O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio

Confira estes a seguir

1 de 60 Anúncio

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

Traditional security operations centres (SOCs) often focus too narrowly on alert triage or on meeting simplistic checkbox compliance requirements. This approach can leave the organisation with critical cybersecurity blind spots, and lead to other common problems including low SOC productivity, high analyst turnover, and increased operational costs. Ultimately, this traditional approach to running a SOC can cause the security team to fail to achieve its mission of detecting, responding to, and mitigating true threats in the environment. This session will cover how to build a modern analytics-driven security operations capability for your organisation. The analytics-driven SOC leverages technology innovations to serve human analysts by fusing advanced analytics, threat intelligence, automated response/orchestration, threat hunting, deep investigation, and incident response. This approach helps the security team to consistently deliver fast, effective threat detection and response.

Traditional security operations centres (SOCs) often focus too narrowly on alert triage or on meeting simplistic checkbox compliance requirements. This approach can leave the organisation with critical cybersecurity blind spots, and lead to other common problems including low SOC productivity, high analyst turnover, and increased operational costs. Ultimately, this traditional approach to running a SOC can cause the security team to fail to achieve its mission of detecting, responding to, and mitigating true threats in the environment. This session will cover how to build a modern analytics-driven security operations capability for your organisation. The analytics-driven SOC leverages technology innovations to serve human analysts by fusing advanced analytics, threat intelligence, automated response/orchestration, threat hunting, deep investigation, and incident response. This approach helps the security team to consistently deliver fast, effective threat detection and response.

Anúncio
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (19)

Anúncio

Semelhante a SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security (20)

Mais de Splunk (20)

Anúncio

Mais recentes (20)

