3. Agenda
● Threat Landscape & Splunk Overview
● 5 ways to improve your security with Splunk Enterprise Security
● Demo
● Q&A
4. Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements made
in this presentation are being made as of the time and date of its live presentation. If reviewed after its live
presentation, this presentation may not contain current or accurate information. We do not assume any
obligation to update any forward-looking statements we may make. In addition, any information about
our roadmap outlines our general product direction and is subject to change at any time without
notice. It is for informational purposes only and shall not be incorporated into any contract or other
commitment. Splunk undertakes no obligation either to develop the features or functionality described or
to include any such feature or functionality in a future release.
6. Advanced Threats Are Hard to Find
“Another Day, Another Retailer in a Massive Credit Card Breach” – Bloomberg Businessweek, March 2014
“Edward Snowden Tells SXSW He'd Leak Those Secrets Again” – NPR, March 2014
“Banks Seek U.S. Help on Iran Cyber attacks” – Wall Street Journal, Jan 2013
Threat actors: Cyber Criminals / Nation States / Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014/2015
● 100%: valid credentials were used
● 40: average # of systems accessed
● 205: median # of days before detection
● 69%: of victims were notified by an external entity
10. Need Security Intelligence Platform (SIEM + more!)
Real-time machine data sources: cloud apps, servers, email, web, network flows, DHCP/DNS, custom apps, badges, intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication, storage, industrial control, mobile
11. Need Security Intelligence Platform (SIEM + more!)
External lookups / enrichment: threat feeds, asset info, employee info, data stores, network segments
12. Need Security Intelligence Platform (SIEM + more!)
Meets key needs of SOC personnel: Monitor & Alert; Search & Investigate; Custom Dashboards & Reports; Analytics & Visualization
13. Splunk software complements, replaces and goes beyond traditional SIEMs
Analytics-driven security use cases:
● Security & compliance reporting
● Real-time monitoring of known threats
● Monitoring of unknown threats
● Incident investigations & forensics
● Fraud detection
● Insider threat
14. Splunk Security Intelligence Platform
● User Behavior Analytics (UBA)
● Splunk Enterprise Security
● 240+ security apps, including: Palo Alto Networks, NetFlow Logic, FireEye, Blue Coat ProxySG, OSSEC, Cisco Security Suite, Active Directory, F5 Security, Juniper, Sourcefire
16. First Need to Do the “Basic” Steps
Step 1 • Threat modeling
• What are the threats? What are they after? What do they look like?
• What is the specific pattern in machine data?
17. First Need to Do the “Basic” Steps
Step 2 • Collect relevant machine data in one location
• Network, endpoint, authentications, data stores with sensitive data
18. First Need to Do the “Basic” Steps
Step 3 • Enrich with external content (threat intel, HR, asset info)
• Map IPs and user names back to people
• Watch risky personnel more closely: privileged access, recently demoted, etc.
• Watch assets with sensitive data more closely
19. 5 Ways To Improve Your Security Posture
WHAT (numbered) / HOW (bullets)
1 Detect external, advanced threats
• Correlations (A + B + C in certain time period)
• Baseline normal & then spot outliers/abnormalities
• Risk scoring
20. 5 Ways To Improve Your Security Posture
2 Detect insider threats
• Abnormal access to sensitive data and/or data exfiltration
• Terminated employee accounts being used
• Employees on vacation logging into critical systems
21. 5 Ways To Improve Your Security Posture
3 Use free, external threat intel
• 15+ feeds from Emerging Threats, SANS, STIX/TAXII
• Bad IPs, HTTP domains, file hashes, processes, registries, services, X509 certs, users
22. 5 Ways To Improve Your Security Posture
4 Accelerate incident investigations
• Incident Review framework and detail
• Investigation timeline and Investigator Journal
• Asset/Identity Investigators
23. 5 Ways To Improve Your Security Posture
5 Advanced visualizations and analytics
• Anomaly detection
• Extreme Search capability
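As an added example (not from the deck and not Splunk's own software), the Step 3 enrichment and the insider-threat rules above (terminated accounts in use, staff on vacation touching critical systems, non-privileged reads of sensitive data) implemented over constructed key=value events, with each rule's risk points summed per user inside a time window as the "A + B + C in a certain time period" correlation with risk scoring. The users, hosts, IPs, lookup tables, rule names and point values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in key=value form; hosts, users and IPs are made up.
EVENTS = """\
2024-03-04T08:02:11 action=login user=jdoe src=10.1.5.23 dst=vpn01 result=success
2024-03-04T08:05:40 action=file_read user=jdoe src=10.1.5.23 dst=fs-fin01 result=success
2024-03-04T08:07:02 action=login user=msmith src=203.0.113.9 dst=vpn01 result=success
2024-03-04T09:15:30 action=login user=rlee src=10.1.7.44 dst=hr-app01 result=success
2024-03-04T09:16:01 action=file_read user=rlee src=10.1.7.44 dst=fs-fin01 result=success
2024-03-04T09:40:12 action=file_read user=akim src=10.1.9.8 dst=fs-pub01 result=success
""".splitlines()

# Constructed lookups standing in for the HR feed and the asset inventory (CMDB).
HR = {"jdoe": ("active", False), "msmith": ("terminated", True),
      "rlee": ("vacation", False), "akim": ("active", False)}        # (status, privileged)
ASSETS = {"fs-fin01": ("critical", True), "hr-app01": ("critical", True),
          "fs-pub01": ("low", False), "vpn01": ("medium", False)}    # (criticality, sensitive)

KV = re.compile(r"(\w+)=(\S+)")

def parse_and_enrich(line):
    """Parse one event and join it with the HR and asset lookups (Step 3 enrichment)."""
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["_time"] = datetime.fromisoformat(ts)
    ev["status"], ev["privileged"] = HR.get(ev.get("user"), ("unknown", False))
    ev["criticality"], ev["sensitive"] = ASSETS.get(ev.get("dst"), ("unknown", False))
    return ev

# Each rule returns (name, risk points) when it matches; point values are illustrative.
def rule_terminated(ev):
    if ev["status"] == "terminated" and ev.get("result") == "success":
        return ("terminated_account_used", 80)

def rule_vacation_critical(ev):
    if ev["status"] == "vacation" and ev["criticality"] == "critical":
        return ("on_vacation_critical_access", 40)

def rule_sensitive_nonpriv(ev):
    if ev.get("action") == "file_read" and ev["sensitive"] and not ev["privileged"]:
        return ("nonprivileged_sensitive_read", 20)

RULES = (rule_terminated, rule_vacation_critical, rule_sensitive_nonpriv)

def correlate(lines, window=timedelta(hours=1), threshold=50):
    """Score every event, sum a user's risk over any window-long span starting at
    one of their hits, and return {user: (highest windowed score, rules fired)}
    for users whose score reaches the threshold."""
    hits = defaultdict(list)  # user -> [(time, rule name, points)]
    for ev in map(parse_and_enrich, lines):
        for rule in RULES:
            match = rule(ev)
            if match:
                hits[ev["user"]].append((ev["_time"], *match))
    alerts = {}
    for user, h in hits.items():
        h.sort()
        for t0, _, _ in h:
            span = [x for x in h if t0 <= x[0] <= t0 + window]
            score = sum(p for _, _, p in span)
            if score >= threshold and score > alerts.get(user, (0,))[0]:
                alerts[user] = (score, sorted({name for _, name, _ in span}))
    return alerts

if __name__ == "__main__":
    for user, (score, rules) in correlate(EVENTS).items():
        print(f"ALERT user={user} risk={score} rules={rules}")
```

A single low-scoring rule hit (jdoe's one sensitive read) stays below the threshold, while the terminated account and the on-vacation user with several hits inside one window are raised as incidents.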
25. Key Takeaways
● Better detect & defeat cyber threats with Splunk
● Put machine data, threat intel, & advanced analytics to work for you
● Reduce chances of becoming a headline breach
● Automate your work to reduce time-per-incident
26. Next Steps
(Chart: Traditional SIEM vs. Splunk)
• Try Splunk Enterprise Security for free!
  • Splunk.com > Free Splunk > Enterprise Security Sandbox
• Splunk.com > Community > Documentation > Search Tutorial
  • In 30 minutes you will have imported data, run searches and created reports
• Free apps at Splunk.com > Community > Apps & Add-Ons
• For more help
  • Free documentation and free Splunk Answers at Splunk.com > Community
  • Education Services, Professional Services, VARs, MSSPs
  • Contact the sales team at Splunk.com > About Us > Contact Us
The presenter does not talk through this slide and the next one with the audience; instead he says we have slides to help the partner talk to them.
==
The number of threats is increasing, and they are also becoming more advanced. Today's advanced threats are stealthy and sophisticated and evade detection by traditional point security products that look for specific threat signatures. Above are three types of advanced threat. They are good at stealing confidential data, whether credit cards or IP, and many of their victims unfortunately end up in the headlines.
Cyber criminals include the credit card thefts at Target and Neiman Marcus. Nation-state attacks include Iran and China attacking governments and private-sector companies to steal intellectual property and/or national secrets.
FYI, these advanced threats are also commonly called APTs, or Advanced Persistent Threats.
APTs are hard to detect because they are not signature-based and hide behind legitimate credentialed activity to evade detection by traditional point security products. Every year companies like Mandiant produce reports describing the trends identified in the breach investigation work they do as part of their consulting practices. There are a couple of metrics I found interesting when reading their recent reports.
100%: valid credentials are often obtained by stealing password hashes or using keyloggers. Often attackers steal admin-level credentials so they can access many other systems without being detected.
The 40 implies that even if you see malware in one place, you need to look much further, as there are likely multiple infected machines and backdoors.
243 days shows how they can evade detection for months at a time. They move low and slow and do not set off alarms from point, signature-based security products like anti-malware solutions.
63% of victims were notified by an external entity. Notification usually starts with customer complaints, such as a bank account drained or a credit card maxed out. Often the FBI informs them.
Over 2,500 security/compliance customers worldwide. Customers cover all sizes and verticals and are located all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
We need a Security Intelligence platform, which is a SIEM plus more. We will come back to that later. In summary, this platform can automatically sift through hundreds or thousands of daily security-related events to alert on, and assign severity levels to, only the handful of incidents that really matter. For these incidents, the platform then enables SOC analysts to quickly research and remediate them.
This platform can ingest any type of machine data, from any source, in real time. These sources are listed on the left and flow into the platform for indexing. The platform should also be able to leverage lookups and external data to enrich existing data. This is shown at the bottom and includes employee information from AD, asset information from a CMDB, blacklists of bad external IPs from third-party threat intelligence feeds, application lookups, and more. Correlation searches can include this external content. So, for example, the platform can alert you if a low-level employee accesses a file share with critical data, but not if the file share holds harmless data. Or the platform can alert you if a user name belonging to an employee who no longer works for your organization is used. These are especially high-risk events.
A SOC can then perform the use cases on the top right on the data. These use cases cover all the personnel tiers in the SOC, so they can all leverage the platform. They can search through the data, monitor it and be alerted in real time if search parameters are met. This includes cross-data-source correlation rules, which help find the proverbial needle in the haystack so the SOC only needs to focus on the tiny number of priority incidents hidden among a sea of events. The raw data can be aggregated in seconds for custom reports and dashboards. The platform should also be one that developers can build on: it has a well-documented REST API and several SDKs so developers and external applications can directly access and act on the data within it.
One solution, Splunk for Security, but three offerings. At the bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this, as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it.
On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards and searches purpose-built for a specific use case or product. They can be built by Splunk, customers or partners, and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content, do not want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app, with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules and workflow for security use cases. (It does have a cost, though.) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3.
The majority of Splunk security customers use Splunk Enterprise and the free apps. Customers also leverage the API and SDKs that come with Splunk to further extend the platform.
This is step one of the SOC build-out and prioritizes where to get started.
1. Could also include DDoS, protecting an asset or person, etc. Business people will help you decide this, perhaps based on the overall dollar cost a specific threat could inflict on the organization.
2. The “indicators of compromise”.
3. Includes the machine data needed to spot the threat (this drives which data sources to prioritize) and the searches needed to detect it (correlated events, anomaly detection, deviations).
4. This is all the detail on what to do when a specific alert is generated. It will vary based on the threat, but the playbook should have a lot of detail so that when the alert pops up, everyone knows how to deal with it appropriately.
Not shown here, but red team or simulation exercises are helpful to make sure processes work correctly. Red team exercises can also find unknown weaknesses that should be addressed in threat modeling.