This document summarizes an presentation about operationalizing security intelligence. It discusses three key aspects: 1. Using risk-based analytics to prioritize alerts based on correlating events over time and assigning risk scores to hosts. This helps determine which alerts require immediate investigation. 2. Adding context to alerts by integrating data from different technologies, matching context, and acquiring additional context through APIs. This provides more insight into prioritizing alerts. 3. Connecting security data with people by enabling human-mediated automation, collaboration, free-form investigation through interactive views and workflows. This allows leveraging all security data and human intuition in investigations. The presentation promotes operationalizing security intelligence through these approaches and evaluating Spl

1. Operationalizing
Security Intelligence
Matthias Maier
CISSP, CEH, Product Marketing Manager

2. Who I am
• Now Product Marketing Manager EMEA
• 8 Years Consultant Security + Big Data
• 3+ Years at Splunk, McAfee (Intel Security),
Tibco LogLogic
• worked with top organizations across
industries advising customers
• CISSP, Certified ethical Hacker

3. 3
Make machine data accessible,
usable and valuable to everyone.
3

4. 4
Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume
Online
Services Web
Services
Servers
Security GPS
Location
Storage
Desktops
Networks
Packaged
Applications
Custom
ApplicationsMessaging
Telecoms
Online
Shopping
Cart
Web
Clickstreams
Databases
Energy
Meters
Call Detail
Records
Smartphones
and Devices
RFID
On-
Premises
Private
Cloud
Public
Cloud
Ask Any Question
Application Delivery
Security, Compliance
and Fraud
IT Operations
Business Analytics
Internet of Things and
Industrial Data

5. SECURITY USE CASES
In
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
MONITORING
OF UNKNOWN,
ADVANCED
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
INSIDER
THREAT
Splunk Can Complement OR Replace an Existing SIEM
INSIDER
THREAT

6. Disclaimer
6
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results
could differ materially. For important factors that may cause actual results to differ from those contained
in our forward-looking statements, please review our filings with the SEC. The forward-looking
statements made in the this presentation are being made as of the time and date of its live presentation.
If reviewed after its live presentation, this presentation may not contain current or accurate information.
We do not assume any obligation to update any forward looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the features
or functionality described or to include any such feature or functionality in a future release.

7. Agenda
The super hero and the fish market – a short story
What is Security Intelligence
Examples of Operationalizing Security Intelligence
Call to action

8. https://i.ytimg.com/vi/4GmMNF1b0Lw/maxresdefault.jpg

9. http://www.technobuffalo.com/wp-content/uploads/2015/07/Xena.jpeg

10. https://epicheroism.files.wordpress.com/2013/09/k
war-1680x1050.jpg

11. http://www.entrust.com/wp-
content/uploads/2013/02/Entrust-MobileDemo-
RSA20131.jpg

14. http://www.123rf.com/photo_30266410_seattle-july-5-customers-at-pike-place-fish-company-wait-to-order-fish-at-the-famous-seafood-market-.html

15. Lone hacker…

16. Organized Criminals

17. Crossing the Chasm

18. Crossing the Chasm

19. Security Intelligence
Information relevant to protecting an
organization from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that information.
http://whatis.techtarget.com/definition/security-intelligence-SI

20. Security Intelligence
Information relevant to protecting an
organization from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that information.
http://whatis.techtarget.com/definition/security-intelligence-SI

21. Intelligence
Actionable information that provides an
organization with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates multiple processes and
practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI

22. Intelligence
Actionable information that provides an
organization with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates multiple processes and
practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI

