© 2018 SPLUNK INC.
Near Real-Time Phishing Detection with Splunk
Karl Lovink – Technical Lead SOC Dutch Tax and Customs Administration
Arnold Hölzel – Security Analyst SOC Dutch Tax and Customs Administration
2018-11-20
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect
our current expectations and estimates based on factors currently known to us and that actual
events or results could differ materially. For important factors that may cause actual results to differ
from those contained in our forward-looking statements, please review our filings with the SEC. The
forward-looking statements made in this presentation are being made as of the time and date
of its live presentation. If reviewed after its live presentation, this presentation may not contain
current or accurate information. We do not assume any obligation to update any forward-looking
statements we may make. In addition, any information about our roadmap outlines our general
product direction and is subject to change at any time without notice. It is for informational
purposes only and shall not be incorporated into any contract or other commitment. Splunk
undertakes no obligation either to develop the features or functionality described or to include
any such feature or functionality in a future release.
Agenda
▶ Who are we
▶ Phishing examples
▶ Secure e-Mail standards
▶ Advanced Sender Policy Framework records
▶ SPF Dashboard and Demo
▶ Questions
Who Are We
▶ Karl Lovink
▶ Technical Lead SOC
▶ Linkedin
▶ Arnold Hölzel
▶ Security Analyst SOC
▶ Linkedin
Who Are We Working For
▶ Citizens and Businesses
▶ Customers within the Dutch Tax and Customs Organization
▶ Customers outside the Dutch Tax and Customs Organization
Some figures
▶ 2 DataCenters
▶ 35.000+ Notebooks
▶ 15.000+ Mobile Devices
▶ 250.000 Service Calls per year
▶ 150.000.000 Outgoing e-mails
▶ 7.3 PetaByte Storage
▶ 2 Mainframes
▶ 50.000.000 Incoming e-mails
Our Splunk Journey
Timeline 2012 to 2018; milestones in slide order:
▶ Start proof of Concept, Preso SplunkLive A’dam
▶ Tender Security Operations and Operational Intelligence
▶ Implementation Splunk
▶ Implementation Splunk Enterprise Security
▶ Splunk ITSI PoC
▶ Adding more devices, developing use cases
▶ Growing the Splunk Infra.
▶ PIA done on Splunk
Splunk configuration
▶ 1,5TB Data volume processed per day
▶ 2TB+ Data Volume during the Tax Campaign
▶ 15000+ Universal Forwarders
▶ 1100+ Users in Splunk
▶ 3700+ Scheduled Searches per hour
▶ 31 Indexers
▶ 1800+ Dashboards
▶ 15 Search heads Enterprise Security
▶ 26000+ Source systems
▶ 130 Terabytes of historical logs
▶ 100+ Different teams utilizing Splunk
Phishing examples
▶ Why is fighting phishing so important:
▶ Damage for citizens and businesses
▶ Losing trust in the relationship between the Taxpayer and the
Dutch Tax and Customs Administration
▶ Important to discover phishing campaigns as soon as possible
▶ Break the money circle, it’s all about money!
Phishing examples
From: Belastingdienst <belastingaangifte@belastingdienst.nl>
Date: 23-08-2015 11:05:10 CEST
To: xxxxxx@planet.nl
Subject: Tax return 2014
While checking our records, we found that payment arrears have arisen on your
2014 tax return. We tried to collect the outstanding amount, but unfortunately this did not
succeed on the account number known to us. The current outstanding amount is 83,04 euro.
You will also receive a written reminder, which was sent by post today. We now kindly request that you
urgently the outstanding amount of ...
To pay you can transfer the amount to bank account number NL62ABNA XXXXXXXXX in the name of
belastingdienst" quoting payment reference BTW038372293N If you have made this payment
you can consider the letter as not sent. If you have not paid this bill within eight days then
we will send no reminder and collection costs will be charged I hope to have informed you
sufficiently. We look forward to your payment and thank you for your cooperation.
Kind regards,
Robert Versteegen
Director Belastingdienst
N.B. This is an automatically sent e-mail, it is not possible to reply to this e-mail.
Phishing examples
Phishing examples
Tax refund
Dear xxxxxxx@xmsnet.nl ,
After the latest annual calculations of your fiscal activity, we have determined
that you are eligible for a tax refund. You must apply for the tax refund this will be processed within 14 working days.
In your situation it has been determined that you will receive tax for the year 2016. To apply for your tax refund you click on
the DigiD logo and go through the steps.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.
Please note!
Keep this letter/e-mail with your other papers.
That way you have important information about the Belastingdienst at hand.
Kind regards,
Jos Paal
Belastingdienst
Administration Department
• This e-mail cannot be replied to.
• This e-mail message is intended only for the addressees.
• If this message is not intended for you, you are requested to ignore this e-mail.
• to inform the sender of this by the message.
• to return it and not to use the contents.
• No rights can be derived from this message.
Phishing examples
What now!
What to do?
Starting points:
▶ Changes must not impact the business
▶ Using standard secure e-mail protocols
▶ Both the sender and the recipient must implement the secure e-mail protocols
Four secure e-mail protocols:
▶ STARTTLS
▶ SPF
▶ DKIM
▶ DMARC
STARTTLS
▶ STARTTLS is used to upgrade an insecure connection to a secure connection
▶ Adding encryption to the insecure connection
▶ Used between mailservers to communicate over insecure networks
[Diagram: Notebook A, Mail Server A, Mail Relay B, Mail Server B, Notebook B and Mail Server C, separated by firewalls and connected over the Internet. Legend: local SMTP e-mail traffic, unencrypted SMTP e-mail traffic, encrypted SMTP e-mail traffic.]
NOTE: STARTTLS is outside the scope of this presentation
Sender Policy Framework
SPF = Sender Policy Framework
Validates if an e-mail is sent from a valid IP address or domain.
Check is done against TXT records in the DNS.
More info: RFC 7208: Sender Policy Framework (SPF), Version 1
[Diagram: Organisation A (Notebook A, Mail Server A, DNS Server A) and Organisation B (Mail Server B, Notebook B)]
1. Compose mail and send mail to Mail Server A
2. Send mail to Mail Server B
3. Check if Mail Server A is allowed to send mail on behalf of A
4a. Mail Server A is allowed to send mail on behalf of A
4b. Mail Server A is not allowed to send mail on behalf of A
Sender Policy Framework
Example: belastingdienst.nl
SPF TXT record:
v=spf1 mx a:mailer1.belastingdienst.nl a:mailer2.belastingdienst.nl a:smtp11.belastingdienst.nl a:smtp12.belastingdienst.nl -all
MX record:
Preference Hostname IP Address
10 smtp1.belastingdienst.nl 85.159.97.15
10 smtp2.belastingdienst.nl 85.159.97.15
DomainKeys Identified Mail
[Diagram: Organisation A (Notebook A, Mail Server A, DNS Server A) and Organisation B (Mail Server B, Notebook B)]
1. Compose mail and send mail to Mail Server A
2. Sign mail with DKIM private key and send mail to Mail Server B
3. Lookup DKIM public key
4. Check if DKIM signature is valid
5a. Mail Server A is allowed to send mail on behalf of A
5b. Mail Server A is not allowed to send mail on behalf of A
▶ DKIM = DomainKeys Identified Mail
▶ Signs body and selected parts of the SMTP header.
▶ Signature is transmitted in a DKIM-signature header
▶ Public DKIM key is stored in the DNS as a TXT record. Multiple DKIM records are possible.
▶ More info: RFC 6376: DomainKeys Identified Mail (DKIM) Signatures
DomainKeys Identified Mail
Example: belastingdienst.nl:201707
A DKIM selector is needed. Can be found in the header of the e-mail.
DKIM TXT record:
▶ Where v is the DKIM version, currently only “1” is defined.
▶ The k tag is the crypto algorithm used.
▶ The p tag contains the Public-key data encoded in base64.
v=DKIM1; k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzXWCOzeB5qswey69WrHNeqdgnNUiFJk
T/EMjm78h1zMXkrd6t0VtTB4rAe39/BlwNFC0jKskE3u1nl6whfQX3fT/68xr2SdcOp6j/DTtS6rC1EWFXyawX
6NfxM/Pt8DV5CLDFGHMht63LetGyiQYv+TrBBiATPjfLPgrArx7jaAoPv0Az/ec86rl+Q9jXA0QO7zR6Ih0TIJ
YwnzVf/7Dsl4GpsmZsN1oEaXhauuDuynQsHm9iptzKC8IKHaGr9g8qPnh8PDAm0QJSWAq5j1h12j7qjML
wOMEwPKwCE9HnWzeUpzxaJDHL2K4dHYkXF6ErRjLhtTU2Mx6/F+7Ku4wQIDAQAB;
Domain-based Authentication, Reporting & Conformance
▶ DMARC = Domain-based Authentication, Reporting & Conformance.
▶ With this standard, an e-mail provider can indicate how other (receiving) mail servers should deal with the results of the SPF and/or DKIM checks of received e-mails.
▶ Example policy: "if the DKIM signature is incorrect or missing and the sending mail server does not appear in the list of authorized mail servers, then treat this email as SPAM".
▶ More info: RFC 7489: Domain-based Message Authentication, Reporting, and Conformance.
[Diagram: Organisation A (Notebook A, Mail Server A, DNS Server A) and Organisation B (Mail Server B, Notebook B)]
1. Compose mail and send mail to Mail Server A
2. Send mail to Mail Server B
3. Mail Server B queries for the SPF, DKIM and DMARC records
4. Checks on Mail Server B:
   1 - Check SPF record if Mail Server A is allowed to send mail on behalf of A
   2 - Check DKIM signature
   3 - Check DMARC policy
   4 - Send RUA and/or RUF report to published e-mail address
5a. Mail Server A is allowed to send mail on behalf of A
5b. Mail Server A is not allowed to send mail on behalf of A
Domain-based Authentication, Reporting & Conformance
Example: belastingdienst.nl
DMARC TXT record:
v=DMARC1; p=reject; rua=mailto:dmarc.rua@belastingdienst.nl; sp=reject;
▶ Where v is the DMARC version, currently only “1” is defined.
▶ The p tag contains the configured policy. Options are: none, quarantine, reject
▶ The rua tag contains the e-mail address where XML feedback can be sent
▶ The sp tag defines what the policy must be for subdomains which are not specifically configured.
Note: The ruf tag defines the e-mail address where forensic reports can be sent. Be aware of privacy issues:
RUF reports can contain parts of the original mail body.
DMARC RUA reports and Splunk
Do something with the reports
Don’t use another tool, use what you already have => SPLUNK
The RUA emails are imported in Splunk via Python scripts to use for dashboarding
You need
▶ DMARC record in your DNS
▶ Network access to the RUA mail box via POP3(s) or IMAP(s)
▶ UserID and password for the RUA mailbox
▶ Splunk….
▶ What you get….
Splunk DMARC Dashboarding
Splunk DMARC Dashboarding
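An added example (not the presenters' code, which the deck says is on GitHub): one way a Python script can turn a DMARC aggregate (RUA) report attachment into flat key=value events for Splunk dashboards. The sample report, the output field names and the size cap are constructed; the XML element names follow the aggregate report schema in RFC 7489, assumed here without an XML namespace.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

MAX_XML_BYTES = 5 * 1024 * 1024   # assumed cap on decompressed report size


def _xml_bytes(blob: bytes) -> bytes:
    """Unwrap a .xml, .xml.gz or .zip attachment, bounded in size."""
    if blob[:2] == b"\x1f\x8b":                       # gzip magic
        with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    elif blob[:4] == b"PK\x03\x04":                   # zip magic
        with zipfile.ZipFile(io.BytesIO(blob)) as zf, zf.open(zf.namelist()[0]) as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    else:
        data = blob
    if len(data) > MAX_XML_BYTES:
        raise ValueError("report larger than size cap")
    # Reports arrive from arbitrary senders: refuse DTDs and entity definitions.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in report")
    return data


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_rua_report(blob: bytes) -> list:
    """Return one flat dict per <record> of a DMARC aggregate report."""
    root = ET.fromstring(_xml_bytes(blob))
    meta = {
        "reporter": _text(root, "report_metadata/org_name"),
        "report_id": _text(root, "report_metadata/report_id"),
        "begin": int(_text(root, "report_metadata/date_range/begin", "0")),
        "end": int(_text(root, "report_metadata/date_range/end", "0")),
        "domain": _text(root, "policy_published/domain"),
        "published_policy": _text(root, "policy_published/p"),
    }
    events = []
    for rec in root.findall("record"):
        event = dict(meta)
        event["source_ip"] = _text(rec, "row/source_ip")
        event["count"] = int(_text(rec, "row/count", "0"))
        event["disposition"] = _text(rec, "row/policy_evaluated/disposition")
        event["dkim_aligned"] = _text(rec, "row/policy_evaluated/dkim")
        event["spf_aligned"] = _text(rec, "row/policy_evaluated/spf")
        event["header_from"] = _text(rec, "identifiers/header_from")
        # DMARC passes when at least one of aligned DKIM or aligned SPF passes.
        event["dmarc_pass"] = "pass" in (event["dkim_aligned"], event["spf_aligned"])
        events.append(event)
    return events


def to_splunk_kv(event: dict) -> str:
    """Render an event as key="value" pairs for Splunk field extraction."""
    parts = []
    for key, value in event.items():
        safe = str(value).replace('"', "'")
        parts.append(f'{key}="{safe}"')
    return " ".join(parts)


# Constructed sample report (documentation IP ranges, placeholder domain).
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1542672000</begin><end>1542758399</end></date_range>
  </report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p><sp>reject</sp></policy_published>
  <record>
    <row><source_ip>192.0.2.5</source_ip><count>240</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>
"""

if __name__ == "__main__":
    for ev in parse_rua_report(SAMPLE_REPORT):
        print(to_splunk_kv(ev))
```

Records with `dmarc_pass="False"` are the ones to chart per `source_ip`: they are either a legitimate sender missing from SPF/DKIM or someone spoofing the domain.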
Advanced Sender Policy Framework
SPF has some advanced features you can use.
▶ The redirect record
▶ belastingdienst.nl: v=spf1 redirect=_spf.belastingdienst.nl
▶ The exists record and Macros
▶ _spf.belastingdienst.nl: v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all
Combine the above and you have a track-and-trace system.
Splunk SPF Dashboarding
Now Splunk comes in
▶ We manage our own DNS servers; the query and response logs are sent to Splunk.
▶ Because of the macros in the SPF records we can see:
▶ The IP of the sending server
▶ The HELO (mostly hostname) of the sending server
▶ The domain that was used in the from field.
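An added example (not from the deck or the presenters' repository): how the exists macro record above turns each SPF check into a DNS query name, and how those names can be parsed back into sender IP, HELO and domain and compared with a list of authorised senders. The zone `_spf.example.org`, the authorised networks and the sample query names are constructed; pulling the query name out of the DNS server's log line is assumed to have happened already.

```python
import ipaddress
import re
from collections import Counter

ZONE = "_spf.example.org"   # constructed; the deck's zone is _spf.belastingdienst.nl
# Constructed stand-in for the lookup table of resolved SPF senders.
AUTHORISED = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:25::/48")]

# %{i} only ever contains hex digits and dots, so the first delimiter is
# unambiguous. The HELO name is chosen by the sender, so <h> is greedy and the
# last "._o." in the name is taken as the start of the domain.
_QNAME = re.compile(
    r"^_i\.(?P<i>[0-9a-f.]+)\._h\.(?P<h>.+)\._o\.(?P<o>.+)\."
    + re.escape(ZONE) + r"\.?$"
)


def expand_exists(ip: str, helo: str, sender_domain: str, zone: str = ZONE) -> str:
    """Build the name a receiver looks up for exists:_i.%{i}._h.%{h}._o.%{o}.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        i_macro = str(addr)
    else:
        # RFC 7208: for IPv6, %{i} is the address as 32 dot-separated nibbles.
        i_macro = ".".join(addr.exploded.replace(":", ""))
    return f"_i.{i_macro}._h.{helo}._o.{sender_domain}.{zone}".lower()


def parse_query(qname: str):
    """Recover sender IP, HELO and domain from a logged query name, or None."""
    match = _QNAME.match(qname.strip().lower())   # DNS names are case-insensitive
    if not match:
        return None
    labels = match["i"].split(".")
    try:
        if len(labels) == 4:
            addr = ipaddress.ip_address(match["i"])
        elif len(labels) == 32 and all(len(label) == 1 for label in labels):
            nibbles = "".join(labels)
            addr = ipaddress.ip_address(
                ":".join(nibbles[n:n + 4] for n in range(0, 32, 4)))
        else:
            return None
    except ValueError:
        return None        # anyone can query the zone, so expect junk names
    return {
        "src_ip": str(addr),
        "helo": match["h"],
        "sender_domain": match["o"],
        "authorised": any(addr in net for net in AUTHORISED),
    }


def unauthorised_senders(qnames):
    """Count (src_ip, helo, sender_domain) tuples that are not authorised."""
    hits = Counter()
    for qname in qnames:
        event = parse_query(qname)
        if event and not event["authorised"]:
            hits[(event["src_ip"], event["helo"], event["sender_domain"])] += 1
    return hits.most_common()


# Constructed query names, as they would appear in the DNS query log.
SAMPLE_QNAMES = [
    expand_exists("192.0.2.5", "mailer1.example.org", "example.org"),
    expand_exists("2001:db8:25::10", "smtp11.example.org", "example.org"),
    "_i.203.0.113.44._h.vps123.hosting.example._o.example.org._spf.example.org",
    "_I.203.0.113.44._H.VPS123.hosting.example._o.example.org._spf.example.org.",
    "_i.203.0.113.44._h.vps123.hosting.example._o.example.org._spf.example.org",
    "_i.999.1.1.1._h.x._o.example.org._spf.example.org",   # not an IP address
    "www.example.org",                                      # unrelated query
]

if __name__ == "__main__":
    for sender, count in unauthorised_senders(SAMPLE_QNAMES):
        print(count, sender)
```

The HELO value is whatever the connecting host announced, so treat it as a hint for grouping and triage; the IP address in the query is the field to match against the authorised list.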
Splunk SPF Dashboarding (the good)
Splunk SPF Dashboarding (the bad)
Splunk SPF Dashboarding (the evil?)
What more
Python script to resolve your SPF record and fill lookup table
More dashboards
▶ RFC7208, SPF info
▶ RFC7489, DMARC info
▶ DNS record help
▶ DMARC records
▶ (Advanced) SPF record
Key Takeaways
1. Investigate where all your mail servers are located. Marketing uses different mail servers for campaigns.
2. Monitor your mail server logs.
3. Test, test, test your SPF policy and DMARC policy. Must be in production!
4. Splunk Dashboard and code can be found on: https://github.com/aholzel
THANK YOU

.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 

Recently uploaded (20)

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 

SplunkLive! Utrecht 2018 - Customer presentation: Dutch Tax Office

  • 1. © 2018 SPLUNK INC. Near Real-Time Phishing Detection with Splunkve! Karl Lovink – Technical Lead SOC Dutch Tax and Customs Administration Arnold Hölzel – Security Analyst SOC Dutch Tax and Customs Administration 2018-11-20
  • 2. Disclaimer. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  • 3. Agenda ▶ Who are we ▶ Phishing examples ▶ Secure e-Mail standards ▶ Advanced Sender Policy Framework records ▶ SPF Dashboard and Demo ▶ Questions
  • 4. Who Are We ▶ Karl Lovink ▶ Technical Lead SOC ▶ Linkedin ▶ Arnold Hölzel ▶ Security Analyst SOC ▶ Linkedin
  • 5. Who Are We Working For ▶ Citizens and Businesses ▶ Customers within the Dutch Tax and Customs Organization ▶ Customers outside the Dutch Tax and Customs Organization
  • 6. Some figures: 2 DataCenters; 35.000+ Notebooks; 15.000+ Mobile Devices; 250.000 Service Calls per year; 150.000.000 Outgoing e-mails; 7.3 PetaByte Storage; 2 Mainframes; 50.000.000 Incoming e-mails
  • 7. Our Splunk Journey. Timeline 2012–2018, milestones in slide order: Start proof of Concept, Preso SplunkLive A’dam; Tender Security Operations and Operational Intelligence; Implementation Splunk; Implementation Splunk Enterprise Security; Splunk ITSI PoC; Adding more devices, developing use cases; Growing the Splunk Infra.; PIA done on Splunk
  • 8. Splunk configuration: 1,5TB Data volume processed per day; 2TB+ Data Volume during the Tax Campaign; 15000+ Universal Forwarders; 1100+ Users in Splunk; 3700+ Scheduled Searches per hour; 31 Indexers; 1800+ Dashboards; 15 Search heads Enterprise Security; 26000+ Source systems; 130 Terabytes of historical logs; 100+ Different teams utilizing Splunk
  • 9. Phishing examples ▶ Why is fighting phishing so important: ▶ Damage for citizens and businesses ▶ Losing trust in the relationship between the Taxpayer and the Dutch Tax and Customs Administration ▶ Important to discover phishing campaigns as soon as possible ▶ Break the money circle, it’s all about money!
  • 10. Phishing examples. From: Belastingdienst <belastingaangifte@belastingdienst.nl> Date: 23-08-2015 11:05:10 CEST To: xxxxxx@planet.nl Subject: Tax return 2014. During a check of our records we found that a payment arrear has arisen on your 2014 tax return. We tried to collect the outstanding amount, but unfortunately this failed on the account number known to us. The current outstanding amount is 83,04 euro. You will also receive a written reminder, which was sent by post today. We now kindly request that you urgently pay the outstanding amount of ... You can transfer the amount to bank account number NL62ABNA XXXXXXXXX in the name of belastingdienst" stating payment reference BTW038372293N. Once you have made this payment, you can regard the letter as not sent. If you have not paid this bill within eight days, we will not send a reminder and collection costs will be charged. I hope to have informed you sufficiently. We look forward to your payment and thank you for your cooperation. Kind regards, Robert Versteegen, Director Belastingdienst. N.B. This is an automatically sent e-mail; it is not possible to reply to this e-mail.
  • 11. Phishing examples
  • 12. Phishing examples. Tax refund. Dear xxxxxxx@xmsnet.nl, After the latest annual calculations of your fiscal activity, we have determined that you are eligible for a tax refund. You must apply for the tax refund; this will be processed within 14 working days. In your situation it has been established that you will receive tax for the year 2016. To apply for your tax refund, click on the DigiD logo and go through the steps. A refund can be delayed for a variety of reasons, for example submitting invalid records or applying after the deadline. Note! Keep this letter/e-mail with your other papers. That way you have important information about the Belastingdienst at hand. Kind regards, Jos Paal, Belastingdienst, Administration Department • This e-mail cannot be replied to. • This e-mail message is intended only for the addressees. • If this message is not intended for you, you are requested to ignore this e-mail. • to inform the sender of this by the message. • to return it and not to use the contents. • No rights can be derived from this message.
  • 13. Phishing examples
  • 14. What now! What to do? Starting points: ▶ Change may not impact the business ▶ Using standard secure e-mail protocols ▶ Both the sender and the recipient must implement the secure e-mail protocols Four secure e-mail protocols: ▶ STARTTLS ▶ SPF ▶ DKIM ▶ DMARC
  • 15. STARTTLS ▶ STARTTLS is used to upgrade an insecure connection to a secure connection ▶ Adding encryption to the insecure connection ▶ Used between mailservers to communicate over insecure networks. [Diagram: Notebook A, Mail Server A, Mail Relay B, Mail Server B, Notebook B and Mail Server C, separated by firewalls and the Internet; legend: local SMTP e-mail traffic, unencrypted SMTP e-mail traffic, encrypted SMTP e-mail traffic.] NOTE: STARTTLS is outside the scope of this presentation
  • 16. Sender Policy Framework. SPF = Sender Policy Framework. Validates whether an e-mail is sent from a valid IP address or domain. The check is done against TXT records in the DNS. More info: RFC 7208: Sender Policy Framework (SPF), Version 1. Diagram (Organisation A: Notebook A, Mail Server A, DNS Server A; Organisation B: Mail Server B, Notebook B): 1. Compose mail and send mail to Mail Server A. 2. Send mail to Mail Server B. 3. Check if Mail Server A is allowed to send mail on behalf of A. 4a. Mail Server A is allowed to send mail on behalf of A. 4b. Mail Server A is not allowed to send mail on behalf of A.
  • 17. Sender Policy Framework. Example: belastingdienst.nl. SPF TXT record: v=spf1 mx a:mailer1.belastingdienst.nl a:mailer2.belastingdienst.nl a:smtp11.belastingdienst.nl a:smtp12.belastingdienst.nl -all. MX records (preference, hostname, IP address): 10 smtp1.belastingdienst.nl 85.159.97.15; 10 smtp2.belastingdienst.nl 85.159.97.15
  • 18. DomainKeys Identified Mail ▶ DKIM = DomainKeys Identified Mail ▶ Signs body and selected parts of the SMTP header. ▶ Signature is transmitted in a DKIM-signature header ▶ Public DKIM key is stored in the DNS as a TXT record. Multiple DKIM records are possible. ▶ More info: RFC 6376: DomainKeys Identified Mail (DKIM) Signatures. Diagram (Organisation A: Notebook A, Mail Server A, DNS Server A; Organisation B: Mail Server B, Notebook B): 1. Compose mail and send mail to Mail Server A. 2. Sign mail with DKIM private key and send mail to Mail Server B. 3. Lookup DKIM public key. 4. Check if DKIM signature is valid. 5a. Mail Server A is allowed to send mail on behalf of A. 5b. Mail Server A is not allowed to send mail on behalf of A.
  • 19. DomainKeys Identified Mail. Example: belastingdienst.nl:201707. A DKIM selector is needed; it can be found in the header of the e-mail. DKIM TXT record: ▶ Where v is the DKIM version, currently only “1” is defined. ▶ The k tag is the crypto algorithm used. ▶ The p tag contains the Public-key data encoded in base64. v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzXWCOzeB5qswey69WrHNeqdgnNUiFJk T/EMjm78h1zMXkrd6t0VtTB4rAe39/BlwNFC0jKskE3u1nl6whfQX3fT/68xr2SdcOp6j/DTtS6rC1EWFXyawX 6NfxM/Pt8DV5CLDFGHMht63LetGyiQYv+TrBBiATPjfLPgrArx7jaAoPv0Az/ec86rl+Q9jXA0QO7zR6Ih0TIJ YwnzVf/7Dsl4GpsmZsN1oEaXhauuDuynQsHm9iptzKC8IKHaGr9g8qPnh8PDAm0QJSWAq5j1h12j7qjML wOMEwPKwCE9HnWzeUpzxaJDHL2K4dHYkXF6ErRjLhtTU2Mx6/F+7Ku4wQIDAQAB;
  • 20. Domain-based Authentication, Reporting & Conformance ▶ DMARC = Domain-based Authentication, Reporting & Conformance. ▶ With this standard, an e-mail provider can indicate how other (receiving) mail servers should deal with the results of the SPF and / or DKIM checks of received e-mails. ▶ Example policy: "if the DKIM signature is incorrect or missing and the sending mail server does not appear in the list of authorized mail servers, then treat this email as SPAM". ▶ More info: RFC 7489: Domain-based Message Authentication, Reporting, and Conformance. Diagram (Organisation A: Notebook A, Mail Server A, DNS Server A; Organisation B: Mail Server B, Notebook B): 1. Compose mail and send mail to Mail Server A. 2. Send mail to Mail Server B. 3. Mail Server B queries for the SPF, DKIM and DMARC records. 4. Mail Server B: 1 - Check SPF record if Mail Server A is allowed to send mail on behalf of A; 2 - Check DKIM signature; 3 - Check DMARC policy; 4 - Send RUA and/or RUF report to published e-mail address. 5a. Mail Server A is allowed to send mail on behalf of A. 5b. Mail Server A is not allowed to send mail on behalf of A.
  • 21. Domain-based Authentication, Reporting & Conformance. Example: belastingdienst.nl. DMARC TXT record: v=DMARC1; p=reject; rua=mailto:dmarc.rua@belastingdienst.nl; sp=reject; ▶ Where v is the DMARC version, currently only “1” is defined. ▶ The p tag contains the configured policy. Options are: none, quarantine, reject ▶ The rua tag contains the e-mail address where XML feedback can be sent ▶ The sp tag defines what the policy must be for subdomains which are not specifically configured. Note: The ruf tag defines the e-mail address where forensics reports can be sent. Be aware of privacy issues: RUF reports can contain parts of the original mail body.
  • 22. DMARC RUA reports and Splunk. Do something with the reports. Don’t use another tool, use what you already have => SPLUNK. The RUA emails are imported in Splunk via Python scripts to use for dashboarding. You need ▶ DMARC record in your DNS ▶ Network access to the RUA mail box via POP3(s) or IMAP(s) ▶ UserID and password for the RUA mailbox ▶ Splunk…. ▶ What you get….
  • 23. Splunk DMARC Dashboarding
  • 24. Splunk DMARC Dashboarding
  • 25. Advanced Sender Policy Framework. SPF has some advanced features you can use. ▶ The redirect record ▶ belastingdienst.nl: v=spf1 redirect=_spf.belastingdienst.nl ▶ The exists record and Macros ▶ _spf.belastingdienst.nl: v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all Combine the above and you have a track-and-trace system.
  • 26. Splunk SPF Dashboarding. Now Splunk comes in ▶ We manage our own DNS servers; the query and response log is sent to Splunk. ▶ Because of the macros in the SPF records we can see: ▶ The IP of the sending server ▶ The HELO (mostly hostname) of the sending server ▶ The domain that was used in the from field.
  • 27. Splunk SPF Dashboarding (the good)
  • 28. Splunk SPF Dashboarding (the bad)
  • 29. Splunk SPF Dashboarding (the evil?)
  • 30. What more: Python script to resolve your SPF record and fill lookup table. More dashboards ▶ RFC7208, SPF info ▶ RFC7489, DMARC info ▶ DNS record help ▶ DMARC records ▶ (Advanced) SPF record
  • 31. Key Takeaways 1. Investigate where all your mail servers are located. Marketing uses different mail servers for campaigns. 2. Monitor your mail server logs. 3. Test, test, test your SPF policy and DMARC policy. Must be in production! 4. Splunk Dashboard and code can be found on: https://github.com/aholzel
  • 32. THANK YOU
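
The track-and-trace idea from slides 25 and 26, as an added example (not the presenters' code from their GitHub repository): it decodes the sending IP, HELO and from-domain out of DNS query names produced by the exists: macro record and checks the IP against the authorised senders. The BIND-style log format, the sample lines and the one-entry authorised list are assumptions constructed for illustration; the HELO value is chosen by the sending host, so it is parsed defensively and treated as untrusted data.

```python
import ipaddress
import re

SPF_ZONE = "_spf.belastingdienst.nl"      # zone of the exists: record on slide 25
# Assumption: normally filled from the lookup table of resolved SPF senders;
# here only the MX address shown on the SPF example slide.
AUTHORISED_NETS = [ipaddress.ip_network("85.159.97.15/32")]
QUERY_RE = re.compile(r"query: (\S+) IN \S+")   # assumed BIND-style query log


def decode_ip(ip_part):
    """%{i} expands to a dotted quad (IPv4) or 32 dot-separated nibbles (IPv6)."""
    labels = ip_part.split(".")
    try:
        if len(labels) == 32 and all(len(label) == 1 for label in labels):
            digits = "".join(labels)
            groups = [digits[i:i + 4] for i in range(0, 32, 4)]
            return ipaddress.ip_address(":".join(groups))
        return ipaddress.ip_address(ip_part)
    except ValueError:
        return None


def parse_spf_qname(qname):
    """Return (ip, helo, from_domain), or None if the name does not fit the pattern."""
    name = qname.rstrip(".").lower()
    suffix = "." + SPF_ZONE
    if not (name.startswith("_i.") and name.endswith(suffix)):
        return None                        # e.g. left-truncated by the 253-char limit
    body = name[len("_i."):-len(suffix)]
    ip_part, sep_h, rest = body.partition("._h.")
    # Split on the LAST "._o." so a HELO that itself contains "._o." cannot
    # shift the field boundaries.
    helo, sep_o, from_domain = rest.rpartition("._o.")
    ip = decode_ip(ip_part)
    if not sep_h or not sep_o or ip is None or not from_domain:
        return None
    return ip, helo, from_domain


def triage(log_lines):
    """Classify every query under SPF_ZONE; unrelated queries are ignored."""
    events = []
    for line in log_lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group(1).rstrip(".").lower()
        if not qname.endswith("." + SPF_ZONE):
            continue
        parsed = parse_spf_qname(qname)
        if parsed is None:
            events.append({"verdict": "unparsable", "qname": qname})
            continue
        ip, helo, from_domain = parsed
        allowed = any(ip in net for net in AUTHORISED_NETS)
        events.append({"verdict": "authorised" if allowed else "unauthorised",
                       "ip": str(ip), "helo": helo, "from_domain": from_domain})
    return events


# Constructed sample data (documentation address ranges, not real traffic).
_V6 = ".".join("20010db8" + "0" * 20 + "0025")   # %{i} form of 2001:db8::25
_TAIL = "._o.belastingdienst.nl." + SPF_ZONE
SAMPLE_QNAMES = [
    "_i.85.159.97.15._h.smtp1.belastingdienst.nl" + _TAIL,
    "_i.192.0.2.44._h.mail.example.net" + _TAIL,
    "_i.198.51.100.9._h.host._o.example.org" + _TAIL,
    "_i." + _V6 + "._h.mx.example.org" + _TAIL,
    "_h.long-helo.example.org" + _TAIL,          # left-truncated name
    "www.belastingdienst.nl",                    # unrelated query
]
SAMPLE_LOG = [
    "20-Nov-2018 10:15:%02d.000 client 203.0.113.7#53124: query: %s IN A +" % (n, q)
    for n, q in enumerate(SAMPLE_QNAMES)
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```

The client address in each log line is the resolver of the receiving mail system, so the same events also show which receivers are seeing mail that claims to come from the domain.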
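
Slide 22 says the RUA reports are imported into Splunk with Python scripts; the following added example (not the presenters' script) shows one way to turn an RFC 7489 aggregate report into flat per-source events before indexing. The report is a constructed sample, and the size cap and field names of the output events are assumptions; because reports arrive from arbitrary external senders, the loader bounds decompression and refuses DTD or entity declarations.

```python
import gzip
import xml.etree.ElementTree as ET
import zlib
from collections import Counter

MAX_XML_BYTES = 5 * 1024 * 1024   # assumed cap; reports come from untrusted senders

# Constructed sample in the RFC 7489 aggregate report layout (not a real report).
SAMPLE_RUA = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1542672000</begin><end>1542758399</end></date_range>
  </report_metadata>
  <policy_published><domain>belastingdienst.nl</domain><p>reject</p><sp>reject</sp></policy_published>
  <record>
    <row><source_ip>85.159.97.15</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>belastingdienst.nl</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>37</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>belastingdienst.nl</header_from></identifiers>
  </record>
</feedback>"""
SAMPLE_RUA_GZ = gzip.compress(SAMPLE_RUA)   # reports are usually sent compressed


def load_report(blob):
    """Decompress (if gzip) with a size cap, refuse DTDs, return the XML root."""
    if blob[:2] == b"\x1f\x8b":
        inflater = zlib.decompressobj(wbits=31)           # 31 selects the gzip container
        blob = inflater.decompress(blob, MAX_XML_BYTES)
        if not inflater.eof:
            raise ValueError("report larger than cap or truncated")
    if len(blob) > MAX_XML_BYTES or b"<!DOCTYPE" in blob or b"<!ENTITY" in blob:
        raise ValueError("oversized report or unexpected DTD/entity declaration")
    root = ET.fromstring(blob)
    for element in root.iter():                           # some reporters add a namespace
        element.tag = element.tag.rsplit("}", 1)[-1]
    return root


def _text(node, path):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else ""


def flatten(root):
    """One flat event per <record>, ready to be indexed as key/value data."""
    meta = {"org_name": _text(root, "report_metadata/org_name"),
            "report_id": _text(root, "report_metadata/report_id"),
            "policy_domain": _text(root, "policy_published/domain"),
            "policy_p": _text(root, "policy_published/p")}
    events = []
    for record in root.findall("record"):
        dkim = _text(record, "row/policy_evaluated/dkim")
        spf = _text(record, "row/policy_evaluated/spf")
        # DMARC passes when at least one aligned mechanism passes.
        dmarc_pass = dkim == "pass" or spf == "pass"
        events.append(dict(
            meta,
            source_ip=_text(record, "row/source_ip"),
            count=int(_text(record, "row/count") or 0),
            disposition=_text(record, "row/policy_evaluated/disposition"),
            dkim=dkim, spf=spf, dmarc_pass=dmarc_pass,
            header_from=_text(record, "identifiers/header_from")))
    return events


def failing_sources(events):
    """Message volume per source IP that failed DMARC for the domain."""
    totals = Counter()
    for event in events:
        if not event["dmarc_pass"]:
            totals[event["source_ip"]] += event["count"]
    return dict(totals)


if __name__ == "__main__":
    print(failing_sources(flatten(load_report(SAMPLE_RUA_GZ))))
```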