© 2017 SPLUNK INC.
Building the Analytics-Driven SOC
Rene Aguero | Security Strategist
JULY 11, 2017 | NYC
$whoami
René Agüero raguero@splunk.com
• 2 years at Splunk – Security Strategist
• 18 years in security – MCSE NT3.51
• CISSP, MSBA – Information Assurance (forensics, auditing and security)
• IT and Security Director
• Offensive Security
• Exploitation – Metasploit, Web attacks
• Rapid7 SE Director
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Agenda
1. A look at traditional security operations
2. Best practices and emerging trends
3. The security ops technology stack
4. How to use Splunk solutions for an Analytics-Driven SOC
5. Customer Successes
(Two chart slides) Source: EY Global Information Security Survey 2015
Traditional Security Operations
How-to guides
Security Programs: The Big Picture
It’s complicated
[13] https://www.sans.org/security-resources/posters/leadership/security-leadership-poster-135
[14] http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
Security Operations: part of the bigger picture
What do we see? A traditional security critical path:
Risk & Compliance → Security Architecture → Security Engineering → Security Operations (includes SOC)
Types of Traditional SOCs
▶ Virtual SOC (VSOC)
▶ Multifunction NOC/SOC
▶ Command SOC
▶ Co-Managed SOC
▶ Crew SOC? (This one’s ours)
[1] https://www.gartner.com/doc/3479617
Traditional SOC: Alert Pipeline?
“A perception of the SOC as a big alert pipeline is outdated and does not allow the organization to make use of more active processes such as internal TI generation and threat hunting.”
– [1] Anton Chuvakin, https://www.gartner.com/doc/3479617
Three Interrelated Components of Security
People, Process, Technology
Bottom Line
Technology exists to serve people and processes.
Traditional SOC Challenges (1): Efficacy
Traditional SOC Challenges (2): Staffing
Challenges with the traditional SOC (3): Silo-ization
Remember this? Risk & Compliance → Security Architecture → Security Engineering → Security Operations (includes SOC)
Challenges with the traditional SOC (4): Cost … and opportunity cost
Trends in Security Operations
A SOC By Any Other Name
▶ Security Analytics Center
▶ Cyber Fusion Center
▶ Cyber Defense Center
▶ Threat Defense Center
▶ Detection and Response Team
New Capabilities in the SOC
▶ Alert Management
▶ Incident Response (IR / CSIRT)
▶ Toolchain engineering
▶ Threat intelligence (consumption and creation)
▶ Threat hunting
▶ Vulnerability management
▶ Red team
SOC Persona
▶ SIEM Admin, Tools Engineer: responsible for the technology, product, upgrades
▶ Security Analyst: responsible for investigating alerts, incidents and triage
▶ Hunter, Incident Responder: proactively/reactively hunts for threats; details investigations, determines scope of incident or breach and takes actions
▶ SecOps / SOC Manager / Director: responsible for SOC process, initiatives, often budget
▶ CISO / VP / Head InfoSec: head or exec of Info Security
Managed Security Services are Common
▶ Tier-1
▶ Off hours
▶ Toolchain ops
▶ Outside Help With Specialties
  • Reverse Engineering
  • Forensics
  • Advanced IR
  • Red team
Automation in the SOC
▶ Seeking to “Automate Tier 1”
▶ What do you automate?
  • Context gathering/enrichment – definitely
  • Configuration changes – maybe
  • Evidence collection – probably
▶ High premium on toolchain integration
▶ Security engineers are quickly becoming programmers
Improved Processes in the SOC
https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
Maturing Use of Threat Intelligence
▶ Threat list + raw log feed = Noise
▶ Alert enriched by threat intel = Insight
▶ High maturity:
  • Gather your own threat intel
  • Share threat intel meaningfully
“Beware the threat list wind tunnel” – Splunk Customer
Network (Meta)data
▶ NetFlow (or variant)
  • Succinct: 5-tuple + traffic size
  • Easy™ to analyze
  • Cost effective
  • No payload
▶ PCAP
  • Voluminous
  • Ground truth, ultimate context, full payload
  • Lots of storage / overhead
▶ Splunk Stream
  • Succinct: 5-tuple + traffic size
  • Easily searchable!
  • Tuneable: adaptive fidelity
  • Additional context: payload elements
Threat Hunting – Where Does it Fit?
Threat hunting is what happens just past the horizon of automated detection capabilities. What you learn while hunting should extend that horizon.
− Paraphrased from Robert M. Lee, SANS Forensics 578
The Security Operations Toolchain
Log Data Platform
▶ Single source of truth
▶ Retention and integrity
▶ Any data source
▶ Easy correlation
▶ Automation / integration
▶ Performant and scalable
▶ Full fidelity
▶ Normalized?
▶ Hunting
▶ Forensic investigation
▶ Alerting
▶ Dashboards
▶ Visualization
▶ Analytics (ML?)
Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.”
– Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries.
Asset Inventory and Identity Data
▶ Often multiple sources of record – that’s OK
  • CMDB, Vuln scans, Passive detection, DHCP, NAC
  • Active Directory, LDAP, IAM
▶ Network diagrams
▶ Categorization
  • PCI, ICS, Administrative, Default
▶ Comprehensive yet lightweight and easy to maintain
▶ Must be easy to correlate to log data
Case and Investigation Management
1. Ticketing system
2. Workflow
3. Supports prioritization
4. Supports collaborative investigation
5. Provides metrics
6. Supports automation
7. Auditable
Common SOC Data Sources
1. Assets and Identities
2. Threat intel
3. Firewall
4. Network metadata
5. Authentication
6. Server (Windows / Linux)
7. Endpoint
8. IDS / IPS
9. VPN
10. Application
11. Vulnerability
Splunk for Analytics-Driven SOC
1. Threat Intelligence – ES Threat Intel Framework
▶ Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources
▶ Support for STIX/TAXII, OpenIOC, Facebook
▶ Build your own data to create your own Threat Intel
▶ Out of the box Activity and Artifact dashboards
▶ Determine impact on network, assets
▶ Use for analysis / IR
▶ Collect / provide forensics
▶ Use to hunt / uncover / link events
▶ Share info with partners
Feed sources shown in the diagram: Law Enforcement Feeds, ISAC Feeds, Agency Feed, Commercial Service, Community Feed, Open-Source Feed, Other Enrichment Services
Threat Intelligence Framework (diagram): Collect, Manage (Data Management) → Categorize (Threat Activity) → Correlate (Correlation Data / Notable Events) → Search (Data Search)
2. Use Advanced Analytics – Native ML and UBA
▶ Simplify detection and focus on real alerts
▶ Accelerate anomaly and threat detection – minimize attacks and insider threat
▶ Use machine learning toolkit - solutions to suit your workflow
▶ Premium machine learning solution - User Behavior Analytics
  • Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM
Advanced Analytics and Machine Learning (diagram)
Data from on-premises, private cloud and public cloud sources (servers, desktops, networks, containers, firewalls, intrusion prevention, web services, packaged and custom applications, databases, messaging and more) feeds a layered analytics workflow: alert-driven detection; DIY statistical analysis; DIY machine learning; UBA-based machine learning (threats/anomalies) with UBA-based identity context and entity resolution; and packaged UBA-based ML + data science for custom threats.
3. Automate When Feasible
Splunk Adaptive Response
▶ Use rules to automate routine aspects of detection and investigation
▶ Extract insights from existing security stack by use of common interface
▶ Take actions with confidence for faster decisions and response
▶ Automate any process along the continuous monitoring, response and analytics cycle
Integration domains shown in the diagram: Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall
Adaptive Response: Analytics-Driven Decisions, Automation
▶ Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times
▶ Improve operational efficiency using workflow-based context with automated and human-assisted decisions
▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
4. Proactively Hunt and Investigate - Considerations
▶ Organizational maturity
▶ Domain and product experience
▶ Tools: Network, Endpoint, Threat Intel, Access
▶ Security relevant data, historical, raw data
▶ Flexibility and ad hoc
Example attack chain (diagram) and the data that reveals each step:
1. Attacker hacks a website (web portal) and steals .pdf files
2. Attacker creates malware, embeds it in a .pdf and emails it to the target (MAIL)
3. Target reads the email and opens the attachment
4. The .pdf executes and unpacks the malware, overwriting and running “allowed” programs (Svchost.exe, Calc.exe)
5. HTTP (web) session to the command & control server (WEB)
6. Remote control, steal data, persist in company, rent as botnet
Data sources to correlate across these steps: Threat intelligence, Auth – User Roles, Host Activity/Security, Network Activity/Security
How Splunk Helps You Drive Threat Hunting Maturity
Maturity stages shown (data → maturity): Data Search & Visualisation; Data and Intelligence Enrichment; Enrichment Automation; Hypotheses and Automated Analytics; Data Science and Machine Learning
▶ Ingest & Onboard Any Threat Hunting Machine Data Source: enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on read’ technology
▶ Search & Visualize Relationships for Faster Hunting: search and correlate data while visually fusing results for faster context, analysis and insight
▶ Threat Hunting Data Enrichment: enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
▶ Threat Hunting Enablement: integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning
5. Adopt an Adaptive Security Architecture
To Prevent, Detect, Respond and Predict – need:
▶ Correlation across all security relevant data
▶ Insights from existing security architectures
▶ Advanced analytics techniques such as machine learning
Splunk Security Solutions + 1,000+ Apps and Add-ons
Insight From Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view: Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall
Splunk Analytics-Driven SIEM
Functions: Monitor, Report, Analyze, Investigate, Response, Collaborate, Detect, Alert
SIEM layer: security ops management; alert & incident management; policy based rules; out-of-box security rules & analysis
  • Pre-defined views and rules
  • Correlation rules, thresholds
  • Analysis, investigation & context enrichment
  • Enterprise-wide coordination & response
DATA PLATFORM: collect, index data for search and analysis, visualization; dynamic ad hoc and statistical analysis (Collect, Store, Search, Analyze, Report)
Splunk Enterprise Security: A collection of Frameworks
Notable Event, Threat Intelligence, Asset and Identity, Correlation, Adaptive Response, Risk Analysis, built on the Platform for Operational Intelligence
Splunk Enterprise Security: Frameworks
Notable Events: identify noteworthy incidents from events and then manage state
Asset & Identity: performs asset and identity correlation for fields that might be present in an event
Threat Intelligence: consume and manage threat feeds, data
Risk Analysis: identify actions that raise the risk profile of individuals or assets
Adaptive Response: interface for retrieving, sending and running actions by integrating with external applications
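The normalization, threat-feed de-duplication and asset/identity correlation that the "Maturing Use of Threat Intelligence", "Data Normalization" and "Asset Inventory" slides call for, and that the frameworks table above describes, put into working code as an added example (not from the deck and not Splunk's own implementation); the log formats, field names, feeds and inventory entries are constructed, and the risk scoring is an assumed scheme:

```python
"""Added example (not from the deck or Splunk's code): normalize two constructed
log formats onto one schema, de-duplicate threat feeds, correlate hits per
(src, dest), enrich with asset/identity context and score notable events."""
import re
from collections import defaultdict

# Constructed sample logs. Firewall and proxy name the same fields differently
# (src_ip vs client, dst_ip vs dest): without normalization one query cannot
# answer "who talked to this indicator?" across both sources.
RAW_EVENTS = [
    "fw src_ip=10.1.2.3 dst_ip=203.0.113.50 dst_port=443 action=allow",
    "proxy client=10.1.2.3 user=jdoe dest=203.0.113.50 status=200",
    "fw src_ip=10.5.5.5 dst_ip=198.51.100.7 dst_port=80 action=allow",
    "proxy client=10.5.5.5 user=svc_backup dest=198.51.100.7 status=200",
    "fw src_ip=10.7.7.7 dst_ip=192.0.2.10 dst_port=53 action=allow",
]
# Constructed threat feeds; one indicator is reported by several of them.
THREAT_FEEDS = {
    "open_source_feed": ["203.0.113.50", "198.51.100.7"],
    "isac_feed": ["203.0.113.50"],
    "commercial_service": ["203.0.113.50", "192.0.2.77"],
}
# Constructed asset inventory (categories as on the slides) and identity data.
ASSETS = {
    "10.1.2.3": {"category": "pci", "priority": "high"},
    "10.5.5.5": {"category": "default", "priority": "low"},
}
IDENTITIES = {"jdoe": {"role": "finance"}, "svc_backup": {"role": "service"}}
# Per-source rename map onto the common schema: src, dest, dest_port, user.
FIELD_MAP = {
    "fw": {"src_ip": "src", "dst_ip": "dest", "dst_port": "dest_port"},
    "proxy": {"client": "src", "dest": "dest", "user": "user"},
}


def normalize(line):
    """Parse 'sourcetype k=v k=v ...' and rename fields to the common schema."""
    sourcetype, _, rest = line.partition(" ")
    mapping = FIELD_MAP[sourcetype]
    event = {"sourcetype": sourcetype}
    for key, value in re.findall(r"(\w+)=(\S+)", rest):
        event[mapping.get(key, key)] = value
    return event


def build_threat_list(feeds):
    """Aggregate and de-duplicate feeds, remembering who reported each indicator."""
    indicators = defaultdict(set)
    for feed, iocs in feeds.items():
        for ioc in iocs:
            indicators[ioc].add(feed)
    return dict(indicators)


def naive_alerts(events, threat_list):
    """'Threat list + raw log feed': one alert per raw event hitting an indicator."""
    return [e for e in events if e.get("dest") in threat_list]


def risk_score(notable):
    """Constructed scoring: more reporting feeds and more valuable assets rank higher."""
    score = 20 * len(notable["threat_feeds"])
    score += {"high": 30, "medium": 15, "low": 5}.get(notable["asset"]["priority"], 10)
    if notable["asset"]["category"] == "pci":
        score += 20
    return score


def notable_events(raw_lines, feeds, assets, identities, threshold=50):
    """'Alert enriched by threat intel': correlate, enrich, score, filter, rank."""
    threat_list = build_threat_list(feeds)
    events = [normalize(line) for line in raw_lines]
    groups = defaultdict(lambda: {"sourcetypes": set(), "users": set()})
    for e in naive_alerts(events, threat_list):
        group = groups[(e["src"], e["dest"])]
        group["sourcetypes"].add(e["sourcetype"])
        if "user" in e:
            group["users"].add(e["user"])
    notables = []
    for (src, dest), group in groups.items():
        notable = {
            "src": src,
            "dest": dest,
            "sourcetypes": sorted(group["sourcetypes"]),
            "threat_feeds": sorted(threat_list[dest]),
            "asset": assets.get(src, {"category": "unknown", "priority": "unknown"}),
            "identities": {u: identities.get(u, {}) for u in sorted(group["users"])},
        }
        notable["risk"] = risk_score(notable)
        if notable["risk"] >= threshold:
            notables.append(notable)
    return sorted(notables, key=lambda n: n["risk"], reverse=True)


if __name__ == "__main__":
    hits = naive_alerts([normalize(l) for l in RAW_EVENTS], build_threat_list(THREAT_FEEDS))
    print(f"{len(hits)} raw indicator hits (noise) vs "
          f"{len(notable_events(RAW_EVENTS, THREAT_FEEDS, ASSETS, IDENTITIES))} notable event(s)")
```

On the constructed input the raw indicator match fires four times while the correlated, enriched view yields one notable event (the PCI host seen by three feeds), with the low-priority host falling below the threshold.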
Splunk Solutions Portfolio
Across Data Sources, Use Cases & Consumption Models
Platform for Operational Intelligence with a rich ecosystem of Apps & Add-Ons and Splunk Premium Solutions
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
Splunk Quick Start for SIEM
Rapidly Determine Advanced Malware and Threat Activity (Threat Activity Dashboard, Malware Center Dashboard)
Customer Success
Building an Intelligence Driven SOC (Technology)
Challenges
▶ Existing SIEM not adequate - struggled to bring in appropriate data
▶ Unable to perform advanced investigations, severe scale/performance issues
▶ Looking to build a new SOC with modern solution
Customer Solution
▶ Centralized logging of all required machine data at scale and full visibility
▶ Retain all relevant data from 10+ data sources which is used by 25+ SOC/CSIRT users
▶ Tailored advanced correlation searches & IR workflow
▶ Faster and deeper incident investigations
▶ Greater SOC efficiencies - all SOC/CSIRT working off same UI/data
▶ Executive dashboards to measure and manage risk
Citywide SOC for Situational Awareness (Public Sector)
Challenges
▶ Slow responses to security incidents
▶ Inadequate situational awareness of security events
▶ Limited threat intelligence
▶ Disparate logs from over 40 departments were difficult to aggregate
Customer Solution: Splunk Cloud with Enterprise Security
▶ Real-time, citywide, 24/7 network surveillance
▶ Stronger protection of digital assets and infrastructure
▶ Shared threat intelligence with federal agencies
▶ Reduced headcount and lower operational costs
Wrapping up
Get started in minutes – splunk.com
1. Free Cloud Trial
2. Free Software Download
3. Free Enterprise Security Sandbox
.conf2017: The 8th Annual Splunk Conference
SEPT 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C.
conf.splunk.com
Save over $450: you will receive an email after registration opens with a link to save over $450 on the full conference rate. You’ll have 30 days to take advantage of this special promotional rate!
Acceleration Workshops
▶ ES Benchmark
  • Used to help existing customers optimize their Splunk ES investment
▶ Security Readiness Review (CSC 20, SIEM+, SOC)
  • Designed to accelerate and expand opportunities in the pre-sales phase by providing discovery and guidance in areas of business risk, security goals, use case definition, data source mapping & value realization
▶ Threat Hunting Workshop
  • Designed to provide thought leadership and hands on experience of threat hunting using Splunk.
Take the Survey on Pony Poll: ponypoll.com/slny
Complete the survey for your chance to win a .conf2017 pass
Resources Cited
1. How to Plan, Design, Operate and Evolve a SOC
   • https://www.gartner.com/doc/3479617
2. Crafting the InfoSec Playbook
   • https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406
3. Splunk SOC Advisory Services
   • https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdf
4. Ten Strategies of a World-Class Cybersecurity Operations Center
   • https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
5. Maturing Workday’s SOC with Splunk
   • https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
6. The Five Characteristics of an Intelligence Driven Security Operations Center
   • https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-center
7. The Who, What, Where, When, Why and How of Effective Threat Hunting
   • https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
8. Exploring the Frameworks of Splunk Enterprise Security
   • https://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf
9. Recruiting and Retaining Cybersecurity Ninjas
   • https://www.csis.org/analysis/recruiting-and-retaining-cybersecurity-ninjas
10. Building Threat Hunting Strategies with the Diamond Model
   • http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/
11. Using Robots to Fight Bad Guys
   • https://sroberts.github.io/2014/05/14/using-robots-to-fight-bad-guys/
12. Building a SOC with Splunk
   • https://www.splunk.com/pdfs/technical-briefs/building-a-soc-with-splunk-tech-brief.pdf
13. SANS Security Leadership Poster
   • https://www.sans.org/security-resources/posters/leadership/security-leadership-poster-135
14. 2016 CISO MindMap – What do InfoSec Professionals Do?
   • http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
Exploring Frameworks of Splunk Enterprise Security Splunk
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 

Semelhante a Splunk live nyc_2017_sec_buildinganalyticsdrivensoc (20)

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen...
SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen...SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen...
SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen...
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
 
Security crawl walk run presentation mckay v1 2017
Security crawl walk run presentation mckay v1 2017Security crawl walk run presentation mckay v1 2017
Security crawl walk run presentation mckay v1 2017
 
How security analytics helps UCAS protect 700,000 student applications
How security analytics helps UCAS protect 700,000 student applicationsHow security analytics helps UCAS protect 700,000 student applications
How security analytics helps UCAS protect 700,000 student applications
 
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOARPartner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
 
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - WebinarUsing Machine Learning and Analytics to Hunt for Security Threats - Webinar
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
 
Splunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security KeynoteSplunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security Keynote
 
Splunk Forum Frankfurt - 15th Nov 2017 - .conf2017 Update
Splunk Forum Frankfurt - 15th Nov 2017 - .conf2017 UpdateSplunk Forum Frankfurt - 15th Nov 2017 - .conf2017 Update
Splunk Forum Frankfurt - 15th Nov 2017 - .conf2017 Update
 
Splunk for AIOps: Reduce IT outages through prediction with machine learning
Splunk for AIOps: Reduce IT outages through prediction with machine learningSplunk for AIOps: Reduce IT outages through prediction with machine learning
Splunk for AIOps: Reduce IT outages through prediction with machine learning
 
Splunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBASplunk for Enterprise Security Featuring UBA
Splunk for Enterprise Security Featuring UBA
 
Splunk Discovery: Milan 2018 - Get More From Your Machine Data with Splunk AI
Splunk Discovery: Milan 2018 - Get More From Your Machine Data with Splunk AISplunk Discovery: Milan 2018 - Get More From Your Machine Data with Splunk AI
Splunk Discovery: Milan 2018 - Get More From Your Machine Data with Splunk AI
 
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine LearningSplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection ArchitectureSplunk Data Onboarding Overview - Splunk Data Collection Architecture
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
 
SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Se...
SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Se...SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Se...
SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Se...
 
Security investigation hands on workshop 2018-05
Security investigation hands on workshop 2018-05Security investigation hands on workshop 2018-05
Security investigation hands on workshop 2018-05
 
SplunkLive! London 2017 - Splunk Overview
SplunkLive! London 2017 - Splunk OverviewSplunkLive! London 2017 - Splunk Overview
SplunkLive! London 2017 - Splunk Overview
 
Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise SecurityExploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
 
Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Splunk live nyc_2017_sec_buildinganalyticsdrivensoc

  • 5. © 2017 SPLUNK INC. 1. A look at traditional security operations 2. Best practices and emerging trends 3. The security ops technology stack 4. How to use Splunk solutions for an Analytics-Driven SOC 5. Customer Successes Agenda
  • 6. © 2017 SPLUNK INC. Source : EY Global Information Security Survey 2015
  • 7. © 2017 SPLUNK INC. Source : EY Global Information Security Survey 2015
  • 8. © 2017 SPLUNK INC. Traditional Security Operations
  • 9. © 2017 SPLUNK INC. How-to guides

  • 10. © 2017 SPLUNK INC. Security Programs: The Big Picture [13] https://www.sans.org/security-resources/posters/leadership/security-leadership-poster-135 [14] http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/
  • 11. © 2017 SPLUNK INC. [13] https://www.sans.org/security-resources/posters/leadership/security-leadership-poster-135 [14] http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/ Security Programs: The Big Picture It’s complicated

  • 12. © 2017 SPLUNK INC. 12 What do we see? A Traditional Security Critical Path 12 Risk & Compliance Security Architecture Security Engineering Security Operations (Includes SOC) Security Operations: part of the bigger picture

  • 13. © 2017 SPLUNK INC. ▶ Virtual SOC (VSOC) ▶ Multifunction NOC/SOC ▶ Command SOC ▶ Co-Managed SOC ▶ Crew SOC? (This one’s ours) Types of Traditional SOCs
 [1] https://www.gartner.com/doc/3479617
  • 14. © 2017 SPLUNK INC. “A perception of the SOC as a big alert pipeline is outdated and does not allow the organization to make use of more active processes such as internal TI generation and threat hunting.” – [1] Anton Chuvakin https://www.gartner.com/doc/3479617 Traditional SOC Alert Pipeline?
  • 15. © 2017 SPLUNK INC. Three Interrelated Components of Security Process PeopleTechnology
  • 16. © 2017 SPLUNK INC. Bottom Line Technology exists to serve people and processes.
  • 17. © 2017 SPLUNK INC. Traditional SOC Challenges (1) Efficacy
  • 18. © 2017 SPLUNK INC. Traditional SOC Challenges (2) Staffing
  • 19. © 2017 SPLUNK INC. Challenges with the traditional SOC (3) Remember this? Risk & Compliance Security Architecture Security Engineering Security Operations (Includes SOC)
  • 20. © 2017 SPLUNK INC. Challenges with the traditional SOC (3) Silo-ization
  • 21. © 2017 SPLUNK INC. Challenges with the traditional SOC (4) 
 and opportunity cost COST
  • 22. © 2017 SPLUNK INC. Trends in Security Operations
  • 23. © 2017 SPLUNK INC. ▶ Security Analytics Center ▶ Cyber Fusion Center ▶ Cyber Defense Center ▶ Threat Defense Center ▶ Detection and Response Team A SOC By Any Other Name

  • 24. © 2017 SPLUNK INC. ▶ Alert Management ▶ Incident Response ▶ Toolchain engineering ▶ Threat intelligence (consumption and creation) ▶ Threat hunting ▶ Vulnerability management ▶ Red team New Capabilities in the SOC Security Operations Alert Management IR / CSIRT Toolchain Engineering Threat intelHunting Vuln. Management Red Team
  • 25. © 2017 SPLUNK INC. SOC Persona Responsible for the technology, product, upgrades SIEM Admin, Tools Engineer Security Analyst Hunter, Incident Responder SecOps / SOC Manager / Director CISO / VP / Head InfoSec Responsible for investigating alerts, incidents and triage Responsible for SOC process, initiatives, often budget Proactively/reactively hunts for threats. Details investigations, determine scope of incident, breach and takes actions Head or Exec of Info Security, Security
  • 26. © 2017 SPLUNK INC. ▶ Tier-1 ▶ Off hours ▶ Toolchain ops ▶ Outside Help With Specialties ‱ Reverse Engineering ‱ Forensics ‱ Advanced IR ‱ Red team Managed Security Services are Common
  • 27. © 2017 SPLUNK INC. ▶ Seeking to “Automate Tier 1” ▶ What do you automate? ‱ Context gathering/enrichment – definitely ‱ Configuration changes – maybe ‱ Evidence collection – probably ▶ High premium on toolchain integration ▶ Security engineers are quickly becoming programmers Automation in the SOC
  • 28. © 2017 SPLUNK INC. Improved Processes in the SOC https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
  • 29. © 2017 SPLUNK INC. ▶ Threat list + raw log feed = Noise ▶ Alert enriched by threat intel = Insight ▶ High maturity: ‱ Gather your own threat intel ‱ Share threat intel meaningfully Maturing Use of Threat Intelligence “Beware the threat list wind tunnel” – Splunk Customer
  • 30. © 2017 SPLUNK INC. 30 Network (Meta)data
  • 31. © 2017 SPLUNK INC. 31 Network (Meta)data NetFlow (or variant) Succinct 5-tuple + traffic size Easytm to analyze Cost effective No payload PCAP Voluminous Ground truth Ultimate context Full payload Lots of storage / overhead Splunk Stream Succinct 5-tuple + traffic size Easily searchable! Tuneable Adaptive fidelity Additional context Payload elements
  • 32. © 2017 SPLUNK INC. Threat hunting is what happens just past the horizon of automated detection capabilities. What you learn while hunting should extend that horizon. − Paraphrased from Robert M. Lee SANS Forensics 578 Threat Hunting – Where Does it Fit?
  • 33. © 2017 SPLUNK INC. The Security Operations Toolchain
  • 34. © 2017 SPLUNK INC. ▶ Single source of truth ▶ Retention and integrity ▶ Any data source ▶ Easy correlation ▶ Automation / integration ▶ Performant and scalable ▶ Full fidelity ▶ Normalized? ▶ Hunting ▶ Forensic investigation ▶ Alerting ▶ Dashboards ▶ Visualization ▶ Analytics (ML?) Log Data Platform
  • 35. © 2017 SPLUNK INC. “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et. al., Cisco CSIRT Your fields don’t match? Good luck creating investigative queries. Data Normalization is Mandatory for your SOC
  • 36. © 2017 SPLUNK INC. ▶ Often multiple sources of record – that’s OK ‱ CMDB, Vuln scans, Passive detection, DHCP, NAC ‱ Active directory, LDAP, IAM ▶ Network diagrams ▶ Categorization ‱ PCI, ICS, Administrative, Default ▶ Comprehensive yet lightweight and easy to maintain ▶ Must be easy to correlate to log data Asset Inventory and Identity Data
  • 37. © 2017 SPLUNK INC. 1. Ticketing system 2. Workflow 3. Supports prioritization 4. Supports collaborative investigation 5. Provides metrics 6. Supports automation 7. Auditable Case and Investigation Management
  • 38. © 2017 SPLUNK INC. 1. Assets and Identities 2. Threat intel 3. Firewall 4. Network metadata 5. Authentication 6. Server (Windows / Linux) 7. Endpoint 8. IDS / IPS 9. VPN 10.Application 11.Vulnerability Common SOC Data Sources
  • 39. © 2017 SPLUNK INC. Splunk for Analytics-Driven SOC
  • 40. © 2017 SPLUNK INC. ▶ Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources ▶ Support for STIX/TAXII, OpenIOC, Facebook ▶ Build your own data to create your own Threat Intel ▶ Out of the box Activity and Artifact dashboards 1. Threat Intelligence – ES Threat Intel Framework ▶ Determine impact on network, assets ▶ Use for analysis / IR ▶ Collect / provide forensics ▶ Use to hunt / uncover / link events ▶ Share info with partners Law Enforcement Feeds ISAC Feeds Agency Feed Commercial Service Community Feed Open-Source Feed Other Enrichment Services
  • 41. © 2017 SPLUNK INC. Data Management Threat Activity Correlation Data / Notable Events Data Search Threat Intelligence Framework Collect, Manage Categorize Correlate Search
  • 42. © 2017 SPLUNK INC. ▶ Simplify detection and focus on real alerts ▶ Accelerate anomaly and threat detection – minimize attacks and insider threat ▶ Use machine learning toolkit - solutions to suit your workflow ▶ Premium machine learning solution - User Behavior Analytics ‱ Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM 2. Use Advanced Analytics – Native ML and UBA
  • 43. © 2017 SPLUNK INC. Statistical Analysis Advanced Analytics and Machine Learning 101111101010010001000001 111011111011101111101010 010001000001111011111011 workflow Threats Anomalies UBA-based Machine Learning (Threat/Anomalies) UBA-based identity context Entity Resolution DIY Machine Learning DIY Statistical Analysis Alert driven detection On-Premises Private Cloud Public Cloud Storage Online Shopping Cart Telecoms Desktops Security Web Services Networks Containers Web Clickstreams RFID Smartphones and Devices Servers Messaging GPS Location Packaged Applications Custom Applications Online Services DatabasesCall Detail Records Energy Meters Firewall Intrusion Prevention UBA Machine Learning + Data Science UBA-based Machine Learning (Threat/Anomalies) Packaged UBA-based ML + DS (Custom Threats)
  • 44. © 2017 SPLUNK INC. ▶ Use rules to automate routine aspects of detection and investigation ▶ Extract insights from existing security stack by use of common interface ▶ Take actions with confidence for faster decisions and response ▶ Automate any process along the continuous monitoring, response and analytics cycle 3. Automate When Feasible Splunk Adaptive Response Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall
  • 45. © 2017 SPLUNK INC. ▶ Centrally automate retrieval, sharing and response action resulting in improved detection, investigation and remediation times ▶ Improve operational efficiency using workflow- based context with automated and human-assisted decisions ▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners Adaptive Response: Analytics-Driven Decisions, Automation
  • 46. © 2017 SPLUNK INC. 4. Proactively Hunt and Investigate - Considerations ▶ Organizational maturity ▶ Domain and product experience ▶ Tools: Network, Endpoint, Threat Intel, Access ▶ Security relevant data, historical, raw data ▶ Flexibility and ad hoc HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
  • 47. © 2017 SPLUNK INC. How Splunk Helps You Drive Threat Hunting Maturity Enrichment Automation Search & Visualization Hypotheses Automated Analytics Data Science and Machine Learning Data and Intelligence Enrichment Data Search Visualisation Threat Hunting Enablement Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning Threat Hunting Data Enrichment Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships Search & Visualize Relationships for Faster Hunting Search and correlate data while visually fusing results for faster context, analysis and insight Ingest & Onboard Any Threat Hunting Machine Data Source Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology DATA MATURITY
  • 48. © 2017 SPLUNK INC. ▶ Correlation across all security relevant data ▶ Insights from existing security architectures ▶ Advanced analytics techniques such as machine learning 5. Adopt an Adaptive Security Architecture To Prevent, Detect, Respond and Predict – need: 1,000+ Apps and Add-ons Splunk Security Solutions
  • 49. © 2017 SPLUNK INC. Insight From Across Ecosystem Effectively leverage security infrastructure to gain a holistic view Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall +
  • 51. © 2017 SPLUNK INC. Splunk Analytics-Driven SIEM MONITOR REPORT ANALYZE INVESTIGATE RESPONSE COLLABORATE DETECT ALERT ReportAd hoc Search AnalyzeCollect Store Pre-defined views and rules Analysis investigation & context enrichment Enterprise- wide coordination & response Correlation rules, thresholds SIEM Security ops management alert & incident management, policy based rules, out-of-box security rules & analysis DATA PLATFORM Collect, Index data for search and analysis, visualization. Dynamic ad hoc and statistical analysis FUNCTIONS
  • 52. © 2017 SPLUNK INC. Splunk Enterprise Security A collection of Frameworks NOTABLE EVENT THREAT INTELLIGENCE ASSET AND IDENTITY CORRELATION ADAPTIVE RESPONSE RISK ANALYSIS Platform for Operational Intelligence
  • 53. © 2017 SPLUNK INC. Splunk Enterprise Security: Frameworks Framework Detail Notable Events Identify noteworthy incidents from events and then manage state Asset & Identity performs asset and identity correlation for fields that might be present in an event Threat Intelligence Consume and manage threat feeds, data Risk Analysis Identify actions that raise the risk profile of individuals or assets Adaptive Response Interface for retrieving, sending and running actions by integrating with external applications
  • 54. Splunk Solutions Portfolio Across Data Sources, Use Cases & Consumption Models: Rich Ecosystem of Apps & Add-Ons; Splunk Premium Solutions; Platform for Operational Intelligence. Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop
  • 55. Splunk Quick Start for SIEM: Rapidly Determine Advanced Malware and Threat Activity (Threat Activity Dashboard, Malware Center Dashboard)
  • 56. Customer Success
  • 57. Building an Intelligence-Driven SOC (Technology)
    Challenges
    ▶ Existing SIEM not adequate; struggled to bring in appropriate data
    ▶ Unable to perform advanced investigations; severe scale/performance issues
    ▶ Looking to build a new SOC with a modern solution
    Customer Solution
    ▶ Centralized logging of all required machine data at scale, with full visibility
    ▶ Retain all relevant data from 10+ data sources, used by 25+ SOC/CSIRT users
    ▶ Tailored advanced correlation searches & IR workflow
    ▶ Faster and deeper incident investigations
    ▶ Greater SOC efficiencies: all SOC/CSIRT working off the same UI/data
    ▶ Executive dashboards to measure and manage risk
  • 58. Citywide SOC for Situational Awareness (Public Sector)
    Challenges
    ▶ Slow responses to security incidents
    ▶ Inadequate situational awareness of security events
    ▶ Limited threat intelligence
    ▶ Disparate logs from over 40 departments were difficult to aggregate
    Customer Solution: Splunk Cloud with Enterprise Security
    ▶ Real-time, citywide, 24/7 network surveillance
    ▶ Stronger protection of digital assets and infrastructure
    ▶ Shared threat intelligence with federal agencies
    ▶ Reduced headcount and lower operational costs
  • 59. Wrapping up
  • 60. Get started in minutes at splunk.com: 1. Free Cloud Trial; 2. Free Software Download; 3. Free Enterprise Security Sandbox
  • 61. .conf2017, The 8th Annual Splunk Conference. Sept 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C. (conf.splunk.com). Save over $450: you will receive an email after registration opens with a link to save over $450 on the full conference rate. You’ll have 30 days to take advantage of this special promotional rate!
  • 63. Acceleration Workshops
    ▶ ES Benchmark
    • Used to help existing customers optimize their Splunk ES investment
    ▶ Security Readiness Review (CSC 20, SIEM+, SOC)
    • Designed to accelerate and expand opportunities in the pre-sales phase by providing discovery and guidance in areas of business risk, security goals, use case definition, data source mapping & value realization
    ▶ Threat Hunting Workshop
    • Designed to provide thought leadership and hands-on experience of threat hunting using Splunk.
  • 64. Take the Survey on Pony Poll (ponypoll.com/slny). Complete the survey for your chance to win a .conf2017 pass
  • 65. Resources Cited (1)
    1. How to Plan, Design, Operate and Evolve a SOC
    • https://www.gartner.com/doc/3479617
    2. Crafting the InfoSec Playbook
    • https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406
    3. Splunk SOC Advisory Services
    • https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdf
    4. Ten Strategies of a World-Class Cybersecurity Operations Center
    • https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
    5. Maturing Workday’s SOC with Splunk
    • https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
    6. The Five Characteristics of an Intelligence Driven Security Operations Center
    • https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-center
    7. The Who, What, Where, When, Why and How of Effective Threat Hunting
    • https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
  • 66. Resources Cited (2)
    8. Exploring the Frameworks of Splunk Enterprise Security
    • https://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf
    9. Recruiting and Retaining Cybersecurity Ninjas
    • https://www.csis.org/analysis/recruiting-and-retaining-cybersecurity-ninjas
    10. Building Threat Hunting Strategies with the Diamond Model
    • http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/
    11. Using Robots to Fight Bad Guys
    • https://sroberts.github.io/2014/05/14/using-robots-to-fight-bad-guys/
    12. Building a SOC with Splunk
    • https://www.splunk.com/pdfs/technical-briefs/building-a-soc-with-splunk-tech-brief.pdf
    13. SANS Security Leadership Poster
    • https://www.sans.org/security-resources/posters/leadership/security-leadership-poster-135
    14. 2016 CISO MindMap – What do InfoSec Professionals Do?
    • http://rafeeqrehman.com/2016/10/07/announcing-ciso-mindmap-2016/

Editor's Notes

  1. This hour is intended to be educational, and we’re relying heavily on a LOT of great resources like these. Everything from O’Reilly books to Gartner reports to Splunk .conf presentations to blog posts. All these resources are cited both on the slide where they are referenced and at the end of the presentation.
  2. Before we talk about Security Operations, and Security Operations _Centers_, we should understand the big picture. Security Operations is usually just a part of a bigger security program. Here are some examples of popular “CISO Mind Maps”: one from SANS, one from the security blogger Rafeeq Rehman, and one created by yours truly (Dave H) for a consulting customer years ago.
  3. When you look at these mind maps, you recognize one thing. Security programs are complicated. Let’s simplify it a bit by describing what we most often see at our customers.
  4. We very often see this type of traditional organizational model for a security program. Risk and compliance defines what needs to be protected; if they are advanced, this is done through a formal risk analysis framework like FAIR, OCTAVE, etc. Architecture looks at the risk register and chooses controls to mitigate those risks. Controls could be architectural, like network segmentation or designing for optimal sensor locations, and often include choosing products like endpoint protection, firewalls, data collection, SIEM, automated file analysis, sandbox, etc. Defense-in-depth strategies are usually defined here. Security engineers install and maintain the security toolchain. They keep the security systems up and running so that Operations can do the day-to-day work of security: security operations.
  5. There are a lot of different types of SOCs. Here are some that Anton Chuvakin describes in his recent Gartner paper. A virtual SOC is made up of remote analysts without a dedicated facility. If you use an MSSP exclusively, you have a VSOC. Some organizations combine operations capabilities like NOC or helpdesk into what you might call a multi-function SOC. A command SOC is a SOC of SOCs, something we at Splunk often see in large multi-national organizations. A co-managed SOC is common when an MSSP performs part of the SOC duties. Splunkers often see “Crew SOCs”, which are something of a volunteer fire department: when an incident occurs, we get the crew together to analyze and respond. (yikes?)
  6. We very often see organizations who fall into something we call the Alert Triage trap. Anton Chuvakin mentioned the alert pipeline when discussing common mistakes made by organizations implementing SOCs. Is this really a bad thing? Yes and no. Certainly every SOC needs the core capability to triage incoming alerts effectively. If, however, the identity of the entire SOC becomes “alert pipeline”, it can rob the team of the opportunity to focus on what’s becoming increasingly important in the SOCs of the future. We’ll talk more about those as we move through today’s presentation.
  7. This is an old Splunk Slide! And it’s an old security concept. It’s still valid too! Security folks like me talk about People Process and Technology all the time. We don’t need to dwell on this too long, but the one thing to take away from this talk today is this <click>
  8. The bottom line is that technology exists to serve people and processes. That’s not to say that people will not have to learn and adapt to the chosen toolchain. That’s reality. But what it _does_ mean is that if you are spending all your time trying to re-organize around a specific technology, or worse yet, if you are avoiding important detection and response capabilities because the technology cannot support them, then you may have a technology problem. We’ll talk more about how the Splunk security product portfolio (including Splunk Core, Splunk Enterprise Security, the PCI App, and Splunk UBA) can help later. For now let’s talk more about the challenges we see in traditional SOCs.
  9. We have plenty of examples in the industry of traditional SOCs simply not getting the job done. In one such high-profile case, details have surfaced indicating that several actual malware events reported by a popular security product were ignored or triaged improperly. http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712
  10. As we’ve mentioned, a traditional SOC is heavily reliant on people. Good SOC analysts are difficult to find and retain.
  11. Remember this tidy little diagram of the security critical path? Unfortunately, we often see it turn into something like this:
  12. It often ends up like this: silo-ization.
  13. SOCs are expensive to run, and you always have to consider not just the bottom line, but what kind of return you are missing out on by not having those resources invested in revenue-generating activity.
  14. One trend we’re seeing with next-generation security operations centers is that they are no longer called SOCs! Here are a few of the cool new names we’ve run across.
  15. It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys who work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the following:
    - Date and time
    - Type of action performed
    - Subsystem performing the action
    - Identifiers for the object requesting the action
    - Identifiers for the object providing the action
    - Status, outcome, or result of the action
  So the CIM (Common Information Model) helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, like IDS to vulnerability scans.
  16. Splunk & Threat Hunting:
    1. Ingest & Onboard Any Threat Hunting Machine Data Source: Enable fast ingestion of any machine data through efficient indexing, a big data real-time architecture and ‘schema on the read’ technology
    2. Threat Hunting Data Enrichment: Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships
    3. Threat Hunting Automation: Integrated out-of-the-box automation tooling, from artifact query, “contextual swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning
    4. Search & Visualise Relationships for Faster Hunting: Search and correlate data while visually fusing results for faster context, analysis and insight
  17. One way to answer the question “What is Enterprise Security?”, and the way we’ll look at it today, is to consider the Frameworks that comprise it. Today we’ll focus on these 5, but we’ll do so in a slightly different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we’re going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider. The ES frameworks, along with some very nice dashboards, and of course your organization’s security data, make up ES.
  18. Today’s enterprise requires big data security solutions that can monitor and investigate advanced threats and attacks and enable rapid incident response. The Splunk Quick Start for SIEM provides a fast approach to get you up and running using Splunk Enterprise Security, an analytics-driven security information and event management solution.
    • Quickly determine threat and malware activity within your environment
    • Use the full capability of Splunk Enterprise Security to solve a wide range of SIEM use cases
    • Use your education credit and .conf event passes to solve additional use cases
    • Scalable packages available in medium and large sizes to meet your needs
  19. Case Study: http://www.splunk.com/en_us/customers/success-stories/saic.html
    Industry • Technology
    Splunk Use Cases • Application delivery • IT operations • Security
    Challenges • Needed to create a world-class SOC with superior response and maturity levels • Lacked a SIEM solution • Wanted full visibility across silos to rapidly search and analyze security-related events • Seeking an agile solution to decrease MTTR
    Splunk Products • Splunk Enterprise • Splunk Enterprise Security
    Data Sources • Palo Alto Networks and Juniper firewalls • Sourcefire and Snort intrusion detection systems • Anti-virus systems • McAfee vulnerability scans • Windows and Linux server OS logs • Apache and IIS web server application logs • Active Directory domain controllers • IronPort email security appliance and email/SMTP servers
  20. https://fieldenablement.splunk.com/previewhtml.asp?id=100
  21. Don’t forget to complete today’s survey at ponypoll.com/_____ for your chance to win a .conf2017 pass. A winner will be identified tomorrow through a random drawing from completed surveys and will be notified via email.
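The normalization argument in note 15 (every event carries a date/time, an action, the subsystem, identifiers for requester and provider, and an outcome) and the cross-domain correlation it enables (IDS to vulnerability scan) can be seen in a few dozen lines. The following is an added example written for this page; it is not code from the presentation, from Splunk or from the book note 15 refers to, and it does not use Splunk or the CIM itself. The two raw log layouts, the regular expressions, the field names, the host addresses and the `VULN-ID-PLACEHOLDER` identifier are all constructed for illustration and stand in for whatever a real IDS or scanner emits.

```python
"""Normalize disparate security events into one schema, then correlate across domains.

Added example (not from the presentation). Raw lines, layouts and identifiers are
constructed for illustration and do not match any vendor's real format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class NormalizedEvent:
    """The common fields note 15 lists for every event, plus one free-text detail."""
    time: datetime          # date and time of the event (UTC)
    action: str             # type of action performed
    subsystem: str          # subsystem performing the action
    src: Optional[str]      # identifier for the object requesting the action
    dest: Optional[str]     # identifier for the object providing the action
    status: str             # status, outcome or result of the action
    detail: str = ""        # IDS signature name or vulnerability identifier


# Hypothetical, simplified layouts for the two raw sources (constructed for this example).
IDS_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) IDS alert '
    r'sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<act>\w+)$'
)
VULN_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) VULN host=(?P<host>\S+) '
    r'id=(?P<vid>\S+) severity=(?P<sev>\w+)$'
)

# Constructed sample input: two IDS alerts, one scanner finding, one line of unknown layout.
SAMPLE_LINES = [
    '2017-07-10T14:02:11Z IDS alert sig="WEB-MISC suspicious request" src=203.0.113.5 dst=10.0.0.21 action=blocked',
    '2017-07-10T14:05:43Z IDS alert sig="SCAN port sweep" src=203.0.113.9 dst=10.0.0.40 action=allowed',
    '2017-07-09T02:00:00Z VULN host=10.0.0.21 id=VULN-ID-PLACEHOLDER severity=high',
    'Jul 10 14:07:00 host sshd[123]: Accepted publickey for ops',
]


def _parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Map one raw line onto the common schema; return None for an unknown layout."""
    m = IDS_RE.match(line)
    if m:
        return NormalizedEvent(_parse_time(m["ts"]), "alert", "ids",
                               m["src"], m["dst"], m["act"], m["sig"])
    m = VULN_RE.match(line)
    if m:
        # A scan finding has no requester; the scanner reports on the host itself.
        return NormalizedEvent(_parse_time(m["ts"]), "vulnerability_found", "vuln_scanner",
                               None, m["host"], m["sev"], m["vid"])
    return None


def normalize_all(lines: List[str]) -> Tuple[List[NormalizedEvent], List[str]]:
    """Normalize what we can; keep unparsed lines aside rather than guessing their fields."""
    events: List[NormalizedEvent] = []
    unparsed: List[str] = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def correlate_ids_to_vuln(events: List[NormalizedEvent]):
    """Cross-domain join on the shared 'dest' field: IDS alerts whose target host has a finding."""
    findings: Dict[str, List[NormalizedEvent]] = {}
    for ev in events:
        if ev.subsystem == "vuln_scanner" and ev.dest:
            findings.setdefault(ev.dest, []).append(ev)
    return [(ev, findings[ev.dest]) for ev in events
            if ev.subsystem == "ids" and ev.dest in findings]


def prioritize(events: List[NormalizedEvent]) -> List[Tuple[str, str, str]]:
    """Give each IDS alert a triage priority: high if its target carries a high/critical
    finding, medium if any finding, normal otherwise. Returns (dest, signature, priority)."""
    related = {id(alert): found for alert, found in correlate_ids_to_vuln(events)}
    out = []
    for ev in events:
        if ev.subsystem != "ids":
            continue
        found = related.get(id(ev), [])
        if any(f.status.lower() in ("high", "critical") for f in found):
            priority = "high"
        elif found:
            priority = "medium"
        else:
            priority = "normal"
        out.append((ev.dest or "", ev.detail, priority))
    return out


if __name__ == "__main__":
    evs, skipped = normalize_all(SAMPLE_LINES)
    for dest, sig, prio in prioritize(evs):
        print(f"{prio:6} {dest:12} {sig}")
    print(f"{len(skipped)} line(s) left unparsed")
```

The unparsed line is deliberately kept rather than forced into the schema: a normalizer that guesses fields for an unknown layout silently corrupts the correlation that the schema exists to enable.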