This presentation introduces security analytics methods, emphasizing the capabilities and features of Splunk Security Essentials (SSE) for detecting suspicious activities. It outlines key components such as analytics methods, alert creation, and the importance of operationalizing security insights for both novice and advanced users. The session highlights the significance of customization in detection use cases and the potential integration with Splunk's enterprise security solutions.

1. © 2019 SPLUNK INC.© 2019 SPLUNK INC.
Intro to Security
Analytics Methods
München, 26.03.2019
Joachim Gebauer | Staff Sales Engineer, CISM, CISSP | Splunk

2. © 2019 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Forward-Looking Statements

3. © 2019 SPLUNK INC.
Personal Introduction
Joachim Gebauer
Staff Sales Engineer | CISM | CISSP
Security SME

4. © 2019 SPLUNK INC.
► Maybe a user of Splunk Security Essentials?
► All Levels of Splunk Experience
► You probably like security
Who are you?
Technical Business
New to Splunk
Years of Splunk
YOU

5. © 2019 SPLUNK INC.
Key Takeaways from This Session
Improved ability to
detect potentially
suspicious activity
Free, powerful out-
of-the-box security
analytics methods

6. © 2019 SPLUNK INC.
1. Security Analytics 101
2. Splunk Security Essentials
(SSE) Overview
3. SSE Demo/Walk Through
4. End-to-End Scenario
5. Wrap Up
Agenda

7. © 2019 SPLUNK INC.
Splunk Security Pillars and Portfolio
DATA ANALYTICS OPERATIONS
• Universal indexing
• Petabyte scale
• Multi-schema
• Search, alert, report, visualize
• Broad support
Machine Learning Toolkit
(MLTK)
ES CONTENT
UPDATE
ADAPTIVE RESPONSE
ADAPTIVE
OPERATIONS
FRAMEWORK

8. Common Security Challenges
Malicious
Insiders
Advanced
External
Attackers
Commodity
Malware

9. First Time Seen
powered by stats
Time Series Analysis with
Standard Deviation
General Security
Analytics Searches
Analytics Methods
Types of Use Cases

10. General Security
Analytics Searches
First Time Seen
powered by stats
Analytics Methods
Types of Use Cases
Time Series Analysis with
Standard Deviation

11. Analytics Methods
Types of Use Cases
First Time Seen
powered by stats
Time Series Analysis with
Standard Deviation
General Security
Analytics Searches

12. Implementation Approach for Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules

13. Implementation Approach for Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules

14. Implementation Approach for Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules

15. © 2019 SPLUNK INC.
Splunk Security
Essentials Overview

16. Identify bad guys:
• 450+ security analytics methods
• Free on Splunkbase – use on Splunk Enterprise
• Target external and insider threats
• Advanced threat detection, compliance, and more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save from app, send hits to ES / UBA
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
Solve use cases you can today for free, then
use Splunk UBA for advanced ML detection.

18. Splunk Security Essentials App – Runs on Splunk Enterprise
QUICK EASY FREE

19. 1
9
Security Journey – Data-Driven Approach

20. • AWS CloudTrail + VPC Flow
• Cisco ASA
• Linux Security Logs
• Microsoft Sysmon
• Microsoft Office 365
• Palo Alto Networks
• Stream DNS
• Symantec AV
• Windows Security
Data Onboarding Guides

21. © 2019 SPLUNK INC.
SSE Demo

22. • Download from apps.splunk.com
• Install on your Search Head, standalone
Splunk server, or even a laptop
• Browse use cases that match your needs
• Data Source Check shows other use
cases for your existing data
• Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Getting Started with Splunk Security Essentials

23. Open the Splunk Security Essentials App
First Open Splunk
Security Essentials
Then Open
Use Cases

24. • For those just starting out, it can be
hard to know what data you need
• Every use case comes with pre-req
checks to show if you have the data
• If you don’t, follow the links
Pre-requisite Checks

25. • Data Source Check tells you what’s possible
• Runs all pre-req checks
Or Check EVERYTHING
Click “Start
Searches”

26. Create Posture Dashboards
• Run the data
source check
first
• Allow it to
complete the
check
• Then click
“Create Posture
Dashboards”
button

27. Posture Dashboards (cont’d)
If You Don’t Have
Live Data Yet,
Click “Demo Datasets”
Number of Available
Visualizations will
Update Accordingly

28. Posture Dashboards (cont’d)
Select Desired
Visualization
Category (or
Categories)
Select Non-Default
Searches if Desired
Generate
Selected
Dashboards!

29. Posture Dashboards (cont’d)
• Essential Account Security
• Data sources include General Authentication, Windows 10,
and Active Directory
• Essential Host Security
• Data sources include Windows Endpoint, Anti-virus
• Essential Network Security
• Data sources include Firewall, Next-Gen Firewall, and
Web Proxy

30. • Read through a few of the use cases
• Filter for use cases you care about
Take a Minute to Review Use Cases

31. Let’s Start With a Simple Example
Click on “Concentration of
Hacker Tools by Filename”

32. © 2019 SPLUNK INC.
► A search you might not think
of, but is easy to use
► Input: CSV file with
suspicious filenames
► Input: Process launch logs
(Windows, Sysmon, Carbon
Black, etc.)
► Looks for those file names
concentrated in a short
period of time
Concentration of Hacker Tools by Filename

33. Applying to Live Data
Click Live Data
See a Live Search

34. • Phishing is a big
risk
• Many approaches
to mitigating with
Splunk
An Advanced Splunk Search
Click on ‘Emails with
Lookalike Domains’
From Journey
Select Stage 4
From Data Sources,
Filter to Email Logs

