3. The Ever-Changing Threat Landscape
• 53%: victims notified by an external entity
• 100%: valid credentials were used
• 143: median number of days before detection
Source: Mandiant M-Trends Report 2012-2016
5. Security Intelligence
[Diagram: Security Intelligence platform. Data sources: Applications, Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint. Capabilities: Developer Platform, Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search. Enrichment and context: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, External Lookups.]
6. Connecting the “data-dots” via multiple/dynamic relationships
[Diagram: security layers connected through the kill chain]
• Threat intelligence: attacker, known relay/C2 sites, infected sites, file hashes, IOCs, attack/campaign intent and attribution
• Network activity/security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth / user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Kill chain stages: Delivery, exploit, installation; Gain trusted access; Upgrade (escalate); Lateral movement; Data gathering; Exfiltration; Persist, repeat
7. Security Intelligence Use Cases
• Security & compliance reporting
• Real-time monitoring of known threats
• Detecting unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat
Complement, replace and go beyond traditional SIEMs
8. Splunk Enterprise Security
• Risk-Based Analytics
• Visualize and Discover Relationships
• Enrich Security Analysis with Threat Intelligence
Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform
that empowers SecOps to monitor, detect, investigate and respond to attacks and
threats while minimizing risk and safeguarding your business.
21. Investigator Journal
Feature Benefits
Focus on tracking attack activities while the system tracks the investigation
Streamline the process of investigating advanced threats
Solution
• Track searches and activities to understand actions taken, information seen
• Review activities at any point in the investigation
• Return to any prior activity to follow a different path to complete the investigation
22. Investigation Timeline
Feature Benefits
Better understand, visualize and communicate attack details and investigative
actions of multi-step threats
Solution
• Combine raw events, actions, and annotation notes (Search, Views, Filters, Event status)
• See time relationship between events
• Create and manage investigation reports
23. Enterprise Security Framework
Feature Benefits
Address constantly changing security requirements by expanding ecosystem
Further enhance the abilities, allowing organizational knowledge object sharing
Solution
• Create, access, and extend ES functionality with apps that can run within ES
• Easily utilize ES framework features (Risk, Threat, Notable Events, Identity & Asset)
• Modular ways to export and import rules, views, configurations, key indicator searches and other content via an easy import/export user experience.
25. Behavioral Analytics Brought to SIEM Workflow
• All UBA anomalies available in ES
• Manager – UBA Reporting within ES – pre-built, customizable
• SOC analyst – UBA Anomaly data available for correlation – alerts, threat intel, domain data
• Hunter/Investigator – Perform ad-hoc searching/pivoting for Incident Response and Breach Analysis
ES 4.1 and UBA 2.2
Detect and Investigate faster using ML integrated with SIEM
26. Prioritize, Speed Investigations – Risk Score, Searches
• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
Streamlines Incident Review and Response
27. Facebook ThreatExchange
• Provides domain names, IPs, hash threat indicators
• Use with ad hoc searches and investigations
• Need an app ID and secret from Facebook
• Config Splunk add-on for FB ThreatExchange
• Customers already use !
34. Analytics via SIEM in the Cloud
Challenges
• Detect, investigate and remediate threats and attacks using a Cloud platform – strategy alignment
• Reduce TCO of security operations – minimize CapEx and OpEx
• Secure, scalable infrastructure to support a range of security use cases
Customer Solution: SIEM in the Cloud
• Malware Protection, User Account Protection and DLP
• Search across all data sets in the Cloud and/or on-premise data by using a single pane of glass
• Insight from all security relevant data by use of ready to use Splunk Apps and partner add-ons.
35. Integra
Challenges
• Customers want their data and communications services delivered on a network that has a level of security that goes beyond what other providers & the public Internet provide
Splunk Solution: Splunk Enterprise Security
• Detecting potentially compromised accounts: Splunk ES alerted security teams when an employee’s administrative account was attempting to route data through a country in which Integra does not operate networks.
• Detecting compromised systems: Splunk ES alerted Integra when a laser printer was sending out SSL traffic and played a critical role as the investigative team isolated the printer and its network – eventually discovering it had been compromised and needed a firmware update.
• Detecting malware infections: Integra has detected several instances of malware and malware attempts.
• Detecting malicious activity missed by other solutions: Splunk has helped Integra to detect previously unseen suspicious security events in customers’ networks.
“Splunk software is playing a central role in helping Integra’s SOC and our suite of services set the highest standards for protection against threats”
Steve Fisher, VP of network planning and security
36. Risk Driven Security Intelligence Platform
Challenges
• Preventing attacks while processing online orders every 4 seconds from 180+ countries.
• Managing security across data centers in the US, UK, Italy, and Asia
• Keeping trust & high availability in a hostile environment - Confidentiality, Integrity, Completeness
• Fragmented security ecosystem
Customer Solution
• Moved from a technology oriented approach to an info-centric approach
• From standard dashboards to real-time dynamic dashboards.
• Moved from a security event to full context-aware security information
37. Building an Intelligence Driven SOC
Challenges
• Existing SIEM not adequate - struggled to bring in appropriate data
• Unable to perform advanced investigations, severe scale/performance issues
• Looking to build a new SOC with modern solution
Customer Solution
• Centralized logging of all required machine data at scale and full visibility
• Retain all relevant data from 10+ data sources, used by 25+ SOC/CSIRT users
• Tailored advanced correlation searches & IR workflow
• Faster and deeper incident investigations
• Greater SOC efficiencies - all SOC/CSIRT working off same UI/data
• Executive dashboards to measure and manage risk
39. Rapid Ascent in the Gartner SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
• 2015: Leader, and the only vendor to improve its visionary position
• 2014: Leader
• 2013: Leader
• 2012: Challenger
• 2011: Niche Player
Let’s start with today’s ever-changing threat landscape:
With all the news on cyber attacks and security breaches, you know we are constantly up against 3 very sophisticated adversaries: the cyber criminals, the nation states and also the malicious insiders, all going after major stakes of our life, our company and our nation.
Three numbers in the cyber security statistics are very telling, and we should pay close attention to them:
100% of breaches are done using valid credentials;
And it still takes an average of 143 days to detect a breach;
With all security technologies deployed in the enterprises, 53% of breaches are still first reported to the enterprise by third parties (FBI, SS)
People are the most important part of your business. Splunk empowers your security teams with data.
Your security teams perform a number of tasks <next slide>
And use your Splunk environment to collect, analyze and enrich all this data that you are collecting.
You will be well prepared to detect new attacks and quickly respond to the next breach.
This explains the “layers of security” or the “security stack” used to detect different aspects of an attack. This is a common approach and should resonate with the customer audience. Companies, solution providers and product vendors are trying to pull these things together to detect certain aspects of attacks.
Example – WebSense is focusing on webgateway, email gateway and data loss – they focus on the network activity/security
Example – Fireeye – focusing on malware payload analysis, added endpoint (mandiant agent), investigation platform (MIR), and IPS (network intrusion prevention)
Our point is that most security solutions can be classified into one of these layers, and most companies will bring in one to several from each layer to combine into a holistic view. Splunk can bring in additional context, including auth/user and environmental context via the enrichment/lookup feature, as well as threat intelligence, which is becoming important because knowledge about the external threat (attacker) is critical to knowing who is attacking and their attacking infrastructure (C&C servers, infected sites, etc.)
Splunk for Enterprise Security provides the capabilities to run your security operations, combat fraud and much more!
Customers use Enterprise Security to power their Next Generation Cyber Threat Fusion center to fend off today’s advanced threats.
<next slide>…
All of this rich capability is delivered through Pre-built searches, dashboards, reports and workflows.
Your analysts are enabled to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity
Manage and investigate incidents by correlating event data and contextual information from any data source
Pre-built statistical capabilities identify unusual activity and reduce false positives
Automated Threat Intel Integration ensures that new information is rapidly integrated into alerts and investigations
Enterprise Security delivers pre-built reports, dashboards and workflows across all security domains, including wire data, endpoints, network, access and identity management
Get a library of security posture widgets to place on any dashboard or easily create your own. See security events by location, host, source type, asset groupings and geography. KPIs provide real-time trending and monitoring of your security posture.
The Security Posture dashboard gives you a complete view of what’s going on in your enterprise.
The dashboard objects are customizable – you don’t need to know any custom languages or wait for long development times:
- you can add/remove new KSI/KPI on the fly.
- you can change KSI/KPI thresholds on the fly.
- add/remove/organize dashboard widgets with mouse clicks
Add/remove KSI/KPI with a few clicks
Modify KSI/KPI thresholds on the fly
Pre-built reports and dashboards for Access Protection, Endpoint Protection, Network Protection, Asset and Identity Center
Simplify monitoring and exception analysis
Satisfy compliance and forensics requirements to track activity
Increase the effectiveness of security and IT tools across the enterprise
Risk Based Analytics Align Security Operations With the Business
Use risk scores as a core component of business decision making processes
Use relative terms to describe risk instead of ambiguous numerical values
- Relative terms create consistency of interpretation and action. E.g. what does it mean if a KSI was 451 or 339? Is that good or bad? Instead, if we say the risk score is ‘high’ or the number of alerts is ‘average’, we know what actions to take or not to take.
Transparently expose the score’s contributing factors
Assign any KSI/KPI to an event to produce a risk score using the Risk Framework
Pre-built correlation searches trigger alerts across the security stack
Alerts are based on baselines of rolling time windows and not static values
- Auto-configuring thresholds improve threat detection for hard-to-find attacks and reduce false positives.
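Added example (not Splunk's own code) of the risk framework idea in the notes above: risk contributions from KSI/KPI rules are summed per object with the contributing factors kept visible, and the total is labelled 'low', 'average' or 'high' against that object's own rolling baseline instead of a static number. The rule table, weights, events, baselines and the z-score test are constructed assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical KSI/KPI -> risk contribution table (not ES's built-in values).
RISK_RULES = {"brute_force_auth": 20, "malware_detected": 40,
              "privileged_access_outside_hours": 30, "threat_intel_match": 50}

# Constructed events for the current window: (object, rule that fired).
EVENTS = [("alice", "brute_force_auth"), ("alice", "privileged_access_outside_hours"),
          ("alice", "threat_intel_match"), ("host-7", "malware_detected"),
          ("bob", "brute_force_auth")]

# Constructed rolling baseline: each object's total risk over the previous seven windows.
HISTORY = {"alice": [20, 30, 20, 20, 40, 30, 20],
           "host-7": [40, 40, 40, 40, 40, 40, 40],
           "bob": [0, 20, 0, 40, 20, 0, 60]}

def aggregate_risk(events):
    """Sum risk per object and keep each contributing factor, so the score is explainable."""
    scores, factors = defaultdict(int), defaultdict(list)
    for obj, ksi in events:
        scores[obj] += RISK_RULES[ksi]
        factors[obj].append((ksi, RISK_RULES[ksi]))
    return dict(scores), dict(factors)

def relative_label(score, baseline, z_high=2.0):
    """'low'/'average'/'high' against the object's own rolling baseline (z-score, so the
    threshold adapts per object instead of being a static number)."""
    if len(baseline) < 2:
        return "no baseline"
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # flat history: any increase stands out
        return "high" if score > mu else "average"
    z = (score - mu) / sigma
    return "high" if z >= z_high else "low" if z <= -z_high else "average"

def risk_alerts(events, history):
    """Objects whose current risk is 'high' relative to their baseline, with factors."""
    scores, factors = aggregate_risk(events)
    return [{"object": o, "score": s, "label": "high", "factors": factors[o]}
            for o, s in scores.items()
            if relative_label(s, history.get(o, [])) == "high"]

if __name__ == "__main__":
    for alert in risk_alerts(EVENTS, HISTORY):
        print(alert)
```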
Use the Incident Review dashboard to manage alerts, filter, assign, prioritize and comment on alerts.
Incident Review dashboard is the starting point for investigation. Expand the alert tab to get more information.
Use Event Actions to get contextual drill downs and acquire deeper context
Give all users the ability to find relationships visually
Visually organize and fuse any data to discern any context
Create event swim lanes from the web UI
Drill down to raw events
Use contextual workflow actions to pivot to dashboards and reports
Initiate wire data capture to acquire protocol intelligence during investigations
Automatically integrate any number of open, proprietary or local threat intelligence feeds
Aggregate, de-duplicate and assign weights to all threat intelligence sources/providers
Simplify threat intelligence and make it a core component of your security operations workflow with Pre-built alerts and correlations
Integrate threat intelligence via APIs, Web feeds, Scripts, CSV files or create your own local threat lists
Threat intelligence is applied to all data including wire data protocol information - e.g. email envelopes
New threat intelligence from any source, can be applied to all historical data
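Added example (not Splunk ES's implementation) of the threat intelligence handling described in the points above: indicators from a CSV file, a JSON web feed and a local threat list are aggregated into one de-duplicated table with per-source weights, then applied to historical events, including a wire-data email envelope field. The feeds, weights, events and field names are constructed assumptions.

```python
import csv, io, json
from collections import defaultdict

# Constructed feeds in three of the forms the notes list: CSV file, JSON web feed, local list.
CSV_FEED = "indicator,type\nbad-relay.example,domain\n203.0.113.7,ip\n"
JSON_FEED = json.dumps([{"value": "Bad-Relay.example", "kind": "domain"},
                        {"value": "aa" * 16, "kind": "md5"}])   # placeholder hash, not a real IOC
LOCAL_LIST = ["phish-sender.example", "203.0.113.7"]
SOURCE_WEIGHT = {"csv_feed": 1, "json_feed": 2, "local_list": 3}   # hypothetical weights

def _add(table, value, source):
    """Normalise the indicator and credit the source once (de-duplication)."""
    entry = table[value.strip().lower()]
    if source not in entry["sources"]:
        entry["sources"].add(source)
        entry["weight"] += SOURCE_WEIGHT[source]

def load_indicators():
    """Aggregate every source into one table: indicator -> {weight, sources}."""
    table = defaultdict(lambda: {"weight": 0, "sources": set()})
    for row in csv.DictReader(io.StringIO(CSV_FEED)):
        _add(table, row["indicator"], "csv_feed")
    for item in json.loads(JSON_FEED):
        _add(table, item["value"], "json_feed")
    for ioc in LOCAL_LIST:
        _add(table, ioc, "local_list")
    return dict(table)

# Constructed historical events; every indicator-bearing field is checked, including the
# email envelope (sender_domain), so newly loaded intel is applied to old data too.
EVENTS = [
    {"_time": "2016-03-01T10:00:00Z", "sourcetype": "dns", "query": "bad-relay.example"},
    {"_time": "2016-03-02T11:30:00Z", "sourcetype": "smtp",
     "sender_domain": "phish-sender.example", "dest_ip": "198.51.100.9"},
    {"_time": "2016-03-03T08:15:00Z", "sourcetype": "firewall", "dest_ip": "203.0.113.7"},
    {"_time": "2016-03-04T09:00:00Z", "sourcetype": "endpoint", "file_hash": "00" * 16},
]
INDICATOR_FIELDS = ("query", "sender_domain", "src_ip", "dest_ip", "file_hash")

def match_events(events, table):
    """Events that hit an indicator, highest aggregated weight first."""
    hits = []
    for ev in events:
        for field in INDICATOR_FIELDS:
            key = str(ev.get(field, "")).strip().lower()
            if key in table:
                hits.append({"_time": ev["_time"], "field": field, "indicator": key,
                             "weight": table[key]["weight"],
                             "sources": sorted(table[key]["sources"])})
    return sorted(hits, key=lambda h: -h["weight"])
```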
Simplify protocol and user profiling using pre-built reports for wire data
Accelerate workflow and report creation with pre-built reports that expose the most important fields in common protocols
Pre-built reports expose the important fields from protocol data – email headers, ssl certificates and dns
Wire data is essential to understanding your overall security posture and investigating threats and breaches.
- Enterprise security 3.2 makes it easy for your analyst to get value from wire data by exposing the most important fields and making searching and investigation easier.
So the solution we specifically wanted to deliver, using the investigation timeline, was:
Create and manage investigation reports
Combine raw events, actions and annotation history in the timeline
Track event status or suppression history in the timeline
See the time relationship between events in the timeline
So we can “better understand, visualize and communicate attack details”
On top of the ES open solutions framework, users and developers can utilize the full ES frameworks (Risk, Threat, Notable, Identity & Asset) and even the new Investigation Timeline, plus modular ways to rapidly expand rules, views, configurations and key indicator searches.
This opens doors for new security services or business models.
Our VARs and technology partners will be very excited to hear about the potential new opportunities we create for them.
Over 4000 security/compliance customers worldwide. Customers cover all sizes and verticals, and are all over the world. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
Our rapid ascent reflects the customer traction we have and the value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; in 2 short years we raced up to the top quadrant in the MQ.