© 2019 SPLUNK INC.
Make Your SOC Work Smarter, Not Harder with Splunk Security Operations Suite
Robert Farnod | Security Specialist
David Gamer | Senior Sales Engineer
June 2019
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Agenda
• Accelerate your detection and response workflows
• Optimize your security operations
• Scale your resources
Security Operations Today
Today’s SOC
[Slide graphic made up of alert markers ("!"); the slide carries no further text.]
Today’s Security Operations Workflow
A process that doesn’t scale
[Diagram labels: data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) feeding a SIEM; security tools (firewall, IDS / IPS, endpoint, WAF, advanced malware, forensics, malware detection); Tier 1 and Tier 2 analysts.]
Experience Needed
► Hard & Soft Skills (Tier 1 and Tier 2)
• Security Knowledge
• Networking
• Application Layer Protocols
• Database and Query Languages
• Unix
• Windows
• Basic Parsing
• Command Line Familiarity
• Security Monitoring Tools
• Coding/Scripting
• Regulatory Compliance
• Vulnerability Scanning
• Investigations
• Troubleshooting
• Security Clearance
• Communication & Writing
• Critical Thinking
• Creativity & Curiosity
But…security people are hard to find…
SKILL SHORTAGE: 3.5 million unfilled cybersecurity jobs by 2021; 75% YOY increases
Source: Cybersecurity Ventures, Cybersecurity Jobs Report, 2017
Optimizing Security Operations
Shifting Focus and Role for SOCs
LEGACY: Situational Awareness; Operation / Monitoring Center; Human Authored; Human Speed Operations
REQUIRED: Analysis and Decision-Making; Nerve Center / Command Center; Human — Machine Learning; Machine-Speed Cycle Times
Security Operations Workflow
[Diagram labels: the same data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) and security tools (firewall, IDS / IPS, endpoint, WAF, advanced malware, forensics, malware detection) as on the earlier workflow slide, with SOAR now added alongside the SIEM; Tier 1 and Tier 2 analysts.]
Security Nerve Center
[Diagram labels: stages Investigate, Analyze, Monitor, Act; SIEM and SOAR; data sources Endpoints, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access, WAF and App Security, Cloud Security, Mobile.]
Security Operations Suite
[Diagram layers: Platform; Data Sources (Logs + Business Context + Threat Intelligence); Use Cases and Applications (Security Monitoring, Compliance & Data Privacy, Advanced Threat Detection, Incident Investigation & Forensics, Insider Threat Detection, Incident Response, Fraud Analytics & Detection, SOC Automation); Security Content Updates.]
How it Works
Combat Threats with Advanced Analytics
Powered by Security Information Event Management (SIEM)
[Diagram: data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) flow into Security Analytics / SIEM.]
SIEM:
• Correlate and Sequence Events
• Validate Alerts
• Prioritize, Review and Investigate
• Decide Best Path to Resolution
• Monitor Security Activity
Splunk Enterprise Security (ES)
Analytics-Driven Security Information Event Management (SIEM)
• Know Your Security Posture
• Investigate with Speed and Flexibility
• Scale to Petabytes of Data
Augment your SIEM with Behavioral Analytics
Powered by Machine Learning
Data Analyzed: Network Activity, Application Activity, Login Attempts, Removable Media, Badge Scans, Printer Activity (and more…)
Baselining: User’s activity, Departmental activity, Region’s activity, Company’s activity
Correlation & Detection (the slide shows example threat scores of 8 and 4)
Examples:
• Data Exfiltration by Suspicious User or Device
• Data Storage Attached by Unusual Number of Times
• Unusual Printer Usage
• Privilege Escalation
• Multiple Failed Login Attempts
• Malware
• Blacklisted IP Address
• Compromised Account
(and more…)
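The baselining idea on this slide, as an added illustration that is not Splunk UBA code and does not reproduce its model: each user's daily activity count is compared against four baselines (the user's own history, their department, their region, the whole company) and the largest upward deviation becomes a 0 to 10 threat score. The record layout, the scope names, the 0 to 10 scale and the thresholds are assumptions, and the activity data is constructed.

```python
from statistics import mean, pstdev

# Constructed sample: one record per user per day,
# (user, department, region, day, metric, count). Not a Splunk UBA schema.
EVENTS = [
    # alice, finance/emea: steady printer use, then a large spike on day 5
    ("alice", "finance", "emea", 1, "printer_pages", 30),
    ("alice", "finance", "emea", 2, "printer_pages", 35),
    ("alice", "finance", "emea", 3, "printer_pages", 28),
    ("alice", "finance", "emea", 4, "printer_pages", 32),
    ("alice", "finance", "emea", 5, "printer_pages", 900),
    # bob, finance/emea: a normal peer for alice
    ("bob", "finance", "emea", 1, "printer_pages", 25),
    ("bob", "finance", "emea", 2, "printer_pages", 40),
    ("bob", "finance", "emea", 3, "printer_pages", 33),
    ("bob", "finance", "emea", 4, "printer_pages", 29),
    ("bob", "finance", "emea", 5, "printer_pages", 31),
    # carol, engineering/amer: prints very little
    ("carol", "engineering", "amer", 1, "printer_pages", 2),
    ("carol", "engineering", "amer", 2, "printer_pages", 0),
    ("carol", "engineering", "amer", 3, "printer_pages", 5),
    ("carol", "engineering", "amer", 4, "printer_pages", 1),
    ("carol", "engineering", "amer", 5, "printer_pages", 3),
    # dave, finance/emea: occasional failed logins, then a burst on day 5
    ("dave", "finance", "emea", 1, "failed_logins", 1),
    ("dave", "finance", "emea", 2, "failed_logins", 0),
    ("dave", "finance", "emea", 3, "failed_logins", 2),
    ("dave", "finance", "emea", 4, "failed_logins", 1),
    ("dave", "finance", "emea", 5, "failed_logins", 45),
]

SCOPES = ("user", "department", "region", "company")
MIN_OBS = 3        # assumed: a baseline needs at least this many observations
SIGMA_FLOOR = 1.0  # assumed: avoids dividing by a (near) zero spread


def scope_key(scope, user, dept, region):
    """Map a record to the identifier it is grouped by in a given scope."""
    return {"user": user, "department": dept,
            "region": region, "company": "all"}[scope]


def baseline(events, scope, key, metric, exclude_day):
    """Mean and floored standard deviation of `metric` within one scope,
    leaving out the day being scored so a spike cannot inflate its own
    baseline. Returns None when there is too little history."""
    vals = [c for u, d, r, day, m, c in events
            if m == metric and day != exclude_day
            and scope_key(scope, u, d, r) == key]
    if len(vals) < MIN_OBS:
        return None
    return mean(vals), max(pstdev(vals), SIGMA_FLOOR)


def z_scores(events, record):
    """Standard-score the record's count against every available scope."""
    user, dept, region, day, metric, count = record
    scores = {}
    for scope in SCOPES:
        b = baseline(events, scope, scope_key(scope, user, dept, region),
                     metric, day)
        if b is not None:
            mu, sigma = b
            scores[scope] = (count - mu) / sigma
    return scores


def threat_score(zs):
    """Collapse per-scope deviations into a 0..10 score (assumed scale).
    Only activity above baseline is suspicious for count metrics, so
    negative deviations contribute nothing."""
    worst = max(list(zs.values()) + [0.0])
    return min(10, int(worst))


def score_day(events, day):
    """Threat score for every (user, metric) observed on `day`."""
    return {(rec[0], rec[4]): threat_score(z_scores(events, rec))
            for rec in events if rec[3] == day}


def ranked_detections(events, day):
    """Detections for `day`, highest threat score first (triage order)."""
    scored = score_day(events, day)
    return sorted(((s, u, m) for (u, m), s in scored.items()),
                  key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for score, user, metric in ranked_detections(EVENTS, 5):
        print(f"threat score {score:2d}  {user:<6} {metric}")
```

Alice's printer spike and Dave's failed-login burst stand out against all four scopes, while Bob, whose day is ordinary for his department, and Carol, who is below the company baseline, score zero.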
Splunk User Behavior Analytics (UBA)
Detect unknown threats and anomalous user behavior using machine learning
• Enhance Threat Visibility
• Accelerate Investigation
• Increase Productivity
Automate Your Incident Response
Powered by Security Orchestration, Automation, and Response (SOAR)
[Diagram labels: data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities); Security Analytics (SIEM) + ML-based Behavioral Analytics (UEBA); Automation and Orchestration (SOAR); security tools (firewall, IDS / IPS, endpoint, WAF, advanced malware, forensics, malware detection).]
Splunk Phantom
Integrate and Scale Your Team, Processes, and Tools
• Respond Faster
• Work Smarter
• Strengthen Your Defenses
Adaptive Operations Framework
Security Content Updates
• Pre-packaged Searches
• Algorithms
• Dashboards
• Playbooks
• …and more!
Available for: Splunk Enterprise Security, Splunk User Behavior Analytics, Splunk Phantom
New Roles in Security Operations
• Security Content Developer
• Automation Engineer
Security Operations in 2020
• 90% of Tier 1 analyst work will be automated
• 50% of time spent optimizing detection & response logic
Beyond the Security Operations Center (SOC)
Splunk Enterprise for Security
• Compliance
• Data Privacy
• Fraud
• Risk
Splunk in Action
City of Los Angeles: Sharing Security Intel Across 40+ Agencies
▶ Prompt responses to cyberthreats with real-time situational awareness of citywide infrastructure
▶ Timely intelligence sharing with local, state and national law enforcement
▶ Reduced total cost of ownership
Aflac: Automating Threat Intelligence System
▶ Blocked over two million security threats
▶ Orchestrated threat intelligence across 20 security technologies sitting within its internal Threat Intelligence System
▶ Automated threat hunting and 90% of its security metrics process in just two months
Blackstone: Automating Malware Investigation
▶ Reduced alert investigation times from 30-45 minutes to less than one minute
▶ Applied a consistent approach to alert management and investigation, eliminating human error
▶ Increased resource efficiency by turning manual, repetitive tasks into automated processes
Recognized in Security
By Industry Analysts: Named a Leader in Gartner’s Magic Quadrant for Security Information and Event Management
By End Users: Designated a 2018 Customer’s Choice for Security Information and Event Management
*Gartner and Forrester are all trademarks from their respective companies.
*Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh | Toby Bussa, Dec. 4, 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
*The Gartner Peer Insights Customer Choice Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customer Choice Awards are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here http://www.gartner.com/reviews-pages/peer-insights-customer-choice-awards/ and are not intended in any way to represent the views of Gartner or its affiliates.
Key Takeaways
• Accelerate your detection and response workflows
• Optimize your security operations
• Scale your resources
Want to learn more?
Enterprise Security Hands-On Workshop
Hands-On Workshop: Advanced APT Hunting
► Three real-world scenarios that an analyst might face during the course of the day
► Workshop Logistics
• In Your Organization
• 3+ Participants
• 3-4 Hours, Modular
• Ask Your Splunk Contact Person. Don’t know? Inquire at sales@splunk.com and we will route
Thank You.
Don’t forget to rate this session in the SplunkLive! mobile app

Contenu connexe

Tendances

Tendances (20)

Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
Splunk Threat Hunting Workshop
Splunk Threat Hunting WorkshopSplunk Threat Hunting Workshop
Splunk Threat Hunting Workshop
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
dlux - Splunk Technical Overview
dlux - Splunk Technical Overviewdlux - Splunk Technical Overview
dlux - Splunk Technical Overview
 
Splunk Enterprise Security
Splunk Enterprise Security Splunk Enterprise Security
Splunk Enterprise Security
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Security Automation & Orchestration
Security Automation & OrchestrationSecurity Automation & Orchestration
Security Automation & Orchestration
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Splunk for Security-Hands On
Splunk for Security-Hands OnSplunk for Security-Hands On
Splunk for Security-Hands On
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT Operations
 
IBM Security QRadar
 IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session Building an Analytics - Enabled SOC Breakout Session
Building an Analytics - Enabled SOC Breakout Session
 

Similaire à Make Your SOC Work Smarter, Not Harder

Mission possible splunk+paloaltonetworks_6_2015
Mission possible splunk+paloaltonetworks_6_2015Mission possible splunk+paloaltonetworks_6_2015
Mission possible splunk+paloaltonetworks_6_2015
Splunk
 
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Erin Sweeney
 

Similaire à Make Your SOC Work Smarter, Not Harder (20)

Accelerate Incident Response with Orchestration & Automation
Accelerate Incident Response with Orchestration & AutomationAccelerate Incident Response with Orchestration & Automation
Accelerate Incident Response with Orchestration & Automation
 
Accelerate incident Response Using Orchestration and Automation
Accelerate incident Response Using Orchestration and Automation Accelerate incident Response Using Orchestration and Automation
Accelerate incident Response Using Orchestration and Automation
 
Accelerate incident Response Using Orchestration and Automation
Accelerate incident Response Using Orchestration and Automation Accelerate incident Response Using Orchestration and Automation
Accelerate incident Response Using Orchestration and Automation
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident ResponseSplunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
 
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
 
Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
 
Drive More Value from your SOC Through Connecting Security to the Business
Drive More Value from your SOC Through Connecting Security to the BusinessDrive More Value from your SOC Through Connecting Security to the Business
Drive More Value from your SOC Through Connecting Security to the Business
 
Splunk Incident Response, Orchestrierung und Automation
Splunk Incident Response, Orchestrierung und AutomationSplunk Incident Response, Orchestrierung und Automation
Splunk Incident Response, Orchestrierung und Automation
 
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Predictive, Proactive, and Collaborative ML with iT Service Intelligence Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
 
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Predictive, Proactive, and Collaborative ML with iT Service Intelligence Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
 
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics MethodsSpliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
 
SplunkLive! Paris 2018: Splunk Overview
SplunkLive! Paris 2018: Splunk OverviewSplunkLive! Paris 2018: Splunk Overview
SplunkLive! Paris 2018: Splunk Overview
 
Using Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden ThreatsUsing Deception to Detect and Profile Hidden Threats
Using Deception to Detect and Profile Hidden Threats
 
Adventures in Monitoring and Troubleshooting
Adventures in Monitoring and Troubleshooting Adventures in Monitoring and Troubleshooting
Adventures in Monitoring and Troubleshooting
 
Adventures in Monitoring and Troubleshooting
Adventures in Monitoring and Troubleshooting Adventures in Monitoring and Troubleshooting
Adventures in Monitoring and Troubleshooting
 
Vorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSI
Vorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSIVorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSI
Vorausschauendes, proaktives und collaboratives Machine Learning mit Splunk ITSI
 
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
 
Mission possible splunk+paloaltonetworks_6_2015
Mission possible splunk+paloaltonetworks_6_2015Mission possible splunk+paloaltonetworks_6_2015
Mission possible splunk+paloaltonetworks_6_2015
 
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
 
Get more from your Machine Data with Splunk AI and ML
Get more from your Machine Data with Splunk AI and ML Get more from your Machine Data with Splunk AI and ML
Get more from your Machine Data with Splunk AI and ML
 

Plus de Splunk

Plus de Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session Recommendations
 

Dernier

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Make Your SOC Work Smarter, Not Harder

  • 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Make Your SOC Work Smarter, Not Harder with Splunk Security Operations Suite Robert Farnod | Security Specialist David Gamer | Senior Sales Engineer June 2019
  • 2. © 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
  • 3. © 2019 SPLUNK INC. Agenda z Accelerate your detection and response workflows Optimize your security operations Scale your resources
  • 4. © 2019 SPLUNK INC. Security Operations Today
  • 5. © 2019 SPLUNK INC. Today’s SOC ! ! ! ! ! ! ! !! !! ! ! ! ! ! ! ! ! ! ! ! ! !! !! !
  • 6. © 2019 SPLUNK INC. Today’s Security Operations Workflow A process that doesn’t scale FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETECTION TIER 1 TIER 2 NETWORK TRAFFIC INTRUSION DATA ENDPOINT THREAT INTEL MALWARE AUTHENTICATION WIRE DATA ASSETS & IDENTITIES SIEM
  • 7. © 2019 SPLUNK INC. Experience Needed ► Hard & Soft Skills TIER 1 TIER 2 • Security Knowledge • Networking • Application Layer Protocols • Database and Query Languages • Unix • Windows • Basic Parsing • Command Line Familiarity • Security Monitoring Tools • Coding/Scripting • Regulatory Compliance • Vulnerability Scanning • Investigations • Troubleshooting • Security Clearance • Communication & Writing • Critical Thinking • Creativity & Curiosity
  • 8. © 2019 SPLUNK INC. But…security people are hard to find… SKILL SHORTAGE 3.5 Million Unfilled cybersecurity jobs by 2021 75% YOY increases Cybersecurity Ventures, Cybersecurity Jobs Report, 2017
  • 9. Optimizing Security Operations
  • 10. Shifting Focus and Role for SOCs (Legacy → Required): Situational Awareness → Analysis and Decision-Making; Operation / Monitoring Center → Nerve Center / Command Center; Human Authored → Human — Machine Learning; Human Speed Operations → Machine-Speed Cycle Times
  • 11. Security Operations Workflow with SIEM and SOAR. [Diagram: the same data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) and security tools (firewall, IDS / IPS, endpoint, WAF, advanced malware, forensics, malware detection) as on slide 6, now with SOAR added alongside the SIEM in front of the Tier 1 and Tier 2 analysts]
  • 12. Security Nerve Center: Monitor, Investigate, Analyze, Act. [Diagram: SIEM and SOAR at the center, connected to Endpoints, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access, WAF and App Security, Cloud Security, Mobile]
  • 13. Security Operations Suite. Layers: Platform, Data Sources, Use Cases, Applications. Labels: Security Content Updates, Security Monitoring, Logs, Business Context, Threat Intelligence. Use cases: Compliance & Data Privacy, Advanced Threat Detection, Incident Investigation & Forensics, Insider Threat Detection, Incident Response, Fraud Analytics & Detection, SOC Automation
  • 14. How it Works
  • 15. Combat Threats with Advanced Analytics, Powered by Security Information Event Management (SIEM). [Diagram: data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) flow into Security Analytics / SIEM, which: Monitor Security Activity; Correlate and Sequence Events; Validate Alerts; Prioritize, Review and Investigate; Decide Best Path to Resolution]
  • 16. Splunk Enterprise Security (ES): Analytics-Driven Security Information Event Management (SIEM) ▶ Know Your Security Posture ▶ Investigate with Speed and Flexibility ▶ Scale to Petabytes of Data
  • 17. Augment your SIEM with Behavioral Analytics, Powered by Machine Learning. Data Analyzed: Network Activity, Application Activity, Login Attempts, Removable Media, Badge Scans, Printer Activity (and more…). Baselining: User’s activity, Departmental activity, Region’s activity, Company’s activity (and more…). Correlation & Detection → Threat Score (examples shown: 8 and 4). Examples: • Data Exfiltration by Suspicious User or Device • Data Storage Attached by Unusual Number of Times • Unusual Printer Usage • Privilege Escalation • Multiple Failed Login Attempts • Malware • Blacklisted IP Address • Compromised Account
  • 18. Splunk User Behavior Analytics (UBA): Detect unknown threats and anomalous user behavior using machine learning ▶ Enhance Threat Visibility ▶ Accelerate Investigation ▶ Increase Productivity
  • 19. Automate Your Incident Response, Powered by Security Orchestration, Automation, and Response (SOAR). [Diagram: data sources (network traffic, intrusion data, endpoint, threat intel, malware, authentication, wire data, assets & identities) → Security Analytics (SIEM) + ML-Based Behavioral Analytics (UEBA) → Automation and Orchestration (SOAR) → security tools (firewall, IDS / IPS, endpoint, WAF, advanced malware, forensics, malware detection)]
  • 20. Splunk Phantom: Integrate and Scale Your Team, Processes, and Tools ▶ Respond Faster ▶ Work Smarter ▶ Strengthen Your Defenses
  • 21. Adaptive Operations Framework
  • 22. Security Content Updates ▶ Pre-packaged Searches ▶ Algorithms ▶ Dashboards ▶ Playbooks ▶ …and more! Available for: Splunk Enterprise Security, Splunk User Behavior Analytics, Splunk Phantom
  • 23. New Roles in Security Operations: Security Content Developer; Automation Engineer
  • 24. Security Operations in 2020: 90% of Tier 1 analyst work will be automated; 50% of time spent optimizing detection & response logic
  • 25. Beyond the Security Operations Center (SOC): Splunk Enterprise for Security ▶ Compliance ▶ Data Privacy ▶ Fraud ▶ Risk
  • 26. Splunk in Action
  • 27. City of Los Angeles: Sharing Security Intel Across 40+ Agencies ▶ Prompt responses to cyberthreats with real-time situational awareness of citywide infrastructure ▶ Timely intelligence sharing with local, state and national law enforcement ▶ Reduced total cost of ownership
  • 28. Aflac: Automating Threat Intelligence System ▶ Blocked over two million security threats ▶ Orchestrated threat intelligence across 20 security technologies sitting within its internal Threat Intelligence System ▶ Automated threat hunting and 90% of its security metrics process in just two months
  • 29. Blackstone: Automating Malware Investigation ▶ Reduced alert investigation times from 30-45 minutes to less than one minute ▶ Applied a consistent approach to alert management and investigation, eliminating human error ▶ Increased resource efficiency by turning manual, repetitive tasks into automated processes
  • 30. Recognized in Security. By Industry Analysts: Named a Leader in Gartner’s Magic Quadrant for Security Information and Event Management. By End Users: Designated a 2018 Customer’s Choice for Security Information and Event Management. *Gartner and Forrester are trademarks of their respective companies. *Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh | Toby Bussa, Dec. 4, 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved. *The Gartner Peer Insights Customer Choice Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customer Choice Awards are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here http://www.gartner.com/reviews-pages/peer-insights-customer-choice-awards/ and are not intended in any way to represent the views of Gartner or its affiliates.
  • 31. Key Takeaways: Accelerate your detection and response workflows; Optimize your security operations; Scale your resources
  • 32. Want to learn more? Hands-On Workshop: Advanced APT Hunting / Enterprise Security Hands-On Workshop ► Three real-world scenarios that an analyst might face during the course of the day ► Workshop Logistics • In Your Organization • 3+ Participants • 3-4 Hours, Modular • Ask Your Splunk Contact Person. Don’t know? Inquiry: sales@splunk.com and we will route
  • 33. Thank You. Don’t forget to rate this session in the SplunkLive! mobile app

Editor’s notes

  1. Now, before I begin, our Legal team would like me to make sure I share with you this notice regarding forward-looking statements, which I’ll be making some of today during my presentation. But please, be sure to make any purchasing decisions based on the products and the information that are currently and publicly available to the market.
  2. And for today’s agenda, I’m going to focus on 3 things---and those are how Splunk’s Security Operations Suite helps you: [CLICK] Accelerate your mean time to detect and respond [CLICK] Optimize your security operations, and [CLICK] Scale your resources
  3. Alrighty, so let’s get started---shall we? Let’s do a quick run through the state of Security Operations Today...
  4. Today’s Security Operations Center is under siege. The volume of security alerts is massive, in fact---according to a survey conducted at the 2018 RSA Conference and reported by SC Magazine, 27% of enterprise security teams see more than 1 million alerts per day.
  5. Here’s how that goes: [ANIMATED SEQUENCE] First, you have your data generating tools, all of which are relevant as sources of possible Security data [CLICK] They all issue an alert when something that matches a known threat is found [CLICK] Your tier-1 analysts go through all of those alerts to determine which ones are real and which ones are false positives [CLICK] Once validated, your tier-2 analysts set a response in motion via any of the very tools that first hinted at the possible issue. [CLICK] But then you end up with a process that doesn’t scale---bombarded by millions of alerts, taxing your Tier-1 Analysts by having them separate the wheat from the chaff to determine which threats are worth spending time on and which ones are simply false positives. Now, you may be saying [CLICK] “that’s why I have a SIEM.” But then your SIEM can’t make sense of all these data types, and false positives can’t be validated---leaving your Tier-1 analysts chasing far too many alerts, many of which are a complete waste of time. You need a better SIEM. As if that wasn’t unproductive enough, your Tier 2 analysts are additionally taxed, having to manually execute a response to remediate every validated incident. Add to that the fact that the average organization runs over 70 security apps, tools, databases, etc. for all sorts of things, and now your Tier-2 analysts are stuck with a swivel-chair approach to Security where they’re toggling between tabs, windows, and screens, all while wasting precious time that’s delaying their ability to detect and respond to incidents. This also adds to the stress of the role, which only increases human error or forces analysts to cut corners. And with every second this process is delayed or shortcut that is taken, your organization is at greater risk. How big of a team do you need in order to investigate, validate, and respond to all of those alerts?
  6. [ANIMATED SEQUENCE MEANT TO EMPHASIZE ALL THE SKILLS NEEDED] Well, it’s not only how big of a team, but also how seasoned and experienced that team is. You need a bit of everything, as they need to have the security acumen to know what they’re looking for, where to look for it, and how to solve problems when they’re found, but also the soft skills to write effective reports, document processes, make sharp decisions quickly, and a lot more. Finding a single professional with these skills is already difficult...
  7. ...finding an entire team of them is nearly impossible. Security professionals are indeed so difficult to find that 3.5 million of them will be sought after in 2021, with little to no success, according to Cybersecurity Ventures’ Cybersecurity Jobs Report from 2017.
  8. So we know the problem, and I know most of you feel that problem. Now how do we optimize this process?
  9. Well, we’re seeing a shift in the focus and role for the Security Operations Center, where it’s: (1) Going beyond situational awareness, and towards analysis and rapid understanding, decision making, and acting (2) From a passive monitoring approach, to a command center mindset (3) That is less dependent on human-only decisions and processes, and instead, more reliant on a combined human-and-machine learning approach (4) That helps scale the SOC—taking it from human-speed operations to machine-speed execution. A prominent addition I’d like to share is the way organizations are orienting themselves to consider the human trade-off in handling threats, as they reach their limits around investigating, monitoring, analyzing, and acting on them. A sound strategy is to scale the SOC team with technology that can streamline and automate key elements of the response and remediation cycle. These are just some of the reasons SOC teams must modernize their security operations to stay ahead of present-day threats.
  10. At Splunk, we see [CLICK] SIEM and [CLICK] SOAR technologies aiding that move to an optimized SOC, helping scale tier-1 and tier-2 resources, and streamlining the security operations workflow to accelerate detection and response.
  11. Splunk is uniquely positioned to address your security challenges—to modernize the SOC and to better detect, respond, and most importantly, adapt at machine speed. This is only possible with an approach to security that turns the SOC into a Nerve Center for security. It is driving an industry shift—delivering the innovation required to power a new generation of Security Operations. With Splunk as the nerve center, you can optimize people, process, and technology. Security teams can leverage statistical, visual, behavioral, and exploratory analytics to drive insights, decisions, and actions. All data from the security technology stack can be used to investigate, monitor, analyze and take rapid, coordinated action in a manual, semi-automated, or automated fashion across the entire organization. Splunk also helps you connect disparate technologies together—their data, their insights, their actions—allowing them to share and gain content, and to leverage analytical, machine learning, and automation capabilities. This ultimately helps make better, faster, and more effective decisions across Security, IT Operations, and every other part of the enterprise and take precise action to defend your network and your business.
  12. And like that, Splunk delivers on the Nerve Center vision with its Security Operations Suite, which features everything a SOC needs to optimize their entire security workflow. I’ll go over each of these components in a bit more detail.
  13. Alright so, how it works...
  14. Most of you are familiar with SIEM, but what’s important to highlight is that not all SIEMs are created equal. At Splunk, we regularly say that “all data is Security relevant.” So a SIEM should be able to derive insight from any type of data from any type of tool. It should be able to ingest volumes of that data, to ensure no activity is flying below the radar of the security organization. This data aggregation and correlation, combined with dashboards that give you a quick snapshot of enterprise activity, help you monitor and understand your security posture---so you can take action if something were to arise, or report on it with confidence. Data and alerts that result in a validated incident become sequenced events after the SIEM takes a closer look at all the activity that took place at the time of that incident or alert. It then connects the dots across all of it to give you a full view of the entire chain of related events, adding depth to your investigation, without wasting time from security analysts who would’ve otherwise had to piece it together manually. Incidents are triaged to help you prioritize those that put your enterprise at greater risk. All the information that is gathered and synthesized for each incident helps you make better decisions regarding the best path to respond and solve incidents. You can trigger those response actions within the application---which we’ll learn more about later on in this presentation.
  15. Splunk Enterprise Security acts as that SIEM---the market-leading SIEM, to be specific--- which can be augmented by other solutions that I’ll cover in just a bit, to provide: Detailed understanding of your Security Posture and everything that could be putting it at risk, so you can take quick action Fast and flexible investigations, that’ll automatically give you everything you need to make educated decisions as to which actions to take next And unbeatable scalability---and this is a key differentiator for Splunk, where not only can you make sense of any type of data, structured or unstructured, to derive insights from all of it, but you can do so at unprecedented volumes, leaving no stone unturned in the investigation process.
  16. Adding to the SIEM is a whole new level of threat detection, powered by machine learning---called User and Entity Behavior Analytics. This technology allows you to detect unknown threats---from external actors or insiders---by applying machine learning to the data and learning from it without assistance. So for example, I’ve listed here some of the types of data that can be analyzed, from: Network activity and application activity (like what your patterns are around using an application) Login attempts (and the opposite, failed login attempts, which could indicate someone without credentials is attempting to log in by trial-and-error, or brute force) Removable media (and whether any critical data has been saved onto it) Badge scans (and this is quite specific, but I still wanted to call it out, as it not only tells you who was where when, but also tracks any deviation from someone’s normal clock-in/clock-out patterns) Printer Activity (to see if someone has printed confidential documents) And many more All of that data is baselined---to determine regular patterns of behavior and activity. Baselines are run across multiple configurable dimensions, starting with the user’s own activity, but also their department’s regular activity and what’s normal and average at that level, or their region’s regular activity, or the entire company’s activity. Those baselines are used to determine outliers, and those outliers are further correlated to see what other activity took place at the time of that outlier, to determine its threat score---based not only on how much that outlier deviates from the baseline, but also on how severe the activity connected to that outlier is. That threat score helps with prioritization, and that information can be used by the SIEM to augment the intelligence it has on other incidents, and to sequence events for additional investigation.
  17. And that’s exactly what Splunk User Behavior Analytics does. It seamlessly integrates with Splunk Enterprise Security to detect unknown threats and anomalous user behavior. It enhances threat visibility because---unlike threat detection tools that use signatures to detect exact matches of known threats---machine learning helps detect activity without the need for indicators, by simply learning from everything it sees. It also accelerates investigation because, armed with the data from UBA, ES can use the intelligence to quickly arrive at the who, what, where, and when of security incidents. Last, it increases productivity because it automates the stitching of hundreds of anomalies into a single threat to simplify the Tier-1 analyst’s work.
  18. So you have your SIEM---augmented with machine learning and user behavior analytics---investigating, monitoring, and analyzing incidents, but now you need to act. Now, with Splunk ES you can initiate response actions, but if you want to supercharge that process and tremendously increase the efficiency of your SOC, you need [CLICK] SOAR, which stands for Security Orchestration, Automation, and Response. A SOAR solution is designed to integrate with your security stack to automate a response that it can execute through those tools. It uses playbooks, which are prescriptive collections of repeatable queries that connect to apps in and out of the SOC and that are run against security event data that flows from the integrated sources, determining along the way if/then response paths, and automatically executing orchestrated actions. That way, the moment the SOAR tool receives an alert or an event from the SIEM, it can trigger a set of actions that can accelerate response to merely seconds. Because the process is automated, the SOAR tool can trigger these responses for pretty much any alert or event that’s sent its way. What could’ve taken an hour or more for a tier-1 analyst to validate and triage, and a tier-2 analyst to respond, a SOAR tool can do in a fraction of that time.
  19. And that’s what Splunk Phantom is for. What you’re seeing here is a playbook, and the individual actions this playbook is ready to orchestrate the moment the alert is received. Phantom comes with a number of playbooks out of the box, which are programmed to run responses for a variety of threat types and use cases. And creating your own custom playbooks is pretty simple within the tool. Splunk Phantom’s automated approach to IR helps you respond faster, lets your team and your SOC work smarter---eliminating all that manual, tedious work from your workflow---and ultimately strengthens your defenses, by responding immediately and reducing the window of possible compromise to only seconds, if at all.
  20. [ANIMATED SEQUENCE] Now, we know you’ve already invested in various solutions that make up your current security stack and that you want to make sure any new investment can work with what you already have. And not just “work”, but integrate so they make the most out of each other via that integration. That’s why we’ve created the Adaptive Operations Framework---our partner ecosystem. We’ve worked with over 250 vendor apps to support more than 1500 APIs---from firewalls and antivirus tools, endpoint detection and response platforms and malware detection tools, and many more. And we’re constantly adding new tools and APIs to our ecosystem, so this list will keep increasing. Splunk can serve as the connective tissue of your SOC, ingesting the data from these tools and then instructing them to take action.
  21. Knowing how important it is to stay on top of the threat landscape to understand the latest trends in malicious activity and hacking tactics, our Security Research team---who keeps a close eye on all of this stuff---has created the Security Content Updates. Content Updates are a free subscription program that allows Splunk customers who have invested in ES, UBA, and/or Phantom to receive regular security content, in the form of pre-packaged searches, algorithms, dashboards, response playbooks, analytic stories, and much more. These provide actionable intelligence that you can use to add context to your Splunk deployments, ultimately increasing your ability to defend your enterprise. That way, your investments grow with you. You can learn more at Splunkbase.com.
  22. With this move onto more automation, orchestration, and machine learning in the SOC, we see these technologies generating roles in Security Operations, such as the role of the Security Content Developer---tuning logic, creating dashboards and playbooks, and adding context so that the machine can learn better and the automation can be even more effective---and the role of the Automation Engineer, who helps set up the integrations and arrange the orchestration that is automatically triggered via response playbooks.
  23. [ANIMATED SEQUENCE] And we anticipate that by next year, 90% of tier-1 analysts’ tasks can be automated with SIEM and SOAR solutions, giving them time they can now spend tuning detection and response logic.
  24. But it’s not just all about the SOC. Splunk also addresses use cases and functions that typically sit outside of the SOC, like Compliance, Data Privacy, Fraud, and Risk---with Splunk Enterprise, our data platform (and flagship product). Splunk Enterprise is also a key component of the Security Operations Suite. Splunk Enterprise can ingest and index all of your data, regardless of format, and offers you powerful searching capabilities to help you derive insights in just seconds. While the solutions I shared with you before are designed specifically to help you solve Security challenges, Splunk Enterprise is more agnostic in that it can also help you solve IT Operations, IoT, Business Analytics, and challenges of nearly any other nature. It would all be up to the searches you run against your data. So for example, if you’re a data privacy analyst looking to ensure your organization is compliant with regulations such as GDPR or HIPAA, you can run searches in Splunk Enterprise that’ll give you visibility into the type of data that is relevant for a specific regulation, along with every detail about its usage, to help you determine if that use is indeed compliant. Add Splunk Enterprise Security, and you can monitor this type of activity regularly to keep an eye on anything that could be putting you out of compliance.
  25. So let’s take a look at how these technologies are put to good use by some of our customers.
  26. The City of Los Angeles is a vast metropolis with critical infrastructure like airports, seaports, and water and power, as well as 35,000 employees and over 100,000 endpoints generating 14 million security events daily. They have more than 40 departments, each with their own security tools, requiring the city to gather and manually correlate logs from each agency for broad views of its network security. This process was cumbersome, imprecise, and slow to address threats. To protect its digital infrastructure, Los Angeles needed situational awareness of its security posture and threat intelligence for its departments and stakeholders. Since deploying Splunk Enterprise Security, the City of Los Angeles has seen benefits including: Creating a citywide security operations center Obtaining real-time threat intelligence, and Reducing operational costs
  27. Aflac, a Fortune 500 company, provides insurance protection to more than 50 million people worldwide. Two years ago, they embarked on a mission to build a custom threat intelligence system in response to the rapid increase in security threats—from malware and spear-phishing, to nation-state compromises—targeting its network of 15,000 worldwide employees. Aflac needed a more robust threat intelligence system to adequately detect and respond to attacks. And so they chose Splunk Enterprise Security to consume, manage, and operationalize threat intelligence data from distributed sources. They augmented it with Splunk User Behavior Analytics, our machine-learning powered solution, to find unknown threats, identify internal threats and anomalous behavior across users, endpoint devices, and applications. Together, Splunk Enterprise Security and Splunk User Behavior Analytics helped Aflac: Block over two million security threats Orchestrate threat intelligence across 20 security technologies Automate threat hunting and 90% of its security metrics process in just two months, and Give security analysts more than 30 hours a month back to focus on proactive security, instead of spending it on manual data collection and reporting. Aflac is a great example of how our customers are leveraging the combined power of Splunk Enterprise Security and Splunk User Behavior Analytics to enhance their overall security posture.
  28. Blackstone, one of the world’s leading investment firms, sees as many as 30-40 malware alerts in a single day, and investigates each malware alert as if a compromise has already occurred---a process that requires 30 to 45 minutes if done manually. Blackstone knew there had to be a better way. They needed a solution that could tie together their existing security products to reduce the response and remediation gap caused by limited resources, a widening attack surface, and a complex technology infrastructure. Blackstone turned to Phantom as their security automation and orchestration solution. After implementing Phantom, Blackstone was able to dramatically reduce the time required to investigate malware alerts, from 45 minutes when done manually, to less than one minute. Automating incident response with Phantom resulted in a number of improvements at Blackstone, ultimately allowing them to spend less time performing tedious, repetitive tasks, and to investigate issues faster, driving consistency to ensure a fast and accurate result.
  29. Last but not least, we are recognized by analyst firms such as Gartner as the leader in the SIEM space, and have been featured in their Magic Quadrant report for six consecutive years. And our customers have also voted us their designated SIEM solution in 2018 via Gartner’s Peer Insights. *Gartner and Gartner Peer Insights are trademarks of Gartner Inc. *Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh | Toby Bussa, Dec. 4, 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. *Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
  30. Alright---today, we went over how the Splunk Security Operations Suite delivers security analytics, machine learning, and automation capabilities to increase the efficiency of your security teams and reduce your exposure to risk. We also discussed how intelligently streamlined incident detection and response workflows: [CLICK] Accelerate your mean time to detect and respond [CLICK] Optimize your security operations, and [CLICK] Scale your resources
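The baselining and threat-scoring flow that note 16 (the behavioral analytics slide) describes, as an added worked example written for this page; it is not Splunk UBA code. The metric (pages printed per day), the user/department/region/company dimensions, the 3-sigma outlier threshold, the department discount, the severity weights, and every name and value in the sample data are constructed assumptions.

```python
"""Multi-level baselining, outlier detection and threat scoring.

Added illustration of the flow described in the behavioral analytics note:
baselines at user, department, region and company level; outliers found
against the user's own baseline; a score that weighs the size of the
deviation together with the severity of correlated anomalies. Not Splunk
UBA code; all dimensions, thresholds, weights and data are assumptions."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed directory: user -> (department, region). Not real people.
DIRECTORY = {
    "alice": ("finance", "emea"), "bob": ("finance", "emea"),
    "carol": ("finance", "emea"), "dave": ("engineering", "amer"),
    "erin": ("engineering", "amer"), "frank": ("legal", "amer"),
    "grace": ("legal", "amer"),
}

# Constructed history: pages printed per user per day over a 5-day window.
PRINT_HISTORY = {
    "alice": [12, 9, 15, 11, 13], "bob": [20, 25, 18, 22, 24],
    "carol": [30, 28, 35, 32, 29], "dave": [2, 0, 1, 3, 2],
    "erin": [1, 0, 0, 2, 1], "frank": [40, 45, 38, 42, 41],
    "grace": [3, 2, 4, 3, 3],
}

# Constructed anomalies already raised today for the same users, each with an
# assumed severity weight in 0..1 (higher = worse when it co-occurs).
OTHER_ANOMALIES_TODAY = {
    "alice": [("multiple_failed_logins", 0.6), ("removable_media_attached", 0.8)],
    "dave": [("multiple_failed_logins", 0.6)],
}

# Constructed observations for today: pages printed per user.
TODAY = {"alice": 120, "grace": 40, "dave": 3}


def baselines(history, directory):
    """(mean, population stdev) of the daily metric at user, department,
    region and company level. The wider levels pool every member's daily
    values, so they describe what is ordinary at that level."""
    pools = defaultdict(list)
    for user, days in history.items():
        dept, region = directory[user]
        for key in (("user", user), ("department", dept),
                    ("region", region), ("company", "all")):
            pools[key].extend(days)
    return {key: (mean(vals), pstdev(vals)) for key, vals in pools.items()}


def deviations(user, value, bl, directory):
    """Z-score of today's value against each of the user's four baselines."""
    dept, region = directory[user]
    keys = (("user", user), ("department", dept),
            ("region", region), ("company", "all"))
    out = {}
    for level, name in keys:
        mu, sigma = bl[(level, name)]
        if sigma > 0:
            out[level] = (value - mu) / sigma
        else:  # flat history: any change at all is an infinite deviation
            out[level] = 0.0 if value == mu else math.copysign(math.inf, value - mu)
    return out


def threat_score(user, value, bl, directory, anomalies, z_threshold=3.0):
    """Score in 0..10 (0 means 'not an outlier'). Deviation from the user's own
    baseline gives 3..6 points, halved when the department baseline says the
    volume is ordinary there; the worst correlated anomaly adds up to 4."""
    z = deviations(user, value, bl, directory)
    if z["user"] < z_threshold:
        return 0.0, z
    dev_points = min(6.0, 3.0 + (z["user"] - z_threshold) * 0.6)
    if z["department"] < 1.0:
        dev_points *= 0.5
    corr_points = 4.0 * max((sev for _, sev in anomalies.get(user, [])),
                            default=0.0)
    return round(min(10.0, dev_points + corr_points), 1), z


def score_today(today, history, directory, anomalies):
    """Score every observed user; returns {user: (score, z_by_level)}."""
    bl = baselines(history, directory)
    return {u: threat_score(u, v, bl, directory, anomalies)
            for u, v in today.items()}


if __name__ == "__main__":
    results = score_today(TODAY, PRINT_HISTORY, DIRECTORY, OTHER_ANOMALIES_TODAY)
    for user, (score, z) in results.items():
        print(f"{user:6} score={score:4} z_user={z['user']:6.1f} "
              f"z_dept={z['department']:5.1f}")
```

Alice's 120 pages are far outside both her own and her department's baseline and coincide with two other anomalies, so she scores high; Grace's 40 pages are unprecedented for her but ordinary for Legal, so the department baseline halves her score; Dave's 3 pages are within his normal range and score zero.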