This document provides an overview of a hands-on demo of Splunk Enterprise Security (ES) using a free sandbox environment. It discusses creating a sandbox, exploring common ES features like the risk analysis dashboard, threat intelligence, and incident response workflow. The demo shows how to investigate a malware detected event, view asset details, and add context with lookups. It encourages exploring more advanced threat capabilities and additional reports in ES to gain experience with the platform.
What is Splunk? At the end of this session you’ll have a high-level understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll see practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
SplunkLive! Tampa: Using Value to Fuel Adoption by Splunk
This document discusses how to drive adoption of Splunk by positioning and documenting business value. It recommends quantifying value using metrics to show how Splunk saves time and money. For example, one customer saved 27,000 hours per year and reduced downtime by 50% while stopping over $10 million in fraud. The document provides best practices for measuring success, aligning with business objectives, and creating an incremental adoption plan across IT operations, security, and other teams by positioning specific value opportunities for each. Challenges to documenting value like lack of benchmarks, tools, and time are also addressed.
This document discusses how organizations can use machine data and real-time analytics to gain insights that allow them to operate with greater commercial intensity and move at market speed. It advocates establishing a hybrid cloud infrastructure with continuous delivery and insights capabilities to provide transparency into key metrics and enable fast feedback loops. With the right culture of continuous improvement, the document argues this approach can give organizations the resources of an enterprise with the agility of a startup.
Splunk IT Service Intelligence for Nationwide by Splunk
Splunk IT Service Intelligence is a next-generation monitoring and analytics solution that provides new levels of visibility into the health and key performance indicators of IT services.
This document provides an agenda for an Enterprise Security hands-on guided tour using Splunk software. The tour will demonstrate the Splunk App for Enterprise Security and cover topics including data ingestion, the common information model, risk analysis, threat intelligence, incident response exercises, and correlation searches. It encourages participants to bring a laptop and notes several break periods for providing feedback via text message or online survey for a chance to win gift cards.
Splunk Enterprise for Information Security Hands-On by Splunk
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns. We’ll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems!
IT Service Intelligence Hands On Breakout Session by Splunk
This document provides an overview of IT Service Intelligence (ITSI) using a hands-on demo. It introduces key concepts like services, KPIs, and health scores. It then guides the user through a demo where they configure a new KPI for database network utilization and modify an executive dashboard. Finally, it demonstrates how to use ITSI for troubleshooting by analyzing past events that caused online store outages.
Come and learn from our experts on ways to improve your IT Operational Visibility by using Splunk for monitoring environment health. In this hands-on session we will cover recommended approaches for end-to-end monitoring across applications, OSes, and devices. Topics will include: critical services to monitor, use of the Splunk Common Information Model (CIM) for cross-dataset normalization, commonly deployed apps and TAs to gather data for IT infrastructure uses, and use of pre-made dashboard panels to quickly build dashboards for monitoring your environment.
Machine Learning and Analytics Breakout Session by Splunk
This document provides an overview of operationalizing machine learning with Splunk. It discusses how machine learning can be used to analyze historical and real-time data to make predictions. Common use cases for machine learning in IT operations, security, and business analytics are described. The document outlines the machine learning process of exploring data, fitting models, applying and validating models, and operationalizing predictions. It promotes Splunk's machine learning toolkit and app for building machine learning workflows and models within Splunk.
Splunk can help customers document business value by providing deliverables like business cases, value realization studies, and adoption roadmaps. It has helped over 700 customers worldwide since 2013. Key value drivers reported by customers include IT operations, application delivery, security, and compliance. Common challenges to documenting value include lack of tools, benchmarks, and time. The document outlines best practices for positioning value at Splunk, including quantifying business value, qualifying pain points, aligning with objectives, and measuring success. It provides examples of value drivers achieved in areas like infrastructure optimization, revenue growth, and risk reduction.
SplunkLive! Customer Presentation – Dunkin’ Brands, Inc. by Splunk
Matt Kraft presents on how Dunkin' Donuts gained real-time visibility into their systems and data using Splunk. Key points:
1) Dunkin' needed a solution to gain visibility into application performance, marketing campaigns, customer support issues, and loyalty programs across their web, mobile, and 11,000+ locations.
2) Splunk provided more control over their data and helped identify issues impacting customers within minutes rather than hours or days.
3) In just 5 months, Splunk helped reduce application downtime, speed up troubleshooting, and improve customer satisfaction and business decisions.
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
This document introduces Splunk Enterprise & Splunk Cloud Release 6.4. It highlights new features including unlimited custom visualizations, enhanced predictive analytics, expanded cloud services monitoring, improved platform security and management, and reduced storage costs for historical data of up to 80% with Splunk Enterprise. The release aims to help users get more value from big data while lowering storage costs.
Building a Security Information and Event Management platform at Travis Per... by Splunk
Faced with a complex, heterogeneous IT infrastructure and a ‘Cloud First’ instruction from the board, Nick Bleech, Head of Information Security at building supplies giant Travis Perkins, used Splunk Enterprise Security running on Splunk Cloud to deliver enhanced security for 27,000 employees.
Splunk allowed Travis Perkins to provide real-time security monitoring, faster incident resolution and improved data governance while delivering demonstrable business value to the board.
In this webinar, Nick Bleech discusses:
● The business and security drivers of deploying a cloud-based security incident and event management solution
● The overall benefits of the Splunk solution
● The project’s critical success factors
● How stakeholders and the overall project were managed
● The positive impact of the deployment on the IT operations and IT security teams
● The next steps in the development of a lightweight security operations centre
Splunk Webinar: IT Operations Demo for Troubleshooting & Dashboarding by Georg Knon
This document provides an overview of Splunk's IT operations software. It discusses the challenges facing IT operations, including siloed tools and reactive problem solving. It presents Splunk as a solution, with its ability to index and analyze machine data from any source in real-time. Key benefits highlighted include faster troubleshooting to reduce downtime, proactive monitoring to address issues before they become problems, and increased operational visibility across the IT environment. The document concludes with a demonstration of Splunk's IT service intelligence capabilities.
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler by Splunk
Using Simple XML and Splunk Enterprise, learn how to create easy interactive dashboards to explore data. This demo showcases great tools to put in the hands of Splunk users, help desk users and IT Operations staff.
Michael Ronnfeldt of NXP discusses implementing an Analytics and Automation Platform using Splunk to address NXP's challenges. Some key points:
- NXP is a large semiconductor company with many products and divisions facing growing IT needs
- The current situation involves manual, slow monitoring and resolution of issues
- The Analytics and Automation Platform (SNA2P) uses Splunk for automated monitoring, incident detection and remediation, discovery, and centralized reporting to provide faster, better service
- Benefits include incidents being resolved before users notice and automation enforcing security and compliance through change control
- Future roadmap includes expanding the CMDB, deployment automation, test automation, and continuous integration
Splunk IT Service Intelligence is a solution that provides end-to-end service visibility, reduces time to problem resolution, and allows for proactive management of IT health. It introduces a data-centric approach to service monitoring and analytics built on the Splunk platform. Key benefits include unified data insights across IT silos, easy access to actionable troubleshooting information through dynamic service models and customizable visualizations, and early warning on deviations through correlated KPI monitoring.
Attend to learn from our experts about ways to improve your IT Operational Intelligence by using Splunk for troubleshooting, monitoring and service-level visibility. In this hands-on session we will cover recommended approaches for end-to-end troubleshooting and monitoring across applications, OSes, and devices to resolve problems faster, reduce downtime and improve user satisfaction and customer retention. Topics will include: monitoring critical services, using commonly deployed apps and TAs to gather data for IT infrastructure uses, and using pre-made dashboard panels to quickly build dashboards for monitoring your environment.
Building Service Intelligence with Splunk IT Service Intelligence (ITSI) by Splunk
Providing transformational impact and insight into key business services while maintaining operational oversight is often difficult in organizations. To effectively communicate business value and alignment, organizations must find new methods to bridge the gap between business and operations. This half-day hands-on workshop demonstrates how customers can quickly gain insight into high-value services while aligning business and IT Operations using Splunk’s IT Service Intelligence solution. By leveraging the machine data you are already collecting, the exercise provides a transformational method to model high-value services and rapidly build custom visualizations and dashboards. From executive leaders to administrators, these personalized service-centric views provide powerful analytics and machine learning to transform service intelligence across your organization.
Come experience how you can transform service intelligence in your organization.
The document provides an overview of Splunk for IT operations (ITOps). It discusses how Splunk can help organizations address escalating IT complexity and issues plaguing IT operations. It introduces Splunk IT Service Intelligence, which provides data-driven service insights for root-cause isolation and improved service operations. Key concepts explained include what a service is, key performance indicators (KPIs), and service health scores. The document also highlights capabilities like service analyzer, glass tables, deep dives, multi-KPI alerts and notable events. Customer stories are presented on how enterprises use Splunk for increased uptime, reduced mean time to resolution, optimized capacity and more.
The document provides an overview of Splunk IT Service Intelligence (ITSI). Some key points:
- ITSI makes Splunk "service-aware" and provides insights into IT services to help accelerate customers' path to operational intelligence.
- ITSI provides search-based KPIs, full-fidelity service health monitoring, and leverages Splunk's universal data platform to provide a data-driven approach.
- Core concepts in ITSI include services, KPIs, health scores, service analyzers for monitoring services, glass tables dashboards, and deep dives for investigation.
- Notable events are also generated by correlation searches to indicate service degradation.
This document provides an overview of a presentation on Splunk for security. It includes a disclaimer noting that any forward-looking statements are based on current expectations and could differ from actual results. It also notes that information on roadmaps is subject to change without notice. The presentation will provide a hands-on activity using a free 15-day Enterprise Security sandbox trial of Splunk products hosted on AWS.
Splunk: How to Design, Build and Map IT Services by Splunk
This document discusses how to design, build, and map IT and business services in Splunk to gain "service intelligence." It describes a methodology for bringing subject matter experts together to design services top-down before configuration. Specifically, it discusses deconstructing a company's supply chain, online store, and ERP systems into a service map to gain insights on key performance indicators and improve issue resolution, efficiency, and customer satisfaction.
How to Design, Build and Map IT and Business Services in Splunk by Splunk
Your IT department supports critical business functions, processes and products. You're most effective when your technology initiatives are closely aligned and measured with specific business objectives. This session covers best practices and techniques for designing and building an effective service model, using the domain knowledge of your experts and capturing and reporting on key metrics that everyone can understand. We will design a sample service model and map it to performance indicators to track operational and business objectives. We will also show you how to make Splunk service-aware with Splunk IT Service Intelligence (ITSI).
Best Practices For Sharing Data Across The Enterprise by Splunk
The document discusses best practices for sharing data across an enterprise using Splunk. It provides an overview of Splunk's Business Value Consulting services and common value drivers they have identified for IT operations, security and compliance, and application development. These include reducing incident resolution times, improving security event detection and response times, and accelerating development cycles. It also lists many common data sources that are important for realizing these benefits, such as various log files, network devices, databases, and applications.
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
Hands-On Security Breakout Session - ES Guided Tour by Splunk
This document provides an overview and guided tour of the Splunk Enterprise Security (ES) application. It begins with an introduction to ES and highlights some of its key capabilities like the Common Information Model (CIM) and pre-built reports. It then walks through a mock incident response exercise using the ES app to investigate a potential malware infection. This includes reviewing security indicators, pivoting through event data, assigning ownership/status, and updating the incident timeline. Finally, it demonstrates how to create a custom correlation search to further analyze related security events. The document provides a high-level yet comprehensive tour of the major functional areas and workflows within the ES app.
Machine Learning and Analytics Breakout SessionSplunk
This document provides an overview of operationalizing machine learning with Splunk. It discusses how machine learning can be used to analyze historical and real-time data to make predictions. Common use cases for machine learning in IT operations, security, and business analytics are described. The document outlines the machine learning process of exploring data, fitting models, applying and validating models, and operationalizing predictions. It promotes Splunk's machine learning toolkit and app for building machine learning workflows and models within Splunk.
Splunk can help customers document business value by providing deliverables like business cases, value realization studies, and adoption roadmaps. It has helped over 700 customers worldwide since 2013. Key value drivers reported by customers include IT operations, application delivery, security, and compliance. Common challenges to documenting value include lack of tools, benchmarks, and time. The document outlines best practices for positioning value at Splunk, including quantifying business value, qualifying pain points, aligning with objectives, and measuring success. It provides examples of value drivers achieved in areas like infrastructure optimization, revenue growth, and risk reduction.
SplunkLive! Customer Presentation – Dunkin’ Brands, Inc. Splunk
Matt Kraft presents on how Dunkin' Donuts gained real-time visibility into their systems and data using Splunk. Key points:
1) Dunkin' needed a solution to gain visibility into application performance, marketing campaigns, customer support issues, and loyalty programs across their web, mobile, and 11,000+ locations.
2) Splunk provided more control over their data and helped identify issues impacting customers within minutes rather than hours or days.
3) In just 5 months, Splunk helped reduce application downtime, speed up troubleshooting, and improve customer satisfaction and business decisions.
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
This document introduces Splunk Enterprise & Splunk Cloud Release 6.4. It highlights new features including unlimited custom visualizations, enhanced predictive analytics, expanded cloud services monitoring, improved platform security and management, and reduced storage costs for historical data of up to 80% with Splunk Enterprise. The release aims to help users get more value from big data while lowering storage costs.
Building a Security Information and Event Management platform at Travis Per...Splunk
Faced with a complex, heterogeneous IT infrastructure and a ‘Cloud First’ instruction from the board, Nick Bleech, Head of Information Security at building supplies giant Travis Perkins, used Splunk Enterprise Security running on Splunk Cloud to deliver enhanced security for 27,000 employees.
Splunk allowed Travis Perkins to provide real-time security monitoring, faster incident resolution and improved data governance while delivering demonstrable business value to the board.
In this webinar, Nick Bleech discusses:
● The business and security drivers of deploying a cloud-based security incident and event management solution
● The overall benefits of the Splunk solution
● The project’s critical success factors
● How stakeholders and the overall project were managed
● The positive impact on the deployment on the IT operations and IT security teams
● The next steps in the development of a lightweight security operations centre
Splunk Webinar: IT Operations Demo für Troubleshooting & DashboardingGeorg Knon
This document provides an overview of Splunk's IT operations software. It discusses the challenges facing IT operations, including siloed tools and reactive problem solving. It presents Splunk as a solution, with its ability to index and analyze machine data from any source in real-time. Key benefits highlighted include faster troubleshooting to reduce downtime, proactive monitoring to address issues before they become problems, and increased operational visibility across the IT environment. The document concludes with a demonstration of Splunk's IT service intelligence capabilities.
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction ProfilerSplunk
Using Simple XML and Splunk Enterprise, learn how to create easy interactive dashboards to explore data. This demo showcases great tools to put ion the hands of Splunk users, help desk users and IT Operations staff.
Michael Ronnfeldt of NXP discusses implementing an Analytics and Automation Platform using Splunk to address NXP's challenges. Some key points:
- NXP is a large semiconductor company with many products and divisions facing growing IT needs
- The current situation involves manual, slow monitoring and resolution of issues
- The Analytics and Automation Platform (SNA2P) uses Splunk for automated monitoring, incident detection and remediation, discovery, and centralized reporting to provide faster, better service
- Benefits include incidents being resolved before users notice and automation enforcing security and compliance through change control
- Future roadmap includes expanding the CMDB, deployment automation, test automation, and continuous integration
Splunk IT Service Intelligence is a solution that provides end-to-end service visibility, reduces time to problem resolution, and allows for proactive management of IT health. It introduces a data-centric approach to service monitoring and analytics built on the Splunk platform. Key benefits include unified data insights across IT silos, easy access to actionable troubleshooting information through dynamic service models and customizable visualizations, and early warning on deviations through correlated KPI monitoring.
Attend to learn from our experts about ways to improve you IT Operational Intelligence by using Splunk for troubleshooting, monitoring and service-level visibility. In this hands-on session we will cover recommended approaches for end-to-end troubleshooting and monitoring across applications, OSes, and devices to resolve problems faster, reduce downtime and improve user satisfaction and customer retention. Topics will include: monitoring critical services, using commonly deployed apps and TAs to gather data for IT infrastructure uses, and using of pre-made dashboard panels to quickly build dashboards for monitoring your environment.
Building Service Intelligence with Splunk IT Service Intelligence (ITSI) Splunk
Providing transformational impact and insight into key business services while maintaining operational oversight is often difficult in organizations. To effectively communicate business value and alignment organizations must find new methods to bridge the gap between business and operations. This half-day hands on workshop demonstrates how customers can quickly gain insight into high-value services while aligning business and IT Operations using Splunk’s IT Service Intelligence solution. By leveraging the machine data you are already collecting the exercise provides a transformational method to model high-value services and rapidly build custom visualizations and dashboards. From executive leaders to administrators these personalized service-centric views provide powerful analytics and machine learning to transform service intelligence across your organization.
Come experience how you can transform service intelligence in your organization.
The document provides an overview of Splunk for IT operations (ITOps). It discusses how Splunk can help organizations address escalating IT complexity and issues plaguing IT operations. It introduces Splunk IT Service Intelligence, which provides data-driven service insights for root-cause isolation and improved service operations. Key concepts explained include what a service is, key performance indicators (KPIs), and service health scores. The document also highlights capabilities like service analyzer, glass tables, deep dives, multi-KPI alerts and notable events. Customer stories are presented on how enterprises use Splunk for increased uptime, reduced mean time to resolution, optimized capacity and more.
The document provides an overview of Splunk IT Service Intelligence (ITSI). Some key points:
- ITSI makes Splunk "service-aware" and provides insights into IT services to help accelerate customers' path to operational intelligence.
- ITSI provides search-based KPIs, full-fidelity service health monitoring, and leverages Splunk's universal data platform to provide a data-driven approach.
- Core concepts in ITSI include services, KPIs, health scores, service analyzers for monitoring services, glass tables dashboards, and deep dives for investigation.
- Notable events are also generated by correlation searches to indicate service degradation.
This document provides an overview of a presentation on Splunk for security. It includes a disclaimer noting that any forward-looking statements are based on current expectations and could differ from actual results. It also notes that information on roadmaps is subject to change without notice. The presentation will provide a hands-on activity using a free 15-day Enterprise Security sandbox trial of Splunk products hosted on AWS.
Splunk: How to Design, Build and Map IT Services (Splunk)
This document discusses how to design, build, and map IT and business services in Splunk to gain "service intelligence." It describes a methodology for bringing subject matter experts together to design services top-down before configuration. Specifically, it discusses deconstructing a company's supply chain, online store, and ERP systems into a service map to gain insights on key performance indicators and improve issue resolution, efficiency, and customer satisfaction.
How to Design, Build and Map IT and Business Services in Splunk (Splunk)
Your IT department supports critical business functions, processes and products. You're most effective when your technology initiatives are closely aligned and measured with specific business objectives. This session covers best practices and techniques for designing and building an effective service model, using the domain knowledge of your experts and capturing and reporting on key metrics that everyone can understand. We will design a sample service model and map it to performance indicators to track operational and business objectives. We will also show you how to make Splunk service-aware with Splunk IT Service Intelligence (ITSI).
Attend to learn from our experts about ways to improve your IT Operational Intelligence by using Splunk for troubleshooting, monitoring and service-level visibility. In this hands-on session we will cover recommended approaches for end-to-end troubleshooting and monitoring across applications, OSes, and devices to resolve problems faster, reduce downtime and improve user satisfaction and customer retention. Topics will include: monitoring critical services, using commonly deployed apps and TAs to gather data for IT infrastructure uses, and using pre-made dashboard panels to quickly build dashboards for monitoring your environment.
Best Practices For Sharing Data Across The Enterprise (Splunk)
The document discusses best practices for sharing data across an enterprise using Splunk. It provides an overview of Splunk's Business Value Consulting services and common value drivers they have identified for IT operations, security and compliance, and application development. These include reducing incident resolution times, improving security event detection and response times, and accelerating development cycles. It also lists many common data sources that are important for realizing these benefits, such as various log files, network devices, databases, and applications.
How to Design, Build and Map IT and Business Services in Splunk (Splunk)
Your IT department supports critical business functions, processes and products. You're most effective when your technology initiatives are closely aligned and measured with specific business objectives. This session covers best practices and techniques for designing and building an effective service model, using the domain knowledge of your experts and capturing and reporting on key metrics that everyone can understand.
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
Hands-On Security Breakout Session - ES Guided Tour (Splunk)
This document provides an overview and guided tour of the Splunk Enterprise Security (ES) application. It begins with an introduction to ES and highlights some of its key capabilities like the Common Information Model (CIM) and pre-built reports. It then walks through a mock incident response exercise using the ES app to investigate a potential malware infection. This includes reviewing security indicators, pivoting through event data, assigning ownership/status, and updating the incident timeline. Finally, it demonstrates how to create a custom correlation search to further analyze related security events. The document provides a high-level yet comprehensive tour of the major functional areas and workflows within the ES app.
Hands-On Security Breakout Session - ES Guided Tour (Splunk)
This document provides an agenda and overview for an Enterprise Security guided tour session using the Splunk platform. It introduces the Splunk App for Enterprise Security and demonstrates its key capabilities for security monitoring, incident response, and threat hunting. These include a common information model, predefined dashboards and reports, and the ability to create correlation searches to detect security events of interest. The guided tour showcases how the app integrates security-relevant data from various sources and allows users to investigate, triage, and collaborate on security incidents.
Learn from our Security Expert on how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Splunk for Enterprise Security featuring UBA Breakout Session (Splunk)
Splunk User Behavior Analytics (UBA) 2.2 provides enhanced security analytics and detection capabilities. It uses machine learning to establish baseline behaviors and detect anomalies. UBA analyzes activities across users, hosts, networks, applications and data to identify potential threats. The latest version features expanded visibility metrics, custom threat modeling capabilities, and improved context enrichment through integrations with additional security technologies.
Introduction into Security Analytics Methods (Splunk)
This document provides an overview of security analytics methods available in the Splunk Security Essentials app. It begins with an introduction and agenda for the presentation. It then discusses key concepts in security analytics like different implementation approaches, and common challenges. The document provides an overview of the Splunk Security Essentials app, highlighting the many pre-built searches and analytics methods available out of the box. It demos several example searches in the app, including searches for suspicious file concentrations, authentication against new systems, and detecting spikes or anomalies in time series data. Finally, it discusses how these searches and analytics could be applied to analyze a hypothetical scenario involving a malicious insider.
Introduction into Security Analytics Methods (Splunk)
This document provides an overview and demo of Splunk Security Essentials. It begins with an introduction to the app and its capabilities for detecting threats both external and internal. It then demonstrates how to install and navigate the app to evaluate security use cases and review analytics methods. A scenario of a malicious insider exfiltrating data is presented and it shows how the app's searches could be used to detect anomalous activity related to Salesforce and Box downloads. The summary concludes by emphasizing how the app teaches detection use cases that can then be customized and integrated with Splunk's security products.
Splunk for Enterprise Security Featuring UBA (Splunk)
This document provides an overview and summary of Splunk's security products, including Enterprise Security and User Behavior Analytics. It discusses the key capabilities and features of these products, such as detecting advanced cyberattacks, identifying insider threats through machine learning, and integrating UBA with SIEM for improved threat detection. New features in recent versions are highlighted, like custom threat modeling and enhanced visibility into user, device, application, and protocol activity. Customer testimonials praise Splunk UBA's data-science approach to finding hidden threats.
Learn in this session how to optimize your security with well-founded searches that you can use immediately to identify security problems or to set up monitoring that helps prevent attacks. You will also learn how to make use of the predictive capabilities.
The document is a disclaimer and introduction for a presentation on security correlation in Splunk. It states that any forward-looking statements made during the presentation reflect current expectations and estimates and may differ from actual results. It also notes that information on product roadmaps is subject to change and not binding. The presentation will cover four types of security correlation rules: across many data sources and events, privileged user monitoring, reducing alert fatigue, and threat intelligence hits.
Splunk for Enterprise Security featuring UBA Breakout Session (Splunk)
This document provides an overview of a presentation given by Dave Herrald, a security architect at Splunk, on Splunk's Enterprise Security and User Behavior Analytics solutions. The presentation covered new features in Splunk Enterprise Security 4.1, including enhanced threat intelligence integration, risk-based searching and incident review, and integration with Splunk User Behavior Analytics. It also reviewed capabilities in Splunk User Behavior Analytics 2.2 like custom threat modeling, expanded attack coverage, and context enrichment.
SplunkLive! Munich 2018: Intro to Security Analytics Methods (Splunk)
The document provides an introduction and agenda for a presentation on security analytics methods. The agenda includes an intro to analytics methods from 11:40-12:40 followed by a lunch break from 12:40-13:40. The presentation may include forward-looking statements and disclaimers are provided. Information presented is subject to change and any information about product roadmaps is for informational purposes only.
This document discusses replacing a legacy security information and event management (SIEM) system with Splunk Enterprise. It outlines 10 common problems with legacy SIEMs, such as an inability to ingest and analyze all relevant log and machine data. Customer case studies show how Splunk can help organizations replace aging SIEMs in a few months to gain scalability, faster security investigations, and the ability to ensure compliance. The presentation covers Splunk's security monitoring and analytics capabilities and migration options from legacy SIEMs to Splunk. Attendees are invited to sign up for a SIEM replacement workshop to discuss their specific needs.
This summary provides an overview of a presentation about Splunk:
1. The presentation introduces Splunk, an enterprise software platform that allows users to search, monitor, and analyze machine-generated big data for security, IT and business operations.
2. Key components of Splunk include universal forwarders for data collection, indexers for data storage and search heads for data visualization. Splunk supports data ingestion from various sources like servers, databases, applications and sensors.
3. A demo section shows how to install Splunk, ingest sample data, perform searches, set up alerts and reports. It also covers dynamic field extraction, the search command language and Splunk applications.
The document discusses using the Splunk Universal Forwarder to monitor endpoints for security purposes. It outlines how the Universal Forwarder can collect a variety of log and system data from endpoints to gain visibility into potential attacks or malware. Specific examples are provided of how the Universal Forwarder was used by large companies to monitor millions of endpoints and detect security issues and fraud.
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods (Splunk)
The document discusses an introductory presentation on security analytics methods. It includes an agenda that covers an introduction to analytics methods, an example scenario, and next steps. It also discusses common security challenges, different analytics methods and types of use cases, and how analytics can be applied to different stages of an attack.
Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Hands-On Security Breakout Session - Disrupting the Kill Chain (Splunk)
This document summarizes a security investigation using Splunk software to disrupt the cyber kill chain. The investigation began by detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation revealed DNS queries, proxy activity, and suspicious processes on an endpoint. Pivoting to the endpoint data identified a Zeus malware process communicating outbound. Working backwards through process lineage identified an exploited vulnerable application and a weaponized PDF file delivered via email phishing. A search of web logs found the file was obtained from a website via a brute force attack. The root cause was determined to be a targeted spear phishing email containing an exploit.
Hands-On Security Breakout Session - Disrupting the Kill Chain (Splunk)
The document discusses a security investigation demo using Splunk software to disrupt the cyber kill chain. It begins with detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation using endpoint data from Microsoft Sysmon reveals network connections and process information. This traces the suspicious activity back through parent processes to identify a vulnerable PDF reader application exploited by opening a weaponized file delivered via email phishing. Additional context from web logs shows the file was obtained through a brute force attack on the company's website. The investigation is then able to connect events across various data sources to fully map out the adversary's actions.
Similar to SplunkLive! Tampa: Splunk for Security - Hands-On Session (20)
.conf Go 2023 - Raiffeisen Bank International (Splunk)
This document discusses standardizing security operations procedures (SOPs) to increase efficiency and automation. It recommends storing SOPs in a code repository for versioning and referencing them in workbooks which are lists of standard tasks to follow for investigations. The goal is to have investigation playbooks in the security orchestration, automation and response (SOAR) tool perform the predefined investigation steps from the workbooks to automate incident response. This helps analysts automate faster without wasting time by having standard, vendor-agnostic procedures.
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu... (Splunk)
.conf Go 2023 presentation: "Das passende Rezept für die digitale (Security) Revolution zur Telematik Infrastruktur 2.0 im Gesundheitswesen?" ("The right recipe for the digital (security) revolution toward Telematics Infrastructure 2.0 in healthcare?")
Speaker: Stefan Stein, Team Lead CERT, gematik GmbH; M.Eng. IT Security & Forensics, doctoral student at TH Brandenburg & Universität Dresden
The document describes Cellnex's transition from a Security Operations Center (SOC) to a Computer Security Incident Response Team (CSIRT). The transition was driven by Cellnex's growth and the need to automate processes and tasks to improve efficiency. Cellnex implemented Splunk SIEM and SOAR to automate the creation, remediation and closure of incidents. Esto permitió al personal concentrarse en tareas estratégicas y mejorar KPIs como tiempos de resolución y correos electrónicos anal
conf go 2023 - El camino hacia la ciberseguridad (ABANCA) (Splunk)
This document summarizes ABANCA's journey toward cybersecurity with Splunk, from the addition of dedicated roles in 2016 to becoming a monitoring and response center with more than 1TB of daily ingest and 350 use cases aligned with MITRE ATT&CK. It also describes mistakes made and solutions implemented, such as normalization of data sources and operator training, and the current pillars such as automation, visibility and alignment with MITRE ATT&CK. Por último, señala retos
Splunk - BMW connects business and IT with data driven operations SRE and O11y (Splunk)
BMW is defining the next level of mobility - digital interactions and technology are the backbone to continued success with its customers. Discover how an IT team is tackling the journey of business transformation at scale whilst maintaining (and showing the importance of) business and IT service availability. Learn how BMW introduced frameworks to connect business and IT, using real-time data to mitigate customer impact, as Michael and Mark share their experience in building operations for a resilient future.
The document is a presentation on cyber security trends and Splunk security products from Matthias Maier, Product Marketing Director for Security at Splunk. The presentation covers trends in security operations like the evolution of SOCs, new security roles, and data-centric security approaches. It also provides updates on Splunk's security portfolio including recognition as a leader in SIEM by Gartner and growth in the SIEM market. Maier highlights some breakout sessions from the conference on topics like asset defense, machine learning, and building detections.
Data foundations building success, at city scale – Imperial College London (Splunk)
Universities have more in common with modern cities than traditional places of learning. This mini city needs to empower its citizens to thrive and achieve their ambitions. Operationalising data is key to building critical services; from understanding complex IT estates for smarter decision-making to robust security and a more reliable, resilient student experience. Juan will share his experience in building data foundations for a resilient future whilst enabling digital transformation at Imperial College London.
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen... (Splunk)
Learn how Vodafone has provided end-to-end visibility across services by building an Operational Analytics Platform. In this session, you will hear how Stefan and his team manage legacy, on premise, hybrid and public cloud services, and how they are providing a platform for complex triage and debugging to tackle use cases across Vodafone’s extensive ecosystem.
.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own.
Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo.
So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including:
- Top challenges faced in improving security posture
- Key KPIs implemented in order to measure success
- Strategies and approaches applied in the SOC
- How MITRE ATT&CK and Splunk Enterprise Security were utilised
- Next steps in their maturity journey ahead
This document summarizes a presentation about observability using Splunk. It includes an agenda introducing observability and why Splunk for observability. It discusses the need for modernization initiatives in companies and the thousands of changes required. It presents that Splunk provides end-to-end visibility across metrics, traces and logs to detect, troubleshoot and optimize systems. It shares a customer case study of Accenture using Splunk observability in their hybrid cloud environment. Finally, it concludes that observability with Splunk can drive results like reduced downtime and faster innovation.
This document contains slides from a Splunk presentation covering the following topics:
- Updated Splunk logo and information about meetings in Zurich and sales engineering leads
- Ideas for confused or concerned human figures in design concepts
- Three buckets of challenges around websites slowing, apps being down, and supply chain issues
- Accelerating mean time to detect, identify, respond and resolve through cyber resilience with Splunk
- Unifying security, IT and DevOps teams
- Splunk's technology vision focusing on customer experience, hybrid/edge, unleashing data lakes, and ubiquitous machine learning
- Gaining operational resilience through correlating infrastructure, security, application and user data with business outcomes
This document summarizes a presentation about Splunk's platform. It discusses Splunk's mission of helping customers create value faster with insights from their data. It provides statistics on Splunk's daily ingest and users. It highlights examples of how Splunk has helped customers in areas like internet messaging and convergent services. It also discusses upcoming challenges and new capabilities in Splunk like federated search, flexible indexing, ingest actions, improved data onboarding and management, and increased platform resilience and security.
The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.
2. Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
4. What’s a sandbox?

• A 100% free, fully featured 15-day trial of Splunk products: Cloud, Light, or ES
• Hosted in AWS
• Authenticates off of your Splunk account
• Has sample data for you to play with
• Supports onboarding of your own data

Today’s session: a hands-on activity with your very own Enterprise Security sandbox!
28. Machine data contains a definitive record of all interactions. Splunk is a very effective platform to collect, store, and analyze all of that data.

[Figure: human-to-machine and machine-to-machine interactions]
29. Platform for Machine Data

[Figure: data sources feeding the platform: Mainframe Data, VMware, Exchange, PCI, Security, Relational Databases, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Wire Data, Mobile Intel (MINT); Splunk Premium Apps and a Rich Ecosystem of Apps built on top]

Splunk Solutions > Easy to Adopt: across data sources, use cases & consumption models
30. Rapid Ascent in the Gartner SIEM Magic Quadrant*

• 2015: Leader and the only vendor to improve its visionary position
• 2014: Leader
• 2013: Leader
• 2012: Challenger
• 2011: Niche Player

*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
32. ES Fast Facts

● Current version: 3.3 in the sandbox; 4.0 was released at the end of October! (4.0 is not in the sandbox…yet)
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
38. Data Ingest + Common Information Model

You’ve got a bunch of systems… How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection

CIM = Data Normalization
41. Data Normalization is Mandatory for your SOC

“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT

Your fields don’t match? Good luck creating investigative queries.
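What slides 38 and 41 describe in one line (“CIM = Data Normalization”, “Your fields don’t match? Good luck creating investigative queries”) looks like this in practice. The Python below is an added example, not code from the deck or from Splunk: three constructed anti-malware events for the same file arrive in three layouts (JSON, key=value, and a CEF-style line) with three different vocabularies, each is mapped onto one field set whose names follow the CIM Malware data model (action, dest, file_hash, file_name, signature, user, vendor_product), and a single query is then run across all of them. Product names, hostnames, the hash and the user names are made up for the example.

```python
"""Normalize anti-malware events from differently formatted sources into one
field set, then query across all of them.  Added example, not from the deck.

Target field names follow the Splunk CIM Malware data model (action, dest,
file_hash, file_name, signature, user, vendor_product).  Every sample event,
hostname, hash and product name below is constructed for the example.
"""
import json
import re

CIM_FIELDS = frozenset(
    {"action", "dest", "file_hash", "file_name", "signature", "user", "vendor_product"}
)

# Constructed raw events: (sourcetype, raw text).  Same file, three products,
# three layouts, three vocabularies for "what happened".
RAW_EVENTS = [
    ("vendor_a_av",
     '{"hostname": "ws-042", "threat": "Trojan.Zeus", "verdict": "quarantined", '
     '"path": "C:\\\\Users\\\\bob\\\\inv.pdf", "sha256": "aa11", "account": "naughtyuser"}'),
    ("vendor_b_av",
     "computer=srv-db-01 malware_name=Trojan.Zeus status=blocked "
     "file=/var/tmp/inv.pdf hash=aa11 user=svc_backup"),
    ("sandbox",
     "CEF:0|SandboxCo|NetSandbox|1.0|100|Malicious file|8|"
     "dhost=mail-gw-1 fname=inv.pdf fileHash=aa11 act=allowed suser=ceo"),
]

_KV = re.compile(r"(\w+)=(\S+)")


def _norm_vendor_a(raw):
    d = json.loads(raw)
    # Vendor A's verdict vocabulary collapses onto the CIM action values.
    action = {"quarantined": "blocked", "cleaned": "blocked", "detected": "allowed"}
    return {
        "action": action.get(d["verdict"], d["verdict"]),
        "dest": d["hostname"],
        "file_hash": d["sha256"].lower(),
        "file_name": d["path"].replace("\\", "/").rsplit("/", 1)[-1],
        "signature": d["threat"],
        "user": d["account"],
        "vendor_product": "VendorA AV",
    }


def _norm_vendor_b(raw):
    kv = dict(_KV.findall(raw))
    return {
        "action": kv["status"],
        "dest": kv["computer"],
        "file_hash": kv["hash"].lower(),
        "file_name": kv["file"].rsplit("/", 1)[-1],
        "signature": kv["malware_name"],
        "user": kv["user"],
        "vendor_product": "VendorB AV",
    }


def _norm_cef(raw):
    # CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
    hdr = raw.split("|", 7)
    ext = dict(_KV.findall(hdr[7]))
    return {
        "action": ext["act"],
        "dest": ext["dhost"],
        "file_hash": ext["fileHash"].lower(),
        "file_name": ext["fname"],
        "signature": hdr[5],
        "user": ext["suser"],
        "vendor_product": f"{hdr[1]} {hdr[2]}",
    }


NORMALIZERS = {"vendor_a_av": _norm_vendor_a, "vendor_b_av": _norm_vendor_b, "sandbox": _norm_cef}


def normalize(events):
    """Map each raw event through the normalizer for its sourcetype."""
    return [NORMALIZERS[st](raw) for st, raw in events]


def missing_fields(event):
    """Fields a normalized event lacks; an empty list means it is CIM-complete."""
    return sorted(CIM_FIELDS - set(event))


def hosts_with_signature(normalized, signature):
    """One investigative query, regardless of which product reported the hit."""
    return sorted({e["dest"] for e in normalized if e["signature"] == signature})


def actions_for_hash(normalized, file_hash):
    """What each product did with a given file hash."""
    return {e["vendor_product"]: e["action"]
            for e in normalized if e["file_hash"] == file_hash.lower()}


if __name__ == "__main__":
    norm = normalize(RAW_EVENTS)
    print(hosts_with_signature(norm, "Trojan.Zeus"))   # ['srv-db-01', 'ws-042']
    print(actions_for_hash(norm, "aa11"))               # shows the gateway allowed it
```

The payoff is the last query: once all three products speak the same field names, one search answers “where was this hash seen and who let it through”, which in the constructed data turns out to be the mail gateway sandbox. Without the mapping that question needs three searches and a manual join.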
52. Attack Map

The Challenge:
• Industry says Threat Intel is key to APT Protection
• Management wants all threat intel checked against every system, constantly
• Don’t forget to keep your 15+ threat feeds updated

The Solution: [figure on slide]
53. Verizon 2015 DBIR

“…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…”

Threat list aggregation = more complete intelligence
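The DBIR figure quoted on slide 53 is a statement about overlap: if most indicators live in only one feed, a SOC matching against a single feed misses most of what the others know. The Python below is an added example, not code from the deck or from Splunk’s threat intelligence framework: it merges three constructed feeds (documentation IP ranges and .example domains) into one indicator table, records which feeds contributed each indicator, computes the “unique to one feed” share the quote refers to, and matches constructed network events against the merged table.

```python
"""Aggregate several threat lists into one indicator table, record which feeds
contributed each indicator, and match events against the merged table.
Added example, not from the deck.  Feeds, indicators and events are
constructed (documentation IP ranges and .example domains)."""
from collections import defaultdict

# Constructed feeds: feed name -> list of (indicator type, value, note).
FEEDS = {
    "feed_alpha": [("ip", "203.0.113.10", "c2"),
                   ("domain", "bad.example", "phishing"),
                   ("ip", "198.51.100.7", "scanner")],
    "feed_beta":  [("ip", "203.0.113.10", "botnet c2"),
                   ("domain", "WORSE.example.", "malware download")],
    "feed_gamma": [("ip", "192.0.2.44", "tor exit"),
                   ("domain", "bad.example", "phishing kit")],
}

# Constructed events; src/dest are IPs, query is a DNS name.
EVENTS = [
    {"src": "10.0.0.5", "dest": "203.0.113.10"},
    {"src": "10.0.0.9", "query": "worse.example"},
    {"src": "10.0.0.9", "dest": "198.51.100.200"},
]


def canonical(ioc_type, value):
    """Normalize an indicator so the same value from two feeds merges
    (case, whitespace, trailing dot on domains)."""
    v = value.strip().lower()
    if ioc_type == "domain":
        v = v.rstrip(".")
    return (ioc_type, v)


def aggregate(feeds):
    """Merge feeds into {(type, value): {"feeds": set, "notes": set}}."""
    merged = defaultdict(lambda: {"feeds": set(), "notes": set()})
    for name, entries in feeds.items():
        for ioc_type, value, note in entries:
            key = canonical(ioc_type, value)
            merged[key]["feeds"].add(name)
            merged[key]["notes"].add(note)
    return dict(merged)


def single_feed_fraction(merged):
    """Share of indicators known to exactly one feed: the overlap measure the
    DBIR quote refers to.  A high value means each feed adds unique coverage."""
    if not merged:
        return 0.0
    single = sum(1 for v in merged.values() if len(v["feeds"]) == 1)
    return single / len(merged)


# Which event fields are compared against which indicator type.
FIELD_TYPES = (("src", "ip"), ("dest", "ip"), ("query", "domain"))


def match_events(merged, events):
    """Return (event index, field, indicator, contributing feeds) per hit."""
    hits = []
    for i, ev in enumerate(events):
        for field, ioc_type in FIELD_TYPES:
            if field not in ev:
                continue
            key = canonical(ioc_type, ev[field])
            if key in merged:
                hits.append((i, field, key[1], sorted(merged[key]["feeds"])))
    return hits


if __name__ == "__main__":
    table = aggregate(FEEDS)
    print(f"{len(table)} unique indicators, "
          f"{single_feed_fraction(table):.0%} seen in only one feed")
    for hit in match_events(table, EVENTS):
        print(hit)
```

Keeping the contributing feed names on every merged indicator is deliberate: it tells the analyst at triage time whether a hit is corroborated by several sources or rests on one feed, and it shows which feeds are earning their keep when the single-feed fraction is reviewed.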
71. STIX/TAXII feed

Browse through the tabs…

Investigate on your own time: Advanced Threat capabilities worth your while…and all areas under Security Domains
73. Auditors / Management / Compliance Says…

● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than 300 standard reports too
106. We want to add “naughtyuser” to this list because it is showing up in our data.

107. Select the last row, right-click, and choose “Insert row below.” Add whatever you want, but make sure the first column says “naughtyuser”. When done, click Save.

Extra credit: Check your work in Identity Center.
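Slides 106 and 107 edit the identity lookup by hand; the same workflow can be scripted and checked. The Python below is an added example, not code from the deck or from Splunk: it finds accounts that appear in constructed authentication events but are missing from a constructed identity lookup, appends a row for one of them with the identity in the first column (the check the slide insists on), and confirms that the enrichment now resolves. The lookup layout here (identity plus a few descriptive columns) is an assumption for the example; the ES identity lookup has more columns than shown.

```python
"""Identity lookup maintenance: find users present in event data but missing
from the identity lookup, append them, and confirm enrichment works.
Added example, not from the deck.  The lookup layout (first column
'identity' plus a few descriptive columns) and the events are constructed;
the ES identity lookup has more columns than shown here."""
import csv
import io

# Constructed identity lookup, as it might be exported from the lookup editor.
IDENTITY_CSV = """identity,first,last,email,category
alice,Alice,Adams,alice@corp.example,normal
svc_backup,,,,service
"""

# Constructed authentication events (only the fields this example needs).
EVENTS = [
    {"user": "alice", "action": "success"},
    {"user": "naughtyuser", "action": "failure"},
    {"user": "naughtyuser", "action": "success"},
    {"user": "svc_backup", "action": "success"},
]


def load_identities(csv_text):
    """Parse the lookup into {identity: row}; the identity column is the key."""
    return {r["identity"]: r for r in csv.DictReader(io.StringIO(csv_text))}


def unknown_users(events, identities):
    """Accounts seen in data but absent from the lookup, sorted and unique."""
    return sorted({e["user"] for e in events} - set(identities))


def add_identity(csv_text, identity, **fields):
    """Append one row.  The first column must carry the identity or the lookup
    will never match; duplicate identities and unknown columns are rejected."""
    header = next(csv.reader(io.StringIO(csv_text)))
    if header[0] != "identity":
        raise ValueError("first column must be 'identity'")
    if identity in load_identities(csv_text):
        raise ValueError(f"{identity} already present")
    bad = set(fields) - set(header)
    if bad:
        raise ValueError(f"unknown columns: {sorted(bad)}")
    row = {col: fields.get(col, "") for col in header}
    row["identity"] = identity
    out = io.StringIO()
    csv.DictWriter(out, fieldnames=header, lineterminator="\n").writerow(row)
    if not csv_text.endswith("\n"):
        csv_text += "\n"
    return csv_text + out.getvalue()


def enrich(events, identities):
    """Attach the lookup's category to each event, 'unknown' if unmatched."""
    return [dict(e, identity_category=identities.get(e["user"], {}).get("category", "unknown"))
            for e in events]


if __name__ == "__main__":
    ids = load_identities(IDENTITY_CSV)
    print(unknown_users(EVENTS, ids))                          # ['naughtyuser']
    updated = add_identity(IDENTITY_CSV, "naughtyuser", category="watchlist")
    print(unknown_users(EVENTS, load_identities(updated)))     # []
```

The `unknown_users` step is the scripted version of “it is showing up in our data”: running it on a schedule surfaces every account the lookup does not know, which is usually either onboarding debt or something worth a closer look.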
108. 108
Attack & Investigation Timeline – New to 4.0
Methods for the analyst / investigator to add contents into the timeline:
• Action History – actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo – investigator’s memos inserted at the desired point in the timeline
• Incident Review – notable events from Incident Review
109. 109
Next Steps…
Play in your ES Sandbox for 15 days
Explore some of the areas we didn’t get to cover today
Ask questions of your account team
An ES 4.0 sandbox should be available soon; help yourself to another sandbox to see the new features
A two hour version of this talk is available at conf.splunk.com
Editor's Notes
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – log search and analytics for small IT environments
Hunk – for analytics on data in Hadoop
The products can pull in data from virtually any source to support multiple use cases.
Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
We see Splunk as your security nerve center. There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time.
Current version is 3.3. 3.0 was the first release built on Splunk 6, and that was a huge step forward – mainly because of the use of CIM and accelerated data models.
Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless.
Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable.
Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem.
ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
Start the day like any analyst
Coffee time, or jump into incidents?
End the day like any board member
Are my security KPIs (KSIs) being met?
Data can come into the Splunk App for Enterprise Security the same way data comes into Splunk. Common ways are via syslog, Splunk forwarders and scripted inputs. Less common ways are via API calls and database queries. For your sandbox, you can upload data in flat-file format via the “add data” link. Note that because you can’t install additional apps in a sandbox, you may have trouble onboarding data sources for which ES doesn’t have a built-in TA (technology add-on), or that require command-line access.
Underneath ES, there’s this concept called the Common Information Model….This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
…that’s evil. Normalization=bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with splunk…
…we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently (Crafting the InfoSec Playbook, O’Reilly, 2015) by three people who work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, for example matching IDS alerts against vulnerability scan results for the same host.
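The following is an added illustration of the search-time normalization idea from the “Data Ingest + Common Information Model” slide and these notes; it is not Splunk or ES code. In Splunk this is done with props.conf/transforms.conf field extractions, aliases and evals per sourcetype; here the same logic is modelled in Python so the effect can be seen end to end. The three AV log formats, the sourcetype names (netav, winav, linav) and the verdict-to-action mapping are all constructed for the example; the target field names follow the CIM Malware data model (dest, user, signature, file_path, action).

```python
import json
import re
from collections import Counter
from typing import Callable, Dict, List

# Constructed sample events: one line per (fictional) AV product, each in
# its own native format.  The first element is the Splunk sourcetype.
RAW_EVENTS = [
    ("netav", "2015-11-02T10:01:05Z host=ws-017 user=jdoe threat=Trojan.Gen "
              "path=C:\\Temp\\a.exe result=quarantined"),
    ("netav", "2015-11-02T10:02:11Z host=ws-022 user=asmith threat=PUA.Toolbar "
              "path=C:\\Temp\\b.exe result=allowed"),
    # Same product after a vendor upgrade renamed result= to verdict=.
    ("netav", "2015-11-02T10:05:30Z host=ws-031 user=bli threat=Trojan.Gen "
              "path=C:\\Temp\\c.exe verdict=cleaned"),
    ("winav", "Nov  2 10:03:40 ws-017 WinAV: Detected 'Trojan.Gen' in "
              "C:\\Users\\jdoe\\x.exe (user: jdoe) - action: deleted"),
    ("linav", '{"ts":"2015-11-02T10:04:00Z","node":"pci-db-01","sig":"Trojan.Gen",'
              '"file":"/tmp/.x","disposition":"blocked","acct":"root"}'),
]

# Vendor verdict -> CIM Malware "action" value; the vendor words are assumed.
CIM_ACTION = {"quarantined": "blocked", "deleted": "blocked", "cleaned": "blocked",
              "blocked": "blocked", "allowed": "allowed"}


def cim_action(vendor_verdict: str) -> str:
    return CIM_ACTION.get(vendor_verdict.lower(), "unknown")


def extract_netav(raw: str) -> Dict[str, str]:
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    # Accept both the old result= and the new verdict= key.  Because this
    # runs at search time it also repairs data indexed before the change.
    verdict = kv.get("result") or kv.get("verdict", "")
    return {"_time": raw.split()[0], "dest": kv["host"], "user": kv["user"],
            "signature": kv["threat"], "file_path": kv["path"],
            "action": cim_action(verdict)}


WINAV_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]+) (\S+) WinAV: Detected '([^']+)' in (.+?) "
    r"\(user: (\S+)\) - action: (\w+)$")


def extract_winav(raw: str) -> Dict[str, str]:
    ts, host, sig, path, user, verdict = WINAV_RE.match(raw).groups()
    return {"_time": ts, "dest": host, "user": user, "signature": sig,
            "file_path": path, "action": cim_action(verdict)}


def extract_linav(raw: str) -> Dict[str, str]:
    d = json.loads(raw)
    return {"_time": d["ts"], "dest": d["node"], "user": d["acct"],
            "signature": d["sig"], "file_path": d["file"],
            "action": cim_action(d["disposition"])}


EXTRACTORS: Dict[str, Callable[[str], Dict[str, str]]] = {
    "netav": extract_netav, "winav": extract_winav, "linav": extract_linav}

# Fields every normalized event must carry: time, action, subsystem,
# requester and provider identifiers, outcome (the CSIRT list above).
REQUIRED = ("_time", "sourcetype", "dest", "user", "signature", "action")


def normalize(raw_events, extractors=EXTRACTORS) -> List[Dict[str, str]]:
    """Search-time normalization: raw events stay untouched, common fields
    are derived per sourcetype when the search runs."""
    out = []
    for sourcetype, raw in raw_events:
        fields = extractors[sourcetype](raw)
        fields["sourcetype"] = sourcetype
        out.append(fields)
    return out


def missing_fields(events) -> List[str]:
    """Events that fail the required-field check, as sourcetype:field."""
    return [f"{e['sourcetype']}:{f}" for e in events for f in REQUIRED if not e.get(f)]


def count_by(events, field: str) -> Counter:
    """Cross-vendor equivalent of `| stats count by <field>`."""
    return Counter(e[field] for e in events)


def unblocked_hosts(events) -> List[str]:
    """Hosts where any AV product reported a detection it did not block."""
    return sorted({e["dest"] for e in events if e["action"] != "blocked"})


if __name__ == "__main__":
    ev = normalize(RAW_EVENTS)
    print(count_by(ev, "signature"), unblocked_hosts(ev), missing_fields(ev))
```

The point of the example is the last three functions: once every sourcetype yields the same field names, one query answers “which signature is most common” or “where did AV fail to block” across all vendors, and a format change is fixed in one extractor rather than by re-indexing.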
How do we know what to work on?
Hopefully we have a good idea of what we are protecting and what our threats are. We also should have a good idea about where our sensitive data lies, and who our sensitive users are. As correlation rules fire against users and systems, we will see that they both accrue “risk scores”, which then allow our SOC analysts to focus on what matters.
The main reason why this risk framework is important is that it gets you away from writing specific rules for specific threats or assets. You don’t need 1,000 correlation rules anymore – you simply can elevate risk scores on whatever object you want, based on the behavior you’re seeing in the environment. So the idea here is, a correlation rule fires, and then a risk modifier takes effect and changes the risk score based on cumulative scoring of whatever else has happened to that user, or system, or other object.
On the dashboard, we can define filters to find a particular system or user or timeframe.
Note the natural language descriptions (in the screenshot they are medium and low). We track how your overall risk scoring is doing over time, and constantly re-calculate the baseline. Got a lot of activity going on that isn’t “normal” for that timeframe and you might see things going from “increasing minimally” to “extremely increasing” – all based on what the historical norm is.
We can of course see which objects have the highest risk and which correlation rules are contributing the most to the highest risk.
Ad-hoc risk – if you have a system or user that you’ve been warned about and you want to make sure it is getting the proper attention, you could simply apply a bunch of risk to it and suddenly it will come up to the top of the risk dashboards.
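Added example of the risk framework described in the notes above (correlation rule fires, risk modifier is applied to a user or system, scores accumulate, ad-hoc risk is added by hand). This is illustrative Python, not ES code: the three correlation rules, their scores, the risk object types and the events are all constructed, and the “naughtyuser” ad-hoc entry mirrors the identity exercise from the slides.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # predicate over a normalized event
    risk_object_field: str            # event field that names the risk object
    risk_object_type: str             # "user" or "system"
    risk_score: int                   # risk modifier applied on each fire


# Constructed correlation rules and scores (not the shipped ES rule set).
RULES = [
    Rule("Excessive Failed Logins",
         lambda e: e.get("action") == "failure" and e.get("count", 0) >= 10,
         "user", "user", 20),
    Rule("Threat List Activity",
         lambda e: e.get("threat_match") is True,
         "src", "system", 40),
    Rule("Malware Not Blocked",
         lambda e: "signature" in e and e.get("action") != "blocked",
         "dest", "system", 60),
]

# Constructed, already-normalized events.
EVENTS = [
    {"user": "jdoe", "action": "failure", "count": 12},
    {"user": "asmith", "action": "failure", "count": 3},
    {"src": "ws-022", "dest": "203.0.113.5", "threat_match": True},
    {"dest": "ws-022", "signature": "PUA.Toolbar", "action": "allowed"},
    {"dest": "ws-017", "signature": "Trojan.Gen", "action": "blocked"},
]


@dataclass
class RiskLedger:
    """Append-only list of risk modifiers.  Scores are sums over the ledger,
    so no single rule firing decides priority on its own."""
    modifiers: List[Tuple[str, str, str, int]] = field(default_factory=list)

    def add(self, obj_type: str, obj: str, source: str, score: int) -> None:
        self.modifiers.append((obj_type, obj, source, score))

    def apply_rules(self, events, rules=RULES) -> None:
        for e in events:
            for r in rules:
                if r.matches(e) and r.risk_object_field in e:
                    self.add(r.risk_object_type, e[r.risk_object_field],
                             r.name, r.risk_score)

    def scores(self) -> Dict[Tuple[str, str], int]:
        totals = defaultdict(int)
        for obj_type, obj, _, score in self.modifiers:
            totals[(obj_type, obj)] += score
        return dict(totals)

    def top(self, n: int = 5):
        """Highest-risk objects first; the risk dashboard's main table."""
        return sorted(self.scores().items(), key=lambda kv: (-kv[1], kv[0]))[:n]

    def contributions(self, obj_type: str, obj: str) -> Counter:
        """Which rules (or ad-hoc entries) drive one object's score."""
        c = Counter()
        for t, o, source, score in self.modifiers:
            if (t, o) == (obj_type, obj):
                c[source] += score
        return c


def build_ledger(events=EVENTS) -> RiskLedger:
    ledger = RiskLedger()
    ledger.apply_rules(events)
    # Ad-hoc risk: a user we were warned about, pushed up without any rule.
    ledger.add("user", "naughtyuser", "Ad-hoc risk: HR notification", 80)
    return ledger


if __name__ == "__main__":
    ledger = build_ledger()
    print(ledger.top(), ledger.contributions("system", "ws-022"))
```

Two things to notice: ws-022 tops the list because two unrelated rules both touched it, which no single rule would have surfaced, and the ad-hoc entry is just one more modifier in the same ledger, so it shows up in the same dashboard with its own source label.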
Everyone’s favorite buzzword these days. We’re proud to say that we’ve got a robust set of threat intelligence features built into ES. Management will want to know that you’re leveraging threat intelligence, and we have some things built in that make this easy. And of course, we compare incoming data, in real time, to these threat feeds and we keep them updated.
Verizon DBIR said a few interesting things about threat intelligence this year. One is that we aren’t doing enough sharing of threat intelligence in the security community. Another is that infections tend to spread from organization to organization fairly quickly so the quicker we can share threat data the better. But specific to ES, DBIR found that there just isn’t much overlap in the open-source threat feeds when it comes to outbound destination information – so you really have to consume as many threat feeds as you can in order to get the most complete intelligence. One way of doing that is to leverage a commercial threat feed vendor – and we partner with a lot of those. But another way is to consume many community threat feeds and aggregate the IOCs found in them together, and then correlate against that. So ES will help us there…
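Added example for the “Attack Map” and “Verizon 2015 DBIR” slides and the note above: aggregating several threat feeds into one de-duplicated list that remembers every source, measuring how little the feeds overlap (the DBIR statistic), and matching outbound events against the merged list. This is illustrative Python, not the ES threat intelligence framework; the feed names, their indicators (documentation IP ranges and .example domains) and the events are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed feeds of outbound-destination indicators.
FEEDS: Dict[str, List[str]] = {
    "feed_a": ["198.51.100.10", "198.51.100.11", "203.0.113.5", "Evil.example"],
    "feed_b": ["203.0.113.5", "203.0.113.77", "bad.example"],
    "feed_c": ["192.0.2.0/24", "198.51.100.11", "worse.example"],
}

# Constructed outbound connection / DNS events.
EVENTS = [
    {"src": "10.0.0.5", "dest_ip": "203.0.113.5"},
    {"src": "10.0.0.6", "dest_ip": "192.0.2.44"},
    {"src": "10.0.0.7", "dest_ip": "198.51.100.200"},
    {"src": "10.0.0.8", "dest_host": "EVIL.example"},
]


def normalize_ioc(ioc: str) -> str:
    """Canonical form so the same indicator from two feeds collapses to one."""
    ioc = ioc.strip().lower()
    try:
        return str(ipaddress.ip_network(ioc, strict=False))  # "1.2.3.4" -> "1.2.3.4/32"
    except ValueError:
        return ioc                                           # hostname / domain


def aggregate(feeds: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """One merged list: indicator -> set of feeds that carry it."""
    merged = defaultdict(set)
    for name, iocs in feeds.items():
        for ioc in iocs:
            merged[normalize_ioc(ioc)].add(name)
    return dict(merged)


def unique_fraction(feeds) -> Dict[str, float]:
    """Share of each feed's indicators that no other feed has."""
    merged = aggregate(feeds)
    return {name: sum(1 for i in iocs if merged[normalize_ioc(i)] == {name}) / len(iocs)
            for name, iocs in feeds.items()}


def overall_unique_fraction(feeds) -> float:
    """Share of all distinct indicators seen in exactly one feed."""
    merged = aggregate(feeds)
    return sum(1 for sources in merged.values() if len(sources) == 1) / len(merged)


def match_events(events, merged: Dict[str, Set[str]]) -> List[dict]:
    """Compare outbound events to the merged list; each hit carries every
    feed that knew the indicator, which is what the analyst wants to see."""
    nets = {ipaddress.ip_network(i): s for i, s in merged.items() if "/" in i}
    names = {i: s for i, s in merged.items() if "/" not in i}
    hits = []
    for e in events:
        if e.get("dest_ip"):
            addr = ipaddress.ip_address(e["dest_ip"])
            for net, sources in nets.items():
                if addr in net:
                    hits.append({"event": e, "ioc": str(net), "sources": sorted(sources)})
        host = (e.get("dest_host") or "").lower()
        if host in names:
            hits.append({"event": e, "ioc": host, "sources": sorted(names[host])})
    return hits


if __name__ == "__main__":
    print(unique_fraction(FEEDS), overall_unique_fraction(FEEDS))
    for hit in match_events(EVENTS, aggregate(FEEDS)):
        print(hit["event"], "->", hit["ioc"], hit["sources"])
```

With these three small feeds 75% of the distinct indicators live in only one feed, so dropping any one feed loses detections; the merged list finds four events' worth of hits that no single feed would have found alone, and keeps the provenance so the analyst can judge the source.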
STIX: officially 1.1.1 at this point. 1.2 planned.
Today in ES the only “official” reports you will find are PCI, and that’s only with ES 4.0 and the appropriate PCI module loaded. While we expect more content to follow, we do have a ton of existing reports in ES that can be copied, renamed, tweaked, etc for you to use to meet compliance/auditing demands.
The analyst gets the complete picture! It’s now easy to add memos and additional findings to the investigation case.
The elements the investigator can insert are:
Memo, using Investigator Memo
Incident, from notable events in Incident Review
Actions from “Action History”, like searches run, dashboards viewed, panels filtered, and notable event state changes
Additionally, raw Splunk events from the search window.