This document provides an overview of a presentation on Splunk for security. It includes a disclaimer noting that any forward-looking statements are based on current expectations and could differ from actual results. It also notes that information on roadmaps is subject to change without notice. The presentation will provide a hands-on activity using a free 15-day Enterprise Security sandbox trial of Splunk products hosted on AWS.
2. Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
4. What's a sandbox?

• A 100% free, fully featured 15-day trial of Splunk products: Cloud, Light, or ES
• Hosted in AWS
• Authenticates off of your Splunk account
• Has sample data for you to play with
• Supports onboarding of your own data

Today's session: A hands-on activity with your very own Enterprise Security sandbox!
28. Machine data contains a definitive record of all interactions. Splunk is a very effective platform to collect, store, and analyze all of that data.

[Figure labels: Human, Machine, Machine, Machine]
29. Platform for Machine Data

[Figure: data sources around the platform: Mainframe Data, VMware, Exchange, PCI, Security, Relational Databases, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Wire Data, Mobile Intel; on top of the platform: Splunk Premium Apps, Rich Ecosystem of Apps, MINT, Splunk Solutions]

> Easy to Adopt Across Data Sources, Use Cases & Consumption Models
30. Rapid Ascent in the Gartner SIEM Magic Quadrant*

2011: Niche Player. 2012: Challenger. 2013: Leader. 2014: Leader. 2015: Leader and the only vendor to improve its visionary position.

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
32. ES Fast Facts

● Current version: 3.3 in the sandbox; 4.0 was released at the end of October! (4.0 not in sandbox…yet)
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
37. Data comes from…

You can actually do this in the sandbox, if you want.
38. Data Ingest + Common Information Model

You've got a bunch of systems…
● How to bring in:
  ● Network AV
  ● Windows + OS X AV
  ● PCI-zone Linux AV
  ● Network Sandboxing
  ● APT Protection
● CIM = Data Normalization
41. Data Normalization is Mandatory for your SOC

"The organization consuming the data must develop and consistently use a standard format for log normalization." – Jeff Bollinger et al., Cisco CSIRT

Your fields don't match? Good luck creating investigative queries.
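Slides 38 and 41 make the point that a single investigative query only works once every source is mapped onto common field names. The following is an added example, not code from the presentation or from Splunk, written in Python rather than SPL: three constructed AV sources in their own schemas are re-keyed to the Splunk CIM Malware field names (dest, user, signature, action, file_name, vendor_product), after which one query answers across all of them. The vendor field names and sample events are constructed.

```python
"""Added example: why CIM-style field normalization matters for the SOC.

Three constructed AV/endpoint sources report the same kind of event with
different field names; one query only works after mapping them to common
(CIM Malware data model) field names.
"""

# Constructed sample events, one per source, each in the vendor's own schema.
RAW_EVENTS = [
    {"source": "network_av", "dst_host": "ws-017", "account": "jsmith",
     "threat_name": "Trojan.Emotet", "disposition": "quarantined",
     "filename": "invoice.doc.exe"},
    {"source": "windows_av", "ComputerName": "WS-042", "User": "CORP\\naughtyuser",
     "ThreatName": "Trojan.Emotet", "ActionTaken": "Blocked",
     "Path": "C:\\Users\\Public\\update.exe"},
    {"source": "linux_av_pci", "host": "pci-db-01", "uid_name": "svc_batch",
     "sig": "Backdoor.Linux.Mirai", "result": "allowed", "file": "/tmp/.x/run"},
]

# Per-source mapping from vendor field name to CIM Malware field name.
FIELD_MAP = {
    "network_av": {"dst_host": "dest", "account": "user", "threat_name": "signature",
                   "disposition": "action", "filename": "file_name"},
    "windows_av": {"ComputerName": "dest", "User": "user", "ThreatName": "signature",
                   "ActionTaken": "action", "Path": "file_name"},
    "linux_av_pci": {"host": "dest", "uid_name": "user", "sig": "signature",
                     "result": "action", "file": "file_name"},
}

# CIM expects a controlled vocabulary for action; map vendor words onto it.
ACTION_MAP = {"quarantined": "blocked", "blocked": "blocked", "allowed": "allowed"}

def normalize(event):
    """Return the event re-keyed to CIM field names, with values canonicalised."""
    out = {"vendor_product": event["source"]}
    for src_field, cim_field in FIELD_MAP[event["source"]].items():
        out[cim_field] = event[src_field]
    out["dest"] = out["dest"].lower()
    out["user"] = out["user"].split("\\")[-1].lower()  # strip DOMAIN\ prefix
    out["action"] = ACTION_MAP.get(out["action"].lower(), "unknown")
    return out

def search(events, **criteria):
    """One investigative query: events whose fields equal every criterion."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

if __name__ == "__main__":
    normalized = [normalize(e) for e in RAW_EVENTS]
    # The same query now hits all sources; against RAW_EVENTS it returns nothing.
    print(search(normalized, signature="Trojan.Emotet"))
    print(search(normalized, action="allowed"))
```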
52. Attack Map

The Challenge:
• Industry says Threat Intel is key to APT Protection
• Management wants all threat intel checked against every system, constantly
• Don't forget to keep your 15+ threat feeds updated

The Solution:
53. Verizon 2015 DBIR

"…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…"

Threat list aggregation = more complete intelligence
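Slides 52 and 53 together argue for merging many feeds and checking the merged list against every system. As an added example, not from the presentation and not Splunk's threat-intelligence framework, this Python block merges constructed outbound-destination feeds into one de-duplicated list, computes the DBIR-style share of indicators carried by only one feed, and matches the merged list against constructed proxy events. Feed names, indicators and hosts are all constructed.

```python
"""Added example: threat list aggregation and the 'unique to one feed' metric.

Constructed feeds are merged and de-duplicated, the fraction of indicators
present in exactly one feed is computed, and the merged list is checked
against constructed proxy events (client -> outbound destination).
"""

# Constructed feeds: name -> set of indicators (domains / IPs); overlap is small on purpose.
FEEDS = {
    "feed_a": {"bad1.example", "bad2.example", "203.0.113.10", "shared.example"},
    "feed_b": {"evil3.example", "198.51.100.7", "shared.example"},
    "feed_c": {"c2-4.example", "203.0.113.99", "evil3.example", "bad9.example"},
}

# Constructed proxy log: (client host, outbound destination).
PROXY_EVENTS = [
    ("ws-017", "www.example.org"),
    ("ws-042", "c2-4.example"),
    ("pci-db-01", "203.0.113.10"),
    ("ws-017", "bad9.example"),
]

def aggregate(feeds):
    """Merge feeds; return (merged set, indicator -> list of feeds carrying it)."""
    carried_by = {}
    for name, indicators in feeds.items():
        for ioc in indicators:
            carried_by.setdefault(ioc.lower(), []).append(name)
    return set(carried_by), carried_by

def unique_share(carried_by):
    """Fraction of indicators present in exactly one feed (the DBIR metric)."""
    singles = sum(1 for names in carried_by.values() if len(names) == 1)
    return singles / len(carried_by)

def match(events, carried_by):
    """Proxy events whose destination is on the merged list, with the source feeds."""
    return [(client, dest, carried_by[dest.lower()])
            for client, dest in events if dest.lower() in carried_by]

if __name__ == "__main__":
    merged, carried_by = aggregate(FEEDS)
    print(len(merged), "indicators after de-duplication")
    print(f"{unique_share(carried_by):.0%} unique to a single feed")
    for hit in match(PROXY_EVENTS, carried_by):
        print("HIT", hit)
```

Any single feed alone would have missed at least one of the three hits, which is the slide's point about aggregation.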
54. Under Advanced Threat click "Threat Activity"
71. STIX/TAXII feed

Browse through the tabs…

Investigate on your own time: Advanced Threat capabilities worth your while…and all areas under Security Domains
73. Auditors / Management / Compliance Says…

● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than 300 standard reports too
106. We want to add "naughtyuser" to this list because it is showing up in our data.

[SCROLL]
107. Select the last row, right click, and choose "Insert row below." Add whatever you want, but make sure the first column says "naughtyuser". When done, click Save.

Extra credit: Check your work in Identity Center
108. Attack & Investigation Timeline – New to 4.0

Methods to add contents into the timeline:

Action History – Actions:
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event Suppressed

Investigator Memo – Memo:
- Investigator's memos inserted in desired timeline

Incident Review – Incident:
- Notable events from Incident Review

[Figure label: Analyst / Investigator]
109. Next Steps…

Play in your ES Sandbox for 15 days
Explore some of the areas we didn't get to cover today
Ask questions of your account team
An ES 4.0 sandbox should be available soon; help yourself to another sandbox to see the new features
A two-hour version of this talk is available at conf.splunk.com