Splunk Enterprise Security - zc.proact.lvzc.proact.lv/wp-content/uploads/2017/03/Splunk Enterprise...
Copyright © 2017 Splunk Inc.
Splunk Enterprise Security: Analytics-Driven Security
Emil Borgelin, Sr. Sales Engineer
The Ever-Changing Threat Landscape
53%: victims notified by an external entity
100%: valid credentials were used
143: median number of days before detection
Source: Mandiant M-Trends Report 2012-2016
Security Intelligence / Developer Platform
Capabilities: report and analyze, custom dashboards, monitor and alert, ad hoc search
Enrichment sources: threat intelligence, asset & CMDB, employee info, data stores, applications, online services, web services, security GPS, location, external lookups
Machine data sources: storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, firewall, authentication, threat intelligence, servers, endpoint
Connecting the "data-dots" via multiple/dynamic relationships
Threat intelligence: attacker, known relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution
Auth - User Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Network Activity/Security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
Kill chain stages: delivery, exploit installation; gain trusted access; exfiltration, data gathering, upgrade (escalate), lateral movement; persist, repeat
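As an added example (not from the deck and not Splunk's own code), the cross-source correlation this slide describes, written in Python: constructed network, host and auth events are joined on the user field, matched against placeholder threat-intel indicators, placed on kill-chain stages, and given a risk score with an uplift for privileged users. All indicators, hostnames and weights are constructed.

```python
"""Correlate threat intel with network, host and auth events (constructed data)."""
from collections import defaultdict

# Constructed threat-intel indicators; none of these are real IOCs.
THREAT_INTEL = {"c2_ips": {"203.0.113.7"}, "file_hashes": {"deadbeef01"}}
PRIVILEGED_USERS = {"svc_backup"}          # from an asset/identity lookup (constructed)
STAGE_WEIGHT = {"delivery": 20, "installation": 40, "lateral_movement": 30}

# Constructed events in chronological order; 'user' and 'host' are the join keys.
EVENTS = [
    {"src": "network", "host": "ws-042", "user": "bob", "dest_ip": "203.0.113.7"},
    {"src": "host", "host": "ws-042", "user": "bob", "process": "updater.exe", "hash": "deadbeef01"},
    {"src": "auth", "host": "srv-db-01", "user": "bob", "result": "success"},
    {"src": "auth", "host": "srv-db-01", "user": "svc_backup", "result": "success"},
    {"src": "network", "host": "ws-007", "user": "alice", "dest_ip": "198.51.100.4"},
]


def correlate(events, intel=THREAT_INTEL, privileged=PRIVILEGED_USERS):
    """Return {user: {"score": int, "stages": [(stage, host), ...]}} for users with findings.

    Threat-intel hits on network and host events establish the first stages. An
    auth success for the same user on a *different* host is scored as lateral
    movement only once an earlier stage exists: on its own, a successful logon is
    normal activity. Privileged users get a fixed risk uplift.
    """
    findings = defaultdict(lambda: {"score": 0, "stages": []})
    infected_hosts = defaultdict(set)           # user -> hosts with intel hits

    def record(user, stage, host):
        findings[user]["stages"].append((stage, host))
        findings[user]["score"] += STAGE_WEIGHT[stage]

    for e in events:
        user, host = e["user"], e["host"]
        if e["src"] == "network" and e.get("dest_ip") in intel["c2_ips"]:
            record(user, "delivery", host)
            infected_hosts[user].add(host)
        elif e["src"] == "host" and e.get("hash") in intel["file_hashes"]:
            record(user, "installation", host)
            infected_hosts[user].add(host)
        elif (e["src"] == "auth" and e.get("result") == "success"
              and infected_hosts[user] and host not in infected_hosts[user]):
            record(user, "lateral_movement", host)

    for user in findings:
        if user in privileged:
            findings[user]["score"] += 25
    return dict(findings)


if __name__ == "__main__":
    for user, f in correlate(EVENTS).items():
        print(user, f["score"], f["stages"])
```

Only bob is reported: the lone auth success for svc_backup and alice's ordinary outbound connection produce no finding, which is the point of joining the sources rather than alerting on each alone.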
Single Platform for Security Intelligence
Security & compliance reporting
Real-time monitoring of known threats
Detect unknown threats
Incident investigations & forensics
Fraud detection
Insider threat
Splunk Complements, Replaces and Goes Beyond Existing SIEMs
Splunk Enterprise Security
Risk-based analytics; visualize and discover relationships; enrich security analysis with threat intelligence
Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform that empowers SecOps to monitor, detect, investigate and respond to attacks and threats while minimizing risk and safeguarding your business.
Splunk Enterprise Security
Incident investigations & management; alerts, dashboards & reports; statistical outliers, risk scoring & user activity; threat intel, asset & identity integration
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
Apps for Security
Splunk Enterprise Security; 130+ security apps; additional Splunk apps
Vendor-specific: Sourcefire, Palo Alto Networks, FireEye, Symantec
Community: DShield, DNS, OSSEC
Cisco: Cisco Security Suite, ISE
SIEM comparison to Splunk

                              Legacy SIEM                 Splunk
Data sources                  Limited                     Any technology, device
Custom device support         Difficult                   Easy
Add intelligence              Difficult                   Easy
Customized reporting          Required 3rd-party app      Built-in (from search)
Speed of search/reporting     Slow and unusable           Fast and responsive
Correlation                   Difficult (rule-based)      Easy (search-based)
Scalability                   Limited                     Extensible