All data is security relevant. Whether you are an IT or security professional, it is important to gain context into all your data to understand your environment, quickly hunt for and investigate potential threats, and take action to remediate. In this session, you will learn how to:
- Leverage your data across silos with analytics-driven security
- Operationalize all relevant data to gain greater visibility of your environment and make more informed decisions
- Optimize incident response to more clearly understand an attack and the sequential relationship between events, so you can quickly determine the appropriate next steps
- Improve investigation and remediation times by automating decisions, or by using human-assisted decisions with full context from adaptive response
- Use Splunk User Behavior Analytics to verify privileged access and detect unusual activity through UBA anomalies
A fundamental change is going on in the threat landscape, and traditional defenses are no longer enough. While the user interface might still look nice, a fundamental shift is under way beneath it. With more and more cloud and software-as-a-service adoption, perimeter security is increasingly challenged. The digital transformation also brings new services that need to be protected, and just protecting systems is no longer enough. Identity becomes the new perimeter that needs to be protected.
Faster Access to Wire Data
Enhance Detection and Investigation
Simplify protocol and user profiling through pre-built reports for wire data
Enter into workflows and create new reports by leveraging important, pre-extracted fields in protocol data
Expose Hidden Variances Through Historical Analysis
Discover unusual activity through automated baselining of variations over rolling time windows
Improve correlation rule confidence with auto-configuring thresholds
Increase the actionable value of trends and summaries through common language labels instead of numerical values
Gain Deeper and Broader Context
Acquire faster wire data visibility with capture and extractions via alerts or with a single click
Improve wire data context by automatically applying threat intelligence to email envelopes, DNS queries and responses, and SSL certificates
At GISEC2015 in Dubai, a large security show, Michigan's former CSO Dan Lohrmann held a keynote and named sophisticated phishing attempts as one of the top concerns for CIOs. He showed a real sample of a targeted attack they faced. E-mails were sent to over 2800 users claiming that their mailbox had reached its size limit and that, to increase it temporarily, they should log on to Outlook Web Access. Within the first hour, 155 employees clicked the link to a faked Outlook Web Access page, complete with the customer colouring and design used at the State of Michigan. 144 employees provided their credentials.
If that type of attack happens, you can't avoid it; you need to have the right procedures and technology in place to react quickly.
Looking at the typical data sources used by legacy SIEMs is not enough. It would be like boxing yourself into a tight space and having to fight against your attackers and defend against your threats from that position.
You need to be able to see outside the box, go beyond your traditional security solutions and gain security insight from all your data – for example e-mail tracking logs to know who got the e-mails, web log to know who
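As an added example that is not part of the original presentation, the following Python correlates constructed e-mail tracking log lines with constructed web proxy log lines to scope a campaign like the one above: who received the lure, who clicked the fake OWA page, who posted a form to it, and who reached the lure host without a matching mail (a visibility gap). The log formats and the lure domain are assumptions.

```python
import re

# Constructed e-mail tracking log (time, sender, recipient, subject).
MAIL_LOG = """\
2015-03-02T08:01:10 sender=helpdesk@owa-support.example.net recipient=alice@state.example subject="Your mailbox has reached its size limit"
2015-03-02T08:01:11 sender=helpdesk@owa-support.example.net recipient=bob@state.example subject="Your mailbox has reached its size limit"
2015-03-02T08:01:12 sender=helpdesk@owa-support.example.net recipient=carol@state.example subject="Your mailbox has reached its size limit"
2015-03-02T08:05:00 sender=hr@state.example recipient=alice@state.example subject="Benefits enrollment"
"""
# Constructed web proxy log (time, user, method, url, status).
PROXY_LOG = """\
2015-03-02T08:14:02 user=alice method=GET url=http://owa-support.example.net/owa/auth.php status=200
2015-03-02T08:14:40 user=alice method=POST url=http://owa-support.example.net/owa/auth.php status=302
2015-03-02T08:20:15 user=bob method=GET url=http://owa-support.example.net/owa/auth.php status=200
2015-03-02T08:30:00 user=dave method=GET url=http://owa-support.example.net/owa/auth.php status=200
"""
PHISH_HOST = "owa-support.example.net"  # constructed lure domain (assumption)
LURE = re.compile(r"mailbox has reached its size limit", re.I)
MAIL_RE = re.compile(r'^(\S+) sender=(\S+) recipient=([^@\s]+)@\S+ subject="([^"]*)"$')
PROXY_RE = re.compile(r"^(\S+) user=(\S+) method=(GET|POST) url=https?://([^/\s]+)\S* status=\d+$")

def scope_campaign(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, host=PHISH_HOST):
    """Map the incident: who received the lure, who clicked the fake OWA
    page, who posted a form to it (credentials likely submitted), and who
    reached the host without a matching mail (a gap in mail visibility)."""
    s = {"received": set(), "clicked": set(), "submitted": set(), "unexplained": set()}
    timeline = []
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if m and LURE.search(m.group(4)):   # only mails carrying the lure subject
            s["received"].add(m.group(3))
            timeline.append((m.group(1), m.group(3), "received lure"))
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m or m.group(4) != host:     # only traffic to the lure host
            continue
        ts, user, method = m.group(1), m.group(2), m.group(3)
        stage = "submitted" if method == "POST" else "clicked"
        s[stage].add(user)
        if user not in s["received"]:
            s["unexplained"].add(user)      # web log saw a visit the mail log did not explain
        timeline.append((ts, user, stage))
    timeline.sort()   # ISO timestamps sort lexically, giving the sequence of events
    return s, timeline

if __name__ == "__main__":
    stages, events = scope_campaign()
    print(*events, {k: sorted(v) for k, v in stages.items()}, sep="\n")
```

The "unexplained" set is the check a responder wants: a user hitting the lure host without a recorded lure mail means either the mail log is incomplete or a second wave exists.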
At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is what we call Operational Intelligence.
The insights gained from machine data support a number of use cases and can drive value across your organization. Today we will focus on Security.
Splunk is a Security Intelligence Platform and can address a number of security use cases. We’re more flexible than a SIEM and can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection, faster incident response, hunting malware and advanced threats and identifying insider threat scenarios.
-------------------------------------
Examples below if you want to touch on any:
Faster Investigations
Monitor large volumes of NW, FW, IDS, and proxy data and do forensics (Treasury)
Analyze evidence in hacking cases and identity theft cases; take digital evidence from multiple sources and present it in a timeline (LA County)
Able to identify a hacking incident and point tech support to the specific desktops needing remediation (DoJ)
Security and Compliance:
With Splunk in place, the auditors are able to observe the necessary reports in real time, check their box, and get on their way (NASA)
Continuous Diagnostics and Mitigation (CFO Audit Act)
NASA JSC is using Splunk as a consolidated, highly scalable logging platform for security, incident response, & compliance. Splunk has saved them hours upon hours by replacing past practices that involved less flexible end point products, relying on custom scripts, grep’ing, and manually searching through vast quantities of logs. JSC is continuing to grow their use of Splunk due to the increased details and insight that Splunk is providing them.
Monitoring endpoint security, monitoring servers for troubleshooting and FISMA compliance (DoI)
SSA is mainly using Splunk for compliance reporting, a main part of the CDM program. Their security operations center also uses Splunk to understand their security posture.
Monitor security and compliance for all DHS systems in the private cloud/Data Center (DHS)
Threat detection:
Improves the way they track messages and detect threats via email. It only takes a couple of seconds to track messages in Splunk, which used to take hours (Senate)
EOS is using custom searches and dashboards to find security threats that affect the applications running on satellites and ground systems. Once these security threats are identified with Splunk, their IT analysts are able to drill down into the raw data in order to identify the root cause of the threat. (NASA EOS)
Fraud detection
Splunk’s ability to map out the incoming IP addresses has led to quicker resolution on blocking accounts. The goal at USPS is to move from reactive fraud detection to proactive. USPS is currently testing setting up alarms any time an international order is placed. The goal is to make it so difficult for the bad guys to do business that they go somewhere else. (USPS)
UBA and Insider threat
Splunk is used to monitor employee use of the web during work hours on internal networks (DoJ)
In an environment where an employee is a Government contractor who has access to sensitive R&D projects and/or supporting Government programs, data leakage is highly possible. An employee can intentionally or unintentionally download any text documents associated with that program/project to a personal laptop, personal email, etc. (NGC SOC)
Splunk has several applications and partnerships that make us especially relevant for the Internet of Things:
Community apps such as modular inputs for REST Endpoints, Kinesis, Kafka, and JMS Messaging Services allow easy connection to and ingestion of the high velocity and volume data available from the web services and from web based messaging queues that are becoming so common in IoT data delivery. Splunk’s DB Connect allows connection to data stored in relational databases, as well as to traditional structured metadata sources which can be used for Splunk lookups. And for the makers in the house, a community supported Splunk Universal Forwarder for ARM architectures runs on platforms like Raspberry Pi for easy access to the data and applications running on those IoT devices.
Strong partnerships with companies well established in the internet of things, including Kepware, CQCloud and DataFlare for industrial data collection, analytics and visualization, and ThingWorx and MachineShop for IoT platforms integration in the Enterprise.
To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage of the security and infrastructure elements. Organizations need a platform that provides out-of-the-box support and allows any technology, security or infrastructure device to be supported; this helps unify what have traditionally been siloed efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos.
The Splunk platform also provides role-based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, yet lets them collaborate and see things across the environment. This is critical when organizations need to determine whether an issue is a security, IT operations or application issue.
One way to answer the question “What is Enterprise Security?”, and the way we’ll look at it today, is to consider the frameworks that comprise it. Today we’ll focus on these 5, but we’ll do so in a little bit different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we’re going to dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious, ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider.
The ES frameworks, along with some very nice dashboards, and of course your organization's security data, make up ES.
Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
We at Splunk don't just have great software. We want to ensure customer success in everything we do with your organization. We know how amazing our dashboards look, and with our strong platform foundation we have not yet hit any limits on the technical side.
However, having no limits and not putting you in a pre-defined box can from time to time be challenging, so knowing your security use cases is key. What is the final goal of the solution you’re looking for? Your use case ensures that you get more than nice dashboards: it ensures that you have actionable information and findings. The better the use case, the more successful you will be! We can help and guide you on the journey to collect your use cases. We have a use case discovery workshop available as well as many inspirational customer stories to share! We can map them out together with you, apply them to your organization, scope the volume and costs as well as the organizational processes to establish; then we can prioritize them and start our joint journey!
Are you looking to learn, share, and participate with other Splunk users? Visit usergroups.splunk.com, search for <<City Name>>, and join the local user group to receive updates on upcoming meetings!
We will also provide you with a link to the group in the SplunkLive! Follow-up email.
And of course, the live expression of our community is our users conference. Journalists last year said it was more like a family reunion than a technology conference, and we take that as a compliment. It’s the best place to share best practices, new ideas and learn directly from the smartest people in the Splunk ecosystem. Doesn’t matter if you’re just getting started with Splunk or are a veteran user, everyone learns something and gets reenergized at .conf.
4 inspired Keynotes
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands-on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting-edge use cases and best practices. You can also deep-dive on all things Splunk together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION IS OPEN, sessions will be posted by end of June