This document provides an overview of a presentation on Splunk for security. It includes a disclaimer noting that any forward-looking statements are based on current expectations and could differ from actual results. It also notes that information on roadmaps is subject to change without notice. The presentation will provide a hands-on activity using a free 15-day Enterprise Security sandbox trial of Splunk products hosted on AWS.

1. Copyright
©
2015
Splunk
Inc.
John
Stoner
Security
Strategist
Splunk
for
Security
-­‐
Your
Very
Own
Splunk
ES
Sandbox!

2. 2
Disclaimer
2
During
the
course
of
this
presentaIon,
we
may
make
forward
looking
statements
regarding
future
events
or
the
expected
performance
of
the
company.
We
cauIon
you
that
such
statements
reflect
our
current
expectaIons
and
esImates
based
on
factors
currently
known
to
us
and
that
actual
events
or
results
could
differ
materially.
For
important
factors
that
may
cause
actual
results
to
differ
from
those
contained
in
our
forward-­‐looking
statements,
please
review
our
filings
with
the
SEC.
The
forward-­‐
looking
statements
made
in
the
this
presentaIon
are
being
made
as
of
the
Ime
and
date
of
its
live
presentaIon.
If
reviewed
aRer
its
live
presentaIon,
this
presentaIon
may
not
contain
current
or
accurate
informaIon.
We
do
not
assume
any
obligaIon
to
update
any
forward
looking
statements
we
may
make.
In
addiIon,
any
informaIon
about
our
roadmap
outlines
our
general
product
direcIon
and
is
subject
to
change
at
any
Ime
without
noIce.
It
is
for
informaIonal
purposes
only
and
shall
not,
be
incorporated
into
any
contract
or
other
commitment.
Splunk
undertakes
no
obligaIon
either
to
develop
the
features
or
funcIonality
described
or
to
include
any
such
feature
or
funcIonality
in
a
future
release.

3. 3
What’s
a
sandbox?
3

4. 4
What’s
a
sandbox?
4
• A
100%
free,
fully
featured
15
day
trial
of
Splunk
products:
Cloud,
Light,
or
ES
• Hosted
in
AWS
• AuthenIcates
off
of
your
Splunk
account
• Has
sample
data
for
you
to
play
with
• Supports
onboarding
of
your
own
data
Today’s
session:
A
hands-­‐on
ac6vity
with
your
very
own
Enterprise
Security
sandbox!

5. 5
5

6. Let’s
create
a
sandbox

7. 7
7
hAps://www.splunk.com/getsplunk/es_sandbox

8. 8
8

9. 9
9

10. 10
10

11. 11
11

12. 12
12

13. 13
Let’s
fix
a
few
things!
• Saved
Search
Enablement
• Choose
a
Timezone
(Eastern
Time)
• CorrelaIon
Search
Enablement
13

14. 14
14
Click
Here
We
want
to
fix
this

15. 15
15
Click
Here

16. 16
16
Click
Here
Type
“30m”
and
click
green
magnifying
glass
1
3
Click
Here
2

17. 17
17
Click
Here

18. 18
18
Click
Here

19. 19
19
Pick
“Eastern
Time”,
and
save

20. 20
20

21. 21
21
Click
Here

22. 22
22
Click
Here

23. 23
23
Click
Here

24. 24
24
Type
“High”
to
filter

25. 25
25
Click
“Enable”
for
“High
or
Cri6cal
Priority
Host
with
Malware
Detected”

26. 26
26
Click
Here

27. What’s
ES
anyway?

28. Machine
data
contains
a
definiIve
record
of
all
interacIons
Splunk
is
a
very
effecIve
pladorm
to
collect,
store,
and
analyze
all
of
that
data
Human
Machine
Machine
Machine

29. 29
Mainframe
Data
VMware
Pladorm
for
Machine
Data
Exchange
PCI
Security
RelaIonal
Databases
Mobile
Forwarders
Syslog
/
TCP
/
Other
Sensors
&
Control
Systems
Wire
Data
Mobile
Intel
Splunk
Premium
Apps
Rich
Ecosystem
of
Apps
MINT
Splunk
SoluIons
>
Easy
to
Adopt
Across
Data
Sources,
Use
Cases
&
ConsumpIon
Models

