UEBA (behavioral analytics for information security): technologies for detecting anomalies in the actions of an authorized user. Банковское обозрение
UEBA (behavioral analytics for information security): technologies for detecting anomalies in the actions of an authorized user. Oleg Bakshinsky, IBM Russia and CIS
Slide 9: Security Intelligence platform, "Meets Key Needs of SOC Personnel". Use cases (top right): Monitor & Alert; Search & Investigate; Custom Dashboards & Reports; Analytics & Visualization. Adding data from other sources: real-time machine data (left) from cloud apps, servers, email, web, network flows, DHCP/DNS, custom apps, badges, intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication, storage, industrial control, mobile. External lookups / enrichment (bottom): threat feeds, asset info, employee info, data stores, network segments.
Slide 10: Data from security systems, reaching the platform via API, SDKs and UI: network traffic analysis; identity & access control; perimeter defense; email payload analysis; endpoint behavior analysis; endpoint change tracking; DLP; security analytics; threat intelligence; cloud security.
Slide 11: Data from IT systems, reaching the platform via API, SDKs and UI: server, storage, network; server virtualization; operating systems; custom applications; business applications; cloud services; app performance monitoring; ticketing/other; web intelligence; mobile applications; stream.
Collect, search and analyze, gaining knowledge in real time.
At its core, the Splunk platform enables you to:
Collect data from anywhere – with universal forwarding and indexing technology.
Search and analyze across all your data – with powerful search and schema-on-the-fly technology.
Rapidly deliver real-time insights from machine data to IT and business people – through a powerful UI and dashboards.
This is what we call Operational Intelligence.
Splunk's mission leads your company to success
At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
You need a Security Intelligence platform, which is a SIEM plus more. We will come back to that later. In summary, this platform can automatically sift through hundreds or thousands of daily security-related events to alert on, and assign severity levels to, only the handful of incidents that really matter. For these incidents, the platform then enables SOC analysts to quickly research and remediate them.
This platform can ingest any type of machine data, from any source, in real time. These sources are listed on the left and flow into the platform for indexing. The platform should also be able to leverage lookups and external data to enrich existing data. This is shown at the bottom and includes employee information from AD, asset information from a CMDB, blacklists of bad external IPs from third-party threat intelligence feeds, application lookups, and more. Correlation searches can include this external content. So, for example, the platform can alert you if a low-level employee accesses a file share with critical data, but not if the file share has harmless data. Or the platform can alert you if a user name is used that belongs to an employee who no longer works for your organization. These are especially high-risk events.
A SOC can then perform the use cases on the top right against the data. These use cases cover all the personnel tiers in the SOC, so they can all leverage the platform. They can search through the data, monitor the data, and be alerted in real time if search parameters are met. This includes cross-data-source correlation rules, which help find the proverbial needle in the haystack so the SOC only needs to focus on the tiny number of priority incidents hidden among a sea of events. The raw data can be aggregated in seconds for custom reports and dashboards. The platform should also be one that developers can build on: it uses a well-documented REST API and several SDKs, so developers and external applications can directly access and act on the data within it.
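The two enrichment-driven correlations described above (a low-level employee on a critical share, and a departed employee's account still in use), plus the threat-feed blacklist check, as an added example. This is not Splunk's code or the speaker's; it mimics what a lookup-enriched correlation search does, with constructed AD, CMDB and threat-feed lookups and constructed sample events.

```python
# Added example (not Splunk's code): a lookup-enriched correlation step,
# joining normalized events against constructed AD/CMDB/threat-feed lookups.
from dataclasses import dataclass

# Constructed lookups standing in for an AD export, a CMDB and a threat feed.
EMPLOYEES = {
    "jsmith": {"status": "active", "level": "staff"},
    "mlee": {"status": "active", "level": "executive"},
    "rdoe": {"status": "terminated", "level": "staff"},
}
ASSETS = {"fs-finance": "critical", "fs-cafeteria": "low"}
BAD_IPS = {"203.0.113.9"}  # documentation-range address, constructed

@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    dest: str

def correlate(event: dict) -> list:
    """Return the alerts one normalized event raises after enrichment."""
    alerts = []
    user, dest = event["user"], event.get("dest", "")
    emp = EMPLOYEES.get(user)
    criticality = ASSETS.get(dest)
    # Account of a departed employee is in use: high severity regardless of target.
    if emp and emp["status"] == "terminated":
        alerts.append(Alert("terminated_account_used", "high", user, dest))
    # Rank-and-file user touching a share the CMDB marks critical; harmless shares stay quiet.
    if (emp and event["action"] == "file_access" and criticality == "critical"
            and emp["level"] == "staff"):
        alerts.append(Alert("staff_access_to_critical_share", "medium", user, dest))
    # Source address appears on the third-party blacklist.
    if event.get("src_ip") in BAD_IPS:
        alerts.append(Alert("known_bad_source_ip", "high", user, dest))
    return alerts

def run(events: list) -> list:
    """Sift a stream of events down to the handful of alerts that matter."""
    return [a for e in events for a in correlate(e)]

# Constructed sample events (already normalized to common field names).
SAMPLE_EVENTS = [
    {"user": "jsmith", "action": "file_access", "dest": "fs-cafeteria", "src_ip": "10.0.0.5"},
    {"user": "jsmith", "action": "file_access", "dest": "fs-finance", "src_ip": "10.0.0.5"},
    {"user": "rdoe", "action": "login", "dest": "vpn-gw", "src_ip": "203.0.113.9"},
    {"user": "mlee", "action": "file_access", "dest": "fs-finance", "src_ip": "10.0.0.7"},
]
```

Of the four sample events only two raise alerts: the cafeteria share and the executive's access stay silent, while the terminated account also trips the blacklist rule, which is the kind of stacking a SOC uses to rank severity.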
To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage across the security and infrastructure elements. Organizations need a platform that provides out-of-the-box support and allows any technology, security or infrastructure device to be supported; this helps unify what have traditionally been siloed efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos.
The Splunk platform also provides role-based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, while still letting them collaborate and see things across the environment. This is critical when organizations need to determine whether an issue is a security, IT operations or application issue.
A range of plugins, templates and full-fledged apps are available to help you collect, analyze and harness data from every layer of your technology stack. Even if you’re using a product that’s not listed here, Splunk still doesn’t limit you – you can still index data from that technology.
One of the key benefits of using Splunk software and cloud services is the ability to correlate machine data across silos, providing visibility across the entire Application Delivery and IT Ops landscape.
More than 8,400 customers in 100 countries have purchased the enterprise license of Splunk. This includes a majority of the Fortune 100. Enterprises, service providers and government agencies in 100 countries use Splunk to improve service levels, reduce IT operations costs, mitigate security risks and drive new levels of operational visibility.
As they gain new visibility into their real-time and historical machine data, Splunk’s customers are finding answers and solving the most challenging issues facing IT and the business.
The customers' problem is big data
Growth in volume, velocity, variety and substance
What is this machine data, and why is it a big deal?
Well, it’s one of the fastest growing, most complex and most valuable segments of data.
All the webservers, applications, network devices, mobile devices, sensors – all of the technology infrastructure running your enterprise – generates massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner.
Why is this “machine data” valuable? Because it contains a trace - a categorical record - of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
Characteristics of machine data, the four V's: the last two are the most interesting and challenging.
Splunk has an active community:
There is also an emerging ecosystem of new companies building apps on top of the Splunk Enterprise platform. These companies are taking advantage of open APIs and new platform capabilities to create an entirely new generation of applications.
How many of you have used Splunk Answers? Our technical support is consistently rated as industry leading and Splunk Answers has answers to thousands of questions. It’s the go to place for your questions – and answers.
You can participate in meet-ups and User Groups, or you can contribute to our forums. You can also attend local SplunkLive events to hear how your peers are using machine data.
Splunk software and cloud services are simple to deploy, scale from a single-server deployment to global large-scale operations, and deliver fast payback. Whether you're using Hadoop, deploying in the cloud, or searching for an on-premises solution, getting started with Splunk software was designed from the ground up to be as frictionless as possible.
We have multiple options for getting started, designed to suit your needs:
1. Try out Hunk, Splunk Cloud and Splunk Enterprise with our free online sandboxes.
2. Want to try it out on premises? Free downloads of Hunk and Splunk Enterprise are available. The product you download is the same product that scales to ingest petabytes of data per day.
3. Already running with Amazon Cloud deployments? AMIs for Splunk Enterprise and Hunk make it easy to get up and running.