Uploaded bySplunk
Splunk Discovery Day Düsseldorf 2016 - Splunk für Security
Splunk Enterprise Security is an advanced security information and event management (SIEM) and security intelligence platform that allows organizations to monitor, detect, investigate, and respond to cyberattacks and threats. It provides risk-based analytics, security intelligence, continuous monitoring of security domains, and incident response capabilities through features like alerts and dashboards, pre-built searches, threat intelligence integration, and an investigation timeline. The platform helps connect data from various sources to gain security insights and identify unknown threats.
More Related Content
Similar to Splunk Discovery Day Düsseldorf 2016 - Splunk für Security
Splunk Discovery Day Düsseldorf 2016 - Splunk für Security
- 1. Copyright © 2014Splunk Inc. Splunk Enterprise Security Analytics-Driven Security
- 2.
- 3. The Ever-Changing ThreatLandscape 3 53% Victims notified by external entity 100% Valid credentials were used 143 Median # of days before detection Source: Mandiant M-Trends Report 2012-2016
- 4.
- 5. Security Intelligence 6 Developer Platform Report and analyze Custom dashboards Monitor and alert Adhoc search Threat Intelligence Asset & CMDB Employee Info Data Stores Applications Online Services Web Services Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices Firewall Authentication Threat Intelligence Servers Endpoint External Lookups
- 6. Connecting the “data-dots”via multiple/dynamic relationships Persist, Repeat Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution Where they went, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, exploit installation Gain trusted access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat 7
- 7. Security Intelligence UseCases SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS DETECTING UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT Complement, replace and go beyond traditional SIEMs 8
- 8. Splunk Enterprise Security Risk-BasedAnalytics Visualize and Discover Relationships Enrich Security Analysis with Threat Intelligence 9 Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform that empowers SecOps to monitor, detect, investigate and respond to attacks and threats while minimizing risk and safeguarding your business.
- 9. Splunk Enterprise Security IncidentInvestigations & ManagementAlerts & Dashboards & Reports Statistical Outliers & Risk Scoring & User Activity Threat Intel & Asset & Identity Integration Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds 11
- 10. Continuous Monitoring with theSplunk Enterprise Security
- 11.
- 12.
- 13. 1Risk-based security Continuous Monitoring forSecurity Domains 15
- 14.
- 15. Incident Response with theSplunk Enterprise Security
- 16. 1Risk-based security Fast Incident Reviewand Investigation 18
- 17. Visual Investigations forAll Assets and Users 19
- 18. Broad and DeepInvestigation 20
- 19. 1Risk-based security Enrich Security Analysiswith the Threat Intelligence Framework 21
- 20.
- 21. Investigator Journal Feature Benefits Focuson tracking attack activities while the system tracks the investigation Streamline the process of investigating advanced threats 23 Solution • Track searches and activities to understand actions taken, information seen • Review activities at any point in the investigation • Return to any prior activity to follow a different path to complete the investigation
- 22. Investigation Timeline Feature Benefits Betterunderstand, visualize and communicate attack details and investigative actions of multi-step threats 24 Solution • Combine raw events, actions, and annotation notes (Search, Views, Filters, Event status) • See time relationship between events • Create and manage investigation reports
- 23. Enterprise Security Framework FeatureBenefits Address constantly changing security requirements by expanding ecosystem Further enhance the abilities, allowing organizational knowledge object sharing 25 Solution • Create, access, and extend ES functionality with apps that can run within ES • Able to easily utilize ES framework features (Risk, Threat, Notable Events, Identity & Asset) • Modular ways to export import rules, views, configurations, key indicator searches and other contents via easy import/export user experience.
- 24.
- 25. Behavioral Analytics Broughtto SIEM Workflow • All UBA anomalies available in ES • Manager – UBA Reporting within ES – pre-built, customizable • SOC analyst – UBA Anomaly data available for correlation – alerts, threat intel, domain data • Hunter/Investigator- Perform ad-hoc searching/pivoting for Incident Response and Breach Analysis 27 ES 4.1 and UBA 2.2 Detect and Investigate faster using ML integrated with SIEM
- 26. Prioritize, Speed Investigations– Risk Score, Searches • Use the new risk scores and quick searches to determine the impact of an incident quickly • Use risk scores to generate actionable alerts to respond on matters that require immediate attention. 28 Streamlines Incident Review and Response
- 27. Facebook ThreatExchange • Providesdomain names, IPs, hash threat indicators • Use with ad hoc searches and investigations 29 • Need an app ID and secret from Facebook • Config Splunk add-on for FB ThreatExchange • Customers already use !
- 28. Enhanced Investigation Timeline Addfile attachments to Investigation Timeline 30 Export Investigation Timeline as PDF
- 29.
