Slide 2
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Slide 10
Example Patterns of Fraud in Machine Data

Industry | Type of Fraud/Theft/Abuse | Pattern
Financial Services | Account takeover | Abnormally high number or dollar amounts of wire transfer withdrawals
Healthcare | Physician billing | Physician billing for drugs outside their expertise area
E-Tailing | Account takeover | Many accounts accessed from one IP
Telecoms | Calling plan abuse | Customer making excessive amount of international calls on an unlimited plan
Online Education | Student loan fraud | Student receiving federal loan has IP in "high-risk" overseas country and is absent from online classrooms and forums
Slide 11
Insider Threat

What To Look For | Data Source
Abnormally high number of file transfers to USB or CD/DVD | OS
Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site | Email / web server
Unusual physical access attempts (after hours, accessing unauthorized area, etc.) | Physical badge records / AD
Above actions + employee is on an internal watchlist as result of transfer / demotion / poor review / impending layoff | HR systems / above
User name of terminated employee accessing internal system | AD / HR systems
Slide 57
INSIDER THREAT

Time | User Activities | Risk/Threat Detection Areas
3:00 PM | John logs in via VPN from 1.0.63.14 | Unusual Geo (China); Unusual Activity Time
3:05 PM | John elevates his privileges for the PCI network | Unusual Activity Sequence (AD/DC Privilege Escalation)
3:10 PM | John performs a remote desktop on a system as Administrator on the PCI network zone | Unusual Zone (Corp→PCI) traversal (lateral movement)
3:15 PM | John (Admin) performs an ssh as root to a new machine from the BizDev department | Unusual Machine Access (lateral movement; individual + peer group)
3:40 PM | John (Admin→root) accesses all the excel and negotiations documents on the BizDev file shares | Unusual File Access (individual + peer group)
6:00 PM | John (Admin→root) copies all the negotiation docs to another share on the corp zone | Excessive Data Transmission (individual + peer group); Unusual Zone combo (PCI→corp)
11:35 PM | John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise | Multiple Outgoing Connections; Unusual VPN session duration (11h)
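As an added example (not code from the deck or from Splunk), the following script evaluates four of the detection areas in the insider-threat timeline above over a constructed event stream: unusual geo, unusual zone traversal, file access against a peer-group baseline, and VPN session duration. Field names, baselines and the 3-sigma threshold are assumptions chosen for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed events mirroring the slide-57 timeline (field names are an
# assumption, not a Splunk schema). Timestamps are ISO strings.
EVENTS = [
    {"t": "2016-03-01T15:00", "user": "john", "type": "vpn_login", "geo": "CN"},
    {"t": "2016-03-01T15:10", "user": "john", "type": "rdp", "src_zone": "corp", "dst_zone": "pci"},
    {"t": "2016-03-01T15:40", "user": "john", "type": "file_read", "files": 850},
    {"t": "2016-03-02T02:00", "user": "john", "type": "vpn_logout"},
]

# Constructed baselines of the kind an analytics platform learns from history.
BASELINE = {
    "geo": {"john": {"US"}},                     # countries john normally logs in from
    "zone_pairs": {"john": {("corp", "corp")}},  # zone traversals previously seen for john
    "peer_files": [20, 35, 28, 41, 30, 25],      # daily file reads across john's peer group
    "vpn_hours": 8,                              # longest VPN session considered normal
}


def detect(events, baseline):
    """Return (detection_area, detail) pairs for events that deviate from baseline."""
    findings, session_start = [], None
    for e in sorted(events, key=lambda x: x["t"]):
        user, ts = e["user"], datetime.fromisoformat(e["t"])
        if e["type"] == "vpn_login":
            session_start = ts
            if e["geo"] not in baseline["geo"].get(user, set()):
                findings.append(("Unusual Geo", f"{user} VPN login from {e['geo']}"))
        elif e["type"] == "rdp":
            pair = (e["src_zone"], e["dst_zone"])
            if pair not in baseline["zone_pairs"].get(user, set()):
                findings.append(("Unusual Zone traversal", f"{user} {pair[0]}->{pair[1]}"))
        elif e["type"] == "file_read":
            peers = baseline["peer_files"]
            limit = mean(peers) + 3 * pstdev(peers)  # peer-group z-score above 3
            if e["files"] > limit:
                findings.append(("Unusual File Access", f"{user} read {e['files']} files (limit {limit:.0f})"))
        elif e["type"] == "vpn_logout" and session_start is not None:
            hours = (ts - session_start).total_seconds() / 3600
            if hours > baseline["vpn_hours"]:
                findings.append(("Unusual VPN session duration", f"{user} session {hours:.0f}h"))
    return findings


if __name__ == "__main__":
    for area, detail in detect(EVENTS, BASELINE):
        print(f"{area}: {detail}")
```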
Slide 58
EXTERNAL ATTACK

Date | User Activities | Risk/Threat Detection Areas
Nov 15 | Peter and Sam access a malicious website. A backdoor gets installed on their computers | Malicious Domain (AGD); Unusual Browser Header
Nov 16 | The attacker uses Peter and Sam's backdoors to download and execute WCE to crack their password | Unusual Browser Header for Peter and Sam
Nov 16 | Peter and Sam's machines are communicating with www.byeigs.ddns.info | Beacons for Peter and Sam to www.byeigs.ddns.com
Dec 10 | The attacker logs on to Domain Controller via VPN with Peter's stolen credentials from 1.0.63.14 | Unusual Machine Access for Peter (lateral movement; individual + peer group)
Dec 10 | The attacker logs in as Sam and accesses all excel and negotiations docs on the BizDev shares | Unusual Machine Access for Sam; Unusual File Access for Sam (individual + peer group)
Dec 10 | The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Sam | Unusual Activity Sequence of Admin for Sam (AD/DC Privilege Escalation)
Jan 14 | The attacker VPNs as Peter, copies the docs to an external staging IP and then logs out after 3 hours | Excessive Data Transmission for Peter; Unusual VPN session duration