Webinar: What's New in the Splunk App for Enterprise Security (original title: "Neues zur Splunk App for Enterprise Security")

Date posted: 07-Aug-2015
Uploaded by: splunker
Transcript
Page 1: Webinar: What's New in the Splunk App for Enterprise Security

Copyright © 2015 Splunk Inc.

The Splunk App for Enterprise Security
Holger Sesterhenn, Sen. Sales Engineer, CISSP
Matthias Maier, Security Product Marketing, EMEA

Page 2

Your Webcast Team

Matthias Maier, Security Product Marketing, EMEA

[email protected]  

Holger Sesterhenn, Sen. Sales Engineer

[email protected]  

Page 3

Safe Harbor Statement

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 4

How Can Splunk Help?

Page 5

Roadmap

• Security Strategy
• Security Posture
• Visual Security Analytics
• Advanced Threats
• Insider Threat

Page 6

Roadmap: Security Strategy

Page 7

The Ever-Changing Threat Landscape

• 67%: victims notified by an external entity
• 100%: valid credentials were used
• 229: median number of days before detection

Source: Mandiant M-Trends Report 2012/2013/2014

Page 8

Traditional Security Strategy

• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication

Page 9

Connect the Dots Across All Data

Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB, DHCP/DNS

Plus the traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Page 10

Connecting the "Data Dots" via Multiple/Dynamic Relationships

Data sources and what each one tells you:

• Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
• Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth / User Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain

Kill chain stages these relationships map onto:

• Delivery, exploit installation
• Gain trusted access
• Exfiltration, data gathering, upgrade (escalate), lateral movement
• Persist, repeat

Page 11

Analytics-Driven Security

• Risk Based
• Context and Intelligence
• Connecting Data and People

Page 12

Sample: Nasdaq - Heartbleed

Page 13

Security Intelligence Use Cases

Complement, replace and go beyond traditional SIEMs

• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Monitoring of Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat

Page 14

Roadmap

• Security Strategy: Connecting Data and People
• Security Posture

Page 15

What's New in Splunk App for Enterprise Security 3.3

Benefit: Better Detection of Advanced Threats
Features:
• STIX/TAXII & OpenIOC threat intelligence
• IOC/artifacts research

Benefit: Improved Collaboration
Features:
• Export correlation searches, KSIs, swim lanes

Benefit: Better Detection of Malicious Insiders
Features:
• User activity monitoring dashboard and swim lanes
• Access anomalies

Benefit: Faster Incident Response
Features:
• Added functionality to Incident Response page

Page 16

Roadmap

• Security Strategy: Connecting Data and People
• Security Posture: Situational Awareness
• Visual Security Analytics

Page 17

Roadmap

• Security Strategy: Connecting Data and People
• Security Posture: Situational Awareness
• Visual Security Analytics: Contextual Analysis
• Advanced Threats

Page 18

http://stixproject.github.io/about/

Page 19

STIX/TAXII and OpenIOC 101

• Info sharing across companies and industries
• Standardized XML
• Contains TTPs, IOCs, COA
• IOCs include IPs, web/e-mail domains, hashes, processes, registry keys, certificates
• http://stixproject.github.io/about/

Page 20

Threat Intelligence in Splunk

Page 21

TAXII Services

Source: http://hailataxii.com

Page 22

Sample TAXII Feeds

User Community | Organisation
• Cyber Threat XChange | Health Information Trust Alliance
• Defense Security Information Exchange | Defense Industrial Base Information Sharing and Analysis Organization
• ICS-ISAC | Industrial Control System Information Sharing and Analysis Center
• NH-ISAC National Health Cybersecurity Intelligence Platform | National Health Information and Analysis Center
• FS-ISAC / Soltra Edge | Financial Services Information Sharing and Analysis Center (FS-ISAC)
• Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal | Retail Information Sharing and Analysis Center (Retail-ISAC)

More: http://stixproject.github.io/supporters/

Page 23

Roadmap

• Security Strategy: Connecting Data and People
• Security Posture: Situational Awareness
• Visual Security Analytics: Contextual Analysis
• Advanced Threats: Knowledge Sharing and Adoption
• Insider Threat

Page 24

Detecting Suspicious User Activity

• Spot suspicious user activity
• Malicious insider or external threat using stolen credentials
• High aggregate risk score
• Uploaded data to non-corp sites
• Emailed data to non-corp domains
• Visits to blacklisted sites
• Remote access
• Anomalous help desk ticket
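A worked example added here, covering both the STIX/TAXII 101 slide (Page 19) and the suspicious-user-activity slide above; it is not Splunk's code and not part of the webinar. It pulls IP and domain indicators out of a constructed, simplified STIX 1.x-style XML package of the kind a TAXII feed delivers, then scores a handful of constructed user-activity events in the categories listed above (visits to threat-listed sites, uploads and e-mail to non-corporate domains, remote access, anomalous help desk tickets) into a per-user aggregate risk score. The STIX fragment, the event records, the corporate domain, the risk weights and the high-risk threshold are all assumptions for the example; Enterprise Security's own risk framework and correlation searches are not reproduced.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, simplified STIX 1.x-style package (not a real feed). Real packages carry
# much more structure, but the Indicator -> Observable -> Object -> Properties nesting
# is the part a matcher cares about.
STIX_SAMPLE = """
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
  <stix:Indicators>
    <indicator:Indicator>
      <indicator:Title>C2 relay (constructed)</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties>
        <AddressObj:Address_Value>203.0.113.45</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </indicator:Indicator>
    <indicator:Indicator>
      <indicator:Title>Malware download domain (constructed)</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties>
        <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
    </indicator:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]

def extract_iocs(stix_xml):
    """Return {'ip': set, 'domain': set} from the address/domain observables."""
    root = ET.fromstring(stix_xml)
    iocs = {"ip": set(), "domain": set()}
    for el in root.iter():
        name = _local(el.tag)
        if name == "Address_Value" and el.text:
            iocs["ip"].add(el.text.strip())
        elif name == "Value" and "DomainName" in el.tag and el.text:
            iocs["domain"].add(el.text.strip().lower())
    return iocs

# Constructed user-activity events, one per category the slide lists.
EVENTS = [
    {"user": "jdoe",   "type": "web",      "dest": "bad.example.net", "dest_ip": "203.0.113.45"},
    {"user": "jdoe",   "type": "upload",   "dest": "share.example-cloud.org", "bytes": 52_000_000},
    {"user": "jdoe",   "type": "email",    "recipient_domain": "webmail.example"},
    {"user": "jdoe",   "type": "vpn",      "src_ip": "198.51.100.7"},
    {"user": "asmith", "type": "web",      "dest": "intranet.corp.example", "dest_ip": "10.0.0.5"},
    {"user": "asmith", "type": "upload",   "dest": "files.corp.example", "bytes": 1_000_000},
    {"user": "bchen",  "type": "helpdesk", "resets_7d": 4},
    {"user": "bchen",  "type": "vpn",      "src_ip": "198.51.100.9"},
]

CORP_DOMAIN = "corp.example"          # assumed corporate domain
RISK_WEIGHTS = {                       # assumed weights, not ES's own values
    "threat_intel_match": 40,
    "upload_non_corp": 25,
    "email_non_corp": 15,
    "remote_access": 10,
    "helpdesk_anomaly": 20,
}
HELPDESK_RESET_THRESHOLD = 3           # assumed: >= 3 password resets in 7 days is anomalous
HIGH_RISK_THRESHOLD = 50               # assumed "high aggregate risk score" cut-off

def _is_corp(host):
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)

def score_event(ev, iocs):
    """Return the list of risk reasons a single event contributes."""
    reasons = []
    if ev["type"] == "web":
        if ev.get("dest", "").lower() in iocs["domain"] or ev.get("dest_ip") in iocs["ip"]:
            reasons.append("threat_intel_match")
    elif ev["type"] == "upload" and not _is_corp(ev["dest"]):
        reasons.append("upload_non_corp")
    elif ev["type"] == "email" and not _is_corp(ev["recipient_domain"]):
        reasons.append("email_non_corp")
    elif ev["type"] == "vpn":
        reasons.append("remote_access")
    elif ev["type"] == "helpdesk" and ev["resets_7d"] >= HELPDESK_RESET_THRESHOLD:
        reasons.append("helpdesk_anomaly")
    return reasons

def aggregate_risk(events, iocs):
    """Sum weighted reasons per user; users with no reasons are absent."""
    per_user = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev in events:
        for reason in score_event(ev, iocs):
            per_user[ev["user"]]["score"] += RISK_WEIGHTS[reason]
            per_user[ev["user"]]["reasons"].append(reason)
    return dict(per_user)

def high_risk_users(events, iocs, threshold=HIGH_RISK_THRESHOLD):
    agg = aggregate_risk(events, iocs)
    return sorted(u for u, v in agg.items() if v["score"] >= threshold)

if __name__ == "__main__":
    iocs = extract_iocs(STIX_SAMPLE)
    for user, v in aggregate_risk(EVENTS, iocs).items():
        print(f"{user}: score={v['score']} reasons={v['reasons']}")
    print("high risk:", high_risk_users(EVENTS, iocs))
```

Two design points carry over to a real deployment: indicators are matched by normalised value (lower-cased domains, stripped whitespace) so feed formatting does not cause misses, and the score is additive per user rather than per event, which is what lets a chain of individually low-risk actions (a VPN login, then an upload, then an e-mail to an outside domain) surface as one high-risk user.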

Page 25

Roadmap

• Security Strategy: Connecting Data and People
• Security Posture: Situational Awareness
• Visual Security Analytics: Contextual Analysis
• Advanced Threats: Knowledge Sharing and Adoption
• Insider Threat: Stop Data Breaches

Page 26

Case Study: Telenor

Norway's largest telecom services provider, 160 million mobile subscribers globally

Challenges:
– Millions of customers, thousands of servers and routers, and missing details in operative tasks.
– Communication between departments was challenging.
– Errors and issues sporadically slipped unnoticed.

Breakthroughs:
– Team noticed WebMail accounts being abused to send hundreds of thousands of SMS messages abroad.
– Baselining normal and tracking deviation.
– Understand attackers and their behaviour to take them down proactively.

Page 27

Thank You! Q&A

