The document discusses building an analytics-driven security operations center (SOC) using Splunk. It begins with an overview of challenges with traditional SOCs, such as efficacy, staffing, siloization, and costs. It then covers trends in security operations like increased capabilities, automation, use of threat intelligence, and threat hunting. The document outlines components of the security operations toolchain including the log data platform, asset inventory, case management, and common data sources. It presents Splunk as a nerve center for security operations that can provide adaptive security architecture, threat intelligence framework, advanced analytics, automated processes, and proactive hunting and investigation. Finally, it shares examples of how customers have used Splunk to build intelligence-driven SO

1. Copyright © 2016 Splunk Inc.
Building the Analytics
Driven SOC
Girish Bhat

2. 2
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.

3. 3
3
> Dave Herrald dherrald@splunk.com|@daveherrald
- Senior Security Architect, Splunk Security
Practice
- 20+ years in IT and security
-Information security officer, security architect,
pen tester, consultant, SE, system/network
engineer
- GIAC GSE #79, former SANS Mentor
# whoami

4. Agenda
4
A look at traditional
security operations
1
Best practices and
emerging trends
2
The security ops
technology stack
3
Splunk and the
Analytics Driven
SOC
4

5. 5
Splunk – Leader in Security
Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 2,000 employees, based in 12 countries
Business Model / Products
• Free download to massive scale
• Splunk Enterprise, Splunk Cloud, Splunk Light
• Splunk Enterprise Security, User Behavior Analytics
12,000+ Customers
• Customers in 100 countries
• 80+ of the Fortune 100
• Largest license: Over 1 Petabyte per day

6. 6
Splunk: The Platform for Machine Data
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
Online
Services
Web
Proxy
Data Loss
Prevention
Storage Desktops
Packaged
Applications
Custom
Applications
Databases
Call Detail
Records
Smartphones
and Devices
Firewall
Authentication
File
servers
Endpoint
Threat
Intelligence
Asset
& CMDB
Employee /
HR Info
Data
Stores
Applications
External Lookups
Badging
records
Email
servers
VPN

7. 7
Splunk Security Solutions
SECURITY &
COMPLIANCE
REPORTING
MONITORING OF
KNOWN THREATS
ADVANCED AND
UNKNOWN
THREAT
DETECTION
INCIDENT
INVESTIGATIONS &
FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
MORE
…
SECURITY APPS & ADD-ONS SPLUNK
USER BEHAVIOR ANALYTICS
Wire data
Windows = SIEM integration
RDBMS (any) data
SPLUNK
ENTERPRISE SECURITY
SPLUNK
APP FOR PCI

8. 8
Source : EY Global Information Security Survey 2015

9. 9
How-to guides…

10. Traditional Security
Operations

11. 11
Traditional Security Program: The Big Picture
1

12. 12
Traditional Security Program: The Big Picture
1
It’s complicated…

13. 13
Traditional Security Critical Path
13
Risk &
Compliance
Security
Architecture
Security
Engineering
Security
Operations
(Includes SOC)
Security Operations: part of the bigger picture…

14. 14
Traditional SOC
“Alert triage”
“Alert pipeline”

15. 15
What is a SOC?
● A place?
● A person or a team?
● A set of practices?
● A set of tools?

16. 16
Security Operations
The organizational capability to detect
and respond to threats.

17. 17
A SOC by any other name…
The organizational capability to detect
and respond to threats.
● VSOC
● Cyber Defense Center
● Cyber Fusion Center
● Cybersecurity Operation Center
● Multifunction NOC/SOC
● Command SOC
● Crew SOC?
https://www.gartner.com/doc/3479617

18. 18
Three Interrelated Components of Security
1
Process
PeopleTechnology

19. 19
Bottom Line
Technology exists to serve people and processes.

20. 20
Challenges with the traditional SOC (1)
Efficacy

21. 21
Challenges with the traditional SOC (2)
Staffing

22. 22
Challenges with the traditional SOC (3)
Remember
this?
Risk &
Compliance
Security
Architecture
Security
Engineering
Security
Operations
(Includes SOC)

23. 23
Challenges with the traditional SOC (3)
Silo-ization

24. 24
Challenges with the traditional SOC (4)
Cost
…and opportunity cost

25. Trends in Security
Operations

26. 26
New Capabilities in the SOC
● Alert Management
● Incident Response
● Toolchain engineering
● Threat intelligence
(consumption and creation)
● Threat hunting
● Vulnerability management
● Red team
SOC++
Alert
Management
IR / CSIRT
Toolchain
Engineering
Threat intelHunting
Vuln.
Management
Red Team