30. 30
Rapid
Ascent
in
the
Gartner
SIEM
Magic
Quadrant*
*Gartner,
Inc.,
SIEM
Magic
Quadrant
2011-­‐2015.
Gartner
does
not
endorse
any
vendor,
product
or
service
depicted
in
its
research
publicaIon
and
not
advise
technology
users
to
select
only
those
vendors
with
the
highest
raIngs
or
other
designaIon.
Gartner
research
publicaIons
consist
of
the
opinions
of
Gartner’s
research
organizaIon
and
should
not
be
construed
as
statements
of
fact.
Gartner
disclaims
all
warranIes,
express
or
implied,
with
respect
to
this
research,
including
any
warranIes
of
merchantability
or
fitness
for
a
parIcular
purpose.
2015
Leader
and
the
only
vendor
to
improve
its
visionary
posiIon
2014
Leader
2013
Leader
2012
Challenger
2011
Niche
Player
2015

31. 31
App
Servers
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
The
image
cannot be
displayed
. Your
computer
may not
have
Splunk
as
the
Security
Nerve
Center

32. 32
ES
Fast
Facts
● Current
version:
3.3
in
the
sandbox,
4.0
was
released
at
the
end
of
October!
● Two
releases
per
year
● Content
comes
from
industry
experts,
market
analysis,
but
most
importantly
YOU
● The
best
of
Splunk
carries
through
to
ES
–
flexible,
scalable,
fast,
and
customizable
● ES
has
its
own
development
team,
dedicated
support,
services
pracIce,
and
training
courses
4.0
not
in
sandbox…yet

33. Security
Posture

34. 34
Security
Posture
34
How
do
you
start
and
end
your
day?

35. 35
Key
Security
Indicators
Sparklines
Editable

36. How
do
we
get
data
in?

37. 37
Data
comes
from…
You
can
actually
do
this
in
the
sandbox,
if
you
want.

38. 38
Data
Ingest
+
Common
InformaIon
Model
You’ve
got
a
bunch
of
systems…
● How
to
bring
in:
● Network
AV
● Windows
+
OS
X
AV
● PCI-­‐zone
Linux
AV
● Network
Sandboxing
● APT
ProtecIon
● CIM
=
Data
Normaliza6on

39. Copyright
©
2015
Splunk
Inc.
NORMALIZATION?!?

40. Copyright
©
2015
Splunk
Inc.
NORMALIZATION?!?
Relax.
This
is
therefore,
CIM
gets
applied
at
SEARCH
TIME.

41. 41
Data
NormalizaIon
is
Mandatory
for
your
SOC
“The
organizaIon
consuming
the
data
must
develop
and
consistently
use
a
standard
format
for
log
normalizaIon.”
–
Jeff
Bollinger
et.
al.,
Cisco
CSIRT
Your
fields
don’t
match?
Good
luck
crea6ng
inves6ga6ve
queries

42. 42

43. 43
Free.
Supported.
Fully
documented.

44. 44
CIM
Compliant!

45. Risk
Analysis

46. 46
What
To
Do
First?
● Risk
provides
context
● Risk
helps
direct
analysts
“Risk
Analysis
is
my
favorite
dashboard
for
my
SOC
analysts!”

47. 47
47
Under
Advanced
Threat
click
“Risk
Analysis”

48. 48
48
KSIs
specific
to
risk
System,
User,
or
Other
SCROLL

49. 49
49
The
source
of
risk
score
The
score
per
object
The
details

50. 50
50
Risk
comes
from
correlaIon
searches
or
from
ad-­‐hoc

51. Threat
Intelligence

52. 52
52
Ayack
Map
The
Challenge:
• Industry
says
Threat
Intel
is
key
to
APT
ProtecIon
• Management
wants
all
threat
intel
checked
against
every
system,
constantly
• Don’t
forget
to
keep
your
15+
threat
feeds
updated
The
SoluIon:

53. 53
Verizon
2015
DBIR
“”…the
percentage
of
indicators
unique
to
only
one
(outbound
desInaIon)
feed…is
north
of
97%
for
the
feeds
we
have
sampled…”
Threat
list
aggrega6on
=
more
complete
intelligence

54. 54
54
Under
Advanced
Threat
click
“Threat
Ac6vity”

55. 55
55
SCROLL
KSIs
specific
to
threat

56. 56
56
Threat
categories
Threat
specifics

57. 57
57
We
know
about
this.
Let
me
tell
you
the
fix.

58. 58
58
Checkbox
any
line
in
the
“Threat
Ac6vity
Details”

59. 59
59
Click
“Advanced
Filter”

60. 60
60
Click
“Save”
Done
on
each
dashboard
with
a
yellow
triangle,
this
will
fix
ANY
dash
with
“ppf”
error.

