The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018

© 2018 SPLUNK INC.© 2018 SPLUNK INC.
from: >event
to: >automated incident response
The Splunk AISecOps Initiative
Angelo Brancato, Security Specialist, EMEA
Juerg Fischer, Senior Sales Engineer
12.12.2018 / Version 1.0

© 2018 SPLUNK INC.
▶ 13:45 - Welcome
▶ 14:00 - End to End Security Operations with Splunk >Portfolio
▶ How to get from machine data to correlation to automation and
collaboration to efficiently defend the attacker
▶ 15:15 - Break
▶ 15:30 - Splunk Security Products Roadmap update - and latest .Conf
2018 Innovation Highlights
▶ 16:30 - End to End Security Operations with Splunk >Demo
▶ 17:15 - Close & Christmas Apero
Agenda

© 2018 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.
Forward-Looking Statements

© 2017 SPLUNK INC.
Todays Challenges in Security
Investigation
Splunk Security Products
Portfolio
Enjoy the journey from the
event to an automated Incident
Management System
Agenda

© 2018 SPLUNK INC.
▶ The Whiteboard frame-
work will be used to have
a focused, personalized,
and differentiated
discussion about the
Splunk journey.
▶ It allows to explain the
journey in a consistent
way and integrate the
proof points including
initiatives and
expectations.
Turn machine data into answers

© 2018 SPLUNK INC.
© 2018 SPLUNK INC.
OUR MISSION

© 2017 SPLUNK INC.
Splunk turns machine data into answers
Network
Servers
DevOps
Users
Cloud Security
Databases
O F T H E
Same Data
D I F F E R E N T
People
A S K I N G D I F F E R E N T
Questions

THREATS
ARE MORE
COMPLEX AND
FAR REACHING
NOT CLOSING
THE SKILLS GAP
SECURITY TO
ENABLE BUSINESS
AND THE MISSION

T I E R 1 A N A LY S T
W O R K W I L L B E
A U T O M AT E D
T I M E N O W S P E N T
T U N I N G D E T E C T I O N
A N D R E S P O N S E
L O G I C
P L AT F O R M T O
O R C H E S T R AT E
T H E M A L L
90%
50%
1

© 2018 SPLUNK INC.
Splunk Security Portfolio
DATA
PLATFORM
ANALYTICS OPERATIONS
Platform for Machine Data

© 2018 SPLUNK INC.
Splunk Security Portfolio
DATA
PLATFORM
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
+
Free Apps
125+ Examples, with 180+ Searches
Data Onboarding Guides
Content Mapping (MITRE ATT&CK, Killchain etc.)
Mapping to Premium Apps
On-Prem, Cloud, SaaS or Hybrid
Performance at Scale
Open Ecosystem
Native ML/AI Integration

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
+
Free Apps
...
Many great, free Apps to solve a specific Problem

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
ASSET AND
IDENTITY
CORRELATION
NOTABLE
EVENT &
INVESTIGATION
THREAT
INTELLIGENCE
RISK
ANALYSIS
ADAPTIVE
RESPONSE
CONTENT
UPDATE
+

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
+
ANALYTICS DRIVEN SECURITY
MATHMATICAL
STATISTICAL
CALCULATION
ANOMALIES /
PREDICTION
with ML
Correlations
and notable events
EVENT &
INFORMATION
CORRELATION
RISK

© 2017 SPLUNK INC.
Bad
Likely Bad
Looks Bad
Could Be Bad
What is actionable?
Events from security tools
Typically low fidelity (“could be bad”) and
not intrinsically actionable
Correlated Events
Typically medium fidelity (“looks bad”) and
most of the time not actionable
Behavior-based Correlated Events
High fidelity (“likely bad”) and
requires attention
Behavior- & Risk-based Correlated Events
High fidelity (“bad”) and
requires action