27. 27
What About Managed Security Services?
● Alert Management
● Incident Response
● Toolchain engineering
● Threat intelligence
(consumption and creation)
● Threat hunting
● Vulnerability management
● Red team
SOC++
Alert
Management
IR / CSIRT
Toolchain
Engineering
Threat intelHunting
Vuln.
Management
Red Team

28. 28
Automation in the SOC
• Response – maybe
• Context gathering – definitely
• Automate “Tier 1”
• Places a high premium on
toolchain integration

29. 29
Processes in the SOC
https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf

30. 30
Maturing Use of Threat Intelligence
Threat list + raw network data =
DNS
web proxy
email
endpoint
…
The “Threat list wind tunnel”

31. 31
Effective Threat Intelligence Consumption
alerts + threat intel = insight
Hunting New detection
mechanism

32. 32
Network (Meta)data

33. 33
Network (Meta)data
NetFlow (or variant)
Succinct
5-tuple + traffic size
Easytm
to analyze
Good context for buck
No payload
PCAP
Voluminous
Ground truth
Lots of storage / overhead
Ultimate context
Full payload
Stream / Bro
Succinct
5-tuple + traffic size
Easily searchable!
Tune-able
Adaptive fidelity
Customizable
Payload elements

34. 34
Threat Hunting (Active Defense)
…effort by analysts who purposely set
out to identify and counteract
adversaries that may already be in the
environment.
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

35. 35
How are SOC Teams Hunting?
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
● Start with a hypothesis that considers:
§ Assets (often crown jewels)
§ Threats
§ Vulnerabilities
§ Countermeasures
● Requires lots of data
● Flexible platform to ask/answer questions
● Data science / ML / Analytics

36. 36
How are SOC Teams Hunting?
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
Most important, hunters are
innovative analysts who understand
their threat landscape and their
organization well enough to ask the
right questions and find the answers.

37. 37
Data Science, ML, and Analytics

38. The Security
Operations Toolchain

39. 39
Log Data Platform
• Single source of truth
• Retention and integrity
• Any data source
• Easy correlation
• Automation / integration
• Performant and scalable
• Full fidelity
• Normalized?
• Hunting
• Forensic investigation
• Alerting
• Dashboards
• Visualization
• Analytics (ML?)

40. Data Normalization is Mandatory for your SOC
“The organization consuming the
data must develop and consistently
use a standard format for log
normalization.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck
creating investigative queries

41. 41
Asset Inventory and Identity Data
Often multiple sources of record – that’s OK
• CMDB, Vuln scans, Passive detection, DHCP, NAC
• Active directory, LDAP, IAM
Network diagrams
Categorization
• PCI, ICS, Administrative, Default,
Comprehensive yet lightweight and easy to maintain
Must be easy to correlate to log data

42. 42
Case and Investigation Management
• Ticketing system
• Workflow
• Supports prioritization
• Supports collaborative investigation
• Provides metrics
• Supports automation
• Auditable

43. 43
Common SOC Data Sources
• Firewall
• Network metadata
• Authentication
• Server
• Windows / Linux
• Endpoint
• EDR, AV, HD/RAM images
• IDS / IPS
• VPN
• Application
• Threat intel
• Vulnerability
• Assets and Identities

44. Splunk as the Security
Operations Nerve Center

45. 45
Splunk as the Security Operations Nerve Center

46. 46
1. Adopt an Adaptive Security Architecture
To Prevent, Detect, Respond and Predict need:
- Correlation across all security relevant data
- Insights from existing security architectures
- Advanced analytics techniques such as machine learning
Platform for Operational Intelligence
4000+ Apps
and Add-Ons
Splunk Security
Solutions

47. 47
2. Threat Intelligence – Splunk Threat Intel Framework
Automatically collect,
aggregate and de-duplicate
threat feeds from a broad set
of sources
Support for STIX/TAXII,
OpenIOC, Facebook and more
Build your own data to create
your own Threat Intel
Out of the box Activity and
Artifact dashboards
Prioritize, contextualize and
analyze threats and remediate
Law Enforcement
Feeds
ISAC Feed
Agency Feeds
Commercial
Service
Community
Feed
Open-Source
Feed
Other Enrichment
Services
• Monitor and triage alerts
• Determine impact on
network, assets
• Use for analysis / IR
• Collect / provide forensics
• Use to hunt / uncover /link
events
• Share info with partners

