On your marks, get set GO! Take a more in-depth look at the automation and orchestration journey and the future of SOAR. Watch the SOCtails video here: https://www.youtube.com/watch?v=YzsGQzqaDYw&t=2s

1. © 2 0 1 9 S P L U N K I N C .
Lessons for a fast start
in Automation and
Orchestration
Security Breakout
George Panousopoulos, Security Strategist
March 16, 2020

2. During the course of this presentation, we may make forward‐looking statements regarding
future events or plans of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual
events or results may differ materially. The forward-looking statements made in the this
presentation are being made as of the time and date of its live presentation. If reviewed after
its live presentation, it may not contain current or accurate information. We do not assume
any obligation to update any forward‐looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is
subject to change at any time without notice. It is for informational purposes only, and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation
either to develop the features or functionalities described or to include any such feature or
functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk
Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States
and other countries. All other brand names, product names, or trademarks belong to their
respective owners. © 2019 Splunk Inc. All rights reserved.
Forward-
Looking
Statements
© 2 0 1 9 S P L U N K I N C .

3. © 2 0 1 9 S P L U N K I N C .
#whoarewe
Global Security Strategist
George Panousopoulos
Senior Sales Engineer
Chris Harazinski

4. © 2 0 1 9 S P L U N K I N C .
- Introduction
- The Automation & Orchestration journey
- Case Study: Norlys
- Case Study: EY
- The future of SOAR is here
- Epilogue
Agenda

5. © 2 0 1 9 S P L U N K I N C .
Cloud Security Endpoints
OrchestrationWAF & App Security
Threat Intelligence
Network
Web Proxy Firewall
Identity and Access
Splunk as the Security Nerve Center
Optimize People, Process and Technology
Operations
Analytics
Data Platform

6. CUSTOMER DELIVERY
Other Data Lakes
CLOUDON-PREM HYBRID WITH BROKERS
Platform for Machine DataPLATFORM
APPLICATIONS Future Splunk Solutions 3rd Party Plug-ins
SOLUTIONS
Mission Control
Cloud-Based Unified Security Operations
+
Security Operations Suite Architecture

7. I N G E S TD E T E C T
P R E D I C T A U T O M AT E
O R C H E S T R AT ER E C O M M E N D
C O L L A B O R AT E I N V E S T I G AT E
M A N A G E C A S E S
R E P O R T
Artificial
Intelligence
Content
Machine
Learning
Placeholders
Mark what the talk focuses on

8. © 2 0 1 9 S P L U N K I N C .
Automation is (not) easy. And neither is
Orchestration.

9. © 2 0 1 9 S P L U N K I N C .

10. © 2 0 1 9 S P L U N K I N C .
Use Case Best Practices
The best automation scenarios are easy to
understand.
 Known procedures
 They are documented
 The return is quantifiable and
 Undocumented
 White-board it out
 Document in a standardized widely accepted format

11. © 2 0 1 9 S P L U N K I N C .
Machine vs Human
Analytically consistent – not instinctive
Significantly faster – effective only when the analysis is focused
Visual and instinctive - experienced
Slower and prone to cognitive bias

12. © 2 0 1 9 S P L U N K I N C .
Use case vs Playbook
PlaybookUse Case

13. Playbook Methodology
Compact playbooks that quickly
perform common independent
functions.
Introducing utility playbooks:
• Ingest alert
• Collect evidence
• Create ticket
• Notify IR team
• Investigate evidence
• Scope event
• Contain asset
INTERACTION
ACTION ARTIFACTS
INPUT
Source(s) Events, Process,
Information Expected
The expected output of actions
performed by the process or
function
The transformation(s), duties,
actions to be performed by a
person, tool, analysis or
correlation to a function
Owner, Actioner, Supporter,
Consulted, Involved/Informed
between teams, technology or
events

14. Ingest
Ingested events are
brought infrom
sources and are
defined by the
capability of the
input source rather
than the asset built.

15. Notify
Notify playbook is
the scenario where
a party is informed
or notified of atask.

17. The Norlys
journey.
Automating 3 common use-cases at
SOARing heights.
https://www.slideshare.net/Splunk/splunklive-stockholm-2019-customer-presentation-norlys

18. Their Story ▶ Situation:
▶ Had to build log analytics and incident
response capabilities from the ground up for a
relatively big company in Denmark.
▶ Struggling with:
▶ Repetitive tasks, myriad of tools, slow webUIs,
creating and maintaining internal processes
▶ Wanted:
▶ A central screen for investigations with in-depth
documentation and automation capabilities.
▶ Enter Phantom:
▶ With Phantom we are now able to automate the
boring tasks and document every step, it
doesn’t matter if it’s automated or manual

19. Their 5 Step
Journey with
Splunk
Phantom
1. Using Phantom for documentation and adding everything
manually
2. Using applications in Phantom for semi-automated
investigation processes
3. Chaining applications/actions together for creating
playbooks
4. Customizing the playbooks with some custom code, if
needed
5. Connecting Splunk and Phantom for more closer
integration
 Most notable alerts from Splunk ES are now
forwarded to Phantom – automated ticket creation
 Most of the tickets are automatically initiating
enrichment actions – automated ticket enrichment
 Advanced incident handling capabilities: Mission
Control allows us to document and maintain our
processes inside Phantom

20. Use Cases at Norlys
Production server group
containment with 4 eyes
principle
Grab quarantined file
from an endpoint and
upload it to the malware
sandbox for analysis
Grab browsing history
from endpoint

21. © 2 0 1 9 S P L U N K I N C .
Use case 1: Production server group containment
with 4 eyes principle (2018)
▶ Same analyst can actually approve the "contain" action twice
▶ No 2-factor authentication
▶ Early, but working version of a great idea

22. © 2 0 1 9 S P L U N K I N C .
Use case 1: Production server group containment
with 4 eyes principle (2019)
▶ Cannot bypass logical decision
▶ DUO 2FA has been introduced

23. © 2 0 1 9 S P L U N K I N C .
Use case 2: Grab quarantined file from an endpoint and
upload it to the malware sandbox for analysis

24. © 2 0 1 9 S P L U N K I N C .
Use case 2: Grab quarantined file from an endpoint and
upload it to the malware sandbox for analysis (2018)
▶ This playbook required too many resources and used a lot of custom code
▶ Hard to maintain and to debug, but possible
▶ Is there a better and more automated way?