61. 61
61
Click
Configure,
“Data
Enrichment”
and
then
“Threat
Intelligence
Downloads”

62. 62
62
Various
community
threat
lists
Local
ones
too
TAXII
support

63. 63
63
Click
“Malware
Domains”

64. 64
64
Various
community
threat
lists
Local
ones
too
TAXII
support
Weight
used
for
risk
scoring
Interval
SCROLL
for
addi6onal
config

65. 65
65
Various
community
threat
lists
Local
ones
too
TAXII
support
Hit
“back”
buAon
twice

66. 66
66
Click
“Threat
Intelligence
Audit”
under
Audit

67. 67
67
Status
of
downloads
Details
including
errors

68. 68
68
Click
“Threat
Ar6facts”
under
Advanced
Threat

69. 69
69
STIX/TAXII
feed
Browse
through
the
tabs…

70. More
Advanced
Threat

71. 71
71
STIX/TAXII
feed
Browse
through
the
tabs…
Inves6gate
on
your
own
6me:
Advanced
Threat
capabili6es
worth
your
while…and
all
areas
under
Security
Domains

72. AddiIonal
Reports

73. 73
Auditors
/
Management
/
Compliance
Says…
● Can
you
show
me
<Typical
Report>?
● ReporIng
is
easy
in
Splunk
● But
we
have
more
than
300
standard
reports
too

74. 74
Click
“Reports”
under
Search

75. 75
Almost
330
reports
to
use/customize

76. Incident
Response
Workflow

77. 77
Click
“High
or
Cri6cal
Priority
Host
with
Malware
Detected”

78. 78
Checkbox
Select
the
first
event
Highly
filterable
and
tag-­‐able

79. 79
Click
“Edit
All
Selected”

80. 80
Fill
out
Status/Owner/
Comment,
Click
Save
Would
contain
all
of
your
users

81. 81
Confirm
that
event
updates
Click
“>”
under
Ac6ons
to
see
what
you
can
do
with
the
event

82. 82
Click
“>”
to
view
more
details
on
the
event

83. 83
Last
comment
and
link
to
review
all
acIvity
Every
field
“pivot-­‐able”

84. 84
AutomaIc
ayribuIon
for
asset
data

85. 85
Pivot
internally
within
ES,
or
externally.
Customizable.
Drill
to
Asset
Inves6gator

86. 86
Asset
data
Customizable
Swimlanes
Selectable
Time

87. 87
Hold
down
CTRL
or
CMD
and
click
mul6ple
bars
aligned
ver6cally

88. 88
Summarized
info
from
“candlesIcks”
selected
Drill
to
search,
make
a
notable
event,
share
a
link

89. 89
Select
one
or
two
red
“Malware
AAacks”
bars

90. 90
Drill
to
search

91. 91
Raw
log
data
in
the
Search
interface
is
only
a
click
away.

92. 92
“Browser
Tab”
back
to
Incident
Review

93. 93
Edit
the
event
again
and
add
some
more
comments…

94. 94
Feel
free
to
add
whatever
you
wish
here…click
save

95. 95
View
the
review
ac6vity
for
the
event

96. 96

97. 97
Click
on
“Incident
Review
Audit”
under
Audit
Many
aspects
of
ES
are
audited
within
the
product

98. 98
More
users
will
make
this
more
interesIng…

99. 99
Click
on
Iden6ty
Inves6gator

100. 10
0
Type
“htrapper”
in
search
and
click
search
Set
to
“Last
24
hours”
2
1

101. 10
1
InformaIon
about
this
idenIty

102. Lookups

103. 10
3
Select
“Data
Enrichment”,
“Lists
and
Lookups”
under
Configure

104. 10
4
Many
lookups
to
provide
addiIonal
context
to
your
data

105. 10
5
Click
on
“Demonstra6on
Iden66es”

106. 10
6
We
want
to
add
“naughtyuser”
to
this
list
because
it
is
showing
up
in
our
data.
SCROLL

107. 10
7
Select
last
row,
right
click,
and
choose
“Insert
row
below.”
Add
whatever
you
want,
but
make
sure
the
first
column
says
“naughtyuser”
When
done
click
save
Extra
credit:
Check
your
work
in
IdenIty
Center
2
1

108. 10
8
Ayack
&
InvesIgaIon
Timeline
–
New
to
4.0
Methods
to
add
contents
into
Imeline
:
Action History
Actions :
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event
Suppressed
Investigator Memo
Memo :
- Investigator’s memos
inserted in desired timeline
Incident Review
Incident :
- Notable events from
Incident Review
Analyst /
Investigator

109. 10
9
Next
Steps…
Play
in
your
ES
Sandbox
for
15
days
Explore
some
of
the
areas
we
didn’t
get
to
cover
today
Ask
quesIons
of
your
account
team
An
ES
4.0
sandbox
should
be
available
soon,
help
yourself
to
another
sandbox
to
see
the
new
features
A
two
hour
version
of
this
talk
is
available
at
conf.splunk.com
10