SSE Overview Deck - Swedish User Group.pdf
© 2022 SPLUNK INC.
Splunk Security Essentials
Johan Bjerke, Principal Security Strategist | SURGe

Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.

Agenda
1. What is Splunk Security Essentials (SSE)
2. Finding Content
3. How do you deploy Content?
4. Dashboarding and Reporting

What Is SSE?

Widely Deployed Today
120k: Over 12,000 downloads
14k: Over 14,000 reporting installs
40: 40 releases
4: Essentials has been around for four years
Proven and Stable

Four Pillars
Finding Content
Learning Splunk Security
Improve Production
Measure Your Success
Four ways in which SSE has delivered value to users

Finding Content
© 2019 SPLUNK INC.
Security Content Library
Browse, bookmark, and deploy 900+ security detections and analytic stories
● Repository of Security Content for Splunk Cloud, Enterprise Security, UEBA, and Phantom
● Deploy security content within clicks
● Enrich notable events and run analytics with context from content library
● Stay up to date on existing and emerging threats

How do you deploy content?
● Showcase page with all details for content
● List and configure all prerequisites
● Run search
● Schedule content

Dashboarding and Reporting

MITRE ATT&CK Throughout App
Enrich Enterprise Security: ATT&CK descriptions in Incident Review and risk framework
MITRE Threat Groups: view which detections handle techniques used by which Threat Groups, w/ MITRE's evidence
MITRE-based Content Advice: content recommendations tied to techniques popular amongst many threat groups
Analyze ES Risk w/ ATT&CK: drilldown to a customized ATT&CK Matrix, correlate risky events across Tactics, Techniques
View Your ATT&CK Coverage: ATT&CK Matrix highlighting gaps and showing content you can enable for free with existing data
Utilization Made Easier

MITRE ATT&CK Matrix
See what techniques you have or don't have coverage for. Drill-down to see those detections.
Annotate with threat groups that target you, or filter for techniques popular with many groups.
Considering a new data source? Highlight the techniques it supports.

Automatic Dashboards
Alternative to Alerts
Driven by what data is in your environment, and follows all of Splunk's dashboard technical best practices

Monitor Data Ingest
Understand Lag, and Impacted Detections
Powered by Splunk's Machine Learning Toolkit

Track CIM Compliance
Ensure Data Formatting
SSE will analyze the most important CIM fields and evaluate whether your data matches.

How do you report enhancements or bugs?
Feedback
● If you are a customer, file a support ticket to get help: https://www.splunk.com/support
● If you want to report enhancements, use https://ideas.splunk.com/
● Use the public Slack workspace, https://splunk-usergroups.slack.com/archives/C1S5BEF38

What’s New by version

What’s new in 3.3
● New showcase template for content coming from Security Content API (ESCU)
● Custom bookmark status support
● Official documentation site on docs.splunk.com launched
● Added Zero Trust as a category
● Search multiple MITRE ATT&CK techniques on the Security Content page
● The ES Use Case Library is now populated and maintained by the app.
● Now a fully supported app!
Full release notes

What’s new in 3.3: Security Content fully represented in SSE
Easy to operationalize. New fields from API included.

What’s new in 3.3: Custom status for Bookmarks; Official Docs site on Splunk.com

What’s new in 3.3: Zero Trust as category; Search multiple MITRE ATT&CK techniques on the Security Content page

What’s new in 3.3: The ES Use Case Library is now populated and maintained by SSE

What’s new in 3.3: Now fully supported!

What’s new in 3.2
● MITRE ATT&CK Sub-Techniques fully supported for the content and the Analytics Advisor
● ATT&CK Software object added to Analytics Advisor and Security Content
● Support for Annotations framework in ES 6.3+
● Security Content from the Splunk Research team (i.e. ESCU) is automatically downloaded into SSE using the Splunk Security Content API. SSE will automatically be up to date with the latest content.
● NIST/CIS mapping support for the detections
● Major UI improvements for mapping Content in SSE to local correlation searches

What’s new in 3.2: MITRE ATT&CK Sub-Techniques
ATT&CK Matrix | Security Content
All content has been re-mapped to the new Sub-Technique IDs.
Sub-Techniques provide a more granular link between a detection a

MITRE ATT&CK Sub-Techniques: Why is this important?
● Sub-Techniques make the ATT&CK Framework more closely linked to the methods and procedures that attackers will actually perform.
● You can better create detections that map to a specific Sub-Technique.
● Detection coverage (like the ATT&CK Matrix in SSE) should in theory become more honest about the current coverage state.

Support for MITRE ATT&CK Software
ATT&CK Matrix | Security Content
Available in SSE 3.2.2
Filter content list directly in Security Content
Allows you to do Threat Modelling for things like ransomware and hacker tools

Support for ES Annotations
ES Correlation Search Page | Attached to ES Risk Objects
Available in ES 6.3+
The annotations are stored in action.correlationsearch.annotations in JSON format in the savedsearches.conf file.
Enrichment data will be added to the Annotations Framework when scheduling a search through SSE.
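Reading those annotations back out of savedsearches.conf shows what the ATT&CK Matrix coverage view and the sub-technique remapping described earlier rest on. This is an added example, not code from the deck or from SSE: it parses a constructed savedsearches.conf excerpt (stanza names, searches and technique IDs are hypothetical; the key names disabled, action.correlationsearch.enabled and action.correlationsearch.annotations are the real ES ones), keeps only enabled correlation searches, flags an annotation whose JSON does not parse, and reports which techniques are covered directly, which parent techniques are covered only through a sub-technique, and which techniques on a constructed watch list have no detection at all.

```python
import configparser
import json
from collections import defaultdict

# Constructed savedsearches.conf excerpt. Stanza names, searches and technique
# IDs are hypothetical; "disabled", "action.correlationsearch.enabled" and
# "action.correlationsearch.annotations" are the real ES key names.
SAMPLE_CONF = """
[ESCU - Suspicious PowerShell Encoded Command - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process="*-enc*" by Processes.dest
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1059.001"], "nist": ["DE.CM"], "cis20": ["CIS 8"]}

[ESCU - Scheduled Task Created - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name="schtasks.exe" by Processes.dest
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1053.005", "T1053"], "kill_chain_phases": ["Installation"]}

[ESCU - Disabled Legacy Detection - Rule]
search = index=main sourcetype=legacy_edr
disabled = 1
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1003.001"]}

[ESCU - Broken Annotation - Rule]
search = index=main sourcetype=mail
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1566.001"
"""


def load_annotations(conf_text):
    """Return ({stanza: annotations}, [stanzas whose JSON does not parse]).

    Only enabled, non-disabled correlation searches count: a disabled search
    gives no live coverage however well it is tagged."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    live, broken = {}, []
    for stanza in cp.sections():
        sec = cp[stanza]
        if sec.get("action.correlationsearch.enabled", "0") != "1":
            continue
        if sec.get("disabled", "0") == "1":
            continue
        raw = sec.get("action.correlationsearch.annotations", "{}")
        try:
            live[stanza] = json.loads(raw)
        except json.JSONDecodeError:
            broken.append(stanza)  # malformed annotation: report, don't guess
    return live, broken


def attack_coverage(annotations):
    """Technique ID -> sorted detections, split into direct hits and parents
    reached only through a sub-technique, so a T1059.001 detection does not
    silently read as full coverage of T1059."""
    direct, rolled = defaultdict(set), defaultdict(set)
    for stanza, ann in annotations.items():
        for tid in ann.get("mitre_attack", []):
            direct[tid].add(stanza)
            if "." in tid:
                rolled[tid.split(".")[0]].add(stanza)
    return {
        "direct": {t: sorted(s) for t, s in direct.items()},
        "via_subtechnique": {t: sorted(s) for t, s in rolled.items()
                             if t not in direct},
    }


def coverage_gaps(coverage, techniques):
    """Techniques from a watch list (e.g. a threat group's known techniques)
    with no enabled detection at either level."""
    covered = set(coverage["direct"]) | set(coverage["via_subtechnique"])
    return sorted(t for t in techniques if t not in covered)


if __name__ == "__main__":
    live, broken = load_annotations(SAMPLE_CONF)
    cov = attack_coverage(live)
    print("direct:", cov["direct"])
    print("parent via sub-technique only:", cov["via_subtechnique"])
    print("unparseable annotations:", broken)
    # Constructed watch list standing in for a threat group's technique set.
    print("gaps:", coverage_gaps(cov, ["T1059", "T1003", "T1566.001", "T1053"]))
```

Run against a real savedsearches.conf (for example one exported from the ES app's local directory), the same three functions give the enabled-only coverage that the matrix should reflect, with broken annotations surfaced rather than silently dropped.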

Automatic Content Updates
Update Notification | Content Updated
Using the Splunk Security Content API. No need to update any apps to have the latest detections.

NIST and CIS Mapping
Better Industry Framework support. Available on Content and Showcase Pages.

Improvements to Content Mapping: Showcase page
Supports 1-Many Links / Supports 1-Many Mappings
Manage mappings directly on showcase page.
Link multiple saved searches to one content card.

Improvements to Content Mapping: Create Custom Content from saved search
Content Mapping made more robust and supporting more scenarios
Use saved search as a template for new content in SSE.
This will ensure notable event enrichment works on more scenarios.
More robust enrichment lookup behavior

Improvements to Content Mapping: Why is this Important?
Showcase page | Incident Review
Provides enrichment fields for Notable and Risk Events which are displayed on the ES Incident Review page.
Content Mappings are the link between the SSE repository and what is actually running in production.

Minor 3.1 Content Improvements
● Added MITRE ATT&CK Platform (Cloud, SaaS etc.) to the Content and the MITRE Matrix dashboard
● Word export improved
● Major UI improvement for mapping Content in SSE to local correlation searches
● Many small UI improvements

Splunk Security Essentials 3.0
The Splunk app that makes security easier
● Understands your data and your enabled content to make recommendations on what to deploy next.
● Helps you learn Splunk, learn security, and learn how most people start using Splunk for security.
● Improves your production deployments with MITRE ATT&CK and other tools.
● Documents and shows off your successes

Appendix

Connecting Products to Data to Detections (architecture diagram; labels recovered below)
Data Source Categories (e.g., App-Aware FW)
Sources / Sourcetypes / Indexes: Event Volume, Avg Event Size, # of Hosts, CIM Compliance, Ingest Latency
Logical Products (e.g., PAN FW): Description, Coverage Level, (Configurable Metadata)
Content: MITRE ATT&CK, Kill Chain, Categories
Active Saved Search on System: <Push Content Metadata to ES>
Diagram components: Data Inventory Introspection, Data Inventory, Content, Dashboards, Correlation Search Introspection