- 30. Splunk Enterprise Security– Release Summary 32 Q3 2014 Q4 2014 Q2 2015 ES 3.1 •Risk Framework •Guided Search •Unified Search Editor •Threatlist Scoring •Threatlist Audit ES 4.0 •Breach Analysis •Integration with Splunk UBA •Enterprise Security Framework ES 3.2 •Protocol Intelligence •Semantic Search ES 3.3 •Threat Intel Framework •User Activity Monitoring •Content Sharing •Data Ingestion Q4 2015 ES 4.1 •Behavior Anomalies •Risk and Search in Incident Review •Facebook ThreatExchange Q1 2016
- 31. SIEM comparison to theSplunk Enterprise Security
- 32. SIEM comparison toSplunk LEGACY SIEM SPLUNK Data sources Limited Any technology, device Custom Device Support Difficult Easy Add Intelligence Difficult Easy Customized Reporting Required 3rd party App Built-in (from search) Speed of Search/Reporting Slow and Unusable Fast and Responsive Correlation Difficult (rule-based) Easy (search-based) Scalability Limited Extensible 34
- 33.
- 34. Analytics via SIEMin the Cloud Challenges • Detect, investigate and remediate threats and attacks using a Cloud platform – strategy alignment • Reduce TCO of security operations – minimize CapEx and OpEx • Secure, scalable infrastructure to support a range of security use cases Customer Solution : SIEM in the Cloud • Malware Protection, User Account Protection and DLP • Search across all data sets in the Cloud and/or on-premise data by using a single pane of glass • Insight from all security relevant data by use of ready to use Splunk Apps and partner add-ons. 36
- 35. Integra Challenges • Customers wanttheir data and communications services delivered on a network that has a level of security that goes beyond what other providers & the public Internet provides Splunk Solution : Splunk Enterprise Security • Detecting potentially compromised accounts: Splunk ES alerted security teams when an employee’s administrative account was attempting to route data through a country in which Integra does not operate networks. • Detecting compromised systems: Splunk ES alerted Integra when a laser printer was sending out SSL traffic and played a critical role as the investigative team isolated the printer and its network – eventually discovering it had been compromised and needed a firmware update. • Detecting malware infections: Integra has detected several instances of malware and malware attempts. • Detecting malicious activity missed by other solutions: Splunk has helped Integra to detect previously unseen suspicious security events in customers’ networks. “Splunk software is playing a central role in helping Integra’s SOC and our suite of services set the highest standards for protection against threats” Steve Fisher, VP of network planning and security
- 36. Risk Driven SecurityIntelligence Platform Challenges • Preventing attacks to process online orders every 4 seconds from 180+ countries. • Managing security across data centers in the US, UK, Italy, and Asia • Keeping the trust & high availability in hostile enviroment - Confidentiality, Integrity, Completeness • Fragmented security ecosystem Customer Solution • Moved from a technology oriented approach to an info-centric approach • From standard dashboards to real-time dynamic dashboards. • Moved from a security event to full context-aware security information 38
- 37. Building an IntelligenceDriven SOC Challenges • Existing SIEM not adequate - struggled to bring in appropriate data • Unable to perform advanced investigations, severe scale/performance issues • Looking to build a new SOC with modern solution Customer Solution • Centralized logging of all required machine data at scale and full visibility • Retain all relevant data from 10+ data sources which is used by 25+ SOC/CSIRT users • Tailored advanced correlation searches & IR workflow • Faster and deeper incident investigations • Greater SOC efficiencies - all SOC/CSIRT working off same UI/data • Executive dashboards to measure and manage risk 39
- 38. Thousands of GlobalSecurity Customers 40
- 39. 41 Rapid Ascent inthe Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 40. Free Cloud Trial Free Software Download Free EnterpriseSecurity Sandbox Get started in minutes – splunk.com 1 32
- 41.
Editor's Notes
- #3 Let’s start with today’s ever changing threat landscape: With all the news on cyber attacks and security breaches, you know we are constantly up against 3 very sophisticated adversaries: the cyber criminals, the nation states and also the malicious Insiders; All going after major stakes of our life, our company and our nation.
- #4 There are three numbers in the cyber security statistics are very telling, and we should pay close attention to: 100% of breaches are done using valid credentials; And it still takes average 143 days to detect a breach; With all security technologies deployed in the enterprises, there are still 53% of breaches are first reported to the enterprise by a 3rd parties (FBI, SS)
- #5 People are the most important part of your business. Splunk empowers your security teams with data. Your security teams perform a number of tasks <next slide>
- #7 And use your Splunk environment to collect, analyze and enrich all this data that you are collecting. You will be well prepared to detect new attacks and quickly respond to the next breach.
- #8 The explains the “layers of security” or the “security stack” used to detect different aspects of an attack. This is a common approach and should resonant with the audience customer. Companies, solution providers, product vendors are trying to pull these things together to detection certain aspects of attacks. Example – WebSense is focusing on webgateway, email gateway and data loss – they focus on the network activity/security Example – Fireeye – focusing on malware payload analysis, added endpoint (mandiant agent), investigation platform (MIR), and IPS (network intrusion prevention) Our point is most security solutions can be classified into each of these layers and most companies will bring in 1-several from each layer to combine into a holistic view. Splunk can bring in additional context including the auth/user, environmental via the enrichment/lookup feature, as well as threat intelligence that is becoming important because knowledge about the external threat (attacker) is critical to knowing who is attacking and the attacking infrastructure (C&C servers, infected sites, etc.)
