the Realm of the Unknown. Foundation: data ingestion, Universal Indexing, Schema-on-Read, log aggregation. Human-driven analytics: Search and Report; Monitor and Alert (Splunk Security Essentials (for Ransomware), CIS Top 20, PCI Compliance, Machine Learning Toolkit etc.). Splunk Enterprise Security: • Correlation and Notable Event Framework • Risk Scoring Framework • Out-of-the-box key security metrics, dashboards, use cases & Analytic Stories • Incident investigation & response workflow • Adaptive Response • Glass Tables, etc. ML-driven analytics: risky behavior detection; entity profiling, scoring; kill chain, graph analysis; unsupervised machine learning.
  19. Analytics-Driven Security on Splunk Enterprise (On-Premise, Cloud, Hybrid) with the Developer Platform (REST API, SDKs). Human-driven analytics: Security Essentials, Security Essentials for Ransomware, Splunk App for PCI Compliance, Machine Learning Toolkit, CIS Top 20 Critical Security Controls, Add-Ons, Splunk Stream, Cyber Security Investigator. SIEM and ML-driven analytics.
  20. Splunk CIS* Top 20 (Best Practice) Critical Controls (https://www.cisecurity.org/controls/, https://splunkbase.splunk.com/app/3064/). CIS Top 20 controls improve risk posture against real-world threats; the control areas grew out of an international consortium. Splunk can monitor PCI compliance and generate alerts for non-compliance; in case of non-compliance Splunk can carry out recommended actions. 40+ dashboards. *CIS: Center of Internet Control
  21. Splunk Premium App for PCI Compliance (https://splunkbase.splunk.com/app/2897/): Compliance Overview; Incident Review and Management; Asset and Identity Aware; Scorecards and Reports. Measures effectiveness and status of PCI compliance technical controls; meets PCI requirements around log retention/review and continuous monitoring; fast ability to get to the cause of non-compliance or answer auditor data requests; covers up to PCI DSS v3.1 standards.
  22. Security Essentials (https://splunkbase.splunk.com/app/3435/): 50+ use cases (common in UEBA products); targets external attackers and insider threat; scales from small to massive companies; can send results to ES/UBA. Detection methods: time series analysis (with standard deviation); first time analysis (powered by stats); general Splunk searches.
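The two statistical detection methods named on this slide, time-series analysis with standard deviation and first-time analysis, worked through in Python over constructed authentication events as an added illustration; this is not Splunk's or the app's code, and the user and host names, the 24-hour lookback and the 2-sigma threshold are assumptions.

```python
import statistics
from collections import Counter
from datetime import datetime, timedelta

def parse(lines):
    """Each constructed line: ISO timestamp, user, host, result."""
    events = []
    for line in lines:
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events

def sample_events():
    # Constructed sample auth events (not real data): some history, one quiet
    # baseline day, and a burst of 12 failures for alice in the 06:00 hour.
    lines = ["2017-09-10T09:00:00 alice ws-01 success",
             "2017-09-18T10:00:00 bob ws-02 success"]
    lines += [f"2017-09-20T{h:02d}:15:00 alice ws-01 failure" for h in range(6)]
    lines += [f"2017-09-20T06:02:{s:02d} alice ws-01 failure" for s in range(12)]
    lines.append("2017-09-20T06:30:00 alice ws-99 success")  # first login to ws-99
    return parse(lines)

NOW = datetime(2017, 9, 20, 7, 0, 0)  # assumed hour-aligned "now" for the sample

def hourly_failure_outliers(events, user, now=NOW, hours=24, k=2.0):
    """Time-series analysis with standard deviation: count failed logins per
    hour over the lookback window (empty hours count as 0) and flag hours
    above mean + k * stdev, like bucket/stats/eventstats in SPL."""
    start = (now - timedelta(hours=hours)).replace(minute=0, second=0)
    buckets = Counter(ts.replace(minute=0, second=0) for ts, u, _, r in events
                      if u == user and r == "failure" and start <= ts < now)
    slots = [start + timedelta(hours=i) for i in range(hours)]
    counts = [buckets[s] for s in slots]
    limit = statistics.mean(counts) + k * statistics.stdev(counts)
    return [(s, c) for s, c in zip(slots, counts) if c > limit]

def first_seen_pairs(events, now=NOW, hours=24):
    """First-time analysis: (user, host) pairs whose earliest event in the
    history we hold falls inside the recent window, like earliest(_time)
    per user,host followed by a where clause in SPL."""
    earliest = {}
    for ts, user, host, _ in events:
        key = (user, host)
        earliest[key] = min(ts, earliest.get(key, ts))
    cutoff = now - timedelta(hours=hours)
    return sorted(key for key, ts in earliest.items() if ts >= cutoff)
```

Filling the empty hours with zeros matters: without them the baseline mean and deviation are computed only from busy hours and the burst is easier to miss.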
  23. Security Essentials for Ransomware (https://splunkbase.splunk.com/app/3593/). Use cases: Fake Windows Processes; Malicious Command Line Executions; Monitor AutoRun Reported Registry Keys; Monitoring Successful Backups; Monitor Successful Windows Update; Monitoring Unsuccessful Backups; Ransomware Extensions; Ransomware Note Files; Ransomware Vulnerabilities; SMB Traffic Allowed; Spike in SMB Traffic; Detect TOR Traffic; Office Spawns Unusual Process. Detection methods: Detection via Statistical Analysis; Detection via Windows Registry; Detection via Shannon Entropy; Detection via Fake Windows Processes; Detection via File Encryption Events; Detection via DNS Traffic; Detection via Sysmon Logs; Detection via Firewall Logs; Detection via IDS Events; Detection via Network Activity; Detection via SMB Events; Detection via Deletion of Shadow Copies; Forensics via log2timeline; Prevention via Lag Detection; Prevention via Vulnerability Management; Prevention via Backup Activity; Prevention via Automated File Analysis.
  24. Cyber Security Investigator for Splunk (https://splunkbase.splunk.com/app/3361/), i.e. Insight Engines. Example natural-language questions: "… traffic today compared to normal"; "Email traffic compared to normal"; "What are the count of windows related alerts over the last week?"; "Hourly traffic to China"; "Which accounts were recently deleted?"; "Top accounts with failed logins"; "Show me traffic for app dns"; "Show me the systems where user ghost exists"; "How does traffic look during non-business hours compared to during business hours?"; "Event count over time by top 10 hosts"; "What's the average number of vulnerabilities across all of our systems"; "Graph the hourly max response time of web requests"; "Malware signatures on more than 10 distinct hosts"; "Websites with the most bytes"; …
  25. Splunk Stream (https://splunkbase.splunk.com/app/1809/): metadata collection; live interface collection option; commercial app detection (300+); NetFlow collector; aggregation mode; filtering at endpoint; out-of-box content; distributed forwarder management; 1GbE and 10GbE link options. Get visibility into application performance and user experience; understand database activity and performance without impacting database operation; improve security and application intelligence with DNS analytics. Layers and examples: 7. Application: HTTP, SMTP; 6. Presentation: TLS; 5. Session: SCP; 4. Transport: TCP, UDP; 3. Network: IPv4, IPv6; 2. Data Link: Ethernet; 1. Physical: Ethernet, WiFi. Deployment: • out-of-band (stub) with tap or SPAN port • in-line directly on the monitored host. Collection: • Technical Add-On (TA) with Splunk Universal Forwarder (UF) • independent Stream Forwarder using HTTP Event Collector (HEC). (Diagram: Stream Forwarder on any Linux host → Splunk Indexers over TLS/HEC; Splunk Forwarder → Splunk Indexers over TLS.)
  26. MLT applied example: DGA Analyzer. This is an example a Splunk SE built; it uses the MLT to very reliably detect DGA-generated domain names. Machine Learning Toolkit: https://splunkbase.splunk.com/app/2890/
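The Shannon-entropy detection listed on slide 23 and the DGA domain detection on this slide, shown together as an added Python example; it is neither the Machine Learning Toolkit nor the DGA Analyzer the slide mentions, but a hand-written heuristic standing in for a trained model, and the feature thresholds and sample domains are constructed. It also shows why entropy alone is a weak signal: a long dictionary-word label scores as high as a random one.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for a one-symbol string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable_label(domain):
    """Naive pick of the label in front of the public suffix ('google' for
    mail.google.com); multi-part suffixes such as .co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def longest_consonant_run(label):
    """Length of the longest run of consonants, a cheap pronounceability signal."""
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def dga_features(domain):
    """Per-domain features of the kind an MLT-style DGA detector would be trained on."""
    label = registrable_label(domain)
    digits = sum(ch.isdigit() for ch in label)
    return {"label": label, "length": len(label),
            "entropy": round(shannon_entropy(label), 3),
            "digit_ratio": round(digits / len(label), 3) if label else 0.0,
            "consonant_run": longest_consonant_run(label)}

def looks_generated(domain, min_entropy=3.5):
    """Heuristic stand-in for a trained model: high entropy alone is not enough
    (the dictionary-word label 'informationisbeautiful' scores about 3.55 bits),
    so a second signal of unpronounceability is required as well."""
    f = dga_features(domain)
    return f["entropy"] >= min_entropy and (f["digit_ratio"] >= 0.2 or f["consonant_run"] >= 4)

# Constructed sample DNS query names (not real observations): two ordinary
# sites followed by two random-looking labels of the kind a DGA emits.
SAMPLE_DOMAINS = ["mail.google.com", "www.informationisbeautiful.net",
                  "xk7q2z9pwmt4vhb3.net", "hbxrtqwpzlkmdnfj.com"]

def flag_domains(domains):
    """Return the subset of domains the heuristic considers algorithmically generated."""
    return [d for d in domains if looks_generated(d)]
```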
  27. Enterprise Security: pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow. Dashboards & Reports; Incident Investigations and Management; Statistical Outliers & Risk Scoring; Asset & Identity Aware. • Correlation and Notable Event Framework • Risk Scoring Framework • Out-of-the-box key security metrics, dashboards, use cases & Analytic Stories • Incident investigation & response workflow • Adaptive Response • Glass Tables, etc.
  28. Enterprise Security ▶ Adaptive Response. Monitoring and automation with Splunk Adaptive Response partnerships across: WAF & App Security, Orchestration, Network, Threat Intelligence, Internal Network Security, Identity and Access, Endpoints, Firewall, Web Proxy.
  29. User and Entity Behavior Analytics: human and machine authoring; security machine learning & data science.
  30. Use machine data to meet customer expectations. What do you expect? "I expect detailed app usage analytics"; "I expect 360° visibility into how my business is performing"; "I expect security dashboards, reports and real-time alerts and risk scoring"; "I expect a secure IT environment"; "I expect network and equipment uptime"; "I expect you to protect my data"; "I expect compliance"; "I expect risk reduction"; "I expect an effective and secure app" (DevOps).
  31. .conf2017: The 8th Annual Splunk Conference, Sept 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C. (CONF.SPLUNK.COM). • 5,000+ IT and business professionals • 175+ sessions • 80+ customer speakers. PLUS Splunk University: • three days, Sept 23-25, 2017 • get Splunk certified for free • get CPE credits for CISSP, CAP, SSCP.
  32. THANK YOU
  33. Join our community with apps, ask questions or join an online session: https://www.splunk.com/en_us/community.html. Try the Splunk Security Online Experience (no download): https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html. Explore Splunkbase, our online store of over 1000+ apps: https://splunkbase.splunk.com/
  34. GDPR
  35. EVOLUTION: Splunk for GDPR
  36. Splunk for GDPR: prove GDPR security controls are enforced; detect, prevent and investigate data breaches; search and report on personal data processing.
  37. Splunk for GDPR: Detect, Prevent and Investigate Data Breaches. Data Breach Notification: Article 33 - Notification of a personal data breach to the supervisory authority; Article 34 - Communication of a personal data breach to the data subject. (Analyst references: The Forrester Wave: Security Analytics Platforms, Q1 2017; Gartner MQ for SIEM, Aug. 2016. Platform graphic: Machine Data → Splunk Enterprise, ES, UEBA (On-Premise, Cloud, Hybrid | Analytics for Hadoop) → Monitor, Detect, Investigate, Respond across IT Operations, Application Delivery, Industrial Data & IoT, Business Analytics, Future Markets, IT Security, Compliance & Fraud; different people asking different questions of the same data.)
  38. Splunk for GDPR: Prove GDPR Security Controls are enforced. Article 32 - Security of processing; Article 58 - Supervisory investigative powers. Risk minimization; report compliance; DPIA.
  39. Splunk for GDPR: Search and Report on Personal Data Processing. Article 30 - Records of processing activity; Articles 5, 15, 17, 18 and 28 - Data subject rights. Supply chain obligations; right to be forgotten; right of rectification; right of access; right of data portability; …
  40. Agile DevSecOps: Real-Time Risk Scoring
