This session will review Splunk’s two premium security solutions. Splunk Enterprise Security (ES) is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments. Splunk UBA is a new technology that applies unsupervised machine learning and data science to one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or with third-party data sources, to bring significant automated analytical power to your SOC and incident response teams.
3. Platform for Machine Data
Splunk Solutions: easy to adopt across data sources, use cases and consumption models.
Splunk Premium Solutions (ES, ITSI, UBA, PCI Security) sit alongside a rich ecosystem of apps (Exchange, VMware, IT Svc Int, and more).
Data sources: forwarders, syslog/TCP, mobile, IoT devices, network wire data, relational databases, mainframe data, Hadoop & NoSQL.
5. Splunk Security Vision
Security markets: SIEM and Compliance; Security Analytics (supervised and unsupervised); Fraud and Business Risk; Managed Security and Intelligence Services.
Splunk Security Intelligence Framework: workflow/collaboration, case management, content/intelligence syndication and ecosystem brokering.
6. Enterprise Security
Provides: SIEM and Security Intelligence Platform for security operations/command centers
Functions: alert management, detection using pre-built correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing
Personas served: SOC analysts, security teams, incident responders, hunters, security managers
Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attack detection using correlation searches, dynamic baselines
7. User Behavior Analytics
Provides: advanced threat detection using unsupervised machine learning; enriches Splunk Enterprise Security (SIEM)
Functions: baselines behavior from log data and other data to detect anomalies and threats
Personas served: SOC analysts, hunters
Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science
9. Machine data contains a definitive record of all interactions, human-to-machine and machine-to-machine. Splunk is a very effective platform to collect, store, and analyze all of that data.
10. Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four years in a row as a Leader; furthest overall in Completeness of Vision. Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases.
11. Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three use cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. (Gartner disclaimer as on the previous slide.)
13. Splunk Enterprise Security: Fast Facts
● Current version: 4.5 released on October 12, 2016
● Two major releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
14. The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in: network AV, Windows + OS X AV, PCI-zone Linux AV, network sandboxing, APT protection
● CIM = data normalization
17. Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries.
18. Splunk Enterprise Security – SIEM and Security Intelligence (release timeline)
• Q4 2014 – ES 3.2: Protocol Intelligence; Semantic Search
• Q2 2015 – ES 3.3: Threat Intel Framework; User Activity Monitoring; Content Sharing; Data Ingestion
• Q4 2015 – ES 4.0: Breach Analysis; Integration with Splunk UBA; Enterprise Security Framework
• Q2 2016 – ES 4.1: Behavior Anomalies; Risk and Search in Incident Review; Facebook ThreatExchange
• Q3 2016 – ES 4.2: Adaptive Response enablement; Performance; Actions Dashboard; Search Driven Lookup
19. SIEM Criteria for Enterprises
Logging and Deployment (criterion: Splunk solution)
• Real-time event data collection: Splunk Enterprise
• Scalable architecture, deployment flexibility: Splunk Enterprise
• Log management, search and ad hoc search: Splunk Enterprise
SIEM Capabilities (criterion: Splunk solution)
• Incident response and management: Splunk Enterprise Security
• User monitoring: Splunk Enterprise Security
• Advanced analytics: Splunk Enterprise Security
• Threat intelligence and business context: Splunk Enterprise Security
• Real-time monitoring: Splunk Enterprise Security
• Advanced threat defense: Splunk Enterprise Security
• Data and application monitoring: Splunk Enterprise and Enterprise Security
• Deployment and support flexibility: Splunk Enterprise and Enterprise Security
Based on Gartner research document: 2016 Critical Capabilities for SIEM
20. Splunk Enterprise Security supports all SIEM use cases
Use cases: monitor, report, analyze, investigate, respond, collaborate, detect, alert.
Functions: collect and store; report and ad hoc search; analyze; pre-defined views and rules; correlation rules and thresholds; analysis, investigation and context enrichment; enterprise-wide coordination and response.
Data Platform: collect and index data for search, analysis and visualization; dynamic ad hoc and statistical analysis.
SIEM – Security Ops Management: alert and incident management, policy-based rules, out-of-box security rules and analysis.
21. What’s new in Enterprise Security 4.5? (Automation, Visualization, Detection)
Adaptive Response – extend analytics-driven decisions and automation: use connected intelligence for security operations to gain full visibility and responsiveness across your security ecosystem.
Glass Tables – enhance visual analytics with Glass Table views: create custom visualizations that reflect your workflows, topology, and detect, investigate and respond sequences, with dashboards and summary views with relevant context to suit your needs.
22. Adaptive Response: Analytics-driven Decisions, Automate
• Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times
• Improve operational efficiency using workflow-based context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
23. Accelerate Detection, Investigation and Response
• Use the correlation search builder to configure and automate responses and attach the results to notable events
• In incident review, configure and execute responses and queries across the security ecosystem
• Use the actions dashboard to search and review responses taken and their results
24. Adaptive Response Actions (Examples) – Automation
Category – information gathering, information conveyance, permissions control
Task – create, update, delete, allow, block
Subject – what will be acted upon (network, endpoint, etc.)
Vendor – who provides the action, e.g. Splunk, Ziften, Palo Alto Networks
25. Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view across workflow, identity, network, internal network security, app, endpoints, web proxy and threat intel. Adaptive Response partners:
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout
26. Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view
• Improve response times with nested views to display what’s important or relevant
• Optimize workflow with drill-down to the supporting criteria of the metric
27. Simplify Analysis with Custom Views of Security Metrics
• Custom visualizations that reflect workflows, topology, and detect, investigate and respond sequences, with dashboards and summary views
• Views with relevant context to suit your needs
Example: Threat KPI Glass Table
31. DISCLAIMER
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
33. SO, WHAT IS THE PROBLEM?
• Compromised / misused credentials or devices
• Lack of resources (security expertise)
• Lack of alert prioritization & excessive false positives
34. EXTERNAL ATTACK – user activity, Day 1 through Day N
• Peter and Sam access a compromised website - backdoor gets installed
• The attacker uses Peter’s stolen credential and VPNs into Domain Controller
• The attacker uses the backdoors to download and execute WCE – password cracker
• Peter’s and Sam’s devices begin communicating with CnC
• The attacker logs in as Sam and accesses sensitive documents from a file share
• The attacker steals the admin Kerberos ticket and escalates the privileges for Sam
• The attacker uses Peter’s VPN credential to connect, copies the docs to an external staging server, and logs out after three hours
35. INSIDER THREAT – user activity, Day 1 through Day N
• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
37. WHAT IS SPLUNK UBA?
Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the-box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baseline and peer group analytics.
38. Splunk User Behavioral Analytics – Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Built on the Platform for Machine Data: behavior baselining & modelling; unsupervised machine learning; real-time & big data architecture; threat & anomaly detection; security analytics.
39. INSIDER THREAT – the same user activity (Day 1 through Day N) with the anomalies Splunk UBA raises
User activity:
• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
UBA detections:
• Unusual Machine Access (Lateral Movement; Individual & Peer Group)
• Unusual Zone (Corp to PCI) traversal (Lateral Movement)
• Unusual Activity Sequence
• Unusual Zone Combination (PCI to Corp)
• Unusual File Access (Individual & Peer Group)
• Multiple Outgoing Connections & Unusual SSL session duration
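The baseline-and-peer-group idea behind the "Individual & Peer Group" and zone-traversal detections above, as a simplified added example (my own illustration, not Splunk UBA's code or algorithm): it builds per-user and per-peer-group baselines of zone traversals and hosts from constructed history, then scores today's events, so John's Corp-to-PCI hop and his access to a host none of his finance peers use score highest. Users, zones, hosts and peer groups are all invented.

```python
from collections import defaultdict

# Constructed sample access events (day, user, src_zone, dst_zone, dst_host); not real data.
# Twenty days of routine history per user form the baseline.
HISTORY = ([(d, "john", "vpn", "corp", "fs-finance") for d in range(1, 21)]
           + [(d, "alice", "vpn", "corp", "fs-finance") for d in range(1, 21)]
           + [(5, "alice", "vpn", "corp", "fs-hr")]            # one of John's peers uses fs-hr
           + [(d, "dba1", "corp", "pci", "pci-db01") for d in range(1, 21)])
PEER_GROUPS = {"john": "finance", "alice": "finance", "dba1": "dba"}   # e.g. from AD/HR data

TODAY = [
    (21, "john", "vpn", "corp", "fs-finance"),   # routine for John
    (21, "john", "corp", "pci", "pci-db01"),     # Corp-to-PCI hop: new for John and all of finance
    (21, "john", "pci", "corp", "fs-hr"),        # PCI-to-Corp back-traversal; host known to a peer
    (21, "dba1", "corp", "pci", "pci-db01"),     # routine for the DBA group
]


def build_baselines(history, peer_groups):
    """Per-user and per-peer-group sets of (src_zone, dst_zone) pairs and hosts seen."""
    user_pairs, user_hosts = defaultdict(set), defaultdict(set)
    group_pairs, group_hosts = defaultdict(set), defaultdict(set)
    for _, user, src, dst, host in history:
        group = peer_groups[user]
        user_pairs[user].add((src, dst))
        user_hosts[user].add(host)
        group_pairs[group].add((src, dst))
        group_hosts[group].add(host)
    return user_pairs, user_hosts, group_pairs, group_hosts


def score_event(event, baselines, peer_groups):
    """0 when the user has done this before; +1 when new for the user and a further
    +2 when new for their whole peer group, separately for zone traversal and host."""
    _, user, src, dst, host = event
    user_pairs, user_hosts, group_pairs, group_hosts = baselines
    group = peer_groups[user]
    score, reasons = 0, []
    if (src, dst) not in user_pairs[user]:
        score += 1
        reasons.append(f"unusual zone traversal {src}->{dst} for {user}")
        if (src, dst) not in group_pairs[group]:
            score += 2
            reasons.append(f"unusual zone traversal {src}->{dst} for peer group {group}")
    if host not in user_hosts[user]:
        score += 1
        reasons.append(f"unusual machine access {host} for {user}")
        if host not in group_hosts[group]:
            score += 2
            reasons.append(f"unusual machine access {host} for peer group {group}")
    return score, reasons


def detect(today, history, peer_groups, threshold=3):
    """Return (user, host, score, reasons) for today's events scoring at or above threshold."""
    baselines = build_baselines(history, peer_groups)
    alerts = []
    for event in today:
        score, reasons = score_event(event, baselines, peer_groups)
        if score >= threshold:
            alerts.append((event[1], event[4], score, reasons))
    return alerts


if __name__ == "__main__":
    for user, host, score, reasons in detect(TODAY, HISTORY, PEER_GROUPS):
        print(user, host, score, "; ".join(reasons))
```

The peer-group tier is what keeps the second John alert lower than the first: fs-hr is new for John but not for his department, whereas pci-db01 is new for the whole finance group.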
41. WHAT DOES SPLUNK UBA NEED?
At a minimum: Splunk Enterprise or any SIEM; Active Directory / Domain Controller; DNS, DHCP; proxy server; firewall.
42. 42
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
“Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts way better.”
Mark Grimse, VP IT Security, Rambus
“A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.”
Randolph Barr, CSO, Saba
43. WHY SPLUNK UBA?
• The most advanced UEBA technology
• The largest investment in machine learning
• A complete solution from Splunk
Detect the unknowns. Improve SOC & hunter efficiency.
45. 45
• 6000+ IT, Security and Business Professionals
• 3 days of technical content
• 180+ sessions + hands-on labs
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
PLUS Splunk University
• Three days: Sept 23-25, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
#splunkconf2017
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – log search and analytics for small IT environments
Hunk – for analytics on data in Hadoop
The products can pull in data from virtually any source to support multiple use cases.
Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
For the purposes of this discussion we’ll be talking about and seeing Splunk ES 4.5 and UBA 3.0, running on top of our current release of Splunk Enterprise 6.5.
Splunk solutions provide capabilities across the modern security markets – from left to right – Splunk isn’t a traditional SIEM but provides SIEM capabilities via Enterprise Security. Enterprise Security also helps with various compliance regulations, and if you need a more specific approach to PCI we have a separate app just for that. Then we provide various methods for security analytics – nothing in Splunk is set in stone or tied down which is a major advantage over rigid SIEM technology. If you want to hunt through your data and create your own searches for analytics – go right ahead with Core Splunk and ES. If you’d rather have a fully curated, out of the box machine learning driven experience, or also want that – then that’s UBA. We are also finding that customers can and do leverage our platform to analyze for fraud and business risk. And finally, many of our partners are offering managed security services with our platform at the center.
Enterprise Security is a premium app designed to be used in a SOC or incident response group, and it provides SIEM-like functions on top of the Splunk Enterprise or Splunk Cloud platform.
UBA is very different – it is a standalone platform and doesn’t necessarily need the Splunk Enterprise platform to do what it does. We expect it to be used by SOC analysts and hunters. It is specifically designed to surface vetted threats about outside attackers and insiders, and it does this with a software appliance based approach.
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything.
There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
ES 3.0 was the first release done against Splunk 6, and that was a huge step forward – mainly because of the use of CIM and accelerated data models.
Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless.
Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable.
Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem.
ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
Underneath ES, there’s this concept called the Common Information Model (CIM). It performs normalization on data so that if we have four different AV solutions in our environment, for example, we can report on them, analyze them and correlate across all of their data regardless of vendor. Now, normally when we hear “normalization” we think that’s evil: normalization is bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, which happens at index time. With Splunk, we apply our normalization at search time. That means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM gives us significant regularity across similar but disparate data types. It also allows cross-domain correlation, such as matching IDS events against vulnerability data.
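A search-time normalization in the spirit of the CIM, as an added example that is not Splunk's code: three constructed, fictional AV event formats are parsed by per-sourcetype regexes into one common field set (time, action, subsystem, requesting user, target host and outcome, matching the Bollinger list above), each vendor's outcome words collapse to one vocabulary, and two cross-vendor queries run over the result. The sourcetype names, log formats and hostnames are invented.

```python
import re
from collections import defaultdict

# Constructed sample events from three fictional AV products; sourcetype names and
# formats are invented for this example.
RAW_EVENTS = [
    ("vendor_a:av",
     '2016-10-12T09:14:02Z host=WS-017 user=peter action=quarantined '
     'threat="Trojan.Gen" file="C:\\tmp\\a.exe"'),
    ("vendor_b:endpoint",
     '2016-10-12 09:15:10 | ws-017 | peter | Detected: Backdoor.Agent | result=blocked'),
    ("vendor_c:pci_linux_av",
     'Oct 12 09:16:44 pci-db01 clamd: FOUND Unix.Trojan.Agent in /var/tmp/x (user sam) -> removed'),
    ("vendor_a:av",
     '2016-10-12T09:20:31Z host=WS-042 user=sam action=allowed '
     'threat="EICAR-Test" file="C:\\eicar.com"'),
]

# Per-sourcetype search-time extractions: regex named groups become the common field names.
# A vendor changing its log format means editing one regex here; indexed data stays as-is.
EXTRACTIONS = {
    "vendor_a:av": re.compile(
        r'^(?P<_time>\S+) host=(?P<dest>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
        r'threat="(?P<signature>[^"]+)" file="(?P<file_path>[^"]+)"'),
    "vendor_b:endpoint": re.compile(
        r'^(?P<_time>\S+ \S+) \| (?P<dest>[^|]+?) \| (?P<user>[^|]+?) \| Detected: '
        r'(?P<signature>[^|]+?) \| result=(?P<action>\S+)'),
    "vendor_c:pci_linux_av": re.compile(
        r'^(?P<_time>\w{3} \d+ [\d:]+) (?P<dest>\S+) clamd: FOUND (?P<signature>\S+) in '
        r'(?P<file_path>\S+) \(user (?P<user>\S+)\) -> (?P<action>\S+)'),
}

# Each vendor's outcome words collapse to one vocabulary so "action=blocked" means the same
# thing regardless of product.
ACTION_ALIASES = {"quarantined": "blocked", "blocked": "blocked", "removed": "blocked",
                  "allowed": "allowed"}


def normalize(sourcetype, raw):
    """Extract common fields from one raw event; None on a parse miss so that a format
    change shows up as missing events rather than silently wrong fields."""
    match = EXTRACTIONS[sourcetype].match(raw)
    if match is None:
        return None
    ev = match.groupdict()
    ev["dest"] = ev["dest"].strip().lower()   # hostnames must compare equal across vendors
    ev["user"] = ev["user"].strip().lower()
    ev["action"] = ACTION_ALIASES.get(ev["action"].lower(), "unknown")
    ev.setdefault("file_path", None)          # vendor_b never reports a path
    ev["vendor_product"] = sourcetype         # the subsystem that performed the action
    return ev


def normalize_all(events):
    return [ev for ev in (normalize(st, raw) for st, raw in events) if ev is not None]


def hosts_seen_by_multiple_vendors(events):
    """Cross-vendor correlation: hosts flagged by two different products."""
    vendors = defaultdict(set)
    for ev in events:
        vendors[ev["dest"]].add(ev["vendor_product"])
    return {host: sorted(v) for host, v in vendors.items() if len(v) > 1}


def unblocked_detections(events):
    """Detections no product stopped: the events that need an analyst."""
    return [(ev["dest"], ev["signature"]) for ev in events if ev["action"] == "allowed"]


if __name__ == "__main__":
    evs = normalize_all(RAW_EVENTS)
    print(hosts_seen_by_multiple_vendors(evs))   # {'ws-017': ['vendor_a:av', 'vendor_b:endpoint']}
    print(unblocked_detections(evs))             # [('ws-042', 'EICAR-Test')]
```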
Gain a holistic view across all security relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more
Detect, investigate and respond by overcoming silos
A critical security concern for banks is fraud. So let’s hear how Orrstown Bank uses Splunk.
We’re headed to the East Coast!
2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!