Use Splunk for Incident Response, Orchestration and Automation
Kai Seidenschnur | Staff Security Engineer
Presented at SplunkLive! Frankfurt 2018. Agenda:

- Incident Response Challenge
- Tools
- Scale
- Adaptive Response
- Customer Success
- Key Takeaways
Slide 1. Use Splunk for Incident Response, Orchestration and Automation
Kai Seidenschnur | Staff Security Engineer

Slide 2. Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.

Slide 3. Security Operations Need to Change
Problem areas:
• Incident Response: slow; alert noise
• Tools: many tools; disparate tools
• Skills: lack of skills; retention; training
• Scale: horizontal and vertical; orchestration; automation

Slide 4. Incident Response Challenge

Slide 5. Incident Response Takes Significant Time
Source: SANS 2017 Incident Response Survey

Slide 6. Where Does Your Time Go?
Survey question: "When working an incident, which phase generally takes the longest to complete in your organization?"
Source: Day in the Life of a Security Professional survey, © 2016 EMA, Inc.

Slide 7. Time-to-Contain + Time-to-Respond = 72%
Same survey question and source as slide 6: containment and response together account for 72% of the answers.

Slide 8. Time = Risk => The Need for Speed!

Slide 9. Tools

Slide 10. Tools and Technologies Galore
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017

Slide 11. Scale: Orchestration and Automation

Slide 12. Let us define these terms first.

Slide 13. Orchestration vs. Automation
Orchestration:
▶ Brings together or integrates different technologies and tools
▶ Security-specific or non-security-specific
▶ Provides the ability to coordinate informed decision-making, and to formalize and automate responsive actions

Slide 14. Automation & Orchestration Adoption Growing
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017

Slide 15. Adaptive Response Overview

Slide 16. Adaptive Response
Security domains shown: Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall.
Mission: Deeper integrations across the best security technologies to help combat advanced attacks together.
Approach: Gather/analyze, share, take action based on end-to-end context, across security domains.

Slide 17. Partner ecosystem by domain (figure): Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access.

Slide 18. Adaptive Response Technology

Slide 19. Adaptive Response Framework (within ES, Splunk Enterprise Security)
▶ Leverages the existing Splunk Common Action Model
• A CIM for alert actions
• Not a data model
▶ Existing actions
• Information: Give/Get (i.e., additional context)
• Permission: Grant/Revoke (e.g., user, host, etc.)
• Control: Change (e.g., firewall rules)
▶ Metadata
• Category: Information gathering, Information conveyance, Permissions control
• Task: Create, Update, Delete, Allow, Block
• Subject: what will be acted upon (network, endpoint, etc.)
• Vendor: who provides the action

Slide 20. How To Interact With AR
• Automatically With Notables
• Suggest Next Steps
• Run Ad-Hoc

Slide 21. Adaptive Response Actions (Examples): Automation, Automatically With Notables

Slide 22. Adaptive Response Actions (Examples): Automation
• Category: Information gathering, Information conveyance, Permissions control
• Task: Create, Update, Delete, Allow, Block
• Subject: what will be acted upon (network, endpoint, etc.)
• Vendor: who provides the action, e.g. Splunk, Ziften, Palo Alto Networks, etc.

Slide 23. Adaptive Response Actions (Examples): Automation, Run Ad-Hoc

Slide 24. Adaptive Response Actions Showcase App
▶ Catalog of the latest AR actions
▶ Categorized by use case and security domain
▶ Auto-updates from Splunkbase.com
▶ Showcase of key AR actions (AWS, PAN, etc.)

Slide 25. Adaptive Response Benefits

Slide 26. Adaptive Response Benefits
▶ Centrally automate retrieval, sharing and response actions, resulting in improved detection, investigation and remediation times
▶ Improve operational efficiency using workflow-based context with automated and human-assisted decisions; measure efficacy
▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners

Slide 27. Accelerate Detection, Investigation & Response
▶ Use the correlation search builder to configure and automate actions and attach their results to notable events
▶ In Incident Review, configure and execute ad-hoc responses and queries across the security ecosystem
▶ Use the actions dashboard to search and review the responses taken and their results
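The metadata on slide 19 (Category, Task, Subject, Vendor) and the two ways of firing an action on slides 20 and 27 (attached to a correlation search so it runs automatically on a notable, or run ad hoc by an analyst from Incident Review) are enough to show the guardrail a SOC normally wants before a "block" action runs with nobody watching. The Python below is an added example, not Splunk's code and not part of this deck. It models an action handler invoked the way a Splunk modular alert is (`--execute` with a JSON payload on stdin carrying `search_name`, `sid`, `configuration` and `result`), validates each action's metadata against the slide-19 vocabulary, lets information-gathering actions run automatically, and queues destructive Permissions-control/Block actions for an analyst when the target is on a critical-asset list unless an analyst triggered the action ad hoc. The action names, vendor names, critical-asset list, policy and sample payload are all constructed for the example; the framework itself does not prescribe this policy.

```python
"""Illustrative Adaptive-Response-style action handler (example code, not Splunk's).

Assumptions not taken from the slides: the script is called like a Splunk
modular alert (`script.py --execute`, JSON payload on stdin); the action
registry, vendor names, critical-asset list and the approval policy are
this example's own.  Metadata field names and values follow slide 19.
"""
import json
import sys

# Vocabulary from slide 19; anything outside it is rejected before it runs.
CAM_CATEGORIES = {"Information gathering", "Information conveyance", "Permissions control"}
CAM_TASKS = {"create", "update", "delete", "allow", "block"}
CAM_SUBJECTS = {"network", "endpoint", "user"}

# Hypothetical action registry: action name -> CAM-style metadata.
ACTIONS = {
    "get_file_disposition": {"category": "Information gathering", "task": "create",
                             "subject": "endpoint", "vendor": "ExampleAV"},
    "isolate_endpoint":     {"category": "Permissions control", "task": "block",
                             "subject": "endpoint", "vendor": "ExampleAV"},
    "block_ip_on_firewall": {"category": "Permissions control", "task": "block",
                             "subject": "network", "vendor": "ExampleFW"},
}

# Constructed list of assets where an automatic, wrong "block" costs more than
# the delay of an analyst looking first (domain controller, core service IP).
CRITICAL_ASSETS = {"dc01.corp.example", "10.0.0.5"}


def validate_cam(meta):
    """Raise ValueError if the metadata is outside the slide-19 vocabulary."""
    if meta["category"] not in CAM_CATEGORIES:
        raise ValueError(f"bad category {meta['category']!r}")
    if meta["task"] not in CAM_TASKS:
        raise ValueError(f"bad task {meta['task']!r}")
    if meta["subject"] not in CAM_SUBJECTS:
        raise ValueError(f"bad subject {meta['subject']!r}")
    return True


def decide(action_name, result, mode):
    """Return 'execute', 'queue_for_analyst' or 'reject' for one alert result.

    mode is 'auto' (action attached to a correlation search, slide 21) or
    'adhoc' (analyst triggered it from Incident Review, slide 23).
    """
    meta = ACTIONS.get(action_name)
    if meta is None:
        return "reject"
    validate_cam(meta)
    target = result.get("dest") or result.get("src") or ""
    destructive = meta["category"] == "Permissions control" and meta["task"] in {"block", "delete"}
    if not destructive:
        return "execute"            # context gathering only adds information
    if mode == "adhoc":
        return "execute"            # a human already made the call
    if target in CRITICAL_ASSETS:
        return "queue_for_analyst"  # auto-containment of a DC is a self-inflicted outage
    return "execute"


def handle_payload(payload, action_name, mode="auto"):
    """Process one modular-alert style payload; return an audit record for the actions dashboard."""
    result = payload.get("result", {})
    verdict = decide(action_name, result, mode)
    return {
        "action_name": action_name,
        "search_name": payload.get("search_name"),
        "sid": payload.get("sid"),
        "target": result.get("dest") or result.get("src"),
        "verdict": verdict,
        **ACTIONS.get(action_name, {}),
    }


# Constructed sample payload in the shape a modular alert receives on stdin.
SAMPLE_PAYLOAD = {
    "search_name": "Endpoint - Malware Detected - Rule",
    "sid": "scheduler__admin__ES__example_at_1530000000_42",
    "configuration": {"action_name": "isolate_endpoint"},
    "result": {"dest": "dc01.corp.example", "signature": "Trojan.Generic"},
}


def main(argv=sys.argv):
    if len(argv) > 1 and argv[1] == "--execute":
        payload = json.load(sys.stdin)
    else:
        payload = SAMPLE_PAYLOAD
    action = payload["configuration"]["action_name"]
    print(json.dumps(handle_payload(payload, action)))


if __name__ == "__main__":
    main()
```

Run without arguments it processes the embedded sample and prints a record showing the isolate action on the domain controller queued rather than executed; the same action fired ad hoc from Incident Review executes. The returned record is the kind of row the actions dashboard on slide 27 would be searched for afterwards.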
Slide 28. Partner ecosystem by domain (same figure as slide 17): Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access.

Slide 29. Customer Success: Adaptive Response

Slide 30. Automating Threat Detection With Splunk Adaptive Response (Aflac)
▶ Blocked over two million security threats
▶ Orchestrated threat intelligence across 20 security technologies sitting within its internal Threat Intelligence System
▶ Automated threat detection, response and 90% of its security metrics process in just two months
"Since implementing Splunk ES as the brain in our security nerve center, we have found Splunk to be the right solution to quickly and effectively create and implement security analytics across a wide array of data sources and security use cases." – Senior Vice President, Chief Global Security Officer, Aflac

Slide 31. Case Study: Symantec
Symantec ATP helps detect and remediate complex attacks across endpoint, email, network, and web from a single console.
Sample of Symantec AR actions*:
• Isolate Endpoint
• Rejoin Endpoint
• Query File for Disposition
"Splunk Adaptive Response has the power to help reduce workload on customer SOC teams by speeding up decision-making and associated actions through automation." – Peter Doggart, Vice President of Business Development, Symantec

Slide 32. Case Study: Brown-Forman
ForeScout CounterACT enables its customers to monitor real-time NAC events and respond to security threats at endpoints.
Sample of ForeScout AR actions*:
• Redirect endpoint to specific web browser
• Send email messages to users
• Kill peer-to-peer application
"Leveraging the ForeScout Extended Module for Splunk via Adaptive Response will enable us to minimize the time and resources needed to respond to emerging threats." – Clayton Colwell, Associate Security Engineer, Brown-Forman Corporation

Slide 33. Key Takeaways: Mitigate Incident Response Challenges With Orchestration and Automation
1. Adaptive Response helps accelerate incident detection, investigation and response
2. Use the Adaptive Response framework for multi-vendor security workflow orchestration and automation
3. Use it across IT and security domains to solve a range of security use cases

Slide 34. Platform for Operational Intelligence
Search and Investigate; Analytics-Driven Security.
Index untapped data: any source, type, volume, on-premises, private cloud, public cloud. Data sources shown: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention.
Platform capabilities shown: Splunk Enterprise Security, 600+ Security Apps, Splunk User Behavior Analytics, Monitoring, Correlations, Alerts, Dashboards and Reports, Analytics and Virtualization, Adaptive Response.
Context sources shown: Employee Info, Asset and CMDB, Threat Intelligence, Applications, Data Stores, External Lookups.

Slide 35. Q&A. Thank you
Join: our community, with apps, ask questions or join a SplunkLive! event: https://www.splunk.com/en_us/community.html
Try: Splunk Security Online Experience (no download): https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html
Explore: download the CIS Critical Security Controls App: https://splunkbase.splunk.com/app/3064/

Slide 36. Save the Date 2018
.conf18: Monday, October 1 – Thursday, October 4, Walt Disney World Swan and Dolphin Hotels, Orlando, Florida
Splunk University: Saturday, September 29 – Monday, October 1

Slide 37. Thank you. Don't forget to rate this session in the SplunkLive! mobile app: https://ponypoll.com/frankfurt