SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

4. © 2017 SPLUNK INC. A SOC By Any Other Name… ▶ Security Analytics Center ▶ Cyber Fusion Center ▶ Cyber Defense Center ▶ Threat Defense Center ▶ Detection and Response Teams A centralized unit that deals with security on an organizational & technical level Security Operations Center (SOC) Cyber Defense Center (CDC) A team composed primarily of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents

5. © 2017 SPLUNK INC. “A perception of the SOC as a big alert pipeline is outdated and does not allow the organization to make use of more active processes such as internal Threat Intelligence generation and Threat Hunting.” – [1] Anton Chuvakin https://www.gartner.com/doc/3479617 Traditional SOC Alert Pipeline?

7. © 2017 SPLUNK INC. Should or Can I build a SOC? ▶ Objectives & Business Alignment ▶ Motivation >> Cost ▶ Industry Guidance ▶ Data Visibility ▶ Staff Acquisition & Retention ▶ Sourcing Models ▶ Automation & Efficiency ▶ Service Catalogue Expansion Challenges of traditional Security Operations Security Operations Objectives & Business Alignment Cost Industry Guidance Data Visibility Staffing Sourcing Models Automation & Efficiency Service Catalogue Expansion

9. © 2017 SPLUNK INC. The Critical Challenge: Balancing Security Priorities & Business Alignment Security Operations: only part of the bigger picture… Security Architecture Risk and Compliance Security Engineering Security Operations Includes SOC https://www.sans.org/security-resources/posters/leadership/security-leadership- poster-135

11. © 2017 SPLUNK INC. To meet the challenges of the new "detection and response" paradigm, an intelligence- driven SOC also needs to move beyond traditional defenses, with an adaptive architecture and context-aware components. To support these required changes in information security programs, the traditional SOC must evolve to become the intelligence- driven SOC (ISOC) with automation and orchestration of SOC processes being a key enabler. Gartner, 2016 The desire for a better SOC is clear.. http://www.gartner.com/newsroom/id/3347717 Splunk EMEA CISO SOC RoundTable  Know what your SOC needs to achieve!  Align to business!  Build business support  Build a strategic roadmap  Address people challenges and cost strategies early  Define data sources for SOC insights  Select technology wisely Splunk CISO’s, 2016

13. © 2017 SPLUNK INC. 1. Threat Monitoring 2. Incident Investigation 3. Incident Response Defining the SOC Service Catalogue “What do you need to achieve?” 4. Operational Reporting 5. Business Reporting! Mapping the Service Catalogue Splunk SOC Optimisation Workshop

14. © 2017 SPLUNK INC. Example Documented Service Catalogue Services Catalogue ● Announcements & advisories ● Alerts & warnings ● Incident response, support & analysis ● Artefact analysis ● Cyber threat intelligence ● IDS & log management ● Vulnerability assessment

15. © 2017 SPLUNK INC. ▶ Tier-1Triage ▶ Off hours ▶ Tool Engineering ▶ Outside Help With Specialties • Reverse Engineering • Forensics • Advanced IR • Red/Purple teaming Hybrid Models (i.e. Int SOC platform + MSS) are becoming more common

16. © 2017 SPLUNK INC. ▶ Big Data Log Platform (BLDP) ▶ User Behavior Analytics (UBA) ▶ Threat intelligence (TI) (consumption, creation & sharing) ▶ Threat Hunting (TH) ▶ Threat & Vulnerability Management (TVM) ▶ Security Incident Response (SIR) ▶ Security Operations Automation (SOA) New Automation & Tooling Opportunities in the SOC Security Operations Big Data Log Platform (BDLP) User Behavior Analytics (UBA) Threat intelligence (TI) Threat Hunting (TH) Threat & Vulnerability Management (TVM) Security Incident Response (SIR) Security Operations Automation (SOA)

17. © 2017 SPLUNK INC. … effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment. https://www.sans.org/reading-room/whitepapers/analyst/ who-what-where-when-effective-threat-hunting-36785 “Threat Hunting”

18. © 2017 SPLUNK INC. ▶ Start with a hypothesis that considers: • Situational Awareness (often crown jewels focused) • Threat Intelligence • Domain experience • Best Results > all 3! ▶ Requires lots of data ▶ Flexible platform to ask/answer questions ▶ Process Automation ▶ Data science / ML / Analytics increasingly used How are SOC Teams Hunting? https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

19. © 2017 SPLUNK INC. SOC Persona Responsible for the operations, technology, team and leadership Responsible for the technology, product, upgrades SIEM Admin, Tools Engineer Security Analyst Hunter, Incident Responder SecOps / SOC Manager / Director CISO / Head InfoSec Responsible for investigating alerts, incidents and triage Responsible for SOC process, initiatives, often budget Proactively/reactively hunts for threats. Head or Exec of Info Security, Security Considerations: Hiring & Retention Shift Rotations & Coverage Skills Development Business Engagement