35. © 2019 SPLUNK INC.
► A very long search you don’t
have to run
► Detects typos, like
company.com → campany.com
► Supports subdomains for typo
detection
► Detects suspicious
subdomains, like company.com
→company.yourithelpdesk.com
A Phishing Search Larger Than Your Pond

36. © 2019 SPLUNK INC.
► Splunk can also build baselines easily
► Let’s look at a Time Series Spike
► This detects anomalies via Standard Deviation
What About Baselines
From Data Sources,
Filter to Print Server Logs
Then, Increase in
Pages Printed

37. © 2019 SPLUNK INC.
► A measure of the variance for a series of numbers
What is Standard Deviation?
User Day One Day Two Day Three Day Four Avg Stdev
Jane 100 123 79 145 111.75 28.53
Jack 100 342 3 2 111.75 160.23
User Day Five # StDev from Average … aka How Unusual?
Jane 500 13.6
Jack 500 2.42
SUPER Anomalous!

38. © 2019 SPLUNK INC.
● Our search looks for printer logs
● Sums per day, per user
● Note the tooltips everywhere!
Increase in Pages Printed
► Our search looks for
printer logs
► Sums per day,
per user
► Note the tooltips
everywhere!
Click “Detect Spikes” to find outliers

39. © 2019 SPLUNK INC.
► Just click Show SPL to see
how the search works
► Learn this once… it applies
to all time series spikes!
► (Or just use the app)
Want to Learn That SPL for Yourself?

40. © 2019 SPLUNK INC.
► Want to use that search?
► Just click Schedule Alert
► Searches will auto send to ES
Risk or UBA if you have either
► Or just email to yourself
Want to Schedule That Search?

41. © 2019 SPLUNK INC.
► We can use baseline to find new combinations too
► This can help with any noisy search you have today
What Else Do You Have For Me?
Then, Authentication Against a
New Domain Controller

42. © 2019 SPLUNK INC.
► This search uses stats
earliest() and latest()
per User, DC
► If the earliest() is recent,
it’s anomalous
► This works for any
combination!
Authentication Against a New DC
Click “Detect New Values” for outliers

43. © 2019 SPLUNK INC.
Example Scenario

44. © 2019 SPLUNK INC.
► Actor:
Malicious Insider (because it’s hardest)
► Motivation:
Going to work for competitor
► Target:
Accounts, Opportunities, Contacts in Salesforce
► Additional Target:
Sales Proposals in Box
► Exfiltration:
Upload to a remote server
Apply Splunk to Real Life Scenario
Malicious Insider
Jane Smith
Director of Finance
* Photo of Splunker – not an actual malicious insider

45. © 2019 SPLUNK INC.
► No proxy
► No standard file servers
► No agents on laptop
► Cloud Services with their own APIs
► How would you detect that?
Monitoring Challenges

46. © 2019 SPLUNK INC.
► Collect Relevant Logs
• Ingest Salesforce Event Log File
• https://splunkbase.splunk.com/app/1931/
• Ingest Box Data
• https://splunkbase.splunk.com/app/2679/
► Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
► Configure Analytics
• e.g., schedule Salesforce.com searches
• e.g., build a custom Box use case
Set Up
About 1 Hour of Work

47. © 2019 SPLUNK INC.
► New clients accessing SFDC API
► High-risk activity
► 1st-time peer group query of
sensitive data
► New sensitive tables being queried
► Other searches indicating potential
exfil
Example Salesforce.com Searches

48. © 2019 SPLUNK INC.
Targeting Our Search
▪ Our Malicious Insider, Jane Smith, also
downloaded some proposals from Box
▪ Finding Box downloads spikes is easy,
but we want focus on the Proposal Folder
▪ We will use the Detect Spikes assistant
to help us

49. © 2019 SPLUNK INC.
► Do you want to build your own detections like this?
► What if your environment is totally custom?
► No product has ever worked out of the box, and
that’s why you like Splunk, right?
► We’ve got you covered.
“My Environment is So Custom”
Click Advanced,
then “Detect Spikes”

50. © 2019 SPLUNK INC.
• | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
• Looking for “count” by “user” with “6” standard deviations

51. © 2019 SPLUNK INC.
• | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
• Looking for “count” by “user” with “6” standard deviations
Got Her!

52. © 2019 SPLUNK INC.
► Save / schedule the alert – send to Splunk Enterprise Security or UBA
• Or send via email to analyst
Operationalize!

53. © 2019 SPLUNK INC.
Wrap Up

54. © 2019 SPLUNK INC.
1. Splunk Security Essentials teaches you
new detection use cases
2. Easy to operationalize – standalone or
with Splunk Enterprise Security and UBA
3. Makes it easy to customize use cases
4. As you advance, look to ES or UBA to
improve threat detection, and ES and
Phantom to accelerate containment,
investigation, and response
What Did
We Cover?

55. © 2019 SPLUNK INC.
► Download from
apps.splunk.com
► Find use cases that
match your needs
► Data Source Check
shows other use cases
for your existing data
► Evaluate free tools to
meet gaps,
such as Microsoft
Sysmon
• (links inside the app)
Go Get Started With Splunk Security Essentials!

56. The Splunk Platform

57. © 2019 SPLUNK INC.© 2019 SPLUNK INC.
Thank You.
Don’t forget to rate this session
in the SplunkLive! mobile app