This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.
2. 2
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.
4. Machine data contains a definitive record
of all interactions
Splunk is a very effective platform to collect,
store, and analyze all of that data
Human Machine
Machine Machine
5. 5
All Data is Security Relevant = Big Data
Servers
Storage
DesktopsEmail Web
Transaction
Records
Network
Flows
DHCP/ DNS
Hypervisor
Custom
Apps
Physical
Access
Badges
Threat
Intelligence
Mobile
CMDB
Intrusion
Detection
Firewall
Data Loss
Prevention
Anti-Malware
Vulnerability
Scans
Traditional
Authentication
7. 7
Splunk Solutions > Easy to Adopt
VMware
Platform for Machine Data
Exchange PCISecurity
Across Data Sources, Use Cases & Consumption Models
IT Svc Int
Splunk Premium Solutions Rich Ecosystem of Apps
ITSI UBA
UBA
Mainframe
Data
Relational
Databases
MobileForwarders Syslog/TCP IoT
Devices
Network
Wire Data
Hadoop
& NoSQL
9. Market Leader in Gartner’s SIEM Magic Quadrant*
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product
or service depicted in its research publication and not advise technology users to select only
those vendors with the highest ratings or other designation. Gartner research publications
consist of the opinions of Gartner’s research organization and should not be construed as
statements of fact. Gartner disclaims all warranties, express or implied, with respect to this
research, including any warranties of merchantability or fitness for a particular purpose.
2015 Leader and the only vendor to
improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
2015
10. More Honors – March 2016
● Best SIEM Solution
● Best Fraud Prevention Solution
11. Platform for Machine Data
Splunk Enterprise Security
Advancing analytics-driven security
Security and
Compliance Reporting
Monitor and
Detect
Investigate Threats
and Incidents
Analyze and
Optimize Response
15. 15
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
15
ES 4.1 and UBA 2.2
16. 16
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1
17. 17
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework
18. • Continuously Protect the
business against:
Data Breaches
Malware
Fraud
IP Theft
• Comply with audit requirements
• Provide enterprise Visibility
18
Why Splunk for Security and Compliance
Top Splunk Benefits
• 70% to 90% improvement with
detection and research of events
• 70% to 95% reduction in security
incident investigation
• 10% to 30% reduction in risks
associated with data breaches,
fraud and IP theft
• 70% to 90% reduction in
compliance labor
Top Goals
23. 23
FAMILIAR WITH THESE BREACHES?
January 2015 February 2015 February 2015
Morgan Stanley
730K
PII Records
Anthem Insurance
80M
Patient Records
Office of Personal
Management
22M
PII Records
July 2015
Pentagon Unclassified
Email System
4K
PII Records
24. 24
WHAT IS THE COMPROMISED / MISUSED
CREDENTIALS OR DEVICES
LACK OF RESOURCES
(SECURITY EXPERTISE)
LACK OF ALERT PRIORITIZATION &
EXCESSIVE FALSE POSITIVES
PROBLEM?
25. Splunk User Behavioral Analytics
Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
ANOMALY DETECTION THREAT
DETECTION
UNSUPERVISED
MACHINE LEARNING
BEHAVIOR MODELINGREAL TIME & BIG DATA
ARCHITECTURE
26. CUSTOMER THREATS UNCOVERED
ACCOUNT TAKEOVER
• Privileged account compromise
• Data loss
LATERAL MOVEMENT
• Pass-the-hash kill chain
• Privilege escalation
INSIDER THREATS
• Misuse of credentials
• IP theft
MALWARE ATTACKS
• Hidden malware activity
• Advanced Persistent Threats (APTs)
BOTNET, C&C
• Malware beaconing
• Data exfiltration
USER & ENTITY BEHAVIOR ANALYTICS
• Login credential abuse
• Suspicious behavior
27. 27
WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than
the traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of this
solution as it makes the life of our SOC analysts’ way better.
Mark Grimse, VP IT Security, Rambus
A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider
threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk
UBA to be one of the most advanced technologies within the behavioral analytics space.
