This document summarizes how Splunk Enterprise Security can help organizations strengthen their security posture and operationalize security processes. It discusses how Splunk ES allows organizations to centralize analysis of endpoint, network, identity, and threat data for improved visibility. It also emphasizes developing an investigative mindset when handling alerts to efficiently determine the root cause. Finally, it explains how Splunk ES can operationalize security processes by providing a single source of truth and integrating security technologies to automate responses.

1. Solve Your Security Challenges
with Splunk Enterprise Security
Michel Oosterhof | Staff Sales Engineer
16 May 2018

2. During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
Forward-Looking Statements
THIS SLIDE IS REQUIRED FOR ALL 3 PARTY PRESENTATIONS.

3. © 2018 SPLUNK INC.
1. Common Security Challenges
2. Methods to Strengthen Security Posture
3. How Splunk Can Help
What Can You
Expect From
This Session?

4. Common Security Challenges
Cyber Criminals
Nation States
Insider Threats
100%
Valid credentials were used
40
Average # of systems accessed
146
Median # of days before detection
65%
Of victims were notified by
external entity
Source: Mandiant M-Trends Report 2012/2013/2014/2015/2016/2017

5. Centralize
Analysis
Investigative
Mindset
Operationalize
Strengthen Your Security Posture

6. Central Analysis

7. Endpoint Access/Identity Network Threat
Intelligence
4 Ways to Improve Posture Quickly

8. What You Discover
▶ Frequency of application executions, unique applications
▶ Non-corporate approved applications
▶ Known malicious executables
Benefit
▶ Visibility into application executions
▶ Understanding of unknown applications – whom and
where and frequency
Understanding Your Endpoints
Processes, File Info/Access, User Activity
Endpoints
End Point System:
Windows Sysmon,
Network, File Info
Endpoint Security:
Virus, Malware, Spyware,
Whitelisting, Behaviors

9. What You Discover
▶ Credentials used in multiple locations, or shared by users
▶ Admin credential abuse
▶ Login frequencies, users moving around quickly
▶ Users failing authentications trying to discover
internal/external resources
Benefit
▶ Uncover unusual login patterns
▶ Track user behavior
Access and Identity
Who, Why and Credential Abuse
Access/Identity
Windows
Security Events:
Active Directory and
Authentication Logs

10. What You Discover
▶ Who talked to whom, traffic volumes (in/out)
▶ Malware download/delivery, C2, exfiltration
▶ Horizontal and vertical movement
Benefit
▶ Determine how threats got in
▶ Systems and endpoints communicating internally
▶ Detect intellectual property theft, insiders
Network Activity
Detecting Exfiltration and Unusual Communication
Network
Network Access:
ForeScout
Firewall:
Cisco, Palo Alto
Network:
DNS – Splunk Stream,
DNS Server

11. What You Discover
▶ High risk behaviors and patterns
▶ Undetected/unblocked malware and command & control activities
▶ Known indicators of compromise
Benefit
▶ Early warning of malicious activity
▶ Detect indication of C2 channels
▶ Confirm whether traffic going to compromised or watch-listed sites
▶ Compromised systems communicating with each other
▶ Compromised endpoints
Threat Intelligence
Known and Early Warning Indicators
Threat Intelligence
Threat Feeds:
Public, Free, Private,
Paid or Custom –
ThreatConnect, Anomali
Firewall: Cisco,
Palo Alto Networks

12. Search and
Investigate
Start Basic.
Other Security-Relevant Data
On-
Premises
Private
Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy
Meters
Firewall
Intrusion
Prevention
Dashboards
and Reports
Analytics and
Virtualization
Threat
Intelligence
Platform for Operational Intelligence
Add More Data for More Insights
Threat
Intelligence
Network
Endpoint
Access/Identity

13. Splunk
Enterprise Security
Demo

14. Investigation

15. Possibilities:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
Alert
Indicator
Data
Security Technologies Are Designed to Detect
Bad/Suspicious Activity
Endpoint
Network
Threat
Intelligence
Access/Identity

16. Developing an Investigative Mindset
What
happened?
Who was
involved?
When did it
start?
Where was
it seen?
How did it
get in?
How do I
contain it?
ALERT
What
specific
questions
do I want
answered?
Where do I look?What is the
logic / methodology
to apply?
What’s an
example?

17. If each alert takes
10 min to investigate...
▶ Helps anyone handling alerts
▶ Gain control of posture
• Old way – “escalate or ignore”
• New way – find out what is
actually going on
Importance of an Investigative Mindset
“Investigate” – gather data, analyze, pinpoint digital evidence
* assumes 14 – 28 cases in a shift
If you reduce to 5 minutes
If you handle 100 alerts a month
(5 alerts a day, 20 days in month)
100x10 = 1,000 min/60 = 16 hours
100x5 = 500 min/60 = 8 hours
You get a day back (8 hours)

18. Splunk
Enterprise Security
Investigations Demo

19. Operationalize

20. How Do You Operationalize it All?
Endpoint
Network
Threat
Intelligence
Access/Identity

21. Single Source of Truth
Endpoint
Network
Threat
Intelligence
Access/Identity
What
happened?
Who was
involved?
When did
it start?
Where was
it seen?
How did it
get in?
How do I
contain it?

22. Splunk ES Content Updates

23. Splunk ES Content Updates

24. Splunk ES Content Updates

25. Splunk is the Security Nerve Center

26. © 2018 SPLUNK INC.
Splunk Adaptive Response Initiative
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access

27. 57
Phantom Security Operations Platform
PLATFORMOVERVIEW
AUTOMATION
ORCHESTRATION
COLLABORATION
EVENT
MANAGEMENT
CASE
MANAGEMENT
REPORTING
& METRICS
Integrate your team, processes,
and tools together.
§ Work smarter by automating repetitive tasks allowing analysts
to focus on more mission-critical tasks.
§ Respond faster and reduce dwell times with automated detection,
investigation, and response.
§ Strengthen defenses by integrating existing security infrastructure
together so that each part is an active participant.

28. Analytics-Driven Security: Portfolio
Premium Solution
Enterprise Security
3rd Party Apps &
Add-ons (590+)
Premium Solution
User Behavior Analytics
Search and
Investigate
Monitoring &
Alerting
Dashboards
and Reports
Incident &
Breach Response
Splunk Security Apps & Add-ons
Network data
RDBMS (any) data Windows host data
Exchange data
Analytics for Hadoop
PCI ComplianceSecurity Essentials
App for AWS
ML Toolkit
Google Cloud
Microsoft Cloud
Windows Infrastructure
Discover
Anomalous
Behavior
Detect Unknown
Threats
Automation &
Orchestration
Threat
Detection
Security
Operations
Platform for Operational Intelligence

29. Proactive Operations: Start With Top 5 CIS Controls
Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent.
Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.
SOURCE: Center for Internet Security
https://www.cisecurity.org/critical-controls.cfm

30. CIS Critical Security Controls
https://splunkbase.splunk.com/app/3064/#/overview
https://www.splunk.com/goto/Top20CSC

32. © 2018 SPLUNK INC.
1. Centralize Analysis of Key Activities
2. Use an Investigative Mindset
3. Operationalize Security Processes
Strengthen
Your Security
Posture

33. ORLANDO, FLORIDA
Walt Disney World Swan and Dolphin Hotels
.conf18:
Monday, October 1 – Thursday, October 4
Splunk University:
Saturday, September 29 – Monday, October 1