2. LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
7. Adaptive Response Initiative
App workflow across security domains: Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Endpoints
Mission: Bring together the best security technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain
8. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
9. More Honors – March 2016
● Best SIEM Solution
● Best Fraud Prevention Solution
11. ES Fast Facts
● Current version: 4.1 announced at RSA
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
12. Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
Interactions: Human to Machine, Machine to Machine
13. The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in:
● Network Gateway AV
● Windows + OS X + Linux AV
● Network Sandboxing
● Advanced Endpoint Protection
Need: Common Information Model
CIM = Data Normalization
16. Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries
17. Splunk Enterprise Security – Basic, Advanced SIEM Use Cases and Security Intelligence
Release timeline:
Q3 2014, ES 3.1:
• Risk Framework
• Guided Search
• Unified Search Editor
• Threatlist Scoring
• Threatlist Audit
Q4 2014, ES 3.2:
• Protocol Intelligence
• Semantic Search
Q2 2015, ES 3.3:
• Threat Intel Framework
• User Activity Monitoring
• Content Sharing
• Data Ingestion
Q4 2015, ES 4.0:
• Breach Analysis
• Integration with Splunk UBA
• Enterprise Security Framework
Q1 2016, ES 4.1:
• Behavior Anomalies
• Risk and Search in Incident Review
• Facebook ThreatExchange
18. New Features in Enterprise Security 4.0
Optimize multi-step analyses to improve breach detection and response; Extensible Analytics & Collaboration
INVESTIGATION:
• Investigator Journal
• Attack & Investigation Timeline
COLLABORATION:
• Open Solutions Framework
• Framework App: PCI
20. Splunk UBA and Splunk ES Integration
DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: DATA SCIENCE DRIVEN THREAT DETECTION, 99.99% EVENT REDUCTION
ES: MACHINE LEARNING IN SIEM WORKFLOW, ANOMALY-BASED CORRELATION
21. Behavioral Analytics in SIEM Workflow (ES 4.1 and UBA 2.2)
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
22. Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search.
Use the new risk scores and quick searches to determine the impact of an incident quickly.
Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
23. Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange: an additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes. Use with ad hoc searches and investigations.
Extends Splunk’s Threat Intelligence Framework
35. THE FOUNDATION
• ANOMALY DETECTION and THREAT DETECTION
• UNSUPERVISED MACHINE LEARNING
• BEHAVIOR BASELINING & MODELING
• REAL-TIME & BIG DATA ARCHITECTURE
37. MULTI-ENTITY BEHAVIORAL MODEL
Within a temporal window, activities (Activity A … Activity N) are modeled per entity: USER, HOST, NETWORK, APPLICATION, DATA. Example sequence across entities: ACTIVITY A, ACTIVITY C, ACTIVITY F, ACTIVITY B, ACTIVITY L.
38. EVOLUTION vs COMPLEXITY (chart): RULES - THRESHOLD; POLICY - THRESHOLD; POLICY - STATISTICS; POLICY - PEER GROUP STATISTICS; SUPERVISED MACHINE LEARNING; UNSUPERVISED MACHINE LEARNING
LARGEST LIBRARY OF UNSUPERVISED ML ALGORITHMS
40. DESIGNED FOR A SOC ANALYST: THREAT DETECTION, ML DRIVEN AUTOMATED ANOMALY CORRELATION
41. Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol: 30+ new metrics
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
42. Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection and can be leveraged to detect threats in historical data.
Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
43. Context Enrichment (UBA 2.2)
Support for Additional 3rd Party Devices: Citrix NetScaler (AppFlow), FireEye Email (EX), Symantec DLP, Bit9/Carbon Black, Digital Guardian, and many more…
Improved Precision and Prioritization of Threats: Risk Percentile & Dynamic Peer Groups
44. INSIDER THREAT
USER ACTIVITY (Day 1 … Day N):
• John connects via VPN
• Administrator performs ssh (root) to a file share - finance department
• John executes remote desktop to a system (administrator) - PCI zone
• John elevates his privileges
• root copies the document to another file share - Corporate zone
• root accesses a sensitive document from the file share
• root uses a set of Twitter handles to chop and copy the data outside the enterprise
ANOMALIES DETECTED:
• Unusual Machine Access (Lateral Movement; Individual & Peer Group)
• Unusual Zone (Corp→PCI) traversal (Lateral Movement)
• Unusual Activity Sequence
• Unusual Zone Combination (PCI→Corp)
• Unusual File Access (Individual & Peer Group)
• Multiple Outgoing Connections & Unusual SSL session duration
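The insider scenario above and the Custom Threat Modeling Framework slide (build threats on top of anomalies) illustrated together, as an added example that is not Splunk UBA code: simple individual and peer-group baseline comparisons stand in for the ML anomaly detectors, and a threat scenario fires when several distinct anomaly types for one user fall inside a temporal window. The baseline, zones, share names, thresholds and the activity stream are all constructed.

```python
"""Correlating behavioural anomalies into a threat scenario (added example).

A toy stand-in for the custom threat modelling idea on the slides: simple
baseline comparisons emit per-user anomalies, and a scenario fires when several
distinct anomaly types for one user fall inside a temporal window. The baseline,
zone names, thresholds and events are all constructed; this is not Splunk UBA code.
"""
from collections import defaultdict

# Constructed baseline of "normal" for john and his peer group (finance).
BASELINE = {
    "zones":    {"john": {"Corp"}, "peer:finance": {"Corp"}},
    "shares":   {"john": {"fs-corp/reports"}, "peer:finance": {"fs-corp/reports", "fs-fin/budgets"}},
    "accounts": {"john": {"john"}},
}
PEER_GROUP = {"john": "peer:finance"}

# Constructed activity stream following the Day 1 .. Day N storyline on the slide.
EVENTS = [
    {"day": 1, "user": "john", "type": "vpn",     "zone": "Corp"},
    {"day": 1, "user": "john", "type": "rdp",     "zone": "PCI", "as": "administrator"},
    {"day": 2, "user": "john", "type": "privesc", "zone": "PCI", "as": "root"},
    {"day": 2, "user": "john", "type": "file",    "zone": "PCI", "share": "fs-pci/cardholder"},
    {"day": 3, "user": "john", "type": "net", "dest": "twitter.com", "dur": 3400},
    {"day": 3, "user": "john", "type": "net", "dest": "twitter.com", "dur": 3900},
    {"day": 3, "user": "john", "type": "net", "dest": "twitter.com", "dur": 3600},
]

def _known(baseline_key, user, baseline, peers):
    """Union of the user's own baseline and their peer group's for one attribute."""
    table = baseline[baseline_key]
    return table.get(user, set()) | table.get(peers.get(user), set())

def detect_anomalies(events, baseline=BASELINE, peers=PEER_GROUP):
    """Emit (day, user, anomaly_type) tuples from individual and peer-group baselines."""
    out, outgoing = [], defaultdict(list)     # outgoing: (user, day) -> session durations
    for e in events:
        u, kind = e["user"], e["type"]
        if kind == "rdp" and e["zone"] not in _known("zones", u, baseline, peers):
            out.append((e["day"], u, "Unusual Zone Traversal"))
        elif kind == "privesc" and e["as"] not in _known("accounts", u, baseline, peers):
            out.append((e["day"], u, "Unusual Activity Sequence"))
        elif kind == "file" and e["share"] not in _known("shares", u, baseline, peers):
            out.append((e["day"], u, "Unusual File Access"))
        elif kind == "net":
            outgoing[(u, e["day"])].append(e["dur"])
    for (u, day), durs in outgoing.items():
        if len(durs) >= 3 and max(durs) > 3000:          # constructed thresholds
            out.append((day, u, "Multiple Outgoing Connections & Unusual SSL Duration"))
    return out

def correlate(anomalies, window_days=7, min_types=3):
    """Fire one threat per user when >= min_types distinct anomalies share a window."""
    threats, by_user = [], defaultdict(list)
    for a in anomalies:
        by_user[a[1]].append(a)
    for u, items in by_user.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_win = [a for a in items[i:] if a[0] - start <= window_days]
            types = sorted({a[2] for a in in_win})
            if len(types) >= min_types:
                threats.append({"user": u, "scenario": "Insider Threat",
                                "days": (start, in_win[-1][0]), "anomalies": types})
                break
    return threats
```

Raising min_types or shrinking window_days is the knob an analyst turns when tuning a custom scenario against historical anomalies.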
47. WHAT DOES SPLUNK UBA NEED? AT A MINIMUM: PROXY SERVER, FIREWALL, ACTIVE DIRECTORY / DOMAIN CONTROLLER, DNS, DHCP, fed from SPLUNK ENTERPRISE or ANY SIEM
48. WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba
49. WHY SPLUNK UBA?
THE MOST ADVANCED UEBA TECHNOLOGY
THE LARGEST INVESTMENT IN MACHINE LEARNING
A COMPLETE SOLUTION FROM SPLUNK
DETECT THE UNKNOWNS
IMPROVE SOC & HUNTER EFFICIENCY
51. The 7th Annual Splunk Worldwide Users’ Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Hunk – for analytics on data in Hadoop
Splunk Mint – to get insights into data from Mobile devices
The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types. Additionally, Splunk and Splunk ecosystem partners have built more than 2,000 apps and add-ons that can be downloaded and used by customers.
We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything.
There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
The Adaptive Response Initiative represents the commitment and collective efforts of best-of-breed security industry vendors
Participant vendors are collaborating to provide a defense strategy for multi-layered heterogeneous security architectures
The strategy enables faster, better-informed decision making across multiple security domains
This decision making efficiency helps SOC teams protect against advanced (multi-vector, multi-phased) attacks
--
Adaptive Response presents users with new context gleaned from the collective intelligence of domain-specific technologies, to verify and/or apply as threat response
Splunk is positioned at the center of Adaptive Response and the resulting coordinated response to advanced threats
--
Adaptive Response enables timely, effective disruption of the kill chain and subsequent increase in cost of attacks to threat actors
Core capabilities include elimination of manual data gathering steps, and ability to apply appropriate actions (or range of actions), specific to each security domain
One key benefit is improved ability to respond and adapt – actions can be manual, approval-triggered, or analytics-driven
--
Adaptive Response was conceived as a result of the successes of existing Splunk customers who compelled Splunk and partners to form the initiative
Launched at RSA 2016, backed initially by Leading Security Domain Vendors: Carbon Black, CyberArk, Fortinet, Palo Alto Networks, Phantom Cyber, Splunk, Tanium, ThreatConnect and Ziften
Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
3.3. 3.0 was the first release done against Splunk 6 and that was a huge step forward – mainly because of the use of CIM and accelerated data models.
Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless.
Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable.
Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – Splunk with ES is just as flexible and customizable. And it leverages technology in the core product like MapReduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem.
ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
Underneath ES, there’s this concept called the Common Information Model… This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
…that’s evil. Normalization = bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with Splunk…
…we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, such as IDS to vulnerability data.
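The search-time normalization described above, as an added example that is not Splunk’s CIM implementation: three constructed AV products log in different formats, a per-sourcetype extractor maps each onto one common field set (the CIM Malware-style names signature, action, dest, user and vendor_product are assumed), and cross-vendor reporting runs on the normalized fields while the raw lines stay untouched. When a vendor changes its format, only that vendor’s extractor is swapped.

```python
"""Search-time normalization in the style of the Splunk CIM (added example).

Constructed raw events from three hypothetical AV products, each in its own
format, are mapped onto one common field set at query time. The raw text is
stored untouched; only the per-sourcetype extractor changes when a vendor's
format does. Field names follow the CIM Malware data model (signature, action,
dest, user, vendor_product); product names and events are made up.
"""
import csv
import json
import re
from collections import Counter

# Constructed raw log lines; each list is one "sourcetype".
RAW = {
    "av_alpha": [   # hypothetical vendor A: key=value pairs
        '2016-03-01T10:02:11Z action=quarantined sig="Trojan.Gen.2" host=ws-17 user=jsmith',
        '2016-03-01T10:05:40Z action=allowed sig="EICAR-Test" host=ws-22 user=mlee',
    ],
    "av_beta": [    # hypothetical vendor B: one JSON object per line
        '{"ts":"2016-03-01T10:03:02Z","verdict":"DELETE","threat":"Trojan.Gen.2",'
        '"endpoint":"srv-db01","account":"svc_backup"}',
    ],
    "av_gamma": [   # hypothetical vendor C: CSV columns time,computer,user,threat,result
        '2016-03-01T10:04:55Z,ws-17,jsmith,Trojan.Gen.2,Cleaned',
    ],
}

# Vendor verdict vocabularies coerced onto the CIM action values blocked/allowed.
ACTION_MAP = {"quarantined": "blocked", "delete": "blocked", "cleaned": "blocked",
              "allowed": "allowed", "detected": "allowed"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def extract_alpha(raw):
    ts, rest = raw.split(" ", 1)
    kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"_time": ts, "action": kv["action"], "signature": kv["sig"],
            "dest": kv["host"], "user": kv["user"]}

def extract_beta(raw):
    j = json.loads(raw)
    return {"_time": j["ts"], "action": j["verdict"], "signature": j["threat"],
            "dest": j["endpoint"], "user": j["account"]}

def extract_gamma(raw):
    ts, host, user, threat, result = next(csv.reader([raw]))
    return {"_time": ts, "action": result, "signature": threat, "dest": host, "user": user}

# Swap one entry here when a vendor changes format; the stored raw data is untouched.
EXTRACTORS = {"av_alpha": extract_alpha, "av_beta": extract_beta, "av_gamma": extract_gamma}

def normalize(raw_by_sourcetype=RAW):
    """Apply each sourcetype's extractor at 'search time' and unify the action values."""
    events = []
    for sourcetype, lines in raw_by_sourcetype.items():
        for line in lines:
            ev = EXTRACTORS[sourcetype](line)
            ev["action"] = ACTION_MAP.get(ev["action"].lower(), "unknown")
            ev["vendor_product"] = sourcetype
            ev["_raw"] = line
            events.append(ev)
    return events

def count_by(events, field):
    """Equivalent of a stats count by <field> over the normalized events."""
    return Counter(ev[field] for ev in events)

def signatures_across_vendors(events):
    """Cross-vendor view: how many distinct products reported each signature."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["signature"], set()).add(ev["vendor_product"])
    return {sig: len(products) for sig, products in seen.items()}

def hosts_with_allowed_malware(events):
    """Hosts where some vendor reported malware it did not block: the ones to chase."""
    return sorted({ev["dest"] for ev in events if ev["action"] == "allowed"})
```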
Let’s talk about “What’s new in Enterprise Security 4.0”
First pillar is Investigation:
It’s a major release because the design goal is to optimize multi-step analyses, specifically for breach analysis. To accomplish that goal, we are introducing:
Investigator Journal, a feature that tracks analysts’ actions
Attack & Investigation Timeline, which puts analysis events and notes on a timeline to address our plan toward managing the kill chain concept.
Second pillar is Collaboration:
We understand that security is coordination of people and expertise, which involves team effort.
So we believed it is important to introduce ES as an Open Solutions Framework where analysts and communities can share knowledge objects or ES-specific extended features.
As an example, the PCI app is rewritten on top of the ES Open Solutions Framework; PCI conveniently reuses features in ES like the notable events framework, threat intelligence framework, asset and identity framework, etc.
So our vision was to create flexible, yet powerful, and of course open frameworks where we can nurture and embrace our overall ecosystem, which includes customers, resellers, technology partners and even students who want to develop cool features, rules, intelligence feeds etc. on top of ES.
The community can easily share knowledge, which provides a mechanism to accelerate innovation.
Customers, vendors and third parties can create and extend the functionality of ES, and run the content within the ES framework.
The content can be imported and exported.
Developers can share new apps and modules internally, or distribute them to the Splunk community on Splunkbase.
Content packs have access to ES-specific functionality, including notable events, the risk framework, and the identity framework.
Operational issues and challenges. Use dashboards, alerts (correlation), correlate against observables.
Use them for ad hoc searching and swimlanes.
a. Continuation of the integration: enables in-depth investigation by bringing UBA anomalies in as a sourcetype. Significant because every field in ES is available.
b. Describe the solution. Value of ES, Notable Events… IR. Add context.
c. Increasing Threat Intel… Mention leadership and WP. Coverage.
Highlights…
Custom threat modelling
Data access
Easier
Leadership, innovation
They have been evolving for years. Go back 15 years and we cared about viruses and worms. Then phishing and malware, and we’re concerned about those too. Malicious insider threats. Now, originally we had signature-based detection, and the problem there is that things change and morph and come out so quickly that we can’t keep up. There are highly paid groups of people looking to break into our customers’ organizations, and they spend time around the clock every day trying to do that. So we apply a lot of people, process and technology to try and protect ourselves – this is a “defensive” measure.
ASK: Are you running an existing SIEM?
Just about every company invests in a SIEM, sometimes multiple. Do they work? Maybe, if you provide the right care and feeding. SIEM has over-promised and under-delivered. Why? Basically because SIEMs are programmed by humans to look, mostly, for known events. They use rules. These rules can be complex and quite effective, but they are only as good as the human creating the rules. Think about all of the companies that have been breached in the past few years. Do you think they didn’t have a SIEM?
In the 2014 Verizon Data Breach report, it was found that only 1% of successful breaches were spotted by SIEM systems. That figure hasn’t changed much over the past few years. OWNING a SIEM is not the same as RUNNING a SIEM.
ASK: Are you able to hire good security people?
The latest Bureau of Labor Statistics figures show that there are about 80,000 individuals in the US with this title. Do you know how many are typically unemployed at any given time? 0%
Even if you have all the money in the world to hire, you often can’t hire the very talented infosec hunters you need to.
It’s really hard to know what normal is…
And the last thing these overworked, understaffed groups need is ANOTHER complex security tool where you have to go to training to understand how to run it or how to interpret its results.
The great majority of successful breaches occur when a user’s credentials are compromised and then used to infiltrate a network, move laterally, and steal stuff. Problem is, how do you know who the “real” users are as opposed to the impostors? 100% of publicized breaches use compromised credentials. So if we can find users or systems USING these credentials…
Remind what UBA is
Highlight the pictures on the right… custom threats
Point out the fact that we now have rules with ML. Competitors have rules with stats.
We’re headed to the East Coast!
2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands-on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting-edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!