© 2018 SPLUNK INC.
© 2018 SPLUNK INC. CONFIDENTIAL INFORMATION. DO NOT DISTRIBUTE.
Automating Incident Response
With Splunk Phantom
by Mark Cooke, General Electric
September 2018 | Version 3.0
$WHOAMI
Mark Cooke
▶ Staff Incident Responder at GE
▶ Worked in IR for 4 years
▶ Python hacker
▶ Phantom playbook developer
General Electric Imagination at work
Agenda
Highlights of today’s discussion
Agenda: Overview
▶ Driving factors for automation
▶ Preparing for automation
▶ Implementing automation
▶ Demonstrating automation
Driving Factors for Automation and Orch.
Goals for automating IR
Driving Factors for Automation and Orchestration
Analysts should primarily analyze data, NOT collect and move data around.
▶ Automate
▶ Centralize
▶ Enrich
▶ Guide
[Chart: Analyst Time (two pie charts with 40%/10%/40%/10% segments; category labels not recovered)]
Preparing for Automation and Orch.
Designs and visions for automating IR
Design and Vision: Gathering and moving data
Design Logic:
▶ Consistent fields for automation
▶ Focused searches
▶ Manageable data set
▶ Fewer searches to move data
Data flow: Correlation search → Required fields → Summary index → Phantom app
Design and Vision: Dividing and segmenting data flows
Manual
▶ Steps and scripts are all completed manually
▶ Analysts make triage, response and remediation decisions
Semi-Automated
▶ Select playbooks and actions run automatically
▶ Analysts make triage, response and remediation decisions
Automated
▶ Select scripts run automatically
▶ All decisions for triage, response and remediation are decided automatically
Response Guidance
▶ Guide analysts through triage, response and remediation decisions
▶ Builds baseline for required actions
▶ Records incident data and actions
Design and Vision: Putting it all together
Alert Pipeline (Splunk):
▶ Core detection
▶ Summarized index
▶ Forwarding to Phantom
Phantom:
▶ Enrich alert
▶ Decide path
▶ Ownership
▶ Triage
▶ Analysis
▶ Disposition
▶ Guided response
▶ Packaged response
Flow: Alert Pipeline → Phantom → Incident Alert / Incident Auto
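As an added example (not code from the talk or from GE), the "decide path" step of the pipeline above modelled in Python: each event from the summary index is first checked for the consistent fields automation relies on, then routed to the manual, semi-automated or automated tier, with unattended containment reserved for high-severity alerts. The field names, the category-to-tier mapping and the action names are assumptions, not GE's schema.

```python
from dataclasses import dataclass, field

# Consistent fields every summary-index event must carry before a playbook may
# act on it (assumed names, not GE's actual schema).
REQUIRED_FIELDS = ("rule_name", "src_ip", "user", "severity", "category")

# Assumed mapping of alert category to the three data-flow tiers from the
# "Dividing and segmenting data flows" slide.
TIER_BY_CATEGORY = {"malware_beacon": "automated",
                    "phishing": "semi-automated",
                    "insider_threat": "manual"}


@dataclass
class RoutedAlert:
    tier: str
    actions: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def missing_fields(event):
    """Required fields that are absent or empty in a summary-index event."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def route_alert(event):
    """Decide path: which tier owns the alert and which playbook actions run."""
    missing = missing_fields(event)
    if missing:
        # An inconsistent event never triggers automation; an analyst owns it.
        return RoutedAlert("manual", [], ["missing: " + ",".join(missing)])
    tier = TIER_BY_CATEGORY.get(event["category"], "manual")
    reasons = ["category=" + event["category"]]
    if tier == "automated" and event["severity"] != "high":
        # Unattended containment only for high severity; otherwise an analyst decides.
        tier, reasons = "semi-automated", reasons + ["severity below high"]
    actions = [] if tier == "manual" else ["enrich", "auto_categorize"]
    if tier == "semi-automated":
        actions += ["create_ticket", "guided_response"]
    elif tier == "automated":
        actions += ["create_ticket", "network_containment", "domain_ip_block"]
    return RoutedAlert(tier, actions, reasons)


# Constructed sample events shaped like rows from the summary index.
SAMPLE_EVENTS = [
    {"rule_name": "c2_beacon", "src_ip": "10.0.0.5", "user": "jdoe", "severity": "high", "category": "malware_beacon"},
    {"rule_name": "phish_click", "src_ip": "10.0.0.9", "user": "asmith", "severity": "medium", "category": "phishing"},
    {"rule_name": "c2_beacon", "src_ip": "10.0.0.7", "user": "", "severity": "high", "category": "malware_beacon"},
]
```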
Implementing Automation and Orch.
Components for making this work
Playbook Development: Developing playbooks
Diagram labels: Playbook, Actions, Packaged responses, Playbooks, Categories
Playbook Highlights
Goals: Consistency, Speed
[Chart: playbook metrics (bar chart, x-axis 0 to 16, y-axis 0 to 6; series labels not recovered apart from host_investigation and proxy block)]
Demo
Automation and orchestration in action
Demo – Alert Enrichment
Gathering and collecting data
Demo – Alerting
Triaging our enriched alerts
Demo – Response
Responding to the threat
Incident Automation
Automating the response process
Playbook Impacts
Accomplishments from implementing automation and orchestration
Playbook Impacts: Estimated hours saved per month
▶ Ticket creator
▶ Network containment
▶ Domain/IP blocks
▶ Alert history and auto categorization
[Chart: estimated hours saved per month per playbook; values 22, 30, 30 and 32 hours; pairing of values with playbooks not recovered]
Conclusion
Conclusion: Implementing automation and orchestration
By implementing automation and orchestration through Phantom we're aiming to:
▶ Focus analysts' time on analysis
▶ Focus analysts' time on finding threats
▶ Reduce risk through speed and consistency
[Chart: Analyst Time (pie chart with 10%/40%/10%/40% segments; category labels not recovered)]
Don't forget to rate this session in the .conf18 mobile app
Thank You!