Angelo brancato shares his presentation at Splunk Forum Frankfurt on building SOC with Splunk

1. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
NOVEMBER 15 | FRANKFURT

2. © 2017 SPLUNK INC.
Aufbau eines SOC mit Splunk
Angelo Brancato | CISSP, CISM, CCSK
NOVEMBER 15 | FRANKFURT

3. © 2017 SPLUNK INC.
Splunk for SOCs

4. © 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

5. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business

6. © 2017 SPLUNK INC.
http://www.informationisbeautiful.net
https://www.splunk.com/en_us/solutions/solution-areas/
security-and-fraud/the-state-of-security-operations.html
IDC Security Response Readiness
- Risk unknown
- In denial of breach
- No Incident
Response (IR) plans
- Ad-Hoc / Reactive
- Limited resources
- Custom tools
- Basic alarming
- IR on roadmap
- Limited resources
- Risk understood
- SIEM in place
- Basic playbooks
- Some integrations
- Internal & external
resourcing
- Assume breached
- Formal playbooks
- Formal and (annually)
tested IR plan
- Panel of specialists
- Proactive threat hunting
- Continuous improvement
- IR plans tested regularly (agile)
- Holistic security view
- Forensic investigation and
legal agreement to share IR data
- Integration and Automation
- Internal and external resources
2

7. © 2017 SPLUNK INC.
http://www.informationisbeautiful.net
Investigation
How Splunk can
help:
Right decision, at the
right time
Visibility
Automation
Threat Hunting
Situational Awareness
Risk Scoring
SOC Run Books
Adaptive Response
Business
Enablement
https://www.splunk.com/en_us/solutions/solution-areas/
security-and-fraud/the-state-of-security-operations.html
IDC Security Response Readiness
2

8. © 2017 SPLUNK INC.
http://www.informationisbeautiful.net
Hunting
How Splunk can
help:
Right decision, at the
right time
Visibility
Automation
Business
Enablement
Risk Scoring
Situational Awareness
Investigation
SOC Playbooks
Adaptive Response
https://www.splunk.com/en_us/solutions/solution-areas/
security-and-fraud/the-state-of-security-operations.html
IDC Security Response Readiness

9. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business

10. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
IR
KPI
Data
Source
Business
Context/Risk
Security
Context
Playbooks
IR: Incident Response
KPI: Key Performance Indicator or also KSI: Key Security Indicator

11. © 2017 SPLUNK INC.
How Splunk can
help
…with Analytics-Driven
Security

12. © 2017 SPLUNK INC.
Avoid the “Medienbruch”
Drawing from independent.co.uk, modified

13. © 2017 SPLUNK INC.
D I F F E R E N T
People
A S K I N G D I F F E R E N T
Questions
O F T H E
Same Data
Enterprise Machine Data Fabric
Business
Analytics
IT
Operations
Security
Operations
Application
Development &
Delivery
Internet of Things
Splunk

14. © 2017 SPLUNK INC.
Structured
RDBMS
SQL Search
Schema at Write Schema at Read
Traditional Splunk
Splunk Approach to Machine Data
Copyright © 2014 Splunk Inc.
ETL
Universal
Indexing
Volume Velocity Variety
Unstructured

15. © 2017 SPLUNK INC.
SOC Playbooks
Splunk for the SOC - Overview
Machine
Data
Monitor Detect Investigate Respond
Schema-On-Read
Adaptive Response
Enterprise
On-Premise, Cloud, Hybrid
Universal Indexing
Tier 1 - Alert Analyst
Notable Event Triage
Tier 2 - Incident Responder
Tier 3 - SME / Hunter
Process
People
Technology
Enterprise Security
Business
Business Functions
SOC
1.
2.
3.
i.e.
i.e. calculate command length standard deviation - stdev

16. © 2017 SPLUNK INC.
SOC Playbooks
Splunk for the SOC - Overview
Machine
Data
Monitor Detect Investigate Respond
Schema-On-Read
Adaptive Response
Enterprise
On-Premise, Cloud, Hybrid
Universal Indexing
Tier 1 - Alert Analyst
Notable Event Triage
Tier 2 - Incident Responder
Tier 3 - SME / Hunter
Process
People
Technology
http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html
Business
Business Functions
SOC
Enterprise Security