25. © 2 0 1 9 S P L U N K I N C .
Use case 2: Grab quarantined file from an endpoint and
upload it to the malware sandbox for analysis (2019)

26. © 2 0 1 9 S P L U N K I N C .
Use case 3: Grab browsing history from endpoint (2018)
▶ Early version, lot of custom code
▶ How can we improve it?

27. © 2 0 1 9 S P L U N K I N C .
Use case 3: Grab browsing history from endpoint (2019)

28. © 2 0 1 9 S P L U N K I N C .
You built the
easy stuff.
Now what?

29. © 2 0 1 9 S P L U N K I N C .
EY Case
Study
From "scary-slow" to "scary-fast" IOC
detection and sharing.
https://conf.splunk.com/files/2019/slides/SEC1280.pdf

30. Their Story

35. © 2 0 1 9 S P L U N K I N C .
"How do we hunt faster and how
do we take the info from this
incident to help others?"
Automation. Powered by Splunk>Phantom.

36. © 2 0 1 9 S P L U N K I N C .

37. © 2 0 1 9 S P L U N K I N C .

38. © 2 0 1 9 S P L U N K I N C .

39. © 2 0 1 9 S P L U N K I N C .

40. © 2 0 1 9 S P L U N K I N C .

41. © 2 0 1 9 S P L U N K I N C .

42. © 2 0 1 9 S P L U N K I N C .

43. © 2 0 1 9 S P L U N K I N C .

44. © 2 0 1 9 S P L U N K I N C .

45. © 2 0 1 9 S P L U N K I N C .
Key
Takeaways
Orchestration for the win
1. Because with Phantom you get:
• Better reporting (combining results from
an endpoint and network sensor)
• More robust orchestration (plugging into
all the tools with one click instead of
forgetting one or two)
• Faster response time(from YARA/SNORT
rule creation to execution in an
environment and results would take
days/weeks or not even be attempted)
2. Analysts did these YARA hunts in VTI in the
past, now EY can do it within a customer's
security data lake.

46. © 2 0 1 9 S P L U N K I N C .
Mobile and
beyond.
IR on the mobile is no longer a movie
thing.

47. © 2 0 1 9 S P L U N K I N C .
Splunk Phantom on your mobile device
• Phantom on Splunk Mobile brings the
power of Phantom security orchestration,
automation, and response (SOAR)
capabilities to your mobile device.
• No need to open your laptop. Orchestrate
security operations from the palm of your
hand.
• Respond faster than ever before, because
you’re reachable from anywhere.
• Run playbooks, triage events, and
collaborate with colleagues – all on-the-go.

48. © 2 0 1 9 S P L U N K I N C .
Phantom 4.8
Python 3 support Slash Commands Zero downtime
backups

49. © 2 0 1 9 S P L U N K I N C .

50. © 2 0 1 9 S P L U N K I N C .
Recommended Further Reads
Getting Started with Security Automation and Orchestration
https://www.splunk.com/en_us/blog/security/getting-started-with-security-automation-and-orchestration.html
Build Automated Decisions for Incident Response with Splunk Phantom (GE)
https://conf.splunk.com/files/2019/slides/SEC1446.pdf
Our Splunk Phantom Journey: Implementation, Lessons Learned, and Playbook Walkthroughs
(NAB)
https://conf.splunk.com/files/2019/slides/SEC1506.pdf
Hacking Your SOEL: SOC Automation and Orchestration
https://static.rainfocus.com/splunk/splunkconf18/sess/1522584681091001dUJr/finalPDF/SEC1233_HackingYourSOEL_Final_1538424831880001SlPY.pdf
Start with Investigation in Splunk Phantom
https://docs.splunk.com/Documentation/Phantom/4.8/User/MC
BONUS - Cops and Robbers: Simulating the Adversary to Test Your Splunk Security Analytics
https://static.rainfocus.com/splunk/splunkconf18/sess/1522696002986001hj1a/finalPDF/Simulating-the-Adversary-Test-1244_1538791048709001YJnK.pdf

51. CUSTOMER DELIVERY
Other Data Lakes
CLOUDON-PREM HYBRID WITH BROKERS
Platform for Machine DataPLATFORM
APPLICATIONS Future Splunk Solutions 3rd Party Plug-ins
SOLUTIONS
Mission Control
Cloud-Based Unified Security Operations
+
Splunk technology covered in this session

52. © 2 0 1 9 S P L U N K I N C .
Action Plan for next 90 days
Strategy
Schedule a PVP* with a Splunk security
expert.
Document your SOPs
Identify your automation priorities
Hands-On
Register for free at my.phantom.us
Schedule a Phantom Hands-On
workshop
* Prescriptive Value Path

53. Thank You
© 2 0 1 9 S P L U N K I N C .