This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

1. Copyright © 2016 Splunk Inc.
Splunk Security Analytics,
SIEM & UBA Overview
SplunkLive Austin 2016
Muddu Sudhakar
VP & GM Security & IoT Splunk
Twitter: @smuddu

2. 2
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

3. 3
Agenda
Splunk Portfolio Update
User Behavior Analytics
Enterprise Security

4. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

5. 5
App
Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center
Identity

6. 6
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

7. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

8. 8
All Data is Security Relevant
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-Malware
Vulnerability
Scans
Traditional SIEM
Authentication

9. 9
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

10. Splunk for Security, Compliance & Fraud
Platform for Machine Data
Security &
Compliance Reporting
Monitor & Detect
Known/Unknown Threats
Fraud
Detection
Insider
Threat
Incident Investigations
& Forensics
Security
Analytics

11. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

12. 12
Adaptive Response Initiative – RSA 2016
12
App workflow
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints
Mission: Bring together the best security
technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-
to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain

13. Splunk Enterprise Security
SplunkLive Austin 2016
Muddu Sudhakar
VP & GM Security & IoT Splunk
Twitter: @smuddu

14. Splunk Enterprise Security
Incident Investigations & ManagementAlerts & Dashboards & Reports
Statistical Outliers & Risk Scoring & User Activity Threat Intel & Asset & Identity Integration
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
14

15. What’s new in Splunk Enterprise Security?

16. 16
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
16
ES 4.1 and UBA 2.2

17. 17
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

18. 18
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

19. 19
Replacing a SIEM @ Cisco
Challenges
• SIEM could not meet security needs
• Very difficult to index non-security or custom app log data
• Serious scale and speed issues. 10GB/day and searches took > 6 minutes
• Difficult to customize, reliance on pre-built rules which generated false positives
Splunk Solution
• Easy to index any type of machine data from any source
• Over 60 simultaneous users, correlations, reporting, advanced threat detection
• Use all data + flexible searches and reporting = empowered team
• 900 GB/day and searches take < minute. 7 global data centers with 350TB store
• Estimated that Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk
from traditional SIEM
as Splunk is designed
and engineered for “big
data” use cases. Our
previous SIEM was not
and simply could not
scale to the data
volumes we have. “
- Gavin Reid, Leader,
Cisco Computer
Security Incident
Response Team

20. Must read for anyone operating a SOC
Cisco CSIRT playbook

21. What is Splunk UBA?

22. 22
FAMILIAR WITH THESE BREACHES?
January 2015 February 2015 February 2015
Morgan Stanley
730K
PII Records
Anthem Insurance
80M
Patient Records
Office of Personal
Management
22M
PII Records
July 2015
Pentagon Unclassified
Email System
4K
PII Records

23. 23
WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

24. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Cyber Attack Detection Insider Threat Detection Security Analytics
Platform for Machine Data

25. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
Behavior Baselining
& Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Threat & Anomaly
Detection
Security Analytics

26. A Few CUSTOMER FINDINGS
 Malicious Domain
 Beaconing Activity
 Malware: Asprox
 Webshell Activity
 Pass The Hash Attack
 Suspicious Privileged
Account activity
 Exploit Kit: Fiesta
 Lateral Movement
 Unusual Geo Location
 Privileged Account
Abuse
 Access Violations
 IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

27. 27
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba

28. 28
What’s THE LATEST?
28
UBA Results Across
SIEM Workflow
Rapid Investigation
of Advanced
Threats
Enhanced Insider
Threat & Cyber
Attack Detection
ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

29. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

30. PROXY SERVER
FIREWALL
WHAT DOES SPLUNK UBA NEED?
ACTIVE DIRECTORY /
DOMAIN CONTROLLER
DNS, DHCP
SPLUNK ENTERPRISE
AT A MINIMUM

31. What’s New in UBA 2.2

32. 32
Enhanced Insider Threat and Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2

33. 33
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

34. 34
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

35. 35
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
 Risk Percentile & Dynamic Peer Groups
 Support for Additional 3rd Party Devices
UBA 2.2

36. ES & UBA Demo

37. 37
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

38. Thank You!