Copyright © 2016 Splunk Inc.
Splunk for Enterprise Security featuring
User Behavior Analytics
Anurag Gurtu, Director Product Marketing
Nimish Doshi, Principal Sales Engineer
David Veuve, Principal Security Strategist
Agenda
• Splunk Enterprise Security (10 minutes)
• Splunk ES Demo (20 minutes)
• Splunk User Behavior Analytics (10 minutes)
• Splunk UBA Demo (20 minutes)
• Q&A
Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
(Figure: human-to-machine and machine-to-machine interactions)
Platform for Machine Data
Splunk Solutions > Easy to Adopt: across data sources, use cases and consumption models
Splunk Premium Solutions: ITSI, UBA. Rich ecosystem of apps: VMware, Exchange, PCI, Security, IT Svc Int
Data sources: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL
Enterprise Security
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant
for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four Years in a Row as a Leader
Furthest overall in Completeness
of Vision
Splunk also scores highest in 2016
Critical Capabilities for SIEM
report in all three Use Cases
Splunk Enterprise Security supports all SIEM use cases
(Figure: layered view of functions)
Functions: Monitor, Report, Analyze, Investigate, Response, Collaborate, Detect, Alert
Security Ops Management (SIEM layer): pre-defined views and rules; correlation rules, thresholds; analysis, investigation & context enrichment; enterprise-wide coordination & response. Alert & incident management, policy-based rules, out-of-box security rules & analysis.
Data Platform: Collect, Store, Search, Report, Ad hoc Analyze, Visualization. Collect and index data for search, analysis and visualization; dynamic ad hoc and statistical analysis.
What’s new in Enterprise Security 4.5?
Adaptive Response: Analytics-driven Decisions
• Centrally automate retrieval, sharing and response action
resulting in improved detection, investigation and
remediation times
• Improve operational efficiency using workflow-based
context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and
taking actions between Enterprise Security and Adaptive
Response partners
Insight from Across Ecosystem
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout
Effectively leverage security infrastructure to gain a holistic view
(Figure: Adaptive Response partner categories: workflow, identity, network, internal network security, app, endpoints, web proxy, threat intel)
Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security
metrics within a logical or physical Glass Table view
• Improve response times with nested views to display what’s
important or relevant
• Optimize workflow with drill-down to the supporting criteria
of the metric
ES Demo
Splunk Premium Security Solutions
Splunk Enterprise Security and Splunk User Behavior Analytics: extensible analytics & collaboration; enable rapid investigations; advanced threat detection using machine learning.
Splunk User Behavior Analytics
WHAT IS SPLUNK UBA?
Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the-box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baseline and peer group analytics.
Splunk User Behavior Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
(Figure: security analytics built on the Platform for Machine Data: behavior baselining & modelling, unsupervised machine learning, real-time & big data architecture, threat & anomaly detection)
A Few CUSTOMER FINDINGS
• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account Activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft
Verticals: RETAIL, HI-TECH, MANUFACTURING, FINANCIAL
WHAT WILL I DEMO
• INGEST DATA FROM SECURITY PRODUCTS
• OBSERVE ANOMALY GENERATION
• OBSERVE THREAT GENERATION AND TRANSFORMATION
KEY TAKEAWAYS
• DATA INGESTION IS STRAIGHTFORWARD AND FAST
• ML ALGORITHMS PROCESS RAW EVENTS AND GENERATE ANOMALIES (REAL-TIME)
• ML ALGORITHMS STITCH ANOMALIES INTO THREATS (REAL-TIME)
• ML ALGORITHMS TRANSFORM A THREAT INTO A NEW STATE
• INGEST DATA: FIREWALL EAST-WEST (1)
• INGEST DATA: FIREWALL NORTH-SOUTH (2)
• INGEST DATA: VPN CONCENTRATOR (3)
(Figure: network topology with switches, an east-west firewall, a north-south firewall and an edge router with VPN concentrator; ingest points 1, 2 and 3)
Step 1: INGEST FIREWALL EAST-WEST LOGS
Step 2: INGEST FIREWALL NORTH-SOUTH LOGS (40.1K events)
Step 3: INGEST VPN LOGS from the edge router w/ VPN concentrator (80.9K events)
WHAT WOULD HAPPEN IF SPLUNK UBA INGESTED DATA FROM ONLY ONE DEVICE?
(Figure: events, anomalies and threats per data source)
FIREWALL EAST-WEST: 30K events. Anomalies: unusual network activity (17). Threats: INSIDER: LATERAL MOVEMENT (BILL); INSIDER: LATERAL MOVEMENT (ROD).
EDGE ROUTER w/ VPN CONCENTRATOR: 80.8K events. Anomalies: unusual activity time (1); land speed violation (1).
FIREWALL NORTH-SOUTH: 40.1K events. Anomalies: unusual geo location of communication destination (13); excessive data transmission (2).
Threats: DATA EXFILTRATION BY SUSPICIOUS DEVICE (two instances).
ADDITIONAL DATA SOURCES ENRICH THREAT DETECTION
LET’S SUMMARIZE
INSIDER: LATERAL MOVEMENT (BILL); INSIDER: LATERAL MOVEMENT (ROD)
>> INSIDER: DATA EXFILTRATION by SUSPICIOUS USER or DEVICE (BILL & ROD)
>> EXTERNAL: DATA EXFILTRATION by COMPROMISED ACCOUNT (BILL & ROD)
THREAT CONTINUED TO EVOLVE WITH ADDITIONAL DATA SOURCES
ML PROCESSED RAW EVENTS AND GENERATED MANAGEABLE ALERTS
100% ML DRIVEN
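The demo's progression from single-source anomalies to a multi-source threat, as an added Python illustration; this is not Splunk UBA's code or algorithm. The anomaly names and the users Bill and Rod come from the slide labels, while the log-source keys (fw_east_west, fw_north_south, vpn) and the escalation rules in classify are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
# Added illustration, not Splunk UBA's code or algorithm. Source and anomaly names
# are constructed from the slide labels; the escalation rules are hypothetical.

@dataclass(frozen=True)
class Anomaly:
    source: str  # log source that produced it
    kind: str    # anomaly type
    entity: str  # user or device it is attributed to

ANOMALIES = [  # constructed sample anomalies, loosely following the per-source findings
    Anomaly("fw_east_west", "unusual_network_activity", "bill"),
    Anomaly("fw_east_west", "unusual_network_activity", "rod"),
    Anomaly("fw_north_south", "unusual_geo_destination", "bill"),
    Anomaly("fw_north_south", "excessive_data_transmission", "bill"),
    Anomaly("fw_north_south", "excessive_data_transmission", "rod"),
    Anomaly("vpn", "land_speed_violation", "bill"),
    Anomaly("vpn", "unusual_activity_time", "rod"),
]

def classify(kinds):
    """Hypothetical rules: which anomaly combinations form or escalate a threat."""
    lateral = "unusual_network_activity" in kinds
    exfil = bool({"unusual_geo_destination", "excessive_data_transmission"} & kinds)
    account = bool({"land_speed_violation", "unusual_activity_time"} & kinds)
    if exfil and account:  # data leaving plus signs the account is not its owner
        return "external: data exfiltration by compromised account"
    if exfil and lateral:
        return "insider: data exfiltration by suspicious user or device"
    if lateral:
        return "insider: lateral movement"
    if exfil:
        return "data exfiltration by suspicious device"
    return None

def stitch(anomalies, sources):
    """Group anomalies from the enabled sources by entity; return entity -> threat label."""
    by_entity = defaultdict(set)
    for a in anomalies:
        if a.source in sources:
            by_entity[a.entity].add(a.kind)
    return {e: label for e, kinds in by_entity.items() if (label := classify(kinds))}

def evolve(anomalies, order):
    """Re-stitch after each source is added: same entities, a changing threat label."""
    enabled, steps = set(), []
    for src in order:
        enabled.add(src)
        steps.append((src, stitch(anomalies, enabled)))
    return steps

if __name__ == "__main__":
    for src, threats in evolve(ANOMALIES, ["fw_east_west", "fw_north_south", "vpn"]):
        print(f"after adding {src}: {threats}")
```

With only the east-west firewall enabled both users stay at lateral movement; the north-south firewall adds the exfiltration picture, and the VPN anomalies re-label the same entities as a compromised account.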
EXPLORE SPLUNK UBA WITH YOUR OWN DATA.
CONTACT: UBA-SALES@SPLUNK.COM
Mark Your Calendars!
• .conf2017 is going to DC!
• Sept 25-28, 2017
• Walter E Washington Convention Center
Thank You!


Editor's Notes

  • #4 Splunk excels at creating a data fabric. Machine data: anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION, NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks, DETECT breaches, DETECT the “weird.” So if you had a place to see “everything” that happened… what would that mean for your SOC and IR teams?
  • #5 The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise: for on-premise deployment. Splunk Cloud: fully managed service with a 100% SLA and all the capabilities of Splunk Enterprise, in the cloud. Splunk Light: log search and analytics for small IT environments. Hunk: for analytics on data in Hadoop. The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
  • #7 Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • #8 3.3. 3.0 was the first release done against Splunk 6, and that was a huge step forward, mainly because of the use of CIM and accelerated data models. Unlike other competitive solutions, ES is constantly evolving, on average twice a year. Upgrades are pretty seamless. Where does content come from? All of the typical places, but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable. Splunk is more than a product; it is a wide-open platform that inspires. None of this is lost in ES: Splunk with ES is just as flexible and customizable, and it leverages technology in the core product like MapReduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem. ES has its own dev team and roadmap, dedicated support individuals, and a services practice schooled in it and other complementary infosec. Lots of training is also available.
  • #14 Gain a holistic view across all security-relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more. Detect, investigate and respond by overcoming silos.
  • #17 A critical security concern for banks is fraud. So let’s hear how Orrstown Bank uses Splunk.