© 2017 SPLUNK INC.
Bad
Likely Bad
Looks Bad
Could Be Bad
What is actionable?My Team is overwhelmed!
Facts :
• Not enough time to review alerts
• Not enough staff to review alerts
Results :
• Critical Incidents not reviewed
• Breaches and damages
Correlated Events
requires attention
requires action

© 2017 SPLUNK INC.
Bad
Likely Bad
Looks Bad
Could Be Bad
What is actionable?My Team’s Focus should be here!
What’s Needed?
• Instead of “Matching Events”,
need to detect changes with
objects and groups
How?
• Analytics + Risk based approach
• Calculate risks using analytics
Correlated Events
requires attention
requires action

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
+ +

© 2017 SPLUNK INC.
How Does Splunk UEBA Work?
Anomaly
classifications and
Custom Anomalies
Threat
Classifications
Machine
Learning
Suspicious Data
Movement
Unusual Machine
Access
Flight Risk User
Unusual Network
Activity
Machine Generated
Beacon
Machine
Learning
Lateral Movement
Suspicious Behavior
Compromised
Account
Data Exfiltration
Malware Activity
PROXY SERVER
FIREWALL
DNS, DHCP
ACTIVE DIRECTORY /
DOMAIN CONTROLLER
Optional:
VPN, Endpoint, DLP
… …
Specialized
Threat Models
Kill-chain
Analysis
Graph
Analysis
Custom
Threats
Batch
Models
Streaming
Models

© 2017 SPLUNK INC.
Search
and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk
Insight &
Automation
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
DATA
PLATFORM
+ +
Optional
Optional

Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED MANUAL (TODAY)
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
SOAR for Security Operations
Faster execution through the loop yields better security

Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED AUTOMATED WITH PHANTOM
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
SOAR for Security Operations
Faster execution through the loop yields better security
ACTION RESULTS /
FEEDBACK LOOP

© 2017 SPLUNK INC.
What is the analytics driven approach in security?
MATHMATICAL
STATISTICAL
CALCULATION
ANOMALIES /
PREDICTION
with ML
ANALYTICS DRIVEN SECURITY
Correlations
and notable events
EVENT &
INFORMATION
CORRELATION
RISK AUTOMATION

© 2017 SPLUNK INC.
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access
The thought process
The intuition
The reflexes
Machine
Learning &
Adaptive
Operations &
Analytics
Driven
Security &
Splunk as the Security Nerve Center

© 2017 SPLUNK INC.
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access
The thought process
The intuition
The reflexes
Machine
Learning &
Adaptive
Operations &
Analytics
Driven
Security &
T I E R 1 A N A LY S T
W O R K W I L L B E
A U T O M AT E D
T I M E N O W S P E N T
T U N I N G D E T E C T I O N
A N D R E S P O N S E
L O G I C
P L AT F O R M T O
O R C H E S T R AT E
T H E M A L L
90%
50%
1

© 2017 SPLUNK INC.
Splunk Positioned as a Leader in Gartner 2018 Magic Quadrant for
Security Information and Event Management*
▶ Six Years in a Row as a Leader
▶ Highest Overall in “Ability to
Execute”
Gartner disclaimer: Gartner, Inc., 2018 Magic Quadrant for Security Information and Event Management, and Critical
Capabilities for Security Information and Event Management, Kelly M. Kavanagh, Toby Bussa. 10 August 2018. This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire
document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or
service depicted in its research publications, and does not advise technology users to select only those vendors with the highest
ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should
not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research,
including any warranties of merchantability or fitness for a particular purpose.

