Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Webinar: Splunk Enterprise Security Deep Dive: Analytics


Published on

Splunk Enterprise Security (ES) ist ein Analytics-getriebenes SIEM, das Security Operations Teams erfolgreich bei der Gefahrenbekämpfung unterstützt. Aber wussten Sie auch schon, dass es aus einem Framework aufgebaut ist, das ganz individuell genutzt werden kann, um spezifische Sicherheitsanforderungen angehen zu können?

In unserem Webinar zeigen wir Ihnen die technischen Details hinter dem ES-Framework:

- Asset- und Identitäts-Korrelationen
- beachtenswerte Events
- Threat intelligence
- Risikoanalyse
- Investigation und Adaptive Response

Wir werden Alltags-Beispiele besprechen und Ihnen anhand einer Demo die Schlüssel-Frameworks zeigen, die Ihnen dabei helfen werden, Securityprobleme zu lösen.

Published in: Technology

Webinar: Splunk Enterprise Security Deep Dive: Analytics

  1. 1. Copyright © 2016 Splunk Inc. Splunk Enterprise Security Deep Dive
  2. 2. Safe Harbor Statement During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. 2
  3. 3. Speakers 3 Matthias Maier, CISSP + CEH Security Product Marketing Udo Götzen, CISSP Senior Sales Engineer
  4. 4. Computing Security Excellence Awards 4 Splunk: • Best SIEM • Security Vendor of the Year
  5. 5. Splunk – Leader in Cybersecurity 5 Company (NASDAQ: SPLK) • Founded 2004, first software release in 2006 • HQ: San Francisco / Regional HQ: London, Hong Kong • Over 2,500 employees, based in 12 countries Business Model / Products • Free download to massive scale • Splunk Enterprise, Splunk Cloud, Splunk Light • Hunk: Splunk Analytics for Hadoop 12,000+ Customers • Customers in 100 countries • 85 of the Fortune 100 • Largest license: Over 1 Petabytes per day
  6. 6. Analytics-driven Security Risk- Based Context and Intelligence Connecting Data and People 6
  8. 8. Platform for Machine Data Splunk Enterprise Security Analytics-driven SIEM Identify, Prioritize & Manage Security Events Detect, Investigate Threats and Respond Streamline Incident Response Security Nerve Center
  9. 9. Splunk Enterprise Security: Frameworks 9 Framework Detail Notable Events Identify noteworthy incidents from events and then manage state Asset & Identity performs asset and identity correlation for fields that might be present in an event Threat Intelligence Consume and manage threat feeds, data Risk Analysis Identify actions that raise the risk profile of individuals or assets Adaptive Response Interface for retrieving, sending and running actions by integrating with external applications
  10. 10. 10 Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three Use Cases *Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  11. 11. SIEM Use Cases Critical Capabilities* ES Frameworks * Gartner Research Document : 2016 Critical Capabilities for SIEM Basic Security Monitoring Advanced Threat Defense Forensics and Incident Response Real-Time Monitoring User Monitoring Incident Response and Management Advanced Analytics Threat intelligence & Business Context Advanced Threat Defense Data and Application Monitoring Deployment and Support Flexibility Notable Events Asset & Identity Threat Intelligence Risk Analysis Adaptive Response
  12. 12. The Frameworks of ES
  13. 13. What is Enterprise Security? 13 A collection of Frameworks Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response
  14. 14. 14 Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response Notable Event
  15. 15. Notable Events 15 Where Correlation Searches are Surfaced
  16. 16. 16 Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response Asset and Identity
  17. 17. Asset and Identity 17 System Inventory in ES
  18. 18. 18 Enterprise Security Notable Event Asset and Identity Threat Intelligence Threat Intelligence Adaptive Response Risk Analysis
  19. 19. Risk Analysis 19 Adds context… Risk score displayed in Incident Review Risk Score Displayed in Incident Review
  20. 20. 20 Enterprise Security Notable Event Asset and Identity Risk Analysis Risk Analysis Adaptive Response Threat Intelligence
  21. 21. Threat Intelligence 21 Indicators Everywhere
  22. 22. Threat Intelligence 22 Certificates Domains Email File HTTP IP addresses Processes Registry Services Users
  23. 23. Law Enforcement Feeds TAXII Cybox XML distribute OpenIOC Formatted text Emails RSS CSV Flat file push pull redistribute retrieve Broad Coverage via Multiple Threat Intelligence Feeds From Various Sources STIX REST Proprietary Proprietary Unstructured text transmission type transport / messaging Data formats Use (task)ISAC Feed 1 ISAC Feed 2 Agency Feed 1 Agency Feed 2 Commercial Service 2 Commercial Service 1 Community Feed Open- Source Feed Other Enrichment Services Other Enrichment Services Gather intel on darknets Gather intel per industry Onboard new intel Centralize all intel Monitor and triage alerts Update ticket status / details Auto-search, real time Auto-search, historical Use for analysis / IR Collect / provide forensics Use to hunt / uncover Use to hunt / link events Determine impact on network Determine impact on assets Determine impact on data Share info with partners It does not have to be this complex
  24. 24. Collect, manage Categorize Correlate Search Data Management Threat Activity Correlation Data / Notable Events Data Search Threat Intelligence Framework Framework built-in Splunk Enterprise Security
  25. 25. 25 Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response Adaptive Response
  26. 26. Adaptive Response Framework 26 Correlation Search > AlertSearch > Alert Meta, bro
  27. 27. Splunk as the Security Nerve Center Workflow Identity Network Internal Network Security App Endpoints Web Proxy Threat Intel
  28. 28. Insight from Across Ecosystem Effectively leverage security infrastructure to gain a holistic view 1. Palo Alto Networks 2. Anomali 3. Phantom 4. Cisco 5. Fortinet 6. Threat Connect 7. Ziften 8. Acalvio 9. Proofpoint 10. CrowdStrike 11.Symantec (Blue Coat) 12.Qualys 13.Recorded Future 14.Okta 15.DomainTools 16.Cyber Ark 17.Tanium 18.Carbon Black 19.ForeScout Workflow Identity Network Internal Network Security App Endpoints Web Proxy Threat Intel
  29. 29. Enterprise Security 33 Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response
  30. 30. Demo
  31. 31. Wrap Up
  32. 32. Operating Model 36 Canned alerts are 80% effective in the first instance, and always provide value by gathering some additional information
  33. 33. Splunk Response Process 37 Risk score triggers alert for target OPs team responds, gathers info, claims notable events & updates them with info OPs team creates incidents for automated in- depth malware scans an/or automated forensics, updates events OPs team submits any binary samples from target to enterprise AV vendor, requests AC scan & cleanup Infosec confirm using Splunk & data collected by Ops that target is clean. If target is not clean, IS can request rebuild or access to target for more forensics Notes 1. Integration with ServiceNow is planned 2. Process is Pareto-inspired: 80% of events can be handled by this process, on 80% of the infrastructure (Windows, server/client) and resolved at least 80% effective in the first instance 3. For events which OPs cannot resolve (no skills, no access) they can always add value by collecting information about the target
  34. 34. Free Cloud Trial Free Software Download Free Enterprise Security Sandbox Get Started in Minutes – 1 32
  35. 35. Q&A