This document provides an overview of Splunk User Behavior Analytics (UBA). It begins with forward-looking statements and disclaimers. It then introduces the presenter and outlines an agenda covering Splunk's security vision, today's threat landscape, an overview of UBA and machine learning, and a product overview of Splunk UBA. Key use cases of Splunk UBA are described as advanced cyber attacks and malicious insider threats. The document highlights what Splunk UBA does including automated threat detection across various data sources using machine learning. Workflows for threat detection and investigation are outlined. The presentation concludes by inviting the audience to a live demo and providing details on limited-time promotional offers for Splunk UBA and Security bundles

1. Copyright © 2015 Splunk Inc.
Splunk UBA: What is
it?
Karthik Kannan
Splunk Behavioral Analytics

2. Disclaimer
2
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make. In addition,
any information about our roadmap outlines our general product direction and is subject to change at
any time without notice. It is for informational purposes only and shall not, be incorporated into any
contract or other commitment. Splunk undertakes no obligation either to develop the features or
functionality described or to include any such feature or functionality in a future release.

3. About the Presenter
• Karthik Kannan
• Formerly, co-founder of Caspida
• Caspida acquired by Splunk in July 2015
3

4. Agenda
• Splunk’s Vision for Security
• Today’s Threat Landscape
• UBA: an overview
• The significance of Machine Learning
• Splunk UBA: product overview
• How can you leverage this in your environment?
4

5. Vision

6. 6
Splunk Security Vision
Security Markets
SIEM Security Analytics Fraud & Business Risk Managed Security &
Intelligence Services
Splunk Security Intelligence Framework
Workflow/collaboration, case management, content/intelligence syndication and Eco-system brokering
Machine Learning, Models, Threat Scoring, etc.
Enhanced Threat Detection & SOC
Efficiency
Behavioral Analytics: first is
UEBA, more to come Foundation for Fraud Analytics content for Subscription

7. Splunk is the Security Nerve Center
App
Servers
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints

8. Threat Landscape

9. ENTERPRISE CHALLENGES
THREATS
PEOPLE
EFFICIENCY
Cyber Attacks, Insider
Threats, Hidden,
Or Unknown
Availability of
Security Expertise
Too Many Alerts And
False Positives

10. Nation-State Attacks
10
21.5M
US government personnel records stolen
Was it China?
GOVERNMENT HACKERS
Secretly gaining control of
nuclear plants
Corporate Espionage
Stealing company's secrets to give
corporations competitive edge.
Infrastructure Attacks
shutting down entire electricity
grid system.
Data Manipulation Attacks
question the integrity of data -alter
stock market trades or government
weather instrument readings

11. Breach Incidents by Source
11
66%
Outsiders
582 incidents
34%
Insiders
304 incidents 888
Total Incidents

12. 12
34% 84,4M
Healthcare
31% 77,1M
Government
15% 37.5M
Technology
8% 18.6M
Retail
6% 15.7M
Education
<1% 683K
Financial
5% 13.3M
Other246M
Total Loss
As of Jun 2015
56.6K / hour 16 / sec1.4M / day 943 / min
Stolen/Lost Data Records

13. UBA: An Overview

14. OLD PARADIGM
SIGNATURES
RULES HUMAN
ANALYSIS

15. NEW PARADIGM: DATA-SCIENCE
DRIVEN BEHAVIORAL ANALYTICS
BIG DATA
DRIVEN
SECURITY
ANALYTICS
MACHINE
LEARNING

16. 1
SECURITY BREACHES
SPLUNK UBA detects
with BEHAVIORAL THREAT DETECTION

17. The Significance of
Machine Learning

18. Purpose-built Machine LearningThreatAttackCorrelation
Polymorphic Attack Analysis
Behavioral Peer Group Analysis
User & Entity Behavior Baseline
Entropy/Rare Event Detection
Cyber Attack / External Threat Detection
Reconnaissance, Botnet and C&C Analysis
Lateral Movement Analysis
Statistical Analysis
Data Exfiltration Models
IP Reputation Analysis
Insider Threat Detection
User/Device Dynamic Fingerprinting