17. © 2017 SPLUNK INC.
IT Operations
Application Delivery
Industrial Data & IoT
Business Analytics, Future Markets
IT Security, Compliance & Fraud
Different People ask Different Questions of the
same Data
Monitor Detect Investigate Respond
Enterprise
On-Premise, Cloud, Hybrid
Machine
Data
Different people
asking
different questions…
…of the same data.
Enterprise Security, ITSI (Premium Apps)

18. © 2017 SPLUNK INC.
Avoid the “Medienbruch”
Drawing from independent.co.uk, modified

19. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
Data
Source
Business
Context/Risk
IR
KPI
Security
Context
Data Monitor Detect Investigate Respond

20. © 2017 SPLUNK INC.
Splunk for the SOC – Product Mapping
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security
Context
Security Analytics
Business
Context/Risk
Visualization & Reporting
Incident Response
IR
KPI

21. © 2017 SPLUNK INC.
Enterprise
Developer Platform (REST API, SDKs)
Splunk App for
PCI Compliance
Machine Learning
Toolkit
CIS Top 20
Critical Security Controls
Add-Ons
Stream
Human-driven and Supervised ML-driven Analytics Unsupervised ML-driven AnalyticsAnalytics Driven SIEM
On-Premise, Cloud, Hybrid
Analytics-Driven Security
Security
Essentials Family
Ransomware
Anti-Fraud
etc.
DGA
App
AWS
Some App suggestions:

22. © 2017 SPLUNK INC.
Splunk for the SOC – Product Mapping
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security
Context
Security Analytics
Business
Context/Risk
Visualization & Reporting
Incident Response
IR
KPI

23. © 2017 SPLUNK INC.
“Most mature SIEM users report
that their most valuable use cases
were site-specific, custom or at
least heavily customised”
– Anton Chuvakin, Research VP Gartner
http://blogs.gartner.com/anton-chuvakin/2015/12/02/starting-a-siem-project-from-vendor-use-case-content-win-or-fail/

24. © 2017 SPLUNK INC.
Hunter Use Cases
On Demand APT
Scanning
SSL certificate
analytics
User Agent String
analytics
Some Security Use Case Examples
Security Analyst Use Cases
Privileged user
monitoring
Botnet Detection Fraud detection in E-
Payment
Unauthorized Service
Monitoring
Identify Patient-Zero Vulnerability
Management Posture
Fraud detection
Online Banking
Update Monitoring
Detecting Zero Day
Attacks
Threat Intelligence
Correlation
Fraud detection in
proper service usage
Website defacement
Detect and Stop Data
Exfiltration
User Account Sharing Defense in depth
investigations
Spam to external
Phishing Attacks Incident Investigation
across team’s
Give team’s the
visibility they need
SQL Injections Dynamic Risk and
Pattern Management
Monitoring of expired
user accounts
CISO Use Cases
In the news! Information Driven
Security
Compliance reporting Centralized
Situational
Awareness

25. © 2017 SPLUNK INC.
SOC Use Case Design

26. © 2017 SPLUNK INC.
Questions:
• Where and how are my service accounts
used?
• Does someone use default user accounts?
• Do privileged users work under their admin
account?
• Do privileged users logon to end user
workstations?
• “Keys to the kingdom”
Key Data Sources:
Active Directory, Radius, LDAP, IM Logs, SSO
solutions, CyberArk, PowerBroker, Centrify, etc
Privileged User
Monitoring

