This session will review Splunk’s two premium solutions - Splunk Enterprise Security (ES) is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams.

1. Copyright © 2016 Splunk Inc.
Splunk Enterprise Security & Splunk UBA Overview
SplunkLive New York City 2016
Anurag Gurtu agurtu@splunk.com
Director, Product Marketing, Splunk Behavioral Analytics
René Agüero raguero@splunk.com
Area Manager, Security Markets

2. 2
2
> Anurag Gurtu agurtu@splunk.com
• 1 year at Splunk – Director, Product Marketing, Splunk
Behavioral Analytics
• 15 years in Security (Caspida, FireEye, Cisco, Tripwire,
Computer Associates) in following roles: Product
Management, Technical Marketing, R&D, Software
Development and Professional Services.
• CISSP and a few Cisco Certifications (Firewall, IPS, Routing,
and Switching)
Who Am I (1/2)

3. 3
3
> René Agüero raguero@splunk.com
• 1 year at Splunk – Security Specialist
• Based in Manhattan
• 18 years in security – MCSE NT4.0
• CISSP, MSBA – Information Assurance (forensics, auditing and
security)
• Offensive Security
• Exploitation – Metasploit, Web attacks
• Rapid7 SE Director
Who Am I (2/2)

4. 4
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

5. 5
Agenda
Splunk Portfolio Update
Enterprise Security
User Behavior Analytics

6. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

7. 7
All Data is Security Relevant
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-Malware
Vulnerability
Scans
Traditional SIEM
Authentication

8. 8
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

9. Splunk for Security, Compliance & Fraud
Platform for Machine Data
Security &
Compliance Reporting
Monitor & Detect
Known/Unknown Threats
Fraud
Detection
Insider
Threat
Incident Investigations
& Forensics
Security
Analytics

10. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

11. 11
Adaptive Response Initiative – RSA 2016
11
App workflow
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints
Mission: Bring together the best security
technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-
to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain

12. Splunk Enterprise Security

13. Splunk Enterprise Security
Incident Investigations & ManagementAlerts & Dashboards & Reports
Statistical Outliers & Risk Scoring & User Activity Threat Intel & Asset & Identity Integration
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
13

14. What’s new in Splunk Enterprise Security?

15. 15
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
15
ES 4.1 and UBA 2.2

16. 16
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

17. 17
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

18. 18
Replacing a SIEM @ Cisco
Challenges
• SIEM could not meet security needs
• Very difficult to index non-security or custom app log data
• Serious scale and speed issues. 10GB/day and searches took > 6 minutes
• Difficult to customize, reliance on pre-built rules which generated false positives
Splunk Solution
• Easy to index any type of machine data from any source
• Over 60 simultaneous users, correlations, reporting, advanced threat detection
• Use all data + flexible searches and reporting = empowered team
• 900 GB/day and searches take < minute. 7 global data centers with 350TB store
• Estimated that Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk
from traditional SIEM
as Splunk is designed
and engineered for “big
data” use cases. Our
previous SIEM was not
and simply could not
scale to the data
volumes we have. “
- Gavin Reid, Leader,
Cisco Computer
Security Incident
Response Team

19. Must read for anyone operating a SOC
Cisco CSIRT playbook

20. Splunk User Behavior Analytics

21. 21
Familiar With These Breaches?
January 2015 February 2015 February 2015
Vertical: Finance
730K
PII Records
Vertical: Healthcare
80M
Patient Records
Vertical: Public Sector
22M
PII Records

22. 22
What Is The Problem COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

23. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Cyber Attack Detection Insider Threat Detection Security Analytics
Platform for Machine Data

24. Splunk User Behavioral Analytics
FIVE FOUNDATIONAL Pillars
Platform for Machine Data
Behavior Baseline &
Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Anomaly Detection Threat Detection

25. What’s new in Splunk UBA?

26. 26
Enhanced Insider Threat And Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2

27. 27
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

28. 28
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

29. 29
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
 Risk Percentile & Dynamic Peer Groups
 Support for Additional 3rd Party Devices
UBA 2.2

30. A Few Customer Findings
 Malicious Domain
 Beaconing Activity
 Malware: Asprox
 Webshell Activity
 Pass The Hash Attack
 Suspicious Privileged
Account activity
 Exploit Kit: Fiesta
 Lateral Movement
 Unusual Geo Location
 Privileged Account
Abuse
 Access Violations
 IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

31. 31
What Customers Have To Say About Splunk UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba

32. ES & UBA Demo

33. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

34. Security Workshops
34
ES Benchmark Assessment
• Prescriptive recommendations on operationalizing ES
• Use case and data source prioritization
CSC20 Assessment
• Measure current state against CSC20
• Provide guidance on best route to meet CSC20
Data Science Workshop
• Automating defenses
• Security Algorithms – rules that tune themselves with your data

35. 35
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

36. Thank You!