This document provides an overview of Splunk Enterprise Security and User Behavior Analytics (UBA). It discusses the evolving threat landscape and how Splunk has been recognized as a leader in security information and event management. The document outlines Splunk's analytics-driven security capabilities for threat detection, investigation, and response. It also describes new features for reducing storage costs, enhancing investigations, extending analytics with automation, and improving threat detection with UBA. The document promotes a quick UBA demo and mentions happy hour.

1. Copyright © 2014 Splunk Inc.
Splunk Enterprise
Security & UBA
Analytics-Driven Security
Matt Poland
Sr. Sales Engineer

2. The Ever-Changing Threat Landscape
2
53%
Victims notified by
external entity
100%
Valid credentials
were used
143
Median # of days
before detection
Source: Mandiant M-Trends Report 2012-2016

3. 3
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security
Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four Years in a Row as a Leader
Furthest overall in Completeness
of Vision
Splunk also scores highest in 2016
Critical Capabilities for SIEM
report in all three Use Cases

4. Splunk – Analytics-Driven Security
4
• APT detection/hunting (kill chain method)
• Counter threat automation
• Threat Intelligence aggregation (internal & external)
• Fraud detection – ATO, account abuse
• Insider threat detection
• Replace SIEM @ lower TCO, increase maturity
• Augment SIEM @ increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing
• Continuous monitoring/evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten discover/detect cycle
• Rapid insight from all data
• Fraud analyst
• Threat Research/Intelligence
• Malware research
• Cyber Security/Threat
• Security
Analyst
• CSIRT
• Forensics
• Engineering
• Tier 1 Analyst
• Tier 2 Analyst
• Tier 3 Analyst
• Audit/Compliance
Security Operations Roles/Functions
Reactive
Proactive
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight

5. Connecting the “data-dots” via multiple/dynamic relationships
Persist, Repeat
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security
Attacker, know relay/C2 sites, infected sites, file
hashes, IOC, attack/campaign intent and attribution
Where they went, who talked to whom, attack
transmitted, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.)
Process owner, registry mods, attack/malware
artifacts, patching level, attack susceptibility
Access level, privileged users, likelihood of infection,
where they might be in kill chain
Delivery, exploit
installation
Gain trusted
access
ExfiltrationData GatheringUpgrade (escalate)
Lateral movement
Persist, Repeat
5

6. Splunk Enterprise Security
Risk-Based Analytics Visualize and Discover
Relationships
Enrich Security Analysis with
Threat Intelligence
6
Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform
that empowers SecOps to monitor, detect, investigate and respond to attacks and
threats while minimizing risk and safeguarding your business.

7. Analytics Driven Security
Risk-Based Analytics to Align Security Operations With the Business
– Risk scoring framework enhances decision making by applying risk scores to any data
– Quickly and easily assign any KSI or KPI to any event to align with your current priorities
– Expose the contributing factors of a risk score for deeper insights
Visualize and Discover Relationships for Faster Detection and Investigation
– Visually fuse data, context and threat-intel across the stack and time to discern relationships
– Pre-built correlations, alerts and dashboards for detection, investigation and compliance
– Workflow actions and automated lookups enhance context building
Enrich Security Analysis with Threat Intelligence
– Automatically apply threat intelligence from any number of providers
– Apply threat intelligence to event data as well as wire data
– Conduct historical analysis using new threat intelligence across all data
7

8. Demo

9. Free ES Sandbox
Meeting – Cosmopolitan Password – SPLUNK2016
https://www.splunk.com/en_us/download-21.html

10. Common Information ModelCommonInformationModel
Network Traffic
Data Models
Malware Email Intrusion DetectionAuthentication ... 30 Models ...
action bytes_in bytes_out channel dest_ip dest_mac duration src_ip …...
• Network Traffic Data Model
FW Vendor A
• direction
• d_ip
• ….
FW Vendor B
• direction
• destin_ip
• ….
FW Vendor C
• Direction
• dest_ip
• ….
1
Contextual search / rules / reports
across different technologies
2
Dynamic field mapping allow structure
on the fly instead of normalization
Key
Purpose

11. 11
Managing Correlation Rules
Central framework to create / update / delete / import
correlated rules management for continuous adoption
Enable / Disable rules
ES CORRELATION RULE MANAGMENT
Splunk Inc. 2016 © - Page 11

12. Comparison – Event Correlation
• Construct as saved search, simply
generate indication of match.
• Self define a placeholder to hold events
and link it to process logic.
• Just pass on to the 3rd party incident
management / case management.
• Security incident alerts the flows into ES workflow
management process.
• Security event focused specific authoring
interface, just ready to define new condition.
• Pre-defined out-of-box correlations rules.

13. Threat Intelligence Framework
Finding hidden IOCs using comprehensive threat intelligence mappings
• Multiple
sources
• Multiple
transmission
types
• Multiple
transports
• Multiple data
formats
INTEL SOURCES
1. IP
2. Emails
3. URLs
4. Files
names/hashes
5. Processes
names
6. Services
7. Registry entries
8. X509 Certificates
9. Users
CATEGORIZE
Index, Extract,
Categorize
Manage / Audit
threat sources
• List status
• List mgmt.
• List location
COLLECT MANAGE
Data Management
SEARCH
Ad-hoc search,
analyze,
investigate,
prioritize
Data Search
CORRELATE
Match all IOCs in
existing log data
Generate alert for
any matches
KSI and trends
Security Dashboard
Correlation Data / Notable Events

14. Facebook ThreatExchange
• Provides domain names, IPs, hash threat
indicators
• Use with ad hoc searches and investigations
14
• Need an app ID and secret from Facebook
• Config Splunk add-on for FB ThreatExchange
• Customers already use !

15. What’s New?
15

16. Storage TCO Reduction Options
16
Reduce TSIDX for
historical data
Roll historical data
into Hadoop
Keeps data within existing
Splunk storage
Exports data but maintains
search capability
Flexible options to reduce storage requirements up to 80%

17. Enhanced Investigation Timeline
Add file attachments to
Investigation Timeline
17
Export Investigation Timeline as PDF

18. Extend Analytics-
driven Decisions and
Automation with
Adaptive Response in
Splunk ES
AUTOMATION VISUALIZATION
Enhance Analytics
With Glass Table
Views in Splunk ES

19. Adaptive Response: Analytics-driven Decisions, Automation
• Centrally automate retrieval, sharing and response action
resulting in improved detection, investigation and
remediation times
• Improve operational efficiency using workflow-based
context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and
taking actions between Enterprise Security and Adaptive
Response partners

20. Adaptive Response Actions (Examples)
AUTOMATION
Category - Information gathering, Information conveyance, Permissions control
Task - Create, Update, Delete, Allow, Block
Subject – what will be acted upon (network, endpoint, etc)
Vendor – providing the action. Ex; Splunk, Ziften, Palo Alto Networks, etc

21. Insight from Across Ecosystem
21
Effectively leverage security infrastructure to gain a holistic view
Workflow
Identity
Network
Internal
Network
Security
App
Endpoints
Web Proxy Threat Intel
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout

22. Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security
metrics within a logical or physical Glass Table view
• Improve response times with nested views to display what’s
important or relevant
• Optimize workflow with drill-down to the supporting criteria
of the metric

23. UBA
23

24. Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

25. Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of
anomalies detected by machine learning.
Helps with real-time threat detection and
leverage to detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios
along with automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

26. Summary
26
UBA Results Across
SIEM Workflow
Rapid Investigation of
Advanced Threats
Enhanced
Insider Threat &
Cyber Attack
Detection
ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

27. Quick UBA Demo,
… then Happy Hour
27