Randolph Barr, CSO, Saba
28. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011
30. 30
Enhanced Insider Threat and Cyber Attack Detection
DETETION
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
UBA 2.2
31. 31
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2
32. 32
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2
33. 33
Context Enrichment
Citrix NetScaler (AppFlow)
FireEye Email (EX)
Symantec DLP
Bit9/Carbon Black
Digital Guardian
And many more….
Improved Precision and Prioritization of Threats
Risk Percentile & Dynamic Peer Groups
Support for Additional 3rd Party Devices
UBA 2.2
35. 35
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security
Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control
Room & Clinic, and MORE!
The 7th Annual Splunk Worldwide Users’ Conference
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
Key part of IT security is protecting confidential data. Which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need non-security and security data because advanced threats avoid detection from signature-based security products; the fingerprints of an advanced threat often are in the “non-security” data. Most traditional SIEMs just focus on gathering signature-based threats which do *not* have the fingerprints of advanced threats.
Also the above scenario is worse if there is no SIEM. Instead point UIs and grep are used and aggregating data is very manual and time consuming.
We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything.
. There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – log search and analytics for small IT environments
Hunk – for analytics on data in Hadoop
The products can pull in data from virtually any source to support multiple use cases.
Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
So our vision was to create flexible, yet powerful.
Of course open frameworks where we can nurture and embrace our overall eco-system
which includes, customer, resellers, technology partners and even students who wants to develop cools features, rules, intelligent feeds etc. on top of ES.
the community can easily share the knowledge or provide a mechanism to accelerate the innovation trends.
Customers, vendors and third parties can create and extend the functionality of ES,
and run the contents within the ES framework.
The content can be imported and exported.
Developers can share new apps and modules internally, / or distribute them to the Splunk community on splunkbase
Content packs have access to ES specific functionality, / including notable events, the risk framework, and the identity framework.
All of this rich capability is delivered through Pre-built searches, dashboards, reports and workflows.
Your analysts are enable to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity
Manage and investigate incidents by correlating event data and contextual information from any data source
Pre-built statistical capabilities identify unusual activity and reduce false positives
Automated Threat Intel Integration ensures that new information is rapidly integrated into alerts and investigations
Enterprise Security delivers pre-built reports, dashboards, workflows across all security domains. Including wire data, end points, network, access and identity management
Operational issues and challenges. Use dashboards, alert (correlation), correlate against observables
Use them for adhoc searching and swimlanes
a. Continuation of integration….enabled in depth investigation bring UBA anomaly as sourcetype. Significant because all field in ES is available
b. Describe the solution. Value of ES, Notable Events…IR. Add context
C. Increasing Threat Intel... Mention leadership and WP. Coverage.
a. Continuation of integration….enabled in depth investigation bring UBA anomaly as sourcetype. Significant because all field in ES is available
b. Describe the solution. Value of ES, Notable Events…IR. Add context
C. Increasing Threat Intel... Mention leadership and WP. Coverage.
The Adaptive Response Initiative represents the commitment and collective efforts of best-of-breed security industry vendors
Participant vendors are collaborating to provide a defense strategy for multi-layered heterogeneous security architectures
The strategy enables faster, better-informed decision making across multiple security domains
This decision making efficiency helps SOC teams protect against advanced (multi-vector, multi-phased) attacks
--
Adaptive Response presents users with new context gleaned from the collective intelligence of domain-specific technologies, to verify and/or apply as threat response
Splunk is positioned at the center of Adaptive Response and the resulting coordinated response to advanced threats
--
Adaptive Response enables timely, effective disruption of the kill chain and subsequent increase in cost of attacks to threat actors
Core capabilities include elimination of manual data gathering steps, and ability to apply appropriate actions (or range of actions), specific to each security domain
One key benefit is improved ability to respond and adapt – actions can be manual, approval-triggered, or analytics-driven
--
Adaptive Response was conceived as a result of the successes of existing Splunk customers who compelled Splunk and partners to form the initiative
Launched at RSA 2016, backed initially by Leading Security Domain Vendors: Carbon Black, CyberArk, Fortinet, Palo Alto Networks, Phantom Cyber, Splunk, Tanium, ThreatConnect and Ziften
A solution that is real-time, and leverages a big data foundation
The ability to model behavior on a multi-entity basis.
A set of algorithms which can look at the behavior taking an unsupervised machine learning approach
And creating flags for anomalies that are detected.