© 2018 SPLUNK INC.
Splunk in a Security Operation Center

© 2018 SPLUNK INC.
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access
The thought process
The intuition
The reflexes
Machine
Learning &
Adaptive
Response &
Analytics
Driven
Security &

© 2018 SPLUNK INC.
Power a
Collaborative
SOC AUTOMATION AND
ORCHESTRATION
INTERCONNECTED
SECURITY STACK
MACHINE LEARNING TO
AUGMENT HUMAN SKILLS
Adaptive
Response
ML

© 2018 SPLUNK INC.
SOC Playbooks
Splunk for the SOC - Overview
Machine
Data
Monitor Detect Investigate Respond
Schema-On-Read
Enterprise
On-Premise, Cloud, Hybrid
Universal Indexing
Tier 1 - Alert Analyst
Notable Event Triage
Tier 2 - Incident Responder
Tier 3 - SME / Hunter
Process
People
Technology

© 2018 SPLUNK INC.
LIVE DEMO
 Splunk Sear c h
 Same data differ ent lens es

© 2018 SPLUNK INC.
Avoid the “Medienbruch”
Drawing from independent.co.uk, modified

© 2018 SPLUNK INC.
Avoid the “Medienbruch”
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access
Drawing from independent.co.uk, modified

© 2018 SPLUNK INC.
Starting with a SIEM solution
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
Dashboards & Reports
Incident Investigations
and Management
Statistical Outliers & Risk Scoring Asset & Identity Aware
• Correlation- and Notable Event
Framework
• Risk Scoring Framework
• Out of the box key Security Metrics,
Dashboards, Use Cases & Analytic
Stories
• Incident Investigation workflow
• Adaptive Response
• Glass Tables,
• etc…
Detect, Investigate & Response

© 2018 SPLUNK INC.
Splunk UBA is an out-of-the-box
solution that helps organizations
find unknown threats and
anomalous behavior with the
use of machine learning
What’s about anomalous behavior?
critical and actionable
unknown threats

© 2018 SPLUNK INC.
Enhanced Investigation with Splunk
Drill down into triggering events
Investigation starts in UBA and continues in core
Targeted hunting using automated SPL
Leverages anomaly data from users and assets
Collect more supporting evidence
Further your investigation with focused timestamps
View relationships across data sources
Map models and anomalies to generated threat
Identify missing data sources
Gain additional scope and context of threats
Drill down into raw events

© 2018 SPLUNK INC.
• Account Takeover
• Suspicious Behavior
• Lateral Movement
• Cloud Security
• External Alarm
• Find malware
• Identify malware patient zero
• Investigating zero-day activity
• Find data exfiltration
• Detect suspicious activity
• Monitor threat activity
• 120+ Security Controls
Target external attackers and
insider threat
• Scales from small to massive
companies
• Can sends results to ES/UBA
Splunk Use Cases
Faster detection with field proved use cases and analytic stories
UBA
Enterprise
Security
Security
Essentials

© 2018 SPLUNK INC.
• Risky behavior detection
• Entity profiling, scoring
• Kill chain, graph analysis
Detect, Investigate &
Respond
Investigate
Realm of
Known
Human-driven
Detect
Realm of
Unknown
Machine Learning -driven
• Log aggregation
• Rules, statistics, correlation
• Ad hoc searches and data pivot
Investigation and Detection >better together
Beyond the Known to the Unknown
• Centralized view
• Security Metrics
• Adaptive Response
• Collaboration
• Risk Analysis

© 2018 SPLUNK INC.
SOC Playbooks
Machine
Data
Adaptive Response / SOAR
Schema-On-Read
Universal Indexing
Process
People
Technology
1.
2.
3.
i.e.
i.e. calculate command length standard deviation - stdev
Enterprise

© 2018 SPLUNK INC.
SOC Playbooks
Machine
Data
Universal Indexing
Orchestrate / Automate
1 2 3
1 Detection
- Correlation
- Statistics
- Machine Learning
- Risk
2 Investigation
- Manual: Forensics / SPL
- Auto: Phantom SOAR
Playbook automation
3 Response
- Basic: Workflow Actions /
ES Adaptive Response
- Advanced: Phantom
SOAR
- Collaboration: Ticketing/
Collaboration Tool
Enterprise

