1. Copyright © 2016 Splunk Inc.
Enterprise Security
and UBA Overview

2. 2
Agenda
Splunk Portfolio Update
Enterprise Security 4.5
User Behavior Analytics 3.0

3. VMware
Platform for Machine Data
Splunk Solutions > Easy to Adopt
Exchange PCISecurity
Across Data Sources, Use Cases and Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

4. 4
Splunk Releases
4
Splunk Enterprise and Splunk Cloud 6.5
Enterprise Security 4.5
ES
User Behavior Analytics 3.0
UBA

5. 5
5
Splunk Security Vision
Security Markets
SIEM and
Compliance
Security Analytics
(supervised and
unsupervised)
Fraud and
Business Risk
Managed Security
and Intelligence
Services
Splunk Security Intelligence Framework
Workflow/collaboration, case management, content/intelligence syndication and Ecosystem brokering

6. 6
Enterprise Security
Provides: SIEM and Security Intelligence Platform for security operations/command
centers
Functions: alert management, detects using correlation rules (pre-built), incident
response, security monitoring, breach response, threat intelligence automation,
statistical analysis, reporting, auditing
Persona service: SOC Analyst, security teams, incident responders, hunters, security
managers
Detections: pre-built advanced threat detection using statistical analysis, user
activity tracking, attacks using correlation searches, dynamic baselines
6

7. 7
User Behavior Analytics
Provides advanced threat detection using unsupervised machine learning –
enriches Splunk Enterprise Security (SIEM)
Functions: baselines behavior from log data and other data to detect
anomalies and threats
Persona service: SOC Analyst, hunters
Detections: threat detection (cyber attacker, insider threat) using
unsupervised machine learning and data science.
7

8. Copyright © 2016 Splunk Inc.
Enterprise Security
8

9. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

10. 10
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant
for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four Years in a Row as a Leader
Furthest overall in Completeness
of Vision
Splunk also scores highest in 2016
Critical Capabilities for SIEM
report in all three Use Cases

11. 11
11
Splunk scores highest in 2016 Critical Capabilities for SIEM* report
in all three Use Cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and
should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise
technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner
disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

12. 12
App
Servers
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center
Identity

13. 13
Splunk Enterprise Security: Fast Facts
● Current version: 4.5 released on October 12, 2016
● Two major releases per year
● Content comes from industry experts, market analysis, but most
importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast,
and customizable
● ES has its own development team, dedicated support, services
practice, and training courses

14. The best part of ES is free!
● You’ve got a bunch of systems…
● How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● CIM = Data Normalization

15. Copyright © 2016 Splunk Inc.
NORMALIZATION?!?

16. Copyright © 2016 Splunk Inc.
NORMALIZATION?!?
Relax. This is
therefore, CIM gets applied at SEARCH TIME.

17. Data Normalization is Mandatory for your SOC
“The organization consuming the
data must develop and consistently
use a standard format for log
normalization.” – Jeff Bollinger et.
al., Cisco CSIRT
Your fields don’t match? Good luck
creating investigative queries

18. 18
Splunk Enterprise Security – SIEM and Security Intelligence
18
Q4 2014 Q2 2015 Q4 2015
ES 3.2
• Protocol
Intelligence
• Semantic
Search
ES 4.1
• Behavior
Anomalies
• Risk and Search in
Incident Review
• Facebook
ThreatExchange
ES 3.3
• Threat Intel
Framework
• User Activity
Monitoring
• Content Sharing
• Data Ingestion
ES 4.0
• Breach Analysis
• Integration with
Splunk UBA
• Enterprise
Security
Framework
Q2 2016
ES 4.2
• Adaptive
Response
enablement
• Performance
• Actions
Dashboard
• Search Driven
Lookup
Q3 2016

19. 19
SIEM Criteria for Enterprises
Logging and Deployment Splunk Solution
Real-time event data collection Splunk Enterprise
Scalable architecture, deployment flexibility A Splunk Enterprise
Log management, Search and Ad hoc Search Splunk Enterprise
SIEM Capabilities Splunk Solution
Incident Response and Management Splunk Enterprise Security
User monitoring Splunk Enterprise Security
Advanced Analytics Splunk Enterprise Security
Threat intelligence and Business Context Splunk Enterprise Security
Real-time Monitoring Splunk Enterprise Security
Advanced Threat Defense Splunk Enterprise Security
Data and application monitoring Splunk Enterprise and Enterprise Security
Deployment and Support Flexibility Splunk Enterprise and Enterprise Security
Based on Gartner Research Document : 2016 Critical Capabilities for SIEM

20. SplunkEnterpriseSecuritysupportsall SIEM usecases
MONITOR
REPORT
ANALYZE
INVESTIGAT
E
RESPOSE
COLLABORATE
DETECT
ALERT
ReportAd hoc
Search
Analyz
e
Collect Store
Pre-defined
views and
rules
Correlation
rules,
thresholds
Analysis
investigation
& context
enrichment
Enterprise-
wide
coordination
& response
SIEM
Security Ops Management
Alert & incident management,
policy based rules, out-of-box
security rules & analysis
Data Platform
Collect, Index data for search and
analysis, visualization. Dynamic
adhoc and statistical analysis
FUNCTIONS

21. 21
AUTOMATION
VISUALIZATION
ISUALIZATION DETECTION
What’s new in Enterprise Security 4.5?
Adaptive Response Glass Tables
Extend Analytics-driven
Decisions and Automation
Enhance Visual Analytics With
Glass Table Views
Use connected intelligence for
security operations to gain full
visibility and responsiveness
across your security ecosystem
Create custom visualizations that
reflect your workflows, topology,
detect, investigate and respond
sequences with dashboards,
summary views with relevant
context to suit your needs