19. Splunk UBA:
Product Overview

20. KEY USE-CASES
20
Advanced Cyber-
Attacks
Malicious Insider
Threats

21. CUSTOMER THREATS UNCOVERED
ACCOUNT TAKEOVER
• Privileged account compromise
• Data loss
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
INSIDER THREATS
• Misuse of credentials
• IP theft
MALWARE ATTACKS
• Hidden malware activity
• Advanced Persistent Threats (APTs)
BOTNET, C&C
• Malware beaconing
• Data exfiltration
USER & ENTITY BEHAVIOR ANALYTICS
• Login credential abuse
• Suspicious behavior

22. WHAT DOES SPLUNK UBA DO?
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
AUTOMATED THREAT DETECTION
& SECURITY ANALYTICS
Baseline KPIsAnalytics
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA

23. MULTI-ENTITY FOCUSED
User
App
Systems (VMs, Hosts)
Network
Data

24. Web Gateway
Proxy Server
Firewall
Box, SF.com,
Dropbox, other SaaS
apps
Mobile Devices
Malware Norse, Threat
Stream, FS-ISAC or
other blacklists for
IPs/domains
DATA SOURCES
Active Directory/
Domain Controller
Single Sign-on
HRMS
VPN
DNS, DHCP
Identity/Auth SaaS/Mobile
Security
Products
External Threat
Feeds
Activity
(N-S, E-W)
K E Y OPTIONAL
Netflow, PCAP
DLP, File Server/Host
Logs
AWS CloudTrail
End-point
IDS, IPS, AV

25. SECURITY ANALYTICS
KILL-CHAIN
HUNTER
KEY WORKFLOWS - HUNTER
 Investigate suspicious users, devices,
and applications
 Dig deeper into identified anomalies
and threat indicators
 Look for policy violations

26. THREAT DETECTION
KEY WORKFLOWS – SOC ANALYST
SOC ANALYST
 Quickly spot threats within your
network
 Leverage Threat Detection workflow
to investigate insider threats and
cyber attacks
 Act on forensic details – deactivate
accounts, unplug network devices, etc.

27. INSIDER THREAT
USER ACTIVITIES RISK/THREAT DETECTION AREAS
John logs in via VPN from 1.0.63.14
Unusual Geo (China)
Unusual Activity Time3:00 PM
Unusual Machine Access
(lateral movement; individual +
peer group)
3:15 PMJohn (Admin) performs an ssh as root to a new
machine from the BizDev department
Unusual Zone (CorpPCI) traversal
(lateral movement)3:10 PM
John performs a remote desktop on a system as
Administrator on the PCI network zone
3:05 PM Unusual Activity Sequence
(AD/DC Privilege Escalation)
John elevates his privileges for the PCI network
Excessive Data Transmission
(individual + peer group)
Unusual Zone combo (PCIcorp)
6:00 PMJohn (Adminroot) copies all the negotiation docs
to another share on the corp zone
Unusual File Access
(individual + peer group)3:40 PM
John (Adminroot) accesses all the excel and
negotiations documents on the BizDev file shares
Multiple Outgoing Connections
Unusual VPN session duration (11h)11:35 PMJohn (Adminroot) uses a set of Twitter handles to
chop and copy the data outside the enterprise

28. SECURITY ANALYTICS
ADVANCED

29. Differentiators
Competitors
Big Data, extensible platform
Completely Machine Learning Driven
Fully integrated Splunk security portfolio
Automated action (Detect & Respond)
The only platform with a holistic Kill Chain
Technology Approach Splunk

30. Who’s up for a
live demo?!?

31. WHY WAIT?
WATCH OUR LIVE
DEMO, VIDEO
ENGAGE WITH SAMPLE
DATA
GET UBA, CYBER THREAT
ASSESSMENT
1 2 3

32. To Learn More
• http://www.splunk.com/en_us/products/premium-solutions/user-behavior-
analytics.html
32

33. Splunk UBA Promo
Two limited-time offers—exclusively for customers attending Gov &
Ed Day LA —to adopt Splunk UBA.
1. Splunk UBA Early Access Bundle, $99K
2. Splunk Security (Enterprise Security and UBA) Bundle, $150K
To qualify for these promotions, email uba-sales@splunk.com by
November 30, 2015 and must purchase by January 31, 2016.
33

34. Questions?