21. © 2017 SPLUNK INC. ✓ Fast data onboarding ✓ Any data source ✓ Easy correlation ✓ Automation / integration ✓ Performant and scalable ✓ Full fidelity ✓ Retention and integrity ✓ Normalized ✓ Enables Hunting ✓ Forensic investigation ✓ Alerting ✓ User access controls ✓ Flexible Visualization ✓ Advanced Analytics (ML?) Critical Characteristics for Log Data Platforms

22. © 2017 SPLUNK INC. 1. Assets and Identities 2. Threat intel 3. Firewall 4. Network metadata 5. Authentication 6. Server (Windows / Linux) 7. Endpoint 8. IDS / IPS 9. VPN 10.Application 11.Vulnerability Common SOC Data Sources Mapping the Data source Requirements Splunk Security Data Source Assessment

23. © 2017 SPLUNK INC. Challenges to building you own custom cyber data lake: ▶ Dirty data ▶ Debugging custom big data collectors ▶ Accessing data ▶ Little value beyond collection ▶ Little value beyond keyword searching ▶ Little threat detection value ▶ Ability to find, retain & integrate skills needed Build your own custom cyber security data lake? http://blogs.gartner.com/anton-chuvakin/2017/04/11/why-your-security-data-lake-project-will-fail/

25. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC

27. © 2017 SPLUNK INC. Splunk Security Portfolio • Risky behavior detection • Advanced attacks & insider • Entity & kill chain profiling Enterprise Security Response • Security analytics (SOC) platform • Incident response workflow • Adaptive response • OOB key security metrics Splunk Enterprise Detection Realm of Known Human-driven Splunk Security Essentials/UBA Detection Realm of Unknown ML-driven • Any data log aggregation • Rules, statistics, correlation • Search, visualize & hunt

28. © 2017 SPLUNK INC. Splunk Enterprise Security A collection of orchestration frameworks for SOC Operations NOTABLE EVENT THREAT INTELLIGENCE ASSET AND IDENTITY CORRELATION ADAPTIVE RESPONSE RISK ANALYSIS Platform for Operational Intelligence

29. © 2017 SPLUNK INC. A Recipe for the Security Analytics Driven SOC Event Aggregation Incident Creation Investigation & Response Investigative Platform ▶ Flexible Analyst Visualisation ▶ Provide automation with security solutions & tooling ▶ Security operations orchestration & threat hunting Simple Detection ▶ Rules & Statistics ▶ Quick development ▶ Easy for analysts Advanced Detection ▶ Detect unknown ▶ New vectors ▶ Machine learning Event Management ▶ Fast data onboarding ▶ Manage High Volume ▶ Track Entity Relationships Alert Management Incident Contextualization (Enrichment) Decrease MTTR

32. © 2017 SPLUNK INC. Customer ▶ UK’s largest building and construction supplier ▶ 20+ business units in group & 27,0000 employees Challenges ▶ Failed previous SIEM project ▶ Complex mix of legacy on premise and cloud solutions ▶ Difficult ingesting data sources for visibility ▶ Limited security personnel Customer Solution: Splunk Enterprise & Splunk Enterprise Security) ▶ Fast time from data ingestion to obtaining security insight ▶ Splunk Cloud removes pain from managing host infrastructure ▶ Intrinsic Splunk ES risk scoring has been pivotal in multiple cyber incidents ▶ Architecture design now serving non security use cases (IT Event Monitoring) RETAIL Building a Lean ‘Cloud’ SOC Splunk Security: Fast Time to Value

34. © 2017 SPLUNK INC. ▶ Correlation across all security relevant data ▶ Insights from existing security architectures ▶ Advanced analytics techniques such as machine learning 2. Adopt an Adaptive Security Architecture To Prevent, Detect, Respond and Predict 1,000+ Apps and Add-ons Splunk Security Solutions

36. © 2017 SPLUNK INC. ▶ Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources ▶ Support for STIX/TAXII, OpenIOC, Facebook ▶ Build your own data to create your own Threat Intel ▶ Out of the box Activity and Artifact dashboards 3. Threat Intelligence – ES Threat Intel Framework ▶ Determine impact on network, assets ▶ Use for analysis / IR ▶ Collect / provide forensics ▶ Use to hunt / uncover / link events ▶ Share info with partners Law Enforcement Feeds ISAC Feeds Agency Feed Commercial Service Community Feed Open-Source Feed Other Enrichment Services

37. © 2017 SPLUNK INC. Customer ▶ EU Intuitions own Computer Emergency Response Team (CERT) ▶ Supports 60 organizations across Europe supporting 100,000 end users Challenges ▶ Ingestion from many sources ▶ Constituents: very high value targets ▶ Complex decentralized, heterogeneous environment ▶ Need to correlate everything with everything: file-less lateral movements, bypassing protection layers, phishing attacks Customer Solution: Splunk Enterprise ▶ Provides common language and conventions to control all data (CIM) ▶ Drives time saving & reduces human error while increased visibility ▶ Enables any data & intelligence correlation. Easily integrates with custom security tooling via open API’s ▶ Two tier architecture with end users in control of their data GOVERNMENT Enabling EU Cyber Response Splunk Security: Trusted vhttps://de.slideshare.net/Splunk/splunk-live-utrecht-2016-cert-eu