22. 22
Adaptive Response: Analytics-driven Decisions, Automate
• Centrally automate retrieval, sharing and response action
resulting in improved detection, investigation and
remediation times
• Improve operational efficiency using workflow-based
context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and
taking actions between Enterprise Security and Adaptive
Response partners

23. 23
Accelerate Detection, Investigation and Response
• Use the correlation search builder
to configure and automate and
attach the results to notable events
• In incident review, configure and
execute responses and queries
across the security ecosystem
• Use the actions dashboard to
search and review responses taken
and their results

24. 24
Adaptive Response Actions (Examples)
AUTOMATION
Category - Information gathering, Information conveyance, Permissions control
Task - Create, Update, Delete, Allow, Block
Subject – what will be acted upon (network, endpoint, etc)
Vendor – providing the action. Ex; Splunk, Ziften, Palo Alto Networks, etc

25. 25
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
Workflow
Identity
Network
Internal
Network
Security
App
Endpoints
Web Proxy Threat Intel
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout

26. 26
Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security
metrics within a logical or physical Glass Table view
• Improve response times with nested views to display what’s
important or relevant
• Optimize workflow with drill-down to the supporting criteria
of the metric

27. 27
Simplify Analysis with Custom Views of Security Metrics
• Custom visualizations that
reflect workflows,
topology, detect,
investigate and respond
sequences with
dashboards, summary
• Views with relevant
context to suit your needs
Example: Threat KPI Glass Table

28. ES Demo

29. Copyright © 2016 Splunk Inc.
ES Questions?
29

30. Copyright © 2016 Splunk Inc.
Splunk User Behavior Analytics

31. 31
DISCLAIMER
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

32. 32
TECHNOLOGY EVOLUTION
1995
2002
2008
2011
2015
END-POINT SECURITY NETWORK SECURITY EARLY CORRELATION PAYLOAD ANALYSIS BEHAVIOR ANALYSIS

33. 33
SO, WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

34. 34
EXTERNAL
ATTACK
USER ACTIVITY
Peter and Sam access a compromised website -
backdoor gets installed
The attacker uses Peter’s stolen credential and VPNs into
Domain Controller
The attacker uses the backdoors to download and execute
WCE – password cracker
Peter’s and Sam’s devices begin communicating with
CnC
The attacker logs in as Sam and accesses sensitive
documents from a file share
The attacker steals the admin Kerberos ticket and
escalates the privileges for Sam
The attacker uses Peter’s VPN credential to connect,
copies the docs to an external staging server, and logs
out after three hours
Day 1
.
.
Day 2
.
.
Day N

35. 35
INSIDER
THREAT
John connects via VPN
Administrator performs ssh (root) to a file share -
finance department
John executes remote desktop to a system
(administrator) - PCI zone
John elevates his privileges
root copies the document to another file share -
Corporate zone
root accesses a sensitive document
from the file share
root uses a set of Twitter handles to chop and copy the
data outside the enterprise
USER ACTIVITY
Day 1
.
.
Day 2
.
.
Day N

36. 36
Splunk Premium Security Solutions
Extensible Analytics &
Collaboration
Enable Rapid
Investigations
Automated Analysis &
Machine Learning
SPLUNK
ENTERPRISE SECURITY
SPLUNK USER
BEHAVIOR ANALYTICS

37. 37
WHAT IS SPLUNK UBA?
Splunk User Behavior Analytics
(Splunk® UBA) is an out-of-the-
box solution that helps
organizations find known,
unknown, and hidden threats
using data science, machine
learning, behavior baseline and
peer group analytics.

38. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
Behavior Baselining
& Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Threat & Anomaly
Detection
Security Analytics

39. 39
INSIDER
THREAT
Day 1
.
.
Day 2
.
.
Day N
John connects via VPN
Administrator performs ssh (root) to a file share -
finance department
John executes remote desktop to a system
(administrator) - PCI zone
John elevates his privileges
root copies the document to another file share -
Corporate zone
root accesses a sensitive document
from the file share
root uses a set of Twitter handles to chop and copy the
data outside the enterprise
USER ACTIVITY
Unusual Machine Access
(Lateral Movement; Individual
& Peer Group)
Unusual Zone (CorpPCI)
traversal (Lateral Movement)
Unusual Activity Sequence
Unusual Zone Combination
(PCICorp)
Unusual File Access
(Individual & Peer Group)
Multiple Outgoing Connections
& Unusual SSL session duration

40. A Few CUSTOMER FINDINGS
 Malicious Domain
 Beaconing Activity
 Malware: Asprox
 Webshell Activity
 Pass The Hash Attack
 Suspicious Privileged
Account activity
 Exploit Kit: Fiesta
 Lateral Movement
 Unusual Geo Location
 Privileged Account
Abuse
 Access Violations
 IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

41. PROXY SERVER
FIREWALL
WHAT DOES SPLUNK UBA NEED?
ACTIVE DIRECTORY /
DOMAIN CONTROLLER
DNS, DHCP
SPLUNK ENTERPRISE ANY SIEM AT A MINIMUM

42. 42
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
“Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.”
Mark Grimse, VP IT Security, Rambus
“A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.”
Randolph Barr, CSO, Saba

43. 43
WHY SPLUNK UBA?
THE MOST ADVANCED
UEBA TECHNOLOGY
THE LARGEST INVESTMENT IN
MACHINE LEARNING
A COMPLETE SOLUTION FROM
SPLUNK
DETECT THE UNKNOWNS
IMPROVE SOC & HUNTER EFFICIENCY

44. Thank You!

45. 45
• 6000+ IT, Security and Business Professionals
• 3 days of technical content
• 180+ sessions + hands-on labs
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
PLUS Splunk University
• Three days: Sept 23-25, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
#splunkconf2017

46. Thank You!