SplunkLive! Munich 2018: Use Splunk for Incident Response, Orchestration and Automation
1. © 2017 SPLUNK INC.
Use Splunk for Incident Response,
Orchestration and Automation
14:45
Udo Götzen | Staff Sales Engineer, CISSP
20.03.2018 | München
2.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements
3.
Incident Response
  Slow
  Alert Noise
Tools Problem
  Many tools
  Disparate tools
Skills
  Lack of skills
  Retention
  Training
Scale
  Horizontal and Vertical
Orchestration
Automation
Security Operations Need to Change
5.
Incident Response Takes Significant Time
Source: SANS 2017 Incident Response Survey
6.
Where Does Your Time Go?
When working an incident which phase generally takes the longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.
7.
Time-to-Contain + Time-to-Respond = 72%
When working an incident which phase generally takes the longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.
10.
Tools and Technologies Galore
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
13.
Orchestration
▶ Brings together or integrates different technologies and tools
▶ Security-specific or non-security-specific
▶ Provides the ability to coordinate informed decision making, formalize and automate responsive actions
Automation
▶ Focus is on how to make machines do task-oriented "human work"
▶ Allows multiple tasks or "playbooks" to potentially execute numerous tasks
▶ Automation is a subset of orchestration
Orchestration vs Automation
15.
Adaptive Response
Orchestration across: Identity and Access, Internal Network Security, Endpoints, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall
Mission: Deeper integrations across the best security technologies to help combat advanced attacks together.
Approach: Gather / analyze, share, take action based on end-to-end context, across security domains.
16.
Orchestration across: Cloud Security, Endpoints, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
18.
Leverages Existing Splunk Common Action Model
• A CIM for alert actions
• Not a data model
Existing Actions
• Information: Give/Get (i.e. additional context)
• Permission: Grant/Revoke (e.g. user, host, etc)
• Control: Change (e.g. firewall rules)
Metadata
• Category – Information gathering, Information conveyance, Permissions control
• Task – Create, Update, Delete, Allow, Block
• Subject – what will be acted upon (network, endpoint, etc)
• Vendor – providing the action.
Adaptive Response Framework (Within ES)
19.
How To Interact With AR
Suggest Next Steps | Automatically With Notables | Run Ad-Hoc
20.
Adaptive Response Actions (Examples)
AUTOMATION
Automatically With Notables
21.
Adaptive Response Actions (Examples)
AUTOMATION
Category – Information gathering, Information conveyance, Permissions control
Task – Create, Update, Delete, Allow, Block
Subject – what will be acted upon (network, endpoint, etc)
Vendor – providing the action. Ex: Splunk, Ziften, Palo Alto Networks, etc
22.
Adaptive Response Actions (Examples)
AUTOMATION
Run Ad-Hoc
25.
Adaptive Response Benefits
• Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times
• Improve operational efficiency using workflow-based context with automated and human-assisted decisions. Measure efficacy
• Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
26.
Accelerate Detection, Investigation & Response
– Use the correlation search builder to configure and automate response actions and attach the results to notable events
– In incident review, configure and execute ad-hoc responses and queries across the security ecosystem
– Use the actions dashboard to search and review responses taken and their results
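The three-step flow on this slide (correlation search attaches actions to a notable, incident review runs ad-hoc actions, the actions dashboard reviews results) and the Common Action Model metadata of slide 18 (category, task, subject, vendor), as an added toy model in Python. This is illustrative code written for this page, not Splunk Enterprise Security's actual API or configuration: the action catalog, the connector functions, the vendor names, the notable-event fields and the `auto_block` flag are all constructed placeholders. The policy it shows is the one slide 25 describes: information actions run unattended, permissions-control (blocking) actions wait for a human decision unless the search was explicitly configured to block automatically, and every action lands in a searchable log.

```python
"""Toy model of the Adaptive Response flow: actions described by Common Action
Model-style metadata, dispatched from a notable event or ad-hoc by an analyst,
with every execution logged for review. Illustration only, not the ES API."""
import json
from dataclasses import dataclass, field

# Constructed catalog. Field names follow the metadata named on slide 18
# (category, task, subject, vendor); the vendor names are placeholders.
ACTION_CATALOG = json.loads("""[
 {"name": "threatintel_lookup", "vendor": "ExampleTI", "category": "Information gathering",
  "task": "update", "subject": "threatintel", "supports_adhoc": true},
 {"name": "soc_ticket", "vendor": "ExampleITSM", "category": "Information conveyance",
  "task": "create", "subject": "ticket", "supports_adhoc": true},
 {"name": "endpoint_isolate", "vendor": "ExampleEDR", "category": "Permissions control",
  "task": "block", "subject": "endpoint", "supports_adhoc": true},
 {"name": "firewall_block_ip", "vendor": "ExampleFW", "category": "Permissions control",
  "task": "block", "subject": "network", "supports_adhoc": false}
]""")

# Hypothetical connectors standing in for vendor integrations: each receives the
# notable's fields and returns what the vendor tool reported back.
CONNECTORS = {
    "threatintel_lookup": lambda n: {"indicator": n["dest_ip"], "verdict": "malicious"},
    "soc_ticket":         lambda n: {"ticket": "TICKET-" + n["event_id"]},
    "endpoint_isolate":   lambda n: {"isolated": n["dest"]},
    "firewall_block_ip":  lambda n: {"blocked": n["dest_ip"]},
}

# Which notable field an action's subject needs (constructed mapping).
SUBJECT_FIELD = {"endpoint": "dest", "network": "dest_ip",
                 "threatintel": "dest_ip", "ticket": "event_id"}


@dataclass
class ActionRecord:
    """One row of what the actions dashboard would search."""
    event_id: str
    action: str
    vendor: str
    category: str
    mode: str      # "automatic" (from a correlation search) or "adhoc"
    status: str    # "success", "pending_approval" or "rejected"
    result: dict = field(default_factory=dict)


class AdaptiveResponseDispatcher:
    def __init__(self, catalog, connectors):
        self.actions = {a["name"]: a for a in catalog}
        self.connectors = connectors
        self.log = []

    def _execute(self, notable, action, mode):
        result = self.connectors[action["name"]](notable)
        return ActionRecord(notable["event_id"], action["name"], action["vendor"],
                            action["category"], mode, "success", result)

    def suggest_next_steps(self, notable):
        """Suggest actions whose subject field is present on the notable event."""
        return [name for name, a in self.actions.items()
                if SUBJECT_FIELD[a["subject"]] in notable]

    def run_automatic(self, notable, attached):
        """Correlation search fired: information actions run unattended, but a
        permissions-control action is held for an analyst unless the search
        was explicitly configured to block automatically (auto_block)."""
        records = []
        for name in attached:
            a = self.actions[name]
            if a["category"] == "Permissions control" and not notable.get("auto_block"):
                rec = ActionRecord(notable["event_id"], name, a["vendor"],
                                   a["category"], "automatic", "pending_approval")
            else:
                rec = self._execute(notable, a, "automatic")
            self.log.append(rec)
            records.append(rec)
        return records

    def approve(self, notable, name):
        """Analyst approves a held action from incident review; the pending row is updated."""
        for rec in self.log:
            if (rec.event_id == notable["event_id"] and rec.action == name
                    and rec.status == "pending_approval"):
                done = self._execute(notable, self.actions[name], "automatic")
                rec.status, rec.result = done.status, done.result
                return rec
        raise LookupError(f"no pending action {name} for {notable['event_id']}")

    def run_adhoc(self, notable, name):
        """Analyst runs an action by hand; only actions that advertise ad-hoc support."""
        a = self.actions[name]
        if not a["supports_adhoc"]:
            rec = ActionRecord(notable["event_id"], name, a["vendor"], a["category"],
                               "adhoc", "rejected", {"reason": "no ad-hoc support"})
        else:
            rec = self._execute(notable, a, "adhoc")
        self.log.append(rec)
        return rec

    def dashboard(self, **filters):
        """Filter the action log the way the actions dashboard would (e.g. by category)."""
        return [r for r in self.log
                if all(getattr(r, k) == v for k, v in filters.items())]


# Constructed notable event from a hypothetical correlation search.
NOTABLE = {"event_id": "N-1001", "rule": "Outbound beacon to known C2",
           "dest": "ws-042", "dest_ip": "198.51.100.7"}


def demo():
    d = AdaptiveResponseDispatcher(ACTION_CATALOG, CONNECTORS)
    d.run_automatic(NOTABLE, ["threatintel_lookup", "soc_ticket", "endpoint_isolate"])
    d.approve(NOTABLE, "endpoint_isolate")      # human-assisted decision
    d.run_adhoc(NOTABLE, "firewall_block_ip")   # rejected: no ad-hoc support
    return d


if __name__ == "__main__":
    for rec in demo().dashboard():
        print(rec)
```

The split between "automatic" and "adhoc" modes is what makes the log useful afterwards: filtering on `mode`, `category` or `vendor` is exactly the review the actions dashboard bullet describes, and the `pending_approval` state is where the human-assisted decision of slide 25 sits.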
29.
▶ Blocked over two million security threats
▶ Orchestrated threat intelligence across 20 security technologies sitting within its internal Threat Intelligence System
▶ Automated threat detection, response and 90% of its security metrics process in just two months
Automating Threat Detection With Splunk Adaptive Response
"Since implementing Splunk ES as the brain in our security nerve center, we have found Splunk to be the right solution to quickly and effectively create and implement security analytics across a wide array of data sources and security use cases."
– Senior Vice President, Chief Global Security Officer, Aflac
30.
Case Study: Symantec
Sample of Symantec AR Actions*:
• Isolate Endpoint
• Rejoin Endpoint
• Query File for Disposition
Symantec ATP helps detect and remediate complex attacks across endpoint, email, network, and web from a single console
"Splunk Adaptive Response has the power to help reduce workload on customer SOC teams by speeding up decision making and associated actions through automation."
- Peter Doggart, Vice President of Business Development, Symantec
31.
1. Adaptive Response helps accelerate Incident Detection, Investigation and Response
2. Use Adaptive Response framework for multi-vendor security workflow orchestration and automation
3. Use with IT and Security domains to solve a range of security use cases
Mitigate Incident Response Challenges with Orchestration and Automation
Key Takeaways
32.
Search and Investigate
Analytics-Driven Security
Index Untapped Data: Any Source, Type, Volume
On-Premises | Private Cloud | Public Cloud
Data sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Splunk Enterprise Security | 600+ Security Apps | Splunk User Behavior Analytics
Monitoring, Correlations, Alerts | Dashboards and Reports | Analytics and Visualization | Adaptive Response
External Lookups: Employee Info, Asset and CMDB, Threat Intelligence, Applications, Data Stores
Platform for Operational Intelligence
33.
Machine Learning Roundtable
Splunk Live Munich
20 March 2018
▶ Room Schwabing 1-3 (IT Ops Track Room) 15:00 – 16:00
▶ Join our Machine Learning experts from Splunk to learn more about the roadmap and discuss your questions
• Andrew Stein, Global Analytics Architect, Data Scientist
• Iman Makaremi, Data Scientist
• Philipp Drieger, EMEA ML SME
34. Save the Date 2018
ORLANDO FLORIDA
Walt Disney World Swan and Dolphin Hotels
.conf18: Monday, October 1 – Thursday, October 4
Splunk University: Saturday, September 29 – Monday, October 1
35.
Take the Survey on Pony Poll
https://ponypoll.com/8vue6qh
Complete the survey for
your chance to win a
.conf18 pass
36.
Q&A
Thank you
Join: Our Community with Apps, Ask Questions or join a SplunkLive! event
https://www.splunk.com/en_us/community.html
Try: Splunk Security Online Experience (No Download)
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html
Explore: Download the CIS Critical Security Controls App
https://splunkbase.splunk.com/app/3064/