Splunk Discovery Dusseldorf: September 2017 - Security Session

Date post: 22-Jan-2018
© 2017 SPLUNK INC. | 20 September 2017 | Düsseldorf
Transcript


Agenda: Discovery Düsseldorf | 20 September 2017

Time            Presentation                                        Speaker
09:00 – 09:15   Splunk Overview                                     Frank Böning | Vice President Central Europe, Splunk
09:15 – 09:30   Buttercup Games                                     Kai-Ping Seidenschnur | Senior Sales Engineer, Splunk
09:30 – 10:00   Splunk @ Vodafone                                   Eugen Rogoza | Integration Lead mCommerce, Vodafone
10:00 – 11:00   Data-driven insights into your IT operations        René Siekermann | IT Markets Specialist EMEA, Splunk
11:00 – 11:30   Break
11:30 – 12:30   Best practices for your security strategy           Angelo Brancato | Security Markets Specialist EMEA, Splunk
12:30 – 13:00   Operational Intelligence Demo                       Kai-Ping Seidenschnur | Senior Sales Engineer, Splunk
13:00 – 14:00   Lunch
14:00           End of event


Who am I

Angelo Brancato, Splunker, Security Specialist


The State of Security Operations 2017


Sources: http://www.informationisbeautiful.net and https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/the-state-of-security-operations.html

IDC Security Response Readiness

Characteristics of increasing response readiness, as listed on the slide:

- Risk unknown
- In denial of breach
- No Incident Response (IR) plans
- Ad-hoc / reactive
- Limited resources
- Custom tools
- Basic alarming
- IR on roadmap
- Limited resources
- Risk understood
- SIEM in place
- Basic run books
- Some integrations
- Internal & external resourcing
- Assume breached
- Formal run books
- Formal and (annually) tested IR plan
- Panel of specialists
- Proactive threat hunting
- Best practices & continuous improvement
- IR plans tested regularly (agile)
- Holistic security view
- Forensic investigation and legal agreement to share IR data
- Integration and automation
- Internal and external resources


Investigation

How Splunk can help: the right decision, at the right time

- Visibility
- Automation
- Threat Hunting
- Situational Awareness
- Risk Scoring
- SOC Run Books
- Adaptive Response
- Business Enablement


Hunting

How Splunk can help: the right decision, at the right time

- Visibility
- Automation
- Business Enablement
- Risk Scoring
- Situational Awareness
- Investigation
- SOC Playbooks
- Adaptive Response


Splunk Vision & Strategy


Different people asking different questions of the same data.

Enterprise Machine Data Fabric

- Business Analytics
- IT Operations
- Security Operations
- Application Development & Delivery
- Internet of Things


SOC Playbooks

Analytics-Driven Security: Monitor, Detect, Investigate, Respond

- Machine Data
- Schema-On-Read
- Universal Indexing
- Adaptive Response
- Enterprise: On-Premise, Cloud, Hybrid
- Enterprise Security & UEBA

People: Tier 1 - Alert Analyst | Tier 2 - Incident Responder | Tier 3 - SME / Hunter

Process, People, Technology

http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html


- IT Operations
- Application Delivery
- Industrial Data & IoT
- Business Analytics, Future Markets
- IT Security, Compliance & Fraud

Analytics-Driven Security: Monitor, Detect, Investigate, Respond

Enterprise: On-Premise, Cloud, Hybrid | Machine Data | Enterprise Security & UEBA

Different people asking different questions… of the same data.


Security Operations Maturity (from reactive to proactive):

- Search and Investigate
- Proactive Monitoring and Alerting
- Security Situational Awareness
- Real-time Risk Insight


Journey to SOC Maturity

(with live-demo)


Analytics-Driven Security

Human-driven Analytics | ML-driven Analytics

- Risky behavior detection
- Entity profiling, scoring
- Kill chain, graph analysis
- Unsupervised Machine Learning

Foundation: Data ingestion, Universal Indexing, Schema-on-Read, Log Aggregation; Search and Report; Monitor and Alert

Apps: Splunk Security Essentials (for Ransomware), CIS Top 20, PCI Compliance, Machine Learning Toolkit etc.

Enterprise Security:
• Correlation- and Notable Event Framework
• Risk Scoring Framework
• OTB key Security Metrics, Dashboards, Use Cases & Analytic Stories
• Incident Investigation & Response workflow
• Adaptive Response
• Glass Tables, etc…

Realm of Known | Realm of Unknown


Enterprise: Developer Platform (REST API, SDKs)

Analytics-Driven Security (On-Premise, Cloud, Hybrid)

Human-driven Analytics | ML-driven Analytics | SIEM

- Security Essentials
- Security Essentials for Ransomware
- Splunk App for PCI Compliance
- Machine Learning Toolkit
- CIS Top 20 Critical Security Controls
- Add-Ons
- Splunk Stream
- Cyber Security Investigator


Splunk CIS* Top 20 (Best Practice) Critical Controls

https://www.cisecurity.org/controls/
https://splunkbase.splunk.com/app/3064/

- CIS Top 20 controls improve risk posture against real-world threats
- The control areas grew out of an international consortium
- Splunk can monitor PCI compliance and generate Alerts for non-compliance
- In case of non-compliance Splunk can carry out recommended actions
- 40+ Dashboards

Splunk CIS Top 20 Critical Security Controls

*CIS: Center of Internet Control https://www.cisecurity.org/controls/


Splunk Premium App for PCI Compliance
https://splunkbase.splunk.com/app/2897/

Compliance Overview | Incident Review and Management | Asset and Identity Aware | Scorecards and Reports

- Measures effectiveness and status of PCI compliance technical controls
- Meets PCI requirements around log retention/review, and continuous monitoring
- Fast ability to get to cause of non-compliance or answer auditor data requests
- Covers up to PCI DSS v3.1 standards

Splunk App for PCI Compliance


Security Essentials
https://splunkbase.splunk.com/app/3435/

- 50+ use cases (common in UEBA products)
- Target external attackers and insider threat
- Scales from small to massive companies
- Can send results to ES/UBA

Security Essentials – Detection Methods

- Time series analysis (with standard deviation)
- First time analysis (powered by stats)
- General Splunk searches
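The two detection methods named above, re-implemented in plain Python over a constructed set of authentication events as an added illustration (this is not code from the Splunk Security Essentials app, which ships them as SPL searches; user and host names are made up):

```python
# Added example: the Security Essentials detection methods "time series
# analysis with standard deviation" and "first time analysis", written in
# plain Python so they can be run offline. Not the app's own searches.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (hour_bucket, user, dest). Not real log data.
# alice logs on to fileserver01 once an hour, then 12 times in hour 23;
# bob touches hr-db01 for the first time in hour 23.
EVENTS = (
    [(h, "alice", "fileserver01") for h in range(0, 23)]
    + [(23, "alice", "fileserver01")] * 12
    + [(5, "bob", "fileserver01"), (23, "bob", "hr-db01")]
)


def stdev_outliers(events, sigma=3.0):
    """Time-series analysis with standard deviation: count events per user
    per hour, then flag hours whose count exceeds mean + sigma * stdev of
    that user's own hourly counts (the stats / eventstats pattern)."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, user, _dest in events:
        counts[user][hour] += 1
    outliers = []
    for user, per_hour in counts.items():
        values = list(per_hour.values())
        if len(values) < 2:
            continue  # a single bucket gives no usable deviation estimate
        upper = mean(values) + sigma * pstdev(values)
        for hour, count in sorted(per_hour.items()):
            if count > upper:
                outliers.append((user, hour, count))
    return outliers


def first_time_seen(events, since_hour):
    """First-time analysis powered by stats: take the earliest hour each
    (user, dest) pair was observed and report pairs first seen at or after
    since_hour, i.e. combinations with no prior history in the data."""
    earliest = {}
    for hour, user, dest in events:
        key = (user, dest)
        earliest[key] = min(hour, earliest.get(key, hour))
    return sorted(k for k, h in earliest.items() if h >= since_hour)


if __name__ == "__main__":
    print("stdev outliers:", stdev_outliers(EVENTS))
    print("first seen in hour 23:", first_time_seen(EVENTS, 23))
```

Both functions need a baseline window longer than the window being judged; in production the first-time check is usually run against days or weeks of history, not the single day shown here.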


Security Essentials for Ransomware
https://splunkbase.splunk.com/app/3593/

Use Cases:

- Fake Windows Processes
- Malicious Command Line Executions
- Monitor AutoRun Reported Registry Keys
- Monitoring Successful Backups
- Monitor Successful Windows Update
- Monitoring Unsuccessful Backups
- Monitor Successful Windows Update
- Ransomware extensions
- Ransomware Note Files
- Ransomware Vulnerabilities
- SMB traffic Allowed
- Spike in SMB traffic
- Detect TOR Traffic
- Office Spawns Unusual Process

Detection Methods:

- Detection via Statistical Analysis
- Detection via Windows Registry
- Detection via Shannon Entropy
- Detection via Fake Windows Processes
- Detection via File Encryption Events
- Detection via DNS Traffic
- Detection via Sysmon Logs
- Detection via Firewall Logs
- Detection via IDS Events
- Detection via Network Activity
- Detection via SMB Events
- Detection via Deletion of Shadow Copies
- Forensics via log2timeline
- Prevention via Lag Detection
- Prevention via Vulnerability Management
- Prevention via Backup Activity
- Prevention via Automated File Analysis
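The "Detection via Shannon Entropy" method above, shown as an added Python example rather than the app's own SPL, under the assumption that it is applied to DNS query names (algorithmically generated command-and-control domains have near-uniform character distributions, so their entropy is high); the domains and thresholds below are constructed:

```python
# Added example, not code from Security Essentials for Ransomware: score
# DNS query names by the Shannon entropy of their registered label.
import math
from collections import Counter

# Constructed sample DNS queries (not real log data).
QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn.static-assets.example.net",
    "xk7qpz3wlm9vbt2hfc.com",
    "q8w2e4r6t1y0u3i5o7p9.net",
]


def shannon_entropy(text):
    """Bits per character: -sum(p * log2(p)) over the character frequency
    distribution. A string with all-distinct characters scores log2(len)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def registered_label(fqdn):
    """Label immediately left of the TLD, so 'www.example.com' -> 'example'.
    Assumption: single-label TLDs; names such as 'example.co.uk' would need
    a public-suffix list to be split correctly."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_queries(queries, threshold=3.5, min_len=12):
    """Flag queries whose registered label is both long and high-entropy.
    Short labels are skipped: entropy of a short string is noisy, and
    short legitimate brand names would otherwise trigger false positives."""
    flagged = []
    for q in queries:
        label = registered_label(q)
        if len(label) < min_len:
            continue
        h = shannon_entropy(label)
        if h >= threshold:
            flagged.append((q, round(h, 2)))
    return flagged


if __name__ == "__main__":
    for name, score in score_queries(QUERIES):
        print(f"{score:.2f}  {name}")
```

Entropy alone misfires on content-delivery and cloud hostnames with hashed labels, so in practice the score is combined with the DNS-traffic and network-activity methods listed above rather than used as a standalone alert.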


Cyber Security Investigator
https://splunkbase.splunk.com/app/3361/

Example questions:

- traffic today compared to normal
- Email traffic compared to normal
- What are the count of windows related alerts over the last week?
- Hourly traffic to China
- Which accounts were recently deleted?
- Top accounts with failed logins
- Show me traffic for app dns
- Show me the systems where user ghost exists
- How does traffic look during non-business hours compared to during business hours?
- Event count over time by top 10 hosts
- What's the average number of vulnerabilities across all of our systems
- Graph the hourly max response time of web requests
- Malware signatures on more than 10 distinct hosts
- Websites with the most bytes

Insight Engines – Cyber Security Investigator for Splunk


Security Stream
https://splunkbase.splunk.com/app/1809/

- Metadata Collection
- Live Interface Collection Option
- Commercial App Detection (300+)
- NetFlow Collector
- Aggregation Mode
- Filtering at Endpoint
- Out-of-Box Content
- Distributed Forwarder Mgt
- 1GbE and 10GbE link options

- Get visibility into application performance and user experience
- Understand database activity and performance without impacting database operation
- Improve security and application intelligence with DNS analytics

Splunk Stream – Layer / Examples

7. Application: HTTP, SMTP
6. Presentation: TLS
5. Session: SCP
4. Transport: TCP, UDP
3. Network: IPv4, IPv6
2. Data Link: Ethernet
1. Physical: Ethernet, WiFi

Deployment:
• Out-of-band (stub) with tap or SPAN port
• In-line directly on monitored host

Collection:
• Technical Add-On (TA) with Splunk Universal Forwarder (UF)
• Independent Stream Forwarder using HTTP Event Collector (HEC)

Diagram: any Linux host sends to the Splunk Indexers over TLS/HEC; a Splunk Forwarder sends to the Splunk Indexers over TLS.


MLTK – applied example: DGA Analyzer

This is an example a Splunk SE built. It uses the Machine Learning Toolkit (MLTK) to very reliably detect DGA-generated domain names.

Machine Learning Toolkit: https://splunkbase.splunk.com/app/2890/


Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.

Dashboards & Reports | Incident Investigations and Management | Statistical Outliers & Risk Scoring | Asset & Identity Aware

• Correlation- and Notable Event Framework

• Risk Scoring Framework

• OTB key Security Metrics, Dashboards, Use Cases & Analytic Stories

• Incident Investigation & Response workflow

• Adaptive Response

• Glass Tables, etc…


Enterprise Security ▶ Adaptive Response

MONITORING AUTOMATION: Splunk Adaptive Response Partnerships

- WAF & App Security
- Orchestration
- Network
- Threat Intelligence
- Internal Network Security
- Identity and Access
- Endpoints
- Firewall
- Web Proxy


HUMAN MACHINE AUTHORING:

Security Machine Learning & Data Science

User and Entity Behavior Analytics


Use machine data to meet customer expectation

What do you expect?

- I expect detailed App usage analytics
- I expect 360° visibility into how my business is performing
- I expect security dashboards, reports and real-time alerts and risk scoring
- I expect a secure IT environment
- I expect network and equipment uptime
- I expect you to protect my data
- I expect compliance
- I expect Risk reduction
- I expect an effective and secure App. DevOps


.conf2017: The 8th Annual Splunk Conference
SEPT 25-28, 2017 | Walter E. Washington Convention Center | Washington, D.C.
CONF.SPLUNK.COM

• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers

PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP


THANK YOU


Join: Our Community with Apps, Ask Questions or join an online session!
https://www.splunk.com/en_us/community.html

Try: Splunk Security Online Experience (No Download)
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/security-investigation/getting-started.html

Explore: Splunkbase – our online store of over 1000+ apps
https://splunkbase.splunk.com/


GDPR


EVOLUTION:

Splunk for GDPR


Splunk for GDPR

- Prove GDPR Security Controls are enforced
- Detect, Prevent and Investigate Data Breaches
- Search and Report on Personal Data Processing


Splunk for GDPR – Detect, Prevent and Investigate Data Breaches

Analyst references: The Forrester Wave: Security Analytics Platforms, Q1 2017; Gartner MQ for SIEM, Aug. 2016


Data Breach Notification:

- Article 33 - Notification of a personal data breach to the supervisory authority
- Article 34 - Communication of a personal data breach to the data subject


Splunk for GDPR – Prove GDPR Security Controls are enforced

- Article 32 - Security of processing
- Article 58 - Supervisory Investigative Powers

Risk Minimization | Report Compliance | DPIA


Splunk for GDPR – Search and Report on Personal Data Processing

- Article 30 - Records of Processing Activity
- Article 5, 15, 17, 18 and 28 - Data Subject Rights

Supply chain obligations | Right to be forgotten | Right of rectification | Right of access | Right of data portability…


Agile DevSecOps – Real-Time Risk Scoring