27. © 2017 SPLUNK INC.
Use Case Design – Privileged
User Monitoring (PUM)
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security Analytics
Business
Context/Risk
Visualization & Reporting
IncidentResponse
IR
KPI
Security
Context
Function Description
/ ES Out-Of-The-Box content
Data Sources Active Directory
Radius
LDAP
IM* logs
etc.
Assets Servers
Hosts
Networks
Files, Databases
User Accounts
User Groups
Infrastructure
Locations, etc.
Audit/GRC (Business) Risk Compliance
Threat Intel. -
Security Analytics CS*- Default Account Activity detected
CS - Brute Force Access behavior
CS - Excessive Failed Login
CS - Concurrent Login detected
CS - Geographically Improbable Access Detected
CS - High or Critical Priority Individual Logging into
Infected Machine
Incident Response Firewall: Quarantine Host
Ticket System: Open Ticket
Visualization &
Reporting
D*– Access – All Dashboards (6)
D – Identity – All Dashboards (3)
D – User Intelligence – All Dashboards (5)
Glass Tables
KSI*: Authorized privileged user access
KSI: Blocked privileged user access
Attackers are increasingly using privileged user credentials to
access corporate resources, sensitive information and exfiltrate
sensitive data. Privileged user accounts are accounts with
elevated privileges, such as users with Domain Administrator
rights or root privileges. Effective privileged user monitoring
(PUM) helps organizations to protect critical assets, meet
compliance requirements and mitigate both external threats and
insider threats.
CS: Correlation Search IM: Identity Management
D: Dashboard KSI: Key Security Indicator

28. © 2017 SPLUNK INC.
ENTERPRISE SECURITY CONTENT UPDATEhttps://splunkbase.splunk.com/app/3449/
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security Analytics
Business
Context/Risk
Visualization & Reporting
Incident Response
IR
KPI
Security
Context
RESEARCH
DRIVEN
ANALYTIC STORIES
HIGH-FREQUENCY
UPDATES

29. © 2017 SPLUNK INC.
Prove GDPR
Security Controls
are enforced
Detect, Prevent
and Investigate
Data Breaches
Search and Report
on Personal Data
Processing
Splunk for GDPR
Threat Detection /
Breach Avoidance
Comply with Data Impact Assessments
Comply with new data subject rights
+
Minimize Risk of Fines
Minimize Risk of Reputation Damage
Competitive Advantage!

30. © 2017 SPLUNK INC.
Prove GDPR
Security Controls
are enforced
Detect, Prevent
and Investigate
Data Breaches
Search and Report
on Personal Data
Processing
Splunk for GDPR

31. © 2017 SPLUNK INC.
Splunk for GDPR
Detect, Prevent
and Investigate
Data Breaches The Forrester Wave:
Security Analytics Platforms, Q1 2017Gartner MQ for SIEM, Aug. 2016
Article 33 - Notification of a personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject
Data Breach
Notification
DetectMonitor Investigate Respond
SECURITY
WORKFLOW
SUPPORT
Notable Events
EVENT
CORRELATIONS
Search
Management
SECURITY
ENRICHED
CONTEXT
Asset, Identity,
Others
THREAT
INTELLIGENCE
Threat Info
Management
RISK BASED
ANALYTICS
Risk Scoring
Framework
OUT-OF-BOX
SECURITY
CONTENTS
Views, Reports,
Rules
Collect Store Ad hoc Search Analyze Report

32. © 2017 SPLUNK INC.
Prove GDPR
Security Controls
are enforced
Detect, Prevent
and Investigate
Data Breaches
Search and Report
on Personal Data
Processing
Splunk for GDPR

33. © 2017 SPLUNK INC.
Splunk for GDPR
Prove GDPR
Security Controls
are enforced
Article 32 - Security of processing
Article 58 - Supervisory Investigative Powers
Risk
Minimization
Report
Compliance
DPIA

34. © 2017 SPLUNK INC.
Prove GDPR
Security Controls
are enforced
Detect, Prevent
and Investigate
Data Breaches
Search and Report
on Personal Data
Processing
Splunk for GDPR

35. © 2017 SPLUNK INC.
Splunk for GDPR
Search and Report
on Personal Data
Processing
Article 30 - Records of Processing Activity
Article 5, 15, 17, 18 and 28 - Data Subject Rights
Supply chain
Obligations
Right to be
Forgotten
Right of
rectification
Right of access
Right of data
portability
…

