A presentation from the Splunk Phantom roundtable on Security Orchestration, Automation, & Response (SOAR) Security. September 2018

1. © 2018 SPLUNK INC.© 2018 SPLUNK INC.
SOAR Roundtable
Angelo Brancato | Kai-Ping Seidenschnur
Donnerstag, 13. September 2018, Splunk München

2. © 2018 SPLUNK INC.
SOAR
Security Orchestration, Automation, & Response

3. © 2018 SPLUNK INC.
Who we are
Kai-Ping Seidenschnur
Staff Sales Engineer,
DACH
Angelo Brancato
Security Specialist,
EMEA

4. © 2018 SPLUNK INC.
•13:30 - Ankunft & Willkommens-Drinks / Snacks
•14:00 - Präsentation & Diskussion
• Offener Workshop Charakter
• Interaktion während des gesamten Workshops gewünscht
• Splunk Phantom funktionale Übersicht
• Orchestration & Automation
• Collaboration & Case Management
• Visualisaztion & Reporting
• Live Demo
• Exemplarische Playbooks
• Zusammenarbeit SIEM & SOAR
•17:00 - Closing & Drinks
Agenda

5. © 2018 SPLUNK INC.
Asymmetry
is
a
b#*+#!
We have to protect
all ways in.
The adversary must
Discover only one…

6. © 2018 SPLUNK INC.

7. THREATS
ARE MORE
COMPLEX AND
FAR REACHING
NOT CLOSING
THE SKILLS GAP
SECURITY TO
ENABLE BUSINESS
AND THE MISSION

8. © 2018 SPLUNK INC.
Theodore Roosevelt

9. © 2017 SPLUNK INC.
„By year-end 2020, 15% of organizations with a security team
larger than five people will leverage SOAR tools for orchestration and
automation reasons, up from less than 1% today.“
Gartner, November 2017, SOAR Report

10. © 2018 SPLUNK INC.
▶ Automation
• Playbook definition that makes use of the ecosystem orchestration
• Machine-based playbook execution and decision-making workflow
(with- and without human interaction)
SOAR = Security Orchestration, Automation, and Response
▶ Orchestration
• Machine-based integration connectors into the IT ecosystem
• Feature rich and bi-directional API integration
• Integration abstraction - ease of use and extensibility
▶ Response
• Policy-based coordination of human and machine-based activities
for event/case/incident workflows
• Reporting, Collaboration, Case Management

11. © 2018 SPLUNK INC.
Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED MANUAL (TODAY)
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
SOAR for Security Operations
Faster execution through the loop yields better security

12. © 2018 SPLUNK INC.
Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED AUTOMATED WITH PHANTOM
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
SOAR for Security Operations
Faster execution through the loop yields better security
ACTION RESULTS /
FEEDBACK LOOP

13. © 2017 SPLUNK INC.
When should I look into SOAR?
- Risk unknown
- In denial of breach
- No Incident
Response (IR) plans
- Ad-Hoc / Reactive
- Limited resources
- custom tools
- Basic alarming
- IR on roadmap
- Limited resources
- Risk understood
- SIEM in place
- Basic run books
- Some integrations
- Internal & external
resourcing
- Assume breached
- Formal run books
- SOAR
- Formal and (annually)
tested IR plan
- Panel of specialists
- Proactive threat hunting
- Continuous improvement
- IR plans tested regularly (agile)
- Holistic security view
- Forensic investigation and
legal agreement to share IR data
- Integration and Automation
- Internal and external resources

14. © 2018 SPLUNK INC.
Splunk in a Security Operation Center

15. © 2017 SPLUNK INC.
Splunk Security Portfolio
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping
Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall
Detail
Records
Energy MetersFirewall
Intrusion
Prevention Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing / Schema-on-Read
Splunk Processing Language (SPL)
Machine Data:
Any Location, Type, Volume
SIEM
UEBA
SOAR
SIEM: Security Information and Event Management
UEBA: User and Entity Behavior Analytics
SOAR: Security Orchestration, Automation and Response
API: Application Programming Interface
SDK: Software Development Kit
* Besides Security also IT-Operations, IoT,
Business Analytics, Application Analytics
Rich Ecosystem of
Splunk-built and community
Apps & Add-Ons
Premium Apps
Log Management
...
Platform for
Operational
Intelligence
-
One Platform, all
Use Cases*

16. © 2018 SPLUNK INC.
Analytics-Driven Security
Enterprise
Developer Platform (REST API, SDKs)
On-Premise, Cloud, Hybrid
Splunk App for
PCI Compliance
Machine Learning
Toolkit
CIS Top 20
Critical Security Controls
Add-Ons
Stream
Splunkbase
Apps for Security
User and Entity
Behavior Analytics
Analytics Driven
SIEM
Security
Essentials Family
Ransomware
Anti-Fraud
etc.
DGA
App
AWS
Some App suggestions:
Security Orchestration,
Automation and Response

