The document discusses using the Splunk Universal Forwarder to monitor endpoints for security purposes. It outlines how the Universal Forwarder can collect a variety of log and system data from endpoints to gain visibility into potential attacks or malware. Specific examples are provided of how the Universal Forwarder was used by large companies to monitor millions of endpoints and detect security issues and fraud.
Hands-On Security Breakout Session - ES Guided Tour (Splunk)
This document provides an agenda and overview for an Enterprise Security guided tour session using the Splunk platform. It introduces the Splunk App for Enterprise Security and demonstrates its key capabilities for security monitoring, incident response, and threat hunting. These include a common information model, predefined dashboards and reports, and the ability to create correlation searches to detect security events of interest. The guided tour showcases how the app integrates security-relevant data from various sources and allows users to investigate, triage, and collaborate on security incidents.
This document provides instructions for a hands-on security analytics session using Splunk. The session will use Splunk to investigate a Zeus malware infection across network, endpoint, asset, and threat intelligence data sources. Participants will begin by searching for new threat intelligence, then investigate the infection to identify the complete adversary kill chain. They will access a shared Splunk instance and work through exercises discovering the attacker's kill chain, producing new threat intelligence, and performing incident investigation across the security stack.
David Veuve, SE, Splunk, walks the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain.
Learn from our Security Expert on how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Level Up Your Security Skills in Splunk Enterprise (Splunk)
During this advanced Splunk webinar, Splunk security experts covered the following security scenarios:
- Automated threat intelligence response
- Behavior profiling
- Anomaly detection
- Tracking an attack against the “kill chain”
You can watch a recording of the webinar here: https://splunkevents.webex.com/splunkevents/lsr.php?RCID=8163d71e6fa0646beb8f8354bfac61a1
QCon London 2015 - Wrangling Data at the IOT Rodeo (Damien Dallimore)
The document discusses how Splunk can help users manage and analyze Internet of Things (IoT) data. Splunk provides tools to collect data from various sources, search and correlate the data, and build applications and visualizations. This allows users to harness IoT data from devices, sensors, and industrial systems. Splunk also offers developer tools like APIs and SDKs to build custom IoT applications on its platform.
Hands-On Security Breakout Session - ES Guided Tour (Splunk)
This document provides an overview and guided tour of the Splunk Enterprise Security (ES) application. It begins with an introduction to ES and highlights some of its key capabilities like the Common Information Model (CIM) and pre-built reports. It then walks through a mock incident response exercise using the ES app to investigate a potential malware infection. This includes reviewing security indicators, pivoting through event data, assigning ownership/status, and updating the incident timeline. Finally, it demonstrates how to create a custom correlation search to further analyze related security events. The document provides a high-level yet comprehensive tour of the major functional areas and workflows within the ES app.
This document provides an agenda for an Enterprise Security hands-on guided tour using Splunk software. The tour will demonstrate the Splunk App for Enterprise Security and cover topics including data ingestion, the common information model, risk analysis, threat intelligence, incident response exercises, and correlation searches. It encourages participants to bring a laptop and notes several break periods for providing feedback via text message or online survey for a chance to win gift cards.
This document summarizes a presentation about operationalizing advanced threat defense. It discusses how advanced threat actors have established a mature economy of cyber threats with global reach. It then outlines an approach to combat these threats by connecting all security and operational data sources to gain comprehensive visibility, and leveraging threat intelligence and security analytics to detect threats across the entire kill chain. The presentation also demonstrates Enterprise Security 3.x software for continuous monitoring and advanced threat detection.
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
The document is an agenda for a security session presentation by Splunk. It includes an introduction to Splunk for security use cases, a demo of the Zeus security product, and a discussion of enterprise security and user behavior analytics solutions from Splunk. Key points include how Splunk can provide a unified platform for security data from multiple sources, detect advanced threats that are difficult to find, and help connect related security events to better understand security incidents.
Getting Started with Splunk Enterprise Hands-On (Splunk)
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session, you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
This document provides information for an introductory Splunk security workshop, including:
- Details about the workshop agenda, which covers basic posture and monitoring in the first section and an introduction to investigation in the second section.
- Instructions for accessing the workshop environment and materials.
- A legend explaining the visual guides that will be used during the hands-on portions of the workshop.
- Overviews of the four key data sources - endpoint, identity, network, and threat intelligence - that will be analyzed to improve security posture and monitoring.
SplunkLive! München 2016 - Splunk für Security (Splunk)
This document provides an overview of Splunk's security analytics and user behavior analytics capabilities for detecting threats like cyber attacks and insider threats. It discusses how Splunk uses machine learning and behavioral analytics on large datasets to detect anomalies and threats. Examples are given showing how Splunk can detect suspicious user activities across the cyber kill chain and identify external attacks and insider threats. Key workflows for security analysts and threat hunters using Splunk are also outlined.
The document discusses scaling rugged DevOps practices across many cloud accounts and projects. It recommends centralizing security policies, patterns, and templates and automating processes. Specific suggestions include building a security repository, separating entitlement matrices per project/account, using brokers for IAM roles, keeping code identities in the cloud, designing for data transfer security, automating security logging, and creating "deployment packages" to automatically configure monitoring and alerts on new accounts. The presentation demonstrates automating the configuration of security tools like CloudTrail, CloudWatch, and IAM roles on a new account.
The document discusses security war games and red team/blue team exercises. It provides examples of red team techniques like exploiting unprotected file shares and spear phishing attacks. It also gives examples of blue team detection methods like discovering backdoor command and control servers and tracking attack progression. The document emphasizes that these exercises help measure security, identify gaps, and improve incident response procedures. Running such games establishes baselines and frameworks to inventory damage and identify security investments needed to reduce the time to detect, contain, and recover from attacks.
A Deep Dive into Spring Application Events (VMware Tanzu)
Spring application events provide a lightweight way to implement domain events in a modular Spring application. Events are published from aggregate roots using Spring Data, which allows loosely coupled interaction between bounded contexts. Depending on the integration mechanism, events can be externalized to technologies like JMS, AMQP or Kafka to notify other systems. If an event listener or transactional listener fails, the entire transaction will roll back to maintain strong consistency. A registry can be used to retry publishing events if listeners fail. Events help reduce coupling between components by making integration points explicit.
Splunk Enterprise for Information Security Hands-On (Splunk)
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.
SplunkSummit 2015 - Splunk User Behavioral Analytics (Splunk)
The document discusses Splunk User Behavior Analytics (UBA) and its capabilities for detecting advanced cyber attacks and insider threats through behavioral threat detection using machine learning. It notes that traditional threat detection focuses only on known threats, while UBA aims to detect unknown threats through automated security analytics and anomaly detection based on establishing user and entity baselines and identifying deviations from normal behavior. The document provides examples of UBA use cases and the types of data sources it can integrate to perform threat detection and security analytics.
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Windows Splunk Logging Cheat Sheet Oct 2016 - MalwareArchaeology.com (Michael Gough)
This document provides a cheat sheet for configuring Windows logging and auditing settings on Windows 7 through Windows 2012 systems. It includes instructions for increasing log sizes, enabling specific audit policies and event logging, and harvesting important security-related events from the logs. The goal is to capture essential system activity like processes, services, authentication events and changes to files, registry keys and more to aid in detecting malicious behavior.
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler (Splunk)
Using Simple XML and Splunk Enterprise, learn how to create easy interactive dashboards to explore data. This demo showcases great tools to put in the hands of Splunk users, help desk users and IT Operations staff.
Splunk for Security: Background & Customer Case Study (Andrew Gerber)
Presented at SplunkLive! Denver on August 4, 2015; provides background on the Splunk value proposition for security use cases based on actual experience, a walkthrough of a Splunk engagement at a major national healthcare customer, and examples of three use cases that provided actionable value beyond what was possible with the previous SIEM solution.
Splunk for Enterprise Security featuring User Behavior Analytics (Splunk)
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
You have spent a lot of money on your security infrastructure. How do you now bring all the different systems together so that you reach your goals: detecting threats quickly, responding to them, and preventing them in the future? At the same time, your security team should of course be able to act in line with your business activities and strategy. Learn here how to deploy your security resources most effectively. We show you all of this in a live demo.
This document discusses how Splunk can help organizations address challenges related to escalating IT complexity. It notes that IT environments have become more complex with disconnected point solutions, over 70% of time spent maintaining rather than innovating, and latency in resolving issues measured in hours or days. Splunk provides a single platform to gather, analyze, and search machine data from various sources in real-time. It allows correlating data across silos for faster problem resolution. The document highlights how Splunk reduced escalations by 90% and mean time to resolution by 67% for one customer. It then discusses how Splunk offers pre-built apps for monitoring different parts of the IT infrastructure and applications.
Understanding Network Insight Integrations to Automate Containment and Kick S... (Core Security)
Whether it's the revered single pane of glass view in a SIEM or building an auto-containment workflow for compromised devices, Network Insight admins can use built-in integrators to take action quickly or build their own with the API. With a SIEM, for instance, what if the view is wrong or incomplete? This can cause the response teams to spend invaluable time looking for and chasing the wrong things. It's critical to understand how to ingest the NI outputs into your SIEM to keep things flowing smoothly. In this session we will cover the two different types of feeds and ideas on how to best incorporate them into your SIEM workflow. This session will help responders understand the Network Insight SIEM output so they can quickly interpret it and build SIEM workflows and dashboards to get optimal results. Also covered will be use cases for Next Generation Firewall (NGFW), Network Access Control (NAC) and Proxy integrations.
This document contains a disclaimer stating that any forward-looking statements made during the presentation are based on current expectations and estimates and could differ materially. It also states that the information provided about product roadmaps is for informational purposes only and may change. The document provides an overview of machine learning, including definitions of common machine learning techniques like supervised learning, unsupervised learning, and reinforcement learning. It also describes Splunk's machine learning capabilities, including search commands, the Machine Learning Toolkit, and packaged solutions like Splunk IT Service Intelligence that incorporate machine learning.
The document summarizes a congressional briefing about integrating STEM education and literacy. It discusses how STEM interest declines in early elementary school and proposes creating a blended learning resource called "The Curious Adventures of Sydney and Symon" to engage students in grades 1-3 with literacy and science through storytelling. The resource would align with national science standards and be available in English and Spanish both physically and digitally.
This document summarizes a presentation about operationalizing advanced threat defense. It discusses how advanced threat actors have established a mature economy of cyber threats with global reach. It then outlines an approach to combat these threats by connecting all security and operational data sources to gain comprehensive visibility, and leveraging threat intelligence and security analytics to detect threats across the entire kill chain. The presentation also demonstrates Enterprise Security 3.x software for continuous monitoring and advanced threat detection.
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.
The document is an agenda for a security session presentation by Splunk. It includes an introduction to Splunk for security use cases, a demo of the Zeus security product, and a discussion of enterprise security and user behavior analytics solutions from Splunk. Key points include how Splunk can provide a unified platform for security data from multiple sources, detect advanced threats that are difficult to find, and help connect related security events to better understand security incidents.
Getting Started with Splunk Enterprise Hands-OnSplunk
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session, you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
This document provides information for an introductory Splunk security workshop, including:
- Details about the workshop agenda, which covers basic posture and monitoring in the first section and an introduction to investigation in the second section.
- Instructions for accessing the workshop environment and materials.
- A legend explaining the visual guides that will be used during the hands-on portions of the workshop.
- Overviews of the four key data sources - endpoint, identity, network, and threat intelligence - that will be analyzed to improve security posture and monitoring.
SplunkLive! München 2016 - Splunk für SecuritySplunk
This document provides an overview of Splunk's security analytics and user behavior analytics capabilities for detecting threats like cyber attacks and insider threats. It discusses how Splunk uses machine learning and behavioral analytics on large datasets to detect anomalies and threats. Examples are given showing how Splunk can detect suspicious user activities across the cyber kill chain and identify external attacks and insider threats. Key workflows for security analysts and threat hunters using Splunk are also outlined.
The document discusses scaling rugged DevOps practices across many cloud accounts and projects. It recommends centralizing security policies, patterns, and templates and automating processes. Specific suggestions include building a security repository, separating entitlement matrices per project/account, using brokers for IAM roles, keeping code identities in the cloud, designing for data transfer security, automating security logging, and creating "deployment packages" to automatically configure monitoring and alerts on new accounts. The presentation demonstrates automating the configuration of security tools like CloudTrail, CloudWatch, and IAM roles on a new account.
The document discusses security war games and red team/blue team exercises. It provides examples of red team techniques like exploiting unprotected file shares and spear phishing attacks. It also gives examples of blue team detection methods like discovering backdoor command and control servers and tracking attack progression. The document emphasizes that these exercises help measure security, identify gaps, and improve incident response procedures. Running such games establishes baselines and frameworks to inventory damage and identify security investments needed to reduce the time to detect, contain, and recover from attacks.
A Deep Dive into Spring Application EventsVMware Tanzu
Spring application events provide a lightweight way to implement domain events in a modular Spring application. Events are published from aggregate roots using Spring Data, which allows loosely coupled interaction between bounded contexts. Depending on the integration mechanism, events can be externalized to technologies like JMS, AMQP or Kafka to notify other systems. If an event listener or transactional listener fails, the entire transaction will roll back to maintain strong consistency. A registry can be used to retry publishing events if listeners fail. Events help reduce coupling between components by making integration points explicit.
Splunk Enterpise for Information Security Hands-OnSplunk
Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunk
The document discusses Splunk User Behavior Analytics (UBA) and its capabilities for detecting advanced cyber attacks and insider threats through behavioral threat detection using machine learning. It notes that traditional threat detection focuses only on known threats, while UBA aims to detect unknown threats through automated security analytics and anomaly detection based on establishing user and entity baselines and identifying deviations from normal behavior. The document provides examples of UBA use cases and the types of data sources it can integrate to perform threat detection and security analytics.
Here’s your chance to get hands-on with Splunk for the first time! Bring your modern Mac, Windows, or Linux laptop and we’ll go through a simple install of Splunk. Then, we’ll load some sample data, and see Splunk in action – we’ll cover searching, pivot, reporting, alerting, and dashboard creation. At the end of this session you’ll have a hands-on understanding of the pieces that make up the Splunk Platform, how it works, and how it fits in the landscape of Big Data. You’ll experience practical examples that differentiate Splunk while demonstrating how to gain quick time to value.
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
This document provides a cheat sheet for configuring Windows logging and auditing settings on Windows 7 through Windows 2012 systems. It includes instructions for increasing log sizes, enabling specific audit policies and event logging, and harvesting important security-related events from the logs. The goal is to capture essential system activity like processes, services, authentication events and changes to files, registry keys and more to aid in detecting malicious behavior.
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler, by Splunk
Using Simple XML and Splunk Enterprise, learn how to create easy interactive dashboards to explore data. This demo showcases great tools to put in the hands of Splunk users, help desk users and IT Operations staff.
Splunk for Security: Background & Customer Case Study, by Andrew Gerber
Presented at SplunkLive! Denver on August 4, 2015; provides background on the Splunk value proposition for security use cases based on actual experience, a walkthrough of a Splunk engagement at a major national healthcare customer, and examples of three use cases that provided actionable value beyond what was possible with the previous SIEM solution.
Splunk for Enterprise Security featuring User Behavior Analytics, by Splunk
This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
You have spent a lot of money on your security infrastructure. How do you now bring all the different systems together so that you reach your goals: detecting threats quickly, responding to them and preventing them in the future? At the same time, your security team should of course be able to act in line with your business activities and strategy. Learn here how to deploy your security resources most effectively. We will show you all of it in a live demo.
This document discusses how Splunk can help organizations address challenges related to escalating IT complexity. It notes that IT environments have become more complex with disconnected point solutions, over 70% of time spent maintaining rather than innovating, and latency in resolving issues measured in hours or days. Splunk provides a single platform to gather, analyze, and search machine data from various sources in real-time. It allows correlating data across silos for faster problem resolution. The document highlights how Splunk reduced escalations by 90% and mean time to resolution by 67% for one customer. It then discusses how Splunk offers pre-built apps for monitoring different parts of the IT infrastructure and applications.
Understanding Network Insight Integrations to Automate Containment and Kick S..., by Core Security
Whether it’s the revered single pane of glass view in a SIEM or building an auto-containment workflow for compromised devices, Network Insight admins can use built-in integrators to take action quickly or build their own with the API. With a SIEM, for instance, what if the view is wrong or incomplete? This can cause the response teams to spend invaluable time looking for and/or chasing the wrong things. It’s critical to understand how to ingest the NI outputs into your SIEM to keep things flowing smoothly. In this session we will cover the two different types of feeds and ideas on how to best incorporate them into your SIEM workflow. This session will help responders understand the Network Insight SIEM output so they can quickly interpret it and build SIEM workflows and dashboards to get optimal results. Also covered will be use cases for Next Generation Firewall (NGFW), Network Access Control (NAC) and Proxy integrations.
This document contains a disclaimer stating that any forward-looking statements made during the presentation are based on current expectations and estimates and could differ materially. It also states that the information provided about product roadmaps is for informational purposes only and may change. The document provides an overview of machine learning, including definitions of common machine learning techniques like supervised learning, unsupervised learning, and reinforcement learning. It also describes Splunk's machine learning capabilities, including search commands, the Machine Learning Toolkit, and packaged solutions like Splunk IT Service Intelligence that incorporate machine learning.
The document summarizes a congressional briefing about integrating STEM education and literacy. It discusses how STEM interest declines in early elementary school and proposes creating a blended learning resource called "The Curious Adventures of Sydney and Symon" to engage students in grades 1-3 with literacy and science through storytelling. The resource would align with national science standards and be available in English and Spanish both physically and digitally.
SplunkLive! Warsaw 2016 - Getting started with Splunk, by Splunk
This document provides an overview and introduction to Splunk. It discusses what Splunk is, how to get started with Splunk including installing Splunk, indexing data, performing searches, creating alerts and reports. It also covers deployment and integration topics such as scaling Splunk, forwarding data, enriching data, user authentication and data storage. Support options through the Splunk community are also mentioned.
This session will unveil the power of the Splunk Search Processing Language (SPL). See how to use Splunk's simple search language for searching and filtering through data, charting statistics and predicting values, converging data sources and grouping transactions, and finally data science and exploration. We'll begin with basic search commands and build up to more powerful advanced tactics to help you harness your Splunk Fu!
Splunk Webinar: Searching, Transforming and... Machine Data with Splunk SPL, by Georg Knon
This document provides examples of SPL commands for searching, filtering, modifying, visualizing, and exploring data in Splunk. It discusses commands for searching and filtering data, modifying or creating new fields, calculating statistics and charting them over time, converging different data sources, identifying transactions and anomalies, and exploring data relationships. Examples are provided for commands like eval, stats, timechart, lookup, appendcols, transaction, anomalydetection, cluster, correlate, and others.
SplunkLive! Hamburg / München Beginner Session, by Georg Knon
This document provides an agenda and overview for a beginner technical workshop on Splunk. The agenda includes introductions to getting started with Splunk, searching, alerts, dashboards, deployment and integration, and a question and answer session. It also provides background on Splunk's capabilities for searching machine data in real-time, monitoring systems proactively, and gaining operational visibility and real-time business insights. Demo sections are included to illustrate key Splunk functions.
Supporting Enterprise System Rollouts with Splunk, by Erin Sweeney
At Cricket Communications, Splunk started as a way to correlate all of our data into one view to help our operations team keep processes humming. Then we gave secured access to our developers; now they’re addicted. In fact, Splunk is critical in helping us speed up deployment of new systems (like our recent multi-million dollar billing system implementation). Learn how we use Splunk to display key metrics for the business, track overall system health, track transactions, optimize license usage, and support capacity planning.
Advanced Use Cases for Analytics Breakout Session, by Splunk
This document discusses Splunk's analytics capabilities and how to develop analytics for business users. It introduces personas as user types in a Splunk deployment beyond core IT. Requirements should be gathered for each persona, including their business problem, relevant data sources, and how they prefer to consume results. Searches and data models can then be developed and delivered through dashboards, visualizations, or third-party tools. Advanced analytics techniques discussed include anomaly detection, data visualization, predictive analytics, and demos. The document encourages reaching out for help from Splunk technical teams to grow analytics beyond IT.
This document outlines an agenda for an advanced Splunk user training workshop. The workshop covers topics like field aliasing, common information models, event types, tags, dashboard customization, index replication for high availability, report acceleration, and lookups. It provides overviews and examples for each topic and directs attendees to additional documentation resources for more in-depth learning. The workshop also includes demonstrations of dashboard customization techniques and discusses support options through the Splunk community.
SplunkLive! Analytics with Splunk Enterprise - Part 2, by Splunk
This document discusses Splunk's data modeling capabilities and how they enable faster analytics over raw machine data. It introduces data models, which allow domain knowledge to be shared and reused. Data models map data onto hierarchical structures and enable non-technical users to build reports without using the Splunk search language. The document covers best practices for building data models and how pivot searches are generated from the underlying data model objects. It also discusses managing, securing, and accelerating analytics with data models.
This document provides a summary of new features and enhancements in Splunk Enterprise & Cloud version 6.3. Key highlights include improved performance and scale through search and index parallelization, intelligent job scheduling, expanded support for DevOps and IoT through the new HTTP Event Collector, and enhanced analytics and visualization capabilities such as anomaly detection and geospatial mapping. The documentation was also redesigned to be more user-friendly.
The ongoing cyber-war has a front line and that is the endpoint. In this session, you'll learn various methods to improve endpoint security with the Splunk Universal Forwarder and with commercial endpoint solutions. You can gain critical, timely, detailed information about what's happening on your desktops, laptops, hosts, and POS systems. You can correlate this data to network, threat intel, and other data sources. You'll learn how filesystem details, processes, services, hashes, ports, registry settings and more can be used to detect attackers. This will help any organization using Splunk to greatly improve their security posture.
SplunkSummit 2015 - A Quick Guide to Search Optimization, by Splunk
This document provides an overview and tips for optimizing searches in Splunk. It discusses how to scope searches more narrowly through techniques like limiting the time range and including specific indexes, sourcetypes, and fields. This helps reduce the amount of data that needs to be scanned to find search results. The document also recommends using inclusionary search terms rather than exclusionary ones when possible to improve performance. Additional optimization strategies covered include using smarter search modes and defining fields on segmented boundaries.
Justin Hardeman is a Unix administrator at Availity LLC, a company that processes over 2 billion healthcare transactions annually. He has over 5 years of experience using Splunk for monitoring Availity's large, multi-datacenter infrastructure consisting of 500+ virtual machines. Splunk has allowed Availity to move from a reactive to proactive approach by providing real-time visibility into issues, transactions, and workflows across their environment.
This document outlines an agenda for a Splunk getting started user training workshop. The agenda includes introducing Splunk functionality like search, alerts, dashboards, deployment and integration. It also covers installing Splunk, indexing data, search basics, field extraction, saved searches, alerting and reporting dashboards. The workshop aims to help users get started with the core Splunk features.
This document provides an overview of scaling Splunk through the horizontal addition of commodity hardware. It discusses starting with a single server installation and then improving search and indexing performance by adding more indexers to spread the load. Search performance improves linearly as more indexers are added. When volumes reach 5-100GB per day, a separate search head should be added to improve performance and offload searching from the indexers. Additional indexers should be added at volumes of 20-200GB and every 100GB thereafter. Multiple search heads can also be added to partition users and searches. Larger volumes over 1TB per day require more indexers and search heads to be added. Long term storage over 30 days can use a SAN. Distributed searches
Splunk provides a platform for operational intelligence that allows users to analyze machine data from any source. The document discusses Splunk products and solutions for IT service management, security intelligence, and Internet of Things applications. Splunk has over 11,000 customers across various industries.
Getting Started With Splunk IT Service Intelligence, by Splunk
Are you currently using Splunk to troubleshoot and monitor your IT environment? Do you want more out of Splunk but don’t know how? Here’s your chance to learn more about Splunk IT Service Intelligence (Splunk ITSI) and get hands-on with it for the very first time. We’ll kick off this session with a discussion on the concept of services, KPIs and entities and demonstrate how to use them in Splunk IT Service Intelligence. We’ll help you build custom visualizations and dashboards for personalized service-centric views. We’ll teach you how to navigate across multiple KPIs, entities and events with built-in visualizations and intelligently troubleshoot and resolve problems faster using Splunk ITSI. We’ll also show you how to create correlations across KPIs easily and be alerted of “notable events” to catch these emerging problems quickly. At the end of this session, you will leave with an understanding of the unique monitoring approach Splunk ITSI delivers to maximize the value of your data in Splunk and how to accelerate visibility into your critical IT services.
The document is a disclaimer and introduction for a presentation on security correlation in Splunk. It states that any forward-looking statements made during the presentation reflect current expectations and estimates and may differ from actual results. It also notes that information on product roadmaps is subject to change and not binding. The presentation will cover four types of security correlation rules: across many data sources and events, privileged user monitoring, reducing alert fatigue, and threat intelligence hits.
Driving Efficiency with Splunk Cloud at Gatwick Airport, by Splunk
Gatwick Airport, the busiest single runway airport in the world, needed to ensure a high degree of efficiency for a record-breaking 925 daily flights and 38 million annual passengers. This presentation covers how they:
- Combine historical fact with "in the moment" data and events to predict success or failure, enabling the operation to prevent issues before they occur
- Support other organisations (e.g., airlines and ground handlers) with dashboards to improve their performance
- Moved from "how did we do?" to "how are we doing?" and are on the edge of answering "how will we do?"
- Plan to expand the use of Splunk Cloud in the future: tracking travel disruption, predicting passenger flow and getting real-time feedback via social media monitoring
Also, learn why a cloud solution gives Gatwick Airport the agility and scalability to achieve what they need.
The document discusses disrupting cyber attacks using Splunk software. It provides an overview of Splunk's security capabilities such as monitoring known and unknown threats, security investigations, and fraud detection. It then demonstrates how to investigate a hypothetical security incident at a company called Buttercup Games. The investigation uses Splunk to trace an attack from initial website exploitation and phishing email through endpoint infection back to the root cause of a user opening a weaponized PDF file. The investigation illustrates how Splunk can disrupt the cyber kill chain by connecting threat indicators from multiple data sources to rapidly uncover attack details and attributes.
Hands-On Security Breakout Session - Disrupting the Kill Chain, by Splunk
This document summarizes a security investigation using Splunk software to disrupt the cyber kill chain. The investigation began by detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation revealed DNS queries, proxy activity, and suspicious processes on an endpoint. Pivoting to the endpoint data identified a Zeus malware process communicating outbound. Working backwards through process lineage identified an exploited vulnerable application and a weaponized PDF file delivered via email phishing. A search of web logs found the file was obtained from a website via a brute force attack. The root cause was determined to be a targeted spear phishing email containing an exploit.
Hands-On Security Breakout Session - Disrupting the Kill Chain, by Splunk
The document discusses a security investigation demo using Splunk software to disrupt the cyber kill chain. It begins with detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation using endpoint data from Microsoft Sysmon reveals network connections and process information. This traces the suspicious activity back through parent processes to identify a vulnerable PDF reader application exploited by opening a weaponized file delivered via email phishing. Additional context from web logs shows the file was obtained through a brute force attack on the company's website. The investigation is then able to connect events across various data sources to fully map out the adversary's actions.
Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Hands on Security - Disrupting the Kill Chain Breakout Session, by Splunk
The document discusses a security investigation using Splunk software to trace a cyber attack across multiple data sources. The investigation began by identifying communications from an internal IP address to known threats. Examining endpoint data revealed a suspicious svchost.exe process communicating outbound, which was traced back through parent processes to a vulnerable PDF reader opened by an employee. Web logs showed the attacker gained access to a sensitive file via a brute force attack on the company website. By connecting activities across threat intelligence, endpoint, email, web and other sources, the root cause was determined to be a targeted spear phishing email containing a weaponized PDF file.
Hands-On Security Breakout Session - Disrupting the Kill Chain, by Splunk
Splunk software allows security teams to collect, store, and analyze machine data from various sources to detect threats across the cyber kill chain. This includes reconnaissance, exploitation, and actions on objectives. The presentation demonstrates how to use Splunk to investigate a security incident involving a compromised system communicating with a botnet. The investigation leverages threat intelligence, endpoint data, and process information to trace the adversary's activities, confirm malicious behavior, and work towards a root cause.
You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, and early detection and prevention of events? See a live demonstration that will showcase how to operationalize those resources so that your organization can reap the maximum benefit.
This document discusses replacing a legacy security information and event management (SIEM) system with Splunk Enterprise. It outlines 10 common problems with legacy SIEMs, such as an inability to ingest and analyze all relevant log and machine data. Customer case studies show how Splunk can help organizations replace aging SIEMs in a few months to gain scalability, faster security investigations, and the ability to ensure compliance. The presentation covers Splunk's security monitoring and analytics capabilities and migration options from legacy SIEMs to Splunk. Attendees are invited to sign up for a SIEM replacement workshop to discuss their specific needs.
This document provides an overview of a presentation on Splunk for security. It includes a disclaimer noting that any forward-looking statements are based on current expectations and could differ from actual results. It also notes that information on roadmaps is subject to change without notice. The presentation will provide a hands-on activity using a free 15-day Enterprise Security sandbox trial of Splunk products hosted on AWS.
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin, by Splunk
Splunk for Security Workshop
Join our Splunk Security Experts and learn how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Splunk Webinar: Best Practices for Incident Investigation, by Georg Knon
The document discusses best practices for incident investigation using Splunk, including collecting data from various sources like network traffic, endpoints, user activity, and threat intelligence. Effective investigation requires visibility into who and what communicated on the network, running processes, file system changes, and privileged access on endpoints. The goal is to quickly scope infections and disrupt breaches by understanding attack intent, lateral movement, and exfiltration through correlation of different data sources.
Hands-On Security Breakout Session - Disrupting the Kill Chain, by Splunk
The document summarizes a security investigation conducted using Splunk software. The investigation began by detecting threat intelligence related network activity from an employee's system. Further investigation across endpoint, email, web, and DNS data sources traced the activity back to a targeted phishing email containing a weaponized PDF file. The file exploited a vulnerable PDF reader and installed Zeus malware. The root cause was determined to be a brute force attack on the company's website that stole the weaponized file. The investigation disrupted the cyber kill chain from reconnaissance to actions on objectives.
The document discusses Splunk security solutions including Splunk Enterprise and Splunk User Behavior Analytics (UBA). It provides an agenda that includes a demo of the Zeus ES security product and a UBA demo. The document contains customer examples and testimonials about how Splunk has helped organizations replace inadequate SIEM tools and meet complex security needs. It highlights features for risk-based security, fast incident review, continuous monitoring, and visual investigations using the cyber kill chain model.
The document discusses Splunk security solutions including Splunk Enterprise and Splunk User Behavior Analytics (UBA). It begins with an agenda that includes a demo of the Zeus ES security product and a UBA demo. The document then provides an overview of challenges in securing against advanced threats and how Splunk addresses these challenges through security analytics and machine data. Examples are given of how Splunk has helped customers including Nasdaq and PostFinance address security issues. The presentation concludes with a discussion of features in Splunk Enterprise Security 4.0.
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En..., by Splunk
This document summarizes how Splunk Enterprise Security can help organizations strengthen their security posture and operationalize security processes. It discusses how Splunk ES allows organizations to centralize analysis of endpoint, network, identity, and threat data for improved visibility. It also emphasizes developing an investigative mindset when handling alerts to efficiently determine the root cause. Finally, it explains how Splunk ES can operationalize security processes by providing a single source of truth and integrating security technologies to automate responses.
Hands-On Security - Disrupting the Kill Chain, by Splunk
Learn from a Splunk security expert how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
SplunkLive! Tampa: Splunk for Security - Hands-On Session, by Splunk
This document provides an overview of a hands-on demo of Splunk Enterprise Security (ES) using a free sandbox environment. It discusses creating a sandbox, exploring common ES features like the risk analysis dashboard, threat intelligence, and incident response workflow. The demo shows how to investigate a malware detected event, view asset details, and add context with lookups. It encourages exploring more advanced threat capabilities and additional reports in ES to gain experience with the platform.
This document discusses operationalizing security intelligence through Splunk. It begins with an overview of security intelligence and what it aims to provide organizations. It then discusses requirements for security intelligence like risk-based analytics, context and intelligence, and connecting data and people. The presentation includes two demos of Splunk capabilities for security use cases. It promotes attending future tech talks and Splunk conferences to learn more.
Splunk for Enterprise Security featuring UBA Breakout Session, by Splunk
Splunk User Behavior Analytics (UBA) 2.2 provides enhanced security analytics and detection capabilities. It uses machine learning to establish baseline behaviors and detect anomalies. UBA analyzes activities across users, hosts, networks, applications and data to identify potential threats. The latest version features expanded visibility metrics, custom threat modeling capabilities, and improved context enrichment through integrations with additional security technologies.
Similar to SplunkSummit 2015 - Splunking the Endpoint (20)
.conf Go 2023 - Raiffeisen Bank International, by Splunk
This document discusses standardizing security operations procedures (SOPs) to increase efficiency and automation. It recommends storing SOPs in a code repository for versioning and referencing them in workbooks which are lists of standard tasks to follow for investigations. The goal is to have investigation playbooks in the security orchestration, automation and response (SOAR) tool perform the predefined investigation steps from the workbooks to automate incident response. This helps analysts automate faster without wasting time by having standard, vendor-agnostic procedures.
.conf Go 2023 - The Right Recipe for the Digital (Security) Revolution to..., by Splunk
.conf Go 2023 presentation:
"The Right Recipe for the Digital (Security) Revolution Towards Telematics Infrastructure 2.0 in Healthcare?"
Speaker: Stefan Stein -
Team Lead CERT | gematik GmbH, M.Eng. IT Security & Forensics,
doctoral student at TH Brandenburg & Universität Dresden
The document describes Cellnex's transition from a Security Operations Center (SOC) to a Computer Security Incident Response Team (CSIRT). The transition was driven by Cellnex's growth and the need to automate processes and tasks to improve efficiency. Cellnex implemented Splunk SIEM and SOAR to automate the creation, remediation and closure of incidents. This allowed staff to concentrate on strategic tasks and improve KPIs such as resolution times and e-mails
.conf Go 2023 - The Road to Cybersecurity (ABANCA), by Splunk
This document summarizes ABANCA's journey toward cybersecurity with Splunk, from adding dedicated staff in 2016 to becoming a monitoring and response center with more than 1TB of daily ingest and 350 use cases aligned with MITRE ATT&CK. It also describes mistakes made and solutions implemented, such as normalizing data sources and training operators, and the current pillars such as automation, visibility and alignment with MITRE ATT&CK. Finally, it points out challenges
Splunk - BMW connects business and IT with data driven operations SRE and O11y, by Splunk
BMW is defining the next level of mobility - digital interactions and technology are the backbone to continued success with its customers. Discover how an IT team is tackling the journey of business transformation at scale whilst maintaining (and showing the importance of) business and IT service availability. Learn how BMW introduced frameworks to connect business and IT, using real-time data to mitigate customer impact, as Michael and Mark share their experience in building operations for a resilient future.
The document is a presentation on cyber security trends and Splunk security products from Matthias Maier, Product Marketing Director for Security at Splunk. The presentation covers trends in security operations like the evolution of SOCs, new security roles, and data-centric security approaches. It also provides updates on Splunk's security portfolio including recognition as a leader in SIEM by Gartner and growth in the SIEM market. Maier highlights some breakout sessions from the conference on topics like asset defense, machine learning, and building detections.
Data foundations building success, at city scale – Imperial College LondonSplunk
Universities have more in common with modern cities than traditional places of learning. This mini city needs to empower its citizens to thrive and achieve their ambitions. Operationalising data is key to building critical services; from understanding complex IT estates for smarter decision-making to robust security and a more reliable, resilient student experience. Juan will share his experience in building data foundations for a resilient future whilst enabling digital transformation at Imperial College London.
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
Learn how Vodafone has provided end-to-end visibility across services by building an Operational Analytics Platform. In this session, you will hear how Stefan and his team manage legacy, on premise, hybrid and public cloud services, and how they are providing a platform for complex triage and debugging to tackle use cases across Vodafone’s extensive ecosystem.
.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own.
Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo.
So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including:
Top challenges faced in improving security posture
Key KPIs implemented in order to measure success
Strategies and approaches applied in the SOC
How MITRE ATT&CK and Splunk Enterprise Security were utilised
Next steps in their maturity journey ahead
This document summarizes a presentation about observability using Splunk. It includes an agenda introducing observability and why Splunk for observability. It discusses the need for modernization initiatives in companies and the thousands of changes required. It presents that Splunk provides end-to-end visibility across metrics, traces and logs to detect, troubleshoot and optimize systems. It shares a customer case study of Accenture using Splunk observability in their hybrid cloud environment. Finally, it concludes that observability with Splunk can drive results like reduced downtime and faster innovation.
This document contains slides from a Splunk presentation covering the following topics:
- Updated Splunk logo and information about meetings in Zurich and sales engineering leads
- Ideas for confused or concerned human figures in design concepts
- Three buckets of challenges around websites slowing, apps being down, and supply chain issues
- Accelerating mean time to detect, identify, respond and resolve through cyber resilience with Splunk
- Unifying security, IT and DevOps teams
- Splunk's technology vision focusing on customer experience, hybrid/edge, unleashing data lakes, and ubiquitous machine learning
- Gaining operational resilience through correlating infrastructure, security, application and user data with business outcomes
This document summarizes a presentation about Splunk's platform. It discusses Splunk's mission of helping customers create value faster with insights from their data. It provides statistics on Splunk's daily ingest and users. It highlights examples of how Splunk has helped customers in areas like internet messaging and convergent services. It also discusses upcoming challenges and new capabilities in Splunk like federated search, flexible indexing, ingest actions, improved data onboarding and management, and increased platform resilience and security.
The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.
"Financial Odyssey: Navigating Past Performance Through Diverse Analytical Lens"sameer shah
Embark on a captivating financial journey with 'Financial Odyssey,' our hackathon project. Delve deep into the past performance of two companies as we employ an array of financial statement analysis techniques. From ratio analysis to trend analysis, uncover insights crucial for informed decision-making in the dynamic world of finance."
Codeless Generative AI Pipelines
(GenAI with Milvus)
https://ml.dssconf.pl/user.html#!/lecture/DSSML24-041a/rate
Discover the potential of real-time streaming in the context of GenAI as we delve into the intricacies of Apache NiFi and its capabilities. Learn how this tool can significantly simplify the data engineering workflow for GenAI applications, allowing you to focus on the creative aspects rather than the technical complexities. I will guide you through practical examples and use cases, showing the impact of automation on prompt building. From data ingestion to transformation and delivery, witness how Apache NiFi streamlines the entire pipeline, ensuring a smooth and hassle-free experience.
Timothy Spann
https://www.youtube.com/@FLaNK-Stack
https://medium.com/@tspann
https://www.datainmotion.dev/
milvus, unstructured data, vector database, zilliz, cloud, vectors, python, deep learning, generative ai, genai, nifi, kafka, flink, streaming, iot, edge
Build applications with generative AI on Google CloudMárton Kodok
We will explore Vertex AI - Model Garden powered experiences, we are going to learn more about the integration of these generative AI APIs. We are going to see in action what the Gemini family of generative models are for developers to build and deploy AI-driven applications. Vertex AI includes a suite of foundation models, these are referred to as the PaLM and Gemini family of generative ai models, and they come in different versions. We are going to cover how to use via API to: - execute prompts in text and chat - cover multimodal use cases with image prompts. - finetune and distill to improve knowledge domains - run function calls with foundation models to optimize them for specific tasks. At the end of the session, developers will understand how to innovate with generative AI and develop apps using the generative ai industry trends.
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...Social Samosa
The Modern Marketing Reckoner (MMR) is a comprehensive resource packed with POVs from 60+ industry leaders on how AI is transforming the 4 key pillars of marketing – product, place, price and promotions.
2. Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
6. Session Goals

• Understand why you should Splunk the endpoint
• Believe that the Universal Forwarder is awesome
• Learn about customer success
• Get some artifacts you can use
• Bring home what you can do today

7. WHY?

1. It is relatively inexpensive to Splunk your endpoints, and it will improve your security posture.
2. VISIBILITY! You will have more complete information in the case of a breach.
3. The information from your endpoints maps well to security guidance, including the CSC 20 and the ASD top 35.

8. You may have heard…

Endpoint/Server Vulnerabilities
Endpoint-Based Malware

9. So these happened in 2014/2015…

Endpoint/Server Vulnerabilities
Endpoint-Based Malware

Could we be more secure if we … the endpoints?

12. The Endpoint is important!

Closest to humans
Versatile
Underprotected
Data-rich

13. The Endpoint is important!

Closest to humans
Versatile
Underprotected
Data-rich

70% of successful breaches start on the endpoint* (*IDC study 2014)

14. The UF: It’s more than you think

The Universal Forwarder allows you to … your endpoints.
Logs
19. Splunk Forwarder for ETD*!

• “Free”
• Lightweight
• Secure
• Runs on many versions of Windows & *NIX & OSX
• Flexible
• Centrally configurable
• SCALE!

*Endpoint Threat Detection (Response?)

Come on. Is anyone using the Universal Forwarder in this way? YES.

20. Use Case 1: Large Internet Company

Architecture diagram labels: internet / UF x10,000! (individual certs) / DMZ: Int. forwarders / on prem: …x (many indexers), DS (install, config), search

• Windows event logs
• OSX /var/log/*
• Carbon Black output
• Crash logs for IT Ops
• Custom script for apps installed
• UNIX TA (upon request)
• Windows TA (upon request)
• Additional granularity for execs and their admins
• Moving to Splunk Cloud!

22. Additional ways to gather endpoint data

Proxy Logs
Integrity Management
NG Endpoint Protection
Whitelisting

Look for apps on splunkbase!

23. Back to these breaches…

Endpoint-Based Malware:
Registry Entries
System Event Logs
New Services
New Files
Comms/Running Proc
Security Event Logs
Known Vulns/Apps

24. Let’s map these to the capabilities of the UF…

Registry Entries
System Event Logs
New Services
New Files
Comms/Running Proc
Security Event Logs
Known Vulns/Apps
25. We configure the forwarder to give us data of interest

Registry Entries: WinRegMon
System Event Logs: WinEventLog:System and WinHostMon
Security Event Logs: WinEventLog:Security + Auditing
New Services: Scripted Inputs, WinEventLog:System
New Files: WinEventLog:Security
Comms/Running Proc: TA-Microsoft-Sysmon, Stream, WinHostMon
Known Vulns/Apps: Windows Update Monitor (WindowsUpdate.log), Scripted Inputs or WinHostMon

Configuration examples? See demo & appendix.
26. What could we look for?

• ANY new Windows services
• Registry being written to where it should not
• Users that shouldn’t be used
• Unusual/unapproved processes being launched and their connections/hashes
• Unusual/unapproved ports/connections in use
• Unapproved USB devices being inserted
• New files in places they should not be (Windows\System32…)
• Files that look like one thing but are really another
• New drive letters being mapped
• Lack of recent Windows updates
• Versions of software known to be vulnerable
• …and more

INSTANT, GRANULAR DATA ABOUT COMMON BEHAVIOR OF WINDOWS MALWARE!

28. Use Case 2: UF for ATM Security + Fraud

• Bank uses ATMs that are Windows-based
• Each ATM has a UF installed, securely sending data to an intermediate forwarder on prem and then up to Splunk Cloud
• Data retrieved from custom ATM logs – can understand what’s going on within 1-2 seconds
• Customer reps can see what the problem is easily
• Understand baseline – when are ATMs popular? Handle the cash levels
• Understand fraud – has someone stolen a card + PIN and is hitting ATMs in close clusters? “Superman” correlation
• Conversion Opp: know that a 3rd-party bank customer hits a bank ATM every Friday for $200

Regional Bank in NE, US
38. Endpoint info critical to CSC (SANS) 20

1 & 2: Log hardware info, running procs/svcs
3: Scripted inputs to check for config issues
4: Evaluate processes/services for vulns
5: Look for malicious new services/processes
11: Look for malicious ports/protocols
12: Look for local use of priv accounts
14: Gather Windows events/*NIX logs
16: Evaluate use of screensaver locks
17: Identify lapses in local encryption

You could do all of that with the Universal Forwarder. Similar mappings to ASD 35…
41. Remember this? shellshock

• Publicly announced on 24/9/2014.
• One Vulnerability Management vendor had a plugin on 25/9. That’s pretty good!
• Others followed on 26/9 and 29/9 – not so good.
• These require authenticated scans.

42. Remember this? shellshock

• Publicly announced on 9/24/2014.
• One Vulnerability Management vendor had a plugin on 9/25. That’s pretty good!
• Others followed on 9/26 and 9/29 – not so good.
• These require authenticated scans.

Could … make this process more timely?
44. The Universal Forwarder as self-help guru

• If you had the Splunk UF on all of your production *NIX servers…
• You could very quickly program them to find shellshock (or ghost, or poodle, or heartbleed).
• You avoid Vulnerability Management Vendor Lag
• You could then report on remediation efforts over time.
• And the data ingest would be very small.

45. 5 Step Vulnerability Tracking Strategy

1. On day one, become aware of vulnerability
2. Google “how to detect $vulnerability$”
3. Adopt code via script (shell, batch, etc) and place into your Splunk deployment server
4. Forwarders run code and deliver results into Splunk indexers
5. Report on the results

A good step by step
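Steps 3 and 4 of the strategy above as one concrete scripted input, added here and not part of the deck: the deployment server pushes the script inside an app, the forwarder runs it on an interval, and each run emits one key=value event that the reporting in step 5 can search. The app name, path, interval, index and sourcetype are assumptions; the probe is the widely published harmless bash self-check for the original shellshock bug.

```shell
#!/bin/sh
# Added example, not from the deck: a scripted input for steps 3 and 4 of the
# 5-step strategy. The deployment server pushes it inside an app; the forwarder
# runs it on an interval and indexes whatever it prints. App name, path,
# interval, sourcetype and index below are assumptions.
#
#   [script://$SPLUNK_HOME/etc/apps/TA-vulncheck/bin/check_shellshock.sh]
#   interval = 3600
#   sourcetype = vulncheck
#   index = endpoint
#   disabled = 0

# Probe the local bash for the original shellshock bug with the widely published
# harmless check: export a function definition that carries a trailing command.
# An unpatched bash runs the trailing echo while importing the function; a
# patched bash ignores it. Prints one of: vulnerable, patched, absent.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    out=$(env x='() { :;}; echo shellshock_probe' bash -c 'true' 2>/dev/null)
    case "$out" in
        *shellshock_probe*) echo vulnerable ;;
        *)                  echo patched ;;
    esac
}

# Version string for the report, so remediation can be tracked per build.
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo none; return 0; }
    bash -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null
}

# One key=value event per run; Splunk extracts the fields automatically.
# Arguments: status, version, host (passed in so they can be constructed).
format_event() {
    printf '%s host=%s vuln=shellshock bash_version="%s" status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$2" "$1"
}

# What the forwarder runs: probe, then emit the line to stdout.
run_check() {
    format_event "$(shellshock_status)" "$(bash_version)" \
        "$(hostname 2>/dev/null || echo unknown)"
}

run_check
```

Reporting then becomes a search over the vulncheck sourcetype, for example the latest status per host, which gives the remediation-over-time view slide 44 describes.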
46. Use Case 3: UF for Shellshock Tracking

“We wrote it on the same day and ran it – it was really fundamental to our defense.” – Mark Graff, NASDAQ

Shellshock on 20,000 Linux, Solaris, AIX servers tracked in Splunk (Large payment processing company)

47. How about wire data?

• Technology Add-on or TA (Splunk_TA_stream)
• Provides a new Data Input called “Wire Data” – passively captures traffic using a modular input – C++ executable called “Stream Forwarder” (streamfwd)
• Captures application layer (level 7) attributes
• Automatically decrypts SSL/TLS traffic using RSA keys (given the server’s private RSA key; passive decryption of this kind does not apply to forward-secret (EC)DHE sessions)

Turn the UF into a little network sniffer

48. Stream Protocols/Platforms Supported

• UDP
• TCP
• HTTP
• IMAP
• MySQL (login/cmd/query)
• Oracle (TNS)
• PostgreSQL
• Sybase/SQL Server (TDS)
• FTP
• SMB
• NFS
• POP3
• SMTP
• LDAP/AD
• SIP
• XMPP
• AMQP
• MAPI
• IRC
• DNS
• DHCP
• RADIUS
• Diameter
• BitTorrent
• SMPP

Supports Windows 7 (64-bit), Windows 2008 R2 (64 bit), Linux (32-bit/64-bit) and Mac OSX (64-bit)
56. How much data?

That’s more like it. 16MB of Sysmon, 5.5MB of Windows events = 21.5MB per endpoint.
Coverage for 1,000 Windows endpoints? 21.5GB ingest, per day.

57. Sysmon with network/image filtering?

You still get…
• Start/Stop of all processes
• Process names & full command line args
• Parent/child relationships (GUIDs) between processes
• Session IDs
• Hash and user data for all processes
• Filenames that have their create times updated

You lose…
• Driver/DLL loads with hash data
• Network communication per process (TCP and UDP) including IP address, size, port data
• Ability to map communication back to process GUID and session ID

You retain far more function than you lose.

58. So you can still do…

I surfed a whole lot in Chrome today…listened to some tunes, too!

59. And also… I really DID work on that 300 slide powerpoint before lunch, I swear!
60. In Sum

1. If you’re not Splunking the data from your various endpoints today, you should be.
2. The Splunk Universal Forwarder is a super-powerful tool to use on your endpoints: it is free to install, scales well, can be centrally configured, and its data volumes are quite reasonable.
3. For Windows, event data is critical. Sysmon data is great too, and free to install.
4. Other customers from many verticals are having continued success with the data they can gather from endpoints.

65. Sysmon Info

• Blog post from November, 2014
• App available on Splunkbase, works with current (3.1) version of Sysmon:
• Forwarder 6.2+ needed to get XML formatted Sysmon data (a good idea, cuts down on size)
66. Sysmon Filters

• This works for Sysmon 3.1+
• Add what you need
• If you actually want Image and Network data, add those stanzas
• Email brodsky@splunk.com for links to example files!

Filter out all the Splunk activity

67. Sysmon Config List

• sysmon -c with no filename will dump config

Image and Network disabled

68. Sysmon Config Load

• sysmon -c with filename will load config
• No restart needed
• Ignore errors
• Run as admin (or script as admin)

75. Registry Monitoring config

• Simple examples shown here
• Email sob@splunk.com for an extensive registry monitoring config based on Autoruns

76. PLACEHOLDER: Winreg

Will have link and other info here detailing how to do windows registry with sample config of 400+ registry keys to monitor. If you monitor the right reg key you can find new USB insertions.
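The forwarder configuration that the slide 25 mapping and the registry appendix (slides 75 and 76) describe, as an added example rather than the deck’s own config: stanza names, index names, intervals and the hive patterns are assumptions, while the input types (WinRegMon, WinEventLog, WinHostMon, monitor) and their keys are standard Universal Forwarder inputs.conf settings.

```ini
# Added example, not from the deck: a UF inputs.conf implementing the slide 25
# mapping and the registry stanzas promised for slides 75/76. Index names,
# intervals and hive patterns are assumptions; input types and keys are standard.

# Registry Entries -> WinRegMon. Watch autorun persistence keys rather than
# the whole registry (hive is a regex; the whole tree is far too noisy).
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*
proc = .*
type = set|create|delete|rename
index = endpoint

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*
proc = .*
type = set|create|delete|rename
index = endpoint

# "The right reg key" for USB insertions (slide 76): new storage devices are
# enumerated under USBSTOR, so creates there flag a device being plugged in.
[WinRegMon://usb_storage]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\.*
proc = .*
type = create|set
index = endpoint

# System and Security Event Logs -> WinEventLog (Security needs audit policy on).
[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
current_only = 1
index = wineventlog

# Comms/Running Proc -> Sysmon channel; renderXml needs UF 6.2+ (slide 65).
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

# New Services / Running Proc -> WinHostMon snapshots; diff consecutive
# snapshots in a search to catch a service that appeared since the last poll.
[WinHostMon://services]
disabled = 0
type = Service
interval = 300
index = endpoint

# Known Vulns/Apps -> the Windows Update log (path valid for the Windows 7 /
# 2008 R2 era hosts the deck targets).
[monitor://C:\Windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = endpoint
```

Deploy it as an app from the deployment server rather than editing each endpoint, which is what makes the slide 20 scale (thousands of forwarders) manageable.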
77. Registry Results

• USB inserted with BlackPOS malware
• Malware executed – these are the registry changes logged