SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Security Posture
•Download as PPTX, PDF•
1 like•284 views
All data is security relevant – whether you are an IT or security professional, it is important to gain context into all your data to understand your environment, quickly hunt for and investigate potential threats in your environment, and take action to remediate. In this session, you will learn how to: - Leverage your data across silos with analytics-driven security - Operationalize all relevant data to gain greater visibility of your environment to make more informed decisions - Optimize incident response to more clearly understand an attack and the sequential relationship between events to quickly determine the appropriate next steps - Improve investigation and remediation times by automating decisions or by using human-assisted decisions with full context from adaptive response - Utilize Splunk User Behavior Analytics and verify privileged access and detect unusual activity by using UBA anomalies
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Security Posture
Similar to SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Security Posture (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
SplunkLive! Zurich 2017 - Build a Security Portfolio That Strengthens Your Security Posture
- 1. © 2017 SPLUNK INC.© 2017 SPLUNK INC. 09. MAY 2017 | ZÜRICH
- 2. © 2017 SPLUNK INC. Splunk for Security Build a Security Portfolio that Strengthens your Security Posture Alain Gutknecht | Staff Sales Engineer 09. MAY 2017 | ZÜRICH
- 3. © 2017 SPLUNK INC. 3 Agenda • Cyber Security Landscape • Splunk’s Data Driven Security Offering • Demo Time • Next Steps / Q&A
- 4. © 2017 SPLUNK INC. 4 TRADITIONAL DEFENSES ARE NO LONGER EFFICENT ENOUGH 4 TRADITIONAL DEFENSES ARE NO LONGER EFFICENT ENOUGH
- 5. © 2017 SPLUNK INC. 100% Valid credentials were used 143 Median # of days before detection 53% Victims notified by external entity The Ever-Changing Threat Landscape
- 6. © 2017 SPLUNK INC. Source: Verizon DBR Attacks often start with an email: 50%CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR 23%OF RECIPENTS OPEN PHISHING MESSAGES 11%OF RECIPENTS CLICK ON ATTACHMENTS
- 7. © 2017 SPLUNK INC. ▶ Phishing Mail: Mailbox reached storage limit... ▶ Outlook Web Access Portal custom design of SOM was rebuilt by attacker ▶ Provide E-Mail, Username, Password and Date of Birth... • To how many Users was the mail delivered? • How many clicked? • How many filled out? ▶ Delivered to 2,800 Employees before being blocked ▶ 155 Employees clicked the link ▶ 144 Employees provided their credentials Source: GISEC 2015 Key Note – Ex CSO Dan Lohrmann True Story: State of Michigan (SOM) User Account Spoofing
- 8. © 2017 SPLUNK INC. Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMBD Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Authentication All Machine Data is Security Relevant Traditional SIEM
- 9. © 2017 SPLUNK INC. © 2017 SPLUNK INC.
- 10. © 2017 SPLUNK INC. Splunk Approach to Machine Data SQL Search Schema at Write Schema at Read Traditional Splunk ETL Universal Indexing Volume Velocity Variety Unstructured Structured RDBMS
- 11. © 2017 SPLUNK INC. 11 Turning Machine Data Into Business Value Index Untapped Data: Any Source, Type, Volume Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom ApplicationsMessaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID On- Premises Private Cloud Public Cloud Ask Any Question Application Delivery Security, Compliance and Fraud IT Operations Business Analytics IoT and Industrial Data
- 12. © 2017 SPLUNK INC. Security Intelligence Use Cases Complement, replace and go beyond traditional SIEMs Security & Compliance Reporting Real-time Monitoring of Known Threats Detecting Unknown Threats Fraud Detection Insider Threat Incident Investigations & Forensics
- 13. © 2017 SPLUNK INC. The Splunk Portfolio Rich Ecosystem of Apps & Add-Ons Splunk Premium Solutions Mainframe Data Relational Databases MobileForwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence
- 14. © 2017 SPLUNK INC. 14 API SDKs UI Network Traffic Analysis Identity & Access Control Perimeter Defense Email Payload Analysis Endpoint Behavior Analysis Endpoint Change Tracking DLP Security Analytics Threat Intelligence Cloud Security Security & Compliance Landscape
- 15. © 2017 SPLUNK INC. Splunk Adaptive Response Initiative Insight from Across Ecosystem Identity and Access Internal Network Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall +
- 16. © 2017 SPLUNK INC. Splunk Demo
