Post on 12-Apr-2017
transcript
Copyright © 2016 Splunk Inc.
Splunk for Enterprise Security featuring
User Behaviour Analytics
SplunkLive Sydney 2016 - Vlado Vajdic, Sr SE
whoami
> Vlado Vajdic vlado@splunk.com
• 1 year as a Splunk Sales Engineer
• 15+ years in IT security
• Trend Micro, RSA, ... , Sun Microsystems
• First used Splunk in 2010
• GCFA, but don’t take this against me
LEGAL NOTICE: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Splunk Security Update
• Enterprise Security 4.2
• User Behavior Analytics 2.3
Data Breaches in Australia
2016 Cost of Data Breach Study
• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• “Time to Identify” and “Time to Contain” a data breach is critical
• Malicious or criminal attacks were the primary root causes of a data breach
• Average total cost of data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
• Data breaches in regulated industries are more costly
Source: June 2016
Splunk: the Security Nerve Center for the Enterprise
(diagram labels) App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity
Splunk Solutions: Across Data Sources, Use Cases and Consumption Models
(diagram labels)
• Platform for Machine Data
• Splunk Premium Solutions: ITSI, UBA
• Ecosystem of Apps: VMware, Exchange, PCI Security, IT Svc Int
• Data sources: Mainframe Data, Relational Databases, Mobile Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Splunk for Security
• Detection of Cyber Attacks
• Investigation of Threats and Incidents
• Optimized Incident Response and Breach Analysis
• Detection of Insider Threats
• Security & Compliance Reporting
Splunk UBA / Splunk ES
Splunk Security Ecosystem: Threat Intelligence, Identity and Cloud, Endpoint, Network
What is Splunk Enterprise Security?
Platform for Machine Data
Splunk Enterprise Security: Analytics-driven Security
• Security and Compliance Reporting
• Monitor and Detect Threats
• Investigate Threats and Incidents
• Optimize Response using Workflows
Security Intelligence
(platform diagram labels)
• Developer Platform: Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search
• Data Enrichment: Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications
• Data sources: Online Services, Web Services, Security GPS, Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
• Search-time Data Normalization
Splunk ES in the Gartner SIEM Magic Quadrant
• 2015 - Leader (the only vendor to improve its visionary position)
• 2014 - Leader
• 2013 - Leader
• 2012 - Challenger
• 2011 - Niche Player
* Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
What’s New: Splunk Enterprise Security v4
Behavioral Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA Reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
Detect and Investigate faster using ML integrated with SIEM
Attack and Investigation Timelines
Adding content to timeline:
• Action History - Actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo - Memo: Investigator’s memos inserted in desired timeline
• Incident Review - Incident: Notable events from Incident Review
Analyst / Investigator
Splunk ES - MSSP Partners
Verizon: “Splunk is enabling our next generation platform. With these new capabilities, we are arming our clients with the tools and systems necessary to shift the balance and make it harder for cybercriminals to succeed.” Vinny Lee, Director of Product Management, Verizon Enterprise Solutions.
Herjavec Group: "Splunk’s solutions are cutting edge - changing the way security teams operate at every level. That is why Splunk is such a key contributor to our security operations center and managed services practice,” Robert Herjavec, Founder and CEO, Herjavec Group.
Accenture: “Our alliance with Splunk is another strong example of how Accenture is impacting our clients’ businesses with ‘new IT.’” Bhaskar Ghosh, Group Chief Executive, Accenture Technology Services.
ES Demo
What is Splunk UBA?
Enterprise Security Ops Challenges
• Threats: External, Insiders, Hidden and/or Unknown
• People: Availability of Security Expertise
• Efficiency: False Positives vs True Positives
Splunk UBA: Technology
Anomaly Detection / Threat Detection
• Unsupervised Machine Learning
• Behaviour Modeling
• Real-time & Big Data Architecture
Real-time, Big Data Architecture
Scalable architecture: 500M events/node/day
Multi-Entity Behavioral Model: Application, User, Host, Network, Data
Evolution (chart, ordered by complexity)
• Rules - Threshold
• Policy - Threshold
• Policy - Statistics
• Unsupervised Machine Learning
• Policy - Peer Group Statistics
• Supervised Machine Learning
Largest library of unsupervised ML algorithms
Designed for a Hunter Analyst: Anomaly Detection
Applying ML against behaviour baselines
Designed for a SOC Analyst: Threat Detection
ML-driven automated or rules-based anomaly correlation
Threats Uncovered
• Account Takeover: Privileged account compromise, Data loss
• Lateral Movement: Pass-the-hash kill chain, Privilege escalation
• Insider Threats: Misuse of credentials, IP theft
• Malware Attacks: Hidden malware activity, Advanced Persistent Threats (APTs)
• Botnets, C&C: Malware beaconing, Data exfiltration
• User & Entity Behavior Analytics: Login credential abuse, Anomalous behaviour
Data Sources for UBA (diagram; legend: Key / Optional)
Categories: Identity/Auth; SaaS/Mobile; Security Controls; External Threat Feeds; Activity (N-S, E-W)
Sources: Active Directory/Windows; Single Sign-on; HR - Identity; VPN; DNS, DHCP; Box, Salesforce, Dropbox, other SaaS apps; Mobile Devices; Web Gateway; Proxy Server; Firewall; Anti-Malware; DLP; Endpoint; IDS, IPS, AV; AWS CloudTrail; Threat Intelligence
Data Flows: Splunk ES / UBA (diagram labels)
• Ingest: API Connector, Syslog, Forwarder
• Explore, Visualize, Share, Analyze, Dashboards
• Threat & Anomaly Data; Threats & Anomalies; Query UBA / Request for Additional Details; Query / Results
• Notable Events; Risk Scoring Framework; Workflow Management
What’s New in UBA v2
Threat Modeling Framework
Create custom threats using 60+ anomalies. Examples:
§ Compromised Account: Accessed blacklisted domain followed by outgoing connection along with unusual geolocations
§ Compromised Device: Beaconing followed by outgoing connections along with unusual geolocations
Threat Customization using ML-generated anomalies
Enhanced Threat Detection
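As an added illustration (example code, not Splunk UBA's), the following Python shows how a custom threat model of the kind described on the slide can be evaluated: an ordered sequence of anomaly types, each optionally qualified by an attribute such as unusual geolocation, is matched per entity inside a time window. The anomaly names, entities, timestamps and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed anomaly feed: (ISO timestamp, entity, anomaly type, attributes).
ANOMALIES = [
    ("2016-09-01T08:00:00", "alice", "blacklisted_domain_access", {}),
    ("2016-09-01T08:07:00", "alice", "outgoing_connection", {"geo": "unusual"}),
    ("2016-09-01T09:00:00", "bob", "outgoing_connection", {"geo": "unusual"}),
    ("2016-09-01T09:30:00", "bob", "blacklisted_domain_access", {}),  # wrong order
    ("2016-09-02T10:00:00", "carol", "blacklisted_domain_access", {}),
    ("2016-09-03T10:30:00", "carol", "outgoing_connection", {"geo": "unusual"}),  # >24h later
    ("2016-09-01T11:00:00", "dave", "beaconing", {}),
    ("2016-09-01T11:20:00", "dave", "outgoing_connection", {"geo": "unusual"}),
]

# Custom threat models (assumed shape): an ordered list of steps, each an anomaly
# type plus the attribute values that anomaly must carry to count as that step.
THREAT_MODELS = {
    "Compromised Account": [("blacklisted_domain_access", {}),
                            ("outgoing_connection", {"geo": "unusual"})],
    "Compromised Device": [("beaconing", {}),
                           ("outgoing_connection", {"geo": "unusual"})],
}

def _matches(step, atype, attrs):
    want_type, want_attrs = step
    return atype == want_type and all(attrs.get(k) == v for k, v in want_attrs.items())

def _sequence_within(events, steps, window):
    """True if time-sorted events contain the steps in order, all inside the window."""
    for i, (t0, atype, attrs) in enumerate(events):
        if not _matches(steps[0], atype, attrs):
            continue
        pos = 1
        for t, a, at in events[i + 1:]:
            if t - t0 > window:
                break  # sequence aged out; try a later starting anomaly
            if _matches(steps[pos], a, at):
                pos += 1
                if pos == len(steps):
                    return True
    return False

def evaluate_threats(anomalies, models, window=timedelta(hours=24)):
    """Group anomalies per entity and return {entity: [threat models that fired]}."""
    by_entity = defaultdict(list)
    for ts, entity, atype, attrs in sorted(anomalies, key=lambda a: a[0]):
        by_entity[entity].append((datetime.fromisoformat(ts), atype, attrs))
    return {e: [n for n, s in models.items() if _sequence_within(ev, s, window)]
            for e, ev in by_entity.items()}
```

Running `evaluate_threats(ANOMALIES, THREAT_MODELS)` flags alice (Compromised Account) and dave (Compromised Device) while bob (anomalies in the wrong order) and carol (second anomaly outside the window) produce no threat.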
Enhanced Threat Detection
Visibility and baseline metrics for users, devices, applications and protocols; dynamic peer groups; assess the individual user risk; new/enhanced models: device model, USB activity, unusual activity time, lateral movement, and unusual file access
30+ new metrics
User centric / Device centric / Application centric / Protocol centric
UBA Demo
The 7th Annual Splunk Worldwide Users’ Conference
Sept 26-29, 2016, Walt Disney World, Orlando Swan and Dolphin Resorts
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
ThankYou!