Enterprise Security featuring UBA

1. Copyright © 2016 Splunk Inc.
Enterprise Security
and UBA Overview

2. 2
DISCLAIMER
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

3. 3
Agenda
Splunk Portfolio Update
Enterprise Security 4.5
User Behavior Analytics 3.0

4. VMware
Platform for Machine Data
Splunk Solutions > Easy to Adopt
Exchange PCISecurity
Across Data Sources, Use Cases and Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

5. 5
Splunk Releases
5
Splunk Enterprise and Splunk Cloud 6.5
Enterprise Security 4.5
ES
User Behavior Analytics 3.0
UBA

6. 6
6
Splunk Security Vision
Security Markets
SIEM and
Compliance
Security Analytics
(supervised and
unsupervised)
Fraud and
Business Risk
Managed Security
and Intelligence
Services
Splunk Security Intelligence Framework
Workflow/collaboration, case management, content/intelligence syndication and Ecosystem brokering

7. 7
Enterprise Security
Provides: SIEM and Security Nerve Center for security operations/command centers
Functions: alert management, detects using correlation rules (pre-built), incident
response, security monitoring, breach response, threat intelligence automation,
statistical analysis, reporting, auditing
Persona service: SOC Analyst, security teams, incident responders, hunters, security
managers
Detections: pre-built advanced threat detection using statistical analysis, user
activity tracking, attacks using correlation searches, dynamic baselines
7

8. 8
User Behavior Analytics
Provides advanced threat detection using unsupervised machine learning –
enriches Splunk Enterprise Security (SIEM)
Functions: baselines behavior from log data and other data to detect
anomalies and threats
Persona service: SOC Analyst, hunters
Detections: threat detection (cyber attacker, insider threat) using
unsupervised machine learning and data science.
8

9. Copyright © 2016 Splunk Inc.
Enterprise Security
9
Christopher Shobert (Security Engineer/SME)

10. 10
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant
for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic
was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four Years in a Row as a Leader
Furthest overall in Completeness
of Vision
Splunk also scores highest in 2016
Critical Capabilities for SIEM
report in all three Use Cases

11. 11
11
Splunk scores highest in 2016 Critical Capabilities for SIEM* report
in all three Use Cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016 This graphic was published by Gartner, Inc. as part of a larger research document and
should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise
technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner
disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

12. 12
SIEM Use Cases
* Gartner Research Document : 2016 Critical Capabilities for SIEM
Basic Security Monitoring
Advanced Threat Defense
Forensics and Incident
Management
Real-time Monitoring
User monitoring
Incident Response and Management
Advanced Analytics
Threat intelligence & Business Context
Advanced Threat Defense
Data and application monitoring
Deployment and Support Flexibility
Critical Capabilities* ES Frameworks
Notable Events
Asset & Identity
Threat Intelligence
Risk Analysis
Adaptive Response

13. 13
Splunk Enterprise Security: Fast Facts
● Current version: 4.5 released on October 12, 2016
● Two major releases per year
● Content comes from industry experts, market analysis, but most
importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast,
and customizable
● ES has its own development team, dedicated support, services
practice, and training courses

14. 14
Splunk Enterprise Security – SIEM and Security Nerve Center
14
Q2 2015 Q4 2015
ES 4.5
• Adaptive
Response
• Glass Tables
• Adaptive
Response
partner
enablement
ES 4.1
• Behavior
Anomalies
• Risk and Search in
Incident Review
• Facebook
ThreatExchange
ES 3.3
• Threat Intel
Framework
• User Activity
Monitoring
• Content Sharing
• Data Ingestion
ES 4.0
• Breach Analysis
• Integration with
Splunk UBA
• Enterprise
Security
Framework
Q2 2016
ES 4.2
• Adaptive
Response
enablement
• Performance
• Actions
Dashboard
• Search Driven
Lookup
Q3 2016

15. The Frameworks of ES

16. 16
What is Enterprise Security?
16
Enterprise Security
Notable
Event
Asset and
Identity
Risk
Analysis
Threat
Intelligence
Adaptive
Response
A collection of Frameworks

17. 17
17
Enterprise Security
Notable Asset and
Identity
Risk
Analysis
Threat
Intelligence
Adaptive
Response

18. 18
Notable Events
18
Where Correlation Searches are Surfaced

19. 19
19
Enterprise Security
Notable
Event
Asset
and
Identity
Risk
Analysis
Threat
Intelligence
Adaptive
Response

20. 20
Asset and Identity
20
System Inventory in ES

21. 21
21
Enterprise Security
Notable Asset and
Inventory
Threat
Intelligence
Risk
Analysis
Adaptive
Response

22. 22
Risk Analysis
22
Adds context…
Risk score displayed in
Incident Review
Risk score displayed in
Incident Review

23. 23
23
Enterprise Security
Notable
Event
Asset and
Inventory
Threat
Intelligence
Risk
Analysis
Adaptive
Response

24. 24
Threat Intelligence
24
indicators everywhere

25. 25
Threat Intelligence
25
Certificates
Domains
Email
File
HTTP
IP addresses
Processes
Registry
Services
Users

26. 26
26
Enterprise Security
Notable
Event
Asset and
Inventory
Adaptive
Response
Risk
Analysis
Threat
Intel

27. 27
Adaptive Response Framework
27
Correlation Search > AlertSearch > Alert
Meta, bro

28. 28
Splunk as the Security Nerve Center
2
Workflow
Identity
Network
Internal
Network
Security
App
Endpoints
Web Proxy Threat Intel

29. 29
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. Threat Connect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. Cyber Ark
17. Tanium
18. Carbon Black
19. ForeScout
Workflow
Identity
Network
Internal
Network
Security
App
Endpoints
Web
Proxy Threat Intel

30. 30
Enterprise Security
30
Enterprise Security
Notable
Asset and
Identity
Risk
Analysis
Threat
Intelligence
Adaptive
Response

31. Demo

32. Copyright © 2016 Splunk Inc.
Splunk User Behavior Analytics
Anurag Gurtu (Dir. Product Marketing)

33. 33
WHAT IS SPLUNK UBA?
Splunk User Behavior Analytics
(Splunk® UBA) is an out-of-the-
box solution that helps
organizations find known,
unknown, and hidden threats
using data science, machine
learning, behavior baseline and
peer group analytics.

34. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
Behavior Baselining
& Modelling
Unsupervised
Machine Learning
Real-Time & Big
Data Architecture
Threat & Anomaly
Detection
Security Analytics

35. A Few CUSTOMER FINDINGS
q Malicious Domain
q Beaconing Activity
q Malware: Asprox
q Webshell Activity
q Pass The Hash Attack
q Suspicious Privileged
Account activity
q Exploit Kit: Fiesta
q Lateral Movement
q Unusual Geo Location
q Privileged Account
Abuse
q Access Violations
q IP Theft
RETAIL HI-TECH MANUFACTURING FINANCIAL

36. 36
WHAT WILL I DEMO
INGEST DATA
FROM SECURITY PRODUCTS
OBSERVE ANOMALY
GENERATION
OBSERVE THREAT GENERATION AND
TRANSFORMATION
KEY TAKEAWAYS
DATA INGESTION IS STRAIGHTFORWARD
AND FAST
ML ALGO’S PROCESS RAW EVENTS AND
GENERATE ANOMALIES (REAL-TIME)
ML ALGO’S STITCH ANOMALIES INTO
THREATS (REAL-TIME)
ML ALGO’S TRANSFORM THREAT INTO A
NEW STATE

37. 37
§ INGEST DATA: FIREWALL EAST-WEST
§ INGEST DATA: FIREWALL NORTH-SOUTH
§ INGEST DATA: VPN CONCENTRATOR
SWITCH
SWITCH
FIREWALL
EAST-WEST
FIREWALL
NORTH-SOUTH
EDGE ROUTER w/
VPN CONCENTRATOR
NETWORK
TOPOLOGY
1
2
3
2
3
1

38. 38
§ INGEST DATA: FIREWALL EAST-WEST
INGEST FIREWALL
EAST-WEST LOGS
1
SWITCH
EDGE ROUTER w/
VPN CONCENTRATOR
FIREWALL
EAST-WEST
FIREWALL
NORTH-SOUTH
EDGE ROUTER w/
VPN CONCENTRATOR
1
2
3
SWITCH
SWITCH

39. 39
§ INGEST DATA: FIREWALL NORTH-SOUTH
INGEST FIREWALL
NORTH-SOUTH LOGS
2
SWITCH
EDGE ROUTER w/
VPN CONCENTRATOR
FIREWALL
EAST-WEST
FIREWALL
NORTH-SOUTH
EDGE ROUTER w/
VPN CONCENTRATOR
1
2
3
SWITCH
SWITCH
40.1K

40. 40
§ INGEST DATA: EDGE ROUTER w/ VPN CON.
INGEST VPN LOGS
3
80.9K
SWITCH
EDGE ROUTER w/
VPN CONCENTRATOR
FIREWALL
EAST-WEST
FIREWALL
NORTH-SOUTH
EDGE ROUTER w/
VPN CONCENTRATOR
1
2
3
SWITCH
SWITCH

41. 41
WHAT WOULD HAPPEN IF
SPLUNK UBA INGESTED DATA
FROM ONLY ONE DEVICE?

42. 42
FIREWALL
EAST-WEST
EVENTS
30K
INSIDER: LATERAL
MOVEMENT (BILL)
INSIDER: LATERAL
MOVEMENT (ROD)
UNUSUAL NETWORK
ACTIVITY (17)
EDGE ROUTER w/
VPN CONCENTRATOR
EVENTS
80.8K
UNUSUAL ACTIVITY TIME (1)
LAND SPEED VIOLATION (1)
ANOMALY
THREAT
FIREWALL
NORTH-SOUTH
EVENTS
40.1K
UNUSUAL GEO LOCATION
OF COMMUNICATION
DESTINATION (13)
EXCESSIVE DATA
TRANSMISSION (2)
DATA EXFILTRATION BY
SUSPICIOUS DEVICE
DATA EXFILTRATION BY
SUSPICIOUS DEVICE
ADDITIONAL DATA
SOURCES ENRICH
THREAT DETECTION

43. 43
LET’S SUMMARIZE

44. 44
INSIDER: LATERAL
MOVEMENT (BILL)
INSIDER: LATERAL
MOVEMENT (ROD)
INSIDER: DATA
EXFILTRATION by
SUSPICIOUS USER or
DEVICE (BILL & ROD)
EXTERNAL: DATA EXFILTRATION by COMPROMISED ACCOUNT (BILL & ROD)
THREAT CONTINUED TO EVOLVE WITH ADDITIONAL DATA SOURCES
ML PROCESSED RAW EVENTS AND
GENERATED MANAGEABLE
ALERTS
>> >>
100% ML DRIVEN

45. 45
EXPLORE SPLUNK UBA
WITH
YOUR OWN DATA.
CONTACT: UBA-SALES@SPLUNK.COM

46. 46
Mark Your Calendars!
• .conf2017 is going to DC!
• Sept 25-28, 2017
• Walter E Washington Convention Center