© 2019 SPLUNK INC.
Accelerate Incident Response Using Orchestration and Automation
Andreas Buis – Senior Sales Engineer
26.03.2019
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
ANDREAS BUIS
Senior Sales Engineer
Security Operations Practices Need to Change
► Incident Response: too many alerts, not enough insights
► Tools: too many, no integration
► Skills: attracting, training, retaining
► Scale: orchestration & automation, horizontal & vertical
Incident Response Challenge
Incident Response Takes Significant Time
Source: SANS 2017 Incident Response Survey
[Chart: time from compromise to detection, time from detection to containment, time from containment to remediation. Values legible on the slide: 1–3 months; 2–7 days]
Where Does Your Time Go?
When working an incident, which phase generally takes the
longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.
Time-to-Contain + Time-to-Remediate = 86%
(same question from the EMA 2016 "Day in the life of a security professional" survey as above)
Tools
Poll #1: How many security tools and technologies does your company use?
< 10 | 10–25 | 26–50 | 51–75+
Tools and Technologies Galore
TOO MANY TOOLS: on average, organizations are using between 25 and 30 different security technologies and services.
Source: Cybersecurity Analytics and Operations in Transition, ESG, 2017
Skills and Scale: Orchestration and Automation
Orchestration vs. Automation
Orchestration
► Security orchestration is the machine-based coordination of security actions across tools and technologies.
► Brings together and integrates different technologies and tools.
► Provides the ability to coordinate informed decision making and to formalize and automate responsive actions.
Automation
► Security automation is the machine-based execution of security actions.
► The focus is on making machines do task-oriented "human work".
► Improves repetitive work, with high confidence in the outcome.
► Lets a single "playbook" chain many individual tasks, potentially across several tools.
Poll #2: Do you use Security Orchestration, Automation and Response (SOAR)?
[Figure: SOAR as the "maestro". One playbook coordinates app actions across many apps, one app per integrated tool.]
Automation & Orchestration Adoption Growing
Source: Cybersecurity Analytics and Operations in Transition, ESG, 2017
Security Nerve Center Overview
Security Nerve Center
[Figure: analytics and orchestration at the center of an OODA loop (Observe, Orient, Decide, Act), fed by the security domains: network, threat intelligence, mobile, endpoints, identity and access, cloud security, WAF and app security, web proxy, firewall.]
Splunk Security Portfolio
[Figure: three layers. Data: Platform for Machine Data. Analytics. Operations.]
Adaptive Operations Framework
Partner ecosystem enables the Security Nerve Center
Mission: Deeply integrate with the best security technologies to improve cyber defenses and maximize operational efficiency.
Approach: Gather, analyze, share, and take action using end-to-end context across multiple security domains.
[Figure: security domains (network, threat intelligence, endpoints, identity and access, cloud security, WAF and app security, web proxy, firewall) integrated through two layers]
► Data / Analytics: Splunkbase Apps & Add-Ons; Splunk Enterprise Security Adaptive Response Actions
► Operations: Splunk Phantom Apps & Playbooks
240+ integrations / 1,200+ APIs
Phantom: Security Operations
Operationalizing Security With Phantom
Integrate your team, processes, and tools together.
Work smarter by automating repetitive tasks, allowing analysts to focus on more mission-critical tasks.
Respond faster and reduce dwell times with automated detection, investigation, and response.
Strengthen defenses by integrating your existing security infrastructure so that each part is an active participant.
Automation
Automate repetitive tasks to force-multiply team efforts.
Execute automated actions in seconds versus hours.
Pre-fetch intelligence to support decision making.
Orchestration
Coordinate complex workflows across your SOC.
200+ apps & growing; 1,000+ APIs
Case Management
Create case templates that replicate your SOPs.
Manage your response to threats with precision.
Embed automation within a case task.
A Phantom Case Study: Automated Malware Investigation
How it works
[Figure: an email alert triggers a playbook whose steps are: query recipients, user profile, hunt file (on endpoints), file reputation, file assessment (sandbox, with Splunk), then run playbook "Remediate".]
"Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more."
Adam Fletcher, CISO
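The orchestration-versus-automation distinction from the earlier slide and the malware-email investigation flow in this case study, worked through as an added example. This is not Phantom code and not from the presentation: the playbook engine, the Container class, the tool adapters and all data (attachment bytes, threat-intel verdicts, sandbox verdicts, EDR inventory, directory entries, hostnames, user names) are constructed assumptions so the code runs offline. It adds the gate a practitioner wants in such a playbook: read-only enrichment runs unattended, the destructive "remediate" branch runs only on corroborated evidence, anything ambiguous is escalated to a human, and cases touching a VIP recipient wait for explicit approval.

```python
"""Added example (not Phantom code, not from the presentation): a minimal
SOAR-style engine running the automated malware-email investigation.
All names and data below are constructed assumptions."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample attachments (inert byte strings, not real malware).
EVIL_ATTACHMENT = b"MZ\x90\x00constructed-sample-not-a-real-binary"
BENIGN_ATTACHMENT = b"%PDF-1.4 constructed quarterly report"
EVIL_HASH = hashlib.sha256(EVIL_ATTACHMENT).hexdigest()
BENIGN_HASH = hashlib.sha256(BENIGN_ATTACHMENT).hexdigest()

# Constructed stand-ins for the integrated tools (threat intel, sandbox, EDR,
# directory). A real deployment would call each tool's API at these points.
THREAT_INTEL = {EVIL_HASH: ("malicious", 95)}             # sha256 -> (verdict, confidence)
SANDBOX = {EVIL_HASH: "malicious", BENIGN_HASH: "clean"}   # sha256 -> detonation verdict
EDR_INVENTORY = {"ws-0142": {EVIL_HASH}, "ws-0377": {EVIL_HASH}, "ws-0900": set()}
DIRECTORY = {"alice": {"dept": "finance", "vip": False}, "ceo": {"dept": "exec", "vip": True}}


@dataclass
class Container:
    """One event being worked: alert artifacts, enrichment results, audit trail."""
    artifacts: dict
    results: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    status: str = "new"


# App actions: each wraps one tool and only reads from / writes to the container.
def query_recipients(c):
    c.results["recipients"] = list(c.artifacts["recipients"])

def user_profile(c):
    c.results["profiles"] = {u: DIRECTORY.get(u, {}) for u in c.results["recipients"]}

def hunt_file(c):
    h = c.artifacts["sha256"]
    c.results["hosts_with_file"] = sorted(host for host, seen in EDR_INVENTORY.items() if h in seen)

def file_reputation(c):
    c.results["reputation"] = THREAT_INTEL.get(c.artifacts["sha256"], ("unknown", 0))

def file_assessment(c):
    c.results["sandbox"] = SANDBOX.get(c.artifacts["sha256"], "unknown")

def remediate(c):
    """Destructive actions; only reached after decide() returned 'remediate'."""
    for host in c.results["hosts_with_file"]:
        c.actions.append(("quarantine_host", host))
    c.actions.append(("block_hash", c.artifacts["sha256"]))
    for user in c.results["recipients"]:
        c.actions.append(("delete_email", user))


def decide(c):
    """Remediate only on corroborated evidence; escalate anything ambiguous."""
    verdict, confidence = c.results["reputation"]
    sandbox = c.results["sandbox"]
    if sandbox == "malicious" and verdict == "malicious" and confidence >= 80:
        return "remediate"
    if sandbox == "clean" and verdict != "malicious":
        return "close"
    return "escalate"


INVESTIGATE = [query_recipients, user_profile, hunt_file, file_reputation, file_assessment]

def run_playbook(alert, approve_destructive=False):
    """Orchestration: run the read-only enrichment steps unattended, then gate
    the destructive branch on the decision and, for VIP recipients, on approval."""
    c = Container(artifacts=dict(alert))
    c.artifacts["sha256"] = hashlib.sha256(c.artifacts["attachment"]).hexdigest()
    for step in INVESTIGATE:
        step(c)
        c.actions.append((step.__name__, "ok"))   # audit trail of every action run
    decision = decide(c)
    vip_involved = any(p.get("vip") for p in c.results["profiles"].values())
    if decision == "remediate" and vip_involved and not approve_destructive:
        c.status = "awaiting_approval"            # human in the loop for high-impact cases
    elif decision == "remediate":
        remediate(c)
        c.status = "remediated"
    elif decision == "close":
        c.status = "closed"
    else:
        c.status = "escalated"
    return c


# Constructed alerts in the shape a mail gateway might hand over.
EVIL_ALERT = {"subject": "Invoice overdue", "recipients": ["alice"], "attachment": EVIL_ATTACHMENT}
VIP_ALERT = {"subject": "Urgent", "recipients": ["ceo", "alice"], "attachment": EVIL_ATTACHMENT}
BENIGN_ALERT = {"subject": "Q1 report", "recipients": ["alice"], "attachment": BENIGN_ATTACHMENT}

if __name__ == "__main__":
    for name, alert in [("evil", EVIL_ALERT), ("vip", VIP_ALERT), ("benign", BENIGN_ALERT)]:
        c = run_playbook(alert)
        print(name, c.status, [a for a in c.actions if a[1] != "ok"])
```

The split between the five read-only steps and the single destructive step is the point: the enrichment is what takes an analyst 30 minutes by hand and is safe to run on every alert, while the remediation is what can take a finance workstation offline on a false positive, so it runs only when two independent sources agree and, for sensitive recipients, after a person has looked at the container. Real Phantom playbooks have the same shape, with each step a call into a configured app rather than a dictionary lookup.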
DEMO
Key Takeaways
Splunk offers options to accelerate incident response with orchestration and automation:
1. Use Phantom with Splunk or Splunk Enterprise Security to accelerate incident investigation and response.
2. Use the Adaptive Operations Framework to realize your security nerve center.
3. Splunk offers market-proven, comprehensive solutions for incident response.
4. Use them with all security domains and related IT domains to solve incident response use cases and more.
Phantom 4 Rookies - Workshop
► Hands-on workshop
► 4.5 hours
► You will have your own Phantom AWS instance
abuis@splunk.com
Get More Information Here at the SplunkZone
München Area User Group – Connect with Local Splunkers
Check the website for upcoming events: https://usergroups.splunk.com/
© 2019 SPLUNK INC.
Thank You.

Splunk Incident Response, Orchestration and Automation