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

  1. 1. © 2017 SPLUNK INC. Building the Analytics-Driven SOC James Hanlon, Security Markets Specialist, EMEA Johan Bjerke, Security Staff Engineer, UK MAY 11, 2017 | LONDON
  2. 2. © 2017 SPLUNK INC. 1. A look at traditional security operations 2. Security operations emerging trends 3. How to use Splunk for an Analytics- Driven SOC Agenda
  3. 3. © 2017 SPLUNK INC. Traditional Security Operations
  4. 4. © 2017 SPLUNK INC. A SOC By Any Other Name… ▶ Security Analytics Center ▶ Cyber Fusion Center ▶ Cyber Defense Center ▶ Threat Defense Center ▶ Detection and Response Teams A centralized unit that deals with security on an organizational & technical level Security Operations Center (SOC) Cyber Defense Center (CDC) A team composed primarily of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents
  5. 5. © 2017 SPLUNK INC. “A perception of the SOC as a big alert pipeline is outdated and does not allow the organization to make use of more active processes such as internal Threat Intelligence generation and Threat Hunting.” – [1] Anton Chuvakin https://www.gartner.com/doc/3479617 Traditional SOC Alert Pipeline?
  6. 6. © 2017 SPLUNK INC. Hybrid OutsourceInsource Types of Traditional SOCs… 10 Strategies of a World Class Cybersecurity Operations Center, Mitre 2014 Virtual Small Large Tiered National Choices?
  7. 7. © 2017 SPLUNK INC. Should or Can I build a SOC? ▶ Objectives & Business Alignment ▶ Motivation >> Cost ▶ Industry Guidance ▶ Data Visibility ▶ Staff Acquisition & Retention ▶ Sourcing Models ▶ Automation & Efficiency ▶ Service Catalogue Expansion Challenges of traditional Security Operations Security Operations Objectives & Business Alignment Cost Industry Guidance Data Visibility Staffing Sourcing Models Automation & Efficiency Service Catalogue Expansion
  8. 8. © 2017 SPLUNK INC. Many how-to guides…but little prescriptive guidance
  9. 9. © 2017 SPLUNK INC. The Critical Challenge: Balancing Security Priorities & Business Alignment Security Operations: only part of the bigger picture… Security Architecture Risk and Compliance Security Engineering Security Operations Includes SOC https://www.sans.org/security-resources/posters/leadership/security-leadership- poster-135
  10. 10. © 2017 SPLUNK INC. Emerging Trends in Security Operations
  11. 11. © 2017 SPLUNK INC. To meet the challenges of the new "detection and response" paradigm, an intelligence- driven SOC also needs to move beyond traditional defenses, with an adaptive architecture and context-aware components. To support these required changes in information security programs, the traditional SOC must evolve to become the intelligence- driven SOC (ISOC) with automation and orchestration of SOC processes being a key enabler. Gartner, 2016 The desire for a better SOC is clear.. http://www.gartner.com/newsroom/id/3347717 Splunk EMEA CISO SOC RoundTable  Know what your SOC needs to achieve!  Align to business!  Build business support  Build a strategic roadmap  Address people challenges and cost strategies early  Define data sources for SOC insights  Select technology wisely Splunk CISO’s, 2016
  12. 12. © 2017 SPLUNK INC. Three Interrelated Components of Security Process PeopleTechnology [2017 FOCUS] [2017 FOCUS] [Automation & Analytics is the Driving Force]
  13. 13. © 2017 SPLUNK INC. 1. Threat Monitoring 2. Incident Investigation 3. Incident Response Defining the SOC Service Catalogue “What do you need to achieve?” 4. Operational Reporting 5. Business Reporting! Mapping the Service Catalogue Splunk SOC Optimisation Workshop
  14. 14. © 2017 SPLUNK INC. Example Documented Service Catalogue Services Catalogue ● Announcements & advisories ● Alerts & warnings ● Incident response, support & analysis ● Artefact analysis ● Cyber threat intelligence ● IDS & log management ● Vulnerability assessment
  15. 15. © 2017 SPLUNK INC. ▶ Tier-1Triage ▶ Off hours ▶ Tool Engineering ▶ Outside Help With Specialties • Reverse Engineering • Forensics • Advanced IR • Red/Purple teaming Hybrid Models (i.e. Int SOC platform + MSS) are becoming more common
  16. 16. © 2017 SPLUNK INC. ▶ Big Data Log Platform (BLDP) ▶ User Behavior Analytics (UBA) ▶ Threat intelligence (TI) (consumption, creation & sharing) ▶ Threat Hunting (TH) ▶ Threat & Vulnerability Management (TVM) ▶ Security Incident Response (SIR) ▶ Security Operations Automation (SOA) New Automation & Tooling Opportunities in the SOC Security Operations Big Data Log Platform (BDLP) User Behavior Analytics (UBA) Threat intelligence (TI) Threat Hunting (TH) Threat & Vulnerability Management (TVM) Security Incident Response (SIR) Security Operations Automation (SOA)
