Splunk Enterprise Security - zc.proact.lvzc.proact.lv/wp-content/uploads/2017/03/Splunk Enterprise...

Copyright © 2017 Splunk Inc. Splunk Enterprise Security Analytics-Driven Security Emil Borgelin, Sr Sales Engineer


The Ever-Changing Threat Landscape

CYBERCRIMINALS
MALICIOUS INSIDERS
NATION STATES

53% Victims notified by external entity
100% Valid credentials were used
143 Median # of days before detection

Source: Mandiant M-Trends Report 2012-2016

Analytics-Driven Security

Risk-Based
Context and Intelligence
Connecting Data and People

RECOVER PREPARE DETECT PREVENT

Security Intelligence
Developer Platform

Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search

Threat Intelligence
Asset & CMDB
Employee Info
Data Stores
Applications
Online Services
Web Services

Security GPS

Location
Storage
Desktops
Networks
Packaged Applications
Custom Applications
Messaging
Telecoms
Online Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
Firewall
Authentication
Threat Intelligence
Servers
Endpoint
External Lookups

Connecting the "data-dots" via multiple/dynamic relationships

Threat intelligence: Attacker, known relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution
Network Activity/Security: Where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
Host Activity/Security: What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Auth - User Roles: Access level, privileged users, likelihood of infection, where they might be in kill chain

Kill chain stages: Delivery, exploit installation; Gain trusted access; Upgrade (escalate); Lateral movement; Data gathering; Exfiltration; Persist, Repeat

Single Platform for Security Intelligence

SECURITY & COMPLIANCE REPORTING
REAL-TIME MONITORING OF KNOWN THREATS
DETECT UNKNOWN THREATS
INCIDENT INVESTIGATIONS & FORENSICS
FRAUD DETECTION
INSIDER THREAT

Splunk Complements, Replaces and Goes Beyond Existing SIEMs

Splunk Enterprise Security

Risk-Based Analytics
Visualize and Discover Relationships
Enrich Security Analysis with Threat Intelligence

Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform that empowers SecOps to monitor, detect, investigate and respond to attacks and threats while minimizing risk and safeguarding your business.

Splunk Enterprise Security

Incident Investigations & Management
Alerts & Dashboards & Reports
Statistical Outliers & Risk Scoring & User Activity
Threat Intel & Asset & Identity Integration

Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds

Apps for Security

Splunk Enterprise Security
130+ Security Apps
Additional Splunk Apps

CISCO: Sourcefire, Cisco Security Suite, ISE
VENDOR SPECIFIC: Palo Alto Networks, FireEye, Symantec
COMMUNITY: DShield, DNS, OSSEC

SIEM comparison to Splunk Enterprise Security

                              LEGACY SIEM               SPLUNK
Data sources                  Limited                   Any technology, device
Custom device support         Difficult                 Easy
Add intelligence              Difficult                 Easy
Customized reporting          Required 3rd party app    Built-in (from search)
Speed of search/reporting     Slow and unusable         Fast and responsive
Correlation                   Difficult (rule-based)    Easy (search-based)
Scalability                   Limited                   Extensible