This document summarizes how Splunk Enterprise Security can help organizations strengthen their security posture and operationalize security processes. It discusses how Splunk ES allows organizations to centralize analysis of endpoint, network, identity, and threat data for improved visibility. It also emphasizes developing an investigative mindset when handling alerts to efficiently determine the root cause. Finally, it explains how Splunk ES can operationalize security processes by providing a single source of truth and integrating security technologies to automate responses.
4. Common Security Challenges
Threat actors: Cyber Criminals, Nation States, Insider Threats
100%: Valid credentials were used
40: Average # of systems accessed
146: Median # of days before detection
65%: Of victims were notified by external entity
Source: Mandiant M-Trends Report 2012/2013/2014/2015/2016/2017
8. Understanding Your Endpoints: Processes, File Info/Access, User Activity
What You Discover
▶ Frequency of application executions, unique applications
▶ Non-corporate approved applications
▶ Known malicious executables
Benefit
▶ Visibility into application executions
▶ Understanding of unknown applications – whom and where and frequency
Data Sources: Endpoints
▶ End Point System: Windows Sysmon, Network, File Info
▶ Endpoint Security: Virus, Malware, Spyware, Whitelisting, Behaviors
9. Access and Identity: Who, Why and Credential Abuse
What You Discover
▶ Credentials used in multiple locations, or shared by users
▶ Admin credential abuse
▶ Login frequencies, users moving around quickly
▶ Users failing authentications trying to discover internal/external resources
Benefit
▶ Uncover unusual login patterns
▶ Track user behavior
Data Sources: Access/Identity
▶ Windows Security Events: Active Directory and Authentication Logs
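The two access/identity findings above (credentials used from multiple locations in a short time, and failed authentications spread across many accounts from one source) can be expressed as simple windowed counts. The following is an added example, not Splunk's or the deck's own code: it runs that logic in Python over constructed Windows logon events. The event shape (timestamp, user, source host, EventCode with 4624 = success and 4625 = failure), the thresholds and the window sizes are all assumptions chosen for illustration.

```python
"""Added example: windowed detections for shared/multi-location credential use and
failed-authentication discovery, over constructed Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like normalized Windows Security logs:
# (timestamp, user, source host, EventCode), 4624 = successful logon,
# 4625 = failed logon. Not real data.
SAMPLE_EVENTS = [
    ("2018-09-10 08:00:00", "alice", "WS-101", 4624),
    ("2018-09-10 08:04:00", "alice", "WS-220", 4624),
    ("2018-09-10 08:07:00", "alice", "SRV-FILE1", 4624),
    ("2018-09-10 08:09:00", "alice", "SRV-DB2", 4624),
    ("2018-09-10 09:00:00", "bob", "WS-150", 4624),
    ("2018-09-10 10:00:00", "bob", "WS-150", 4624),
    ("2018-09-10 07:59:00", "bob", "WS-150", 4625),  # a single typo, not suspicious
    # burst of failures from one host against many different accounts
    ("2018-09-10 02:00:01", "carol", "WS-313", 4625),
    ("2018-09-10 02:00:02", "dave", "WS-313", 4625),
    ("2018-09-10 02:00:03", "erin", "WS-313", 4625),
    ("2018-09-10 02:00:04", "frank", "WS-313", 4625),
    ("2018-09-10 02:00:05", "grace", "WS-313", 4625),
    ("2018-09-10 02:00:06", "heidi", "WS-313", 4625),
]


def parse(events):
    """Turn the timestamp strings into datetimes so windows can be compared."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, host, code)
            for ts, user, host, code in events]


def _windowed_distinct(pairs, window, limit):
    """pairs: (timestamp, value). Return the sorted distinct values of the first
    sliding window that reaches `limit` distinct values, or None if none does."""
    pairs = sorted(pairs)
    for i, (start, _) in enumerate(pairs):
        seen = {value for ts, value in pairs[i:] if ts - start <= window}
        if len(seen) >= limit:
            return sorted(seen)
    return None


def multi_location_logons(events, max_hosts=3, window=timedelta(minutes=30)):
    """Accounts with successful logons from more than max_hosts distinct hosts
    inside one window: shared credentials or a user 'moving around quickly'."""
    by_user = defaultdict(list)
    for ts, user, host, code in parse(events):
        if code == 4624:
            by_user[user].append((ts, host))
    findings = {}
    for user, logons in by_user.items():
        hosts = _windowed_distinct(logons, window, max_hosts + 1)
        if hosts:
            findings[user] = hosts
    return findings


def failed_auth_discovery(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source hosts whose failed logons inside one window touch at least
    min_accounts distinct accounts: someone probing for resources."""
    by_host = defaultdict(list)
    for ts, user, host, code in parse(events):
        if code == 4625:
            by_host[host].append((ts, user))
    findings = {}
    for host, fails in by_host.items():
        users = _windowed_distinct(fails, window, min_accounts)
        if users:
            findings[host] = users
    return findings


if __name__ == "__main__":
    print("multi-location logons:", multi_location_logons(SAMPLE_EVENTS))
    print("failed-auth discovery:", failed_auth_discovery(SAMPLE_EVENTS))
```

Both detections key on a window rather than a raw count so that a user who legitimately uses four machines over a day, or a single mistyped password, does not fire; the thresholds are the knobs an analyst tunes per environment.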
10. Network Activity: Detecting Exfiltration and Unusual Communication
What You Discover
▶ Who talked to whom, traffic volumes (in/out)
▶ Malware download/delivery, C2, exfiltration
▶ Horizontal and vertical movement
Benefit
▶ Determine how threats got in
▶ Systems and endpoints communicating internally
▶ Detect intellectual property theft, insiders
Data Sources: Network
▶ Network Access: ForeScout
▶ Firewall: Cisco, Palo Alto
▶ Network: DNS – Splunk Stream, DNS Server
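To make the network findings above concrete (outbound volume per host as an exfiltration signal, and one internal host fanning out to many internal peers as horizontal movement), here is an added example in Python that is not Splunk's or the deck's own code. It works over constructed flow records of the kind a firewall or Splunk Stream would summarize; the record shape, the 1 GB threshold, the list of admin ports and the "five peers" cutoff are assumptions for illustration, and the external addresses are documentation ranges, not real hosts.

```python
"""Added example: outbound-volume and fan-out detections over constructed flow records."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges count as "internal"; everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src_ip, dst_ip, dst_port, bytes_out). Not real traffic;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for
# external hosts.
SAMPLE_FLOWS = [
    ("10.0.1.10", "203.0.113.80", 443, 120_000),
    ("10.0.1.10", "203.0.113.80", 443, 95_000),
    ("10.0.1.22", "198.51.100.7", 443, 2_400_000_000),  # unusually large upload
    ("10.0.1.22", "198.51.100.7", 443, 1_900_000_000),
    ("10.0.1.30", "10.0.1.31", 445, 4_000),              # one host fanning out
    ("10.0.1.30", "10.0.1.32", 445, 4_100),
    ("10.0.1.30", "10.0.1.33", 3389, 5_000),
    ("10.0.1.30", "10.0.1.34", 445, 3_900),
    ("10.0.1.30", "10.0.1.35", 445, 4_200),
    ("10.0.1.30", "10.0.1.36", 445, 4_050),
    ("10.0.1.40", "10.0.2.5", 445, 50_000),             # ordinary file-share access
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_volume_by_host(flows):
    """Bytes each internal host sent to external destinations ('who talked to whom', out)."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def exfiltration_candidates(flows, threshold_bytes=1_000_000_000):
    """Internal hosts whose outbound volume crosses a threshold (1 GB here, an
    assumption; in practice compare each host against its own baseline)."""
    return {h: b for h, b in outbound_volume_by_host(flows).items() if b >= threshold_bytes}


# Ports commonly used for admin access between Windows hosts; an assumption for this example.
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}


def lateral_movement_candidates(flows, min_peers=5):
    """Internal hosts that open admin-port connections to at least min_peers distinct
    internal peers: one view of horizontal movement."""
    peers = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if is_internal(src) and is_internal(dst) and port in LATERAL_PORTS:
            peers[src].add(dst)
    return {h: len(p) for h, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    print("outbound volume:", outbound_volume_by_host(SAMPLE_FLOWS))
    print("exfiltration candidates:", exfiltration_candidates(SAMPLE_FLOWS))
    print("lateral movement candidates:", lateral_movement_candidates(SAMPLE_FLOWS))
```

The internal/external split is done with explicit RFC 1918 networks rather than `ipaddress`'s `is_private`, because that property also treats the documentation ranges as private and would hide the exfiltration case in this sample.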
11. Threat Intelligence: Known and Early Warning Indicators
What You Discover
▶ High risk behaviors and patterns
▶ Undetected/unblocked malware and command & control activities
▶ Known indicators of compromise
Benefit
▶ Early warning of malicious activity
▶ Detect indication of C2 channels
▶ Confirm whether traffic is going to compromised or watch-listed sites
▶ Compromised systems communicating with each other
▶ Compromised endpoints
Data Sources: Threat Intelligence
▶ Threat Feeds: Public, Free, Private, Paid or Custom – ThreatConnect, Anomali
▶ Firewall: Cisco, Palo Alto Networks
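Slide 8 ("known malicious executables") and slide 11 ("known indicators of compromise", "watch-listed sites") are the same operation from different data sources: normalize a feed of indicators and look each observation up against it. The following added example, not Splunk's or any feed vendor's code, does that in Python for three indicator types. The feed entries, the DNS, firewall and process events, and the file hashes are all constructed (the hashes are derived from labels with SHA-256 so that no real indicator appears here); the event shapes are assumptions.

```python
"""Added example: matching a constructed threat feed against endpoint and network events."""
import hashlib
from collections import defaultdict


def _constructed_sha256(label):
    """Derive a stand-in hash from a label so the sample contains no real IoC."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed feed entries: (indicator type, value, feed name). Values are
# deliberately messy (mixed case, trailing dot) to exercise normalization.
THREAT_FEED = [
    ("domain", "Bad-Example.test.", "constructed-feed-1"),
    ("ip", "203.0.113.9", "constructed-feed-1"),
    ("sha256", _constructed_sha256("constructed-malware-sample").upper(), "constructed-feed-2"),
]

# Constructed observations in the shape of the data sources on the slides.
DNS_EVENTS = [("10.0.1.10", "www.example.com"), ("10.0.1.12", "cdn.bad-example.test")]
FIREWALL_EVENTS = [("10.0.1.12", "203.0.113.9"), ("10.0.1.13", "198.51.100.20")]
PROCESS_EVENTS = [
    ("WS-101", r"C:\Windows\System32\notepad.exe", _constructed_sha256("benign-sample")),
    ("WS-220", r"C:\Users\Public\update.exe", _constructed_sha256("constructed-malware-sample")),
]


def normalize(kind, value):
    """Canonical form so feed values and log values compare equal."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return value


def build_index(feed):
    """indicator type -> {normalized value -> feed name}."""
    index = defaultdict(dict)
    for kind, value, source in feed:
        index[kind][normalize(kind, value)] = source
    return index


def domain_candidates(domain):
    """The domain and each parent domain (but not the bare TLD), so that
    'cdn.bad-example.test' is caught by an indicator for 'bad-example.test'."""
    parts = normalize("domain", domain).split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


def match_dns(index, events):
    hits = []
    for src, domain in events:
        for candidate in domain_candidates(domain):
            if candidate in index["domain"]:
                hits.append(("dns", src, domain, candidate, index["domain"][candidate]))
                break
    return hits


def match_connections(index, events):
    hits = []
    for src, dst in events:
        key = normalize("ip", dst)
        if key in index["ip"]:
            hits.append(("conn", src, dst, key, index["ip"][key]))
    return hits


def match_processes(index, events):
    hits = []
    for host, image, sha256 in events:
        key = normalize("sha256", sha256)
        if key in index["sha256"]:
            hits.append(("process", host, image, key, index["sha256"][key]))
    return hits


def all_hits(feed=THREAT_FEED):
    """Every (source type, where seen, what was seen, matched indicator, feed) tuple."""
    index = build_index(feed)
    return (match_dns(index, DNS_EVENTS)
            + match_connections(index, FIREWALL_EVENTS)
            + match_processes(index, PROCESS_EVENTS))


if __name__ == "__main__":
    for hit in all_hits():
        print(hit)
```

Each hit carries the feed it came from, which is what an analyst needs first when triaging: a match from a paid, curated feed and a match from a noisy public list deserve different priorities.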
12. Search and Investigate
Start Basic.
Other Security-Relevant Data (figure: data sources feeding the Platform for Operational Intelligence)
▶ Deployment: On-Premises, Private Cloud, Public Cloud
▶ Sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
▶ Platform outputs: Dashboards and Reports; Analytics and Virtualization; Threat Intelligence
Add More Data for More Insights: Threat Intelligence, Network, Endpoint, Access/Identity
15. Possibilities:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
Figure: Alert, Indicator, Data. Security Technologies Are Designed to Detect Bad/Suspicious Activity across Endpoint, Network, Threat Intelligence and Access/Identity data.
16. Developing an Investigative Mindset
ALERT: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
What specific questions do I want answered? Where do I look? What is the logic / methodology to apply? What’s an example?
17. Importance of an Investigative Mindset
If each alert takes 10 min to investigate...
▶ Helps anyone handling alerts
▶ Gain control of posture
• Old way – “escalate or ignore”
• New way – find out what is actually going on
“Investigate” – gather data, analyze, pinpoint digital evidence
If you handle 100 alerts a month (5 alerts a day, 20 days in month): 100x10 = 1,000 min/60 = 16 hours
If you reduce to 5 minutes: 100x5 = 500 min/60 = 8 hours
You get a day back (8 hours)
* assumes 14 – 28 cases in a shift
20. How Do You Operationalize it All?
Endpoint, Network, Threat Intelligence, Access/Identity
21. Single Source of Truth
Endpoint, Network, Threat Intelligence, Access/Identity
What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
27. Phantom Security Operations Platform
PLATFORM OVERVIEW: AUTOMATION, ORCHESTRATION, COLLABORATION, EVENT MANAGEMENT, CASE MANAGEMENT, REPORTING & METRICS
Integrate your team, processes, and tools together.
§ Work smarter by automating repetitive tasks allowing analysts to focus on more mission-critical tasks.
§ Respond faster and reduce dwell times with automated detection, investigation, and response.
§ Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
28. Analytics-Driven Security: Portfolio
Premium Solution: Enterprise Security
Premium Solution: User Behavior Analytics
3rd Party Apps & Add-ons (590+)
Core capabilities: Search and Investigate; Monitoring & Alerting; Dashboards and Reports; Incident & Breach Response
Splunk Security Apps & Add-ons: Network data; RDBMS (any) data; Windows host data; Exchange data; Analytics for Hadoop; PCI Compliance; Security Essentials; App for AWS; ML Toolkit; Google Cloud; Microsoft Cloud; Windows Infrastructure
Outcomes: Discover Anomalous Behavior; Detect Unknown Threats; Automation & Orchestration; Threat Detection; Security Operations
Platform for Operational Intelligence
29. Proactive Operations: Start With Top 5 CIS Controls
Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent.
Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.
SOURCE: Center for Internet Security
https://www.cisecurity.org/critical-controls.cfm
33. ORLANDO, FLORIDA
Walt Disney World Swan and Dolphin Hotels
.conf18:
Monday, October 1 – Thursday, October 4
Splunk University:
Saturday, September 29 – Monday, October 1