  17. 17. © 2017 SPLUNK INC. … effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment. https://www.sans.org/reading-room/whitepapers/analyst/ who-what-where-when-effective-threat-hunting-36785 “Threat Hunting”
  18. 18. © 2017 SPLUNK INC. ▶ Start with a hypothesis that considers: • Situational Awareness (often crown jewels focused) • Threat Intelligence • Domain experience • Best Results > all 3! ▶ Requires lots of data ▶ Flexible platform to ask/answer questions ▶ Process Automation ▶ Data science / ML / Analytics increasingly used How are SOC Teams Hunting? https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
  19. 19. © 2017 SPLUNK INC. SOC Persona Responsible for the operations, technology, team and leadership Responsible for the technology, product, upgrades SIEM Admin, Tools Engineer Security Analyst Hunter, Incident Responder SecOps / SOC Manager / Director CISO / Head InfoSec Responsible for investigating alerts, incidents and triage Responsible for SOC process, initiatives, often budget Proactively/reactively hunts for threats. Head or Exec of Info Security, Security Considerations: Hiring & Retention Shift Rotations & Coverage Skills Development Business Engagement
  20. 20. © 2017 SPLUNK INC. Calculating the Staff Requirements & Costs Mapping the Staffing Requirements & Costs Splunk SOC Optimisation Workshop
  21. 21. © 2017 SPLUNK INC. ✓ Fast data onboarding ✓ Any data source ✓ Easy correlation ✓ Automation / integration ✓ Performant and scalable ✓ Full fidelity ✓ Retention and integrity ✓ Normalized ✓ Enables Hunting ✓ Forensic investigation ✓ Alerting ✓ User access controls ✓ Flexible Visualization ✓ Advanced Analytics (ML?) Critical Characteristics for Log Data Platforms
  22. 22. © 2017 SPLUNK INC. 1. Assets and Identities 2. Threat intel 3. Firewall 4. Network metadata 5. Authentication 6. Server (Windows / Linux) 7. Endpoint 8. IDS / IPS 9. VPN 10.Application 11.Vulnerability Common SOC Data Sources Mapping the Data source Requirements Splunk Security Data Source Assessment
  23. 23. © 2017 SPLUNK INC. Challenges to building you own custom cyber data lake: ▶ Dirty data ▶ Debugging custom big data collectors ▶ Accessing data ▶ Little value beyond collection ▶ Little value beyond keyword searching ▶ Little threat detection value ▶ Ability to find, retain & integrate skills needed Build your own custom cyber security data lake? http://blogs.gartner.com/anton-chuvakin/2017/04/11/why-your-security-data-lake-project-will-fail/
  24. 24. © 2017 SPLUNK INC. Splunk for Analytics-Driven SOC
  25. 25. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  26. 26. © 2017 SPLUNK INC. Splunk as the Nerve Center Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall
  27. 27. © 2017 SPLUNK INC. Splunk Security Portfolio • Risky behavior detection • Advanced attacks & insider • Entity & kill chain profiling Enterprise Security Response • Security analytics (SOC) platform • Incident response workflow • Adaptive response • OOB key security metrics Splunk Enterprise Detection Realm of Known Human-driven Splunk Security Essentials/UBA Detection Realm of Unknown ML-driven • Any data log aggregation • Rules, statistics, correlation • Search, visualize & hunt
  28. 28. © 2017 SPLUNK INC. Splunk Enterprise Security A collection of orchestration frameworks for SOC Operations NOTABLE EVENT THREAT INTELLIGENCE ASSET AND IDENTITY CORRELATION ADAPTIVE RESPONSE RISK ANALYSIS Platform for Operational Intelligence
  29. 29. © 2017 SPLUNK INC. A Recipe for the Security Analytics Driven SOC Event Aggregation Incident Creation Investigation & Response Investigative Platform ▶ Flexible Analyst Visualisation ▶ Provide automation with security solutions & tooling ▶ Security operations orchestration & threat hunting Simple Detection ▶ Rules & Statistics ▶ Quick development ▶ Easy for analysts Advanced Detection ▶ Detect unknown ▶ New vectors ▶ Machine learning Event Management ▶ Fast data onboarding ▶ Manage High Volume ▶ Track Entity Relationships Alert Management Incident Contextualization (Enrichment) Decrease MTTR
  30. 30. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  31. 31. © 2017 SPLUNK INC. 1. Select an Appropriate SOC Sourcing Strategy 1 2 3 4 On Premise Cloud Only Hybrid Spilt Technology & SOC Provider Model ▶ To Prevent, Detect, Respond and Predict