48. 48
3. Use Advanced Analytics – Native ML and UBA
Simplify detection and focus on real alerts
Accelerate anomaly and threat detection – minimize attacks and insider threat
Use Machine Learning toolkit - solutions to suit your workflow
Premium Machine learning solution - User Behavior Analytics
– Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM

49. 49
4. Proactively Hunt and Investigate - Considerations
● Organizational maturity
● Domain and product experience
● Tools: Network, Endpoint, Threat Intel, Access
● Security relevant data, historical, raw data
● Flexibility and ad hoc

50. 50
5. Automate whenever feasible
App Servers
Network
Threat Intelligence
Firewall
Internal Network
Security Endpoints
Use rules and machine learning to
automate routine aspects of
detection and investigation
Extract insights from existing security
stack by use of common interface
Take actions with confidence for
faster decisions and response
Automate any process along the
continuous monitoring, response &
analytics cycle
Splunk Adaptive Response

51. 51
What is Splunk Enterprise Security?
5
Enterprise Security
Asset and
Identity
Correlation
Notable
Event
Threat
Intelligence
Risk
Analysis
Adaptive
Response
A collection of Frameworks

52. 52
Splunk Security Partners
https://www.splunk.com/partners/

53. Customer Success

54. 54
Building an Intelligence Driven SOC
Challenges
• Existing SIEM not adequate - struggled to bring in appropriate data
• Unable to perform advanced investigations, severe scale/performance issues
• Looking to build a new SOC with modern solution
Customer Solution
• Centralized logging of all required machine data at scale and full visibility
• Retain all relevant data from 10+ data sources which is used by 25+ SOC/CSIRT users
• Tailored advanced correlation searches & IR workflow
• Faster and deeper incident investigations
• Greater SOC efficiencies - all SOC/CSIRT working off same UI/data
• Executive dashboards to measure and manage risk
54

55. 55
Citywide SOC for situational awareness
Challenges
• Slow responses to security incidents
• Inadequate situational awareness of security events
• Limited threat intelligence
• Disparate logs from over 40 departments were difficult to aggregate
Customer Solution : Splunk Cloud with Enterprise Security
• Real-time, citywide, 24/7 network surveillance
• Stronger protection of digital assets and infrastructure
• Shared threat intelligence with federal agencies
• Reduced headcount and lower operational costs

56. 56
Build an insourced SOC in months
Challenges
• Wide range of security requirements
– Internal audits (financial, PCI)
– Protect internal info and assets
– Cloud firewall, DDOS
• Cultural and Organizational
– Security not a priority, Outsourced SecOps
– Information hoarding and data silos
Customer Solution : Splunk Enterprise Security
• Changed culture - security first mindset with controls
• Detect, prevent and respond to attacks in own
environment, with 24/7 security analysis of customers
• Rapid detection and deep investigation
• Detect Web App attacks, discover compromised cards

57. 57
Maturing SOC
Challenges
• Legacy SIEM : Unstable, Inflexible, Clunky
• Limited skilled resources
• High false negative and false positive
Customer Solution : Splunk Cloud with Enterprise Security
• Developed processes : Rule set, naming
• SOC process : Playbook, training, automated documentation
• Enabled SOC to identify patterns of behavior in a single event rather than
be bombarded by thousands of low-value incidents

58. Wrapping up

59. Free
Cloud Trial
Free Software
Download
Free
Enterprise Security
Sandbox
Get started in minutes – splunk.com
1 32

60. Copyright © 2016 Splunk Inc.
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
CONF.SPLUNK.COM
The 8th Annual Splunk Worldwide Users’ Conference

61. Copyright © 2016 Splunk Inc.

62. 62
Can I play BOTS?
62
Yes!
• RSA Conference 2017
• Splunk .conf 2017
• Online / continuous? Stay tuned
New scenarios
and data sets

63. 63
Resources Cited
How to Plan, Design, Operate and Evolve a SOC
https://www.gartner.com/doc/3479617
Crafting the InfoSec Playbook
https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406
Splunk SOC Advisory Services
https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdf
Ten Strategies of a World-Class Cybersecurity Operations Center
https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
Maturing Workday’s SOC with Splunk
https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
The Five Characteristics of an Intelligence Driven Security Operations Center
https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-center
The Who, What, Where, When, Why and How of Effective Threat Hunting
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-
36785
Exploring the Frameworks of Splunk Enterprise Security
https://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf

64. Thank you!
dherrald@splunk.com|@daveherrald