You have spent a lot of money on your security infrastructure. How do you now bring all those different systems together so that you reach your goals: detecting threats quickly, responding to them and preventing them in future? At the same time your security team should of course be able to act in line with your business and strategy. Learn here how to deploy your security resources most effectively. We show the whole thing in a live demo.
4. The Ever-Changing Threat Landscape
53% of victims were notified of the breach by an external entity
100% of breaches used valid credentials
229 days: median time before detection
Source: Mandiant M-Trends Report 2012-2016
5. Source: Verizon DBIR
Attacks often start with an email:
50% click on phishing links within the first hour
23% of recipients open phishing messages
11% of recipients click on attachments
6. True Story: State of Michigan (SOM) – User account spoofing
• Phishing mail: "Mailbox reached storage limit..."
• The custom-designed Outlook Web Access portal of SOM was rebuilt by the attacker
• The fake page asked for e-mail address, username, password and date of birth...
To how many users was the mail delivered? How many clicked? How many filled it out?
• Delivered to 2,800 employees before being blocked
• 155 employees clicked the link
• 144 employees provided their credentials
Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann
9. Turning Machine Data Into Business Value
(Slide graphic: "Index Untapped Data: Any Source, Type, Volume", listing example sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; located on-premises, in private cloud and in public cloud. "Ask Any Question" across application delivery; security, compliance and fraud; IT operations; business analytics; Internet of Things and industrial data.)
10. Security Use Cases
• Security & compliance reporting
• Real-time monitoring of known threats
• Monitoring of unknown, advanced threats
• Incident investigations & forensics
• Insider threat
Splunk can complement or replace an existing SIEM
11. Products for Security and Compliance
• Splunk Enterprise Security
• 390+ security apps
• Splunk User Behavior Analytics
Examples of security apps and integrations: Palo Alto Networks, FireEye, Symantec, DShield, DNS, OSSEC, NetFlow Logic, Cisco Security Suite, F5 Security, PCI Compliance, Active Directory, Blue Coat ProxySG
15. APT Transaction Flow Across Data Sources
(Slide diagram: one intrusion traced across the data sources that record each step, in the phases "Gain access to system", "Create additional environment" and "Conduct business".)
• Web: the attacker hacks a website and steals .pdf files (Portal.pdf).
• Mail: the attacker creates malware, embeds it in the .pdf and e-mails it to the target; the target reads the e-mail and opens the attachment.
• Endpoint: the .pdf executes and unpacks the malware, overwriting and running "allowed" programs: Calc.exe (dropper), Svchost.exe (malware).
• Proxy / network: an HTTP (proxy) session to the command-and-control server gives the attacker remote control; the attacker steals data, persists in the company and rents the compromised hosts out as a botnet.
• Data sources that see this transaction: threat intelligence, endpoint, network, and e-mail, proxy, DNS and web.
17. What is Enterprise Security?
A collection of frameworks: Notable Event, Asset and Identity, Risk Analysis, Threat Intelligence, Adaptive Response
18. Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
Four years in a row as a Leader; furthest overall in Completeness of Vision. Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases.
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
19. Splunk and the SANS CIS Critical Security Controls
The CIS Critical Security Controls (CSC) are a time-proven, prioritized, "what works" list of 20 controls that can be used to minimize security risks to enterprise systems and the critical data they maintain. These controls are derived from and "cross-walked" to controls in NIST Special Publication 800-53. They are also known as the Consensus Audit Guidelines (CAG).
Formerly managed by SANS and the Council on CyberSecurity, the CIS CSC are currently governed by the Center for Internet Security (CIS) and are considered the "de facto yardstick by which corporate security programs can be measured," according to the Cybersecurity Law Institute.
Read the e-book:
http://www.splunk.com/web_assets/pdfs/secure/Splunk-and-the-SANS-Top-20-Critical-Security-Controls.pdf
Download the free App:
https://splunkbase.splunk.com/app/3064/
20. Splunk Security Essentials App
Over 50 search examples for use cases from the following domains:
• Access Domain
• Data Domain
• Network Domain
• Threat Domain
• Endpoint Domain
• Data Sources Used
Download the free App:
https://splunkbase.splunk.com/app/3435/
21. Source: Verizon DBIR
If it happens today, how long does it take you to answer the questions that follow?
50% click on phishing links within the first hour
22. Next Step: Discovery Workshop
What's your security use case?
• Cost justification towards your management
• Success measurement
• Prioritization
• Scoping of data sources / data volume / costs
• Establishing organizational processes
• Data privacy justification
23. Explore: How Travis Perkins built a SOC in the Cloud
http://blogs.splunk.com/2016/09/14/trust-and-resilience-at-the-speed-of-business-how-travis-perkins-built-a-lean-soc-with-splunk-in-the-cloud/
Join: our community with apps, ask questions or join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try: Splunk Enterprise Security in our sandbox with 50+ data sources
https://www.splunk.com/getsplunk/es_sandbox
Q&A
Thank you
Editor's Notes
A fundamental change is going on in the threat landscape, and traditional defenses are no longer enough. While the user interface of those defenses might still look nice, a fundamental shift is under way underneath: with more and more cloud and software-as-a-service, perimeter security is increasingly challenged. With the digital transformation new services need to be protected, and protecting systems alone is no longer enough. Identity becomes the new perimeter that needs to be protected.
There are three numbers in the cyber security statistics that prove this trend and that we should pay close attention to:
100% of breaches are carried out using valid credentials;
it still takes a median of 229 days to detect a breach;
and with all the security technologies deployed in enterprises, 53% of breaches are still first reported to the enterprise by a third party (FBI, Secret Service).
At GISEC 2015 in Dubai, a large security show, Michigan's ex-CSO Dan Lohrmann gave a keynote and named sophisticated phishing attempts as one of the top concerns for CIOs. He showed a real sample of a targeted attack they faced. E-mails were sent to over 2,800 users saying that their mailbox had reached its size limit and that they should log on to Outlook Web Access to increase it temporarily. Within the first hour, 155 employees clicked the link to a faked Outlook Web Access page; even the custom colouring and design used by the State of Michigan had been reproduced. 144 employees provided their credentials.
If that type of attack happens, and you can't avoid it, you need to have the right procedures and technology in place to react quickly.
Looking only at the data sources typically used by legacy SIEMs is not enough. It would be like boxing yourself into a tight space and having to fight your attackers and defend against your threats from that position.
You need to be able to see outside the box, go beyond your traditional security solutions and gain security insight from all your data, for example e-mail tracking logs to know who got the e-mails, web logs to know who
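The three questions on the State of Michigan slide (delivered, clicked, filled out) are exactly the join between the mail-tracking log and the web-proxy log that this note describes. The following is an added example, not code from the original deck or from Splunk: it scopes a constructed campaign in plain Python, extracting fields from raw key=value log lines at read time (the schema-on-read idea from the notes further down) and matching mail recipients to proxy users by login name. The log formats, host names, users, timestamps and the sender and host of the lure are all constructed for illustration.

```python
"""Scope a phishing campaign from mail-tracking and web-proxy logs.

Added example: the log formats, hostnames, user names and timestamps below
are constructed for illustration and are not Splunk output or State of
Michigan data. Fields are extracted from the raw lines at read time with a
regular expression (schema on read), so the same raw text can answer a
different question later without re-indexing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed mail-tracking log: one line per delivery event.
MAIL_LOG = """\
2015-03-10T08:01:12Z event=DELIVER sender=helpdesk@quota-notice.example recipient=alice@som.example subject="Mailbox reached storage limit"
2015-03-10T08:01:13Z event=DELIVER sender=helpdesk@quota-notice.example recipient=bob@som.example subject="Mailbox reached storage limit"
2015-03-10T08:01:13Z event=DELIVER sender=helpdesk@quota-notice.example recipient=carol@som.example subject="Mailbox reached storage limit"
2015-03-10T08:01:14Z event=DELIVER sender=payroll@som.example recipient=dave@som.example subject="March payslip"
2015-03-10T08:05:00Z event=BLOCKED sender=helpdesk@quota-notice.example recipient=erin@som.example subject="Mailbox reached storage limit"
"""

# Constructed web-proxy log: one line per HTTP request.
PROXY_LOG = """\
2015-03-10T08:14:03Z user=alice src=10.1.2.3 method=GET url=http://owa-som-login.example/owa/auth.aspx status=200
2015-03-10T08:14:40Z user=alice src=10.1.2.3 method=POST url=http://owa-som-login.example/owa/auth.aspx status=302
2015-03-10T08:20:11Z user=bob src=10.1.2.7 method=GET url=http://owa-som-login.example/owa/auth.aspx status=200
2015-03-10T08:21:00Z user=carol src=10.1.2.9 method=GET url=https://www.example.org/news status=200
2015-03-10T10:30:00Z user=dave src=10.1.2.11 method=GET url=http://owa-som-login.example/owa/auth.aspx status=200
"""

# Schema on read: every line is '<timestamp> key=value key="quoted value" ...'.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one raw log line into a dict of fields; the timestamp is the first token."""
    ts, _, rest = line.partition(" ")
    fields = {"_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def scope_campaign(mail_log, proxy_log, lure_sender, phish_host):
    """Answer the three questions from the slide: delivered, clicked, submitted.

    delivered: mailbox users who received a message from the lure sender
    clicked:   users with any request to the phishing host (GET = page load)
    submitted: users whose request to the phishing host was a POST (form sent)
    Users are matched on the local part of the mail address vs. the proxy user name.
    """
    delivered, first_delivery = set(), None
    for ev in parse_log(mail_log):
        if ev.get("sender") == lure_sender and ev.get("event") == "DELIVER":
            delivered.add(ev["recipient"].split("@")[0])
            first_delivery = min(first_delivery or ev["_time"], ev["_time"])

    clicked, submitted, first_click = set(), set(), defaultdict(lambda: None)
    for ev in parse_log(proxy_log):
        host = re.sub(r"^https?://", "", ev.get("url", "")).split("/")[0]
        if host != phish_host:
            continue
        user = ev["user"]
        clicked.add(user)
        if first_click[user] is None:
            first_click[user] = ev["_time"]
        if ev.get("method") == "POST":
            submitted.add(user)

    # Clicks within the first hour after the first delivery (the DBIR "50% within an hour").
    within_hour = {u for u, t in first_click.items()
                   if first_delivery and (t - first_delivery).total_seconds() <= 3600}
    return {
        "delivered": sorted(delivered),
        "clicked": sorted(clicked & delivered),
        "submitted": sorted(submitted & delivered),
        # anyone hitting the lure host without a recorded delivery: forwarded mail,
        # a missed mailbox or a gap in the mail log; worth a look either way
        "clicked_no_delivery": sorted(clicked - delivered),
        "clicked_within_first_hour": sorted(within_hour & delivered),
    }


if __name__ == "__main__":
    result = scope_campaign(MAIL_LOG, PROXY_LOG,
                            lure_sender="helpdesk@quota-notice.example",
                            phish_host="owa-som-login.example")
    for k, v in result.items():
        print(f"{k:>26}: {len(v)} {v}")
```

Users who hit the lure host without a recorded delivery are reported separately rather than dropped: forwarded mail, a second mailbox or a gap in the mail log all look the same from the proxy side, and each deserves a look before the incident is closed.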
The rise of big data has forced IT organizations to transition from a focus on structured, relational data to accommodating unstructured data, driven by the volume, velocity and variety of today's applications and systems. As the data has changed from structured to unstructured, the technology approach needs to change as well.
When you don't know what data types you'll need to analyze tomorrow or what questions you need to ask in a week, flexibility becomes a key component of your technology decisions. The ability to index any data type, search across silos and avoid being locked into a rigid schema opens a new world of analytics and business insights to your organization.
Schema on read – enables you to ask any question of the data, because fields are extracted at search time rather than fixed at ingest
Search – enables rapid, iterative exploration of the data along with advanced analytics
Universal indexing – enables you to ingest any type of machine data
Horizontal scaling over commodity hardware enables big data analytics
Splunk products are used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence.
The insights gained from machine data support a number of use cases and can drive value across your organization. Today we will focus on Security.
If we talk about security there are different categories to which you can map your use cases and requirements. The quickest win is to start by building capabilities for incident investigation and forensics, so that when something goes wrong in your environment you can ask how an attacker got in and what data was accessed, and properly scope breaches and security incidents. You can also start hunting for threats if you assume you are already breached. Then you can take the pro-active step of monitoring your security controls and policies through compliance monitoring. This can cover external regulations like PCI, GDPR or ISO 2700x, or tracking your internal IT policy.
Then you can do real-time monitoring of known threats: each of your security solutions (IPS, IDS, vulnerability manager, firewall, anti-virus, VPN servers and more) has its own dashboards and events, but you want a centralized security posture so you can ask which security walls in your organization a specific user or system hit. This also lets you measure the efficiency of your security tools, for example.
Then you can use the data to build your own correlations with the Splunk search language to detect unknown threats, combining security events with non-security events like activity data. You can enrich data with threat intelligence and apply risk scores to aggregate notable activity.
Last but not least you can also analyze and detect insider threats. On one side these are malicious insiders who might leave the company and take personal data with them; on the other side hapless users who were tricked by social engineering or phishing and whose account was taken over by an external attacker, who then uses the credentials for their attacks and for accessing your networks, e-mail mailboxes and so on.
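Slide 15 and the notes above describe one intrusion leaving traces in mail, endpoint and proxy data, with threat intelligence and risk scores used to aggregate notable activity. The block below is an added example, not Splunk Enterprise Security code: it shows the mechanics behind that Risk Analysis / Notable Event idea in plain Python. Each observation that matches a rule adds risk to the host it concerns, indicator matches are weighted by the feed's confidence, and a notable is raised only when the risk accumulated over a window crosses a threshold. The indicators, rule weights, threshold, event shape and sample events are all constructed for illustration and are not CIM field names or ES defaults.

```python
"""Accumulate risk per host from mail, endpoint and proxy events; raise a notable on threshold.

Added example, not Splunk Enterprise Security code. Threat-intel indicators, rule
weights, the threshold and the sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat intelligence: indicator -> (feed name, confidence 0-100).
THREAT_INTEL = {
    "domain": {"c2.bad-actor.example": ("feed-a", 80)},
    "file_hash": {"9f86d081884c7d659a2feaa0c55ad015": ("feed-b", 90)},
}

# Constructed base risk per rule; indicator rules are scaled by feed confidence.
RULES = {
    "ti_domain_match": 60,
    "ti_hash_match": 70,
    "office_app_spawns_process": 40,
    "mail_with_executable_attachment": 20,
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}

# Constructed, already-normalized events from three sources (field names are this
# example's own, not the Common Information Model).
EVENTS = [
    {"_time": "2016-09-01T09:00:00Z", "source": "mail", "host": "ws-17", "user": "alice",
     "attachment": "invoice.pdf.exe"},
    {"_time": "2016-09-01T09:03:10Z", "source": "endpoint", "host": "ws-17", "user": "alice",
     "parent_process": "winword.exe", "process": "calc.exe",
     "file_hash": "9f86d081884c7d659a2feaa0c55ad015"},
    {"_time": "2016-09-01T09:03:40Z", "source": "proxy", "host": "ws-17", "user": "alice",
     "dest_domain": "c2.bad-actor.example"},
    # one indicator hit on its own: risk is recorded, but nobody is paged
    {"_time": "2016-09-01T11:00:00Z", "source": "proxy", "host": "ws-22", "user": "bob",
     "dest_domain": "c2.bad-actor.example"},
    {"_time": "2016-09-02T15:00:00Z", "source": "proxy", "host": "ws-30", "user": "carol",
     "dest_domain": "cdn.example.org"},
]


def score_event(ev):
    """Return a (rule, risk, evidence) tuple for every rule the event matches."""
    hits = []
    dom = ev.get("dest_domain")
    if dom in THREAT_INTEL["domain"]:
        feed, conf = THREAT_INTEL["domain"][dom]
        hits.append(("ti_domain_match", RULES["ti_domain_match"] * conf // 100, f"{dom} via {feed}"))
    h = ev.get("file_hash")
    if h in THREAT_INTEL["file_hash"]:
        feed, conf = THREAT_INTEL["file_hash"][h]
        hits.append(("ti_hash_match", RULES["ti_hash_match"] * conf // 100,
                     f"{ev.get('process')} {h} via {feed}"))
    if ev.get("parent_process") in OFFICE_APPS and ev.get("process"):
        hits.append(("office_app_spawns_process", RULES["office_app_spawns_process"],
                     f"{ev['parent_process']} -> {ev['process']}"))
    att = ev.get("attachment", "")
    if att.lower().endswith((".exe", ".scr", ".js", ".vbs")):
        hits.append(("mail_with_executable_attachment", RULES["mail_with_executable_attachment"], att))
    return hits


def aggregate_risk(events, window=timedelta(hours=24), threshold=150):
    """Sum risk per host over a sliding window; one notable per host per window crossing.

    Returns (totals, notables): totals maps host -> all risk it accumulated,
    notables lists dicts with host, time, risk, contributing sources, rules and evidence.
    """
    contribs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        t = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        for rule, risk, evidence in score_event(ev):
            contribs[ev["host"]].append((t, rule, risk, evidence, ev["source"]))

    totals, notables = {}, []
    for host, items in contribs.items():
        totals[host] = sum(c[2] for c in items)
        suppressed_until = None  # avoid one notable per extra event once we have fired
        for i, (t, *_rest) in enumerate(items):
            in_window = [c for c in items[: i + 1] if t - c[0] <= window]
            risk = sum(c[2] for c in in_window)
            if risk >= threshold and (suppressed_until is None or t > suppressed_until):
                notables.append({
                    "host": host, "time": t, "risk": risk,
                    "sources": sorted({c[4] for c in in_window}),
                    "rules": [c[1] for c in in_window],
                    "evidence": [c[3] for c in in_window],
                })
                suppressed_until = t + window
    return totals, notables


if __name__ == "__main__":
    totals, notables = aggregate_risk(EVENTS)
    for host, risk in sorted(totals.items()):
        print(f"{host}: accumulated risk {risk}")
    for n in notables:
        print(f"NOTABLE {n['host']} at {n['time']:%Y-%m-%d %H:%M}: risk {n['risk']}, "
              f"sources {n['sources']}, rules {n['rules']}")
```

Note what the threshold buys: bob's single beacon to the listed domain adds risk but raises nothing on its own, while alice's chain of executable attachment, Office spawning a process with a known-bad hash, and then the C2 session crosses the line and produces one notable that already lists the three data sources an analyst needs to open.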
The Splunk Security Intelligence Platform consists of multiple components. Foundational to the platform is Splunk Enterprise, our core product; every Splunk deployment includes it for indexing and storage. Using this alone, customers can perform searches and easily build reports and dashboards from their data. A variety of applications can be installed on top of Splunk Enterprise, ranging from third-party vendor apps and community-developed apps to Splunk's own apps. You can build apps on top for your own use or to share within your company. Apps are a collection of reports, dashboards and searches purpose-built for a specific use.
Our premium security app is Splunk Enterprise Security. It provides out-of-the-box security workflow, dashboards, reports and correlation rules that bring together security and infrastructure technologies across your company. Any of the apps can be mixed and matched to achieve the desired level of functionality.
To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage of the security and infrastructure elements. Organizations need a platform that provides out-of-the-box support and allows any technology, security or infrastructure device to be supported; this helps unify what have traditionally been siloed efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos.
The Splunk platform also provides role-based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, yet lets them collaborate and see things across the environment. This is critical when organizations need to determine whether an issue is a security, IT operations or application issue.
One way to answer the question "What is Enterprise Security?", and the way we'll look at it today, is to consider the frameworks that comprise it. Today we'll focus on these five, but in a slightly different way. Instead of showing you how ES uses these frameworks together to meet general security problems, we're going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider.
The ES frameworks, along with some very nice dashboards, and of course your organization's security data, make up ES.
At Splunk we don't just have great software; we want to ensure customer success in everything we do with your organization. We know how amazing our dashboards look, and so far we have found no limits on the technical side thanks to our strong platform foundation.
However, having no limits and not being put into a pre-defined box can be challenging from time to time, so knowing your security use cases is key. What is the final goal of the solution you're looking for? Your use case ensures that you get more than nice dashboards: it ensures that you have actionable information and findings. The better the use case, the more successful you will be! We can help and guide you on the journey to collect your use cases. We have a use case discovery workshop available as well as many inspirational customer stories to share. We can map them out together with you, apply them to your organization, scope the volume and costs as well as the organizational processes to establish; then we can prioritize them and start our joint journey!
The best part is that Splunk is really easy to try and deploy.
We have multiple options for getting started:
- Try out Splunk Enterprise, Splunk Cloud or Splunk Light with our free downloads or online trials.
- Or try our free software download. The free Splunk Enterprise download is the same product that scales to ingest petabytes of data per day.
- Already running Amazon cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.