© 2018 SPLUNK INC.
SOAR Roundtable
Angelo Brancato | Kai-Ping Seidenschnur
Thursday, 13 September 2018, Splunk München
SOAR
Security Orchestration, Automation, & Response
Who we are
Kai-Ping Seidenschnur
Staff Sales Engineer,
DACH
Angelo Brancato
Security Specialist,
EMEA
Agenda
• 13:30 - Arrival & welcome drinks / snacks
• 14:00 - Presentation & discussion
  • Open workshop format
  • Interaction throughout the whole workshop is encouraged
  • Splunk Phantom functional overview
    • Orchestration & Automation
    • Collaboration & Case Management
    • Visualization & Reporting
  • Live demo
    • Example playbooks
    • SIEM & SOAR working together
• 17:00 - Closing & drinks
Asymmetry is a b#*+#!
We have to protect all ways in. The adversary must discover only one…
THREATS ARE MORE COMPLEX AND FAR-REACHING
NOT CLOSING THE SKILLS GAP
SECURITY TO ENABLE BUSINESS AND THE MISSION
Theodore Roosevelt
"By year-end 2020, 15% of organizations with a security team larger than five people will leverage SOAR tools for orchestration and automation reasons, up from less than 1% today."
Gartner, November 2017, SOAR Report
SOAR = Security Orchestration, Automation, and Response
▶ Orchestration
• Machine-based integration connectors into the IT ecosystem
• Feature-rich and bi-directional API integration
• Integration abstraction - ease of use and extensibility
▶ Automation
• Playbook definition that makes use of the ecosystem orchestration
• Machine-based playbook execution and decision-making workflow (with and without human interaction)
▶ Response
• Policy-based coordination of human and machine-based activities for event/case/incident workflows
• Reporting, Collaboration, Case Management
SOAR for Security Operations
Faster execution through the loop yields better security
[Figure: an Observe / Orient / Decision Making / Acting loop, shown twice: "Manual (today)" and "Automated with Phantom"]
• Observe - Point Products: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
• Orient - Analytics: SIEM, Threat Intel Platform, Hadoop, GRC
• Decision Making / Acting - Tier 1, Tier 2, Tier 3 analysts, acting back on the same point products (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation)
• Today: Observe and Orient are automated, Decision Making and Acting are manual
• With Phantom: all four stages are automated, and the action results feed back into the loop (Action Results / Feedback Loop)
When should I look into SOAR?
[Maturity progression; the columns of the original slide read from least to most mature]
1. Risk unknown; in denial of breach; no Incident Response (IR) plans; ad hoc / reactive; limited resources
2. Custom tools; basic alarming; IR on roadmap; limited resources
3. Risk understood; SIEM in place; basic run books; some integrations; internal & external resourcing
4. Assume breached; formal run books; SOAR; formal and (annually) tested IR plan; panel of specialists
5. Proactive threat hunting; continuous improvement; IR plans tested regularly (agile); holistic security view; forensic investigation and legal agreement to share IR data; integration and automation; internal and external resources
Splunk in a Security Operation Center
Splunk Security Portfolio
[Figure: platform stack diagram]
• Deployment: On-Premises, Private Cloud, Public Cloud
• Machine Data: Any Location, Type, Volume - e.g. Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
• Platform layers: Platform Support (Apps / API / SDKs); Enterprise Scalability; Universal Indexing / Schema-on-Read; Splunk Processing Language (SPL)
• Platform for Operational Intelligence - One Platform, all Use Cases*
• Security solutions on top: SIEM, UEBA, SOAR; Log Management; Premium Apps; rich ecosystem of Splunk-built and community Apps & Add-Ons; ...
SIEM: Security Information and Event Management
UEBA: User and Entity Behavior Analytics
SOAR: Security Orchestration, Automation and Response
API: Application Programming Interface
SDK: Software Development Kit
* Besides Security also IT Operations, IoT, Business Analytics, Application Analytics
Analytics-Driven Security
[Figure: Splunk security product map]
• Platform: Splunk Enterprise; Developer Platform (REST API, SDKs); On-Premise, Cloud, Hybrid; Add-Ons; Stream; Splunkbase Apps for Security
• Premium solutions: Analytics-Driven SIEM; User and Entity Behavior Analytics; Security Orchestration, Automation and Response
• Some App suggestions: Splunk App for PCI Compliance; Machine Learning Toolkit; CIS Top 20 Critical Security Controls; Security Essentials family (Ransomware, Anti-Fraud, etc.); DGA App; AWS
Splunk Security Nerve Center
[Figure: hub-and-spoke diagram with Splunk at the center]
• Integrated domains: Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
• Analytics-Driven Security & Machine Learning & Adaptive Response: the thought process, the intuition, the reflexes
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-vision.html
Splunk for the SOC - Overview
[Figure, built up over three slides: the SOC sits between Threat and Business]
• Infrastructure / Business Functions: Network, Server, Security, Endpoint, Cloud, Database, Facility / DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
• Inputs to the SOC: Data Source; Business Context/Risk; Security Context; Playbooks
• Outputs of the SOC: IR; KPI
• SOC workflow: Data → Monitor → Detect → Investigate → Respond
IR: Incident Response
KPI: Key Performance Indicator, or also KSI: Key Security Indicator
SOAR Maestro
[Figure: a Playbook acts as the conductor over many App actions]
Automation
Phantom enables you to work smarter by executing
normalized actions across your entire infrastructure in
seconds, versus hours or more if performed manually. Codify
your workflows into automated playbooks using our visual
editor (no coding required) or the integrated Python
development environment.
Orchestration
200+ Phantom apps & growing
1900+ actions & growing
Many community apps & playbooks
Phantom's flexible app model supports hundreds of apps and thousands of APIs, enabling you to connect and coordinate complex workflows across your team and tools. Powerful abstraction allows you to focus on what you want to accomplish, while the platform translates that into tool-specific actions.
Collaboration
In-context collaboration allows you to stay focused on your
current mission. From integrated chat to shared case notes,
Phantom helps you increase situational awareness and
drive efficient communications across your team. Mission
Guidance and Mission Experts augment your team with
helpful suggestions.
Event Management
Use Splunk Enterprise Security with Phantom to triage
events or other security objects in an automated, semi-
automated, or manual fashion. You can review event
details, enrich events with contextual information, and act
rapidly.
Case Management
Confirmed events can be aggregated and escalated to
Cases within Phantom. Customize one of our Case
Templates or create your own that model your standard
operating procedures, allowing you to efficiently track and
monitor case status and progress.
Reports & Metrics
Reporting and Metrics provide human oversight and auditing
capabilities. Dashboards consolidate all critical information
needed to understand the current state of your security
operations. Reports provide executive level and detailed
technical reporting for any event or case.
A Phantom Case Study: Automated Malware Investigation
[Figure: playbook flow] Email alert (from Splunk) → enrichment nodes: Sandbox, Query recipients, User profile, Hunt file → File reputation → File assessment → Run playbook "Remediate"
"Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more."
Adam Fletcher
CISO, Blackstone
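The SOAR definition earlier in the deck (orchestration connectors behind an integration abstraction, playbooks that run with or without human interaction) and the malware-email case study above describe the same mechanism from two sides. The following is an added example, not Phantom's playbook API and not code from this deck: a toy orchestrator that maps normalized action names ("detonate file", "hunt file", ...) to stub connectors, plus a playbook that follows the case-study flow (enrich, assess, decide, remediate) and pauses for an analyst only when the blast radius or the accounts involved make full automation risky. All hashes, users, hosts and verdicts are constructed sample data; the connector functions stand in for real sandbox, threat-intel, mail, directory and EDR integrations.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data standing in for real tool output (not from any real system).
EVIL_HASH = "aa11" * 16
SAMPLE_ALERT = {
    "id": "evt-1001",
    "sender": "billing@example.net",
    "subject": "Invoice attached",
    "attachment_sha256": EVIL_HASH,
}
SANDBOX_VERDICTS = {EVIL_HASH: {"verdict": "malicious", "score": 92}}
REPUTATION = {EVIL_HASH: {"positives": 41, "total": 68}}
MAILBOX_RECIPIENTS = {"evt-1001": ["alice@example.com", "bob@example.com"]}
DIRECTORY = {
    "alice@example.com": {"title": "Accountant", "privileged": False},
    "bob@example.com": {"title": "Domain Admin", "privileged": True},
}
EDR_HASH_SIGHTINGS = {EVIL_HASH: ["wks-alice", "wks-bob"]}


@dataclass
class ActionResult:
    action: str   # normalized action name, e.g. "detonate file"
    app: str      # which connector produced the result
    data: dict


class Orchestrator:
    """Integration abstraction (hypothetical): a playbook asks for a normalized
    action and the orchestrator dispatches it to every app implementing it.
    Every call is recorded, which is the audit trail a SOAR platform needs."""

    def __init__(self) -> None:
        self._connectors = {}   # action name -> [(app name, connector fn)]
        self.audit = []         # ActionResult for every action executed

    def register(self, action: str, app: str, fn: Callable[[dict], dict]) -> None:
        self._connectors.setdefault(action, []).append((app, fn))

    def act(self, action: str, **params) -> list:
        if action not in self._connectors:
            raise KeyError(f"no app provides action {action!r}")
        results = [ActionResult(action, app, fn(params)) for app, fn in self._connectors[action]]
        self.audit.extend(results)
        return results


# Stub connectors playing the role of vendor apps (sandbox, TI, mail, directory, EDR, AV).
def sandbox_detonate(p): return SANDBOX_VERDICTS.get(p["hash"], {"verdict": "unknown", "score": 0})
def file_reputation(p): return REPUTATION.get(p["hash"], {"positives": 0, "total": 0})
def query_recipients(p): return {"recipients": MAILBOX_RECIPIENTS.get(p["event_id"], [])}
def user_profile(p): return DIRECTORY.get(p["user"], {"title": "unknown", "privileged": False})
def hunt_file(p): return {"hosts": EDR_HASH_SIGHTINGS.get(p["hash"], [])}
def quarantine_host(p): return {"host": p["host"], "quarantined": True}
def block_hash(p): return {"hash": p["hash"], "blocked": True}


def build_orchestrator() -> Orchestrator:
    o = Orchestrator()
    o.register("detonate file", "sandbox", sandbox_detonate)
    o.register("file reputation", "threat intel", file_reputation)
    o.register("query recipients", "mail server", query_recipients)
    o.register("get user profile", "directory", user_profile)
    o.register("hunt file", "edr", hunt_file)
    o.register("quarantine device", "edr", quarantine_host)
    o.register("block hash", "endpoint av", block_hash)
    return o


def malware_email_playbook(orch: Orchestrator, alert: dict,
                           analyst_approves: Callable[[dict], bool]) -> dict:
    """Enrich -> assess -> decide -> remediate. `analyst_approves` is the
    human-in-the-loop hook (a prompt in a real SOAR; a plain callback here)."""
    h = alert["attachment_sha256"]
    verdict = orch.act("detonate file", hash=h)[0].data
    rep = orch.act("file reputation", hash=h)[0].data
    recipients = orch.act("query recipients", event_id=alert["id"])[0].data["recipients"]
    profiles = {u: orch.act("get user profile", user=u)[0].data for u in recipients}
    hosts = orch.act("hunt file", hash=h)[0].data["hosts"]

    # File assessment: two independent sources, either one is enough to call it malicious.
    rep_ratio = rep["positives"] / rep["total"] if rep["total"] else 0.0
    malicious = verdict["verdict"] == "malicious" or rep_ratio >= 0.5

    summary = {
        "event": alert["id"], "malicious": malicious, "hosts": hosts,
        "privileged_users": [u for u, pr in profiles.items() if pr["privileged"]],
        "human_decision": None, "remediated": False,
    }
    if not malicious:
        return summary                     # closed as benign, nothing touched

    # Decision gate: act without a human only when the blast radius is small and
    # no privileged account is involved; otherwise pause for analyst approval.
    needs_human = bool(summary["privileged_users"]) or len(hosts) > 5
    if needs_human:
        summary["human_decision"] = analyst_approves(summary)
        if not summary["human_decision"]:
            return summary

    for host in hosts:                     # "Remediate" sub-playbook
        orch.act("quarantine device", host=host)
    orch.act("block hash", hash=h)
    summary["remediated"] = True
    return summary
```

The point of the `Orchestrator.audit` list is that every automated or human-approved action is reconstructible afterwards; the decision gate is where the policy from the deck's "Response" bullet lives (which cases machines close on their own and which ones wait for a person), and it is the part you would tune per environment rather than the connectors.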
"The Phantom security platform has been a
valuable addition at Suncoast. It’s helped
improve collaboration across the team,
integrate our security tools to automate
repetitive tasks, and better manage cases
according to our defined policies.”
John Raymond
Vice President, Information Security
“Uber’s security response team began
looking for a better way to triage and
respond to security alerts in real time.
We surveyed the market and decided
to work with Phantom.”
Hudson Thrift
Security Operations Lead
“Phantom helped us automate a process
that used up to 10 different security
products and took an analyst 90 minutes
or more to complete manually.”
David Neuman
Vice President & Chief Information
Security Officer
“Automation with Phantom enables us
to process malware email alerts in
about 40 seconds vs. 30 minutes or
more.”
Adam Fletcher
CISO
“Phantom’s open, extensible apps
have made it easy to integrate nearly
every technology in our stack, and
we’re automating a range of use cases
with playbooks from initial response to
threat hunting.”
Matthew Brunckhorst
Lead Security Consultant
“Phantom enables us to automate
routine tasks in the SOC. Simple
processes that could take 45 minutes,
or even longer, now run in seconds.”
Jessica Ferguson
Director of Information Security
Architecture
Demo
Thank You!

Splunk Phantom SOAR Roundtable
