Acceleration Workshops
ES Benchmark
  • Used to help existing customers optimize their Splunk ES investment
Security Readiness Review (CSC 20, SIEM+, SOC)
  • Designed to accelerate and expand opportunities in the pre-sales phase by providing discovery and guidance in areas of business risk, security goals, use case definition, data source mapping and value realization
Threat Hunting Workshop
  • Designed to provide thought leadership and hands-on experience of threat hunting using Splunk.
This hour is intended to be educational, and we're relying heavily on a LOT of great resources like these: everything from O'Reilly books to Gartner reports to Splunk .conf presentations to blog posts. All these resources are cited both on the slide where they are referenced and at the end of the presentation.
Before we talk about Security Operations, and Security Operations _Centers_, we should understand the big picture. Security Operations is usually just a part of a bigger security program. Here are some examples of popular "CISO Mind Maps": one from SANS, one from the security blogger Rafeeq Rehman, and one created by yours truly (Dave H) for a consulting customer years ago.
When you look at these mind maps, you recognize one thing: security programs are complicated. Let's simplify it a bit by describing what we most often see at our customers.
We very often see this type of traditional organizational model for a security program.
Risk and compliance defines what needs to be protected. If they are advanced, this is done through a formal risk analysis framework like FAIR, OCTAVE, etc.
Architecture looks at the risk register and chooses controls to mitigate the risks. These could be architectural, like network segmentation or choosing optimal sensor locations, and often include choosing products like endpoint protection, firewalls, data collection, SIEM, automated file analysis, sandbox, etc. Defense-in-depth strategies are usually defined here.
Security engineers install and maintain the security toolchain. They keep the security systems up and running so that Operations can do the day-to-day work of security.
Security operations.
There are a lot of different types of SOCs. Here are some that Anton Chuvakin describes in his recent Gartner paper. A virtual SOC is made up of remote analysts without a dedicated facility. If you use an MSSP exclusively, you have a VSOC. Some organizations combine operations capabilities like NOC or helpdesk into what you might call a multi-function SOC. A command SOC is a SOC of SOCs, something we at Splunk often see in large multi-national organizations. A co-managed SOC is common when an MSSP performs part of the SOC duties.
Splunkers often see "Crew SOCs", which are something of a volunteer fire department. When an incident occurs, we get the crew together to analyze and respond. (Yikes?)
We very often see organizations who fall into something we call the Alert Triage trap. Anton Chuvakin mentioned the alert pipeline when discussing common mistakes made by organizations implementing SOCs.
Is this really a bad thing? Yes and no. Certainly every SOC needs the core capability to triage incoming alerts effectively. If, however, the identity of the entire SOC becomes "alert pipeline", it can rob the team of the opportunity to focus on what's becoming increasingly important in SOCs of the future. We'll talk more about those as we move through today's presentation.
This is an old Splunk slide! And it's an old security concept. It's still valid too! Security folks like me talk about People, Process and Technology all the time. We don't need to dwell on this too long, but the one thing to take away from this talk today is this:
<click>
The bottom line is that technology exists to serve people and processes. That's not to say that people will not have to learn and adapt to the chosen toolchain. That's reality. But what it _does_ mean is that if you are spending all your time trying to re-organize around a specific technology, or worse yet, if you are avoiding important detection and response capabilities because the technology cannot support them, then you may have a technology problem. We'll talk more later about how the Splunk security product portfolio (including Splunk Core, Splunk Enterprise Security, the PCI App, and Splunk UBA) can help. For now let's talk more about challenges we see in traditional SOCs.
We have plenty of examples in the industry of traditional SOCs simply not getting the job done. In one such high profile case details have surfaced indicating several actual malware events reported from a popular security product were ignored, or triaged improperly. http://www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712
As we've mentioned, a traditional SOC is heavily reliant on people. Good SOC analysts are difficult to find and retain.
Remember this tidy little diagram of the security critical path? Unfortunately we see it often turn into something like this:
It often ends up like this: silo-ization.
SOCs are expensive to run, and you always have to consider not just the bottom line, but what kind of return you are missing out on by not having those resources invested in revenue-generating activity.
One trend we're seeing with next-generation security operations centers is that they are no longer called SOCs! Here are a few of the cool new names we've run across.
It isn't just us who think some form of data normalization is a good idea, especially for security analytics. If you haven't checked it out, there's a fantastic book published recently by three guys who work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
- Date and time
- Type of action performed
- Subsystem performing the action
- Identifiers for the object requesting the action
- Identifiers for the object providing the action
- Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, like IDS alerts to vulnerability scan results.
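To make the six-field list concrete, here is an added example (not from the presentation, the Cisco CSIRT book, or Splunk's CIM add-on) that normalizes two differently formatted raw events into one common schema carrying exactly those fields, then does the cross-domain correlation the notes mention by joining IDS alerts to vulnerability-scan results on the shared destination host. The firewall line, the Snort-style alert line and the scan results are all constructed sample data; the field names (`_time`, `action`, `subsystem`, `src`, `dest`, `status`, `signature`) are this example's own choice and only loosely mirror CIM naming.

```python
"""Normalize disparate raw events into one common schema, then correlate
IDS alerts with vulnerability-scan results on the shared 'dest' field."""
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real logs): one key=value firewall line,
# one Snort-style syslog alert, and a small vulnerability-scan result set.
FIREWALL_LINE = "2017-09-26T14:03:11Z fw01 action=allowed src=10.1.1.5 dest=10.2.2.9 dest_port=445"
IDS_LINE = ("Sep 26 14:03:12 ids01 snort[1234]: [1:1000001:1] EXAMPLE SMB probe "
            "{TCP} 10.1.1.5:51234 -> 10.2.2.9:445")
VULN_SCAN = [
    {"dest": "10.2.2.9", "signature": "VULN-SMB-EXAMPLE", "severity": "high"},
    {"dest": "10.3.3.4", "signature": "VULN-WEB-EXAMPLE", "severity": "medium"},
]

_FW_KV = re.compile(r"(\w+)=(\S+)")
_IDS = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dest>[\d.]+):(?P<dport>\d+)$"
)


def normalize_firewall(line):
    """Map an ISO-timestamped key=value firewall line onto the common schema."""
    ts, host, rest = line.split(" ", 2)
    kv = dict(_FW_KV.findall(rest))
    return {
        "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": kv["action"],                      # type of action performed
        "subsystem": host,                           # subsystem performing the action
        "src": kv["src"],                            # identifier of the requester
        "dest": kv["dest"],                          # identifier of the provider
        "status": "success" if kv["action"] == "allowed" else "failure",
        "signature": None,
    }


def normalize_ids(line, year=2017):
    """Map a Snort-style syslog alert onto the same schema.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = _IDS.match(line)
    if m is None:
        raise ValueError("unrecognized IDS line")
    t = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    return {
        "_time": t,
        "action": "alert",
        "subsystem": m["host"],
        "src": m["src"],
        "dest": m["dest"],
        "status": "detected",
        "signature": m["msg"],
    }


def normalize(line):
    """Dispatch on the raw format; every output has the same keys."""
    if " snort[" in line:
        return normalize_ids(line)
    if "action=" in line:
        return normalize_firewall(line)
    raise ValueError("unknown event format")


def correlate_ids_with_vuln(ids_events, vuln_scan):
    """Cross-domain join: IDS alerts against scan findings on the same dest.
    An alert hitting a host with a known finding is what deserves attention."""
    by_dest = {}
    for v in vuln_scan:
        by_dest.setdefault(v["dest"], []).append(v)
    hits = []
    for e in ids_events:
        for v in by_dest.get(e["dest"], []):
            hits.append({"dest": e["dest"], "ids_signature": e["signature"],
                         "vuln": v["signature"], "severity": v["severity"]})
    return hits


if __name__ == "__main__":
    events = [normalize(FIREWALL_LINE), normalize(IDS_LINE)]
    for ev in events:
        print(ev)
    ids_only = [e for e in events if e["action"] == "alert"]
    print(correlate_ids_with_vuln(ids_only, VULN_SCAN))
```

Because both parsers emit the same keys, the correlation function never needs to know which product produced the alert; that is the regularity the notes are after, and it is what makes a query like "IDS alerts against hosts with open findings" a single join rather than one per data source.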
Splunk & Threat Hunting:
1. Ingest & Onboard Any Threat Hunting Machine Data Source
Enable fast ingestion of any machine data through efficient indexing, a big data real-time architecture and "schema on read" technology
2. Threat Hunting Data Enrichment
Enrich data with context and threat intel across the stack or over time to discern deeper patterns or relationships
3. Threat Hunting Automation
Integrated out-of-the-box automation tooling, from artifact query, "contextual swim-lane analysis", anomaly and time series analysis to advanced data science leveraging machine learning
4. Search & Visualise Relationships for Faster Hunting
Search and correlate data while visually fusing results for faster context, analysis and insight
One way to answer the question "What is Enterprise Security?", and the way we'll look at it today, is to consider the frameworks that comprise it. Today we'll focus on these five, but we'll do so in a slightly different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we're going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider.
The ES frameworks, along with some very nice dashboards, and of course your organization's security data, make up ES.
Today's enterprise requires big data security solutions that can monitor and investigate advanced threats and attacks and enable rapid incident response. The Splunk Quick Start for SIEM provides a fast approach to get you up and running using Splunk Enterprise Security, an analytics-driven security information and event management solution.
• Quickly determine threat and malware activity within your environment
• Use the full capability of Splunk Enterprise Security to solve a wide range of SIEM use cases
• Use your education credit and .conf event passes to solve additional use cases
• Scalable packages available in medium and large sizes to meet your needs
Industry
• Technology
Splunk Use Cases
• Application delivery
• IT operations
• Security
Challenges
• Needed to create a world-class SOC with superior response and maturity levels
• Lacked a SIEM solution
• Wanted full visibility across silos to rapidly search and analyze security-related events
• Seeking an agile solution to decrease MTTR
Splunk Products
• Splunk Enterprise
• Splunk Enterprise Security
Data Sources
• Palo Alto Networks and Juniper firewalls
• Sourcefire and Snort intrusion detection systems
• Anti-virus systems
• McAfee vulnerability scans
• Windows and Linux server OS logs
• Apache and IIS web server application logs
• Active Directory domain controllers
• IronPort email security appliance and email/SMTP servers
Case Study
http://www.splunk.com/en_us/customers/success-stories/saic.html
Don't forget to complete today's survey at ponypoll.com/_____ for your chance to win a .conf2017 pass.
A winner will be identified tomorrow through a random drawing from completed surveys and will be notified via email.