40. • Accelerate anomaly and unknown threat detection – minimize attacks & insider threat • Use Splunk Security Essentials App – FOC App with 55+ UBA use cases • Premium Machine learning solution – Splunk User Behavior Analytics – Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM 4. Deploy Advanced Analytics – Native ML and UBA To Prevent, Detect, Respond and Predict: Security Essentials App UBA Premium Solution Premium Solution Integration

43. © 2017 SPLUNK INC. 5. Proactive Investigation & Threat Hunting Enrichment Automation Search & Visualization Hypotheses Automated Analytics Data Science and Machine Learning Data and Intelligence Enrichment Data Search Visualisation Threat Hunting Enablement Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning Threat Hunting Data Enrichment Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships Search & Visualize Relationships for Faster Hunting Search and correlate data while visually fusing results for faster context, analysis and insight Ingest & Onboard Any Threat Hunting Machine Data Source Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology DATA MATURITY

44. © 2017 SPLUNK INC. Customer ▶ Third largest retail bank in Switzerland with 3m+ customer ▶ No 1 online payments provider Challenges ▶ Protecting financial assets & customer is a top priority ▶ Data ingestion and security insight ▶ Highly manual security analysis and reporting ▶ Cultural and organizational barriers to optimal security Customer Solution: Splunk Enterprise ▶ Risk reduction through E-payment & debit card fraud detection ▶ Increased visibility & security automation for online banking, payment processing, customer data protection such as phishing attack workflows FINANCE Connecting Business & Security at a Swiss Bank Splunk Security: Business Value https://conf.splunk.com/session/2015/conf2015_PHoffman_PostFinance_UsingSplunkSearchLanguage_HowSplunkConnectsBusiness.pdf

46. © 2017 SPLUNK INC. ▶ Use rules to automate routine aspects of detection and investigation ▶ Extract insights from existing security controls by use of common interface ▶ Take actions with confidence for faster decisions and response ▶ Automate any process along the continuous monitoring, response and analytics cycle 6. Promote Security Automation & Human Efficiency To Prevent, Detect, Respond and Predict: Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall + Splunk Adaptive Response Alliance

49. © 2017 SPLUNK INC. SECURITY & RISK IT OPERATIONS BUSINESS ANALYTICS SAME DATA Of theAsking differentDifferent PEOPLE QUESTIONS 40-70%security data that can be re-used for additional non security business value Online Services SplunkCustomer ValueExamples $11m Benefit Increased revenue from higher uptime High Tech $25m Benefit Increased revenue from higher uptime Oil & Gas $200m Benefit Revenues from Preventing APT’s Transportation $1b Benefit Optimisation with Sensor Data 7.From Security to Enterprise Data Insights

50. © 2017 SPLUNK INC. Customer ▶ Operate in 60 counties with over 45,000 Employees ▶ 29 engineering and project execution centers and 5 fabrication yards Challenges ▶ Needed to gain operational visibility into distributed infrastructure ▶ Unable to meet compliance needs (PCI, ISO27001, SOX, Privacy) ▶ Struggling with governance of IT Operations ▶ Inability to reports holistically across all domains Customer Solution (Splunk Enterprise) ▶ Real time data insights across Security, ITOps & Application Development ▶ LoB security risk & compliance reporting ▶ SIEM & One ‘dashboard’ to rule them all ▶ IT Operations, application, server reboot, software license utilization monitoring… OIL & GAS Drive Enterprise Insights! Splunk Security: Build an Enterprise Data Fabric from Security

55. Next Step: Splunk Security Workshops SIEM+/SOC Readiness, Security Use Case Definition, Security Data Source Assessment, Security Automation, Security Business & Risk Visualisation…...... • Scope data sources, use cases and volumes • Security Analytics & SOC Building • Adding Machine Learning to SecOps • Learn how to visualize security success for the business • Data privacy & protection Contact your Splunk representative to find out how to schedule

56. Threat Activity Dashboard Splunk Quick Start for Security Analytics & SOC Rapidly Determine Advanced Malware and Threat Activity Malware Center Dashboard

57. © 2017 SPLUNK INC. • 5,000+ IT and Business Professionals • 175+ Sessions • 80+ Customer Speakers PLUS Splunk University • Three days: Sept 23-25, 2017 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP SEPT 25-28, 2017 Walter E. Washington Convention Center Washington, D.C. CONF.SPLUNK.COM .conf2017: The 8th Annual Splunk Conference

59. Learn: How Travis Perkins built a SOC in the Cloud blogs.splunk.com Learn: Three Tips from Cisco’s CSIRT using Splunk isc2.org Try it yourself: Splunk Enterprise Security in our Sandbox with 50+ Data Sources splunk.com

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

Esté a ler uma amostra.

Confira estes a seguir

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (19)

Semelhante a SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security (20)

Mais de Splunk (20)

Mais recentes (20)