3. Platform for Machine Data
Splunk Solutions: easy to adopt across data sources, use cases and consumption models. Splunk Premium Solutions (ITSI / IT Svc Int, UBA, PCI Security, Exchange, VMware) and a rich ecosystem of apps.
Data sources shown: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL.
5. Splunk Security Vision
Security markets: SIEM & Compliance; Security Analytics (supervised and unsupervised); Fraud & Business Risk; Managed Security & Intelligence Services.
Splunk Security Intelligence Framework: workflow/collaboration, case management, content/intelligence syndication and eco-system brokering.
6. Enterprise Security
● Provides: support for security operations/command centers
● Functions: alert management, detection using (pre-built) correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing
● Personas served: SOC analysts, security teams, incident responders, hunters, security managers
● Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches, dynamic baselines
7. User Behavior Analytics
● Provides: advanced threat detection using unsupervised machine learning; complements SIEMs (if any)
● Functions: baselines behavior from log data and other data to detect anomalies and threats
● Personas served: SOC analysts, hunters
● Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science
9. Machine data contains a definitive record of all interactions, human-to-machine and machine-to-machine. Splunk is a very effective platform to collect, store, and analyze all of that data.
10. Rapid Ascent in the Gartner SIEM Magic Quadrant*
• 2011 Niche Player
• 2012 Challenger
• 2013 Leader
• 2014 Leader
• 2015 Leader and the only vendor to improve its visionary position
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
12. ES Fast Facts
● Current version: 4.1, released at RSA
● One release per quarter (soon)
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
13. The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in: network AV, Windows + OS X AV, PCI-zone Linux AV, network sandboxing, APT protection
● CIM = Data Normalization
16. Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries.
17. ES Evolution (timeline: Q3 2014, Q4 2014, Q2 2015, 2016)
• ES 3.0
• ES 3.1: Risk Framework, Guided Search, Unified Search Editor, Threatlist Scoring, Threatlist Audit
• ES 3.2: Protocol Intelligence (Stream capture), Semantic Search (Dynamic Thresholding)
• ES 3.3: Threat Intel framework, User Activity Monitoring, Content Sharing, Data Ingestion
• ES 4.x: Breach Analysis, Integration with Splunk UBA, Splunk Security Framework, Facebook Threat
18. What’s THE LATEST? ES 4.1 + UBA 2.2
• UBA results across the SIEM workflow (ES 4.1 + UBA 2.2)
• Rapid investigation of advanced threats (ES 4.1)
• Enhanced insider threat & cyber attack detection (UBA 2.2)
19. Threat Investigation
1. Track Actions: allow the analyst to identify the attacker’s activities
2. Collaborate: leverage knowledge silos
3. Communicate: share discovered information
Tools: ad hoc searches, dynamic filters, timely memos, ad hoc stats, ad hoc reports.
The investigation analysis and reports must also be dynamic…
22. Adaptive Response Initiative
1. Not a product – we have a framework app to help
2. Generally involves custom commands and workflow actions
3. Faster, better informed decisions
4. Can carry out automation manually, with confirmation, or automatically
37. Administering complex tech = hard. DATA BREACH COST: $154 on average per record.
UBA: Unsupervised Machine Learning + Data Science for User/Entity Behavior Analytics
38. Splunk UBA: Main Use Cases
• Advanced Cyber-Attacks
• Malicious Insider Threats
44. Data Sources
KEY: Identity/Auth; SaaS/Mobile; Security Products; External Threat Feeds; Activity (N-S, E-W); OPTIONAL
• Identity/Auth: Active Directory/Domain Controller, Single Sign-on, HRMS, VPN
• SaaS/Mobile: Box, SF.com, Dropbox, other SaaS apps; Mobile Devices
• Security Products: Web Gateway, Proxy Server, Firewall, End-point, IDS, IPS, AV, DLP, File Server/Host Logs
• External Threat Feeds: Malware Threat Stream, FS-ISAC or other blacklists for IPs/domains
• Activity (N-S, E-W): DNS, DHCP
• OPTIONAL: Netflow, PCAP, AWS CloudTrail
45. Data Sources (same diagram as slide 44, with Norse added to the external threat feeds)
Splunk Enterprise & ES preferred, but not required. UBA can be standalone!
48. The 7th Annual Splunk Worldwide Users’ Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
#splunkconf2016
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – log search and analytics for small IT environments
Hunk – for analytics on data in Hadoop
The products can pull in data from virtually any source to support multiple use cases.
Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
For the purposes of this discussion we’ll be talking about and seeing Splunk ES 4.1 and UBA 2.2, running on top of our current release of Splunk Enterprise 6.4.
Splunk solutions provide capabilities across the modern security markets – from left to right – Splunk isn’t a traditional SIEM but provides SIEM capabilities via Enterprise Security. Enterprise Security also helps with various compliance regulations, and if you need a more specific approach to PCI we have a separate app just for that. Then we provide various methods for security analytics – nothing in Splunk is set in stone or tied down which is a major advantage over rigid SIEM technology. If you want to hunt through your data and create your own searches for analytics – go right ahead with Core Splunk and ES. If you’d rather have a fully curated, out of the box machine learning driven experience, or also want that – then that’s UBA. We are also finding that customers can and do leverage our platform to analyze for fraud and business risk. And finally, many of our partners are offering managed security services with our platform at the center.
Enterprise Security is a premium app designed to be used in a SOC or incident response group, and it provides SIEM-like functions on top of the Splunk Enterprise or Splunk Cloud platform.
UBA is very different – it is a standalone platform and doesn’t necessarily need the Splunk Enterprise platform to do what it does. We expect it to be used by SOC analysts and hunters. It is specifically designed to surface vetted threats about outside attackers and insiders, and it does this with a software appliance based approach.
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything.
There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
3.3. ES 3.0 was the first release done against Splunk 6, and that was a huge step forward, mainly because of the use of CIM and accelerated data models.
Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless.
Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable.
Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem.
ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
Underneath ES, there’s this concept called the Common Information Model. This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them, analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
…that’s evil. Normalization = bad, because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with Splunk…
…we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. Also allows cross-domain correlation like IDS to Vuln.
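To make the search-time normalization point concrete, here is an added example (not Splunk code, and not from the talk) that models two hypothetical AV products with different raw formats, maps both onto one set of common fields at query time, and then correlates across vendors. The "av_alpha"/"av_beta" formats, the sample events, the field names and the action vocabulary are all constructed for illustration; the second extraction table shows that fixing a bad onboarding (host and user columns swapped) only touches the extraction, never the stored events.

```python
import re
from datetime import datetime, timezone

# Constructed sample events from two hypothetical AV products ("av_alpha", "av_beta").
# These are not real vendor formats; they only stand in for disparate sources.
RAW_EVENTS = [
    ("av_alpha", "2016-04-12T09:15:02Z host=ws-101 user=alice action=quarantined threat=Trojan.Gen"),
    ("av_alpha", "2016-04-12T09:16:40Z host=ws-102 user=bob action=detected threat=Adware.X"),
    ("av_beta", "Apr 12 2016 09:17:11 | SRV-DB1 | svc_backup | BLOCKED | Ransom.Locky"),
    ("av_beta", "Apr 12 2016 09:18:55 | ws-101 | alice | CLEANED | Dropper.B"),
]

# Search-time knowledge: per sourcetype, a regex naming CIM-style fields plus a timestamp
# format. Raw events are never rewritten; only this table is edited when a format is wrong
# or changes. Version 1 carries the onboarding mistake from the talk: av_beta's host and
# user columns were mapped the wrong way round.
EXTRACTIONS_V1 = {
    "av_alpha": (re.compile(r"(?P<_time>\S+) host=(?P<dest>\S+) user=(?P<user>\S+) "
                            r"action=(?P<action>\S+) threat=(?P<signature>\S+)"),
                 "%Y-%m-%dT%H:%M:%SZ"),
    "av_beta": (re.compile(r"(?P<_time>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \| "
                           r"(?P<user>[^|]+) \| (?P<dest>[^|]+) \| (?P<action>[^|]+) \| (?P<signature>.+)"),
                "%b %d %Y %H:%M:%S"),
}
# Version 2 swaps the two group names back. Nothing else changes and nothing is re-indexed.
EXTRACTIONS_V2 = dict(EXTRACTIONS_V1)
EXTRACTIONS_V2["av_beta"] = (
    re.compile(r"(?P<_time>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \| "
               r"(?P<dest>[^|]+) \| (?P<user>[^|]+) \| (?P<action>[^|]+) \| (?P<signature>.+)"),
    "%b %d %Y %H:%M:%S")

# Each vendor has its own action vocabulary; fold it onto one shared set.
ACTION_MAP = {"quarantined": "blocked", "blocked": "blocked", "cleaned": "blocked",
              "detected": "allowed"}

def normalize(sourcetype, raw, extractions):
    """Map one raw event onto common fields: time, action, subsystem, requester, target, outcome."""
    regex, fmt = extractions[sourcetype]
    m = regex.search(raw)
    if m is None:
        return None  # unparsable event: surfaced as a gap rather than a silently wrong record
    f = m.groupdict()
    return {
        "_time": datetime.strptime(f["_time"], fmt).replace(tzinfo=timezone.utc),
        "vendor_product": sourcetype,             # subsystem performing the action
        "dest": f["dest"].strip().lower(),        # object the action was taken on
        "user": f["user"].strip().lower(),        # identity requesting/owning the session
        "action": ACTION_MAP.get(f["action"].strip().lower(), "unknown"),
        "signature": f["signature"].strip(),
    }

def blocked_signatures_by_host(events, extractions):
    """Cross-vendor correlation: which threats were blocked on which host, whatever the AV product."""
    out = {}
    for sourcetype, raw in events:
        ev = normalize(sourcetype, raw, extractions)
        if ev and ev["action"] == "blocked":
            out.setdefault(ev["dest"], set()).add(ev["signature"])
    return out

if __name__ == "__main__":
    print(blocked_signatures_by_host(RAW_EVENTS, EXTRACTIONS_V1))  # 'alice' wrongly shows up as a host
    print(blocked_signatures_by_host(RAW_EVENTS, EXTRACTIONS_V2))  # ws-101 carries hits from both vendors
```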
Now we understand that in order to respond effectively to a complex breach incident investigation in a timely manner, there is constant jumping around to find evidence, and the dynamic analysis actions need to be well organized.
Because the investigation analysis and reports are so dynamic, our goals for delivering the “investigator journal and timeline” are to address these very challenges:
1. To be able to track the investigator's actions
2. Clearly and accurately communicate the scope of the breach through a single aggregated view
3. Leverage the collective knowledge of experienced security analysts, break down the silos, and maximize capabilities by bringing diverse expertise into one common objective
So our vision was to create flexible, yet powerful, open frameworks where we can nurture and embrace our overall eco-system, which includes customers, resellers, technology partners and even students who want to develop cool features, rules, intelligence feeds etc. on top of ES, so the community can easily share knowledge or provide a mechanism to accelerate innovation.
Customers, vendors and third parties can create and extend the functionality of ES, and run the content within the ES framework. The content can be imported and exported. Developers can share new apps and modules internally, or distribute them to the Splunk community on Splunkbase.
Content packs have access to ES-specific functionality, including notable events, the risk framework, and the identity framework.
Threats have been evolving for years. Go back 15 years and we cared about viruses and worms. Then phishing and malware, and we’re concerned about that too. Malicious insider threats. Now originally we had signature-based detection, and the problem there is that things change and morph and come out so quickly that we can’t keep up. There are highly paid groups of people looking to break into our customers’ organizations and they spend time around the clock every day trying to do that. So we apply a lot of people, process, technology to try and protect ourselves – this is a “defensive” measure.
ASK: Are you running an existing SIEM?
Just about every company invests in a SIEM, sometimes multiple. Do they work? Maybe, if you provide the right care and feeding. SIEM has over-promised and under-delivered. Why? Basically because SIEMs are programmed by humans to look, mostly, for known events. They use rules. These rules can be complex and quite effective, but they are only as good as the human creating the rules. Think about all of the companies that have been breached in the past few years. Do you think they didn’t have a SIEM?
In the 2014 Verizon Data Breach report, it was found that only 1% of successful breaches were spotted by SIEM systems. That figure hasn’t changed much over the past few years. OWNING a SIEM is not the same as RUNNING a SIEM.
ASK: Are you able to hire good security people?
The latest Bureau of Labor Statistics figures show that there are about 80,000 individuals in the US with this title. Do you know how many are typically unemployed at any given time? 0%
ASK: Are all of your SOC personnel competent at the same levels?
All of those 80,000 employees are not created equal. Some hit a high bar. Others, not so much.
Even if you have all the money in the world to hire, you often can’t hire the very talented infosec hunters you need to.
It’s really hard to know what normal is…
And the last thing these overworked, understaffed groups need is ANOTHER complex security tool where you have to go to training to understand how to run it or how to interpret its results.
The great majority of successful breaches occur when a user’s credentials are compromised and then used to infiltrate a network, move laterally, and steal stuff. The problem is, how do you know who the “real” users are as opposed to the imposters? 100% of publicized breaches use compromised credentials. So if we can find users or systems USING these credentials…
Compound all that with the cost of breaches, which on average is $154 in recovery costs per stolen record, and you start to understand the scope of the problem, and realize…
…we’re gonna need a bigger boat. Because the boat we have today ain’t working all that well for us. We don’t have the time. We don’t have the resources. So let’s take a look at a bigger boat.
We bought a company called Caspida right before Blackhat this year. They had only been around for about two years, but we were extremely impressed with their technology and vision. This technology has become Splunk UBA.
Infosec and threat detection solution. Helps you find hidden threats without using rules, signatures, or human analysis.
It uses behavior modeling, peer group analysis, graph models, real time statistical analysis, collaborative filtering, and other machine learning techniques.
UBA isn’t designed to replace anything in your environment today – it supplements. It focuses on two main uses cases – detecting advanced cyber attacks, and detecting malicious insider threats. And it does this with a very high degree of confidence, automatically. Is it going to find every possible threat in your environment? Nope. But what it does find, you can feel confident in the reported results.
I’m pretty old – when I went out for ice cream with my family as a kid we always went to Baskin Robbins.
Now, we do add to these models, but not as quickly as you might think. The reason is – these are all behavior based, and although individual threat patterns and types change frequently, the underlying behavior of the threats does not. So when you have behavior based models you don’t need to constantly update them. We do tweak them and test them though.
Modify? Not yet. But if you do have a team of data scientists that can program in Scala and understand things like Markov probability graphs extensively, then we offer services to allow for your own models. In the future we will provide an SDK.
When you’re in the product there are two distinct ways to use it, and this is where we have a significant advantage. There’s a wizard-like interface that steps a junior analyst through threats found, and makes recommendations as to what to do. You can click on the findings and see the raw results, too. The interface is beautiful and intuitive. This plays right in line with the need to make life as easy as possible for the tiny number of security analysts that are usually in each account. But for the hardcore geeks that want to pick through the individual anomalies…
There’s the Hunter workflow. This is more hands on, allowing the seasoned security person to view all anomalous users, or traffic, or devices, or what have you, and use that data to hunt. You can of course drill into this data in Splunk to take things as far as you need to.
The standard delivery is via an OVA that you install in your current VMware environment. It scales horizontally – about 5,000 EPS per appliance. You can install it on bare-metal Linux if you would like. Or, you can install it as an AMI in AWS.
The data sources that UBA expects to consume are typical, and if you’re an existing Splunk security customer, you are probably putting a lot of this in Splunk today. The more data you feed UBA, the better the analysis will be.
And…you don’t even need to run traditional Splunk to take advantage of UBA. UBA can consume data directly via a few different methods, and connectors exist for a few of the popular SIEM technologies.
Let’s see a quick demo.
We’re headed to the East Coast!
2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!