This document discusses using Splunk for incident response, orchestration, and automation. It notes that incident response currently takes significant time, with containment and response phases accounting for 72% of the time spent on incidents. It proposes that security operations need to change through orchestration and automation using adaptive response. Adaptive response aims to accelerate detection, investigation, and response by centrally automating data retrieval, sharing, and response actions across security tools and domains. This improves efficiency and extracts new insights through leveraging shared context and actions.

1. © 2017 SPLUNK INC.
Use Splunk for Incident Response,
Orchestration and Automation
14:00
Juerg Fischer | Senior Sales Engineer | jfischer@splunk.com
08.05.2018 Zuerich

2. © 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

3. © 2017 SPLUNK INC.
Incident Response
Slow
Alert Noise
Tools Problem
Many tools
Disparate tools
Skills
Lack of skills
Retention
Training
Scale
Horizontal and Vertical
Orchestration
Automation
Security Operations Need to Change

4. © 2017 SPLUNK INC.
Incident Response
Challenge

5. © 2017 SPLUNK INC.
5
Incident Response Takes Significant Time
5
Source: SANS 2017 Incident Response Survey

6. © 2017 SPLUNK INC.
Where Does Your Time Go?
When working an incident which phase generally takes the longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.

7. © 2017 SPLUNK INC.
Time-to-Contain + Time-to-Respond = 72%
When working an incident which phase generally takes the longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.

8. © 2017 SPLUNK INC.
Time = Risk => The Need for Speed!

9. © 2017 SPLUNK INC.
Tools

10. © 2017 SPLUNK INC.
Tools and Technologies Galore
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017

11. © 2017 SPLUNK INC.
Scale
Orchestration and Automation

12. © 2017 SPLUNK INC.
Let us define these terms first.

13. © 2017 SPLUNK INC.
Orchestration
▶ Brings together or integrates different
technologies and tools
▶ Security-specific or non-security-
specific
▶ Provides the ability to coordinate
informed decision making, formalize
and automate responsive actions
Automation
▶ Focus is on how to make machines do
task-oriented "human work”
▶ Allows multiple tasks or "playbooks" to
potentially execute numerous tasks
▶ Automation is a subset of orchestration
Orchestration vs Automation

14. © 2017 SPLUNK INC.
Adaptive Response
Overview

15. © 2017 SPLUNK INC.
Adaptive Response
Identity and
Access
Internal Network
Security
Endpoints
OrchestrationWAF & App
Security
Threat
Intelligence
Network
Web Proxy
Firewall
Mission:
Deeper
integrations across
the best security
technologies to
help combat
advanced attacks
together.
Approach:
Gather / analyze,
share, take action
based on end-to-end
context, across
security domains.

16. © 2017 SPLUNK INC.
Cloud Security Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access

17. © 2017 SPLUNK INC.
Adaptive Response
Technology

18. © 2017 SPLUNK INC.
Leverages Existing Splunk Common Action Model
• A CIM for alert actions
• Not a data model
Existing Actions
• Information: Give/Get (i.e. additional context)
• Permission: Grant/Revoke (e.g. user, host, etc)
• Control: Change (e.g. firewall rules)
Metadata
• Category - Information gathering, Information conveyance, Permissions control
• Task - Create, Update, Delete, Allow, Block
• Subject – what will be acted upon (network, endpoint, etc)
• Vendor – providing the action.
Adaptive Response Framework (Within ES)

19. © 2017 SPLUNK INC.
How To Interact With AR
Suggest Next StepsAutomatically With Notables Run Ad-Hoc

20. © 2017 SPLUNK INC.
Adaptive Response Actions (Examples)
AUTOMATIO
N
Automatically With Notables

21. © 2017 SPLUNK INC.
Adaptive Response Actions (Examples)
AUTOMATIO
N
Category - Information gathering, Information conveyance, Permissions control
Task - Create, Update, Delete, Allow, Block
Subject – what will be acted upon (network, endpoint, etc)
Vendor – providing the action. Ex; Splunk, Ziften, Palo Alto Networks, etc

22. © 2017 SPLUNK INC.
Adaptive Response Actions (Examples)
AUTOMATIO
N
Run Ad-Hoc

23. © 2017 SPLUNK INC.
Demo
Adaptive Response

24. © 2017 SPLUNK INC.
Adaptive Response
Benefits

25. © 2017 SPLUNK INC.
Adaptive Response Benefits
• Centrally automate retrieval, sharing and response action
resulting in improved detection, investigation and
remediation times
• Improve operational efficiency using workflow-based
context with automated and human-assisted decisions.
Measure efficacy
• Extract new insight by leveraging context, sharing data
and taking actions between Enterprise Security and
Adaptive Response partners

26. © 2017 SPLUNK INC.
Accelerate Detection, Investigation & Response
● Use the correlation search builder to
configure and automate and attach
the results to notable events
● In incident review, configure and
execute ad-hoc responses and
queries across the security
ecosystem
● Use the actions dashboard to
search and review responses taken
and their results
28

27. © 2017 SPLUNK INC.
Customer Success
Adaptive Response

28. © 2017 SPLUNK INC.
▶ Blocked over two million security threats
▶ Orchestrated threat intelligence across 20 security
technologies sitting within its internal Threat
Intelligence System
▶ Automated threat detection, response and 90% of its
security metrics process in just two months
Automating Threat Detection With
Splunk Adaptive Response
“Since implementing Splunk ES as the brain in our security nerve
center, we have found Splunk to be the right solution to quickly
and effectively create and implement security analytics across a
wide array of data sources and security use cases.”
– Senior Vice President, Chief Global Security Officer, Aflac

