.conf Go Zurich 2022 - Security Session

6. © 2022 SPLUNK INC. The Data-Centric Modern SOC Threat Detection, Investigation and Response Data Platform Intelligence Management Threat Research Analytics Automation and Orchestration Detect/Correlate Predict/Prevent Discover/Prepare Analyze/Investigate Report/Comply Triage/Respond Unparalleled Ecosystem • Apps • Technical architectures • Connections • Partners • Community

8. © 2022 SPLUNK INC. Threat Modeling ● Define Scope and Depth ● Identify and Prioritize Threats ● Structured Process Identify Assets Identify Threats & Risk Understand Line of Business Countermeasure & Gap Analysis Outline Architecture

10. © 2022 SPLUNK INC. Security Monitoring Journey ● End-to-End Structured Process ● Improve Engagement ● Measurable Outcome ● Cloud Migration ● Automation 3 1 5 2 4 6 TM Questionnaire Feasibility Assessment Abuser Detection TM Sessions Log Ingestion Remediation Playbook Abuser Monitoring

16. © 2022 SPLUNK INC. How Does This Look in Practice? With risk-based alerting, these events become context that informs high-fidelity alerts Risk Incident Rule: Generate alert for any user or system that exceeds a risk score of 100 in a 24 hour period Aggregated user risk score >100 ALERT With one click, view all of the risk events that contribute to the alert Potential spearphishing observed 10 pts Suspicious command disabling controls 15 pts Suspicious Powershell observed 20 pts AWS ACLs opened up all access 10 pts AWS user provisioning observed 15 pts AWS buckets created 15 pts AWS permanent creation observed 20 pts 6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM

18. © 2022 SPLUNK INC. Use Case Development CIS Top 20 Controls Recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks Different Frameworks/Process Flows MITRE ATT&CK MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Customer specific use cases To organize use cases, a use case framework should be used. Such frameworks enable control over use cases and provide insight into identify how well an organization is capable of defending against cyber threats. Content Description 01 - Inventory of Authorized and Unauthorized Devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. 02 - Inventory of Authorized and Unauthorized Software Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. 03 - Secure Configurations for Hardware and Software Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

21. © 2022 SPLUNK INC. Deliver IOC to ES Alert / Inform Employee Change Severity Check EP Search for Mails Approve Block Mails Check URL Real Use Case: Phishing Mail The Investigation Process to solve a Phishing Mail Incident Core Big Data Platform SIEM Incident Anaylst Handling SOAR Automation & Orchestration Ingest Threat Hunting Check for exiist. IOC Check for exist. User OOTB content Analyst driven ML/AI driven Ingest Event Create Ticket Check URL Change Severity Check User Endpoint Search for similar Emails (Human) Approve Process Block incoming Mail Alert Employes Deliver to Splunk Core/ES Ingest Create Ticket Deliver IOC to Core Block Mails Adaptive Response

22. © 2022 SPLUNK INC. Security PVP - Your Security Maturity Index, Search, Monitor & Alert Level 1 ● Use of Pre-built Content ● Centralized Retention and Visibility for all Data ● Security Monitoring Dashboards ● Alerting ● Basic Reporting ● Ad-Hoc Investigation and Incident Response ● Historical Data Analysis 55% Normalize, Correlate & Risk Level 2 ● Data Normalization ● Security Use Case Library ● Risk Awareness and Alert Prioritization ● Threat Intelligence ● Information and Event Correlation ● Notable Event Management ● Triage & Investigation Workflows 50% Collaborate, Hunt & ML Level 3 ● Risk Based Alerting ● Insider Threat Detection ● Semi-Automated Playbooks (Orchestration & Response) ● Pre-Built Machine Learning security content ● Threat Hunting ● Continuous Use Case development ● Incident Collaboration 26% Simulate, Respond & Fully Automate Level 4 ● Risk Reporting ● Full Playbook Automation ● Custom Machine Learning security content ● Stream Processing and stream Analytics ● Attack Simulation ● Effective collaboration & integration with other teams or tools ● Breach Response 36% Security Maturity Reactive Proactive 42% green - implemented | orange - to be implemented medium term | red - highly recommended for the security posture xx% - Maturity today

29. © 2022 SPLUNK INC. Monitoring Net/OS/Virt/App CPU/Mem/Disc Events Logs Metrics Application Traces Databases Networks Servers Virtual Machines Smartphones and Devices Custom Applications Security Web Server Sensors SAP Container IBM OpenWhisk AWS Lambda GCP Functions SIEM SOAR SOC/CERT Triage EDR NDR XDR UEBA Security Operation and Analytics NOC OT CMDB Threat Intel Use Cases ML ML Security Nerve Center Search – Correlate - Investigate – Analyze - Act

30. © 2022 SPLUNK INC. Databases Networks Servers Virtual Machines Smartphones and Devices Custom Applications Security Web Server Sensors SAP Container IBM OpenWhisk AWS Lambda GCP Functions SIEM SOAR SOC/CERT Triage EDR NDR XDR UEBA Security Operation and Analytics NOC OT CMDB Threat Intel Use Cases ML ML Security Nerve Center Search – Correlate - Investigate – Analyze - Act Monitoring Net/OS/Virt/App CPU/Mem/Disc Events Logs Metrics Application Traces

31. © 2022 SPLUNK INC. Databases Networks Servers Virtual Machines Smartphones and Devices Custom Applications Security Web Server Sensors SAP Container IBM OpenWhisk AWS Lambda GCP Functions SIEM SOAR SOC/CERT Triage EDR NDR XDR UEBA Security Operation and Analytics NOC OT CMDB Threat Intel Use Cases ML ML Security Nerve Center Search – Correlate - Investigate – Analyze - Act Monitoring Net/OS/Virt/App CPU/Mem/Disc Events Logs Metrics Application Traces

32. © 2022 SPLUNK INC. Monitoring Net/OS/Virt/App CPU/Mem/Disc Events Logs Metrics Application Traces Databases Networks Servers Virtual Machines Smartphones and Devices Custom Applications Security Web Server Sensors SAP Container IBM OpenWhisk AWS Lambda GCP Functions SIEM SOAR SOC/CERT Triage EDR NDR XDR UEBA Security Operation and Analytics NOC OT CMDB Threat Intel Use Cases ML ML Security Nerve Center Search – Correlate - Investigate – Analyze - Act

.conf Go Zurich 2022 - Security Session

.conf Go Zurich 2022 - Security Session

Recomendados

Mais conteúdo relacionado

Similar a .conf Go Zurich 2022 - Security Session

Similar a .conf Go Zurich 2022 - Security Session(20)

Mais de Splunk

Mais de Splunk(20)

Último

Último(20)

.conf Go Zurich 2022 - Security Session