36. © 2017 SPLUNK INC.
Visibility Across the Ops Environment
API
SDKs UI
Server,
Storage. N/W
Server
Virtualization
Operating
Systems
Mobile
Applications
Cloud Services
Other Tools
Ticketing/Help
Desk
No rigid schemas – add in data from any other source.
Custom
Applications
API Services
Infrastructure
Applications
Example Data Sources…
On-Premise, Cloud, Hybrid | Analytics for Hadoop

37. © 2017 SPLUNK INC.
Visibility Across the Security Environment
API
SDKs UI
Firewalling IDS/IPS
Vulnerability
Management
DLP
Threat
Intelligence
NBAD
Other Tools
Ticketing/Help
Desk
Proxy / Users
Malware /
Endpoint
proofpoint
Qualys
PAN
ThreatConnect
VectraNetworks
Anomali FireEye
CBlack
Phantom Recorded Future
Example Data Sources…
Bro
TippingPoint
FirePower
Rapid7
On-Premise, Cloud, Hybrid | Analytics for Hadoop
No rigid schemas – add in data from any other source.

38. © 2017 SPLUNK INC.
Visibility Across the Dev Lifecycle
API
SDKs UI
Other Tools
Escalation/
Collaboration
Plan Code Build Test/QA Stage Release MonitorConfig
Example Data Source…
On-Premise, Cloud, Hybrid | Analytics for Hadoop
No rigid schemas – add in data from any other source.

39. © 2017 SPLUNK INC.
Visibility and Enforcement for GDPR
API
SDKs UI
Report Compliance
Detect, Prevent
and Investigate
Data Breaches
Example Data Sources…
On-Premise, Cloud, Hybrid
No rigid schemas – add in data from any other source.
Protect
…
Classify
SDM/ControlPoint
…
Find
Trust Center
…
Prove GDPR
Security Controls
are enforced
Search and Report
on Personal Data
Processing
Govern
Content Manager
…
Securiity
IT-Ops
Cloud
IoT
…

40. © 2017 SPLUNK INC.
Prove GDPR
Security Controls
are enforced
Detect, Prevent
and Investigate
Data Breaches
Search and Report
on Personal Data
Processing
Splunk for GDPR

41. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
THANK YOU

42. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
NOVEMBER 15 | FRANKFURT

43. © 2017 SPLUNK INC.
Splunk CIS* Top 20 (Best Practice) Critical Controls
https://www.cisecurity.org/controls/
https://splunkbase.splunk.com/app/3064/
CIS Top 20 controls improve risk posture
against real-world threats
The control areas grew out of an
international consortium
Splunk can monitor PCI compliance and
generate Alerts for non-compliance
In case of non-compliance Splunk can carry
out recommended actions
40+ Dashboards
Splunk CIS Top 20
Critical Security Controls
*CIS: Center of Internet Control https://www.cisecurity.org/controls/

44. © 2017 SPLUNK INC.
Splunk CIS* Top 20 (Best Practice) Critical Controlshttps://splunkbase.splunk.com/app/3064/
Splunk CIS Top 20
Critical Security Controls

45. © 2017 SPLUNK INC.
Security Essentials
50+ use cases (common in UEBA products)
Target external attackers and insider threat
Scales from small to massive companies
Can sends results to ES/UBA
https://splunkbase.splunk.com/app/3435/
Security Essentials
Detection Methods
Time series analysis
(with standard deviation)
First time analysis
(powered by stats)
General Splunk
searches

46. © 2017 SPLUNK INC.
Security Essentials for Ransomware
https://splunkbase.splunk.com/app/3593/
Detect Journal Clearing
Detect Lateral Movement With WMI
Detect Log Clearing With wevtutil
Fake Windows Processes
Malicious Command Line Executions
Monitor AutoRun Registry Keys
Monitor Successful Backups
Monitor Successful Windows Updates
Monitor Unsuccessful Backups
Monitor Unsuccessful Windows Updates
Ransomware Extensions
Ransomware Note Files
Ransomware Vulnerabilities
SMB Traffic Allowed
Spike in SMB Traffic
TOR Traffic
Windows Event Log Clearing Events
Office Spawns Unusual Process
Detection via Statistical Analysis
Detection via Windows Registry
Detection via Shannon Entropy
Detection via Fake Windows Processes
Detection via File Encryption Events
Detection via DNS Traffic
Detection via Sysmon Logs
Detection via Firewall Logs
Detection via IDS Events
Detection via Network Activity
Detection via SMB Events
Detection via Deletion of Shadow
Copies
Forensics via log2timeline
Prevention via Lag Detection
Prevention via Vulnerability
Management
Prevention via Backup Activity
Prevention via Automated File Analysis
Security Essentials
for Ransomware
17 Use Case Suggestions Detection Methods

