2. Fill out the Postcard and win a SONOS Play:1 today
"currentTrack":{
"artist":"College",
"title":"Teenage Color - Anoraak Remix",
"album":"Nightdrive With You",
"albumArtURI":"/getaa?s=1&u=x-sonos-spotify%3aspotify%253atrack%253a3DjBDQs8ebkxMBo2V8V3SH%3fsid%3d9%26flags%3d32",
"duration":347,
"uri":"x-sonos-spotify:spotify%3atrack%3a3DjBDQs8ebkxMBo2V8V3SH?sid=9&flags=32"
},
4. What are common SecOps problems?
Malicious activities go undetected or are difficult to prevent
All threats look equally ominous
Long cycles to detect and respond
Security teams need to quickly identify and remediate issues – from early warning to breach investigation
5. Why Threat Intelligence?
Difficult to keep up with the rapidly evolving threat landscape
Know your adversaries so that you can develop strategies to remediate attacks
Internal resources – people, tools, process – are unable to keep up
Use 3rd party knowledge – collective intelligence?
Uncover compromised systems and search for advanced threats
Scope and investigate potential threats
6. What Does Threat Intelligence Consist Of?
"Feeds" – sources of threat intelligence
Platform or product with the ability to ingest feeds
Visualization of threat indicators
Ability to correlate across all context
7. Widening the Net
[Diagram: Broad Coverage, Multiple Threat Intelligence Feeds From Various Sources. Feed types shown: Law Enforcement Feeds, ISAC Feeds, Agency Feed, Commercial Service, Community Feed, Open-Source Feed, Other Enrichment Services]
Each feed provides a unique perspective on threats
Each feed provides a different benefit
Multiple feeds provide better "coverage"
9. Threat Intel feeds
[Diagram of feeds being brought in: Law Enforcement Feeds, ISAC Feed 1, ISAC Feed 2, Agency Feed 1, Agency Feed 2, Commercial Service 1, Commercial Service 2, Community Feed, Open-Source Feed, Other Enrichment Services]
Focus on using Threat Intel to investigate and remediate, not on how to bring the data in
10. Threat Intelligence Framework
Collect, manage (Data Management) -> Categorize (Threat Activity) -> Correlate (Correlation Data / Notable Events) -> Search (Data Search)
Framework built into Splunk Enterprise Security
12. Customer Success #1
Threat Data Sources
• Agencies
• Relationships
• Vendor Subscriptions
• ISACs
Splunk Threat Intelligence Framework
Result: Actionable Intelligence
• Malicious IP / URLs Blocked
• Compromised Credentials Remediated
• Impostor and New Domains Identified
Summary
• 25% of Threat Intelligence data feeds are actionable
• 90% of infections are blocked, most malware alerts "eliminated" with no impact to users
• Found compromised accounts/activity
13. Customer Success #2
Threat Data Sources
• 50+ Pre-packaged free feeds
• Own content
• Other 3rd party feeds (Facebook Threat Exchange)
Splunk ES Threat Intelligence Framework
Result: Automated IoC blocking
Summary
• Automated detection and blocking of indicators of compromise
• Improved efficiency
• Reduced time to remediation
14. Splunk helps you to Operationalize Threat Intel
Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources.
Integrated support for standards such as STIX/TAXII and OpenIOC
Build your own data to create your own Threat Intelligence
Out of the box Activity and Artifact dashboards
Prioritize, contextualize and analyze threats and remediate faster
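As an added example (not Splunk's code and not part of the deck), the collect / categorize / correlate flow from slide 10 and the aggregate, de-duplicate and STIX ingest points from this slide in Python: two constructed feeds (a plain-text block list and a STIX 2 bundle with assumed contents) are normalized into one de-duplicated indicator table, then matched against constructed log rows to produce notable events scored by how many feeds listed the indicator.

```python
import json
import re

# Constructed sample feeds (not from the deck); documentation-range IPs and example domains, not real IoCs.
FEED_BLOCKLIST = "# community list\n198.51.100.23\n203.0.113.7\nmalware.example\n"
FEED_STIX = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'phish.example']"},
    {"type": "malware", "name": "not-an-indicator"},
]})
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")

def parse_blocklist(text):
    """Plain-text feed: one indicator per line, '#' comments and blanks skipped."""
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            kind = "ipv4-addr" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", line) else "domain-name"
            yield kind, line.lower()

def parse_stix(text):
    """STIX 2 bundle: keep indicator objects whose pattern is a simple equality."""
    for obj in json.loads(text).get("objects", []):
        m = STIX_PATTERN.fullmatch(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m:
            yield m.group(1), m.group(2).lower()

def aggregate(feeds):
    """Collect and de-duplicate: one entry per (type, value), remembering every feed that listed it."""
    table = {}
    for name, parser, text in feeds:
        for kind, value in parser(text):
            table.setdefault((kind, value), set()).add(name)
    return table

def correlate(table, events):
    """Match log rows against the indicator table; indicators listed by more feeds score higher."""
    notables = []
    for ev in events:
        for kind, field in (("ipv4-addr", "dest_ip"), ("domain-name", "query")):
            key = (kind, str(ev.get(field, "")).lower())
            if key in table:
                notables.append({"event": ev, "indicator": key[1],
                                 "feeds": sorted(table[key]), "score": len(table[key])})
    return sorted(notables, key=lambda n: -n["score"])

FEEDS = [("community", parse_blocklist, FEED_BLOCKLIST), ("stix", parse_stix, FEED_STIX)]
EVENTS = [{"src_ip": "10.0.0.5", "dest_ip": "198.51.100.23"}, {"src_ip": "10.0.0.9", "query": "phish.example"},
          {"src_ip": "10.0.0.9", "query": "intranet.example"}]  # constructed log rows
NOTABLES = correlate(aggregate(FEEDS), EVENTS)
```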
15. MBDA Germany Drives Security Intelligence With Splunk Enterprise Security
• Enabling the security operations center (SOC) team to work very efficiently
• Since deploying ES, the average time to analyze a CERT message has been reduced from an average of 372 minutes to just 15.
• Real-time alerts identify attacks that would previously have gone undetected
• Analysis of historical data informs future security measures, resulting in a more resilient security posture overall
"Splunk dramatically reduces security risks at MBDA Germany. The software helps us to work much more efficiently, gain visibility across our entire network, react more quickly to security breaches and use insights from our data analysis to inform our future security strategy."
— Head of IT and Project Manager Information Technology, MBDA Germany
16. Hands-on: Try the Online Sandbox
7 Day personal environment
www.splunk.com
Malicious Activities are Going Undetected
Compromised systems, APTs, activity with specific patterns or characteristics
Malicious Activities are Difficult to Prevent
Limited actionable intelligence to scope and disrupt threats, how to prioritize actions?
Response Times are Slow
Scoping / closing breach spans SOC tiers, manual steps, difficult to anticipate / mitigate
Lost Time and Resources
Overhead in managing IoCs, multiple sources and people involved
"Prioritize" Threats
Need visibility into a given threat and the ability to weigh / assign scores
Long Cycles to Improve Security Posture
Accurate detection requires verifying key context / actionable data; accuracy and coverage, protect better via context / actionable data
Mention Threat Artifact and Threat Activity
Put the graphics in the next page.
Industry
• Manufacturing
Splunk Use Cases
Security Incident Investigation
Threat Intelligence
Correlation of CERT Tickets
Challenges
Lack of visibility across entire infrastructure
Undetected security threats in the network
Splunk Products
• Splunk Enterprise
• Splunk Enterprise Security
Data Sources
Network logs
Endpoint logs
Server logs
Data from switches
Data from gateways
Authentication logs
Case Study
http://www.splunk.com/en_us/customers/success-stories/mbda.html