
SplunkLive! Frankfurt 2018 - Use Splunk for Incident Response, Orchestration and Automation


Presented at SplunkLive! Frankfurt 2018:

Incident Response Challenge
Tools
Scale
Adaptive Response
Customer Success
Key Takeaways


  1. Use Splunk for Incident Response, Orchestration and Automation. Kai Seidenschnur | Staff Security Engineer
  2. Forward-Looking Statements. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
  3. Security Operations Need to Change ▶ Incident Response: slow; alert noise ▶ Tools: the problem of many, disparate tools ▶ Skills: lack of skills; retention; training ▶ Scale: horizontal and vertical; orchestration; automation
  4. Incident Response Challenge
  5. Incident Response Takes Significant Time. Source: SANS 2017 Incident Response Survey
  6. Where Does Your Time Go? "When working an incident, which phase generally takes the longest to complete in your organization?" Source: Day in the Life of a Security Professional survey, © 2016 EMA, Inc.
  7. Time-to-Contain + Time-to-Respond = 72%. Same question: "When working an incident, which phase generally takes the longest to complete in your organization?" Source: Day in the Life of a Security Professional survey, © 2016 EMA, Inc.
  8. Time = Risk => The Need for Speed!
  9. Tools
  10. Tools and Technologies Galore. Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
  11. Scale: Orchestration and Automation
  12. Let us define these terms first.
  13. Orchestration vs. Automation. Orchestration: ▶ Brings together or integrates different technologies and tools ▶ Security-specific or non-security-specific ▶ Provides the ability to coordinate informed decision-making, formalize and automate responsive actions
  14. Automation & Orchestration Adoption Growing. Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
  15. Adaptive Response Overview
  16. Adaptive Response. Domains: Identity and Access, Internal Network Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall. Mission: deeper integrations across the best security technologies to help combat advanced attacks together. Approach: gather/analyze, share, take action based on end-to-end context, across security domains.
  17. Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
  18. Adaptive Response Technology
  19. Adaptive Response Framework (within ES) ▶ Leverages the existing Splunk Common Action Model • A CIM for alert actions • Not a data model ▶ Existing actions • Information: Give/Get (i.e., additional context) • Permission: Grant/Revoke (e.g., user, host, etc.) • Control: Change (e.g., firewall rules) ▶ Metadata • Category: Information gathering, Information conveyance, Permissions control • Task: Create, Update, Delete, Allow, Block • Subject: what will be acted upon (network, endpoint, etc.) • Vendor: the vendor providing the action
  20. How To Interact With AR: Suggest Next Steps; Automatically With Notables; Run Ad-Hoc
  21. Adaptive Response Actions (Examples): Automation, Automatically With Notables
  22. Adaptive Response Actions (Examples): Automation. Category: Information gathering, Information conveyance, Permissions control. Task: Create, Update, Delete, Allow, Block. Subject: what will be acted upon (network, endpoint, etc.). Vendor: the vendor providing the action, e.g. Splunk, Ziften, Palo Alto Networks, etc.
  23. Adaptive Response Actions (Examples): Automation, Run Ad-Hoc
  24. Adaptive Response Actions Showcase App ▶ Catalog of latest AR actions ▶ Categorized by use case and security domain ▶ Auto-update from Splunkbase.com ▶ Showcase of key AR actions (AWS, PAN, etc.)
  25. Adaptive Response Benefits
  26. Adaptive Response Benefits ▶ Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times ▶ Improve operational efficiency using workflow-based context with automated and human-assisted decisions; measure efficacy ▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
  27. Accelerate Detection, Investigation & Response ▶ Use the correlation search builder to configure, automate and attach the results to notable events ▶ In Incident Review, configure and execute ad-hoc responses and queries across the security ecosystem ▶ Use the actions dashboard to search and review responses taken and their results
  28. Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
  29. Customer Success: Adaptive Response
  30. Automating Threat Detection With Splunk Adaptive Response ▶ Blocked over two million security threats ▶ Orchestrated threat intelligence across 20 security technologies sitting within its internal Threat Intelligence System ▶ Automated threat detection, response and 90% of its security metrics process in just two months. "Since implementing Splunk ES as the brain in our security nerve center, we have found Splunk to be the right solution to quickly and effectively create and implement security analytics across a wide array of data sources and security use cases." – Senior Vice President, Chief Global Security Officer, Aflac
  31. Case Study: Symantec. Symantec ATP helps detect and remediate complex attacks across endpoint, email, network, and web from a single console. Sample of Symantec AR Actions*: • Isolate Endpoint • Rejoin Endpoint • Query File for Disposition. "Splunk Adaptive Response has the power to help reduce workload on customer SOC teams by speeding up decision-making and associated actions through automation." – Peter Doggart, Vice President of Business Development, Symantec
  32. Case Study: Brown-Forman. ForeScout CounterACT enables its customers to monitor real-time NAC events and respond to security threats at endpoints. Sample of ForeScout AR Actions*: • Redirect endpoint to specific web browser • Send email messages to users • Kill peer-to-peer application. "Leveraging the ForeScout Extended Module for Splunk via Adaptive Response will enable us to minimize the time and resources needed to respond to emerging threats." – Clayton Colwell, Associate Security Engineer, Brown-Forman Corporation
  33. Key Takeaways: Mitigate Incident Response Challenges With Orchestration and Automation. 1. Adaptive Response helps accelerate incident detection, investigation and response. 2. Use the Adaptive Response framework for multi-vendor security workflow orchestration and automation. 3. Use with IT and Security domains to solve a range of security use cases.
  34. Platform for Operational Intelligence. Index untapped data: any source, type, volume; on-premises, private cloud, public cloud. Data sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention. Platform capabilities: Search and Investigate; Monitoring, Correlations, Alerts; Dashboards and Reports; Analytics and Visualization. Analytics-Driven Security: Splunk Enterprise Security, 600+ Security Apps, Splunk User Behavior Analytics, Adaptive Response. Context sources: Employee Info, Asset and CMDB, Threat Intelligence, Applications, Data Stores, External Lookups.
  35. Q&A. Thank you. Join: our community, with apps, ask questions or join a SplunkLive! event: https://www.splunk.com/en_us/community.html Try: Splunk Security Online Experience (no download): https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html Explore: download the CIS Critical Security Controls App: https://splunkbase.splunk.com/app/3064/
  36. Save the Date 2018. Orlando, Florida, Walt Disney World Swan and Dolphin Hotels. .conf18: Monday, October 1 – Thursday, October 4. Splunk University: Saturday, September 29 – Monday, October 1.
  37. Thank you. Don't forget to rate this session in the SplunkLive! mobile app: https://ponypoll.com/frankfurt
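Slides 19 through 27 describe how Adaptive Response actions are described by metadata (category, task, subject, vendor), attached to notable events by a correlation search, gated by human-assisted decisions, run ad-hoc from Incident Review, and reviewed afterwards on the actions dashboard. The following toy dispatcher models that flow in Python. It is an added example, not Splunk's or any vendor's code: the category and task vocabulary is the one on the framework slide, while the rule that Permissions control actions wait for analyst approval, the mapping from action subject to notable-event fields used for "suggest next steps", and the sample catalog and notable event are this example's own assumptions.

```python
"""Toy model of the Adaptive Response (AR) dispatch flow described in the deck.

Added example, not Splunk code.  Vocabulary for category and task is from the
"Adaptive Response Framework" slide; everything else (approval gate, subject
field mapping, sample catalog and notable) is an assumption for illustration.
"""
from dataclasses import dataclass, field

# Vocabulary listed on the framework slide.
CATEGORIES = {"Information gathering", "Information conveyance", "Permissions control"}
TASKS = {"Create", "Update", "Delete", "Allow", "Block"}

# Assumption: which notable-event fields indicate that an action subject applies.
SUBJECT_FIELDS = {"endpoint": ("dest", "dvc"), "network": ("src", "dest_ip"), "user": ("user",)}


@dataclass(frozen=True)
class ARAction:
    """One catalog entry, described only by its AR metadata."""
    name: str
    vendor: str
    category: str
    task: str
    subject: str

    def __post_init__(self):
        # Reject metadata outside the framework's vocabulary before it reaches the catalog.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.name}: unknown category {self.category!r}")
        if self.task not in TASKS:
            raise ValueError(f"{self.name}: unknown task {self.task!r}")


@dataclass
class Notable:
    """A notable event as a correlation search would raise it, with attached actions."""
    rule_name: str
    fields: dict
    attached_actions: list = field(default_factory=list)


@dataclass
class ActionResult:
    action: str
    status: str          # "ran", "pending_approval" or "unknown_action"
    detail: str = ""


def run_action(action: ARAction, notable: Notable) -> ActionResult:
    """Simulated execution; in ES the vendor add-on would be invoked here."""
    target = notable.fields.get("dest") or notable.fields.get("src") or "?"
    return ActionResult(action.name, "ran", f"{action.task} {action.subject} {target} via {action.vendor}")


def dispatch(notable: Notable, catalog: dict, approved=frozenset()) -> list:
    """Run the actions attached to a notable, recording every outcome.

    Information gathering/conveyance actions run automatically.  Permissions
    control actions (Block, Delete, ...) run only once an analyst has approved
    them: the human-assisted decision point from the benefits slide.  The
    returned list is the audit trail the actions dashboard would show.
    """
    trail = []
    for name in notable.attached_actions:
        action = catalog.get(name)
        if action is None:
            trail.append(ActionResult(name, "unknown_action"))
            continue
        if action.category == "Permissions control" and name not in approved:
            trail.append(ActionResult(name, "pending_approval",
                                      f"{action.task} {action.subject} needs analyst approval"))
            continue
        trail.append(run_action(action, notable))
    return trail


def suggest_next_steps(notable: Notable, catalog: dict) -> list:
    """Ad-hoc 'suggest next steps': unattached actions whose subject matches a field on the notable."""
    present = set(notable.fields)
    suggestions = []
    for action in catalog.values():
        needed = SUBJECT_FIELDS.get(action.subject, ())
        if any(f in present for f in needed) and action.name not in notable.attached_actions:
            suggestions.append(action.name)
    return sorted(suggestions)


# Constructed catalog; vendor names are ones the deck lists as examples.
CATALOG = {a.name: a for a in [
    ARAction("query_file_disposition", "Symantec", "Information gathering", "Create", "endpoint"),
    ARAction("isolate_endpoint", "Symantec", "Permissions control", "Block", "endpoint"),
    ARAction("add_to_block_list", "Palo Alto Networks", "Permissions control", "Block", "network"),
    ARAction("notify_analyst", "Splunk", "Information conveyance", "Create", "user"),
]}

# Constructed notable event with three actions attached by its correlation search.
SAMPLE_NOTABLE = Notable(
    rule_name="Malware on host",
    fields={"dest": "ws-1234.corp.example", "src": "203.0.113.9", "user": "jdoe"},
    attached_actions=["query_file_disposition", "isolate_endpoint", "add_to_block_list"],
)

if __name__ == "__main__":
    for r in dispatch(SAMPLE_NOTABLE, CATALOG):
        print(r)
    for r in dispatch(SAMPLE_NOTABLE, CATALOG, approved={"isolate_endpoint"}):
        print(r)
    print("suggested:", suggest_next_steps(SAMPLE_NOTABLE, CATALOG))
```

Running the block shows the information-gathering action executing immediately while both Permissions control actions sit in `pending_approval` until an analyst approves them, and `suggest_next_steps` offering the one catalog action that fits the notable's fields but was not attached by the correlation search.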
