This document provides an overview of a hands-on demo of Splunk Enterprise Security (ES) using a free sandbox environment. It discusses creating a sandbox, exploring common ES features like the risk analysis dashboard, threat intelligence, and incident response workflow. The demo shows how to investigate a malware detected event, view asset details, and add context with lookups. It encourages exploring more advanced threat capabilities and additional reports in ES to gain experience with the platform.
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
What’s a sandbox?
• A 100% free, fully featured 15-day trial of Splunk products: Cloud, Light, or ES
• Hosted in AWS
• Authenticates off of your Splunk account
• Has sample data for you to play with
• Supports onboarding of your own data
Today’s session: A hands-on activity with your very own Enterprise Security sandbox!
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
(Diagram: human-to-machine and machine-to-machine interactions)
Platform for Machine Data
(Diagram of data sources feeding the platform: Mainframe Data, VMware, Exchange, PCI/Security, Relational Databases, Mobile, Forwarders, Syslog / TCP / Other, Sensors & Control Systems, Wire Data, Mobile Intel; above them, Splunk Premium Apps, a Rich Ecosystem of Apps, and MINT)
Splunk Solutions > Easy to Adopt Across Data Sources, Use Cases & Consumption Models
Rapid Ascent in the Gartner SIEM Magic Quadrant*
2015 Leader and the only vendor to improve its visionary position
2014 Leader
2013 Leader
2012 Challenger
2011 Niche Player
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
ES Fast Facts
● Current version: 3.3 in the sandbox; 4.0 was released at the end of October!
● Two releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
(Callout: 4.0 not in sandbox…yet)
Data Ingest + Common Information Model
You’ve got a bunch of systems…
● How to bring in:
  ● Network AV
  ● Windows + OS X AV
  ● PCI-zone Linux AV
  ● Network Sandboxing
  ● APT Protection
● CIM = Data Normalization
Data Normalization is Mandatory for your SOC
“The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT
Your fields don’t match? Good luck creating investigative queries
Attack Map
The Challenge:
• Industry says Threat Intel is key to APT Protection
• Management wants all threat intel checked against every system, constantly
• Don’t forget to keep your 15+ threat feeds updated
The Solution:
Verizon 2015 DBIR
“…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…”
Threat list aggregation = more complete intelligence
STIX/TAXII feed
Browse through the tabs…
Investigate on your own time: Advanced Threat capabilities worth your while…and all areas under Security Domains
Auditors / Management / Compliance Says…
● Can you show me <Typical Report>?
● Reporting is easy in Splunk
● But we have more than 300 standard reports too
We want to add “naughtyuser” to this list because it is showing up in our data. (Screenshot callout: SCROLL)
Select last row, right click, and choose “Insert row below.”
Add whatever you want, but make sure the first column says “naughtyuser”
When done click save
Extra credit: Check your work in Identity Center
Attack & Investigation Timeline – New to 4.0
Methods to add contents into timeline:
Action History – Actions:
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event Suppressed
Investigator Memo – Memo:
- Investigator’s memos inserted in desired timeline
Incident Review – Incident:
- Notable events from Incident Review
(Diagram: the Analyst / Investigator feeds the timeline from these three sources)
Next Steps…
Play in your ES Sandbox for 15 days
Explore some of the areas we didn’t get to cover today
Ask questions of your account team
An ES 4.0 sandbox should be available soon, help yourself to another sandbox to see the new features
A two hour version of this talk is available at conf.splunk.com
Editor's notes
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
…what would that mean for your SOC and IR teams?
The Splunk platform consists of multiple products and deployment models to fit your needs.
Splunk Enterprise – for on-premise deployment
Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud
Splunk Light – log search and analytics for small IT environments
Hunk – for analytics on data in Hadoop
The products can pull in data from virtually any source to support multiple use cases.
Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
We see Splunk as your security nerve center. There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time.
Current version: 3.3. 3.0 was the first release done against Splunk 6, and that was a huge step forward – mainly because of the use of CIM and accelerated data models.
Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless.
Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable.
Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – Splunk with ES is just as flexible and customizable. And it leverages technology in the core product like MapReduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem.
ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
Start the day like any analyst
Coffee time, or jump into incidents?
End the day like any board member
Are my security KPIs (KSIs) being met?
Data can come into the Splunk App for Enterprise Security the same way data comes into Splunk. Common ways are via syslog, Splunk forwarders, and scripted inputs. Less common ways are via API calls and database queries. For your sandbox, you can upload data in flat-file format via the “add data” link. Note that because you can’t install additional apps in a sandbox, you may have some trouble onboarding data sources for which Splunk ES doesn’t have a TA (technology add-on) built in, or that require command line access.
Underneath ES, there’s this concept called the Common Information Model… This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
…that’s evil. Normalization=bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with splunk…
…we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the…
-Date and Time
-Type of action performed
-Subsystem performing the action
-Identifiers for the object requesting the action
-Identifiers for the object providing the action
-Status, outcome, or result of the action
So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, like IDS to vulnerability data.
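As an added example (not Splunk’s code and not the CIM itself), here is what search-time normalization looks like in plain Python: four constructed AV log formats, one extraction per sourcetype, all landing in the same dest/signature/action fields so that one query runs across vendors. It also shows the “onboarded incorrectly” case from the notes: a changed log format is fixed by swapping one extraction, with nothing re-ingested. The vendor formats, sourcetype names and the action mapping are assumptions made for the illustration; dest, signature and action are the CIM-style field names the query is written against.

```python
"""Search-time normalization of disparate AV logs into CIM-style fields.
Added example: vendor formats and sourcetype names below are constructed."""
import re
from collections import Counter

# Constructed sample events: one line from each of four hypothetical AV sources.
SAMPLE_EVENTS = [
    ("netav",   "2015-10-01T10:00:00 NetAV host=web01 threat=Trojan.Generic result=quarantined"),
    ("winav",   '2015-10-01 10:01:00 WinAV computer="ws-42" virus="Trojan.Generic" status=cleaned'),
    ("linuxav", "Oct  1 10:02:00 pci-db01 linuxav[123]: found 'Worm.Conficker' action=blocked"),
    ("sandbox", "2015-10-01T10:03:00 sandbox verdict=malicious family=Trojan.Generic endpoint=web01"),
]

# Search-time extractions: one regex per sourcetype, each mapping vendor-specific
# names onto the same fields (dest, signature, action). They are applied when the
# event is read, so fixing one never requires re-ingesting data.
EXTRACTIONS = {
    "netav":   re.compile(r"host=(?P<dest>\S+) threat=(?P<signature>\S+) result=(?P<action>\S+)"),
    "winav":   re.compile(r'computer="(?P<dest>[^"]+)" virus="(?P<signature>[^"]+)" status=(?P<action>\S+)'),
    "linuxav": re.compile(r"\d{2}:\d{2}:\d{2} (?P<dest>\S+) linuxav\[\d+\]: found '(?P<signature>[^']+)' action=(?P<action>\S+)"),
    "sandbox": re.compile(r"verdict=(?P<action>\S+) family=(?P<signature>\S+) endpoint=(?P<dest>\S+)"),
}

# Vendor vocabularies for the outcome collapse onto two values. A sandbox verdict is
# a detection without remediation, so it falls through to "allowed" (constructed mapping).
ACTION_MAP = {"quarantined": "blocked", "cleaned": "blocked", "blocked": "blocked"}


def normalize(sourcetype, raw, extractions=EXTRACTIONS):
    """Return a CIM-style dict for one raw event, or None if the extraction does not match."""
    m = extractions[sourcetype].search(raw)
    if not m:
        return None  # an unparsed event is a gap in CIM coverage, worth reporting on
    fields = m.groupdict()
    fields["action"] = ACTION_MAP.get(fields["action"].lower(), "allowed")
    fields["sourcetype"] = sourcetype
    return fields


def normalize_all(events=SAMPLE_EVENTS, extractions=EXTRACTIONS):
    return [n for n in (normalize(st, raw, extractions) for st, raw in events) if n]


def count_by_signature(normalized):
    """Cross-vendor query: detections per signature, regardless of which AV product saw it."""
    return Counter(n["signature"] for n in normalized)


def hosts_with_unremediated_malware(normalized):
    """Hosts with a detection that no product actually blocked."""
    return sorted({n["dest"] for n in normalized if n["action"] != "blocked"})


def coverage_gaps(events=SAMPLE_EVENTS, extractions=EXTRACTIONS):
    """Raw events no extraction matched: the 'onboarded incorrectly' case."""
    return [raw for st, raw in events if not extractions[st].search(raw)]


# Constructed event after the NetAV vendor renamed its host key to "hostname".
FORMAT_CHANGE_EVENT = ("netav", "2015-10-01T10:04:00 NetAV hostname=db02 threat=Worm.Conficker result=quarantined")


def patched_extractions():
    """Tweak only the NetAV extraction to accept the new key; the stored data is untouched."""
    fixed = dict(EXTRACTIONS)
    fixed["netav"] = re.compile(r"host(?:name)?=(?P<dest>\S+) threat=(?P<signature>\S+) result=(?P<action>\S+)")
    return fixed


if __name__ == "__main__":
    rows = normalize_all()
    print(count_by_signature(rows))                     # Trojan.Generic seen by three products
    print(hosts_with_unremediated_malware(rows))        # web01: sandbox saw it, nothing blocked it
    print(coverage_gaps([FORMAT_CHANGE_EVENT]))         # the renamed key is a gap...
    print(coverage_gaps([FORMAT_CHANGE_EVENT], patched_extractions()))  # ...until the extraction is patched
```

The point to take from it is where the work lives: a new vendor or a changed format is one more regex in the extraction table, and every query written against dest/signature/action keeps working unchanged.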
How do we know what to work on?
Hopefully we have a good idea of what we are protecting and what our threats are. We also should have a good idea about where our sensitive data lies, and who our sensitive users are. As correlation rules fire against users and systems, we will see that they both accrue “risk scores”, which then allow our SOC analysts to focus on what matters.
The main reason why this risk framework is important is that it gets you away from writing specific rules for specific threats or assets. You don’t need 1,000 correlation rules anymore – you simply can elevate risk scores on whatever object you want, based on the behavior you’re seeing in the environment. So the idea here is, a correlation rule fires, and then a risk modifier takes effect and changes the risk score based on cumulative scoring of whatever else has happened to that user, or system, or other object.
On the dashboard, we can define filters to find a particular system or user or timeframe.
Note the natural language descriptions (in the screenshot they are medium and low). We track how your overall risk scoring is doing over time, and constantly re-calculate the baseline. Got a lot of activity going on that isn’t “normal” for that timeframe and you might see things going from “increasing minimally” to “extremely increasing” – all based on what the historical norm is.
We can of course see which objects have the highest risk and which correlation rules are contributing the most to the highest risk.
Ad-hoc risk – if you have a system or user that you’ve been warned about and you want to make sure it is getting the proper attention, you could simply apply a bunch of risk to it and suddenly it will come up to the top of the risk dashboards.
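To make the risk framework and ad-hoc risk from the notes above concrete, here is an added Python sketch; it is not ES code (in ES the modifiers land in a Splunk index and the dashboards are SPL over it). Constructed correlation rules carry a risk modifier, each notable adds its modifier to the object’s cumulative score, an analyst can push risk onto an object by hand, and the dashboard views “highest-risk objects” and “rules contributing the most risk” become two small queries. Rule names, point values and the notable events are all constructed.

```python
"""Risk-score accumulation across correlation rules, plus ad-hoc risk.
Added example; rule names, modifiers and notables are constructed."""
from collections import defaultdict

# Each correlation rule carries a risk modifier: when it fires on an object,
# that many points are added to the object's running score.
RISK_MODIFIERS = {
    "Malware Detected":           40,
    "Brute Force Access Attempt": 20,
    "Threat List Activity":       60,
    "Excessive Failed Logins":    10,
}

# Constructed notable events: (rule, object type, object). In a deployment these
# are produced by the correlation searches, not typed in.
SAMPLE_NOTABLES = [
    ("Excessive Failed Logins",    "user",   "jsmith"),
    ("Excessive Failed Logins",    "user",   "jsmith"),
    ("Brute Force Access Attempt", "user",   "jsmith"),
    ("Malware Detected",           "system", "web01"),
    ("Threat List Activity",       "system", "web01"),
    ("Malware Detected",           "system", "ws-42"),
]


class RiskIndex:
    """Cumulative risk per (object type, object), with per-rule attribution kept."""

    def __init__(self):
        self.scores = defaultdict(int)
        self.by_rule = defaultdict(lambda: defaultdict(int))

    def apply_notable(self, rule, obj_type, obj):
        """A correlation rule fired: its modifier is added to whatever the object already carries."""
        points = RISK_MODIFIERS[rule]
        key = (obj_type, obj)
        self.scores[key] += points
        self.by_rule[key][rule] += points
        return self.scores[key]

    def apply_adhoc(self, obj_type, obj, points, reason):
        """Ad-hoc risk: an analyst raises an object without any rule firing, with a recorded reason."""
        key = (obj_type, obj)
        self.scores[key] += points
        self.by_rule[key]["ad-hoc: " + reason] += points
        return self.scores[key]

    def top(self, n=3):
        """Dashboard view: objects with the highest cumulative risk."""
        return sorted(self.scores.items(), key=lambda kv: kv[1], reverse=True)[:n]

    def top_contributing_rules(self):
        """Dashboard view: which rules contribute the most risk across all objects."""
        totals = defaultdict(int)
        for per_obj in self.by_rule.values():
            for rule, pts in per_obj.items():
                totals[rule] += pts
        return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def build_index(notables=SAMPLE_NOTABLES):
    idx = RiskIndex()
    for rule, obj_type, obj in notables:
        idx.apply_notable(rule, obj_type, obj)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print(idx.top())                      # web01 leads: two rules, 100 points, no rule written for it specifically
    print(idx.top_contributing_rules())   # Malware Detected contributes the most in total
    idx.apply_adhoc("user", "jsmith", 100, "HR warning")
    print(idx.top())                      # jsmith now sits at the top of the dashboard
```

Nothing here names a specific threat or asset: web01 reaches the top because two unrelated rules happened to fire on it, which is exactly the argument against writing a thousand targeted correlation rules.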
Everyone’s favorite buzzword these days. We’re proud to say that we’ve got a robust set of threat intelligence features built into ES. Management will want to know that you’re leveraging threat intelligence, and we have some things built in that make this easy. And of course, we compare incoming data, in real time, to these threat feeds and we keep them updated.
Verizon DBIR said a few interesting things about threat intelligence this year. One is that we aren’t doing enough sharing of threat intelligence in the security community. Another is that infections tend to spread from organization to organization fairly quickly so the quicker we can share threat data the better. But specific to ES, DBIR found that there just isn’t much overlap in the open-source threat feeds when it comes to outbound destination information – so you really have to consume as many threat feeds as you can in order to get the most complete intelligence. One way of doing that is to leverage a commercial threat feed vendor – and we partner with a lot of those. But another way is to consume many community threat feeds and aggregate the IOCs found in them together, and then correlate against that. So ES will help us there…
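The aggregation step described above, and the slide’s reminder to keep the feeds updated, as an added Python example (not ES’s threat intelligence framework, which does this inside the app). Several constructed feeds are merged into one lookup that remembers which feeds carried each indicator, the DBIR-style “unique to one feed” percentage is computed over the merged list, constructed proxy events are matched against it, and feeds that have not been refreshed recently are flagged. Every indicator uses documentation address space and example.* names, so none is a real IOC, and the 75% overlap figure that results is an artefact of the sample, not a measurement.

```python
"""Threat list aggregation across feeds, overlap measurement, matching and freshness.
Added example; feeds, indicators, events and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feeds: name -> outbound-destination indicators (RFC 5737 addresses, example.* names).
SAMPLE_FEEDS = {
    "feed-a": {"192.0.2.10", "192.0.2.11", "bad.example.net"},
    "feed-b": {"192.0.2.11", "198.51.100.7", "evil.example.org"},
    "feed-c": {"203.0.113.5", "c2.example.com", "BAD.example.net"},
    "feed-d": {"203.0.113.9"},
}

# Constructed last-successful-fetch times and the clock the freshness check runs against.
SAMPLE_LAST_FETCH = {
    "feed-a": datetime(2015, 10, 1, 8, 0),
    "feed-b": datetime(2015, 10, 1, 6, 30),
    "feed-c": datetime(2015, 9, 30, 22, 0),
    "feed-d": datetime(2015, 9, 20, 0, 0),
}
NOW = datetime(2015, 10, 1, 12, 0)

# Constructed proxy events to correlate; only dest matters here.
SAMPLE_PROXY_EVENTS = [
    {"src": "10.0.0.5", "dest": "198.51.100.7"},
    {"src": "10.0.0.6", "dest": "www.example.com"},
    {"src": "10.0.0.7", "dest": "BAD.example.net"},
]


def aggregate(feeds=SAMPLE_FEEDS):
    """Merge feeds into one lookup: indicator -> sorted list of the feeds that carry it.
    Indicators are lower-cased so the same name from two feeds collapses to one entry."""
    merged = defaultdict(set)
    for name, indicators in feeds.items():
        for ioc in indicators:
            merged[ioc.lower()].add(name)
    return {ioc: sorted(srcs) for ioc, srcs in merged.items()}


def pct_unique_to_one_feed(merged):
    """DBIR-style statistic: share of indicators present in exactly one feed."""
    single = sum(1 for srcs in merged.values() if len(srcs) == 1)
    return 100.0 * single / len(merged)


def match_events(merged, events=SAMPLE_PROXY_EVENTS):
    """Correlate outbound destinations against the aggregated list; hits keep their provenance."""
    hits = []
    for ev in events:
        srcs = merged.get(ev["dest"].lower())
        if srcs:
            hits.append({**ev, "threat_sources": srcs})
    return hits


def stale_feeds(last_fetch=SAMPLE_LAST_FETCH, now=NOW, max_age_hours=24):
    """Feeds not refreshed within max_age_hours: matches against them are only as good as their last update."""
    cutoff = now - timedelta(hours=max_age_hours)
    return sorted(name for name, ts in last_fetch.items() if ts < cutoff)


if __name__ == "__main__":
    merged = aggregate()
    print(len(merged), "indicators after aggregation")
    print("%.1f%% unique to a single feed" % pct_unique_to_one_feed(merged))
    for hit in match_events(merged):
        print(hit["src"], "->", hit["dest"], "listed by", hit["threat_sources"])
    print("stale feeds:", stale_feeds())
```

Keeping the source feeds on each merged entry is what lets an analyst judge a hit later (one feed or three, commercial or community), and the staleness check is the operational half of the slide: an aggregated list that silently stops updating looks exactly like a list with nothing to report.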
STIX: officially 1.1.1 at this point. 1.2 planned.
Today in ES the only “official” reports you will find are PCI, and that’s only with ES 4.0 and the appropriate PCI module loaded. While we expect more content to follow, we do have a ton of existing reports in ES that can be copied, renamed, tweaked, etc. for you to use to meet compliance/auditing demands.
The analyst gets the complete picture! It’s now easy to add memos and additional findings to the investigation case.
The elements the investigator can insert are:
Memo, using Investigator Memo
Incident, from notable events in Incident Review
Actions from “Action History”, like searches run, dashboards viewed, panels filtered, notable event state changes
Additionally, raw Splunk events resulting from a search window.