Copyright © 2014 Splunk Inc.

Splunk for Security

Analytics Driven Security for Higher Education

James Brodsky
SE/Security SME, Splunk
Agenda

• Splunk for Security (20 min)
• EDU Case Studies (20 min)
• Demonstration of the Splunk App for Enterprise Security (15 min, time permitting)
• Q & A
Why Splunk for Security?

Machine data contains a DEFINITIVE RECORD of all human-to-machine and machine-to-machine interaction.

Splunk ingests, stores, and analyzes all of that data at scale.
Advanced Threats Are Hard to Find

Cyber criminals, nation states, insider threats.

Source: Mandiant M-Trends Report 2012/2013/2014
• 100%: valid credentials were used
• 40: average number of systems accessed
• 229: median number of days before detection
• 67% of victims were notified by an external entity
Attackers & Threats have Changed & Matured

• Goal-oriented
• Human directed
• Multiple tools, steps & activities
• New evasion techniques
• Coordinated
• Dynamic, adjust to changes

Threat:

People
• Outsider (organized crime, competitor, nation/state)
• Insiders (contractor, disgruntled employee)

Technology
• Malware, bots, backdoors, rootkits, zero-day
• Exploit kits, password dumper, etc.

Process
• Attack lifecycle, multi-stage, remote controlled
• Threat marketplaces – buy and rent
Modern Security Programs Need More than Technology

Threat:
• People – outsiders (organized crime, competitor, nation/state); insiders (contractor, disgruntled employee)
• Technology – malware, bots, backdoors, rootkits, zero-day; exploit kits, password dumper, etc.
• Process – attack lifecycle, multi-stage, remote controlled; threat marketplaces (buy and rent)

Solution:
• Technology – firewall, anti-malware, AV, IPS, anti-spam, etc.
• Human intuition and observation
• Coordination, collaboration and counter measures
New approach to security operations is needed

Threat:
• Goal-oriented
• Human directed
• Multiple tools & activities
• New evasion techniques
• Coordinated
• Dynamic (adjust to changes)

New approach:
• Analyze all data for relevance
• Contextual and behavioral
• Rapid learning and response
• Leverage IOC & threat intel
• Share info & collaborate
• Fusion of technology, people & process
Here's one example of a new approach
[slide 9: image only]

But it should be…
[slide 10: image only]
What questions could you ask?

• Who is working on Saturdays?
• Who is badging into areas that they're not supposed to be in?
• Who accessed that server with admin privs over the past year?
• What countries are generating the most inbound traffic? Outbound?
• Which firewalls are passing ports that we've never seen before?
• What endpoints are exhibiting beaconing behavior?
• What countries are we communicating with that we don't do business in/have students registered in?
• What vulns are found on my network and what's been trying to exploit them?
• Who's accessing our resources with the same credentials but from different states or countries, at the same time?
• Who is accessing our competitor websites and what's the risk associated with that?
• Which servers are querying DNS far more than they ever normally do today?
• Which users have downloaded content from known phishing URLs?
• Whose HR data has changed after being infected by malware/visiting a phishing link?
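One of the questions above, "what endpoints are exhibiting beaconing behavior?", turned into detection logic over sample connection records. This is an added example written for this page, not code from the slides or from Splunk: the records are constructed inline, and the regularity test (coefficient of variation of the gaps between connections to the same destination) and the 0.15 cut-off are assumptions to tune per network.

```python
"""Beaconing detection over connection records: a host that contacts the same
destination at nearly constant intervals scores a low coefficient of variation
(stddev / mean) on its inter-connection gaps. Added example; not from the slides."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_records():
    """Constructed firewall/proxy records as (epoch_seconds, src_ip, dst_host)."""
    base = datetime(2014, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    records = []
    # 10.11.36.29 calls back every 300 s with a few seconds of jitter: beacon-like.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 0, 1]):
        t = base + timedelta(seconds=300 * i + jitter)
        records.append((t.timestamp(), "10.11.36.29", "cdn-update.example.net"))
    # 10.11.36.30 is a person browsing: bursts of requests and long idle gaps.
    t = base
    for gap in [0, 7, 95, 4, 600, 12, 30, 1800, 3, 45]:
        t += timedelta(seconds=gap)
        records.append((t.timestamp(), "10.11.36.30", "www.example.edu"))
    return records


def beacon_scores(records, min_connections=6):
    """Per (src, dst) pair with at least min_connections hits: connection count,
    mean gap in seconds and the coefficient of variation (CV) of the gaps."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = statistics.mean(gaps)
        # All gaps zero means one burst, not a beacon: push CV to infinity.
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        scores[pair] = {"connections": len(ts_list), "mean_gap": mean_gap, "cv": cv}
    return scores


def find_beacons(records, max_cv=0.15, min_connections=6):
    """Pairs whose gap regularity is within max_cv (lower = more clock-like)."""
    return sorted(pair for pair, s in beacon_scores(records, min_connections).items()
                  if s["cv"] <= max_cv)


if __name__ == "__main__":
    recs = make_sample_records()
    for pair, s in beacon_scores(recs).items():
        print(pair, "connections=%d mean_gap=%.1fs cv=%.3f"
              % (s["connections"], s["mean_gap"], s["cv"]))
    print("beacons:", find_beacons(recs))
```

Two caveats a practitioner will hit immediately: legitimate software (update checkers, NTP, monitoring agents) beacons too, so the output needs a whitelist of known destinations; and malware that randomises its sleep interval raises the CV, so pair this check with the "rarely visited site" test used elsewhere in this deck rather than relying on regularity alone.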
  
From Alert Based to Analytics Driven Security

Traditional alert-based approach     | Additional analysis approach
-------------------------------------|---------------------------------------
Time & event based                   | ...and phase, location, more
Data reduction                       | Data inclusion
Event correlation                    | Multiple/dynamic relationships
Detect attacks                       | Detect attackers
Needle in a haystack                 | Hay in a haystack
Power users, specialists             | Everyone – analytics-enabled team
Spear-phishing – Advanced Analytics

Three sample events, one from each source (illustrative data from the slide):

Web proxy:
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Endpoint log:
08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="John Doe\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""

Email server:
2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z

Sources: endpoint logs, web proxy, email server.
Time range: all three occurring within a 24-hour period.
Join key: the same user name appears in all three events.
What makes each event interesting: rarely seen email domain (email server), rarely visited web site (web proxy), rarely seen service/process (endpoint).
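The correlation the slide describes, written out as a runnable example. This is added code, not the slides' or Splunk's: the three event lists are constructed from the sample log lines above (timestamps normalised to UTC, which is an assumption), and "rarely seen" is judged against a constructed 30-day baseline counting how many distinct users touched each indicator. In Splunk terms the baseline would be a lookup populated by a scheduled search; here it is a dictionary.

```python
"""Correlate a rare sender domain, a rare web destination and a rare endpoint
process for the same user inside a 24-hour window. Added example; not from the
slides. Events and baseline are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, user, indicator) for each source
EMAIL_EVENTS = [  # indicator = sender domain
    ("2013-08-09T12:40:25Z", "johndoe", "neverseenbefore.com"),
    ("2013-08-09T09:05:00Z", "janeroe", "acme.com"),
]
PROXY_EVENTS = [  # indicator = destination host
    ("2013-08-09T16:21:38Z", "johndoe", "www.neverbeenseenbefore.com"),
    ("2013-08-09T10:15:02Z", "janeroe", "www.google.com"),
]
ENDPOINT_EVENTS = [  # indicator = process image name
    ("2013-08-09T16:23:51Z", "johndoe", "neverseenbefore.exe"),
    ("2013-08-09T11:00:00Z", "janeroe", "outlook.exe"),
]

# Distinct users seen with each indicator over the prior 30 days (constructed).
# Anything missing from the table has never been seen and counts as 0.
BASELINE_USER_COUNTS = {
    "acme.com": 1200, "www.google.com": 950, "outlook.exe": 1100,
}
RARE_THRESHOLD = 3          # fewer than this many prior users = "rarely seen"
WINDOW = timedelta(hours=24)
STAGES = ("email", "proxy", "endpoint")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_rare(indicator):
    return BASELINE_USER_COUNTS.get(indicator, 0) < RARE_THRESHOLD


def rare_hits(events, stage):
    """user -> [(time, stage, indicator)], keeping only rarely seen indicators."""
    out = defaultdict(list)
    for ts, user, indicator in events:
        if is_rare(indicator):
            out[user].append((parse_ts(ts), stage, indicator))
    return out


def correlate(email=EMAIL_EVENTS, proxy=PROXY_EVENTS, endpoint=ENDPOINT_EVENTS):
    """One alert per user who has a rare hit from every stage inside WINDOW."""
    per_stage = [rare_hits(email, "email"), rare_hits(proxy, "proxy"),
                 rare_hits(endpoint, "endpoint")]
    candidates = set(per_stage[0]) & set(per_stage[1]) & set(per_stage[2])
    alerts = []
    for user in sorted(candidates):
        hits = sorted(h for stage in per_stage for h in stage[user])
        # Anchor a 24-hour window at each hit in turn; alert on the first
        # window that contains all three stages.
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            if {h[1] for h in in_window} == set(STAGES):
                alerts.append({"user": user, "first_seen": t0.isoformat(),
                               "indicators": [(s, ind) for _, s, ind in in_window]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

The window is anchored at each hit rather than at midnight, so an email at 23:00 followed by a download at 01:00 still correlates. The join on a bare user name is the weak point in practice: the proxy, the mail server and the endpoint agent rarely spell the identity the same way (DOMAIN\user, user@acme.com, a hostname), so a real deployment needs an identity lookup in front of this step.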
  
All Machine Data is Security Relevant

Servers, storage, desktops, email, web, transaction records, network flows, DHCP/DNS, hypervisor, custom apps, physical access badges, threat intelligence, mobile, CMDB, intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication.

All Machine Data is Security Relevant – Traditional SIEM
[slide 16: the same data-source diagram, annotated "Traditional SIEM"]
If we can build a complete picture, we disrupt the Kill Chain; we disrupt the adversary.
Kill Chain Analysis Across Technology/Devices

Report and analyze · Custom dashboards · Monitor and alert · Ad hoc search · Developer platform

Machine data, real-time or batch: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; from the datacenter, private cloud and public cloud.

External lookups: threat intelligence, asset & CMDB, employee info, data stores, applications.
Connecting the "data-dots" via multiple/dynamic relationships

Kill chain: delivery, exploit, installation → gain trusted access → upgrade (escalate) → lateral movement → data gathering → exfiltration → persist, repeat.

What each data source contributes along the chain:
• Threat intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
• Network activity/security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth – user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Kill Chain Demo Link:
https://splunkevents.webex.com/splunkevents/lsr.php?RCID=beec1404b8b7ca27ae25bb418a906259
EDU Case Studies

• ASU – phishing
• EDU1 – DMCA
• Duke – direct deposit
• EDU2 – bomb threat
Where did this info come from?

• ASU, Duke, and [prestigious private university in Boston] have all acknowledged use of Splunk publicly
• Security has been a driving factor for adoption for all three
• I cannot do these justice – they are mere highlights. I thank the Splunkers from these universities profusely
• NONE OF THESE SCHOOLS OFFICIALLY ENDORSE SPLUNK. They have shared this information in the spirit of collaboration.
• Visit the URL below for slides and recordings: http://conf.splunk.com
ASU

Originally from C. Kurtz
[slides 24–28: images only]
Quick GeoIP/Haversine Demo
[slides 30–31: images only]
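What the GeoIP/Haversine demo is for, and the answer to the earlier question "who's accessing our resources with the same credentials but from different states or countries, at the same time?": geolocate consecutive logins per account and flag any pair whose implied travel speed is impossible. This is an added example, not the demo's or Splunk's code. The GeoIP table (RFC 5737 documentation addresses mapped to approximate city coordinates), the authentication events and the 900 km/h cut-off are all constructed or assumed; in Splunk the table would be a lookup or the output of iplocation.

```python
"""Impossible-travel check: great-circle distance (haversine) between the
source locations of consecutive logins, divided by the time between them.
Added example; not from the slides. GeoIP table and events are constructed."""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed GeoIP table: ip -> (lat, lon, country, city). Documentation-range
# addresses; coordinates are approximate city centres.
GEOIP = {
    "192.0.2.10":    (33.42, -111.93, "US", "Tempe, AZ"),
    "198.51.100.20": (36.00,  -78.94, "US", "Durham, NC"),
    "203.0.113.30":  (39.90,  116.40, "CN", "Beijing"),
}

# Constructed authentication events: (ISO-8601 UTC timestamp, user, source IP).
AUTH_EVENTS = [
    ("2014-03-01T08:00:00Z", "jdoe",   "192.0.2.10"),
    ("2014-03-01T08:45:00Z", "jdoe",   "203.0.113.30"),   # 45 min later, from Beijing
    ("2014-03-01T09:00:00Z", "asmith", "192.0.2.10"),
    ("2014-03-02T10:00:00Z", "asmith", "198.51.100.20"),  # a day later, East Coast
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, geoip=GEOIP, max_kmh=900.0):
    """One finding per consecutive login pair faster than max_kmh. 900 km/h is
    about airliner cruise speed, so anything above it cannot be one person;
    lower it to catch 'too fast for a car' moves inside one state."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((parse_ts(ts), ip))
    findings = []
    for user, logins in sorted(by_user.items()):
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 == ip2 or ip1 not in geoip or ip2 not in geoip:
                continue  # same address, or no geolocation: nothing to compare
            lat1, lon1, cc1, city1 = geoip[ip1]
            lat2, lon2, cc2, city2 = geoip[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": city1, "to": city2,
                                 "countries": (cc1, cc2), "km": round(km),
                                 "hours": round(hours, 2), "kmh": round(kmh)})
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(AUTH_EVENTS):
        print(finding)
```

Expect noise from VPN concentrators, mobile carriers and cloud-hosted mail clients, whose GeoIP location has nothing to do with where the user sits; a deployment normally exempts those address ranges before alerting.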
  
Automation…
[slides 32–33: images only]
Other Little-Known Security Apps

• Wordstats – search for data that has significant "Shannon entropy" – good for finding, for example, DGA domains
• Phishing Lookup – compare URLs found in data against known phishing sites
• Sentiment Analysis – analyze phrases found in data (such as tweets) and determine if they are positive or negative
• SPLICE – consume IOCs in STIX, CybOX, OpenIOC formats and compare your data to filenames, hashes, domains, URLs, etc. found within
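The two checks from this list that reduce to plain code, the Shannon-entropy test for DGA-style domains and matching observed domains, URLs and hashes against an indicator set, run over constructed proxy records. This is an added example, not the Wordstats, Phishing Lookup or SPLICE apps' code: the proxy lines, the indicator set (its one hash is the EICAR test file's MD5) and the 3.5-bit threshold are constructed or assumed, and the registrable-label helper ignores multi-label public suffixes such as co.uk.

```python
"""Shannon entropy of the registrable domain label (DGA-style names score
high) plus IOC matching on domains, URLs and file hashes. Added example; not
the apps' code. Inputs are constructed."""
import math
from collections import Counter

# Constructed proxy lines: date time client_ip method url status
PROXY_LINES = [
    "2013-08-09 16:21:38 10.11.36.29 GET http://www.neverbeenseenbefore.com/ 200",
    "2013-08-09 16:22:01 10.11.36.29 GET http://xk3j9qlw2mvz8pt4.com/gate.php 200",
    "2013-08-09 16:25:10 10.11.36.31 GET http://phish.example.net/login 200",
    "2013-08-09 16:26:44 10.11.36.32 GET http://www.google.com/search?q=splunk 200",
    "2013-08-09 16:30:00 10.11.36.33 GET http://mail.neverseenbefore.com/ 200",
]

# Constructed indicator set: the flat shape a STIX/OpenIOC feed reduces to once
# parsed. The md5 is the well-known EICAR test file hash, not real malware.
IOCS = {
    "domain": {"neverseenbefore.com"},
    "url": {"http://phish.example.net/login"},
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},
}


def shannon_entropy(text):
    """Bits per character; 16 distinct characters used once each give 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(host):
    """Label left of the TLD ('google' for www.google.com). Simplification:
    multi-label public suffixes such as co.uk are not handled (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_matches(host, ioc_domains):
    """Exact match or any subdomain of an indicator domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def parse_proxy_line(line):
    date, time, client, method, url, status = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0]
    return {"ts": date + " " + time, "client": client, "url": url, "host": host}


def analyze_proxy(lines, entropy_threshold=3.5):
    """(client, host, reason, detail) per check a record trips; a host can trip several."""
    findings = []
    for line in lines:
        ev = parse_proxy_line(line)
        entropy = shannon_entropy(registrable_label(ev["host"]))
        if entropy >= entropy_threshold:
            findings.append((ev["client"], ev["host"], "high_entropy", round(entropy, 2)))
        if domain_matches(ev["host"], IOCS["domain"]):
            findings.append((ev["client"], ev["host"], "ioc_domain", None))
        if ev["url"] in IOCS["url"]:
            findings.append((ev["client"], ev["host"], "ioc_url", None))
    return findings


def match_hashes(observed_md5s):
    """Endpoint-side check: which observed file hashes appear in the IOC set."""
    return sorted(h.lower() for h in observed_md5s if h.lower() in IOCS["md5"])


if __name__ == "__main__":
    for finding in analyze_proxy(PROXY_LINES):
        print(finding)
    print(match_hashes(["44D88612FEA8A8F36DE82E1278ABB02F",
                        "d41d8cd98f00b204e9800998ecf8427e"]))
```

Note the two near-misses in the sample: www.neverbeenseenbefore.com is readable English (entropy about 2.5 bits) and is not the same domain as the neverseenbefore.com indicator, so it trips neither check. Entropy only ranks candidates; it flags CDN and cloud hostnames as readily as DGA output, so the usual practice is to combine it with a "never seen before" frequency test like the one in the spear-phishing example.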
  
[prestigious private university in Boston]
[slides 35–39: images only]
DMCA Violation Reporting

• DMCA violations regularly sent via email from industry representatives
• Use Splunk to figure out who had that IP address during the timestamp given (dashboard form searches)
• Use DB Connect or an API query of the student/employee database to match IP to MAC, and identify the system owner
• Notify system owner of copyright violation

We can automate much of this, too.
Duke

Originally from J. Hopkins, P. Batton, E. Hope
[slides 42–63: images only]
[large university in the northeast] – Investigating a Bomb Threat

A large university in the Northeast…
• Student needed more time to prep for an exam, so decided to e-mail in a bomb threat to campus security. "I'm going to blow up the science building…"
• He did this via Tor so as to remain anonymous.
• Campus security worked with the security team and the FBI to investigate, using Splunk. How?
Search Ideas

• What can provide us with what students are searching? Proxy logs, wire data
• Needle in a haystack – who has been searching for "anonymous email" over the past week?
• Once we have an IP or a MAC or both, then continue the investigation – we will use DHCP logs, AP logs, and correlate with several structured data sources.
Search Terms against Wire or Proxy Data
• Where else did they go? If we see them "disappear" perhaps https? Tor?
• Downloaded Tor. But we have a MAC address and an IP address… let's use those to dig further…

Search Terms against DHCP logs
• Use MAC to get a hostname, how about access point logs?

Search Terms against AP logs
• Just search the hostname or the MAC we found against AP logs. We can link to residence hall…
Mapping it out
• Where is the residence hall? Simple lookup: provide Splunk with lat/lon of all access points…
Who is it?
• All users of the campus network have to register MAC addresses, so… use Splunk DB Connect (DBX) to attach to the data warehouse…

Sample registration record from the slide (MAC, e-mail, hostname, network ID):
10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478

• Now we have context in our search results.
• Let's correlate network ID with another DB of student info.
In sum…
• Proxy logs or wire data allowed us to look for suspicious search terms and find an IP address doing those searches.
• DHCP logs and AP logs allowed us to find a MAC address associated with those searches.
• Linking the AP logs with geographic data allows us to see where the user was.
• Linking the MAC address with the registration database lets us find a "network ID" that registered the device doing the searching.
• Linking the network ID with the student database allows us to see information about the student.
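The pivot chain behind both the DMCA workflow ("who had that IP address at the timestamp given?") and the bomb-threat investigation (IP → DHCP lease → MAC → access point → building → registered owner), as one runnable example. This is added code, not the universities' or Splunk's: the dhcpd syslog lines, the wireless-controller association lines and the AP location table are constructed, the association-log format is an assumption, and only the registration row comes from the slide. In Splunk each of these tables would be a lookup or a DB Connect query; here they are strings and dictionaries.

```python
"""Pivot from an IP address and a timestamp to the device and person behind it:
DHCP lease log -> MAC and hostname, AP association log -> access point and
building, device-registration table -> owner and network ID. Added example;
not from the slides. Inputs are constructed except the registration row."""
import re
from datetime import datetime

LOG_YEAR = 2013  # syslog lines carry no year (assumption for the sample)

# Constructed ISC dhcpd syslog lines. 10.11.36.29 is leased to three different
# MACs during the afternoon, which is why the timestamp is essential.
DHCP_LOG = """\
Aug  9 15:58:10 dhcp1 dhcpd: DHCPACK on 10.11.36.29 to 00:11:22:33:44:55 (lab-pc-07) via eth0
Aug  9 16:20:01 dhcp1 dhcpd: DHCPACK on 10.11.36.29 to 10:dd:b1:b7:eb:a8 (jbrodsky-mbp15) via eth0
Aug  9 16:21:00 dhcp1 dhcpd: DHCPACK on 10.11.36.30 to aa:bb:cc:dd:ee:ff (other-host) via eth0
Aug  9 16:40:33 dhcp1 dhcpd: DHCPACK on 10.11.36.29 to 66:77:88:99:aa:bb (guest-phone) via eth0
"""

# Constructed wireless-controller association lines (format is an assumption).
AP_LOG = """\
Aug  9 16:05:12 wlc1 client 00:11:22:33:44:55 associated ap=LIB-1F-01
Aug  9 16:19:50 wlc1 client 10:dd:b1:b7:eb:a8 associated ap=RH-SMITH-3F-02
"""

# Constructed AP location lookup: ap -> (building, lat, lon).
AP_LOCATIONS = {
    "LIB-1F-01": ("Main Library", 42.3601, -71.0942),
    "RH-SMITH-3F-02": ("Smith Residence Hall", 42.3612, -71.0905),
}

# Registration table in the shape shown on the slide: mac,email,hostname,network_id
REGISTRATIONS = "10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478\n"

DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\) via")
AP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ client (\S+) associated ap=(\S+)")


def syslog_time(stamp):
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def parse_leases(text):
    """[(time, ip, mac, hostname)] from DHCPACK lines; MACs lower-cased."""
    out = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            out.append((syslog_time(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)))
    return out


def parse_assocs(text):
    """[(time, mac, ap)] from association lines."""
    out = []
    for line in text.splitlines():
        m = AP_RE.match(line)
        if m:
            out.append((syslog_time(m.group(1)), m.group(2).lower(), m.group(3)))
    return out


def parse_registrations(text):
    regs = {}
    for line in text.splitlines():
        mac, email, hostname, network_id = line.split(",")
        regs[mac.lower()] = {"owner": email, "reg_hostname": hostname, "network_id": network_id}
    return regs


def latest_before(events, key, at):
    """Most recent event whose second field equals key, at or before `at`."""
    matches = [e for e in events if e[1] == key and e[0] <= at]
    return max(matches, key=lambda e: e[0]) if matches else None


def pivot(ip, when):
    """Who held `ip` at `when` ("YYYY-MM-DD HH:MM:SS", same zone as the logs)?"""
    at = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    lease = latest_before(parse_leases(DHCP_LOG), ip, at)
    if lease is None:
        return None  # no lease on record: nothing to attribute
    _, _, mac, hostname = lease
    result = {"ip": ip, "mac": mac, "hostname": hostname,
              "ap": None, "building": None, "owner": None, "network_id": None}
    assoc = latest_before(parse_assocs(AP_LOG), mac, at)
    if assoc:
        result["ap"] = assoc[2]
        result["building"] = AP_LOCATIONS.get(assoc[2], (None,))[0]
    result.update(parse_registrations(REGISTRATIONS).get(mac, {}))
    return result


if __name__ == "__main__":
    print(pivot("10.11.36.29", "2013-08-09 16:21:38"))
    print(pivot("10.11.36.29", "2013-08-09 16:45:00"))
```

Two things decide whether this attribution holds up: the timestamp in a DMCA notice is usually UTC while dhcpd logs in local time, so normalise before comparing; and if the campus NATs outbound traffic, the IP in the notice is the NAT pool address and you need the translation log to get back to the inside address first. The unregistered guest device in the sample shows the honest answer when the chain breaks: a MAC and a hostname, but no owner.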
  
Enterprise Security Demo (Time Permitting)

ES Demo Link: http://www.splunk.com/view/SP-CAAAJP6
In Conclusion

Security is a team sport and takes a village!
Leverage a rich ecosystem

Security intelligence platform:
• Splunk for Enterprise Security
• 200+ security apps/add-ons, e.g. Cisco (WSA, ESA, ISE, SF), Palo Alto Networks, FireEye, DShield, DNS, OSSEC, Symantec, ThreatStream, …
• Vendor community, additional Splunk apps, custom apps
Customer and Industry Recognition

2800 security customers · Leader in Gartner SIEM MQ · Splunk industry awards
Analytics Driven Security – Empowering People and Data

A security intelligence platform should enable any security program to leverage technology, human expertise, and business/IT processes in the most effective way to deliver on security.
Why Splunk?

Integrated, Holistic & Open
• Single product & data store
• All original machine data is indexed and searchable
• Open platform with API, SDKs, 500+ apps

Flexible & Empowering
• Schema on read
• Search delivers accurate, faster investigations and detection
• Powerful visualizations and analytics help identify outliers

Simplicity, Speed and Scale
• Fast deployment + ease-of-use = rapid time-to-value
• Runs on commodity hardware, virtualized and/or in the cloud
• Scales as your needs grow

All Your Data in One Place: increases collaboration and partnership, eliminates silos & delivers proven ROI

[slide 83: Traditional SIEM vs. Splunk comparison chart, image only]
Next Steps

• Info, data sheets, white papers, recorded demos at:
  Ø Splunk.com > Solutions > Security
  Ø Splunk.com > Solutions > Compliance
  Ø conf.splunk.com for full EDU presentations
• Try Splunk for free!
  Ø Download Splunk at www.splunk.com
  Ø Go to Splunk.com > Community > Documentation > Search Tutorial
  Ø In 30 minutes you will have imported data, run searches, created reports
  Ø Security Apps at https://apps.splunk.com/
• Contact sales team at Splunk.com > About Us > Contact

Q&A

Thank You
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
Splunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
Splunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
Splunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
Splunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
Splunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
Splunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
Splunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
Splunk
 

More from Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 

Recently uploaded (20)

ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

Security Breakout Session

  • 1. Copyright © 2014 Splunk Inc. Splunk for Security: Analytics Driven Security for Higher Education. James Brodsky, SE/Security SME, Splunk
  • 2. Agenda
    •  Splunk for Security (20 min)
    •  EDU Case Studies (20 min)
    •  Demonstration of the Splunk App for Enterprise Security (15 min, time permitting)
    •  Q & A
  • 3. Why Splunk for Security? Machine Data contains a DEFINITIVE RECORD of all Human to Machine and Machine to Machine Interaction. Splunk ingests, stores, and analyzes all of that data at scale.
  • 4. Advanced Threats Are Hard to Find: Cyber Criminals, Nation States, Insider Threats. Source: Mandiant M-Trends Report 2012/2013/2014.
    •  100% – valid credentials were used
    •  40 – average # of systems accessed
    •  229 – median # of days before detection
    •  67% – of victims were notified by an external entity
  • 5. Attackers & Threats have Changed & Matured
    •  Threat: Goal-oriented; Human directed; Multiple tools, steps & activities; New evasion techniques; Coordinated; Dynamic, adjust to changes
    •  People: Outsider (organized crime, competitor, nation/state); Insiders (contractor, disgruntled employee)
    •  Technology: Malware, bots, backdoors, rootkits, zero-day; Exploit kits, password dumper, etc.
    •  Process: Attack Lifecycle, multi-stage, remote controlled; Threat marketplaces – buy and rent
  • 6. Modern Security Programs Need More than Technology
    •  Threat – People: Outsider (organized crime, competitor, nation/state); Insiders (contractor, disgruntled employee). Technology: Malware, bots, backdoors, rootkits, zero-day; Exploit kits, password dumper, etc. Process: Attack Lifecycle, multi-stage, remote controlled; Threat marketplaces – buy and rent
    •  Solution – Technology: Firewall, Anti-malware, AV, IPS, etc.; Anti-spam, etc. Human: Intuition and Observation; Coordination, Collaboration and Counter Measures
  • 7. New approach to security operations is needed
    •  Threat: Goal-oriented; Human directed; Multiple tools & activities; New evasion techniques; Coordinated; Dynamic (adjust to changes)
    •  Response: Analyze all data for relevance; Contextual and behavioral; Rapid learning and response; Leverage IOC & Threat Intel; Share info & collaborate; Fusion of technology, people & process
  • 8. Here's one example of a new approach
  • 9. But it should be…
  • 10. (image only)
  • 11. What questions could you ask?
    •  Who is working on Saturdays?
    •  Who is badging into areas that they're not supposed to be in?
    •  Who accessed that server with admin privs over the past year?
    •  What countries are generating the most inbound traffic? Outbound?
    •  Which firewalls are passing ports that we've never seen before?
    •  What endpoints are exhibiting beaconing behavior?
    •  What countries are we communicating with that we don't do business in/have students registered in?
    •  What vulns are found on my network and what's been trying to exploit them?
    •  Who's accessing our resources with the same credentials but from different states or countries, at the same time?
    •  Who is accessing our competitor websites and what's the risk associated with that?
    •  Which servers are querying DNS far more than they ever normally do today?
    •  Which users have downloaded content from known phishing URLs?
    •  Whose HR data has changed after being infected by malware/visiting a phishing link?
  • 12. From Alert Based to Analytics Driven Security (Traditional Alert-based Approach → Additional Analysis Approach)
    •  Time & Event based → ...and phase, location, more…
    •  Data reduction → Data inclusion
    •  Event correlation → Multiple/dynamic relationships
    •  Detect attacks → Detect attackers
    •  Needle in a haystack → Hay in a haystack
    •  Power Users, Specialist → Everyone – Analytics-enabled Team
  • 13. (image only)
  • 14. Spear-phishing – Advanced Analytics. Sources: Web Proxy, Endpoint Logs, Email Server. Time range: all three occurring within a 24-hour period, tied together by User Name.
    •  Web Proxy (rarely visited web site): 2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET www.neverbeenseenbefore.com HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; )" User John Doe
    •  Endpoint Logs (rarely seen service): 08/09/2013 16:23:51.0128 event_status="(0)The operation completed successfully." pid=1300 process_image="\Device\HarddiskVolume1\Windows\System32\neverseenbefore.exe" registry_type="CreateKey" key_path="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Printers\PrintProviders\John Doe-PC\Printers\{}\NeverSeenbefore" data_type=""
    •  Email Server (rarely seen email domain): 2013-08-09T12:40:25.475Z,,exch-hub-den-01,,exch-mbx-cup-00,,,STOREDRIVER,DELIVER,79426,<20130809050115.18154.11234@acme.com>,johndoe@acme.com,,685191,1,,,hacker@neverseenbefore.com,Please open this attachment with payroll information,,,2013-08-09T22:40:24.975Z
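As an added example (not part of the deck), the slide's three-source correlation in Python: a baseline of how often each web site, process name and sender domain has been seen, then a per-user search for a rare value from all three sources inside one 24-hour window. The baseline counts, the rarity threshold and the events are constructed.

```python
"""Correlate rare web, endpoint and e-mail events per user within 24 h.

Mirrors the three-source spear-phishing pattern: mail from a rarely seen
sender domain, a visit to a rarely seen web site and a never-before-seen
process, all tied to the same user inside one day.
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
RARE_MAX = 1  # seen this often or less over the lookback period counts as "rare"

# Constructed baseline: occurrences of each value over the lookback period.
# Anything absent from the Counter has been seen 0 times.
BASELINE = {
    "web":     Counter({"www.acme.com": 900, "mail.google.com": 450}),
    "process": Counter({"explorer.exe": 5000, "outlook.exe": 3000}),
    "email":   Counter({"acme.com": 12000, "partner.example": 80}),
}

# Constructed events already normalised to (source, time, user, value).
EVENTS = [
    ("email",   "2013-08-09T12:40:25", "johndoe", "neverseenbefore.com"),
    ("web",     "2013-08-09T16:21:38", "johndoe", "www.neverbeenseenbefore.com"),
    ("process", "2013-08-09T16:23:51", "johndoe", "neverseenbefore.exe"),
    # jsmith: the rare mail and the rare process are eight days apart, and the
    # web visit is to a well-known site, so nothing should fire.
    ("web",     "2013-08-09T09:00:00", "jsmith",  "www.acme.com"),
    ("email",   "2013-08-01T08:00:00", "jsmith",  "neverseenbefore.com"),
    ("process", "2013-08-09T10:00:00", "jsmith",  "neverseenbefore.exe"),
]


def is_rare(source, value, baseline=BASELINE):
    """A value (almost) absent from the baseline for its source is rare."""
    return baseline[source][value] <= RARE_MAX


def rare_events(events, baseline=BASELINE):
    """Keep only rare events, parsed and grouped by user."""
    by_user = {}
    for source, ts, user, value in events:
        if is_rare(source, value, baseline):
            by_user.setdefault(user, []).append(
                (datetime.fromisoformat(ts), source, value))
    return by_user


def correlate(events, baseline=BASELINE, window=WINDOW):
    """Return (user, first_event_time, {source: value}) for every user with a
    rare email, web and process event inside `window`."""
    hits = []
    for user, evs in rare_events(events, baseline).items():
        evs.sort()
        # Slide a window that starts at each rare event and check that all
        # three sources appear inside it.
        for i, (start, _, _) in enumerate(evs):
            inside = [e for e in evs[i:] if e[0] - start <= window]
            if {"email", "web", "process"} <= {e[1] for e in inside}:
                hits.append((user, start.isoformat(),
                             {src: val for _, src, val in inside}))
                break
    return hits


if __name__ == "__main__":
    for user, first, detail in correlate(EVENTS):
        print(f"{user}: rare events from all three sources starting {first}: {detail}")
```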
  • 15. All Machine Data is Security Relevant: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
  • 16. All Machine Data is Security Relevant – the same sources, with the subset a Traditional SIEM covers: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
  • 17. If we can build a complete picture, we disrupt the Kill Chain, we disrupt the adversary
  • 18. Kill Chain Analysis Across Technology/Devices
    •  Uses: Report and analyze; Custom dashboards; Monitor and alert; Ad hoc search; Developer Platform
    •  Machine Data, Real-time or Batch: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID; from the Datacenter, Private Cloud and Public Cloud
    •  External Lookups: Threat Intelligence; Asset & CMDB; Employee Info; Data Stores; Applications
  • 19. Connecting the "data-dots" via multiple/dynamic relationships
    •  Threat intelligence: Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
    •  Network Activity/Security: Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
    •  Host Activity/Security: What process is running (malicious, abnormal, etc.); process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
    •  Auth – User Roles: Access level, privileged users, likelihood of infection, where they might be in kill chain
    •  Kill chain stages: Delivery, exploit installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data Gathering → Exfiltration; Persist, Repeat
  • 20. Kill Chain Demo Link: https://splunkevents.webex.com/splunkevents/lsr.php?RCID=beec1404b8b7ca27ae25bb418a906259
  • 21. EDU Case Studies: ASU – phishing; EDU1 – DMCA; Duke – direct deposit; EDU2 – bomb threat
  • 22. Where did this info come from?
    •  ASU, Duke, and [prestigious private university in Boston] have all acknowledged use of Splunk publicly
    •  Security has been a driving factor for adoption for all three
    •  I cannot do these justice – they are mere highlights. I thank the Splunkers from these universities profusely
    •  NONE OF THESE SCHOOLS OFFICIALLY ENDORSE SPLUNK. They have shared this information in the spirit of collaboration.
    •  Visit the URL below for slides and recordings: http://conf.splunk.com
  • 23. ASU. Originally from C. Kurtz
  • 33. Other Little-Known Security Apps
    •  Wordstats – Search for data that has significant "Shannon entropy" – good for finding, for example, DGA domains
    •  Phishing Lookup – Compare URLs found in data against known phishing sites
    •  Sentiment Analysis – Analyze phrases found in data (such as tweets) and determine if they are positive or negative
    •  SPLICE – Consume IOCs in STIX, CybOX, OpenIOC formats and compare your data to filenames, hashes, domains, URLs, etc. found within
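The Shannon-entropy idea behind the Wordstats bullet, as an added example rather than the app's own code: score the registrable label of each DNS query name and flag long, high-entropy labels of the kind a domain-generation algorithm produces. The suffix list, the 3.5-bit threshold, the 10-character minimum and the sample query names are constructed.

```python
"""Flag DNS query names whose second-level label has unusually high Shannon entropy.

Domain-generation algorithms (DGAs) tend to produce labels such as
kq7zx2mvp9wd4tl, whose character distribution is far flatter than that of a
human-chosen name like splunk or neverbeenseenbefore.
"""
import math
from collections import Counter

# Suffixes used by the constructed sample. A real deployment would use the
# full Public Suffix List so that two-label TLDs like co.uk are stripped.
SUFFIXES = {"com", "net", "org", "edu", "co.uk"}


def registrable_label(fqdn):
    """Label immediately left of the public suffix: "splunk" for www.splunk.com."""
    parts = fqdn.lower().rstrip(".").split(".")
    for n in (2, 1):  # try a two-label suffix first ("co.uk"), then one label
        if len(parts) > n and ".".join(parts[-n:]) in SUFFIXES:
            return parts[-n - 1]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character: -sum(p * log2(p)) over the character frequencies."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def score_domains(fqdns, threshold=3.5, min_len=10):
    """Return (fqdn, label, entropy) for labels that are both long and high-entropy.

    Short labels are skipped on purpose: a 4-character label can never exceed
    2 bits, so its entropy says nothing about whether it was generated.
    """
    flagged = []
    for fqdn in fqdns:
        label = registrable_label(fqdn)
        h = shannon_entropy(label)
        if len(label) >= min_len and h >= threshold:
            flagged.append((fqdn, label, round(h, 2)))
    return flagged


# Constructed DNS query names: ordinary sites plus two DGA-looking ones.
# neverbeenseenbefore.com is long but English-like and should not be flagged.
SAMPLE_QUERIES = [
    "www.splunk.com", "mail.google.com", "www.bbc.co.uk",
    "kq7zx2mvp9wd4tl.com", "a8f3h1k9d2s7g4j6.net", "www.neverbeenseenbefore.com",
]

if __name__ == "__main__":
    for fqdn, label, h in score_domains(SAMPLE_QUERIES):
        print(f"{fqdn}: label {label!r} has {h} bits/char")
```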
  • 39. 39   39   DMCA  Viola<on  Repor<ng   •  DMCA  Viola<ons  regularly  sent  via  email   from  industry  representa<ves   •  Use  Splunk  to  figure  out  who  had  that  IP   address  during  the  <mestamp  given   (dashboard  form  searches)   •  Use  DB  Connect  or  API  query  of  student/ employee  database  to  match  IP  to  MAC,   and  iden<fy  system  owner   •  No<fy  system  owner  of  copyright   viola<on   We  can  automate   much  of  this,  too.  
  • 41. Duke     Originally  from  J.  Hopkins,  P.  BaJon,  E.  Hope  
  • 64. [large  university  in  the   northeast]  -­‐  Inves<ga<ng  a   Bomb  Threat  
  • 65. 65   A  large  university  in  the  Northeast…   •  Student  needed  more  <me  to  prep  for  an  exam,  so  decided  to   e-­‐mail  in  a  bomb  threat  to  campus  security.  “I’m  going  to  blow   up  the  science  building…”   •  He  did  this  via  Tor  so  as  to  remain  anonymous.   •  Campus  security  worked  with  security  team  and  FBI  to   inves<gate,  using  Splunk.  How?   65  
• 66. Search Ideas • What can tell us what students are searching for? • Proxy logs, wire data • Needle in a haystack – who has been searching for “anonymous email” over the past week? • Once we have an IP or a MAC or both, we continue the investigation with DHCP logs, AP logs, and correlation against several structured data sources.
• 67. Search Terms against Wire or Proxy Data • Where else did they go? If we see them “disappear”, perhaps HTTPS? Tor?
• 68. Search Terms against Wire or Proxy Data • Downloaded Tor. But we have a MAC address and an IP address… let’s use those to dig further…
• 69. Search Terms against DHCP Logs • Use the MAC to get a hostname; now, how about access point logs?
• 70. Search Terms against AP Logs • Just search the hostname or the MAC we found against the AP logs. We can link to a residence hall…
• 71. Mapping it out • Where is the residence hall? Simple lookup: provide Splunk with the lat/lon of all access points…
• 72. Who is it? • All users of the campus network have to register MAC addresses, so… use Splunk DB Connect (DBX) to attach to the data warehouse… 10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478
• 73. Who is it? • Now we have context in our search results. • Let’s correlate the network ID with another DB of student info.
• 74. In sum… • Proxy logs or wire data allowed us to look for suspicious search terms and find an IP address doing those searches. • DHCP logs and AP logs allowed us to find a MAC address associated with those searches. • Linking the AP logs with geographic data allows us to see where the user was. • Linking the MAC address with the registration database lets us find a “network ID” that registered the device doing the searching. • Linking the network ID with the student database allows us to see information about the student.
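The bomb-threat walk-through (slides 66 to 74) and the DMCA workflow (slide 39) are the same correlation chain seen from two entry points: a search term or a notice gives you an IP and a time, and from there DHCP leases, AP associations and the registration database lead to a person. The block below is an added example in plain Python that carries the whole chain through on constructed data; it is not code from the deck or from Splunk, and the proxy, DHCP and AP log formats, the client addresses, the AP names and coordinates are all assumptions. The registration row is the one shown on slide 72; its column names (`mac,email,hostname,netid`) are assumed. The part the slides do not spell out, and the part that matters most for a DMCA notice, is that the IP-to-MAC step must be bounded by the timestamp: the sample DHCP log re-leases the same address to a different device later in the day, and the lookup must return the device that held it at the time of the event, not the current tenant.

```python
import csv
import io
import re
from datetime import datetime
from urllib.parse import unquote_plus

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# ---- Constructed sample data (not real logs; timestamps normalised to ISO) ----
PROXY_LOG = """\
2014-04-28T09:12:44 src=10.20.30.40 method=GET url=http://search.example/?q=anonymous+email status=200
2014-04-28T09:12:51 src=10.20.30.41 method=GET url=http://news.example/ status=200
2014-04-28T09:13:02 src=10.20.30.40 method=GET url=https://www.torproject.org/download/ status=200
"""
# The same IP is re-leased to a different device at 11:40: the edge case that matters.
DHCP_LOG = """\
2014-04-28T08:55:10 dhcpd: DHCPACK on 10.20.30.40 to 10:dd:b1:b7:eb:a8 (jbrodsky-mbp15) via eth1
2014-04-28T09:00:31 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (other-laptop) via eth1
2014-04-28T11:40:05 dhcpd: DHCPACK on 10.20.30.40 to aa:bb:cc:dd:ee:ff (later-tenant) via eth1
"""
AP_LOG = """\
2014-04-28T08:54:58 wlc1: Assoc 10:dd:b1:b7:eb:a8 ap=ap-north-res-3f-02 ssid=Campus
2014-04-28T09:00:20 wlc1: Assoc 00:11:22:33:44:55 ap=ap-library-1f-07 ssid=Campus
"""
# CSV lookups as Splunk would hold them. AP names and coordinates are made up.
AP_LOOKUP = """\
ap_name,building,lat,lon
ap-north-res-3f-02,North Residence Hall,40.1234,-74.5678
ap-library-1f-07,Main Library,40.1250,-74.5700
"""
# Registration row from slide 72; the header names are an assumption.
REGISTRATION = """\
mac,email,hostname,netid
10:DD:B1:B7:EB:A8,jbombalot@myschool.edu,jbrodsky-mbp15,jb45478
"""


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def proxy_hits(term, proxy_log=PROXY_LOG):
    """(timestamp, src_ip, url) for each request whose decoded URL contains term."""
    hits = []
    for line in proxy_log.splitlines():
        m = re.match(r"(\S+) src=(\S+) method=\S+ url=(\S+)", line)
        if m and term.lower() in unquote_plus(m.group(3)).lower():
            hits.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    return hits


def urls_for_ip(ip, proxy_log=PROXY_LOG):
    """Everything else that client fetched ('where else did they go?')."""
    urls = []
    for line in proxy_log.splitlines():
        m = re.match(r"\S+ src=(\S+) method=\S+ url=(\S+)", line)
        if m and m.group(1) == ip:
            urls.append(m.group(2))
    return urls


def _latest_before(when, rows):
    """rows: (timestamp, payload) pairs; payload of the newest one at or before when."""
    best = None
    for t, payload in rows:
        if t <= when and (best is None or t > best[0]):
            best = (t, payload)
    return None if best is None else best[1]


def mac_for_ip_at(ip, when, dhcp_log=DHCP_LOG):
    """(mac, hostname) that held ip at `when`: newest DHCPACK at or before it.
    The time bound is what keeps a DMCA notice from landing on whoever holds
    the address now rather than whoever held it at the time in the notice."""
    rows = []
    for line in dhcp_log.splitlines():
        m = re.match(r"(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)", line)
        if m and m.group(2) == ip:
            rows.append((parse_ts(m.group(1)), (m.group(3).lower(), m.group(4))))
    return _latest_before(when, rows)


def ap_for_mac_at(mac, when, ap_log=AP_LOG):
    """Access point the MAC was last associated to at or before `when`."""
    rows = []
    for line in ap_log.splitlines():
        m = re.match(r"(\S+) \S+ Assoc (\S+) ap=(\S+)", line)
        if m and m.group(2).lower() == mac.lower():
            rows.append((parse_ts(m.group(1)), m.group(3)))
    return _latest_before(when, rows)


def lookup(csv_text, field, value):
    """Case-insensitive single-row CSV lookup (what a Splunk lookup would do)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[field].lower() == value.lower():
            return row
    return None


def identify(ip, when):
    """IP + time -> MAC/hostname -> AP/building -> registered owner, or None."""
    lease = mac_for_ip_at(ip, when)
    if lease is None:
        return None
    mac, host = lease
    ap = ap_for_mac_at(mac, when)
    place = lookup(AP_LOOKUP, "ap_name", ap) if ap else None
    reg = lookup(REGISTRATION, "mac", mac)
    return {"ip": ip, "when": when.strftime(TS_FMT), "mac": mac, "hostname": host,
            "ap": ap, "building": place["building"] if place else None,
            "lat": place["lat"] if place else None, "lon": place["lon"] if place else None,
            "netid": reg["netid"] if reg else None, "email": reg["email"] if reg else None}


def investigate(term):
    """Bomb-threat workflow: search term -> IP -> identity, plus that IP's other URLs."""
    hits = proxy_hits(term)
    if not hits:
        return None
    when, ip, _ = hits[0]
    result = identify(ip, when)
    if result is not None:
        result["other_urls"] = urls_for_ip(ip)
    return result


def dmca_owner(ip, when_str):
    """DMCA workflow: the notice's IP and timestamp -> registered owner."""
    return identify(ip, parse_ts(when_str))


if __name__ == "__main__":
    print(investigate("anonymous email"))
    print(dmca_owner("10.20.30.40", "2014-04-28T09:30:00"))
```

In Splunk the same chain is a search over the proxy index piped through `transaction`- or `join`-style correlation with the DHCP and AP sourcetypes and two lookups, but the logic is identical, and the check worth keeping from this version is `_latest_before`: a DMCA notice quoting a time after the lease has moved on (here, anything after 11:40) must resolve to the later device, and a time before any lease must resolve to nobody rather than to the nearest row.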
• 75. Enterprise Security Demo (Time Permitting)
• 76. ES Demo Link: http://www.splunk.com/view/SP-CAAAJP6
• 78. Security is a team sport and takes a village!
• 79. Leverage a rich Eco System [figure: Security Intelligence platform – 200+ security apps/add-ons; Splunk for Enterprise Security; vendor apps (Cisco WSA, ESA, ISE, SF; Palo Alto Networks; FireEye; Symantec; ThreatStream); community apps (DShield, DNS, OSSEC); custom apps; additional Splunk apps …]
• 80. Customer and Industry Recognition • 2800 security customers • Leader in Gartner SIEM MQ • Splunk industry awards
• 81. Analytics Driven Security – Empowering People and Data • A security intelligence platform should enable any security program to leverage technology, human expertise, and business/IT processes in the most effective way to deliver on security
• 82. Why Splunk? Integrated, Holistic & Open • Single product & data store • All original machine data is indexed and searchable • Open platform with API, SDKs, 500+ apps Flexible & Empowering • Schema on read • Search delivers accurate, faster investigations and detection • Powerful visualizations and analytics help identify outliers Simplicity, Speed and Scale • Fast deployment + ease-of-use = rapid time-to-value • Runs on commodity hardware, virtualized and/or in the cloud • Scales as your needs grow All Your Data in One Place: Increases Collaboration and Partnership, Eliminates Silos & Delivers Proven ROI
• 83. Next Steps [figure: Traditional SIEM vs. Splunk] • Info, data sheets, white papers, recorded demos at: Ø Splunk.com > Solutions > Security Ø Splunk.com > Solutions > Compliance Ø conf.splunk.com for full EDU presentations • Try Splunk for free! Ø Download Splunk at www.splunk.com Ø Go to Splunk.com > Community > Documentation > Search Tutorial Ø In 30 minutes you will have imported data, run searches, and created reports Ø Security apps at https://apps.splunk.com/ • Contact the sales team at Splunk.com > About Us > Contact