Copyright © 2016 Splunk Inc.
Splunk Enterprise Security Deep Dive
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Speakers
Matthias Maier, CISSP + CEH, Security Product Marketing
Udo Götzen, CISSP, Senior Sales Engineer
Computing Security Excellence Awards
Splunk:
• Best SIEM
• Security Vendor of the Year
Splunk – Leader in Cybersecurity
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 2,500 employees, based in 12 countries
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud, Splunk Light
• Hunk: Splunk Analytics for Hadoop
12,000+ Customers
• Customers in 100 countries
• 85 of the Fortune 100
• Largest license: over 1 petabyte per day
Analytics-driven Security
• Risk-Based
• Context and Intelligence
• Connecting Data and People
Splunk Security Solutions
(Diagram: the Platform for Machine Data, fed by wire data, Windows (= SIEM integration), RDBMS (any) data and more, with security products layered on top.)
Products:
• Splunk Enterprise Security
• Splunk App for PCI
• Splunk User Behavior Analytics
• Security Apps & Add-ons
Use cases:
• Security & Compliance Reporting
• Monitoring of Known Threats
• Advanced and Unknown Threat Detection
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat
Splunk Enterprise Security
Analytics-driven SIEM
• Identify, Prioritize & Manage Security Events
• Detect, Investigate Threats and Respond
• Streamline Incident Response
• Security Nerve Center
Splunk Enterprise Security: Frameworks
Framework: Detail
• Notable Events: Identify noteworthy incidents from events and then manage their state
• Asset & Identity: Performs asset and identity correlation for fields that might be present in an event
• Threat Intelligence: Consume and manage threat feeds and threat data
• Risk Analysis: Identify actions that raise the risk profile of individuals or assets
• Adaptive Response: Interface for retrieving, sending and running actions by integrating with external applications
Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three Use Cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
SIEM Use Cases, Critical Capabilities* and ES Frameworks
* Gartner Research Document: 2016 Critical Capabilities for SIEM
SIEM Use Cases:
• Basic Security Monitoring
• Advanced Threat Defense
• Forensics and Incident Response
Critical Capabilities:
• Real-Time Monitoring
• User Monitoring
• Incident Response and Management
• Advanced Analytics
• Threat Intelligence & Business Context
• Advanced Threat Defense
• Data and Application Monitoring
• Deployment and Support Flexibility
ES Frameworks:
• Notable Events
• Asset & Identity
• Threat Intelligence
• Risk Analysis
• Adaptive Response
The Frameworks of ES
What is Enterprise Security?
A collection of Frameworks:
• Notable Event
• Asset and Identity
• Risk Analysis
• Threat Intelligence
• Adaptive Response
Notable Events
Where Correlation Searches are Surfaced
Asset and Identity
System Inventory in ES
Risk Analysis
Adds context: risk score displayed in Incident Review
Threat Intelligence
Indicators Everywhere
(Diagram: broad coverage via multiple threat intelligence feeds from various sources.)
Indicator types: Certificates, Domains, Email, File, HTTP, IP addresses, Processes, Registry, Services, Users
Sources: Law Enforcement Feeds, ISAC Feed 1, ISAC Feed 2, Agency Feed 1, Agency Feed 2, Commercial Service 1, Commercial Service 2, Community Feed, Open-Source Feed, Other Enrichment Services
Data formats: STIX, Cybox, OpenIOC, XML, CSV, Formatted text, Unstructured text, Proprietary
Transport / messaging: TAXII, REST, Emails, RSS, Flat file, Proprietary
Transmission type: push, pull, distribute, redistribute, retrieve
Use (task):
• Gather intel on darknets
• Gather intel per industry
• Onboard new intel
• Centralize all intel
• Monitor and triage alerts
• Update ticket status / details
• Auto-search, real time
• Auto-search, historical
• Use for analysis / IR
• Collect / provide forensics
• Use to hunt / uncover
• Use to hunt / link events
• Determine impact on network
• Determine impact on assets
• Determine impact on data
• Share info with partners
It does not have to be this complex
Threat Intelligence Framework, built in to Splunk Enterprise Security:
• Collect, manage (Data Management)
• Categorize (Threat Activity)
• Correlate (Correlation Data / Notable Events)
• Search (Data Search)
Adaptive Response Framework
Correlation Search > AlertSearch > Alert
Meta, bro
Splunk as the Security Nerve Center
(Diagram: Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy and Threat Intel sources all feeding Enterprise Security.)
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout
Demo
Wrap	Up
Operating Model
Canned alerts are 80% effective in the first instance, and always provide value by gathering some additional information.
Splunk Response Process
1. Risk score triggers alert for target.
2. Ops team responds, gathers info, claims notable events and updates them with the info gathered.
3. Ops team creates incidents for automated in-depth malware scans and/or automated forensics, and updates the events.
4. Ops team submits any binary samples from the target to the enterprise AV vendor, requests AC scan & cleanup.
5. Infosec confirms, using Splunk and the data collected by Ops, that the target is clean. If the target is not clean, IS can request a rebuild or access to the target for more forensics.
Notes
1. Integration with ServiceNow is planned
2. Process is Pareto-inspired: 80% of events can be handled by this process, on 80% of the infrastructure (Windows, server/client), and resolved at least 80% effectively in the first instance
3. For events which Ops cannot resolve (no skills, no access) they can always add value by collecting information about the target
Get Started in Minutes – splunk.com
• Free Cloud Trial
• Free Software Download
• Free Enterprise Security Sandbox
Q&A

Webinar: Splunk Enterprise Security Deep Dive: Analytics