47. © 2017 SPLUNK INC.
Security Essentials for Fraud Detection
https://splunkbase.splunk.com/app/3693/
Detection Methods
Security Essentials
for Fraud Detection
Machine Learning
First Seen
Adaptive Thresholds

48. © 2017 SPLUNK INC.
Cyber Security Investigator
https://splunkbase.splunk.com/app/3361/
traffic today compared to normal
Email traffic compared to normal
What are the count of windows related alerts over the last
week?
Hourly traffic to China
Which accounts were recently deleted?
Top accounts with failed logins
Show me traffic for app dns
Show me the systems where user ghost exists
How does traffic look during non-business hours compared
to during business hours?
Event count over time by top 10 hosts
What's the average number of vulnerabilities across all of
our systems
Graph the hourly max response time of web requests
Malware signatures on more than 10 distinct hosts
Websites with the most bytes
…
i.e.
Insight Engines
Cyber Security Investigator
for Splunk

49. © 2017 SPLUNK INC.
Splunk Premium App for PCI Compliance
https://splunkbase.splunk.com/app/2897/
Compliance Overview
Incident Review and Management Asset and Identity Aware
Scorecards and Reports
Measures effectiveness and status of
PCI compliance technical controls
Meets PCI requirements around log
retention/review, and continuous
monitoring
Fast ability to get to cause of non-
compliance or answer auditor data
requests
Covers up to PCI DSS v3.1 standards
Splunk App for
PCI Compliance

50. © 2017 SPLUNK INC.
Security Stream
https://splunkbase.splunk.com/app/1809/
Metadata Collection
Live Interface Collection Option
Commercial App Detection (300+)
NetFlow Collector
Aggregation Mode
Filtering at Endpoint
Out-of-Box Content
Distributed Forwarder Mgt
1GbE and 10GbE link options
Get visibility into
applications
performance and user
experience
Understand database
activity and
performance without
impacting database
operation
Improve security and
application
intelligence with DNS
analytics
Splunk Stream
Layer Examples
7. Application HTTP, SMTP
6. Presentation TLS
5. Session SCP
4. Transport TCP, UDP
3. Network IPv4, IPv6
2. Data Link Ethernet
1. Physical Ethernet, WiFi
Deployment:
• Out-of-band (stub) with tap or SPAN port
• In-line directly on monitored host
Collection:
• Technical Add-On (TA) with Splunk
Universal Forwarder (UF)
• Independent Stream Forwarder
using HTTP Event Collector (HEC)
Any Linux Host Splunk
Indexers
TLS/HEC
Splunk
Indexers
Splunk
Forwarder
TLS

51. © 2017 SPLUNK INC.
AWS App
https://splunkbase.splunk.com/app/1274/
AWS
AWS CloudTrail
AWS Config
AWS Config Rules
AWS Billing
Amazon Inspector
Amazon RDS
Amazon CloudWatch
Amazon Kinesis
Amazon VPC Flow Logs
Amazon S3
Amazon EC2
Amazon CloudFront
Amazon EBS
Amazon ELB
Out-Of-The-Box Monitoring:

52. © 2017 SPLUNK INC.
MLT - Machine Learning Toolkit
Machine Learning
Toolkit
https://splunkbase.splunk.com/app/2890/
1 Get
• Collect Machine Data
• Splunk Universal
Indexing
2 Explore
• Feature Engineering
• Field to Predict?
• Field to use for Prediction?
4 Apply
• Publish / Deploy
• Apply Model on
Live Data
… | apply ”model"
Operationalize5
3 Fit
• Algorithm Selection
• Train & Test Model
• Online Learning
f(x)
… | fit ”algorithm"

53. © 2017 SPLUNK INC.
Splunk Machine Learning Toolkit (MLTK) – Free App
1. Get Splunk Enterprise splunk.com
3. Get the free MLTK App from splunkbase.splunk.com
2. Get Machine Data into Splunk

54. © 2017 SPLUNK INC.

