This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

1. Copyright © 2016 Splunk Inc.
Enterprise Security &
UBA Overview
SplunkLive 2016
Jon Harris, Sr SE
Security Splunk Guy

2. 2
> Jon Harris jonharris@splunk.com
• 6 months at Splunk
• Senior SE (focus on security)
• 15+ years in IT and security
• Worked for leading IT Security vendors
• Software development background
whoami

3. 3
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

4. 4
Agenda
Splunk Security Update
Enterprise Security 4.2
User Behavior Analytics 2.3

5. 5
Data Breaches in Australia

6. 6
2016 Cost of Data Breach Study
The cost of a data breach continues to rise: $158 per record
The largest component of the total cost of a data breach is lost business
“Time to Identify” and “Time to Contain” a data breach is critical
Average total cost of data breach in Australia is $2.64 million
Key factor to reduce the cost of a data breach is enabling incident response
Source: June 2016

7. 7
Advanced Threats Are Hard to Find
Cyber Criminals
Nation States
Insider Threats
Source: Mandiant M-Trends Report 2012/2013/2014
100%
Valid credentials were used
40
Average # of systems accessed
229
Median # of days before detection
67%
Of victims were notified by
external entity

8. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyse all of that data
Human Machine
Machine Machine

9. 9
App
Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center
Identity

10. 10
Splunk Solutions
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases and Consumption Models
IT Svc Int
Splunk Premium Solutions Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

11. 11
Splunk for Security
DETECTION OF
CYBERATTACKS
INVESTIGATION
OF THREATS AND
INCIDENTS
OPTIMISED
INCIDENT
RESPONSE AND
BREACH ANALYSIS
DETECTION OF
INSIDER THREATS
SECURITY &
COMPLIANCE
REPORTING
SPLUNK UBA SPLUNK ES

12. Threat Intelligence Identity and CloudEndpointNetwork
Splunk Security Ecosystem

13. What is Splunk ES?

14. 14
Platform for Machine Data
Splunk Enterprise Security
Advancing analytics-driven security
Security and
Compliance Reporting
Monitor and
Detect
Investigate Threats
and Incidents
Analyze and
Optimize Response

15. What’s New
Splunk Enterprise Security v4

16. 16
Attack and Investigation Timelines
Adding content to timeline:
Action History
Actions :
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event
Suppressed
Investigator Memo
Memo :
- Investigator’s memos
inserted in desired timeline
Incident Review
Incident :
- Notable events from
Incident Review
Analyst /
Investigator

17. 17
Prioritise and Speed Investigations
Centralised incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

18. 18
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators -domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

19. ES Demo

20. What is Splunk UBA?

21. 21
WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

22. 22
ENTERPRISE SECURITY OPS CHALLENGES
THREATS
RESOURCES
EFFICIENCY
External, Insiders, Hidden
And/Or Unknown
Availability of
Security Expertise
Lack of Alert Prioritisation
& Excessive False Positives

23. 23
Splunk User Behavioural Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
BehaviourBaselining
& Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Threat & Anomaly
Detection
Security Analytics

24. 24
Splunk UBA: TECHNOLOGY
ANOMALY DETECTION THREAT
DETECTION
UNSUPERVISED
MACHINE LEARNING
BEHAVIOUR
MODELING
REAL TIME & BIG DATA
ARCHITECTURE

25. 25
MULTI-ENTITY BEHAVIOURAL MODEL
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC

26. 26
MULTI-ENTITY BEHAVIOURAL MODEL
APPLICATION
USER
HOST
NETWORK
DATA

27. 27
EVOLUTION
COMPLEXITY
RULES -THRESHOLD
POLICY -THRESHOLD
POLICY -STATISTICS
UNSUPERVISED
MACHINE LEARNING
POLICY -PEER
GROUP STATISTICS
SUPERVISED
MACHINE LEARNING
LARGEST LIBRARY
OF UNSUPERVISED ML ALGORITHMS

28. 28
DESIGNED FOR A
HUNTER
ANALYSTANOMALY DETECTION
APPLYING ML AGAINST
BEHAVIOUR BASELINES

29. 29
DESIGNED FOR A
SOC ANALYST
THREAT DETECTION
ML-DRIVEN AUTOMATED
OR RULES BASED
ANOMALY CORRELATION

30. 30
Web Gateway
Proxy Server
Firewall
Box, Salesforce,
Dropbox, other SaaS
apps
Mobile Devices
Anti-Malware
Threat Intelligence
DATA SOURCES for UBA
Active Directory/
Windows
Single Sign-on
HR - Identity
VPN
DNS, DHCP
Identity/Auth SaaS/MobileSecurity
Controls
External Threat
Feeds
Activity
(N-S, E-W)
K E Y OPTIONAL
DLP
AWS CloudTrail
Endpoint
IDS, IPS, AV

31. 31
Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

32. What’s New in UBA 2.x

33. 33
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

34. 34
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behaviour
UBA 2.2

35. 35
Behavioural Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA Reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
35
Detect and Investigate faster using ML integrated with SIEM

36. 36
USER CENTRIC
Top-N users by number of transactions
Top-N users by login/logout activity
Login/Logout activity over time
Average daily/weekly/monthly/yearly login/logout count
Number of failed logins (global)
Top-N users for failed logins
Failed logins over time
Average daily/weekly/monthly/yearly failed login counts
Top-N users by data transfer
Average daily/weekly/monthly/yearly data transfer for users
Top-N users by session count
Top-N users by session length
Average session duration of users
DEVICE CENTRIC
APPLICATION / SESSION CENTRICPROTOCOL CENTRIC
Top-N servers by activity (number of transactions )
Top-N servers by login/logout activity
Top-N servers for failed logins
Failed logins over time
Top-N destination devices by data transfer
Top-N servers by data transfer
Average daily/weekly/monthly/yearly data
transfer for servers
Top-N source devices by session count
Total sessions count
Total sessions count over time
Total sessions count by device-type (AD, VPN, SSH)
Average sessions count daily, weekly, monthly, yearly)
Average global session duration
Average sessions duration over time (daily, weekly,
monthly , yearly)
HTTP Traffic by application-type (Protocol)
Top-N domains by traffic
Top-N domains by activity (number of events)
Top-N client machines by traffic
HTTP traffic over time (day, week, month, year)
Average daily, weekly, monthly, yearly http traffic

37. UBA Demo

38. 38
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

39. Thank You!

40. Appendix

41. 41
DesktopsEmail Web
Threat
Intelligence
StorageHypervisor
Badges
Mobile
Servers DHCP/ DNS Physical
Access
CMDB
Transaction
Records
Network
Flows
Custom
Apps
Traditional
Intrusion
Detection
Data Loss
Prevention
Anti-
Malware
Firewall Vulnerability
Scans
Authentication
All Data is Security Relevant
Services
Web
Clickstreams
Cloud
Printers

42. 42
Protect GrowServe
Mission of Government
Defend against and
reduce impact of
external and insider
threats
Meet mission goals
through operational
excellence
Ensure agility and scale
while embracing
innovation

43. 43
Challenges:
• Proactive hunting of cyber adversaries
• Resource (analysts) constraints
• Cumbersome malware detection process
• Myopic visibility into the network
Value Delivered:
• Went from reactive to proactive
• Made Tier 1 analysts immediately effective
• Holistic visibility across network
• Bonus: IT Operations troubleshooting
• Validate security deployment decisions
White House Military Office – From Hunted to Hunter
“Splunk has helped us take Tier 1 security
analysts and make them immediately effective
to defend our network.”