Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.

1. Copyright © 2014 Splunk Inc.
Guy Weaver
Senior System Engineer

2. 2
Agenda
What is the Splunk App for Enterprise Security?
Guided Tour
– General Overview
– Data Ingest and Common Information Model
– Risk and Threat Intel
– Incident Response Exercise
– Creating a Correlation Search

3. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

4. Platform for Operational Intelligence
The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP
IoT
Devices
Network
Wire Data
Hadoop

5. 5
ES Fast Facts
● Current version: 4.0
● Two releases per year
● Content comes from industry experts, market analysis, but most
importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast,
and customizable
● ES has its own development team, dedicated support, services
practice, and training courses

6. ES Guided Tour

7. 7
Other Items To Note
Items to Note
Navigation - How to Get
Here
Description of what to click on
Click

8. Logging In and
Security Posture

9. 9
Security Posture
9
How do you start and end your day?

10. 10

11. 11
Instance URL Username Password
1 https://od-sl-detroit01.splunkoxygen.com Demo_user Splunk4ES
2 https://od-sl-detroit02.splunkoxygen.com Demo_user Splunk4ES
3 https://od-sl-detroit03.splunkoxygen.com Demo_user Splunk4ES
4 https://od-sl-detroit04.splunkoxygen.com Demo_user Splunk4ES
5 https://od-sl-detroit05.splunkoxygen.com Demo_user Splunk4ES
6 https://od-sl-detroit06.splunkoxygen.com Demo_user Splunk4ES
7 https://od-sl-detroit07.splunkoxygen.com Demo_user Splunk4ES
8 https://od-sl-detroit08.splunkoxygen.com Demo_user Splunk4ES

12. 12
Log in with your credentials. Use
any modern web browser (works
better with non-IE).
Main Login Page from Link

13. 13
13
Click on Enterprise Security
After Logging In

14. 14
ES Content dropdowns
Splunk app context
Click on Security Posture
Main ES Page (from App
upper left hand side)

15. 15
Key Security Indicators (build your own!)
Sparklines
Editable
Security Posture link in Nav

16. Data Ingest and the
Common Information
Model (CIM)

17. 17
Data Ingest + Common Information Model
17
● You’ve got a ton of systems
● How to bring in:
● Network AV
● Windows + OS X AV
● PCI-zone Linux AV
● Network Sandboxing
● APT Protection
● Splunk + CIM is Easy

18. 18 18
Click Add Data, under Settings
Settings, from any page in
Splunk

19. 19 19
Bringing Data into Splunk
is easy!
Data Normalized to Common
Information Model
Under Settings (upper right
side), Add Data
Click the Cisco app
icon

20. 20
CIM Compliant!
Close The Tab
Splunkbase.com
Search for Cisco

21. 21
Data Models
21
Click on Data models
Click on Pivot
next to Malware

22. 22
Click Malware Attacks to PivotClick
From Search Nav Menu,
select Pivot then Malware
Nested Models – easily distinguish
subsets of data

23. 23
Filter Timeframe to Last 60 Minutes
Change
Total count of attacks
Change to Area Chart to show
Attacks over Time
Click
From Search Nav Menu, select Pivot,
then Malware, then Malware Attacks

24. 24
The time range we selected
Split out by Vendor with “Add
Color”
Click
SCROLL to
vendor_product
CIM has many
usable attributes

25. 25
For as many vendors as you have,
pivot and report across any field!

26. 26
How Does This Apply?
Let’s Open the Malware Center to See
Under Security Domains, under Endpoint,
open Malware Center

27. 27
Various ways to filter data
Malware-Specific KSIs and Reports
Security Domains ->
Endpoint -> Malware Center

28. 28
Searches that rely on
this data model
How Complete is my ES?
What else could I onboard?
Instructor Only

29. Risk Analysis

30. 30
What To Do First?
30
● Risk provides context
● Risk helps direct analysts
“Risk Analysis is my favorite dashboard
for my SOC Analysts!”

31. 31
Click “Risk Analysis”
Under “Advanced Threat”
Click

32. 32
Filterable
KSIs specific to Risk
Risk assigned to system,
user or other
Under Advanced Threat,
select Risk Analysis

33. 33
(Scroll Down)
Recent Risk Activity
Under Advanced Threat,
select Risk Analysis

34. 34
Notable Event Risk Preview!
34
From Notable Events
More on this later…
…Or Ad-Hoc from Risk
Analysis Dashboard

35. Threat Activity

36. 36 36Attack Map
The Challenge:
• Industry says Threat Intel is
key to APT Protection
• Management wants all
threat intel checked against
every system, constantly
• Don’t forget to keep your
15+ threat feeds updated
The Solution:

37. 37
Click “Threat Activity”
Under “Advanced Threat”
Click

38. 38
Filterable, down to IoC
KSIs specific to Threat
Most active threat source
Scroll down…
Scroll
Under Advanced Threat,
select Threat Activity

39. 39
Specifics about recent threat matches
Under Advanced Threat,
select Threat Activity

40. 40
To add threat intel go to:
Configure -> Data Enrichment ->
Threat Intelligence Downloads
Click

41. 41
Threat Intel Downloads

42. 42
Click “Threat Artifacts”
Under “Advanced Threat”
Click

43. 43
Artifact Categories –
click different tabs…
STIX feed
Custom feed
Under Advanced Threat,
select Threat Artifacts
The Threat Artifacts dashboard provides a
single location to explore and review threat
content sourced from all configured threat
download sources.

