SplunkLive! London Enterprise Security & UBA
Copyright © 2016 Splunk Inc.

Enterprise Security & UBA Overview
SplunkLive London 2016
Johan Bjerke, Senior Sales Engineer, Technical Splunk Guy
SplunkLive Security Track Today
13:00-14:00: Operational Security Intelligence
14:00-15:00: Splunk for Enterprise Security featuring User Behavior Analytics
15:00-16:00: Cloud Breach – Detection and Response
16:00-17:00: Happy Hour
17:00-19:30: Splunk London User Group Meeting
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
Splunk Portfolio Update
Enterprise Security 4.1
User Behavior Analytics 2.2
Splunk Solutions > Easy to Adopt
Across Data Sources, Use Cases & Consumption Models
[Diagram] Splunk Premium Solutions: ITSI (IT Service Intelligence), UBA. Rich Ecosystem of Apps: VMware, Exchange, PCI, Security. Platform for Machine Data, fed by: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL.
What is Splunk ES?
Splunk Enterprise Security: Advancing analytics-driven security
Platform for Machine Data
Security and Compliance Reporting
Monitor and Detect
Investigate Threats and Incidents
Analyze and Optimize Response
Open Solutions Framework
Supports critical security related management framework features

Enterprise Security Framework
• Notable Events Framework
• Threat Intelligence Framework
• Risk Scoring Framework
• Identity & Asset Framework

Apps / Content: Customer Apps, Partner Apps, Splunk Apps
• Export
• Import
• Share (with an External Instance)

• Summarization Framework
• Alerting & Scheduling
• Visualization Framework
• Application Framework
More Honors – March 2016
• Best SIEM Solution
What's new in Splunk Enterprise Security 4.1?
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search
Use the new risk scores and quick searches to determine the impact of an incident quickly.
Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
Enhanced Investigation Timeline
Add file attachments to Investigation Timeline
Export Investigation Timeline as PDF
Behavioral Analytics in SIEM Workflow (ES 4.1 and UBA 2.2)
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
Use with ad hoc searches and investigations
Extends Splunk's Threat Intelligence Framework
Enterprise Security Demo
What is Splunk UBA?
Technology Evolution
1995: End-point Security
2002: Network Security
2008: Early Correlation
2011: Object Analysis
2015: Behavior Analysis
In 2014, industry spent:
Secure Email Gateway: $1.7 Billion
Secure Web Gateway: $1.3 Billion
Endpoint Protection: $2.8 Billion
Intrusion Prevention: $1.2 Billion
Firewall: $9.4 Billion
$16+ Billion. But, we need even more tools
Familiar with these breaches?
January 2015: Morgan Stanley, 730K PII Records
February 2015: Anthem Insurance, 80M Patient Records
February 2015: Office of Personnel Management, 22M PII Records
July 2015: Pentagon Unclassified Email System, 4K PII Records
So, what is the problem?
Compromised/misused credentials or devices
Lack of resources (security expertise)
Lack of alert prioritization & excessive false positives
External Attack
User activity, Day 1 … Day 2 … Day N:
Peter and Sam access a compromised website; a backdoor gets installed
The attacker uses Peter's stolen credential and VPNs into the Domain Controller
The attacker uses the backdoors to download and execute WCE – password cracker
Peter's and Sam's devices begin communicating with CnC
The attacker logs in as Sam and accesses sensitive documents from a file share
The attacker steals the admin Kerberos ticket and escalates the privileges for Sam
The attacker uses Peter's VPN credential to connect, copies the docs to an external staging server, and logs out after three hours
Insider Threat
User activity, Day 1 … Day 2 … Day N:
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise
Splunk User Behavioral Analytics: Automated Detection of Insider Threats and Cyber Attacks
Platform for Machine Data
Behavior Baselining & Modelling
Unsupervised Machine Learning
Real-Time & Big Data Architecture
Threat & Anomaly Detection
Security Analytics
Multi-Entity Behavioral Model (Temporal Window)
[Diagram] The entities User, Host, Network, Application and Data are each modelled over a temporal window of activities (Activity A … Activity N); the observed sequence across entities is Activity A, Activity C, Activity F, Activity B, Activity L.
Attack Defenses
Insider Threat
User activity, Day 1 … Day 2 … Day N:
John connects via VPN
Administrator performs ssh (root) to a file share - finance department
John executes remote desktop to a system (administrator) - PCI zone
John elevates his privileges
root copies the document to another file share - Corporate zone
root accesses a sensitive document from the file share
root uses a set of Twitter handles to chop and copy the data outside the enterprise

Anomalies detected:
Unusual Machine Access (Lateral Movement; Individual & Peer Group)
Unusual Zone (Corp → PCI) traversal (Lateral Movement)
Unusual Activity Sequence
Unusual Zone Combination (PCI → Corp)
Unusual File Access (Individual & Peer Group)
Multiple Outgoing Connections & Unusual SSL session duration
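As an added illustration of the behavioral baselining this slide describes (example code written for this transcript, not code from the deck or from Splunk UBA), the script below learns which zones and hosts each user and peer group normally touches from a constructed activity log, then flags the Corp → PCI zone traversal and the unusual machine/file access in John's Day N activity, distinguishing anomalies against the individual only from anomalies against the individual and the peer group. The log format, user names, zones and host names are all hypothetical.

```python
from collections import defaultdict

# Constructed sample activity log for the baseline window (hypothetical format:
# day, user, peer_group, action, zone, target). Not real Splunk UBA data.
BASELINE = [
    ("d1", "john",  "finance", "vpn",       "corp", "vpn-gw"),
    ("d1", "john",  "finance", "file_read", "corp", "fs-finance"),
    ("d2", "john",  "finance", "file_read", "corp", "fs-finance"),
    ("d1", "alice", "finance", "file_read", "corp", "fs-finance"),
    ("d2", "alice", "finance", "file_read", "corp", "fs-hr"),
    ("d1", "bob",   "dba",     "rdp",       "pci",  "db-pci-01"),
]

# Constructed "Day N" activity mirroring the insider scenario on the slide.
DAY_N = [
    ("dN", "john", "finance", "vpn",       "corp", "vpn-gw"),
    ("dN", "john", "finance", "rdp",       "pci",  "db-pci-01"),
    ("dN", "john", "finance", "file_read", "pci",  "fs-cardholder"),
]

def build_baseline(events):
    """Learn which zones and targets each user, and which targets each peer group, normally touches."""
    user_zones, user_targets = defaultdict(set), defaultdict(set)
    group_targets = defaultdict(set)
    for _, user, group, _, zone, target in events:
        user_zones[user].add(zone)
        user_targets[user].add(target)
        group_targets[group].add(target)
    return user_zones, user_targets, group_targets

def score_events(baseline, events):
    """Return (day, user, action, reasons) for each event that deviates from the baseline.
    Reasons mirror the slide's anomaly names: zone traversal, and machine/file access scoped
    to the individual only or to the individual & peer group."""
    user_zones, user_targets, group_targets = baseline
    anomalies, last_zone = [], {}
    for day, user, group, action, zone, target in events:
        reasons = []
        prev = last_zone.get(user)
        if prev and prev != zone and zone not in user_zones[user]:
            reasons.append(f"unusual zone traversal {prev} -> {zone}")
        if target not in user_targets[user]:
            scope = "individual" if target in group_targets[group] else "individual & peer group"
            reasons.append(f"unusual access to {target} ({scope})")
        if reasons:
            anomalies.append((day, user, action, reasons))
        last_zone[user] = zone
    return anomalies

if __name__ == "__main__":
    for hit in score_events(build_baseline(BASELINE), DAY_N):
        print(hit)
```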
A Few Customer Findings
• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft
Sectors: Retail, Hi-Tech, Manufacturing, Financial
What does Splunk UBA need?
At a minimum, from Splunk Enterprise or any SIEM: Active Directory/Domain Controller, DNS, DHCP, Proxy Server, Firewall
What customers have to say about Splunk UBA
"Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don't scale. We are pleased with the efficacy and efficiency of this solution as it makes the life of our SOC analysts way better." Mark Grimse, VP IT Security, Rambus
"A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it's crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space." Randolph Barr, CSO, Saba
Splunk UBA and Splunk ES Integration
Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: Data science driven threat detection, 99.99% event reduction
Splunk ES: Machine learning in SIEM workflow, anomaly-based correlation
What's New in UBA 2.2
Enhanced Insider Threat and Cyber Attack Detection (UBA 2.2)
Detection
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection and can be leveraged to detect threats on historical data.
Analysts can create many combinations and permutations of threat detection scenarios along with automated threat detection.
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics: user centric, device centric, application centric, protocol centric
Detailed Visibility, Understand Normal Behavior
Context Enrichment (UBA 2.2)
Citrix NetScaler (AppFlow), FireEye Email (EX), Symantec DLP, Bit9/Carbon Black, Digital Guardian, and many more…
Improved Precision and Prioritization of Threats
• Risk Percentile & Dynamic Peer Groups
• Support for Additional 3rd Party Devices
UBA Demo
The 7th Annual Splunk Worldwide Users' Conference
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Thank You!