  32. 32. © 2017 SPLUNK INC. Customer ▶ UK’s largest building and construction supplier ▶ 20+ business units in group & 27,0000 employees Challenges ▶ Failed previous SIEM project ▶ Complex mix of legacy on premise and cloud solutions ▶ Difficult ingesting data sources for visibility ▶ Limited security personnel Customer Solution: Splunk Enterprise & Splunk Enterprise Security) ▶ Fast time from data ingestion to obtaining security insight ▶ Splunk Cloud removes pain from managing host infrastructure ▶ Intrinsic Splunk ES risk scoring has been pivotal in multiple cyber incidents ▶ Architecture design now serving non security use cases (IT Event Monitoring) RETAIL Building a Lean ‘Cloud’ SOC Splunk Security: Fast Time to Value
  33. 33. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  34. 34. © 2017 SPLUNK INC. ▶ Correlation across all security relevant data ▶ Insights from existing security architectures ▶ Advanced analytics techniques such as machine learning 2. Adopt an Adaptive Security Architecture To Prevent, Detect, Respond and Predict 1,000+ Apps and Add-ons Splunk Security Solutions
  35. 35. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  36. 36. © 2017 SPLUNK INC. ▶ Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources ▶ Support for STIX/TAXII, OpenIOC, Facebook ▶ Build your own data to create your own Threat Intel ▶ Out of the box Activity and Artifact dashboards 3. Threat Intelligence – ES Threat Intel Framework ▶ Determine impact on network, assets ▶ Use for analysis / IR ▶ Collect / provide forensics ▶ Use to hunt / uncover / link events ▶ Share info with partners Law Enforcement Feeds ISAC Feeds Agency Feed Commercial Service Community Feed Open-Source Feed Other Enrichment Services
  37. 37. © 2017 SPLUNK INC. Customer ▶ EU Intuitions own Computer Emergency Response Team (CERT) ▶ Supports 60 organizations across Europe supporting 100,000 end users Challenges ▶ Ingestion from many sources ▶ Constituents: very high value targets ▶ Complex decentralized, heterogeneous environment ▶ Need to correlate everything with everything: file-less lateral movements, bypassing protection layers, phishing attacks Customer Solution: Splunk Enterprise ▶ Provides common language and conventions to control all data (CIM) ▶ Drives time saving & reduces human error while increased visibility ▶ Enables any data & intelligence correlation. Easily integrates with custom security tooling via open API’s ▶ Two tier architecture with end users in control of their data GOVERNMENT Enabling EU Cyber Response Splunk Security: Trusted vhttps://de.slideshare.net/Splunk/splunk-live-utrecht-2016-cert-eu
  38. 38. © 2017 SPLUNK INC. Demo: Proactively Managing Threat Intelligence [Splunk Enterprise Security Threat Intelligence Management]
  39. 39. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  40. 40. • Accelerate anomaly and unknown threat detection – minimize attacks & insider threat • Use Splunk Security Essentials App – FOC App with 55+ UBA use cases • Premium Machine learning solution – Splunk User Behavior Analytics – Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM 4. Deploy Advanced Analytics – Native ML and UBA To Prevent, Detect, Respond and Predict: Security Essentials App UBA Premium Solution Premium Solution Integration
  41. 41. © 2017 SPLUNK INC. Demo: Deploying Advanced Analytics [Join us at the next security session to see the live demo!]
  42. 42. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  43. 43. © 2017 SPLUNK INC. 5. Proactive Investigation & Threat Hunting Enrichment Automation Search & Visualization Hypotheses Automated Analytics Data Science and Machine Learning Data and Intelligence Enrichment Data Search Visualisation Threat Hunting Enablement Integrated & out of the box automation tooling from artifact query, contextual “swim-lane analysis”, anomaly & time series analysis to advanced data science leveraging machine learning Threat Hunting Data Enrichment Enrich data with context and threat-intel across the stack or time to discern deeper patterns or relationships Search & Visualize Relationships for Faster Hunting Search and correlate data while visually fusing results for faster context, analysis and insight Ingest & Onboard Any Threat Hunting Machine Data Source Enable fast ingestion of any machine data through efficient indexing, a big data real time architecture and ‘schema on the read’ technology DATA MATURITY