23. Operationalizing Security Intelligence

24. Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

25. Operationalizing Security Intelligence
1. Risk-Based 2. Context and Intelligence
3. Connecting
People and Data
25

26. Network Endpoint Access
Data Sources
Threat Intelligence

27. Persist, Repeat
Threat Intelligence
Access/Identity
Endpoint
Network
Attacker, know relay/C2 sites, infected sites, IOC,
attack/campaign intent and attribution
Where they went to, who talked to whom, attack
transmitted, abnormal traffic, malware download
What process is running (malicious, abnormal, etc.)
Process owner, registry mods, attack/malware
artifacts, patching level, attack susceptibility
Access level, privileged users, likelihood of infection,
where they might be in kill chain
• Third-party threat intel
• Open-source blacklist
• Internal threat intelligence
• Firewall, IDS, IPS
• DNS
• Email
• Endpoint (AV/IPS/FW)
• Malware detection
• PCLM
• DHCP
• OS logs
• Patching
• Active Directory
• LDAP
• CMDB
• Operating system
• Database
• VPN, AAA, SSO
Data Sources Required
• Web proxy
• NetFlow
• Network

28. Requirement 1: Risk Based Analytics

29. Risk Based Analytics
Network Endpoint AccessThreat Intelligence
Rules/String/Regex matching
Statistical outliers and anomalies
Session and Behavior profiling
Scoring and aggregation

30. Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

31. Example - Situation
Day 1
•Host A: IDS
Signature
Triggers
•Source:
Network
IDS
Day 5
•Host A: AV
System
Triggers
•Source:
AntiVirus
Day 10
•Host A:
Multiple
failed logins
from this
host
•Source:
Active
Directory
Day 20
•Host A:
accessing
unusual
network
segments
•Source:
Network
Traffic
Correlation

32. Context: Risk Scoring
Day 1
•Host A: IDS
Signature
Triggers
•Source:
Network
IDS
Day 5
•Host A: AV
System
Triggers
•Source:
AntiVirus
Day 10
•Host A:
Multiple
failed logins
from this
host
•Source:
Active
Directory
Day 20
•Host A:
accessing
unusual
network
segments
•Source:
Network
Traffic
Correlation
Risk Score
Host A: 0 + 10
Risk Score
Host A: 10 + 30
Risk Score
Host A: 40 + 30
Risk Score
Host A: 70 + 5

33. Requirement 2: Context and Intelligence

34. Context and Intelligence
Integrate across technologies
Automated context matching
Automated context acquisition
Post processing and post analysis
Threat
Intelligence
Asset
& CMDB
API/SDK
Integrations
Data
Stores
Applications

35. Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?

36. Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Risk Score Host A: 75 Risk Score Host B: 5
Worth an Investigation?
Which one to investigate first?

37. Alerts
Alert 1 Alert 2
Host A Host B
Accessing unusual network segments Malware Found but couldn’t be removed
Risk Score Host A: 75 Risk Score Host B: 5
System Owner: Juergen Klopp
Location: Liverpool
System Owner: Donald Duck
Department: Duckburg
Confidentiality Level: High Confidentiality Level: Low
Worth an Investigation?
Which one to investigate first?

38. http://www.entrust.com/wp-content/uploads/2013/02/Entrust-MobileDemo-RSA20131.jpg

39. Requirement 3: Connecting Data and People

40. Connecting People and Data
Human mediated automation
Sharing and collaboration
Free form investigation – human intuition
Interact with views and workflows
Any data, all data
Automation Collaboration Investigation Workflows All data

41. Visual Investigations – Kill Chain

42. Operationalizing Security Intelligence
1. Risk-Based 2. Context and Intelligence
3. Connecting
People and Data
42

43. Crossing the Chasm

44. Call to action
Today:
• Visit the Splunk booth and get a live demo of an Incident Investigation
• Pick up your free t-shirt
• Get at 4pm free beer at the booth!
Next 7 Days:
• Try Splunk Cloud Enterprise Security Sandbox to explore hands on
• Think about use cases or visibility gaps you have today that can be addressed!
Next 90 Days:
• Schedule a Splunk Workshop onsite to explore how you can mature your
security program with the help of Machine Data

45. 45
Thank You
@Matthias_by