17. © 2018 SPLUNK INC.
Cloud
Security
Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access
The thought process
The intuition
The reflexes
Machine
Learning &
Adaptive
Response &
Analytics
Driven
Security &
Splunk Security Nerve Center
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-vision.html

18. © 2018 SPLUNK INC.
Threat
Splunk for the SOC - Overview
Business

19. © 2018 SPLUNK INC.
Threat
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
IR
KPI
Data
Source
Business
Context/Risk
Security
Context
Playbooks
IR: Incident Response
KPI: Key Performance Indicator or also KSI: Key Security Indicator

20. © 2018 SPLUNK INC.
Threat
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
Data
Source
Business
Context/Risk
IR
KPI
Security
Context
Data Monitor Detect Investigate Respond

21. © 2018 SPLUNK INC.
SOAR
Maestro
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
Playbook

22. © 2018 SPLUNK INC.

23. © 2018 SPLUNK INC.
Automation
Phantom enables you to work smarter by executing
normalized actions across your entire infrastructure in
seconds, versus hours or more if performed manually. Codify
your workflows into automated playbooks using our visual
editor (no coding required) or the integrated Python
development environment.

24. © 2018 SPLUNK INC.
Orchestration
200+
Phantom APPS &
GROWING
1900+
Actions & GROWING
Phantom’s flexible app model supports hundreds of apps and
thousands of APIs, enabling you to connect and coordinate
complex workflows across your team and tools. Powerful
abstraction allows you to focus on what you want to accomplish,
while the platform translates that into tool-specific actions.
many!
Community APPS &
Playbooks

25. © 2018 SPLUNK INC.
Collaboration
In-context collaboration allows you to stay focused on your
current mission. From integrated chat to shared case notes,
Phantom helps you increase situational awareness and
drive efficient communications across your team. Mission
Guidance and Mission Experts augment your team with
helpful suggestions.

26. © 2018 SPLUNK INC.
Event Management
Use Splunk Enterprise Security with Phantom to triage
events or other security objects in an automated, semi-
automated, or manual fashion. You can review event
details, enrich events with contextual information, and act
rapidly.

27. © 2018 SPLUNK INC.
Event Management
Use Splunk Enterprise Security with Phantom to triage
events or other security objects in an automated, semi-
automated, or manual fashion. You can review event
details, enrich events with contextual information, and act
rapidly.

28. © 2018 SPLUNK INC.
Event Management
Use Splunk Enterprise Security with Phantom to triage
events or other security objects in an automated, semi-
automated, or manual fashion. You can review event
details, enrich events with contextual information, and act
rapidly.

29. © 2018 SPLUNK INC.
Case Management
Confirmed events can be aggregated and escalated to
Cases within Phantom. Customize one of our Case
Templates or create your own that model your standard
operating procedures, allowing you to efficiently track and
monitor case status and progress.

30. © 2018 SPLUNK INC.
Reports & Metrics
Reporting and Metrics provide human oversight and auditing
capabilities. Dashboards consolidate all critical information
needed to understand the current state of your security
operations. Reports provide executive level and detailed
technical reporting for any event or case.

31. © 2018 SPLUNK INC.
SplunkSANDBOX QUERY RECIPIENTS
USER PROFILE
HUNT FILE
HUNT FILE
FILE REPUTATION
FILE ASSESSMENT
RUN PLAYBOOK
“REMEDIATE"
EMAIL ALERT
Automated
Malware
Investigation
“Automation with
Phantom enables us to
process malware email
alerts in about 40
seconds vs. 30 minutes
or more.”
Adam Fletcher
CISO, Blackstone
A Phantom Case Study

32. © 2018 SPLUNK INC.
”The Phantom security platform has been a
valuable addition at Suncoast. It’s helped
improve collaboration across the team,
integrate our security tools to automate
repetitive tasks, and better manage cases
according to our defined policies.”
John Raymond
Vice President, Information Security
“Uber’s security response team began
looking for a better way to triage and
respond to security alerts in real time.
We surveyed the market and decided
to work with Phantom.”
Hudson Thrift
Security Operations Lead
“Phantom helped us automate a process
that used up to 10 different security
products and took an analyst 90 minutes
or more to complete manually.”
David Neuman
Vice President & Chief Information
Security Officer
“Automation with Phantom enables us
to process malware email alerts in
about 40 seconds vs. 30 minutes or
more.”
Adam Fletcher
CISO
“Phantom’s open, extensible apps
have made it easy to integrate nearly
every technology in our stack, and
we’re automating a range of use cases
with playbooks from initial response to
threat hunting.”
Matthew Brunckhorst
Lead Security Consultant
“Phantom enables us to automate
routine tasks in the SOC. Simple
processes that could take 45 minutes,
or even longer, now run in seconds.”
Jessica Ferguson
Director of Information Security
Architecture

33. © 2018 SPLUNK INC.
Demo

34. © 2018 SPLUNK INC.© 2017 SPLUNK INC.
Thank You!