- 17. © 2017 SPLUNK INC. 17 APT Transaction Flow Across Data Sources http (proxy) session to command & control server Remote control Steal data Persist in company Rent as botnet Proxy Conduct Business Create additional environment Gain Access to systemTransaction Threat Intelligence Endpoint Network Email, Proxy, DNS, and Web Data Sources .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exe (malware) Calc.exe (dropper) Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, emails to the target MAIL Read email, open attachment
- 18. © 2017 SPLUNK INC. What is Enterprise Security? Enterprise Security Notable Event Asset and Identity Risk Analysis Threat Intelligence Adaptive Response A collection of Frameworks
- 19. © 2017 SPLUNK INC. ▶ Four Years in a Row as a Leader ▶ Furthest overall in Completeness of Vision ▶ Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases Splunk Positioned as a Leader Gartner 2016 Magic Quadrant for Security Information and Event Management* *Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- 20. © 2017 SPLUNK INC. 23 Next Step: Discovery Workshop What’s your Security Use Case? • Cost justification against your management • Success measurement • Prioritization • Scoping of data sources / data volume / costs • Establishing organizational processes • Data privacy justification
- 21. © 2017 SPLUNK INC. Get Started Fast! splunk.com/education
- 22. © 2017 SPLUNK INC. Take the Survey on Pony Poll ponypoll.com/zurich2017
- 23. © 2017 SPLUNK INC. SEPT 25-28, 2017 Walter E. Washington Convention Center Washington, D.C. .conf2017 The 8th Annual Splunk Conference conf.splunk.com You will receive an email after registration opens with a link to save over $450 on the full conference rate. You’ll have 30 days to take advantage of this special promotional rate! SAVE OVER $450
- 24. © 2017 SPLUNK INC. THANK YOU
Editor's Notes
- A fundamental change is going on in the threat landscape. Traditional defenses are no longer enough. While the User Interface might look nice a fundamental shift is undergoing. With more and more cloud and software as a service perimeter security is more and more challenged. Also with the digital transformation new services need to be protected and just protecting systems is no longer enough. Identity becomes the new perimeter that needs to be protected.
- <For details, please see next slide. Or read text below- same as next slide> Faster Access to Wire Data Enhance Detection and Investigation Simplify protocol and user profiling through pre-built reports for wire data Enter into workflows and create new reports by leveraging important, pre-extracted fields in protocol data Expose Hidden Variances Through Historical Analysis Discover unusual activity through automated base lining of variations over rolling time windows Improve correlation rule confidence with auto-configuring thresholds Increase the actionable value of trends and summaries through common language labels instead of numerical values Gain Deeper and Broader Context Acquire faster wire data visibility with capture and extractions via alerts or with a single click Improve wire data context by automatically applying threat intelligence to email envelopes, DNS queries and responses, and SSL certificates
- Verzion Data Breach Report 2015 – Section Phishing – Page 16-18
- At GISEC2015 in Dubai – a large Security Show – Michigan‘s Ex CSO Dan Lohrmann hold a keynote and mentioned as one of the top concerns for CIO‘s is sophisticated phishing attempts. He showed a real sample where they faced an targeted attack. To over 2800 users e-mails have been sent that their mailbox reached the size limit and to increase them temporarly they should logon to outlook web access. Within the first hour – 155 employees clicked the link with a faked outlook web access page – even the customer colouring and design they use at the State of Michigan was done. 144 employees provided their credentials. If that type of attack happens – you can‘t avoid it – you need to have the right procedures and technology in place to react quickly.
- Looking at the typical data sources used by legacy SIEMs is not enough. It would be like boxing yourself into a tight space and having to fight against your attackers and defend against your threats from that position. You need to be able to see outside the box, go beyond your traditional security solutions and gain security insight from all your data – for example e-mail tracking logs to know who got the e-mails, web log to know who
- At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
- Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collects and indexes machine data, from a single source to tens of thousands of sources. All in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights form your data. The Splunk Enterprise platform is optimized for real-time, low-latency and interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. The insights gained from machine data support a number of use cases and can drive value across your organization. Today we will focus on Security.