55. © 2017 SPLUNK INC.
1 Get
2 Explore
3 Fit

56. © 2017 SPLUNK INC.
3 Fit

57. © 2017 SPLUNK INC.
4 Apply

58. © 2017 SPLUNK INC.
Machine Learning
Toolkit

59. © 2017 SPLUNK INC.
MLT – Applied: DGA Analyzer
This is an example a Splunk SE built
It uses the MLT to very reliably detect DGA
generated domain names
Machine Learning
Toolkit
https://splunkbase.splunk.com/app/2890/

60. © 2017 SPLUNK INC.
Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
60
Dashboards & Reports Incident Investigations
and Management
Statistical Outliers & Risk Scoring Asset & Identity Aware
• Correlation- and Notable Event
Framework
• Risk Scoring Framework
• OTB key Security Metrics,
Dashboards, Use Cases &
• Analytic Stories
• Incident Investigation workflow
• Adaptive Response
• Glass Tables,
• etc…
Detect, Investigate & Response

61. © 2017 SPLUNK INC.
WAF & App
Security
Orchestration
Network
Threat Intelligence
Internal Network
Security
Identity and Access
Endpoints
Firewall
Web Proxy
MONITORING
AUTOMATION:
Splunk Adaptive Response
Partnerships
Enterprise Security
▶ Adaptive Response

62. © 2017 SPLUNK INC.
▶ Automatically collect,
aggregate and de-duplicate
threat feeds from a broad
set of sources
▶ Support for STIX/TAXII,
OpenIOC, Facebook
▶ Build your own data to
create your own Threat Intel
▶ Out of the box Activity and
Artifact dashboards
Enterprise Security - Threat Intelligence
▶ Determine impact on
network, assets
▶ Use for analysis / IR
▶ Collect / provide
forensics
▶ Use to hunt / uncover
/ link events
▶ Share info with
partners
Law Enforcement
Feeds
ISAC
Feeds
Agency Feed
Commercial Service
Community Feed
Open-Source
Feed
Other Enrichment
Services

63. © 2017 SPLUNK INC.
Enterprise Security –
Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security metrics
within a logical or physical Glass Table view
• Improve response times with nested views to display what’s
important or relevant
• Optimize workflow with drill-down to the supporting criteria of the
metric
Custom visualizations that reflect workflows, topology, detect,
investigate and respond sequences with dashboards, summary
Views with relevant context to suit your needs

64. © 2017 SPLUNK INC.
Enterprise Security –
Glass Tables to Enhance Visual Analytics

65. © 2017 SPLUNK INC.
1 Get
• Collect Machine Data
• Splunk Universal
Indexing
2 Explore
• Feature Engineering
• Field to Predict?
• Field to use for Prediction?
4 Apply
• Publish / Deploy
• Apply Model on
Live Data
… | apply ”model"
Operationalize5
3 Fit
• Algorithm Selection
• Train & Test Model
• Online Learning
f(x)
… | fit ”algorithm"
Splunk UEBA does everything automatically for you!
Splunk User and Entity Behavior Analytics (UEBA)

66. © 2017 SPLUNK INC.
How Does Splunk UEBA Work?
48+ OTB* Anomaly
classifications and
Custom Anomalies
22+ OTB* Threat
Classifications
Machine
Learning
Suspicious Data
Movement
Unusual Machine
Access
Flight Risk User
Unusual Network
Activity
Machine Generated
Beacon
Machine
Learning
Lateral Movement
Suspicious Behavior
Compromised
Account
Data Exfiltration
Malware Activity
Application
logs
Network logs
Endpoint logs
Server logs
Identity logs
*OTB: Out-Of-The-Box, As of UBA 3.3
58+ OTB*
Algorithms
58+ OTB*
Algorithms