© 2018 SPLUNK INC.
INEFFICIENT &
INCONSISTENT
PROCESS
STAFFING
CHALLENGES
INCREASING
EXPOSURE
Security Operations Challenges
BEFORE PHANTOM
SITUATION
• Limited & stretched resources
• Complex infrastructure with wide range of
technologies from multiple security vendors
• Alert fatigue
• Expanding/changing attack surface
EFFICIENCY REPEATABLE &
AUDITABLE
DECREASING
DWELL TIMES
Outcomes with Phantom
AFTER PHANTOM
SITUATION
• Resources can focus on strategic security activities
• Faster investigations across complex infrastructure
• Increase SecOps process and team efficiency
• Reduce the attack surface risk through automation
▶ Reduced alert investigation times from 30-45 minutes to less than one minute
▶ Applied a consistent approach to alert management and investigation, eliminating human error
▶ Increased resource efficiency by turning manual, repetitive tasks into automated processes
The SOAR solution

© 2018 SPLUNK INC.
Enterprise SecurityUBA
Notable Events
Triage & Event CockpitSplunk
Scheduled
Searches
SOAR High level Architecture
ITSM
Monitoring
Use Case 1
Monitoring
Use Case 2
Monitoring
Use Case 3
Ticketing
System
Splunk Native
Email SPAM Malware
Monitoring Use Case
SOAR Platform Phantom
Sec. Event >Case Management
Operation Procedures as
“human workflow”
Cockpits, Reporting & KPI
SOC
Event
Handling
CERT
Incident
Handling

© 2018 SPLUNK INC.
Enterprise SecurityUBA
Notable Events
Triage & Event CockpitSplunk
Scheduled
Searches
SOAR High level Architecture
Monitoring
Use Case 1
Monitoring
Use Case 2
Monitoring
Use Case 3
SOAR Platform Phantom
Sec. Event >Case Management
Operation Procedures as
“human workflow”
Cockpits, Reporting & KPI
SOC
Event
Handling
CERT
Incident
Handling
IMAP
Escalation
Case/Incident Drill Down
Analysis & Correlation
- ServiceNow
- Remedy3
Splunk Native
Email SPAM Malware
Monitoring Use Case
4
run
playbooks lookups
and
enrichment
Control
workload
in analysts
teamuse events
to analyze
Create
and maintain
cases
generate
reports
and metrics
Container for
Events
Playbooks
Ticket-System
Back to Splunk ITSM
Ticketing
System

© 2018 SPLUNK INC.
▶ App’s are being used to ingest Data
▶ And App’s are used to respond / connect to a target
System for interaction as Incident Respond.
Phantom APP concept
Data Source
External Data &
analytic tools
SIEM
Threat intel platform
Email
Data lake
APP process
Poll
Normalize data
Phantom
Orchestration & decision making
Playbook / action execution
APP process
Invoke action
Return data
Assets
Security tools &
action targets
Firewall
Endpoint
Malware sandbox
Reputation service
https://www.phantom.us/apps/

© 2018 SPLUNK INC.
Security Use Case Study – Full Automation
Monitor Detect
1
2
3
4
5
6
7
8
9
10
detonate file
url reputation
ip reputation
query other recipients
check user profile
update notable event
potential
phishing
create ticketcollaboration
response
Investigate
Respond

© 2018 SPLUNK INC.
Phantom Automation Insights
Container
Label: xx
Container
Label: xx
Container
Label: xx
Container
Label: splunk
Container
Label: siem
Container to
ingest events
Run
playbook
Notable
Event / Alert
playbook sample
Enrichment
with Actions
and Apps
User Input or
Approval
Action are based
on configured
Apps
Action could
include create or
change Ticket
Number of
containers can
reflect tenants
Containers can
be based on
data sources
Notable
Event / Alert
Notable
Event / Alert

© 2018 SPLUNK INC.
Summary
▶ Incident Response is getting more challenging because the attacks
are more sophisticated
▶ Security processes have to be improved to a higher maturity
▶ A holistic view is the key
▶ Automation is necessary for SOC/CERT to solve the simple
Investigations in seconds
Think about “AISecOPS”

The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018

More Related Content

What's hot

Similar to The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018

More from Splunk

Recently uploaded

The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018