- Splunk is a Security Intelligence Platform and can address a number of security use cases. We’re more flexible than a SIEM and can complement or replace existing SIEM deployments, while also addressing more complex security use cases, such as supporting fraud detection, faster incident response, hunting malware and advanced threats and identifying insider threat scenarios. ------------------------------------- Examples below if you want to touch on any: Faster Investigations monitor large volumes of NW, FW, IDS, and proxy data and do forensics (Treasury) analyze evidence in hacking cases and identity theft cases. take digital evidence from multiple sources and present in a timeline (LA County) Able to identify hacking incident and point tech support to specific desktops needing remediation (DoJ) Security and Compliance: With Splunk in place, the auditors are able to observe the necessary reports in real time, check their box, and get on their way (NASA) Continuous Diagnostics and Mitigation (CFO Audit Act) NASA JSC is using Splunk as a consolidated, highly scalable logging platform for security, incident response, & compliance. Splunk has saved them hours upon hours by replacing past practices that involved less flexible end point products, relying on custom scripts, grep’ing, and manually searching through vast quantities of logs. JSC is continuing to grow their use of Splunk due to the increased details and insight that Splunk is providing them. Monitoring endpoint security, monitoring servers for troubleshooting and FISMA compliance (DoI) SSA is mainly using Splunk for compliance reporting - a main of the CDM program. Their security operations center also uses Splunk to understand their security posture. monitor security and compliance for all DHS systems in the private cloud/Data Center. (DHS) Threat detection: Improves the way they track messages and detect threats via email. Only takes a couple seconds to track messages in Splunk, which used to take hours (Senate) EOS is using custom searches and dashboards to find security threats that affect the applications running on satellites and ground systems. Once these security threats are identified with Splunk, their IT analysts are able to drill down into the raw data in order to identify the root cause of the threat. (NASA EOS) Fraud detection - Splunk’s ability to Map out the incoming IP Addresses has led to quicker resolution on blocking account. The Goal at USPS is to move from reactive fraud detection to Proactive. USPS is currently testing setting up alarms anytime an International order is placed. The goal is to make it so difficult for the bad guys to do business that they go somewhere else. (USPS) UBA and Insider threat Splunk is used to monitor employee use of the web during work hours on internal networks (DoJ) environment where an employee is a Government contractor who has access to sensitive R&D projects and/or supporting Government programs, data leakage is highly possible. An employee can intentionally or unintentionally download any text documents associated to that program/project to a personal laptop, personal email, etc. (NGC SOC)
- Splunk has several applications and partnerships that make us especially relevant for the Internet of Things: Community apps such as modular inputs for REST Endpoints, Kinesis, Kafka, and JMS Messaging Services allow easy connection to and ingestion of the high velocity and volume data available from the web services and from web based messaging queues that are becoming so common in IoT data delivery. Splunk’s DB Connect allows connection to data stored in relational databases, as well as to traditional structured metadata sources which can be used for Splunk lookups. And for the makers in the house, a community supported Splunk Universal Forwarder for ARM architectures runs on platforms like Raspberry Pi for easy access to the data and applications running on those IoT devices. Strong partnerships with companies well established in the internet of things, including Kepware, CQCloud and DataFlare for industrial data collection, analytics and visualization, and ThingWorx and MachineShop for IoT platforms integration in the Enterprise.
- To provide a complete, end-to-end view into the environment and to defend against sophisticated threats, including malware and APTs, security solutions must provide broad and deep coverage with the security and infrastructure elements. Organizations need a platform that provides out-of-box support and allows any technology/security/infrastructure device to be supported—this helps unify what has traditionally been silo efforts. Splunk Enterprise is a platform for machine data and provides visibility across these silos. The Splunk platform also provides role–based access control, which allows different people across the organization, including the security team, to access the data they need as part of their jobs, yet allows them to collaborate and see things across the environment. This is critical when orgs need to determine if an issue is a security, IT operations or an application issue.
- One way to answer the question “What is Enterprise Security?”, and the way we’ll look at it today, is to consider the Frameworks that comprise it. Today we’ll focus on these 5, but we’ll do so in little bit different way. Instead of showing you how ES leverages these frameworks together to meet general security problems, we’re going dive deeper and show you how to treat the ES frameworks as building blocks that can be assembled to meet complex use cases in novel, and perhaps non-obvious ways. That might mean using a little-known ES search macro directly in core Splunk; or it might mean making a call to an ES-specific REST endpoint; or it might mean showing a bit of Python code that connects ES to an external service provider. The ES frameworks, along with some very nice dashboards, and of course your organizations security data, make up ES.
- Gartner disclaimer: Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
- Verzion Data Breach Report 2015 – Section Phishing – Page 16-18
- We at Splunk not just have great Software. We want to ensure customer success in all we do with your organization. We know how amazing our dashboards look like and there are no limits yet we have experienced on the technical side with our strong platform foundation. However no limits and not putting you in a pre-definied box can from time to time be challenging – so knowing your security use cases is key. What is the final goal of the solution you’re looking for? Your use case will lead that you get more then nice dashboards – the use case ensures that you have actionable information and findings. The better the use case the more successful you will be! We can help and guide you to the journey to collect your use cases. We have a use case discovery workshop available as well as many inspirational customer stories to share! We can map them out together with you, apply them to your organization, scope the volume and costs as well as organizational processes to establish – then we can prioritize them and start our joint Journey!
- Are you looking to learn, share, and participate with other Splunk users? Visit usergroups.splunk.com, search for <<City Name>>, and join the local user group to receive updates on upcoming meetings! We will also provide you with a link to the group in the SplunkLive! Follow-up email.
- And of course, the live expression of our community is our users conference. Journalists last year said it was more like a family reunion than a technology conference, and we take that as a compliment. It’s the best place to share best practices, new ideas and learn directly from the smartest people in the Splunk ecosystem. Doesn’t matter if you’re just getting started with Splunk or are a veteran user, everyone learns something and gets reenergized at .conf. 4 inspired Keynotes 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION IS OPEN, sessions will be posted by end of June
- Are you looking to learn, share, and participate with other Splunk users? Visit usergroups.splunk.com, search for <<City Name>>, and join the local user group to receive updates on upcoming meetings! We will also provide you with a link to the group in the SplunkLive! Follow-up email.