This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

1. Copyright © 2016 Splunk Inc.
Enterprise Security &
UBA Overview
SplunkLive Charlotte 2016
Eric Motz, Sr SE Manager
Technical Splunk Guy

2. 2
2
> Eric Motz eric@splunk.com
• 5+ years at Splunk
• Client Architect, SE, Sr SE Mgr
• 20+ years in IT and security
• Oracle Advanced Programs Group – Civilian
and Intel, Mercury, HP, Splunk
• CISSP – passed the test.
whoami

3. 3
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

4. 4
Agenda
Splunk Portfolio Update
Enterprise Security 4.1
User Behavior Analytics 2.2

5. 5
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

6. 6
What’s New ?
6
UBA Results Across
SIEM Workflow
Rapid Investigation
of Advanced
Threats
Enhanced Insider
Threat & Cyber
Attack Detection
ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

7. Copyright © 2016 Splunk Inc.
Enterprise Security 4.1
7

8. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

9. 9
App
Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center
Identity

10. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

11. More Honors – March 2016
● Best SIEM Solution
● Best Fraud Prevention Solution

12. 12
ES Fast Facts
● Current version: 4.1 announced at RSA
● Two releases per year
● Content comes from industry experts, market analysis, but most
importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast,
and customizable
● ES has its own development team, dedicated support, services
practice, and training courses

13. The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in:
● Network Gateway AV
● Windows + OS X + Linux AV
● Network Sandboxing
● Advanced Endpoint Protection
Need: Common Information Model
CIM = Data Normalization

14. Copyright © 2016 Splunk Inc.
NORMALIZATION?!?

15. Copyright © 2016 Splunk Inc.
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.

16. Data Normalization is Mandatory for your SOC
“The organization consuming the
data must develop and consistently
use a standard format for log
normalization.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck
creating investigative queries

17. 17
Splunk Enterprise Security –
Basic, Advanced SIEM Use Cases and Security Intelligence
17
Q3 2014 Q4 2014 Q2 2015
ES 3.1
• Risk Framework
• Guided Search
• Unified Search
Editor
• Threatlist Scoring
• Threatlist Audit
ES 4.0
• Breach Analysis
• Integration
with Splunk
UBA
• Enterprise
Security
Framework
ES 3.2
• Protocol
Intelligence
• Semantic Search
ES 3.3
• Threat Intel
Framework
• User Activity
Monitoring
• Content
Sharing
• Data Ingestion
Q4 2015
ES 4.1
• Behavior
Anomalies
• Risk and Search in
Incident Review
• Facebook
ThreatExchange
Q1 2016

18. 20
Open Solutions Framework
Supports critical security related management framework features
20
Enterprise
Security
Framework
• Notable Events Framework
• Thereat Intelligence
Framework
• Risk Scoring Framework
• Identity & Asset Framework
Customer Apps
APPs /
Content
Partner Apps
APPs /
Content
Splunk Apps
APPs /
Content
• Export
• Import
• Share
• Summarization Framework
• Alerting & Scheduling
• Visualization Framework
• Application Framework
External
Instance

19. What’s new in Splunk Enterprise Security 4.1 ?

20. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

21. 23
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
23
ES 4.1 and UBA 2.2

22. 24
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

23. 25
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

24. Incident Response
When working an incident which phase generally takes the longest to complete in your
organization?
9%
32%
15%
16%
25%
3%
0% 5% 10% 15% 20% 25% 30% 35%
Preparation
Identification/Scoping
Containment/Mitigation
Eradication/Remediation
Root Cause Analysis
Lessons Learned/Recovery
Column %
Source: © 2016 Enterprise Management Associates, Inc.
N=100

25. 27
Adaptive Response Initiative
27
App workflow
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints
Mission: Bring together the best security
technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-
to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain

26. ES Demo

27. User Behavior Analytics

28. 33
FAMILIAR WITH THESE THREATS?
January 2015 February 2015 February 2015
Morgan Stanley
730K
PII Records
Anthem Insurance
80M
Patient Records
Office of Personal
Management
22M
PII Records
July 2015
Pentagon Unclassified
Email System
4K
PII Records

