Copyright © 2015 Splunk Inc.

Splunk for Security – AKA Analytic based security

Dominique Dessy, CISSP
Niklas Blomquist, Security SME
2

Today’s Specials

•  Advanced Threats are hard to find
•  How to use Splunk for Security?
•  Add value to existing data
•  Detect new threats
•  Splunk Enterprise Security 4.0
•  User Behavior Analytics

15 October
3

Advanced Threats Are Hard to Find

Cyber Criminals
Nation States
Insider Threats

Source: Mandiant M-Trends Report

100%: Valid credentials were used
40: Average # of systems accessed
205: Median # of days before detection
67%: Of victims were notified by external entity
4

Traditional approaches are not good enough

•  Prevention of breaches will fail!
•  Invest more in detection
•  Gather all data in one place
•  Enrich data with context
•  Make it easy to search in the data
•  Make it easy to do advanced analytics
5

SPLUNK FOR SECURITY
“Connects People and Data with Context and Extended Intelligence”
6

Security Intelligence Platform

Monitoring, Correlations, Alerts
Ad Hoc Search & Investigate
Custom Dashboards And Reports
Analytics And Visualization
Developer Platform

All SOC Needs & Personnel

Real-time Machine Data: Cloud, Apps, Servers, Email, Web, Network Flows, DHCP/DNS, Custom Apps, Badges, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication, Storage, Industrial Control, Mobile

External Lookups / Enrichment: Threat Feeds, Asset Info, Employee Info, Data Stores, Applications
7

Enables Many Security Use Cases

SECURITY & COMPLIANCE REPORTING
REAL-TIME MONITORING OF KNOWN THREATS
DETECTING UNKNOWN THREATS
INCIDENT INVESTIGATIONS & FORENSICS
FRAUD DETECTION
INSIDER THREAT

Security Intelligence Platform
8

Is there a real danger?

Adding Value to existing Data
9

Adding context

BBQ vs house on fire
10

Context = Knowledge around the Data

•  Is this a known bad IP/domain/e-mail?
•  Should this user access the SQL server?
•  Should this server communicate with X?
•  Importance of assets and identities
•  Make data easier to understand
11

Data from Anti-Virus/Anti-Malware

•  No need to act if removed
•  But what if:
–  The hosts are re-infected?
–  Multiple hosts are infected in a short time?
–  The CEO/CFO/CISO computer is infected?
–  The hosts are the web shop/e-bank/important system?
–  Other sources alert within a short timeframe?
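As an added example (not code from the deck or from Splunk), here is the escalation logic behind the two slides above, slide 10's context questions and slide 11's "but what if" list, written in plain Python over constructed events rather than as an ES correlation search. The hosts, users, asset records, alert times and the ten-minute window are all constructed for illustration.

```python
# Added example (not from the Splunk deck): deciding which anti-malware alerts
# still need an analyst after the AV engine reports "removed", using the five
# "but what if" conditions and the asset/identity context from the slides.
# All events, asset records and thresholds below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset/identity context, standing in for an asset & identity lookup.
ASSETS = {
    "webshop01": {"owner": "webteam", "criticality": "critical", "role": "web shop"},
    "wks-ceo":   {"owner": "ceo",     "criticality": "critical", "role": "executive laptop"},
    "wks-0412":  {"owner": "jdoe",    "criticality": "low",      "role": "workstation"},
    "wks-0413":  {"owner": "asmith",  "criticality": "low",      "role": "workstation"},
    "wks-0500":  {"owner": "bwong",   "criticality": "low",      "role": "workstation"},
}
VIP_USERS = {"ceo", "cfo", "ciso"}

# Constructed anti-malware detections (all already "removed" or "quarantined").
AV_ALERTS = [
    {"time": "2015-10-15T09:00:00", "host": "wks-0412",  "signature": "Trojan.Gen",   "action": "removed"},
    {"time": "2015-10-15T09:05:00", "host": "wks-0413",  "signature": "Trojan.Gen",   "action": "removed"},
    {"time": "2015-10-15T09:07:00", "host": "wks-0412",  "signature": "Trojan.Gen",   "action": "removed"},
    {"time": "2015-10-15T11:00:00", "host": "wks-ceo",   "signature": "PUA.Toolbar",  "action": "removed"},
    {"time": "2015-10-15T12:00:00", "host": "webshop01", "signature": "Backdoor.Gen", "action": "quarantined"},
    {"time": "2015-10-15T14:00:00", "host": "wks-0500",  "signature": "Adware.Gen",   "action": "removed"},
]
# Constructed alert from a second source (IDS) on one of the same hosts.
OTHER_ALERTS = [
    {"time": "2015-10-15T12:03:00", "host": "webshop01", "source": "ids", "signature": "outbound beacon"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def escalate(av_alerts, other_alerts, assets, vip_users, window=timedelta(minutes=10)):
    """Return {host: [reasons]} for hosts whose AV alert still needs action.

    Hosts with a single removed detection and no context reasons are left out,
    which is the slide's "no need to act if removed" case.
    """
    reasons = defaultdict(set)
    by_host = defaultdict(list)
    for a in av_alerts:
        by_host[a["host"]].append(parse_time(a["time"]))

    # 1. Re-infection: the same host detected more than once.
    for host, times in by_host.items():
        if len(times) > 1:
            reasons[host].add("re-infected (%d detections)" % len(times))

    # 2. Several distinct hosts infected within `window` of each other.
    events = sorted((parse_time(a["time"]), a["host"]) for a in av_alerts)
    minutes = int(window.total_seconds() // 60)
    for t, host in events:
        nearby_hosts = {h for u, h in events if abs(u - t) <= window}
        if len(nearby_hosts) >= 2:
            reasons[host].add("multiple hosts infected within %d min" % minutes)

    # 3./4. Identity and asset context: VIP owner, critical system.
    for host in by_host:
        asset = assets.get(host, {})
        if asset.get("owner") in vip_users:
            reasons[host].add("owner is VIP (%s)" % asset["owner"])
        if asset.get("criticality") == "critical":
            reasons[host].add("critical asset (%s)" % asset["role"])

    # 5. Another source alerted on the same host within the window.
    for o in other_alerts:
        t = parse_time(o["time"])
        if any(abs(t - u) <= window for u in by_host.get(o["host"], [])):
            reasons[o["host"]].add("corroborated by %s: %s" % (o["source"], o["signature"]))

    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in escalate(AV_ALERTS, OTHER_ALERTS, ASSETS, VIP_USERS).items():
        print(host, "->", "; ".join(why))
```

With the constructed data, wks-0500 (one removed detection, low-value asset, nothing else) produces no entry at all, while wks-0412 is flagged both for re-infection and for being part of a burst with wks-0413, wks-ceo is flagged purely on identity and asset context, and webshop01 is flagged as a critical asset with a corroborating IDS alert three minutes after the AV event.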
12

13

Alerts on most critical events

14

Investigate the incident

15

Visual Investigations for All Users

Threat intelligence
Auth - User Roles, Corp Context
Host Activity/Security
Network Activity/Security
16

How to find new Threats?

[Kill-chain diagram: Delivery (MAIL, WEB) → Exploitation & Installation (WEB) → Command & Control (FW) → Accomplish Mission]

Delivery: phishing MAIL with .pdf; download from infected site (Web Portal, .pdf); events that contain link to file
Exploitation & Installation: Svchost.exe, Calc.exe; how was the process started? What created the program/process?
Command & Control: proxy log; C2 communication to blacklist; process making C2 traffic
Accomplish Mission: gain access to system; create additional environment; conduct business; transaction

Data layers: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Context: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.

Start Anywhere, Analyze Up-Down-Across-Backwards-Forward

Data sources:
•  Third-Party Threat Intel
•  Open source blacklist
•  Internal threat intelligence
•  Firewall
•  IDS / IPS
•  Vulnerability scanners
•  Web Proxy
•  NetFlow
•  Network
•  Endpoint (AV/IPS/FW)
•  Malware detection
•  PCLM
•  DHCP
•  OS logs
•  Patching
•  Active Directory
•  LDAP
•  CMDB
•  Operating System
•  Database
•  VPN, AAA, SSO
18

New Features in Enterprise Security 4.0

Optimize multi-step analyses to improve breach detection and response

Extensible Analytics & Collaboration
INVESTIGATION / COLLABORATION
•  Investigator Journal
•  Attack & Investigation Timeline
•  Open Solutions Framework
•  Framework App: PCI
19

Attack & Investigation Timeline

Same events can have different security meanings, based on sequence:

[Timeline diagram: the Analyst / Investigator tracks actions 1, 2, 3. Event 1 … 13:01:21; Event 2 … 13:42:17; Action 3: Note “Windows event”. What happened? If event 1, then event 2, then… Ah – ha, that’s how they got in. Now what infected the host?]

The slide shows three chains built from Login Failure, Brute Force and Proxy Event notables; the same event types in a different order are read as:
= Exfiltration
= Recon, Lateral Movement
= Forgotten Password
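As an added example (not from the deck or from Splunk ES), the following Python reads each user's notables in time order and assigns a meaning by the order in which they occur, which is the point the slide makes. The sample notables and the rule table are constructed; the particular orderings in SEQUENCE_RULES are an assumption made for this example, not a transcription of the slide's chains.

```python
# Added example (not from the Splunk deck): reading an ordered sequence of
# notable events per user, to show that the same notables in a different order
# carry a different meaning. The sample notables and the rule table are
# constructed; the specific orderings in the table are an assumption for this
# example, not a transcription of the slide.
from collections import defaultdict
from datetime import datetime

# Ordered pattern -> meaning. Patterns are tried longest first so that a full
# chain is not mistaken for one of its shorter sub-patterns.
SEQUENCE_RULES = [
    (("login_failure", "brute_force", "proxy_event"), "Exfiltration"),
    (("brute_force", "login_failure"), "Recon, Lateral Movement"),
    (("login_failure", "brute_force"), "Forgotten Password"),
]

# Constructed notables: (user, time, notable type).
NOTABLES = [
    ("alice", "13:01:21", "login_failure"),
    ("alice", "13:42:17", "brute_force"),
    ("alice", "13:50:02", "proxy_event"),
    ("bob",   "08:10:00", "brute_force"),
    ("bob",   "08:15:30", "login_failure"),
    ("carol", "09:00:00", "login_failure"),
    ("carol", "09:02:10", "brute_force"),
    ("dave",  "10:00:00", "login_failure"),
]


def is_subsequence(pattern, types):
    """True if every element of `pattern` occurs in `types` in that order (gaps allowed)."""
    remaining = iter(types)
    return all(any(p == t for t in remaining) for p in pattern)


def classify(notables, rules=SEQUENCE_RULES):
    """Return {user: (meaning, timeline)}; timeline lists the user's notables in time order."""
    per_user = defaultdict(list)
    for user, ts, kind in notables:
        per_user[user].append((datetime.strptime(ts, "%H:%M:%S"), kind))
    verdicts = {}
    for user, events in per_user.items():
        events.sort()
        types = [kind for _, kind in events]
        meaning = "no known pattern"
        for pattern, label in sorted(rules, key=lambda r: -len(r[0])):
            if is_subsequence(pattern, types):
                meaning = label
                break
        timeline = ["Event %d … %s %s" % (i, t.strftime("%H:%M:%S"), kind)
                    for i, (t, kind) in enumerate(events, 1)]
        verdicts[user] = (meaning, timeline)
    return verdicts


if __name__ == "__main__":
    for user, (meaning, timeline) in classify(NOTABLES).items():
        print(user, "->", meaning)
        for line in timeline:
            print("   ", line)
```

bob and carol have exactly the same two notable types; only the order differs, and so does the verdict. alice's chain also contains carol's two-event pattern, which is why the longer pattern is tested first.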
20

Attack & Investigation Timeline

Methods to add contents into timeline:

Action History – Actions: Search Run; Dashboard Viewed; Panel Filtered; Notable Status Change; Notable Event Suppressed
Investigator Memo – Notes: Investigator’s notes inserted in timeline
Incident Review – Incident: Notable events from Incident Review

[Diagram: Analyst / Investigator tracks actions 1, 2, 3]
21

Attack & Investigation Timeline

Allows collaboration between multiple analysts

[Diagram: a Tier 1 analyst and Tier 2 analysts each add entries (UI Action History: Search; UI Action History: Viewed Dashboard; Edit Entry: Analyst’s Memo; Collaborator entry) and collaborate on One Holistic view from Collective Knowledge]

PLAY DEMO
22

23

Open Solutions Framework

Supports critical security related management framework features

Enterprise Security Framework:
•  Notable Events Framework
•  Threat Intelligence Framework
•  Risk Scoring Framework
•  Identity & Asset Framework
•  Summarization Framework
•  Alerting & Scheduling
•  Visualization Framework
•  Application Framework

Customer Apps, Partner Apps, Splunk Apps (APPs / Contents) and External Instance:
•  Export
•  Import
•  Share
Collaborate
24

Extensible Analytics & Collaboration

Open Solutions Framework
•  Create, access and extend ES functionality
–  Notable event framework
–  Risk framework
–  Threat intelligence framework
–  Identity & asset framework
•  Apps and content can be imported and exported at any time

Collaborate
PLAY DEMO

25
Copyright © 2015 Splunk Inc.

Splunk User Behavior Analytics (UBA)
Powered by Caspida

DATA-SCIENCE DRIVEN BEHAVIORAL ANALYTICS
BIG DATA DRIVEN SECURITY ANALYTICS
MACHINE LEARNING

A NEW PARADIGM
MAPPING RATs TO ACTIONABLE KILL-CHAIN

[Diagram with vertical labels ANOMALIES and THREAT]

29

CYBER ATTACK
30

USER ACTIVITIES / RISK/THREAT DETECTION AREAS

Nov 15
  User activity: Mark and Fred access a malicious website. A backdoor gets installed on their computers.
  Detection areas: Malicious Domain (AGD); Unusual Browser Header

Nov 16
  User activity: Mark and Fred's machines are communicating with www.byeigs.ddns.info.
  Detection areas: Beacons for Mark and Fred to www.byeigs.ddns.com

Nov 16
  User activity: The attacker uses Mark and Fred's backdoors to download and execute WCE to crack their password.
  Detection areas: Unusual Browser Header for Mark and Fred

Dec 10
  User activity: The attacker logs on to Domain Controller via VPN with Mark’s stolen credentials from 1.0.63.14.
  Detection areas: Unusual Machine Access for Mark (lateral movement; individual + peer group)

Dec 10
  User activity: The attacker logs in as Fred and accesses all excel and negotiations docs on the BizDev shares.
  Detection areas: Unusual Machine Access for Fred; Unusual File Access for Fred (individual + peer group)

Dec 10
  User activity: The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Fred.
  Detection areas: Unusual Activity Sequence of Admin for Fred (AD/DC Privilege Escalation)

Jan 14
  User activity: The attacker VPNs as Mark, copies the docs to an external staging IP and then logs out after 3 hours.
  Detection areas: Excessive Data Transmission for Mark; Unusual VPN session duration
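As an added example (not from the deck and not Splunk UBA's algorithm), this Python shows the shape of one detection area from the table above, unusual machine access judged against both an individual baseline and a peer-group baseline. Users, peer groups, hosts and access records are constructed for illustration; the three-level score is an assumption of the example.

```python
# Added example (not from the Splunk deck, and not Splunk UBA's own algorithm):
# scoring a machine access against an individual baseline and a peer-group
# baseline, in the spirit of the "Unusual Machine Access (individual + peer
# group)" detection area on the slide. Users, hosts, peer groups and access
# records are constructed for illustration.
from collections import defaultdict

# Constructed identity context: which peer group each user belongs to.
PEER_GROUPS = {"mark": "sales", "fred": "sales", "jane": "sales", "admin1": "it"}

# Constructed (user, host) accesses observed during a learning period.
BASELINE_ACCESSES = [
    ("mark", "crm01"), ("mark", "fileshare-sales"), ("mark", "mail01"),
    ("fred", "crm01"), ("fred", "fileshare-sales"),
    ("jane", "crm01"), ("jane", "fileshare-bizdev"),
    ("admin1", "dc01"), ("admin1", "fileshare-sales"),
]

# Constructed new accesses to score.
NEW_ACCESSES = [
    ("mark", "crm01"),             # in mark's own baseline
    ("mark", "fileshare-bizdev"),  # new for mark, but a sales peer (jane) uses it
    ("mark", "dc01"),              # new for mark and for the whole sales peer group
]


def build_baselines(accesses, peer_groups):
    """Return (hosts per user, hosts per peer group) from the learning period."""
    user_hosts = defaultdict(set)
    group_hosts = defaultdict(set)
    for user, host in accesses:
        user_hosts[user].add(host)
        group_hosts[peer_groups[user]].add(host)
    return user_hosts, group_hosts


def score_access(user, host, user_hosts, group_hosts, peer_groups):
    """0: host is in the user's own baseline.
    1: new for the user, but other members of the peer group use it.
    2: new for the user and unseen in the whole peer group."""
    if host in user_hosts[user]:
        return 0
    if host in group_hosts[peer_groups[user]]:
        return 1
    return 2


def unusual_machine_access(new_accesses, baseline, peer_groups, threshold=2):
    """Return [(user, host, score)] for accesses scoring at or above threshold."""
    user_hosts, group_hosts = build_baselines(baseline, peer_groups)
    flagged = []
    for user, host in new_accesses:
        score = score_access(user, host, user_hosts, group_hosts, peer_groups)
        if score >= threshold:
            flagged.append((user, host, score))
    return flagged


if __name__ == "__main__":
    for user, host, score in unusual_machine_access(NEW_ACCESSES, BASELINE_ACCESSES, PEER_GROUPS, threshold=1):
        print("%s -> %s scored %d" % (user, host, score))
```

The peer group is what keeps a first-time access to a host the user's colleagues already use from being treated the same as a first-time access to a domain controller nobody in the group touches; with the default threshold only the latter is flagged.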
31

Splunk User Behavior Analytics (formerly Caspida)

Advanced Security Analytics

[Architecture diagram]
Data sources: AD, SSO; App, DB logs; Firewall, IPS, DLP; Netflow, PCAP; Threat Feeds
UBA: Data Science & Decision Engine; Automated Threat Detection
UBA threat results fed into Splunk ES
SPLUNK: Security Analytics & Event Repository
32

33

UBA vs ES 4.0

Enterprise Security:
•  Keep all data
•  Will require tuning
•  Easy to create new searches, dashboards, correlations etc
•  Will require analytic resources to map events to threats
•  Possible to further investigate

UBA:
•  Only keep data around anomaly
•  Automatically baseline
•  Not possible to customize in the same way as Enterprise Security
•  Will map anomalies to threats
•  Limited possibility to do further investigation
34

Key takeaways

•  Prevention of breaches will fail!
•  Invest more in detection
•  Splunk can help
–  Faster
–  Easier
–  More
–  Less labor

Thank You
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

SplunkLive! Amsterdam 2015 - Analytics based security breakout

  • 1. Copyright © 2015 Splunk Inc. Splunk for Security – AKA Analytic based security. Dominique Dessy, CISSP. Niklas Blomquist, Security SME
  • 2. Today’s Specials • Advanced Threats are hard to find • How to use Splunk for Security? • Add value to existing data • Detect new threats • Splunk Enterprise Security 4.0 • User Behavior Analytics. 15 October
  • 3. Advanced Threats Are Hard to Find: Cyber Criminals, Nation States, Insider Threats. Source: Mandiant M-Trends Report. 100%: valid credentials were used; 40: average number of systems accessed; 205: median number of days before detection; 67%: of victims were notified by an external entity
  • 4. Traditional approaches are not good enough • Prevention of breaches will fail! • Invest more in detection • Gather all data in one place • Enrich data with context • Make it easy to search in the data • Make it easy to do advanced analytics
  • 5. SPLUNK FOR SECURITY “Connects People and Data with Context and Extended Intelligence”
  • 6. Security Intelligence Platform. All SOC needs & personnel: Monitoring, Correlations, Alerts; Ad Hoc Search & Investigate; Custom Dashboards and Reports; Analytics and Visualization; Developer Platform. Real-time machine data: Cloud Apps, Servers, Email, Web, Network Flows, DHCP/DNS, Custom Apps, Badges, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication, Storage, Industrial Control, Mobile. External lookups / enrichment: Threat Feeds, Asset Info, Employee Info, Data Stores, Applications
  • 7. Enables Many Security Use Cases: Security & Compliance Reporting; Real-time Monitoring of Known Threats; Detecting Unknown Threats; Incident Investigations & Forensics; Fraud Detection; Insider Threat. Security Intelligence Platform
  • 8. Is there a real danger? Adding Value to existing Data
  • 9. Adding context: BBQ vs house on fire
  • 10. Context = Knowledge around the Data • Is this a bad known ip/domain/e-mail? • Should user access the SQL server? • Should server communicate X? • Importance of assets and identities • Make data easier to understand
  • 11. Data from Anti-Virus/Anti-Malware • No need to act if removed • But what if: – The hosts are re-infected? – Multiple hosts are infected in short time – The CEO/CFO/CISO computer is infected? – Hosts are the web shop/e-bank/important system – Other sources alert within short timeframe
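Slide 11 lists the four pieces of context that turn a routine "malware removed" alert into something worth acting on. The Python below is an added example, not code from the deck or from Splunk; it applies those four checks to a constructed batch of alerts. The events, host names, asset list and the time-window thresholds are all assumptions made up for the example, and the priority rule (no context: info, one reason: medium, two or more: high) is likewise the example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not taken from the slide deck): anti-malware
# alerts plus alerts from one other source, one per line as
# "timestamp,source,host,detail".
SAMPLE_EVENTS = """\
2015-10-15T09:00:00,av,ws-0101,Trojan.Generic removed
2015-10-15T09:05:00,av,ws-0102,Trojan.Generic removed
2015-10-15T09:20:00,av,ws-0103,Trojan.Generic removed
2015-10-15T09:30:00,ids,ws-0103,outbound connection to blacklisted domain
2015-10-16T11:00:00,av,ws-0101,Trojan.Generic removed
2015-10-16T14:00:00,av,cfo-laptop,Adware.Bundle removed
"""

# Constructed asset context (hypothetical hosts): who owns the box, or what it serves.
CRITICAL_ASSETS = {"cfo-laptop": "CFO workstation", "ebank-web01": "e-bank front end"}

# Thresholds are assumptions for this example, not values from the slides.
REINFECTION_WINDOW = timedelta(days=7)        # same host hit again within a week
CLUSTER_WINDOW = timedelta(hours=1)           # "multiple hosts infected in short time"
CLUSTER_MIN_HOSTS = 3
CORROBORATION_WINDOW = timedelta(minutes=30)  # "other sources alert within short timeframe"


@dataclass
class Event:
    ts: datetime
    source: str
    host: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the CSV-style lines above into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, host, detail = line.split(",", 3)
        events.append(Event(datetime.fromisoformat(ts), source, host, detail))
    return sorted(events, key=lambda e: e.ts)


def enrich_av_alerts(events: list[Event], critical_assets: dict[str, str]) -> list[dict]:
    """Attach context to every AV alert and derive a priority from it.

    With no context an alert on removed malware is informational (the slide's
    "no need to act if removed"); each of the slide's four conditions raises
    it: one reason gives medium, two or more give high.
    """
    av = [e for e in events if e.source == "av"]
    others = [e for e in events if e.source != "av"]
    results = []
    for i, e in enumerate(av):
        reasons = []
        # 1. Re-infection: the same host already raised an AV alert recently.
        if any(p.host == e.host and e.ts - p.ts <= REINFECTION_WINDOW for p in av[:i]):
            reasons.append("reinfected")
        # 2. Outbreak: several distinct hosts alert within a short window of this one.
        hosts = {x.host for x in av if abs(x.ts - e.ts) <= CLUSTER_WINDOW}
        if len(hosts) >= CLUSTER_MIN_HOSTS:
            reasons.append(f"cluster:{len(hosts)} hosts")
        # 3. Asset importance: executive machine, web shop, e-bank, and so on.
        if e.host in critical_assets:
            reasons.append(f"critical asset:{critical_assets[e.host]}")
        # 4. Corroboration: another data source fired on the same host close in time.
        corroborating = sorted({o.source for o in others
                                if o.host == e.host and abs(o.ts - e.ts) <= CORROBORATION_WINDOW})
        if corroborating:
            reasons.append("corroborated:" + ",".join(corroborating))
        priority = "info" if not reasons else ("medium" if len(reasons) == 1 else "high")
        results.append({"ts": e.ts.isoformat(), "host": e.host,
                        "priority": priority, "reasons": reasons})
    return results


def triage(text: str = SAMPLE_EVENTS,
           critical_assets: dict[str, str] = CRITICAL_ASSETS) -> list[dict]:
    """Convenience wrapper: parse, enrich, and return the prioritised AV alerts."""
    return enrich_av_alerts(parse_events(text), critical_assets)


if __name__ == "__main__":
    for r in triage():
        detail = "; ".join(r["reasons"]) or "malware removed, no action"
        print(f"{r['ts']} {r['host']:<12} {r['priority']:<6} {detail}")
```

On the sample data the three morning alerts form a cluster, ws-0103 is additionally corroborated by the IDS and comes out high, the next-day alert on ws-0101 is flagged as a re-infection, and the CFO laptop is raised purely on asset importance; a lone alert on an unknown host stays at info. In a real deployment the asset list would come from the CMDB or identity store the deck refers to, and the windows would be tuned to the environment.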
  • 12. (no slide text)
  • 13. Alerts on most critical events
  • 14. Investigate the incident
  • 15. Visual Investigations for All Users
  • 16. How to find new Threats? (diagram) Lanes: Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security. Labels: WEB, MAIL, Web Portal .pdf, Events that contain link to file, Proxy log, C2 communication to blacklist, Svchost.exe, Calc.exe, How was process started?, What created the program/process?, Process making C2 traffic, Gain access to system, Create additional environment, Conduct business, Transaction
  • 17. Start Anywhere, Analyze Up-Down-Across-Backwards-Forward. Kill chain stages (steps 1 to 8): Delivery (phishing; download from infected site; MAIL, WEB), Exploitation & Installation, Command & Control (WEB, FW), Accomplish Mission. Lanes and data sources: Threat intelligence: Third-Party Threat Intel, Open source blacklist, Internal threat intelligence. Network Activity/Security: Firewall, IDS / IPS, Vulnerability scanners, Web Proxy, NetFlow, Network. Host Activity/Security: Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching. Auth - User Roles, Corp Context: Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO; Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
  • 18. New Features in Enterprise Security 4.0: Optimize multi-step analyses to improve breach detection and response. Extensible Analytics & Collaboration. Investigation / Collaboration: • Investigator Journal • Attack & Investigation Timeline • Open Solutions Framework • Framework App: PCI
  • 19. Attack & Investigation Timeline. Same events can have different security meanings, based on sequence. Track Actions (1, 2, 3), Analyst / Investigator: Event 1 … 13:01:21; Event 2 … 13:42:17; Action 3; Note “Windows event”. What happened? If event 1, then event 2, then… Ah-ha, that’s how they got in. Now what infected the host? Brute Force = Exfiltration (Login Failure, Proxy Event); Brute Force = Recon, Lateral Movement (Login Failure, Login Failure); Brute Force = Forgotten Password
  • 20. Attack & Investigation Timeline. Methods to add contents into timeline: Action History (actions): • Search Run • Dashboard Viewed • Panel Filtered • Notable Status Change • Notable Event Suppressed. Investigator Memo (notes): investigator’s notes inserted in timeline. Incident Review (incident): notable events from Incident Review. Track Actions (1, 2, 3), Analyst / Investigator
  • 21. Attack & Investigation Timeline. Allows collaboration between multiple analysts: UI Action History: Search; UI Action History: Viewed Dashboard; Edit Entry: Analyst’s Memo; Collaborator entry. Tier 1, Tier 2 Analyst, Tier 2 Analyst collaborate. One holistic view from collective knowledge
  • 23. Open Solutions Framework. Supports critical security related management framework features. Enterprise Security Framework: • Notable Events Framework • Threat Intelligence Framework • Risk Scoring Framework • Identity & Asset Framework • Summarization Framework • Alerting & Scheduling • Visualization Framework • Application Framework. Customer Apps, Partner Apps, Splunk Apps (APPs / Contents): • Export • Import • Share; Collaborate; External Instance
  • 24. Extensible Analytics & Collaboration. Open Solutions Framework • Create, access and extend ES functionality – Notable event framework – Risk framework – Threat intelligence framework – Identity & asset framework • Apps and content can be imported and exported at any time. Collaborate
  • 26. Copyright © 2015 Splunk Inc. Splunk User Behavior Analytics (UBA), Powered by Caspida
  • 27. A New Paradigm: Data-Science Driven Behavioral Analytics; Big Data Driven Security Analytics; Machine Learning
  • 28. MAPPING RATs TO ACTIONABLE KILL-CHAIN (graphic labels: ANOMALIES, THREAT)
  • 29. CYBER ATTACK. Columns: User activities / Risk/threat detection areas.
    Nov 15: Mark and Fred access a malicious website. A backdoor gets installed on their computers. Detection: Malicious Domain (AGD); Unusual Browser Header.
    Nov 16: The attacker uses Mark and Fred's backdoors to download and execute WCE to crack their password. Detection: Unusual Browser Header for Mark and Fred.
    Nov 16: Mark and Fred's machines are communicating with www.byeigs.ddns.info. Detection: Beacons for Mark and Fred to www.byeigs.ddns.com.
    Dec 10: The attacker logs on to Domain Controller via VPN with Mark’s stolen credentials from 1.0.63.14. Detection: Unusual Machine Access for Mark (lateral movement; individual + peer group).
    Dec 10: The attacker logs in as Fred and accesses all excel and negotiations docs on the BizDev shares. Detection: Unusual Machine Access for Fred; Unusual File Access for Fred (individual + peer group).
    Dec 10: The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Fred. Detection: Unusual Activity Sequence of Admin for Fred (AD/DC Privilege Escalation).
    Jan 14: The attacker VPNs as Mark, copies the docs to an external staging IP and then logs out after 3 hours. Detection: Excessive Data Transmission for Mark; Unusual VPN session duration.
  • 30. Splunk User Behavior Analytics (formerly Caspida): Advanced Security Analytics. UBA: Data Science & Decision Engine, Automated Threat Detection. Inputs: AD, SSO; App, DB logs; Firewall, IPS, DLP; Netflow, PCAP; Threat Feeds. UBA threat results fed into Splunk ES. Splunk: Security Analytics & Event Repository
  • 31. (no slide text)
  • 32. (no slide text)
  • 33. UBA vs ES 4.0
    Enterprise Security: • Keep all data • Will require tuning • Easy to create new searches, dashboards, correlations etc • Will require analytic resources to map events to threats • Possible to further investigate
    UBA: • Only keep data around anomaly • Automatically baseline • Not possible to customize in the same way as Enterprise Security • Will map anomalies to threats • Limited possibility to do further investigation
  • 34. Key takeaways • Prevention of breaches will fail! • Invest more in detection • Splunk can help – Faster – Easier – More – Less labor