You have spent a lot of money on your security infrastructure. But how do you string all of those pieces together so that you achieve your goals: reducing time to response, detecting and preventing threats, and, most importantly, having your security team serve your business and mission? Learn how to organize your security resources to get the most benefit from them, and see a live demonstration of operationalizing those resources so your security teams can do more for your organization.
3. Agenda
• An overview of the Splunk security universe
• Using lookup files to enhance your security posture - A.K.A. threat intelligence
• The Common Information Model
• 6 Windows event IDs to tackle advanced attacks
• "Best of" security-related Splunkbase apps
5. A new approach to security operations is needed
Attack approach (the threat):
• Human directed
• Goal-oriented
• Dynamic (adjusts to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security approach:
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & threat intel
37. Tstats and/or pivot – use them!
• Pivot is an excellent interface to explore a dataset you don’t know yet, or for a business user
• tstats can search distributed .tsidx files (accelerated data models)
• Use the search term FROM datamodel=<datamodelname>
• For example: | tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
• You should expect dramatically faster search results using this method, because the query reads the accelerated summaries instead of the raw events
49. • Building block for URL manipulation
• Correctly parse URLs and complicated TLDs
• Explore entropy of data
• Also great for DNS investigation
• The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
• The domain google.com has a Shannon Entropy score of 2.6 (rather low)
• A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high)