  44. 44. © 2017 SPLUNK INC. Customer ▶ Third largest retail bank in Switzerland with 3m+ customer ▶ No 1 online payments provider Challenges ▶ Protecting financial assets & customer is a top priority ▶ Data ingestion and security insight ▶ Highly manual security analysis and reporting ▶ Cultural and organizational barriers to optimal security Customer Solution: Splunk Enterprise ▶ Risk reduction through E-payment & debit card fraud detection ▶ Increased visibility & security automation for online banking, payment processing, customer data protection such as phishing attack workflows FINANCE Connecting Business & Security at a Swiss Bank Splunk Security: Business Value https://conf.splunk.com/session/2015/conf2015_PHoffman_PostFinance_UsingSplunkSearchLanguage_HowSplunkConnectsBusiness.pdf
  45. 45. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  46. 46. © 2017 SPLUNK INC. ▶ Use rules to automate routine aspects of detection and investigation ▶ Extract insights from existing security controls by use of common interface ▶ Take actions with confidence for faster decisions and response ▶ Automate any process along the continuous monitoring, response and analytics cycle 6. Promote Security Automation & Human Efficiency To Prevent, Detect, Respond and Predict: Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall + Splunk Adaptive Response Alliance
  47. 47. © 2017 SPLUNK INC. Demo: Driving Automation [Splunk Enterprise Security Adaptive Response]
  48. 48. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  49. 49. © 2017 SPLUNK INC. SECURITY & RISK IT OPERATIONS BUSINESS ANALYTICS SAME DATA Of theAsking differentDifferent PEOPLE QUESTIONS 40-70%security data that can be re-used for additional non security business value Online Services SplunkCustomer ValueExamples $11m Benefit Increased revenue from higher uptime High Tech $25m Benefit Increased revenue from higher uptime Oil & Gas $200m Benefit Revenues from Preventing APT’s Transportation $1b Benefit Optimisation with Sensor Data 7.From Security to Enterprise Data Insights
  50. 50. © 2017 SPLUNK INC. Customer ▶ Operate in 60 counties with over 45,000 Employees ▶ 29 engineering and project execution centers and 5 fabrication yards Challenges ▶ Needed to gain operational visibility into distributed infrastructure ▶ Unable to meet compliance needs (PCI, ISO27001, SOX, Privacy) ▶ Struggling with governance of IT Operations ▶ Inability to reports holistically across all domains Customer Solution (Splunk Enterprise) ▶ Real time data insights across Security, ITOps & Application Development ▶ LoB security risk & compliance reporting ▶ SIEM & One ‘dashboard’ to rule them all ▶ IT Operations, application, server reboot, software license utilization monitoring… OIL & GAS Drive Enterprise Insights! Splunk Security: Build an Enterprise Data Fabric from Security
  51. 51. © 2017 SPLUNK INC. Demo: Connecting (Visualizing) Security for the Business [Splunk Enterprise Security Glass Tables]
  52. 52. © 2017 SPLUNK INC. 1. Select the right sourcing strategy 2. Adopt an adaptive security architecture 3. Optimise threat intelligence management 4. Deploy advanced analytics 5. Proactive investigation & threat hunting 6. Promote security automation & human efficiency 7. Drive Enterprise ‘Not Just’ Security Insights “7 Enablers” of the Analytics Driven SOC
  53. 53. © 2017 SPLUNK INC. Wrapping up
  54. 54. © 2017 SPLUNK INC. Helping you build your analytics driven SOC Security Nerve Center
  55. 55. Next Step: Splunk Security Workshops SIEM+/SOC Readiness, Security Use Case Definition, Security Data Source Assessment, Security Automation, Security Business & Risk Visualisation…...... • Scope data sources, use cases and volumes • Security Analytics & SOC Building • Adding Machine Learning to SecOps • Learn how to visualize security success for the business • Data privacy & protection Contact your Splunk representative to find out how to schedule
  56. 56. Threat Activity Dashboard Splunk Quick Start for Security Analytics & SOC Rapidly Determine Advanced Malware and Threat Activity Malware Center Dashboard
  57. 57. © 2017 SPLUNK INC. • 5,000+ IT and Business Professionals • 175+ Sessions • 80+ Customer Speakers PLUS Splunk University • Three days: Sept 23-25, 2017 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP SEPT 25-28, 2017 Walter E. Washington Convention Center Washington, D.C. CONF.SPLUNK.COM .conf2017: The 8th Annual Splunk Conference
  58. 58. © 2017 SPLUNK INC. Rate This Session on Pony Poll ponypoll.com/london17 Complete the survey for your chance to win a .conf2017 pass
  59. 59. Learn: How Travis Perkins built a SOC in the Cloud blogs.splunk.com Learn: Three Tips from Cisco’s CSIRT using Splunk isc2.org Try it yourself: Splunk Enterprise Security in our Sandbox with 50+ Data Sources splunk.com
  60. 60. © 2017 SPLUNK INC. Helping you build your analytics driven SOC Security Nerve Center Thank You

×