29. 34
SO, WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

30. 35
EXTERNAL
ATTACK
USER ACTIVITY
Peter and Sam access a compromised website -
backdoor gets installed
The attacker uses Peter’s stolen credential and VPNs into
Domain Controller
The attacker uses the backdoors to download and execute
WCE – password cracker
Peter’s and Sam’s devices begin communicating with
CnC
The attacker logs in as Sam and accesses sensitive
documents from a file share
The attacker steals the admin Kerberos ticket and
escalates the privileges for Sam
The attacker uses Peter’s VPN credential to connect,
copies the docs to an external staging server, and logs
out after three hours
Day 1
.
.
Day 2
.
.
Day N

31. 36
INSIDER
THREAT
John connects via VPN
Administrator performs ssh (root) to a file share -
finance department
John executes remote desktop to a system
(administrator) - PCI zone
John elevates his privileges
root copies the document to another file share -
Corporate zone
root accesses a sensitive document
from the file share
root uses a set of Twitter handles to chop and copy the
data outside the enterprise
USER ACTIVITY
Day 1
.
.
Day 2
.
.
Day N

32. 37
WHAT IS
SPLUNK UBA?
DETECT ADVANCED CYBERATTACKS
DETECT MALICIOUS INSIDER THREATS

33. 38
THE FOUNDATION
ANOMALY DETECTION THREAT
DETECTION
UNSUPERVISED
MACHINE LEARNING
BEHAVIOR
BASELINING &
MODELING
REAL-TIME & BIG DATA
ARCHITECTURE

34. 39
REAL-TIME & BIG
DATA ARCHITECTURE
SCALABLE
ARCHITECTURE
500M
EVENTS

35. 40
MULTI-ENTITY BEHAVIORAL MODEL
Temporal Window
USER HOST NETWORK APPLICATION DATA
Activity A
Activity N
Activity A
Activity N
Activity A
Activity N
Activity A
Activity N
Activity A
Activity N
ACTIVITY A ACTIVITY C ACTIVITY F ACTIVITY B ACTIVITY L

36. 41
EVOLUTION
COMPLEXITY
RULES - THRESHOLD
POLICY - THRESHOLD
POLICY - STATISTICS
UNSUPERVISED
MACHINE LEARNING
POLICY - PEER
GROUP STATISTICS
SUPERVISED
MACHINE LEARNING
LARGEST LIBRARY
OF UNSUPERVISED ML ALGORITHMS

37. 42
DESIGNED FOR A
HUNTER
ANOMALY DETECTION
APPLYING ML AGAINST
BEHAVIOR BASELINES

38. 43
DESIGNED FOR A
SOC ANALYST
THREAT DETECTION
ML DRIVEN AUTOMATED
ANOMALY CORRELATION

39. PROXY SERVER
FIREWALL
WHAT DOES SPLUNK UBA NEED?
ACTIVE DIRECTORY /
DOMAIN CONTROLLER
DNS, DHCP
SPLUNK ENTERPRISE ANY SIEM AT A MINIMUM

40. A Few CUSTOMER FINDINGS
 Malicious Domain
 Beaconing Activity
 Malware: Asprox
 Webshell Activity
 Pass The Hash Attack
 Suspicious Privileged
Account activity
 Exploit Kit: Fiesta
 Lateral Movement
 Unusual Geo Location
 Privileged Account
Abuse
 Access Violations
 IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

41. 46
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK
UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba

42. 47
WHY SPLUNK UBA?
THE MOST ADVANCED
UEBA TECHNOLOGY
THE LARGEST INVESTMENT IN
MACHINE LEARNING
A COMPLETE SOLUTION FROM
SPLUNK
DETECT THE UNKNOWNS
IMPROVE SOC & HUNTER EFFICIENCY

43. What’s New in UBA 2.2

44. 49
Enhanced Insider Threat and Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2

45. 50
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

46. 51
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

47. 52
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
 Risk Percentile & Dynamic Peer Groups
 Support for Additional 3rd Party Devices
UBA 2.2

48. UBA Demo

49. 56
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

50. Thank You!