44. 44
Review the Advanced Threat
content
Click

45. Additional Reports

46. 46
Auditors / Management / Compliance Says…
46
● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than
300 standard reports too

47. 47
Click “Reports”
Click

48. 48
Over 330 reports to
use or customize
Under Search, select Reports

49. Incident Response
Workflow

50. 50 50
Go to Incident ReviewClick
Sort by UrgencyClick
Find Event with Your Persona
Finally, click the adjacent “>”
Status of All Tickets
Filter on owner, urgency,
status, tag, and more
Explore and Analyze Incidents
Incident Review

51. 51
View Raw Event
Data from asset framework
Incident Review, expand
incident with your persona

52. 52
Drill down on
“10.116.240.105”
and select Domain Dossier
Click
Click
Pivot off of everything. Go
internal or external.
Customize.
Incident Review, expand
incident with your persona

53. 53
Review information from
external lookup
Incident Review Tab is still open.
Click back to it Incident Review
In your Incident, hit Drop
Down next to Destination
and then “Domain Dossier”

54. 54
Drill down on
“10.116.240.105” and select
“Intrusion Search (as source)”
Click
Click
Incident Review, expand
incident with your persona

55. 55

56. 56
Drill down on the Source field
(10.116.240.105) and select
“Asset Investigator”
Click
Click
Incident Review, expand
incident with your persona

57. 57
Data from asset framework
Configurable Swimlanes
Darker=more events
All happened around same time
Change to
“Today” if needed
Asset Investigator, enter
“10.116.240.105”

58. 58
Select “All Authetication”
vertical bar
Asset Investigator, enter
“10.116.240.105”

59. 59
Asset Investigator, enter
“10.116.240.105”

60. 60 60
Click Incident Review
Click

61. 61
Click
Incident Review, expand
incident with your persona
Click Reimage Workstation Click
Instructor Only

62. 62
Click
Totally fake! But also
totally possible.
Instructor Only

63. 63
Select your Notable
Event
Click
Then click
“Edit all selected”

64. 64
Fill out Status: Pending. Urgency: Low.
Owner: <your persona>. Comment:
<whatever you want>.
Populate
Click
Incident Review, expand
incident with your persona

65. 65
Click to Add to Investigation
Select Event

66. 66

67. 67
Click
Click

68. 68
Click
Add Items

69. 69

70. 70
Click “Incident
Review Audit”
Click

71. 71
Click a reviewer name
Under Audit menu, select
Incident Review Audit

72. 72
Detailed review activity
scoped to the reviewer
you clicked on.
Under Audit menu, select
Incident Review Audit

73. Creating a
Correlation Search

74. 74
They Got You Once, Never Again
74
● Chris opened PDF because it was
legitimate (before weaponizing)
● They brute forced portal to get PDF
● You successfully find the attack
● How do you alert moving forward?

75. 75
Select
“Zeus Demo”
Click

76. 76
In App Menu (upper left),
select Zeus Demo

77. 77
Returns data if we see a lot of
logon attempts and then access
to portal admin pages from a
single IP on a known threat list
In Find menu (upper right)
type “Portal Brute Force”

78. 78
We COULD select this text,
copy it, and use it in a
correlation search…but let’s
make it easy.

79. 79
Go back to the Enterprise
Security app

80. 80
Select “Custom Searches”
under Configure -> General
In App Menu (upper left),
select Enterprise Security

81. 81
~200 correlation searches,
KSIs, Swimlanes, etc
Click “New”
In ES, select Configure ->
General -> Custom Searches

82. 82
Click “Correlation Search”
Select Configure -> General
-> Custom Searches -> New

83. 83
Click the link!
Then click save…
Select Configure -> General -> Custom
Searches -> New -> Correlation Search
Explore Risk settings!

84. 84
Return to Incident
Review

85. 85
Search for events
owned by you
(remove All)
Note custom description
Incident Review

86. Wrap Up

87. 87 87
Bringing Data into Splunk
is easy!
Data Normalized till
Common Information Model

88. 88
For as many vendors as you have,
pivot and report across any field!

89. 89
Filterable
KSIs specific to Risk
Risk assigned to system,
user or other

90. 90

91. 91
Over 330 reports to
use or customize

92. 92 92
Status of All Tickets
Filter on owner, urgency,
status, tag, and more
Explore and Analyze Incidents

93. 93

94. 94

95. 95
Note custom description

96. Copyright © 2014 Splunk Inc.
• September 26-29, 2016
• The Disney Swan and Dolphin, Orlando
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 3 days of Splunk University
• Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and
• Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room &
Clinic, and MORE!
Visit conf.splunk.com for more information
.conf2016: The 7th Annual
Splunk Worldwide Users’ Conference

97. Thank You