29. © 2017 SPLUNK INC.
Case Study: Symantec
Sample of Symantec AR Actions*:
• Isolate Endpoint
• Rejoin Endpoint
• Query File for Disposition
Symantec ATP helps detect
and remediate complex attacks
across endpoint, email, network,
and web from a single console
Splunk Adaptive Response has the power to help reduce workload
on customer SOC teams by speeding up decision making and
associated actions through automation.
- Peter Doggart, Vice President of Business Development, Symantec

30. © 2017 SPLUNK INC.
Case Study: Brown-Forman
Sample of ForeScout AR Actions*:
• Redirect endpoint to specific
web browser
• Send email messages to users
• Kill peer-to-peer application
Leveraging the ForeScout Extended Module for Splunk via Adaptive
Response will enable us to minimize the time and resources needed
to respond to emerging threats.
- Clayton Colwell, Associate security engineer, Brown-Forman
Corporation
ForeScout CounterACT
enables its customers to monitor
real-time NAC events and
respond to security threats at
endpoints

31. © 2017 SPLUNK INC.
Adaptive Response
….and what’s about the repetitive tasks

32. © 2017 SPLUNK INC.

33. © 2017 SPLUNK INC.

34. © 2017 SPLUNK INC.
▶ Alert Triage: The objective with alert triage is to validate and prioritize incoming alerts.
▶ Indicator of Compromise (IOC) Hunting: By automating IOC hunting, teams can fully leverage the
threat intelligence they receive instead of limiting the IOCs they hunt for due to resource constraints.
▶ Vulnerability Management: Automating the cycle of identifying, classifying, remediating, and mitigating
vulnerabilities yields not only greater team efficiency.
▶ Network Access Control (NAC): SA&O platforms can augment dynamic access control strategies. One
example is integrating a detection system that previously was not part of the NAC decision making logic.
▶ User Management: Ensuring that users are enabled and disabled accurately, rapidly, and systematically
can eliminate the chance that a user account is used maliciously by a threat actor.
▶ Penetration Testing: Activities like asset discovery, classification, and target prioritization can be
automated, thus increasing the productivity of the pen testing team.
▶ Intelligence Sharing: Organizations that have intelligence sharing initiatives can greatly benefit from an
automation-assisted playbook.
Use Cases

35. © 2017 SPLUNK INC.
• written in Python and define a
series of automation tasks.
• deployment involves setting
up an ingest source to receive
data from SIEMs
• expects to receive correlated
and normalized security events
that would be considered "high
fidelity".
•
• high level primitives that
are used through-out the
Phantom platform.
• Verbs that are used to
execute ACTIONS in
PLAYBOOKS and
manually through the user
interface.
• ACTIONS are vendor
and product agnostic.
Examples include get
process dump, block ip,
suspend vm, and
terminate process.
• extend the Phantom
platform by adding
connectivity to third
party security
technologies in order
to execute actions.
•
• Specific instances
of physical or virtual
devices within your
organization.
• May include
servers, endpoints,
routers, and firewalls
among others.
•
Components
Playbooks Actions Apps Assets

36. © 2017 SPLUNK INC.
• Alert actions from Splunk
initiate playbooks.
• Phantom results
delivered back into
Splunk as indexable
data.
• Launch playbooks in
context from Splunk
search results.
• Update status of Notable
Events in ES from
Phantom results.
How does it integrate with Splunk?

37. © 2017 SPLUNK INC.
Demo
Phantom Integration

38. © 2017 SPLUNK INC.
1. Adaptive Response helps accelerate
Incident Detection, Investigation and
Response
2. Use Adaptive Response framework for
multi-vendor security workflow
orchestration and automation
3. Use with IT and Security domains to
solve a range of security use cases
Mitigate Incident
Response Challenges
with Orchestration and
Automation
Key
Takeaways

39. © 2017 SPLUNK INC.
Search and
Investigate
Analytics-Driven Security
Index Untapped Data:
Any Source, Type, Volume
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Splunk
Enterprise Security
600+
Security Apps
Splunk User
Behavior Analytics
Monitoring,
Correlations,
Alerts
Dashboards
and Reports
Analytics and
Virtualization
Adaptive
Response
Employee
Info
Asset and
CMDB
Threat
Intelligence
Applications Data Stores
External Lookups
Platform for Operational Intelligence

40. © 2017 SPLUNK INC.
▶ Splunk Usergroup Zürich
▶ Regular Splunk User get-togethers
▶ Frequent Splunk Ninja Presentations (D/E)
▶ Meetings throughout all major german
speaking cities (not only Zurich)
▶ Amtssprache deutsch
▶ Not a sales thing
▶ Kick-off soon
▶ Join now:
▶ https://usergroups.splunk.com/group/splunk-
user-group-zurich.html
Splunk Usergroup Zurich
http://bit.do/SPLUGZ

41. © 2017 SPLUNK INC.
Thank You!
Don't forget to rate this session on Pony Poll
https://ponypoll.com/Zurich2018

42. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
THANK YOU