- #10 Splunk for Enterprise Security provides the capabilities to run your security operations, combat Fraud and much more! Customers use Enterprise Security to power their Next Generation Cyber Threat Fusion center to fend off today’s advance threats. <next slide>…
- #12 All of this rich capability is delivered through Pre-built searches, dashboards, reports and workflows. Your analysts are enable to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity Manage and investigate incidents by correlating event data and contextual information from any data source Pre-built statistical capabilities identify unusual activity and reduce false positives Automated Threat Intel Integration ensures that new information is rapidly integrated into alerts and investigations Enterprise Security delivers pre-built reports, dashboards, workflows across all security domains. Including wire data, end points, network, access and identity management
- #14 Get a library of security posture widgets to place on any dashboard or easily create your own. See security events by location, host, source type, asset groupings and geography. KPIs provide real-time trending and monitoring of your security posture. The Security Posture dashboard gives you a complete view of what’s going on in your enterprise. The dashboard objects are customizable – You don’t need to know any custom languages or wait for long development times- -- you can add/remove new KSI/KPI on the fly. -- you can change KSI/KPI thresholds on the fly. -- add/remove/organize dashboard widgets with mouse clicks
- #15 Add/remove KSI/KPI with a few clicks Modify KSI/KPI thresholds on the fly
- #16 Pre-built reports and dashboards for Access Protection, Endpoint Protection, Network Protection, Asset and Identity Center Simplify monitoring and exception analysis Satisfy compliance and forensics requirements to track activity Increase the effectiveness of security and IT tools across the enterprise
- #17 Risk Based Analytics Align Security Operations With the Business Use risk scores as a core component of business decision making processes Use relative terms to describe risk instead of ambiguous numerical values - Relative terms create consistency of interpretation and action. E.g. what does it mean if a KSI was 451 or 339 ? Is that good? Or bad? Instead if we say, the risk score is ‘high’ or the number of alerts is ‘average’, we know what actions to take or not to take. Transparently expose the score’s contributing factors Assign any KSI/KPI to an event to produce a risk score using the Risk Framework
- #19 Pre-built correlation searches trigger alerts across the security stack Alerts are based on baselines of rolling time windows and not static values - Autoconfiguring thresholds improve threat detection for hard to find attacks and reduce false positives. Use the Incident Review dashboard to manage alerts, filter, assign, prioritize and comment on alerts. Incident Review dashboard is the starting point for investigation. Expand the alert tab to get more information. Use Event Actions to get contextual drill downs and acquire deeper context
- #20 Give all users the ability to find relationships visually Visually organize and fuse any data to discern any context Create event swim lanes from from the web UI
- #21 Drill down to raw events Use contextual workflow actions to pivot to dashboards and reports Initiate wire data capture to acquire protocol intelligence during investigations
- #22 Automatically integrate any number of open, proprietary or local threat intelligence feeds Aggregate, de-duplicate and assign weights to all threat intelligence sources/providers Simplify threat intelligence and make it a core component of your security operations workflow with Pre-built alerts and correlations Integrate threat intelligence via APIs, Web feeds, Scripts, CSV files or create your own local threat lists Threat intelligence is applied to all data including wire data protocol information - e.g. email envelopes New threat intelligence from any source, can be applied to all historical data
- #23 Simplify protocol and user profiling using -built reports for wire data Accelerate workflow and report creation with pre-built reports that expose the most important fields in common protocols Pre-built reports expose the important fields from protocol data – email headers, ssl certificates and dns Wire data is essential to understanding your overall security posture and investigating threats and breaches. - Enterprise security 3.2 makes it easy for your analyst to get value from wire data by exposing the most important fields and making searching and investigation easier.
- #24 So the solution we specifically wanted to deliver was, / using investigation timeline Create and manage investigation reports Combines raw events, actions, annotation history to the timeline Track status of event / or suppression history to the timeline See time relationship between events in the timeline So we can “Better understand, visualize and communicate attack details”
- #25 So the solution we specifically wanted to deliver was, / using investigation timeline Create and manage investigation reports Combines raw events, actions, annotation history to the timeline Track status of event / or suppression history to the timeline See time relationship between events in the timeline So we can “Better understand, visualize and communicate attack details”
- #26 On top of ES open solutions framework, users and developers can utilize full ES frameworks (Risk, Threat, Notable, Identity & Asset) even new Investigation timeline. and modular ways to rapidly expand rules, views, configurations, key indicator searches This opens doors for new security service or business models. Our VARs and technology partners will be very excited to hear about potential new opportunities we crate for them.
- #41 Over 4000 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use for security/compliance.
- #42 Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.