Copyright © 2015 Splunk Inc.

Best Practices for Incident Investigation
Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Your Webcast Team

Matthias Maier, Senior Sales Engineer, mmaier@splunk.com
Thomas Huber, Major Account Manager, thuber@splunk.com
Agenda

• Splunk Overview
• Best Practices for Scoping Infections & Disrupting Breaches
• Live Demo: Incident Investigation
• Q&A
Make machine data accessible, usable and valuable to everyone.
The Power of Splunk

• Collect data from anywhere
• Search and analyze everything
• Gain real-time operational intelligence
Turning Machine Data Into Business Value

Index untapped data from any source, type and volume: online services, web services, servers, security devices, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; whether on-premises, in a private cloud or in a public cloud.

Ask any question of that data for application delivery; security, compliance and fraud; IT operations; business analytics; industrial data and the Internet of Things.
Why Splunk?

• Fast time-to-value
• One platform, multiple use cases
• Visibility across the stack, not just silos
• Ask any question of the data
• Any data, any source
Phases of Operational Intelligence

From reactive to proactive:

1. Search and investigate (reactive)
2. Proactive monitoring and alerting
3. Operational visibility
4. Real-time business insight (proactive)
Platform for Application Delivery and IT Operations

• Root cause and issue resolution
• Proactive monitoring and real-time alerting
• Deliver better quality code faster
• Cloud app and infrastructure monitoring
• Mobile app troubleshooting
• User & usage analytics
Single Platform for Security Intelligence

• Security & compliance reporting
• Real-time monitoring of known threats
• Detect unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat

Splunk complements, replaces and goes beyond existing SIEMs.
Best Practices for Scoping Infections & Disrupting Breaches
The Ever-changing Threat Landscape

• 67% of victims were notified by an external entity
• 100% of breaches used valid credentials
• 229 days: median number of days before detection

Source: Mandiant M-Trends Reports 2012/2013/2014
Data Sources Required

Four categories of data are required: threat intelligence, network, endpoint, and access/identity. An investigation pivots between them, so at least one source from each category should be searchable in one place. Attackers persist and repeat, so the same sources also have to cover the next pass through the kill chain.

Category            | What it answers                                                                                                                            | Example sources
--------------------|--------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------
Threat Intelligence | Known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution                                                          | 3rd-party threat intel; open-source blacklists; internal threat intelligence
Network             | Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement                                                  | Firewall, IDS, IPS; DNS; email; web proxy; NetFlow; network devices
Endpoint            | Running processes, services, process owner, registry modifications, file-system changes, patch level, network connections by process/service | AV/IPS/FW; malware detection; config management; performance; OS logs; file system
Access/Identity     | Access level, privileged use/escalation, system ownership, business criticality of user/system/service                                      | Directory services; asset management; authentication logs; application services; VPN, SSO
The capabilities required to distinguish an infection from a breach
Capabilities - Scoping Infections and Breach

Capabilities on top of the data: report and analyze; custom dashboards; monitor and alert; ad hoc search.

Context that enriches raw events: threat intelligence; asset & CMDB; employee info; data stores; applications.

Raw events come from online services, web services, security devices, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, call detail records, smartphones and devices; for a security investigation the key ones are firewall, authentication, threat intelligence, servers and endpoint.

The three capabilities this adds up to:

• Analytics
• Context & Intelligence
• Connecting Data and People
Adversary Perspective - Attack Kill Chain

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives

Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Exploitation != Game Over
Kill Chain – Breach Example

• Delivery (MAIL): the attacker creates malware, embeds it in a .pdf and emails it to the target.
• Exploitation: the user reads the email and opens the attachment; the .pdf executes and unpacks the malware.
• Installation: the malware overwrites and runs "allowed" programs (svchost.exe, calc.exe).
• Command and Control (WEB): an http (web) session to the command & control server gives the attacker remote control.
• Actions on Objectives: steal data, persist in the company, rent the machine out as part of a botnet.

Each stage leaves traces in one or more of the four data-source categories: threat intelligence, access/identity, endpoint, network.
Demo – Incident Investigation
Demo Review

• Challenge:
  – Difficult to go from a threat-intel match to root cause
  – Hard to determine whether there was a breach
• Sources
  – Threat intel – open-source threat intel feed
  – Network – web proxy logs, email logs
  – Endpoint – endpoint monitoring agent
  – Access/Identity – asset management database
• Finding the root cause: connecting the dots
  – Match the threat-intel IP to network data to identify the infected machine
  – Identify the malicious process by mapping network data to endpoint data
  – Discover the infected email by matching local file access to email data
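The three pivots of the demo review, and the four data-source categories from the "Data Sources Required" slide, as an added Python example written for this page (not Splunk's code and not from the webinar). In Splunk this would be a chain of searches joined on the destination IP, the host and the file name; the script below does the same joins offline over constructed sample logs. The log formats, hostnames, internal IPs, the C2 address 203.0.113.45, the feed name and timestamps are assumptions; only the file name, the user names and the sender address come from the demo.

```python
"""Pivot from a threat-intel match to the delivery email across four log sources.

Added example, not Splunk's code. All log lines are constructed; hostnames,
internal IPs, the C2 address 203.0.113.45, the feed name and timestamps are
assumptions. The file name, users and sender come from the webinar demo.
"""
import re
from datetime import datetime

# --- constructed sample data -------------------------------------------------
THREAT_INTEL = {"203.0.113.45": "cymru_http"}      # indicator -> feed (assumed)

PROXY_LOG = """\
2014-07-15T09:10:11Z src=10.0.0.25 dst=203.0.113.45 method=POST url=http://203.0.113.45/gate.php status=200 bytes_out=1340
2014-07-15T09:10:15Z src=10.0.0.31 dst=198.51.100.7 method=GET url=http://198.51.100.7/news status=200 bytes_out=210
2014-07-15T09:11:02Z src=10.0.0.25 dst=203.0.113.45 method=POST url=http://203.0.113.45/gate.php status=200 bytes_out=2210
"""

ENDPOINT_LOG = r"""2014-07-15T08:57:30Z host=10.0.0.25 user=chris.gilbert event=file_open process=AcroRd32.exe path=C:\Users\chris.gilbert\Downloads\2nd_qtr_2014_report.pdf
2014-07-15T08:57:41Z host=10.0.0.25 user=chris.gilbert event=process_start process=calc.exe parent=AcroRd32.exe
2014-07-15T09:10:10Z host=10.0.0.25 user=chris.gilbert event=net_connect process=calc.exe dest_ip=203.0.113.45 dest_port=80
2014-07-15T09:10:14Z host=10.0.0.31 user=jane.doe event=net_connect process=chrome.exe dest_ip=198.51.100.7 dest_port=80
"""

EMAIL_LOG = """\
2014-07-15T08:55:41Z sender=jose.dave@butercupgames.com sender_ip=194.151.189.201 recipient=chris.gilbert@buttercupgames.com attachment=2nd_qtr_2014_report.pdf av=passed
2014-07-15T08:56:02Z sender=hr@buttercupgames.com sender_ip=10.0.0.5 recipient=chris.gilbert@buttercupgames.com attachment=benefits.pdf av=passed
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """'timestamp key=value ...' lines -> dicts; values carry no spaces in this format."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["_ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def infected_hosts(proxy_log, intel):
    """Pivot 1: which internal hosts talked to a threat-listed destination?"""
    hits = {}
    for ev in parse(proxy_log):
        if ev["dst"] in intel:
            hits.setdefault(ev["src"], set()).add(ev["dst"])
    return hits


def c2_connections(endpoint_log, host, indicators):
    """Pivot 2: endpoint-agent events where a process on the host connected to an indicator."""
    return [ev for ev in parse(endpoint_log)
            if ev["host"] == host and ev.get("event") == "net_connect"
            and ev["dest_ip"] in indicators]


def delivery_emails(endpoint_log, email_log, host, before=None):
    """Pivot 3: files opened on the host before the first C2 contact, matched to attachments."""
    opened = {ev["path"].rsplit("\\", 1)[-1]
              for ev in parse(endpoint_log)
              if ev["host"] == host and ev.get("event") == "file_open"
              and (before is None or ev["_ts"] < before)}
    return [ev for ev in parse(email_log) if ev["attachment"] in opened]


def investigate(intel=THREAT_INTEL, proxy_log=PROXY_LOG,
                endpoint_log=ENDPOINT_LOG, email_log=EMAIL_LOG):
    """Run the three pivots and return one finding per infected host."""
    findings = []
    for host, iocs in sorted(infected_hosts(proxy_log, intel).items()):
        c2 = c2_connections(endpoint_log, host, iocs)
        # If the agent saw no connection, fall back to all file opens on the host:
        # the proxy alone proves the host is infected but cannot name the process.
        first_c2 = min((ev["_ts"] for ev in c2), default=None)
        mails = delivery_emails(endpoint_log, email_log, host, first_c2)
        findings.append({
            "host": host,
            "indicators": sorted(iocs),
            "processes": sorted({ev["process"] for ev in c2}),
            "delivery": [(m["sender"], m["sender_ip"], m["attachment"], m["av"])
                         for m in mails],
        })
    return findings


if __name__ == "__main__":
    for finding in investigate():
        print(finding)
```

The time bound in the third pivot matters: matching every attachment the user ever received against every file ever opened produces noise, whereas restricting file opens to the minutes before the first C2 contact narrows the candidates to the document that actually carried the payload. The mail-gateway verdict (`av=passed`) is kept in the finding because it answers the demo's last question, whether the message slipped through detection.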
  
Demo – Scoping whether this is a targeted attack
Splunk Investigation Part 2

1. Where did this file come from?
2. This file exists in multiple sources and we have a threat match.
3. IP 54.211.114.134 accessed 2nd_qtr_2014_report.pdf from the buttercupgames.com web portal.

Evidence on the slide: the file 2nd_qtr_2014_report.pdf, the threat_intel_source field (cymru_http), the IP 54.211.114.134 and the web portal.
Splunk Investigation Part 2 (continued)

4. What else did this IP have access to?
5. How did the file end up on Chris Gilbert's computer?
6. Are there other events from the email sender host? (No, but the message slipped through detection.)

Evidence on the slide: 54.211.114.134 ran a brute-force attack against wp-login.php. The malicious email was sent from jose.dave@butercupgames.com (sender IP 194.151.189.201) to chris.gilbert@buttercupgames.com; the mail gateway antivirus passed the message.
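Questions 3, 4 and 6 above over the web portal's access log, as an added Python example written for this page (not Splunk's code and not from the webinar). It flags a source IP that brute-forced wp-login.php and then logged in, lists what that IP fetched afterwards, and checks the log for any events from the mail sender's IP. The Apache combined log format, the timestamps, the decoy client 198.51.100.20 and the upload path are assumptions; the addresses 54.211.114.134 and 194.151.189.201, wp-login.php and the PDF name come from the demo. The success signal is a WordPress behaviour: a failed login returns the form again with status 200, a successful one redirects with 302.

```python
"""Brute force against wp-login.php, then 'what else did this IP access?'.

Added example, not Splunk's code. The log is constructed; the format,
timestamps, the decoy client and the upload path are assumptions. The IPs,
wp-login.php and the PDF name come from the webinar demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _line(ip, ts, method, path, status, size=512):
    """Apache combined-format line builder for the constructed sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "Mozilla/5.0"'


ACCESS_LOG = "\n".join(
    [_line("198.51.100.20", "15/Jul/2014:02:10:00 +0000", "GET", "/index.php", 200),
     _line("198.51.100.20", "15/Jul/2014:02:10:30 +0000", "POST", "/wp-login.php", 200),
     _line("198.51.100.20", "15/Jul/2014:02:10:45 +0000", "POST", "/wp-login.php", 302)]
    + [_line("54.211.114.134", f"15/Jul/2014:02:13:{s:02d} +0000", "POST", "/wp-login.php", 200)
       for s in range(12)]                       # twelve failed logins in twelve seconds
    + [_line("54.211.114.134", "15/Jul/2014:02:13:12 +0000", "POST", "/wp-login.php", 302),
       _line("54.211.114.134", "15/Jul/2014:02:13:13 +0000", "GET", "/wp-admin/", 200),
       _line("54.211.114.134", "15/Jul/2014:02:14:01 +0000", "GET",
             "/wp-content/uploads/2nd_qtr_2014_report.pdf", 200, 88210)]
)

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def parse_access_log(text):
    """Combined-format lines -> dicts with an aware datetime and an int status."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # skip lines in another format rather than fail
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def brute_force_logins(events, threshold=5, window=timedelta(minutes=10)):
    """ip -> {'failures', 'success_at'} for IPs with >= threshold failed wp-login.php
    POSTs (status 200) inside `window`, followed by a 302 (WordPress login success)."""
    posts = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].startswith("/wp-login.php"):
            posts[ev["ip"]].append(ev)
    found = {}
    for ip, evs in posts.items():
        recent = deque()                # failure timestamps inside the sliding window
        for ev in sorted(evs, key=lambda e: e["ts"]):
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if ev["status"] == 200:
                recent.append(ev["ts"])
            elif ev["status"] == 302 and len(recent) >= threshold:
                found[ip] = {"failures": len(recent), "success_at": ev["ts"]}
                break
    return found


def accessed_after(events, ip, since):
    """Resources the IP successfully fetched after `since` (question 4)."""
    return sorted({ev["path"] for ev in events
                   if ev["ip"] == ip and ev["ts"] > since and ev["status"] == 200
                   and not ev["path"].startswith("/wp-login.php")})


def events_from(events, ip):
    """All portal events from an IP, e.g. the mail sender's (question 6)."""
    return [ev for ev in events if ev["ip"] == ip]


def scope_portal(text):
    """Flagged IPs with their failure count, login time and subsequent downloads."""
    events = parse_access_log(text)
    report = {}
    for ip, hit in brute_force_logins(events).items():
        report[ip] = dict(hit, accessed=accessed_after(events, ip, hit["success_at"]))
    return report


if __name__ == "__main__":
    print(scope_portal(ACCESS_LOG))
    print(events_from(parse_access_log(ACCESS_LOG), "194.151.189.201"))
```

The sliding window keeps a slow, spread-out credential-guessing run from being flagged by a single lucky login days later while still catching the burst shown here; tune `threshold` and `window` to the portal's normal failure rate. The empty result for 194.151.189.201 is the answer to question 6: the sender host never touched the portal, so the attacker's portal access and the phishing delivery came from different infrastructure.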
  
Kill Chain Summary

• Reconnaissance: the web portal is compromised (Portal) and the PDF file is stolen (Stolen PDF).
• Exploitation: an email with a malicious attachment is sent (Malicious Email) and a workstation is compromised (Infected Endpoint).
• Act on Intent: data is stolen (Exfil).
Best Practices – Breach Response Posture

• Bring in data from (at minimum, at least one source from each category):
  – Network – next-gen firewall or web proxy, email, DNS
  – Endpoint – Windows logs, registry changes, file changes
  – Threat Intelligence – open source or subscription based
  – Access and Identity – authentication events, machine-user mapping
• Establish a security intelligence platform so analysts can:
  – Contextualize events, analytics and alerts
  – Automate their analysis and exploration
  – Share techniques and results to learn and improve
Infections are unavoidable, but they do not have to turn into data breaches.
Thousands of Global Security Customers
Industry Recognition

2012, 2013

Excerpt from Gartner, Critical Capabilities for SIEM (June 2014), Table 2: Product/Service Rating on Critical Capabilities, as reproduced on the slide (nine vendor columns are legible in the excerpt):

Critical capability             AccelOps  AlienVault  BlackStratus  EventTracker  HP (ArcSight)  IBM Security (QRadar)  LogRhythm  McAfee (ESM)  NetIQ
Real-Time Monitoring              3.50      3.00        3.00          2.9           4.1            4.0                    3.75       3.75          3.90
Threat Intelligence               3.00      3.50        2.50          1.5           4.0            4.0                    3.25       4.00          1.50
Behavior Profiling                2.50      3.50        2.50          2.8           4.0            4.5                    3.38       3.50          3.25
Data and User Monitoring          2.97      2.43        2.16          3.2           4.2            3.8                    3.41       4.44          3.56
Application Monitoring            2.90      3.65        2.90          3.2           4.5            4.3                    4.10       4.20          3.40
Analytics                         2.44      3.19        2.94          2.9           3.8            3.7                    3.30       3.59          2.44
Log Management and Reporting      2.75      3.00        2.50          3.4           4.0            3.8                    3.75       3.25          3.63
Deployment/Support Simplicity     3.50      4.00        3.00          4.3           3.7            4.3                    4.25       4.00          3.50

Source: Gartner (June 2014)
Thriving Community

• Dev.splunk.com
• 40,000+ questions and answers
• 600+ apps
• Local user groups and SplunkLive! events
Next Steps

• Info, case study, analyst report at: Splunk.com > Solutions > Security & Fraud
• Try Splunk Enterprise for free!
  – Download Splunk software at http://www.splunk.com/download
  – Go to Splunk.com > Community > Documentation > Search Tutorial
  – In 30 minutes, you will have imported data, run searches, created reports
  – Free apps at Splunk.com > Community > Apps
• Contact the sales team at Splunk.com > About Us > Contact
Tech Brief – Advanced Threat Detection and Response

http://www.splunk.com/web_assets/pdfs/secure/Splunk_for_APT_Tech_Brief.pdf
Contact us / Q&A

Webinar survey: www.surveymonkey.com/s/DACH_Webinare

Matthias Maier, Senior Sales Engineer, matthias@splunk.com
Thomas Huber, Major Account Manager, thuber@splunk.com
Thank You!!!

Matthias@splunk.com

SplunkLive Wellington 2015 - Operational IntelligenceSplunkLive Wellington 2015 - Operational Intelligence
SplunkLive Wellington 2015 - Operational Intelligence
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
 
Virtual SplunkLive! for Higher Education Overview/Customers
Virtual SplunkLive! for Higher Education Overview/CustomersVirtual SplunkLive! for Higher Education Overview/Customers
Virtual SplunkLive! for Higher Education Overview/Customers
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 

More from Georg Knon

Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...
Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...
Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...Georg Knon
 
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...Georg Knon
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomGeorg Knon
 
SplunkLive! Zürich 2016 - Use Case Helvetia
SplunkLive! Zürich 2016 - Use Case HelvetiaSplunkLive! Zürich 2016 - Use Case Helvetia
SplunkLive! Zürich 2016 - Use Case HelvetiaGeorg Knon
 
SplunkLive! Zürich 2016 - Use Case Adcubum
SplunkLive! Zürich 2016 - Use Case AdcubumSplunkLive! Zürich 2016 - Use Case Adcubum
SplunkLive! Zürich 2016 - Use Case AdcubumGeorg Knon
 
Splunk Webinar: Splunk für Application Management
Splunk Webinar: Splunk für Application ManagementSplunk Webinar: Splunk für Application Management
Splunk Webinar: Splunk für Application ManagementGeorg Knon
 
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...Georg Knon
 
Splunk Webinar: Verwandeln Sie Datensilos in Operational Intelligence
Splunk Webinar: Verwandeln Sie Datensilos in Operational IntelligenceSplunk Webinar: Verwandeln Sie Datensilos in Operational Intelligence
Splunk Webinar: Verwandeln Sie Datensilos in Operational IntelligenceGeorg Knon
 
5 Möglichkeiten zur Verbesserung Ihrer Security
5 Möglichkeiten zur Verbesserung Ihrer Security5 Möglichkeiten zur Verbesserung Ihrer Security
5 Möglichkeiten zur Verbesserung Ihrer SecurityGeorg Knon
 
Data models pivot with splunk break out session
Data models pivot with splunk break out sessionData models pivot with splunk break out session
Data models pivot with splunk break out sessionGeorg Knon
 
Splunk IT Service Intelligence
Splunk IT Service IntelligenceSplunk IT Service Intelligence
Splunk IT Service IntelligenceGeorg Knon
 
Splunk Internet of Things Roundtable 2015
Splunk Internet of Things Roundtable 2015Splunk Internet of Things Roundtable 2015
Splunk Internet of Things Roundtable 2015Georg Knon
 
Webinar splunk cloud saa s plattform für operational intelligence
Webinar splunk cloud   saa s plattform für operational intelligenceWebinar splunk cloud   saa s plattform für operational intelligence
Webinar splunk cloud saa s plattform für operational intelligenceGeorg Knon
 
Splunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit InformationenSplunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit InformationenGeorg Knon
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrGeorg Knon
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit  Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit  Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysGeorg Knon
 
Splunk und das Triage Tool THOR
Splunk und das Triage Tool THORSplunk und das Triage Tool THOR
Splunk und das Triage Tool THORGeorg Knon
 
Splunk live! roma 2015 HBG Gaming presentation
Splunk live! roma 2015  HBG Gaming presentationSplunk live! roma 2015  HBG Gaming presentation
Splunk live! roma 2015 HBG Gaming presentationGeorg Knon
 
Splunk live! milan 2015 Cerved presentation
Splunk live! milan 2015  Cerved presentationSplunk live! milan 2015  Cerved presentation
Splunk live! milan 2015 Cerved presentationGeorg Knon
 
Splunk live! Italy 2015
Splunk live! Italy 2015Splunk live! Italy 2015
Splunk live! Italy 2015Georg Knon
 

More from Georg Knon (20)

Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...
Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...
Splunk Webinar: Verwandeln Sie Daten in wertvolle Erkenntnisse - Machine Lear...
 
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...
Splunk Webinar: Mit Splunk SPL Maschinendaten durchsuchen, transformieren und...
 
SplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case SwisscomSplunkLive! Zürich 2016 - Use Case Swisscom
SplunkLive! Zürich 2016 - Use Case Swisscom
 
SplunkLive! Zürich 2016 - Use Case Helvetia
SplunkLive! Zürich 2016 - Use Case HelvetiaSplunkLive! Zürich 2016 - Use Case Helvetia
SplunkLive! Zürich 2016 - Use Case Helvetia
 
SplunkLive! Zürich 2016 - Use Case Adcubum
SplunkLive! Zürich 2016 - Use Case AdcubumSplunkLive! Zürich 2016 - Use Case Adcubum
SplunkLive! Zürich 2016 - Use Case Adcubum
 
Splunk Webinar: Splunk für Application Management
Splunk Webinar: Splunk für Application ManagementSplunk Webinar: Splunk für Application Management
Splunk Webinar: Splunk für Application Management
 
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...
Webinar Big Data zur Echtzeit-Betrugserkennung im eBanking nutzen mit Splunk ...
 
Splunk Webinar: Verwandeln Sie Datensilos in Operational Intelligence
Splunk Webinar: Verwandeln Sie Datensilos in Operational IntelligenceSplunk Webinar: Verwandeln Sie Datensilos in Operational Intelligence
Splunk Webinar: Verwandeln Sie Datensilos in Operational Intelligence
 
5 Möglichkeiten zur Verbesserung Ihrer Security
5 Möglichkeiten zur Verbesserung Ihrer Security5 Möglichkeiten zur Verbesserung Ihrer Security
5 Möglichkeiten zur Verbesserung Ihrer Security
 
Data models pivot with splunk break out session
Data models pivot with splunk break out sessionData models pivot with splunk break out session
Data models pivot with splunk break out session
 
Splunk IT Service Intelligence
Splunk IT Service IntelligenceSplunk IT Service Intelligence
Splunk IT Service Intelligence
 
Splunk Internet of Things Roundtable 2015
Splunk Internet of Things Roundtable 2015Splunk Internet of Things Roundtable 2015
Splunk Internet of Things Roundtable 2015
 
Webinar splunk cloud saa s plattform für operational intelligence
Webinar splunk cloud   saa s plattform für operational intelligenceWebinar splunk cloud   saa s plattform für operational intelligence
Webinar splunk cloud saa s plattform für operational intelligence
 
Splunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit InformationenSplunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit Informationen
 
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren NetzwerkverkehrSplunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit  Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit  Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
 
Splunk und das Triage Tool THOR
Splunk und das Triage Tool THORSplunk und das Triage Tool THOR
Splunk und das Triage Tool THOR
 
Splunk live! roma 2015 HBG Gaming presentation
Splunk live! roma 2015  HBG Gaming presentationSplunk live! roma 2015  HBG Gaming presentation
Splunk live! roma 2015 HBG Gaming presentation
 
Splunk live! milan 2015 Cerved presentation
Splunk live! milan 2015  Cerved presentationSplunk live! milan 2015  Cerved presentation
Splunk live! milan 2015 Cerved presentation
 
Splunk live! Italy 2015
Splunk live! Italy 2015Splunk live! Italy 2015
Splunk live! Italy 2015
 

Recently uploaded

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 

Recently uploaded (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 

Splunk Webinar Best Practices für Incident Investigation

  • 1. Copyright © 2015 Splunk Inc. Best Practices für Incident Investigation
  • 3. Your Webcast Team
      Matthias Maier, Senior Sales Engineer, mmaier@splunk.com
      Thomas Huber, Major Account Manager, thuber@splunk.com
  • 4. Agenda
      ! Splunk Overview
      ! Best Practices for Scoping Infections & Disrupting Breaches
      ! Live Demo: Incident Investigation
      ! Q&A
  • 5. Make machine data accessible, usable and valuable to everyone.
  • 6. The Power of Splunk
      COLLECT DATA FROM ANYWHERE
      SEARCH AND ANALYZE EVERYTHING
      GAIN REAL-TIME OPERATIONAL INTELLIGENCE
  • 7. Turning Machine Data Into Business Value
      Index Untapped Data: Any Source, Type, Volume
      Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
      On-Premises, Private Cloud, Public Cloud
      Ask Any Question: Application Delivery; Security, Compliance, and Fraud; IT Operations; Business Analytics; Industrial Data and the Internet of Things
  • 8. Why Splunk?
      FAST TIME-TO-VALUE
      ONE PLATFORM, MULTIPLE USE CASES
      VISIBILITY ACROSS STACK, NOT JUST SILOS
      ASK ANY QUESTION OF DATA
      ANY DATA, ANY SOURCE
  • 9. Phases of Operational Intelligence
      Reactive: Search and Investigate
      Proactive Monitoring and Alerting
      Operational Visibility
      Proactive: Real-time Business Insight
  • 10. Platform for Application Delivery and IT Operations
      ROOT CAUSE AND ISSUE RESOLUTION
      PROACTIVE MONITORING AND REAL-TIME ALERTING
      DELIVER BETTER QUALITY CODE FASTER
      CLOUD APP AND INFRASTRUCTURE MONITORING
      MOBILE APP TROUBLESHOOTING
      USER & USAGE ANALYTICS
  • 11. Single Platform for Security Intelligence
      SECURITY & COMPLIANCE REPORTING
      REAL-TIME MONITORING OF KNOWN THREATS
      DETECT UNKNOWN THREATS
      INCIDENT INVESTIGATIONS & FORENSICS
      FRAUD DETECTION
      INSIDER THREAT
      Splunk Complements, Replaces and Goes Beyond Existing SIEMs
  • 12. Single Platform for Security Intelligence (same content as slide 11)
  • 13. Best Practices for Scoping Infections & Disrupting Breaches
  • 14. The Ever-changing Threat Landscape
      67%: Victims notified by external entity
      100%: Valid credentials were used
      229: Median # of days before detection
      Source: Mandiant M-Trends Report 2012/2013/2014
  • 15. Data Sources Required
      Threat Intelligence, Network, Endpoint, Access/Identity
  • 16. Data Sources Required (Persist, Repeat)
      Threat intelligence: Known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
          • 3rd party Threat Intel
          • Open source blacklist
          • Internal threat intelligence
      Network: Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement
          • Firewall, IDS, IPS
          • DNS
          • Email
          • Web Proxy
          • NetFlow
          • Network
      Endpoint: Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service
          • AV/IPS/FW
          • Malware detection
          • Config Management
          • Performance
          • OS logs
          • File System
      Access/Identity: Access level, privileged use/escalation, system ownership, user/system/service business criticality
          • Directory Services
          • Asset Mgmt
          • Authentication Logs
          • Application Services
          • VPN, SSO
  • 17. The capabilities required to distinguish an infection from a breach
  • 18. Capabilities - Scoping Infections and Breach
      Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search
      Context: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications
      Raw Events: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
  • 19. Capabilities - Scoping Infections and Breach
      Analytics
      Context & Intelligence
      Connecting Data and People
  • 20. Adversary Perspective - Attack Kill Chain
      Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), Actions on Objectives
      http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  • 21. Exploitation != GameOver
  • 22. Kill Chain – Breach Example
      Delivery (MAIL): Attacker creates malware, embeds it in a .pdf, emails it to the target. Target reads the email and opens the attachment.
      Exploitation: The .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
      Installation
      C2 (WEB): http (web) session to command & control server; Remote control
      Actions on Objectives: Steal data; Persist in company; Rent as botnet
      Data sources along the chain: Threat intelligence, Access/Identity, Endpoint, Network
  • 23. Demo – Incident Investigation
  • 24. Demo Review
      ! Challenge:
        – Difficult to go from threat-intel match to root cause
        – Hard to determine – was there a breach?
      ! Sources
        – Threat Intel – open source threat intel feed
        – Network – web proxy logs, email logs
        – Endpoint – endpoint monitoring agent
        – Access/Identity – asset management database
      ! Finding the root cause: connecting the dots
        – Match the threat-intel IP to network data to identify the infected machine
        – Identify the malicious process by mapping network data to endpoint data
        – Discover the infected email by matching local file access to email data
  • 25. Demo – Scoping if targeted Attack
  • 26. Splunk Investigation Part 2
      1. Where did this file come from?
      2. This file exists in multiple sources and we have a threat match.
      3. IP 54.211.114.134 accessed 2nd_qtr_2014_report.pdf from the buttercupgames.com web portal
      (diagram: cymru_http; * 2nd_qtr_2014_report.pdf; threat_intel_source; 54.211.114.134; Web Portal)
  • 27. Splunk Investigation Part 2
      4. What else did this IP have access to?
      5. How did the file end up on Chris Gilbert's computer?
      6. Are there other events from the email sender host? (No, but the message slipped through detection.)
      (diagram: 54.211.114.134 → wp-login.php: Brute force attack; jose.dave@butercupgames.com 194.151.189.201 → chris.gilbert@buttercupgames.com 194.151.189.201; Mail Gateway → Antivirus → Passed Message)
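The pivot chain from the Demo Review slide (threat-intel IP to network data, to the endpoint process, to the file it came from, to the email that delivered it) and the portal scoping of Investigation Part 2, as an added Python example that is not part of the webinar or Splunk's own code. The attacker IP, the PDF name, the wp-login.php path and the mail addresses come from the slides; every log record is constructed, and the host names, PIDs, timestamps and other IPs are assumptions.

```python
"""Connecting the dots from a threat-intel match to root cause (Demo Review
slide), then scoping what else the attacker IP did (Investigation Part 2).

Every record here is constructed sample data, not output of the webinar demo.
The attacker IP, file name, wp-login.php path and mail addresses come from
the slides; host names, PIDs, timestamps and the other IPs are assumptions."""
from collections import namedtuple
from ntpath import basename          # handles the Windows paths in endpoint events

Mail = namedtuple("Mail", "time sender sender_ip recipient attachment av_verdict")

ATTACKER_IP = "54.211.114.134"                  # from the slides
THREAT_INTEL = {ATTACKER_IP, "203.0.113.77"}    # constructed feed (second entry is filler)

# Web proxy: (time, src_host, dest_ip, url)
PROXY = [
    ("2015-03-10T09:02:11", "WS-CGILBERT", "93.184.216.34", "http://example.com/"),
    ("2015-03-10T09:05:42", "WS-CGILBERT", ATTACKER_IP, "http://%s/gate.php" % ATTACKER_IP),
    ("2015-03-10T09:06:01", "WS-JDOE", "93.184.216.34", "http://example.com/"),
]
# Endpoint agent, network connections by process: (time, host, process, pid, dest_ip)
ENDPOINT_NET = [
    ("2015-03-10T09:05:41", "WS-CGILBERT", "calc.exe", 4120, ATTACKER_IP),
    ("2015-03-10T09:05:50", "WS-CGILBERT", "chrome.exe", 2200, "93.184.216.34"),
]
# Endpoint agent, file system activity: (time, host, pid, process, path)
ENDPOINT_FILE = [
    ("2015-03-10T09:04:58", "WS-CGILBERT", 3316, "AcroRd32.exe",
     r"C:\Users\cgilbert\Downloads\2nd_qtr_2014_report.pdf"),
    ("2015-03-10T09:05:30", "WS-CGILBERT", 3316, "AcroRd32.exe",
     r"C:\Windows\System32\calc.exe"),       # an "allowed" program is overwritten
]
# Mail gateway records with the antivirus verdict (sender domain as written on the slide)
MAIL = [
    Mail("2015-03-10T08:57:20", "jose.dave@butercupgames.com", "194.151.189.201",
         "chris.gilbert@buttercupgames.com", "2nd_qtr_2014_report.pdf", "passed"),
    Mail("2015-03-10T08:30:00", "hr@buttercupgames.com", "10.1.1.25",
         "chris.gilbert@buttercupgames.com", "payslip.pdf", "passed"),
]
# Web portal access log: (time, src_ip, path, status); 16 failed logins, then a success
PORTAL = [("2015-03-08T22:%02d:00" % m, ATTACKER_IP, "/wp-login.php", 401)
          for m in range(14, 30)] + [
    ("2015-03-08T22:30:05", ATTACKER_IP, "/wp-login.php", 200),
    ("2015-03-08T22:31:10", ATTACKER_IP, "/files/2nd_qtr_2014_report.pdf", 200),
    ("2015-03-08T22:40:00", "198.51.100.9", "/index.php", 200),
]

def threat_intel_hits(proxy, intel):
    """Step 1: proxy destinations on the intel list identify the infected hosts."""
    return sorted({(host, ip) for _, host, ip, _ in proxy if ip in intel})

def processes_talking_to(endpoint_net, host, ip):
    """Step 2: map the network hit to the process that made the connection."""
    return [(proc, pid) for _, h, proc, pid, dst in endpoint_net if h == host and dst == ip]

def writers_of(endpoint_file, host, exe_name):
    """Step 3a: which process wrote the malicious binary to disk."""
    return [(proc, pid) for _, h, pid, proc, path in endpoint_file
            if h == host and basename(path).lower() == exe_name.lower()]

def documents_opened_by(endpoint_file, host, pid):
    """Step 3b: non-executable files that process touched (the dropper document)."""
    return [path for _, h, p, _, path in endpoint_file
            if h == host and p == pid and not path.lower().endswith(".exe")]

def mail_delivering(mail, attachment):
    """Step 4: mail-gateway records that carried the attachment in."""
    return [m for m in mail if m.attachment.lower() == attachment.lower()]

def root_cause(intel=THREAT_INTEL, proxy=PROXY, net=ENDPOINT_NET,
               files=ENDPOINT_FILE, mail=MAIL):
    """Run the whole pivot chain; an empty list means it broke at some step."""
    findings = []
    for host, ip in threat_intel_hits(proxy, intel):
        for proc, _ in processes_talking_to(net, host, ip):
            for _, wpid in writers_of(files, host, proc):
                for doc in documents_opened_by(files, host, wpid):
                    for m in mail_delivering(mail, basename(doc)):
                        findings.append({"host": host, "c2_ip": ip, "process": proc,
                                         "dropper_doc": doc, "sender": m.sender,
                                         "sender_ip": m.sender_ip, "av_verdict": m.av_verdict})
    return findings

def scope_ip(ip, portal=PORTAL, login_path="/wp-login.php"):
    """Investigation Part 2: what else did the attacker IP do on the web portal?"""
    rows = [r for r in portal if r[1] == ip]
    return {
        "failed_logins": sum(1 for r in rows if r[2] == login_path and r[3] == 401),
        "login_succeeded": any(r[2] == login_path and r[3] == 200 for r in rows),
        "downloaded": [r[2] for r in rows if r[3] == 200 and r[2] != login_path],
    }

if __name__ == "__main__":
    for f in root_cause():
        print("%(host)s: %(process)s -> %(c2_ip)s, dropped by %(dropper_doc)s, mailed from "
              "%(sender)s (%(sender_ip)s), AV verdict: %(av_verdict)s" % f)
    print("portal activity of %s: %s" % (ATTACKER_IP, scope_ip(ATTACKER_IP)))
```

Each step is deliberately a separate join so that a broken link (no endpoint agent on the host, no mail record for the attachment) shows up as an empty result at that step rather than a silent guess.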
  • 28. Copyright  ©  2015  Splunk  Inc.     Exploita=on               Act  on  Intent       Erkundung             Web  Portal  is  Compromised   PDF  file  is  stolen   An  email  with  a  malicious  amachment  is  sent   A  worksta=on  is  compromised   Data  is  stolen   Stolen  PDF   Portal   Malicious     Email   Infected   Endpoint   Exfil   Kill  Chain  Summary  
• 29. Best Practices – Breach Response Posture
! Bring in data from each category (at minimum one source per category):
– Network – next-gen firewall or web proxy, email, DNS
– Endpoint – Windows logs, registry changes, file changes
– Threat Intelligence – open source or subscription based
– Access and Identity – authentication events, machine-to-user mapping
! Establish a security intelligence platform so analysts can:
– Contextualize events, analytics and alerts
– Automate their analysis and exploration
– Share techniques and results to learn and improve
• 30. Infections are inevitable, but data breaches do not have to happen
• 31. Thousands of Global Security Customers
• 32. Industry Recognition
[Image: year badges 2012 and 2013; excerpt of Gartner "Table 2. Product/Service Rating on Critical Capabilities" (Source: Gartner, June 2014), rating nine SIEM products on eight capabilities]
• 33. Thriving Community
– Dev.splunk.com
– 40,000+ questions and answers
– 600+ apps
– Local user groups and SplunkLive! events
• 34. Next Steps
• Info, case study, analyst report at:
Ø Splunk.com > Solutions > Security & Fraud
• Try Splunk Enterprise for free!
Ø Download Splunk software at http://www.splunk.com/download
Ø Go to Splunk.com > Community > Documentation > Search Tutorial
Ø In 30 minutes, you will have imported data, run searches, created reports
Ø Free apps at Splunk.com > Community > Apps
• Contact the sales team at Splunk.com > About Us > Contact
• 35. Tech Brief – Advanced Threat Detection and Response
! http://www.splunk.com/web_assets/pdfs/secure/Splunk_for_APT_Tech_Brief.pdf
• 36. Contact us / Q&A
www.surveymonkey.com/s/DACH_Webinare
Matthias Maier, Senior Sales Engineer, matthias@splunk.com
Thomas Huber, Major Account Manager, thuber@splunk.com
• 37. Thank You!!!
Matthias@splunk.com