This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

1. Copyright © 2016 Splunk Inc.
Enterprise Security &
User Behavior Analytics Overview
SplunkLive Atlanta,2016
Daniel Christiansen, Sr SE Manager
Technical Splunk Guy

2. 2
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.

3. 3
Agenda
Splunk Portfolio Update
Enterprise Security Overview and Demo
User Behavior Analytics Overview and Demo

4. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine

5. 5
All Data is Security Relevant = Big Data
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-Malware
Vulnerability
Scans
Traditional
Authentication

6. 6
App
Servers
Network
Threat Intelligence
Firewall
Web Proxy
Internal Network
Security
Endpoints
Splunk as the Security Nerve Center
Identity

7. 7
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL

8. What is Splunk ES?

9. Market Leader in Gartner’s SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015

10. More Honors – March 2016
● Best SIEM Solution
● Best Fraud Prevention Solution

11. Platform for Machine Data
Splunk Enterprise Security
Advancing analytics-driven security
Security and
Compliance Reporting
Monitor and
Detect
Investigate Threats
and Incidents
Analyze and
Optimize Response

12. 12
Open Solutions Framework
Supports critical security related management framework features
12
Enterprise
Security
Framework
• Notable Events Framework
• Thereat Intelligence
Framework
• Risk Scoring Framework
• Identity & Asset Framework
Customer Apps
APPs /
Content
Partner Apps
APPs /
Content
Splunk Apps
APPs /
Content
• Export
• Import
• Share
• Summarization Framework
• Alerting & Scheduling
• Visualization Framework
• Application Framework
External
Instance

13. Splunk App for Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
13
Dashboards & Reports Incident Investigations and
Management
Statistical Outliers & Risk
Scoring
Asset & Identity Aware

14. What’s new in Splunk Enterprise Security 4.1 ?

15. 15
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
15
ES 4.1 and UBA 2.2

16. 16
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

17. 17
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

18. • Continuously Protect the
business against:
 Data Breaches
 Malware
 Fraud
 IP Theft
• Comply with audit requirements
• Provide enterprise Visibility
18
Why Splunk for Security and Compliance
Top Splunk Benefits
• 70% to 90% improvement with
detection and research of events
• 70% to 95% reduction in security
incident investigation
• 10% to 30% reduction in risks
associated with data breaches,
fraud and IP theft
• 70% to 90% reduction in
compliance labor
Top Goals

19. Incident Response
When working an incident which phase generally takes the longest to complete in your
organization?
9%
32%
15%
16%
25%
3%
0% 5% 10% 15% 20% 25% 30% 35%
Preparation
Identification/Scoping
Containment/Mitigation
Eradication/Remediation
Root Cause Analysis
Lessons Learned/Recovery
Column %
Source: © 2016 Enterprise Management Associates, Inc.
N=100

20. 20
Adaptive Response Initiative
20
App workflow
Network
Threat
Intelligence
Firewall
Web Proxy
Internal Network
Security
Identity
Endpoints
Mission: Bring together the best security
technologies to help combat advanced attacks
Challenge: Gather / analyze, share, act based on end-
to-end context, across security domains
Approach: Connect intelligence across best-of-breed:
• improve security posture
• quickly validate threats
• systematically disrupt kill chain

21. Splunk ES Demo

22. What is Splunk UBA?

23. 23
FAMILIAR WITH THESE BREACHES?
January 2015 February 2015 February 2015
Morgan Stanley
730K
PII Records
Anthem Insurance
80M
Patient Records
Office of Personal
Management
22M
PII Records
July 2015
Pentagon Unclassified
Email System
4K
PII Records

24. 24
WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?

25. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
ANOMALY DETECTION THREAT
DETECTION
UNSUPERVISED
MACHINE LEARNING
BEHAVIOR MODELINGREAL TIME & BIG DATA
ARCHITECTURE

26. CUSTOMER THREATS UNCOVERED
ACCOUNT TAKEOVER
• Privileged account compromise
• Data loss
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
INSIDER THREATS
• Misuse of credentials
• IP theft
MALWARE ATTACKS
• Hidden malware activity
• Advanced Persistent Threats (APTs)
BOTNET, C&C
• Malware beaconing
• Data exfiltration
USER & ENTITY BEHAVIOR ANALYTICS
• Login credential abuse
• Suspicious behavior

27. 27
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba

28. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

29. What’s New in UBA 2.2

30. 30
Enhanced Insider Threat and Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2

31. 31
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

32. 32
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

33. 33
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
 Risk Percentile & Dynamic Peer Groups
 Support for Additional 3rd Party Devices
UBA 2.2

34. Splunk UBA Demo

35. 35
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!

36. Thank You!