Solve Your Security Challenges with Splunk Enterprise Security
Michel Oosterhof | Staff Sales Engineer
16 May 2018
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
© 2018 SPLUNK INC.
What Can You Expect From This Session?
1. Common Security Challenges
2. Methods to Strengthen Security Posture
3. How Splunk Can Help
Common Security Challenges
Cyber Criminals, Nation States, Insider Threats
▶ 100%: valid credentials were used
▶ 40: average # of systems accessed
▶ 146: median # of days before detection
▶ 65%: of victims were notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014/2015/2016/2017
Strengthen Your Security Posture
1. Centralize Analysis
2. Investigative Mindset
3. Operationalize

Central Analysis: 4 Ways to Improve Posture Quickly
Endpoint | Access/Identity | Network | Threat Intelligence
Understanding Your Endpoints: Processes, File Info/Access, User Activity
Data sources (Endpoints):
▶ End Point System: Windows Sysmon, Network, File Info
▶ Endpoint Security: Virus, Malware, Spyware, Whitelisting, Behaviors
What You Discover
▶ Frequency of application executions, unique applications
▶ Non-corporate-approved applications
▶ Known malicious executables
Benefit
▶ Visibility into application executions
▶ Understanding of unknown applications: by whom, where, and how often they run
Access and Identity: Who, Why and Credential Abuse
Data sources (Access/Identity):
▶ Windows Security Events: Active Directory and Authentication Logs
What You Discover
▶ Credentials used in multiple locations, or shared by users
▶ Admin credential abuse
▶ Login frequencies, users moving around quickly
▶ Users failing authentications while trying to discover internal/external resources
Benefit
▶ Uncover unusual login patterns
▶ Track user behavior
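Two of the Access/Identity discoveries above (credentials used in multiple locations, and failed authentications used to discover resources) expressed as detection logic. This is an added example, not code from the deck or from Splunk ES; it is a Python stand-in for the ES correlation search, run over constructed Windows Security event lines in a simplified key=value form, with the thresholds and windows chosen as assumptions.

```python
"""Detections for the two Access/Identity use cases above, run over constructed
Windows Security event lines (a stand-in for the Splunk ES search)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the deck), simplified to key=value form.
# EventCode 4624 = successful logon, 4625 = failed logon, as in Windows logs.
SAMPLE_EVENTS = """\
2018-05-16T08:00:10 EventCode=4624 Account_Name=jdoe Src_Host=WS-101
2018-05-16T08:02:30 EventCode=4624 Account_Name=jdoe Src_Host=WS-233
2018-05-16T08:03:05 EventCode=4624 Account_Name=jdoe Src_Host=SRV-FILE01
2018-05-16T08:04:00 EventCode=4624 Account_Name=asmith Src_Host=WS-140
2018-05-16T09:10:00 EventCode=4625 Account_Name=svc_backup Src_Host=WS-140 Target=SRV-DB01
2018-05-16T09:10:02 EventCode=4625 Account_Name=svc_backup Src_Host=WS-140 Target=SRV-DB02
2018-05-16T09:10:04 EventCode=4625 Account_Name=svc_backup Src_Host=WS-140 Target=SRV-APP01
2018-05-16T09:10:06 EventCode=4625 Account_Name=svc_backup Src_Host=WS-140 Target=SRV-APP02
2018-05-16T12:00:00 EventCode=4625 Account_Name=asmith Src_Host=WS-140 Target=SRV-MAIL
"""

def parse(lines):
    """Parse each non-empty line into a dict; 'time' becomes a datetime."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            ts, *kvs = line.split()
            ev = dict(kv.split("=", 1) for kv in kvs)
            ev["time"] = datetime.fromisoformat(ts)
            events.append(ev)
    return events

def burst(events, code, field, window, threshold):
    """Per account, find the first sliding window in which events with the
    given EventCode show at least `threshold` distinct values of `field`.
    Returns {account: sorted distinct values} for each account that trips it."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == code:
            by_user[ev["Account_Name"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            vals = {e[field] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(vals) >= threshold:
                flagged[user] = sorted(vals)
                break
    return flagged

def multi_location_logons(events):
    """'Credentials used in multiple locations': 3+ source hosts in 10 min (assumed thresholds)."""
    return burst(events, "4624", "Src_Host", timedelta(minutes=10), 3)

def failed_auth_discovery(events):
    """'Failing authentications to discover resources': 3+ targets in 1 min (assumed thresholds)."""
    return burst(events, "4625", "Target", timedelta(minutes=1), 3)
```

On the sample data, jdoe trips the multi-location rule and svc_backup trips the failed-auth rule, while asmith's single failure stays below threshold; in production the same windowed distinct-count logic maps directly onto a `stats dc(...) by Account_Name` style search.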
Network Activity: Detecting Exfiltration and Unusual Communication
Data sources (Network):
▶ Network Access: ForeScout
▶ Firewall: Cisco, Palo Alto
▶ Network: DNS – Splunk Stream, DNS Server
What You Discover
▶ Who talked to whom, traffic volumes (in/out)
▶ Malware download/delivery, C2, exfiltration
▶ Horizontal and vertical movement
Benefit
▶ Determine how threats got in
▶ Systems and endpoints communicating internally
▶ Detect intellectual property theft, insiders
Threat Intelligence: Known and Early Warning Indicators
Data sources (Threat Intelligence):
▶ Threat Feeds: Public, Free, Private, Paid or Custom – ThreatConnect, Anomali
▶ Firewall: Cisco, Palo Alto Networks
What You Discover
▶ High-risk behaviors and patterns
▶ Undetected/unblocked malware and command & control activities
▶ Known indicators of compromise
Benefit
▶ Early warning of malicious activity
▶ Detect indications of C2 channels
▶ Confirm whether traffic is going to compromised or watch-listed sites
▶ Compromised systems communicating with each other
▶ Compromised endpoints
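The two threat-intelligence benefits above (confirming traffic to watch-listed sites, and spotting compromised systems talking to each other) as matching logic over firewall events. This is an added example, not code from the deck or from Splunk ES; the watch list, the firewall events and the 10.0.0.0/8 internal range are all constructed assumptions standing in for a real feed and a real index.

```python
"""Threat-intel matching for the Threat Intelligence use cases above, run over
constructed firewall events and a constructed watch list (a Python stand-in
for the Splunk ES threat-intel lookup; nothing here comes from the deck)."""
import ipaddress

# Constructed indicator list in the shape a feed would supply: value -> description.
WATCHLIST = {
    "203.0.113.45": "known C2 (constructed)",
    "198.51.100.0/24": "watch-listed hosting range (constructed)",
    "bad-updates.example": "malware delivery domain (constructed)",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range

SAMPLE_FLOWS = [  # constructed firewall events: src, dst, dport, queried domain if known
    {"src": "10.1.1.20", "dst": "203.0.113.45", "dport": 443, "domain": None},
    {"src": "10.1.1.20", "dst": "10.1.1.31", "dport": 445, "domain": None},
    {"src": "10.1.1.31", "dst": "198.51.100.77", "dport": 80, "domain": None},
    {"src": "10.1.1.40", "dst": "93.184.216.34", "dport": 443, "domain": "example.com"},
    {"src": "10.1.1.40", "dst": "10.1.1.20", "dport": 3389, "domain": None},
    {"src": "10.1.1.52", "dst": "192.0.2.10", "dport": 443, "domain": "cdn.bad-updates.example"},
]

def match_indicator(event):
    """Return the matching indicator description or None. Handles exact IPs,
    CIDR ranges and domains (a subdomain of a listed domain also matches)."""
    dst = ipaddress.ip_address(event["dst"])
    domain = event.get("domain") or ""
    for ind, desc in WATCHLIST.items():
        if "/" in ind:  # CIDR range indicator
            if dst in ipaddress.ip_network(ind):
                return desc
        elif ind[0].isdigit():  # single IP indicator
            if dst == ipaddress.ip_address(ind):
                return desc
        elif domain == ind or domain.endswith("." + ind):  # domain indicator
            return desc
    return None

def threat_hits(events):
    """(src, dst, indicator) for every event whose destination or queried
    domain is on the watch list: 'traffic going to watch-listed sites'."""
    hits = []
    for e in events:
        desc = match_indicator(e)
        if desc:
            hits.append((e["src"], e["dst"], desc))
    return hits

def suspect_lateral(events, hits):
    """Internal-to-internal flows whose source already has a threat hit:
    'compromised systems communicating with each other'."""
    compromised = {src for src, _, _ in hits}
    return [(e["src"], e["dst"]) for e in events
            if e["src"] in compromised and ipaddress.ip_address(e["dst"]) in INTERNAL]
```

Note that the internal range is declared explicitly rather than via `ip_address.is_private`, because Python treats the documentation ranges used here (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private and the lateral-movement check would otherwise misfire.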
Search and Investigate: Start Basic.
Platform for Operational Intelligence: Add More Data for More Insights
Core security data: Threat Intelligence, Network, Endpoint, Access/Identity
Other security-relevant data, on-premises, in private cloud and in public cloud: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Outputs: Dashboards and Reports, Analytics and Virtualization, Threat Intelligence
Splunk Enterprise Security Demo
Security Technologies Are Designed to Detect Bad/Suspicious Activity
Data (Endpoint, Network, Threat Intelligence, Access/Identity) → Indicator → Alert
Investigation possibilities:
▶ Data Breach
▶ Infection(s)
▶ Account Takeover
▶ Application Fault
▶ Misconfiguration
▶ Missing patch
▶ User Error
▶ Other (Ignore)
Developing an Investigative Mindset
ALERT: What specific questions do I want answered? Where do I look? What is the logic / methodology to apply? What’s an example?
▶ What happened?
▶ Who was involved?
▶ When did it start?
▶ Where was it seen?
▶ How did it get in?
▶ How do I contain it?
Importance of an Investigative Mindset
“Investigate”: gather data, analyze, pinpoint digital evidence
▶ Helps anyone handling alerts
▶ Gain control of posture
  • Old way – “escalate or ignore”
  • New way – find out what is actually going on
If each alert takes 10 min to investigate* and you handle 100 alerts a month (5 alerts a day, 20 days in a month):
100 x 10 = 1,000 min / 60 = 16 hours
If you reduce it to 5 minutes:
100 x 5 = 500 min / 60 = 8 hours
You get a day back (8 hours)
* assumes 14 – 28 cases in a shift
Splunk Enterprise Security Investigations Demo
Operationalize
How Do You Operationalize it All?
Endpoint, Network, Threat Intelligence, Access/Identity

Single Source of Truth
Endpoint, Network, Threat Intelligence, Access/Identity
▶ What happened?
▶ Who was involved?
▶ When did it start?
▶ Where was it seen?
▶ How did it get in?
▶ How do I contain it?
Splunk ES Content Updates
Splunk is the Security Nerve Center
Splunk Adaptive Response Initiative
Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
Phantom Security Operations Platform
Platform overview: Automation, Orchestration, Collaboration, Event Management, Case Management, Reporting & Metrics
Integrate your team, processes, and tools together.
▶ Work smarter by automating repetitive tasks, allowing analysts to focus on more mission-critical tasks.
▶ Respond faster and reduce dwell times with automated detection, investigation, and response.
▶ Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
Analytics-Driven Security: Portfolio
Premium Solutions: Enterprise Security; User Behavior Analytics
3rd Party Apps & Add-ons (590+)
Splunk Security Apps & Add-ons: Network data, RDBMS (any) data, Windows host data, Exchange data, Analytics for Hadoop, PCI Compliance, Security Essentials, App for AWS, ML Toolkit, Google Cloud, Microsoft Cloud, Windows Infrastructure
Platform for Operational Intelligence: Search and Investigate, Monitoring & Alerting, Dashboards and Reports, Incident & Breach Response
Capabilities: Discover Anomalous Behavior, Detect Unknown Threats, Automation & Orchestration, Threat Detection, Security Operations
Proactive Operations: Start With Top 5 CIS Controls
Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.
Source: Center for Internet Security, https://www.cisecurity.org/critical-controls.cfm

CIS Critical Security Controls
https://splunkbase.splunk.com/app/3064/#/overview
https://www.splunk.com/goto/Top20CSC
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk Enterprise Security
Strengthen Your Security Posture
1. Centralize Analysis of Key Activities
2. Use an Investigative Mindset
3. Operationalize Security Processes
.conf18: Monday, October 1 – Thursday, October 4
Splunk University: Saturday, September 29 – Monday, October 1
Orlando, Florida: Walt Disney World Swan and Dolphin Hotels
