The document is a presentation by Rene Aguero on building an analytics-driven security operations center (SOC) using Splunk solutions. It discusses challenges with traditional SOCs, emerging trends like threat hunting and automation, and the key components of a SOC technology stack including log management, asset tracking, threat intelligence, and case management. It then outlines how Splunk solutions can help address these issues by providing a platform for centralized data collection, correlation with threat intelligence, and advanced analytics including machine learning.
Threat Hunting with Deceptive Defense and Splunk Enterprise Security (Satnam Singh)
Threat hunting has largely been the preserve of security experts surfacing unknown threats. It is a proactive approach in which the hunt starts from a hypothesis about a hidden threat that may already be present in the enterprise network. According to the 2017 SANS Institute survey on threat hunting, nearly 45% of organizations hunt on an ad hoc basis. Ad hoc hunting is ineffective and rarely yields enough results to cover its cost, and given the scarcity of security analysts it is an expensive process. Hunting is also typically performed as outlier detection over the data: for example, analysts find suspicious processes in Windows process logs by looking for outliers. The outlier detection can use simple box plots or control charts, or more sophisticated unsupervised machine learning techniques. However, the output of every outlier detection technique is a set of outliers/anomalies that still has to be audited and investigated by security analysts, which adds to the workload of an already overwhelmed team.
The fusion of data science and deceptive security offers a way to validate many alerts automatically, and therefore an automated approach to threat hunting. A deceptive defense system confirms an adversary's presence with close to zero false alarms when the adversary touches one of the deceptions, since a legitimate user has no reason to do so. The modern set of deceptions is a reincarnation of honeypots, honeytokens, honeynets and honey files that blends into the network and can change its configuration dynamically. When an adversary accesses a deception, it raises a positive confirmation of a threat. In this approach, existing alerts and contextual security events are combined with deception hits to rank the existing alerts, which removes much of the manual verification of security alerts.
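The two paragraphs above describe outlier detection over process logs and then re-ranking the resulting alerts by deception hits. The following is an added example of both steps together; it is not code from the talk or from Splunk. It uses a box-plot (Tukey fence) check on per-host process-launch volume and a rarity check on process images, then puts hosts that touched a decoy ahead of hosts that only have statistical anomalies. All hosts, images, counts and decoy names are constructed for the example.

```python
"""Outlier hunting on process logs, re-ranked by deception hits.

Added example for this page; it is not code from the talk. The inputs are
constructed: Windows process-creation events as (host, image) pairs and a
list of deception telemetry records as (host, decoy). Host names, images
and decoy names are made up.
"""
from collections import Counter, defaultdict
from statistics import quantiles

BASELINE_IMAGES = ["svchost.exe", "explorer.exe", "outlook.exe", "chrome.exe"]

# Constructed deception telemetry: hosts that touched a decoy credential or file.
DECEPTION_HITS = [
    ("WS-07", "honeytoken credential svc_backup used for logon"),
    ("WS-05", "honeyfile finance\\payroll_2017.xlsx opened"),
]


def build_process_events():
    """Constructed process-creation events.

    Seven workstations run a normal mix of four images; WS-07 spawns three
    times as many processes as its peers and also runs certutil.exe, and
    WS-03 runs wscript.exe, an image seen on no other host.
    """
    launches = {"WS-01": 30, "WS-02": 28, "WS-03": 32, "WS-04": 29,
                "WS-05": 31, "WS-06": 27, "WS-07": 95, "WS-08": 30}
    events = []
    for host, n in launches.items():
        for i in range(n):
            events.append((host, BASELINE_IMAGES[i % len(BASELINE_IMAGES)]))
    events[events.index(("WS-03", "chrome.exe"))] = ("WS-03", "wscript.exe")
    events.append(("WS-07", "certutil.exe"))
    return events


def volume_outliers(events, k=1.5):
    """Box-plot (Tukey fence) check on per-host launch counts.

    Hosts whose count exceeds Q3 + k*IQR are returned; this is the box-plot
    style detection the abstract mentions, applied to process volume.
    """
    per_host = Counter(host for host, _ in events)
    q1, _, q3 = quantiles(per_host.values(), n=4)
    fence = q3 + k * (q3 - q1)
    return {h: c for h, c in per_host.items() if c > fence}


def rare_images(events):
    """Images executed on exactly one host, keyed by that host."""
    hosts_by_image = defaultdict(set)
    for host, image in events:
        hosts_by_image[image].add(host)
    rare = defaultdict(list)
    for image, hosts in hosts_by_image.items():
        if len(hosts) == 1:
            rare[next(iter(hosts))].append(image)
    return dict(rare)


def rank_alerts(events, deception_hits):
    """Merge the outlier alerts per host and rank them by deception evidence.

    A host that touched a decoy is listed first whatever its anomaly count,
    because a decoy hit needs no baseline and a legitimate user has no reason
    to trigger one; hosts with only statistical anomalies follow, ordered by
    how many anomalies they have.
    """
    anomalies = defaultdict(list)
    for host, count in volume_outliers(events).items():
        anomalies[host].append(f"launch volume {count} above Tukey fence")
    for host, images in rare_images(events).items():
        anomalies[host].append("rare image(s): " + ", ".join(sorted(images)))
    decoys = defaultdict(list)
    for host, decoy in deception_hits:
        decoys[host].append(decoy)
        anomalies.setdefault(host, [])  # a decoy hit alone is still an alert
    order = sorted(anomalies, key=lambda h: (not decoys.get(h), -len(anomalies[h]), h))
    return [{"host": h, "confirmed_by_deception": bool(decoys.get(h)),
             "decoys": decoys.get(h, []), "anomalies": anomalies[h]}
            for h in order]


if __name__ == "__main__":
    for row in rank_alerts(build_process_events(), DECEPTION_HITS):
        print(row)
```

Run stand-alone it prints WS-07 first (decoy hit plus two anomalies), then WS-05 (decoy hit only) and last WS-03 (a rare image but nothing to confirm it), which is the triage order the abstract argues for: the statistical findings are still produced, but the analyst's time goes first to the hosts where a deception has already confirmed an intruder.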
The document discusses building a lean security operations center (SOC) at Travis Perkins Group. It describes challenges with their complex IT environment and the need for a flexible security information and event management (SIEM) solution. An initial "big bang" SIEM implementation was unsuccessful. The new approach takes an incremental, lean approach using Splunk Cloud to provide flexible alerting and meet multiple stakeholder needs. This has helped improve security incident response and provided benefits like reduced infrastructure management. Future plans include expanding the use of Splunk analytics and machine learning.
Build a Security Portfolio That Strengthens Your Security Posture (Splunk)
All data is security relevant – whether you are an IT or security professional, it is important to gain context into all your data to understand your environment, quickly hunt for and investigate potential threats in your environment, and take action to remediate.
- The Security Posture dashboard provides a near real-time overview of an organization's security posture by displaying notable security events.
- The analyst can pivot from this dashboard to the Incident Review dashboard to begin investigating critical notable events.
- Drilling into a notable event on the Incident Review dashboard provides important context about the event such as the affected systems, compliance data, and location to assist the analyst's investigation.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics, data sources for threat hunting, knowing your endpoint, and the cyber kill chain model. It provides an agenda that includes a hands-on walkthrough of an attack scenario using Splunk's core capabilities. It also covers advanced threat hunting techniques and tools, enterprise security walkthroughs, and applying machine learning and data science to security.
Learn how to use an Analytics-Driven SIEM for your Security Operations (Splunk)
Join our Security Experts and learn about our Analytics-Driven SIEM, Splunk Enterprise Security (ES), in a live, hands-on session. You will start with a hands-on tour of Splunk's award-winning SIEM, Splunk Enterprise Security, and come to understand its key frameworks and unique capabilities. Then you will work through hands-on exercises covering threat detection, incident investigation and rapid response, using data from a range of sources such as threat intelligence feeds, endpoint activity logs, e-mail logs and web logs. This session is a must for all security practitioners.
SplunkLive! London 2017 - Build a Security Portfolio That Strengthens Your Se... (Splunk)
All data is security relevant – whether you are an IT or security professional, it is important to gain context into all your data to understand your environment, quickly hunt for and investigate potential threats in your environment, and take action to remediate. In this session, you will learn how to:
- Leverage your data across silos with analytics-driven security
- Operationalise all relevant data to gain greater visibility of your environment and make more informed decisions
- Optimise incident response to more clearly understand an attack and the sequential relationship between events, so you can quickly determine the appropriate next steps
- Improve investigation and remediation times by automating decisions, or by using human-assisted decisions with full context from adaptive response
- Utilise Splunk User Behavior Analytics to verify privileged access and detect unusual activity by using UBA anomalies
SplunkLive! Paris 2017: Plenary Session - Splunk Overview (Splunk)
This document provides a summary of an event held by Splunk Inc. on May 23, 2017 in Paris. It recognizes clients who spoke at the event and sponsors. It highlights Splunk's leadership position in Gartner reports and as the market share leader in IDC reports. It discusses how data is everywhere across many industries and the value companies can realize from machine data through improved security, IT operations, business analytics and more.
Splunk for Enterprise Security and User Behavior Analytics (Splunk)
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
.conf2016: Splunking the Endpoint: “Hands on!” Ransomware Edition (Splunk)
Agenda:
- Ransomware overview
- How do we log in?
- Hands-On: Detection by watching the endpoints
- Hands-On: A diversion over to forensics
- Hands-On: Ideas for prevention
Ransomware detection, cybersecurity, data analytics and application.
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk (Splunk)
This document outlines an agenda and presentation for a Splunk workshop on reactive to proactive troubleshooting and monitoring. The agenda includes an introduction to Splunk for IT operations, hands-on IT operations exercises, an overview of relevant Splunk apps, an introduction to Splunk IT Service Intelligence, and customer stories. The presentation discusses how Splunk can help transform IT from reactive problem solving to proactive monitoring and operational intelligence. It highlights key Splunk capabilities like searching, monitoring, alerting and visualizing machine data from various sources to improve troubleshooting, uptime, and IT productivity.
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk (Splunk)
This document discusses using Splunk software to build a security operations center (SOC) and monitor for threats and compliance. It provides an overview of Splunk's capabilities for security analytics, incident response, and compliance reporting. Specific applications mentioned include monitoring privileged user access, detecting data breaches, and ensuring compliance with the GDPR. The presentation emphasizes how Splunk allows flexible data collection and analysis across IT operations, security, and other domains to gain visibility and protect sensitive data.
This document outlines an agenda for a training on threat hunting with Splunk. It discusses threat hunting basics and data sources for threat hunting including network, endpoint, threat intelligence and security information. It provides log in credentials for the hands-on portion and covers topics like the cyber kill chain framework, conducting searches on endpoint data with Sysmon, mapping network communications to processes, and walking through a demo attack scenario across multiple data sources.
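The training summary above mentions searching Sysmon endpoint data and mapping network communications to processes. The following is an added example of that join, not code from the training or from Splunk: it parses constructed events in the shape of Sysmon's XML (EventID 1 process create, EventID 3 network connect), joins them on ProcessGuid, and then applies one kill-chain style hunt hypothesis, an Office application spawning a script host that connects outbound. The hostname, GUIDs, paths and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
"""Map Sysmon network connections back to the process that made them.

Added example for this page, not code from the training. The events are
constructed in the shape of Sysmon's XML as Splunk's Sysmon add-on ingests
it (EventID 1 = process create, EventID 3 = network connect, joined on
ProcessGuid). Hostname, GUIDs, paths and IPs are made up.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sysmon_event(event_id, **data):
    """Render one constructed Sysmon event as XML text."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            "<Computer>WS-03.corp.example</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [
    sysmon_event(1, ProcessGuid="{A1}", ParentProcessGuid="{00}",
                 Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 CommandLine='"WINWORD.EXE" /n quote_2017.docm'),
    sysmon_event(1, ProcessGuid="{B2}", ParentProcessGuid="{A1}",
                 Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 CommandLine=r"powershell.exe -nop -w hidden -f C:\Users\alice\AppData\Local\Temp\inv.ps1"),
    sysmon_event(3, ProcessGuid="{B2}", DestinationIp="203.0.113.10", DestinationPort="443"),
    sysmon_event(1, ProcessGuid="{C3}", ParentProcessGuid="{00}",
                 Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 CommandLine="chrome.exe"),
    sysmon_event(3, ProcessGuid="{C3}", DestinationIp="198.51.100.7", DestinationPort="443"),
    # A connection whose process-create event was never logged (log gap, or
    # the process started before Sysmon did).
    sysmon_event(3, ProcessGuid="{D4}", DestinationIp="203.0.113.99", DestinationPort="8080"),
]


def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return data


def map_connections(xml_events):
    """Join EventID 3 rows to the EventID 1 row with the same ProcessGuid.

    Returns one row per connection with the responsible image, command line
    and parent image. A connection with no matching process-create event is
    kept with image=None so the visibility gap shows up instead of being
    silently dropped.
    """
    procs, conns = {}, []
    for ev in map(parse_event, xml_events):
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 3:
            conns.append(ev)
    rows = []
    for c in conns:
        p = procs.get(c["ProcessGuid"])
        parent = procs.get(p["ParentProcessGuid"]) if p else None
        rows.append({
            "dest": f"{c['DestinationIp']}:{c['DestinationPort']}",
            "image": p["Image"] if p else None,
            "cmdline": p["CommandLine"] if p else None,
            "parent_image": parent["Image"] if parent else None,
        })
    return rows


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (None-safe)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def office_spawned_shell_connections(rows):
    """Hunt hypothesis: a script host launched by an Office app that talks out."""
    return [r for r in rows
            if basename(r["image"]) in SCRIPT_HOSTS and basename(r["parent_image"]) in OFFICE]


if __name__ == "__main__":
    rows = map_connections(SAMPLE_EVENTS)
    for r in rows:
        print(r)
    print("hits:", office_spawned_shell_connections(rows))
```

The join is the same one an SPL search does with `stats` over ProcessGuid across EventCode 1 and 3; the point worth keeping from the code is that connections without a parent process are surfaced rather than discarded, because a missing process-create event is itself something to check during an investigation.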
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re... (Splunk)
Understanding your security impact enables you to be faster and smarter about how you approach security threats. Whether you're looking to reduce breaches, set up monitoring to anticipate attacks, build more predictive capabilities or need quality reporting for an audit, you will learn how to leverage Splunk's analytics-driven security platform to analyse your data using the power of its Search Processing Language (SPL). We'll also present how to implement and up-level your security today with actionable searches that can immediately be put to use in your environment. In this session, you will learn how to:
- Optimise Splunk search and make it work for you, so you can quickly gain insights into your data to identify and describe security impacts and potential threats
- Detect unusual and potentially malicious activity using Splunk Enterprise's statistical and behavioral analysis capabilities
- Find unusual activity by comparing observed alert volume against the expected volume
This document provides an agenda for a Splunk Discovery Day event being held in Milwaukee on September 14, 2017. The agenda includes sessions on Machine Data 101, delivering new visibility and analytics for IT operations, and strengthening security posture. It notes there will be over 100 attendees, 3 sessions, and a happy hour. Breaks and a closing are also included.
Splunk Discovery Dusseldorf: September 2017 - Security Session (Splunk)
The Splunk experience came to Dusseldorf on September 20th 2017! Attendees learnt how to bring together all their different systems to help achieve their security goals.
Danfoss - Splunk for Vulnerability Management (Splunk)
This document summarizes a presentation about Danfoss' use of Splunk for vulnerability management. It provides an overview of Danfoss, the background and experience of the presenter, how Danfoss got started with Splunk in 2008 to meet log collection and retention requirements, and how their use of Splunk has evolved over time to include dashboards, security, automated alerting, and a Sophos antivirus case study. It outlines next steps of expanding Splunk's use to more teams and exploring advanced analytics.
You’re a CIO, CISO or DPO - and you’ve been woken up in the middle of the night because personal data held by your organization has been discovered for sale on the dark web. This disclosure puts the privacy of your customers at risk. What do you do next?
Join this session to learn about the impact of GDPR and go through a breach investigation and response scenario as it would be after GDPR comes into effect in May 2018. You’ll hear from Splunk’s Data Privacy Officer Elizabeth Davies and Splunk’s Security Ninja Matthias Maier.
What you will learn:
- What breach response will look like under the GDPR
- What tools and processes a data privacy officer will rely on in case of a breach
- What departments and entities will be involved beyond IT
- What activities are currently happening within organizations to prepare for the GDPR
- What the consequences of the breach could be
Watch the webinar: http://explore.splunk.com/GDPR_Webinar_EN
SplunkLive! London 2017 - Happy Apps, Happy Users (Splunk)
No matter what business you’re in, your web applications are front-and-center for your customers. Downtime, or even bad performance not only creates a spike in costs, they often translate into loss of customers and revenue. You need immediate insight into the availability, performance and usage of your applications and the infrastructure your applications run on. In this session, you will learn why you need to take a platform approach to full stack application management, whether your applications reside on-premises or in the cloud. Second, we will show you how you can use Splunk to monitor the usage and performance of your applications, and quickly troubleshoot faults by stepping through some of the most common issues our customers experience. Third, we’ll contrast what Splunk does relative to other APM tools you may already have deployed, and even show you how you can bring APM data into Splunk to gain more insight into application performance.
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods (Splunk)
The document discusses security analytics methods for detecting threats using Splunk software. It covers common security challenges, types of analytics methods, and applying analytics to the stages of an attack. The agenda includes an introduction to analytics methods, an overview of Splunk Security Essentials, a demo scenario of detecting a malicious insider, and next steps involving Enterprise Security and Splunk UBA. The demo scenario detects an insider exporting sales proposals by spotting unusually large file uploads in Box data. The summary recommends starting with Splunk Security Essentials, then leveraging Enterprise Security and UBA for advanced machine learning detection and automated response.
A Day in the Life of a GDPR Breach - September 2017: France (Splunk)
You’re a CIO, CISO or DPO - and you’ve been woken up in the middle of the night because personal data held by your organisation has been discovered for sale on the dark web. This disclosure puts the privacy of your customers at risk. What do you do next? Splunk's own Mathieu Dessus and Elizabeth Davies explore the future scenario.
This document provides information for an introductory Splunk security workshop, including:
- Details about the workshop agenda, which covers basic posture and monitoring in the first section and an introduction to investigation in the second section.
- Instructions for accessing the workshop environment and materials.
- A legend explaining the visual guides that will be used during the hands-on portions of the workshop.
- Overviews of the four key data sources - endpoint, identity, network, and threat intelligence - that will be analyzed to improve security posture and monitoring.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics and data sources, the cyber kill chain model, and conducting a hands-on attack scenario investigation using Splunk. It also covers advanced threat hunting techniques and tools, applying machine learning and data science to security, and increasing an organization's threat hunting maturity. The presentation includes examples of using Splunk to investigate a hypothetical attack spanning multiple stages of the cyber kill chain using various security data sources.
Splunk Forum Frankfurt - 15th Nov 2017 - GDPR / EU-DSGVO (Splunk)
This document discusses the EU General Data Protection Regulation (GDPR) and how Splunk can help organizations comply with it. It provides an overview of key GDPR requirements such as fines, data breach notification timelines, and mandatory privacy impact assessments. It then describes a hypothetical scenario where an organization experiences a data breach and must quickly investigate and respond to meet GDPR obligations. Finally, it outlines several Splunk resources that can help organizations use machine data to support GDPR requirements like breach investigation, security monitoring, and personal data processing.
SplunkLive! Zurich 2017 - Splunk Add-ons and Alerts (Splunk)
The document discusses Splunk add-ons and custom alert actions. It describes Splunk add-ons as technical extensions that can contain configurations, scripts, data inputs and field extractions. It also notes that the Splunk Add-on Builder allows users to create and test technical add-ons through a UI workflow. Custom alert actions are described as modules that extend alerts to customize actions and interface with third party systems. The presentation includes demos of the Splunk Add-on Builder and custom alert actions.
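The summary above describes custom alert actions as modules that extend alerts to interface with third-party systems. The following is an added example of the script side of such an action; it is not code from the talk or from Splunk. Splunk runs a custom alert action script with the `--execute` argument and passes it a JSON payload on stdin, and the payload keys read here (search_name, sid, results_link, configuration, result, session_key) are the documented ones; the action parameter name `webhook_url`, the ticket layout and the sample payload are this example's own assumptions. The two checks a practitioner wants are shown: the destination must be https, and the session key Splunk hands the script must never be copied into the outbound message or the logs.

```python
"""Skeleton of a Splunk custom alert action script.

Added example for this page, not code from the talk. Splunk runs a custom
alert action script with the --execute argument and hands it a JSON payload
on stdin; the payload keys read here (search_name, sid, results_link,
configuration, result, session_key) are the documented ones. The action
parameter name webhook_url, the ticket layout and the sample payload are
this example's own assumptions.
"""
import io
import json
import sys
from urllib.parse import urlparse

# Payload keys that must never be copied into anything that leaves Splunk.
SENSITIVE_KEYS = {"session_key"}


def is_safe_webhook(url):
    """Accept only absolute https URLs so the ticket is not sent in clear."""
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and bool(parsed.netloc)


def build_ticket(payload):
    """Turn the alert payload into (webhook_url, ticket body).

    Only the triggering result row and a link back to the search results are
    forwarded; sensitive keys are dropped even if a search happened to put
    them into the result row.
    """
    configuration = payload.get("configuration", {})
    url = configuration.get("webhook_url")
    if not is_safe_webhook(url):
        raise ValueError("webhook_url must be an absolute https URL")
    result = payload.get("result", {})
    ticket = {
        "title": f"[Splunk] {payload.get('search_name', 'unnamed alert')}",
        "sid": payload.get("sid"),
        "results_link": payload.get("results_link"),
        "fields": {k: v for k, v in result.items() if k not in SENSITIVE_KEYS},
    }
    return url, ticket


def main(argv, stdin):
    """Entry point in the shape Splunk invokes: alert_action.py --execute < payload.json"""
    if len(argv) < 2 or argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = json.load(stdin)
    try:
        url, ticket = build_ticket(payload)
    except ValueError as exc:
        sys.stderr.write(f"ERROR {exc}\n")
        return 2
    # A real action would POST json.dumps(ticket) to url here; the request is
    # left out so this runs offline. Log the sid, never the session_key.
    sys.stderr.write(f"INFO Prepared ticket for sid={ticket['sid']} -> {url}\n")
    return 0


# Constructed payload in the documented shape, used when run stand-alone.
SAMPLE_PAYLOAD = {
    "search_name": "Office app spawned script host",
    "sid": "scheduler__admin__search__abc123_at_1510700000_42",
    "results_link": "https://splunk.corp.example:8000/app/search/@go?sid=abc123",
    "session_key": "EXAMPLE-SESSION-KEY",
    "configuration": {"webhook_url": "https://tickets.corp.example/api/incidents"},
    "result": {"host": "WS-03", "user": "alice",
               "parent_image": "WINWORD.EXE", "image": "powershell.exe"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv, sys.stdin))
    sys.exit(main(["alert_action.py", "--execute"], io.StringIO(json.dumps(SAMPLE_PAYLOAD))))
```

Splunk's own messages for custom alert actions are read from the script's stderr, which is why the script logs there; keeping the session key out of those lines matters because they end up in Splunk's internal logs, which many more people can read than can run searches as the alert owner.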
SplunkLive! Zurich 2017 - Getting Started with Splunk Enterprise (Splunk)
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen... (Splunk)
This document discusses building an analytics-driven security operations center (SOC). It begins with an overview of traditional SOCs and their limitations, such as focusing primarily on alerts. It then discusses emerging trends in security operations that are driving the need for an analytics-driven SOC, such as the focus on detection and response. The document proposes seven enablers for building an analytics-driven SOC using Splunk, including selecting the right sourcing strategy, adopting an adaptive security architecture, optimizing threat intelligence management, deploying advanced analytics like machine learning, enabling proactive threat hunting, promoting automation and efficiency, and driving broader enterprise insights.
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ... (Splunk)
This document discusses using Splunk for incident response, orchestration, and automation. It notes that incident response currently takes significant time, with containment and response phases accounting for 72% of the time spent on incidents. It proposes that security operations need to change through orchestration and automation using adaptive response. Adaptive response aims to accelerate detection, investigation, and response by centrally automating data retrieval, sharing, and response actions across security tools and domains. This improves efficiency and extracts new insights through leveraging shared context and actions.
Splunk for Enterprise Security and User Behavior AnalyticsSplunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
.conf2016: Splunking the Endpoint: “Hands on!” Ransomware EditionSplunk
Agenda:
Ransomware overview
How do we log in?
Hands-On: Detection by watching the endpoints
Hands-On: A diversion over to forensics
Hands-On: Ideas for prevention
Ransomware detection, cybersecurity, data analytics and application.
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with SplunkSplunk
This document outlines an agenda and presentation for a Splunk workshop on reactive to proactive troubleshooting and monitoring. The agenda includes an introduction to Splunk for IT operations, hands-on IT operations exercises, an overview of relevant Splunk apps, an introduction to Splunk IT Service Intelligence, and customer stories. The presentation discusses how Splunk can help transform IT from reactive problem solving to proactive monitoring and operational intelligence. It highlights key Splunk capabilities like searching, monitoring, alerting and visualizing machine data from various sources to improve troubleshooting, uptime, and IT productivity. [/SUMMARY]
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with SplunkSplunk
This document discusses using Splunk software to build a security operations center (SOC) and monitor for threats and compliance. It provides an overview of Splunk's capabilities for security analytics, incident response, and compliance reporting. Specific applications mentioned include monitoring privileged user access, detecting data breaches, and ensuring compliance with the GDPR. The presentation emphasizes how Splunk allows flexible data collection and analysis across IT operations, security, and other domains to gain visibility and protect sensitive data.
This document outlines an agenda for a training on threat hunting with Splunk. It discusses threat hunting basics and data sources for threat hunting including network, endpoint, threat intelligence and security information. It provides log in credentials for the hands-on portion and covers topics like the cyber kill chain framework, conducting searches on endpoint data with Sysmon, mapping network communications to processes, and walking through a demo attack scenario across multiple data sources.
SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Re...Splunk
Understanding your security impact enables you to be faster and smarter about how you approach security threats. Whether you're looking to reduce breaches, set up monitoring to anticipate attacks, build more predictive capabilities or need quality reporting for an audit, you will learn how to leverage Splunk's analytics-driven security platform to analyse your data by using the power of our Search Processing Language (SPL). We'll also present how to implement and up-level your security today with actionable searches that can immediately be put to use in your environment. In this session, you will learn how to: - Optimise and make Splunk search work for you, so you can quickly gain insights into your data to identify and describe security impacts and potential threats - Detect unusual and potentially malicious activity threats using Splunk Enterprise statistical and behavorial analysis capabilities - Find unusual activities (using expected alert volume)
This document provides an agenda for a Splunk Discovery Day event being held in Milwaukee on September 14, 2017. The agenda includes sessions on Machine Data 101, delivering new visibility and analytics for IT operations, and strengthening security posture. It notes there will be over 100 attendees, 3 sessions, and a happy hour. Breaks and a closing are also included. [/SUMMARY]
Splunk Discovery Dusseldorf: September 2017 - Security SessionSplunk
The Splunk experience came to Dusseldorf on September 20th 2017! Attendees learnt how to bring together all their different systems to help achieve their security goals.
Danfoss - Splunk for Vulnerability ManagementSplunk
This document summarizes a presentation about Danfoss' use of Splunk for vulnerability management. It provides an overview of Danfoss, the background and experience of the presenter, how Danfoss got started with Splunk in 2008 to meet log collection and retention requirements, and how their use of Splunk has evolved over time to include dashboards, security, automated alerting, and a Sophos antivirus case study. It outlines next steps of expanding Splunk's use to more teams and exploring advanced analytics.
You’re a CIO, CISO or DPO - and you’ve been woken up in the middle of the night because personal data held by your organization has been discovered for sale on the dark web. This disclosure puts the privacy of your customers at risk. What do you do next?
Join this session to learn about the impact of GDPR and go through a breach investigation and response scenario as it would be after GDPR comes into effect in May 2018. You’ll hear from Splunk’s Data Privacy Officer Elizabeth Davies and Splunk’s Security Ninja Matthias Maier.
What you will learn:
- What breach response will look like under the GDPR
- What tools and processes a data privacy officer will rely on in case of a breach
- What departments and entities will be involved beyond IT
- What activities are currently happening within organizations to prepare for the GDPR
- What the consequences of the breach could be
Watch the webinar: http://explore.splunk.com/GDPR_Webinar_EN
SplunkLive! London 2017 - Happy Apps, Happy Users (Splunk)
No matter what business you’re in, your web applications are front-and-center for your customers. Downtime, or even bad performance not only creates a spike in costs, they often translate into loss of customers and revenue. You need immediate insight into the availability, performance and usage of your applications and the infrastructure your applications run on. In this session, you will learn why you need to take a platform approach to full stack application management, whether your applications reside on-premises or in the cloud. Second, we will show you how you can use Splunk to monitor the usage and performance of your applications, and quickly troubleshoot faults by stepping through some of the most common issues our customers experience. Third, we’ll contrast what Splunk does relative to other APM tools you may already have deployed, and even show you how you can bring APM data into Splunk to gain more insight into application performance.
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods (Splunk)
The document discusses security analytics methods for detecting threats using Splunk software. It covers common security challenges, types of analytics methods, and applying analytics to stages of an attack. The agenda includes an introduction to analytics methods, an overview of Splunk Security Essentials, a demo scenario of detecting a malicious insider, and next steps involving Enterprise Security and Splunk UBA. The demo scenario shows detecting large file uploads from Box to detect an insider exporting sales proposals. The summary recommends starting with Splunk Security Essentials, then leveraging Enterprise Security and UBA for advanced machine learning detection and automated response.
A Day in the Life of a GDPR Breach - September 2017: France (Splunk)
You’re a CIO, CISO or DPO - and you’ve been woken up in the middle of the night because personal data held by your organisation has been discovered for sale on the dark web. This disclosure puts the privacy of your customers at risk. What do you do next? Splunk's own Mathieu Dessus and Elizabeth Davies explore the future scenario.
This document provides information for an introductory Splunk security workshop, including:
- Details about the workshop agenda, which covers basic posture and monitoring in the first section and an introduction to investigation in the second section.
- Instructions for accessing the workshop environment and materials.
- A legend explaining the visual guides that will be used during the hands-on portions of the workshop.
- Overviews of the four key data sources - endpoint, identity, network, and threat intelligence - that will be analyzed to improve security posture and monitoring.
The document is a presentation on threat hunting with Splunk. It discusses threat hunting basics and data sources, the cyber kill chain model, and conducting a hands-on attack scenario investigation using Splunk. It also covers advanced threat hunting techniques and tools, applying machine learning and data science to security, and increasing an organization's threat hunting maturity. The presentation includes examples of using Splunk to investigate a hypothetical attack spanning multiple stages of the cyber kill chain using various security data sources.
Splunk Forum Frankfurt - 15th Nov 2017 - GDPR / EU-DSGVO (Splunk)
This document discusses the EU General Data Protection Regulation (GDPR) and how Splunk can help organizations comply with it. It provides an overview of key GDPR requirements such as fines, data breach notification timelines, and mandatory privacy impact assessments. It then describes a hypothetical scenario where an organization experiences a data breach and must quickly investigate and respond to meet GDPR obligations. Finally, it outlines several Splunk resources that can help organizations use machine data to support GDPR requirements like breach investigation, security monitoring, and personal data processing.
SplunkLive! Zurich 2017 - Splunk Add-ons and Alerts (Splunk)
The document discusses Splunk add-ons and custom alert actions. It describes Splunk add-ons as technical extensions that can contain configurations, scripts, data inputs and field extractions. It also notes that the Splunk Add-on Builder allows users to create and test technical add-ons through a UI workflow. Custom alert actions are described as modules that extend alerts to customize actions and interface with third party systems. The presentation includes demos of the Splunk Add-on Builder and custom alert actions.
SplunkLive! Zurich 2017 - Getting Started with Splunk Enterprise (Splunk)
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen... (Splunk)
This document discusses building an analytics-driven security operations center (SOC). It begins with an overview of traditional SOCs and their limitations, such as focusing primarily on alerts. It then discusses emerging trends in security operations that are driving the need for an analytics-driven SOC, such as the focus on detection and response. The document proposes seven enablers for building an analytics-driven SOC using Splunk, including selecting the right sourcing strategy, adopting an adaptive security architecture, optimizing threat intelligence management, deploying advanced analytics like machine learning, enabling proactive threat hunting, promoting automation and efficiency, and driving broader enterprise insights.
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ... (Splunk)
This document discusses using Splunk for incident response, orchestration, and automation. It notes that incident response currently takes significant time, with containment and response phases accounting for 72% of the time spent on incidents. It proposes that security operations need to change through orchestration and automation using adaptive response. Adaptive response aims to accelerate detection, investigation, and response by centrally automating data retrieval, sharing, and response actions across security tools and domains. This improves efficiency and extracts new insights through leveraging shared context and actions.
How security analytics helps UCAS protect 700,000 student applications (Splunk)
For two weeks a year, UCAS, the UK’s Universities and Colleges Admissions Service, is seen as a critical national service, during which 700,000 students rely on the service to find and secure university placements. If UCAS fails, students won’t get their places confirmed on time and universities won’t fill the spaces they need to. Personal data flows from the point of student application, through UCAS, to the universities. Protecting this data is paramount.
Join this webinar to learn how the UCAS uses Splunk Enterprise Security running on Splunk Cloud to gain real-time end-to-end visibility and reporting across various technology stacks, both on premise and across their AWS environment, and why an analytics-driven approach can enable you to identify anomalies that could indicate potential compromise.
Find out how Splunk helps UCAS:
· Gain centralised visibility into their Security Operations Center (SOC)
· Use incident investigation to prove-negative for breach notification obligation under the Data Protection Act 1988 (soon to be GDPR)
· Proactively detect security risks beyond malware
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR (Splunk)
This document summarizes a presentation about analytics-driven security and security orchestration, automation and response (SOAR). It discusses how Splunk turns machine data into answers by collecting data from various sources and allowing users to ask different questions of the same data. It also describes Splunk's security portfolio including products for data, analytics, and operations. Key releases from the .conf2018 conference are highlighted for Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk Phantom that focus on accelerating investigation, improving threat detection, and enabling faster remediation through automation.
Splunk Discovery Day Dubai 2017 - Security Keynote (Splunk)
This document discusses Splunk's security vision, strategy, and platform. It outlines Splunk's positioning as a leader in security information and event management. It describes Splunk's security portfolio and how the platform can be used to prevent, detect, respond to and predict security threats. It also provides examples of how Splunk has helped customers in various industries improve their security operations and gain insights from security and other machine data.
Splunk Forum Frankfurt - 15th Nov 2017 - .conf2017 Update (Splunk)
Dirk Nitschke presented an update on .conf2017 and new Splunk products and features. Key points included:
- .conf2017 had over 7,100 attendees and 300 technical sessions.
- New security apps for fraud detection and content updates for Splunk Enterprise Security.
- Splunk IT Service Intelligence 3.0 uses AI to simplify operations and prioritize issues.
- Splunk Enterprise 7.0 integrates logs and metrics for improved monitoring, investigation, and intelligence building.
- Enhancements to Splunk Machine Learning Toolkit for guided modeling, forecasting, and custom algorithms.
Splunk’s machine learning framework mixed with Splunk’s Event Management capabilities gives operations teams the opportunity to proactively act and automate on an event before it becomes an IT outage. This session will detail and demonstrate how to predict a health score of your business service, proactively take action based on those predictions and publish to your collaborative messaging and automation solutions.
Splunk for Enterprise Security Featuring UBA (Splunk)
This document provides an overview and summary of Splunk's security products, including Enterprise Security and User Behavior Analytics. It discusses the key capabilities and features of these products, such as detecting advanced cyberattacks, identifying insider threats through machine learning, and integrating UBA with SIEM for improved threat detection. New features in recent versions are highlighted, like custom threat modeling and enhanced visibility into user, device, application, and protocol activity. Customer testimonials praise Splunk UBA's data-science approach to finding hidden threats.
Splunk Discovery: Milan 2018 - Get More From Your Machine Data with Splunk AI (Splunk)
This document discusses machine learning and artificial intelligence capabilities provided by Splunk. It begins by explaining why organizations are adopting AI and machine learning to improve decision making, uncover hidden trends, forecast incidents, and more using diverse real-time data. It then provides an overview of Splunk's machine learning toolkit and capabilities including search, packaged solutions, algorithms, and commands. Examples of applications include anomaly detection, predictive analytics, dynamic thresholding and more. Customer stories demonstrate how organizations are using Splunk's machine learning for security, operations, and other use cases.
Splunk is a powerful platform for understanding your data. This session will provide an overview of machine learning capabilities available across Splunk’s portfolio. We'll dive deeply into Splunk's Machine Learning Toolkit App, which extends Splunk Enterprise with a rich suite of advanced analytics, machine learning algorithms, and rich visualizations. It also provides customers with a guided model-building and operationalization environment. The demonstration will include the guided model-building UI for tasks such as predictive analytics, outlier detection, event clustering, and anomaly detection. We’ll also review typical use cases and real-world customers who are using the Toolkit to drive business results.
Splunk Data Onboarding Overview - Splunk Data Collection Architecture (Splunk)
Splunk's Naman Joshi and Jon Harris presented the Splunk Data Onboarding overview at SplunkLive! Sydney. This presentation covers:
1. Splunk Data Collection Architecture
2. Apps and Technology Add-ons
3. Demos / Examples
4. Best Practices
5. Resources and Q&A
SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Se... (Splunk)
All data is security relevant – whether you are an IT or security professional, it is important to gain context into all your data to understand your environment, quickly hunt for and investigate potential threats in your environment, and take action to remediate. In this session, you will learn how to:
- Leverage your data across silos with analytics-driven security
- Operationalize all relevant data to gain greater visibility of your environment to make more informed decisions
- Optimize incident response to more clearly understand an attack and the sequential relationship between events to quickly determine the appropriate next steps
- Improve investigation and remediation times by automating decisions or by using human-assisted decisions with full context from adaptive response
- Utilize Splunk User Behavior Analytics to verify privileged access and detect unusual activity by using UBA anomalies
Security investigation hands on workshop 2018-05 (YoungCho50)
This document provides information for an introductory Splunk security workshop, including:
- Details on accessing the workshop WiFi and materials.
- An agenda that covers basic posture and monitoring using Splunk Enterprise and Splunk Enterprise Security, including hands-on exercises for endpoint, identity, and network data sources.
- Instructions for navigating the hands-on environment and guidance for specific exercises exploring endpoint, login, and network data.
This session will provide an overview and demo of the features of Splunk Cloud and Splunk Enterprise, including machine learning, data analysis, power user productivity and platform management.
Exploring Frameworks of Splunk Enterprise Security (Splunk)
This document discusses Splunk Enterprise Security and its frameworks for addressing security operations challenges. It provides an overview of Splunk's security portfolio and how it can help with issues like slow investigations, limited data ingestion, and inflexible deployments faced by legacy SIEMs. Key frameworks covered include the Notable Events framework for streamlining incident management across the entire lifecycle from detection to remediation. It also discusses the Asset and Identity framework for automatically enriching incidents with relevant context to help with rapid qualification and situational awareness.
Exploring Frameworks of Splunk Enterprise Security (Splunk)
This document discusses Splunk Enterprise Security and its frameworks for analyzing security data. It begins with an introduction and agenda. It then discusses Splunk's analytics-driven security information and event management (SIEM) capabilities. The main part of the presentation covers Splunk's frameworks for enterprise security, including the Notable Events framework for streamlining incident management and the Asset and Identity framework for automatically mapping context to incidents. It provides examples of how these frameworks enable faster incident review and investigation.
This document discusses Splunk Enterprise Security and its frameworks for analyzing security data. It provides an overview of Splunk's security portfolio and how it addresses challenges with legacy SIEM solutions. Key frameworks covered include Notable Events for streamlining incident management, Asset and Identity for enriching incidents with contextual data, Risk Analysis for prioritizing incidents based on quantitative risk scores, and Threat Intelligence for detecting indicators of compromise in machine data. Interactive dashboards and incident review interfaces are highlighted as ways to investigate threats and monitor the security posture.
63. Acceleration Workshops
▶ ES Benchmark
• Used to help existing customers optimize their Splunk ES investment
▶ Security Readiness Review (CSC 20, SIEM+, SOC)
• Designed to accelerate and expand opportunities in the pre-sales phase by providing discovery and guidance in areas of business risk, security goals, use case definition, data source mapping & value realization
▶ Threat Hunting Workshop
• Designed to provide thought leadership and hands-on experience of threat hunting using Splunk.
This hour is intended to be educational, and we're relying heavily on a LOT of great resources like these. Everything from O'Reilly books to Gartner reports to Splunk .conf presentations to blog posts. All these resources are cited both on the slide where they are referenced and at the end of the presentation.
Before we talk about Security Operations, and Security Operations _Centers_, we should understand the big picture. Security Operations is usually just a part of a bigger security program. Here are some examples of popular "CISO Mind Maps": one from SANS, one from security blogger Rafeeq Rehman, and one created by yours truly (Dave H) for a consulting customer years ago.
When you look at these mind maps, you recognize one thing. Security programs are complicated. Let’s simplify it a bit by describing what we most often see at our customers.
We very often see this type of traditional organizational model for a security program.
Risk and compliance defines what needs to be protected. If they are advanced, this is done through a formal risk analysis framework like FAIR, OCTAVE, etc.
Architecture looks at the risk register and chooses controls to mitigate those risks. The controls can be architectural, like network segmentation or choosing optimal sensor locations, and often include product choices like endpoint protection, firewalls, data collection, SIEM, automated file analysis, sandboxes, etc. Defense-in-depth strategies are usually defined here.
Security engineers install and maintain the security toolchain. They keep the security systems up and running so that Operations can do the day to day work of security.
Security operations.
There are a lot of different types of SOCs. Here are some that Anton Chuvakin describes in his recent Gartner paper. A virtual SOC is made up of remote analysts without a dedicated facility. If you use an MSSP exclusively, you have a VSOC. Some organizations combine operations capabilities like NOC or helpdesk into what you might call a multi-function SOC. A command SOC is a SOC of SOCs, something we at Splunk often see in large multi-national organizations. A co-managed SOC is common when an MSSP performs part of the SOC duties.
Splunkers often see “Crew SOCs” which is something of a volunteer fire department. When an incident occurs, we get the crew together to analyze and respond. (yikes?)
We very often see organizations that fall into something we call the Alert Triage trap. Anton Chuvakin included mention of the alert pipeline when discussing common mistakes made by organizations implementing SOCs.
Is this really a bad thing? Yes and no. Certainly every SOC needs the core capability to triage incoming alerts effectively. If, however, the identity of the entire SOC becomes “alert pipeline” it can rob the team of the opportunity to focus on what’s becoming increasingly important in SOCs of the future. We’ll talk more about those as we move through today’s presentation.
This is an old Splunk slide! And it's an old security concept. It's still valid too! Security folks like me talk about People, Process and Technology all the time. We don't need to dwell on this too long, but the one thing to take away from this talk today is this:
The bottom line is that technology exists to serve people and processes. That's not to say that people will not have to learn and adapt to the chosen toolchain. That's reality. But what it _does_ mean is that if you are spending all your time trying to re-organize around a specific technology, or worse yet, if you are avoiding important detection and response capabilities because the technology cannot support them, then you may have a technology problem. We'll talk more about how the Splunk security product portfolio (including Splunk Core, Splunk Enterprise Security, the PCI App, and Splunk UBA) can help later. For now let's talk more about challenges we see in traditional SOCs.
We have plenty of examples in the industry of traditional SOCs simply not getting the job done. In one such high-profile case, details have surfaced indicating that several actual malware events reported by a popular security product were ignored or triaged improperly. http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712
As we’ve mentioned, a traditional SOC is heavily reliant on people. Good SOC analysts are difficult to find and retain.
Remember this tidy little diagram of the security critical path? Unfortunately we see it often turn into something like this:
It often ends up like this: silo-ization.
SOCs are expensive to run, and you always have to consider not just the bottom line, but what kind of return you are missing out on by not having those resources invested in revenue-generating activity.
One trend we’re seeing with next generation security operations centers is they are no longer called SOCs! Here are a few of the cool new names we’ve run across.
It isn’t just us who think some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys who work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, like IDS to Vuln.
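As an added example (not code from this talk or from Splunk), the six fields above applied to two constructed log formats, followed by the IDS-to-Vuln correlation that normalization makes possible; the line formats, field names and severity values are assumptions for illustration:

```python
# Added example, not code from the talk or Splunk: normalize two constructed log
# formats into the six fields above, then correlate IDS alerts to vuln findings.
import re
from dataclasses import dataclass

@dataclass
class Event:
    time: str        # date and time
    action: str      # type of action performed
    subsystem: str   # subsystem performing (here: reporting) the action
    src: str         # identifier of the object requesting the action
    dest: str        # identifier of the object providing the action
    status: str      # status, outcome or result of the action

# Constructed sample lines in simplified, assumed formats (not real product output).
IDS_LINES = [
    '2024-03-14T10:22:05Z [**] [1:1000001:1] EXAMPLE shell response [**] {TCP} 10.0.0.5:4444 -> 10.0.0.9:51234',
    '2024-03-14T10:23:11Z [**] [1:1000002:1] EXAMPLE port sweep [**] {TCP} 10.0.0.5:4444 -> 10.0.0.12:22',
]
VULN_LINES = [
    '2024-03-13T08:00:00Z host=10.0.0.9 plugin=1000 severity=high state=open',
    '2024-03-13T08:00:01Z host=10.0.0.12 plugin=1001 severity=low state=fixed',
]
IDS_RE = re.compile(r'(\S+) \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] \{\w+\} (\S+):\d+ -> (\S+):\d+')

def normalize_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped, never guessed at
    ts, sig, src, dest = m.groups()
    return Event(ts, 'alert:' + sig, 'ids', src, dest, 'alerted')

def normalize_vuln(line):
    ts, _, rest = line.partition(' ')
    kv = dict(re.findall(r'(\w+)=(\S+)', rest))
    if not {'host', 'plugin', 'severity', 'state'}.issubset(kv):
        return None
    # the scanner requests the check; the scanned host provides the answer
    return Event(ts, 'vuln:%s:%s' % (kv['plugin'], kv['severity']), 'vuln_scan',
                 'scanner', kv['host'], kv['state'])

def correlate(ids_events, vuln_events, min_sev=('high', 'critical')):
    """IDS alerts whose target host has an open vuln with severity in min_sev."""
    exposed = {v.dest for v in vuln_events
               if v.status == 'open' and v.action.split(':')[2] in min_sev}
    return [e for e in ids_events if e.dest in exposed]

def run():
    ids = [e for e in map(normalize_ids, IDS_LINES) if e]
    vulns = [e for e in map(normalize_vuln, VULN_LINES) if e]
    return [(e.time, e.action, e.dest) for e in correlate(ids, vulns)]
```

Only the alert against the host with an open high-severity finding survives the join; the port sweep against a patched host is left for normal triage.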
Splunk & TH:
1. Ingest & Onboard Any Threat Hunting Machine Data Source
Enable fast ingestion of any machine data through efficient indexing, a big data real-time architecture and schema-on-read technology
2. Threat Hunting Data Enrichment
Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
3. Threat Hunting Automation
Integrated out-of-the-box automation tooling, from artifact query, “contextual swim-lane analysis”, anomaly and time series analysis to advanced data science leveraging machine learning
4. Search & Visualise Relationships for Faster Hunting
Search and correlate data while visually fusing results for faster context, analysis and insight
One way to answer the question “What is Enterprise Security?”, and the way we’ll look at it today, is to consider the frameworks that comprise it. Today we’ll focus on these 5, but we’ll do so in a slightly different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we’re going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider.
The ES frameworks, along with some very nice dashboards, and of course your organization’s security data, make up ES.
Today’s enterprise requires big data security solutions that can monitor and investigate advanced threats and attacks and enable rapid incident response. The Splunk Quick Start for SIEM provides a fast approach to get you up and running using Splunk Enterprise Security, an analytics-driven security information and event management solution.
Quickly determine threat and malware activity within your environment
Use the full capability of Splunk Enterprise Security to solve a wide range of SIEM use cases
Use your education credit and .conf event passes to solve additional use cases
Scalable packages available in medium and large sizes to meet your needs
Industry
• Technology
Splunk Use Cases
• Application delivery
• IT operations
• Security
Challenges
• Needed to create a world-class SOC with superior response and maturity levels
• Lacked a SIEM solution
• Wanted full visibility across silos to rapidly search and analyze security-related events
• Sought an agile solution to decrease MTTR
Splunk Products
• Splunk Enterprise
• Splunk Enterprise Security
Data Sources
• Palo Alto Networks and Juniper firewalls
• Sourcefire and Snort intrusion detection systems
• Anti-virus systems
• McAfee vulnerability scans
• Windows and Linux server OS logs
• Apache and IIS web server application logs
• Active Directory domain controllers
• IronPort email security appliance and email/SMTP servers
Case Study
http://www.splunk.com/en_us/customers/success-stories/saic.html
Don’t forget to complete today’s survey at ponypoll.com/_____ for your chance to win a .conf2017 pass.
A winner will be identified tomorrow through a random drawing from completed surveys and will be notified via email.