In addition, a multi-layered ML models stitches these anomalies into different threat patterns.
Let’s break down these components in detail so that you can explain them to customers successfully.
So we mentioned that Splunk UBA uses real time data and is built upon big data architecture. That means that it can scale linerly from analyzing and processing 500 million events per day, per instance to billions and billions of events per day. All you have to do is create a cluster and watch it scale. It can do this because it uses the foundation of big data behind the scenes. There have been a significant amount of patents that have been filed for this technology.
Secondly, an important foundational concept with Splunk UBA is that it can profile multiple entities within the organization. With Splunk UBA, we profile users and all the accounts associated to that user, devices the user is accessing, and behavior of the device. Networks the user is typically on, behavior of data and apps over the network. What sort of applications is this user using, and what sort of data sets is he or she accessing. From an activity perspective, what is an individual doing with the data sets. From an access perspective, what is he or she accessing and not accessing?
And we create similar model for a host. We say: Who is the host talking to? Who are the users logged into this host? Which are the service accounts which have logged into this host? Which network devices has this host communicated with? What is the amount of traffic, viscosity of traffic, volume of traffic that this host is generating, how is it similar or different to other hosts? What sort of applications have I seen on this host or the applications that are consumed by a user that is logged into this host? What sort of data sets exists on this host? What sort of access rights do I see of a user accessing data sets on this host? So what you are looking at is a matrix, a cross correlation matrix which is being built on behavior models. We do this for network, application, and data.
Third advantage Splunk UBA offers is the largest library of un-supervised ML algorithms.
The old rules and policy driven framework cannot detect any unknown threats in any organization. As technologies have evolved, we’ve seen supervised machine learning models. Where you would actually train the machine learning algorithm with labeled data and deploy it on a customer site. The only problem is it completely depends on the data sets you create algorithms with. And it’s almost impossible that the data set is going to be significant enough to train the algorithms effectively. Those algorithms are likely to generate false positives or not trigger on certain scenarios.
From a foundation perspective, Splunk UBA is unique and we actually invested completely on a new thing by leveraging unsupervised machine learning algorithms. Because our philosophy was the data set isn't enough to train the models on. So you let multiple models stream on data sets of an organization and trigger anomalies. The platform has the largest number of algorithms available when compared to any other vendor. And that significantly helps with the depth and efficacy of detection. Because you actually are running multiple unsupervised machine learning algorithms in the same data set, you’re bubbling up different anomalies, and then you are trying to stage those anomalies in different anomalous patterns.
And this is where the next foundation piece comes in. Applying these machine learning algorithms against the behavior baselines you have built. And this is significantly focused towards a hunter centric view. The reason is because customers have a hunting team who need to hunt for anomalous entities, behavior, or patterns within an organization, and they need a starting point. This platform visually explains where the first anomaly has kicked in. And it may not transpire into a threat. But it is a significant improvement in the hunter’s ability to spot the first starting point to start the hunting exercise.
The next component that we have in the platform is threat detection. Now again, the threat detection is completely driven off machine learning technology. There are no correlation rules being defined. We let the machine learning algorithms automatically figure out how to stitch different anomalous events that have been identified within their own organization. So think about it this way: When you are analyzing billions and billions of events on a daily basis, you are bound to see thousands of anomalies. Because anomalies are actually facts. There is nothing wrong with that fact. It’s pretty much a true positive. It’s a deviation from a baseline. You need a second layer of machine learning algorithms (in our case its again unsupervised machine learning algorithms), which actually have to look at these hundreds of thousands of different anomalous patterns and figure out how it can stitch, we use advanced techniques such as graph walks.
And last, but not the least, Security Analytics. The product has over thirty metrics centered around user, device, application, protocol, etc. The goal is to provide visibility and baseline information across numerous elements within your organization. This helps organizations understand operational elements as well as identifying something unusual based on their experience.
Highlights…
Custom threat modelling
Data access
Easier
Leadership, innovation
Remind what UBA
Highlight the pics on right…custom threat
Point out the fact that we now have Rules now with ML. Competitors have rules with Stats
We’re headed to the East Coast!
2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics!
165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE!
30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you!
Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers.
Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja!
REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!