Copyright © 2014 Splunk Inc. Splunk402 October 2015 Meeting: .conf2015 Wrap Up

Slide 1
Splunk402 October 2015 Meeting: .conf2015 Wrap Up

Slide 2: Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Slide 3: Agenda
- Introductions and Welcomes
- Recap of .conf2015
- Splunk Enterprise Security 4.0
- What's New in Splunk 6.3
- Networking

Slide 4: Recap of .conf2015

Slide 5: .conf2015 Highlights
YouTube video: https://www.youtube.com/watch?v=O0ihb4Sn1lc

Slide 6: Recap: User Recap

Slide 7: Recap: Slides and Videos
http://conf.splunk.com/speakers.html

Slide 8: SplunkTrust
http://wiki.splunk.com/Community:SplunkTrust

Slide 9: Virtual .conf
- Splunk Meetups: http://www.meetup.com/Splunk-Meetups/
- SplunkTrust Virtual .conf Session #1: http://www.meetup.com/Splunk-Meetups/events/225856928/
- SplunkTrust Virtual .conf Session #2: http://www.meetup.com/Splunk-Meetups/events/226185447/

Slide 10: Splunk Enterprise Security Overview

Slide 11: Company Update
- Company (NASDAQ: SPLK): founded 2004, first software release in 2006; HQ San Francisco, regional HQ London and Hong Kong; over 1,800 employees based in 12 countries.
- Business model / products: free download to massive scale; Splunk Enterprise, Splunk Cloud, Splunk Light; Hunk: Splunk Analytics for Hadoop and NoSQL.
- Customers: 10,000+ customers in 100 countries; 80+ of the Fortune 100; largest license over 400 terabytes per day.

Slide 12: Advanced Threats Are Hard to Find
Adversaries: cyber criminals, nation states, insider threats. Source: Mandiant M-Trends Report 2012/2013/2014:
- 100%: valid credentials were used
- 40: average number of systems accessed
- 229: median number of days before detection
- 67%: of victims were notified by an external entity

Slide 13: A New Approach to Security Operations Is Needed
Threat (attack approach): human directed; goal-oriented; dynamic (adjusts to changes); coordinated; multiple tools and activities; new evasion techniques.
Security approach (fusion of people, process and technology): contextual and behavioral; rapid learning and response; share information and collaborate; analyze all data for relevance; leverage IOCs and threat intel.

Slide 14: A New Approach to Security Operations Is Needed
The same contrast, with the security approach summarized as analytics-driven security built on technology, people and process.

Slide 15: Analytics-driven Security
Risk-based; context and intelligence; connecting people and data.

Slide 16: All Data Is Security Relevant
Traditional security sources: intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication.
Everything else: servers, storage, desktops, email, web, transaction records, network flows, DHCP/DNS, hypervisor, custom apps, physical access badges, threat intelligence, mobile, CMDB.

Slide 17: Splunk for Security
- Security apps and add-ons
- Splunk Enterprise Security: SIEM, security analytics, fraud and business risk, managed security and intelligence services
- Splunk UBA
- Data in: wire data, Windows, RDBMS (any) data; SIEM integration

Slide 18: Put It All Together: Security Maturity Level
Maturity progression, reactive to proactive: Search and Investigate; Proactive Monitoring and Alerting; Security Situational Awareness; Real-time Risk Insight.
Use cases: APT detection/hunting (kill chain method); counter-threat automation; threat intelligence aggregation (internal and external); fraud detection; ATO, account abuse, insider threat detection; replace SIEM at lower TCO and increase maturity; augment SIEM to increase coverage and agility; compliance monitoring, reporting, auditing; log retention, storage, monitoring, auditing; continuous monitoring/evaluation; incident response and forensic investigation; event searching, reporting, monitoring and correlation; rapid learning loop, shortening the discover/detect cycle; rapid insight from all data.
Roles/functions: fraud analyst; threat research/intelligence; malware research; cyber security/threat; security analyst; CSIRT; forensics; engineering; Tier 1, Tier 2 and Tier 3 analysts; audit/compliance; security operations.

Slide 19: Security Intelligence Use Cases
Splunk provides solutions that address a wide range of use cases: security and compliance reporting; real-time monitoring and alerting; incident analysis and investigations; fraud detection; insider threat; advanced threat detection.

Slide 20: Security Ecosystem for Coverage and Protection
Kill-chain stages across the top: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission. Data layers down the side: threat intelligence; host activity/security; network activity/security; auth (user roles, corporate context).

Slide 21: Rapid Ascent in the Gartner SIEM Magic Quadrant*
2011 Niche Player; 2012 Challenger; 2013 Leader; 2014 Leader; 2015 Leader and the only vendor to improve its visionary position.
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Slide 22: Thousands of Global Security Customers

Slide 23: Splunk Enterprise Security 4.0

Slide 24: Market Challenges & Requirements
Challenges: attacks are increasingly dynamic; often a series of events over time; investigations require multiple analysts; shortage of qualified security analysts.
Requirements: focus on tracking attack activities while the system tracks the investigation, actions and notes; help analyze and investigate faster, leveraging expertise across silos; easily collaborate with peers and enhance communication; investigate the sequence of events using the kill chain method to determine the attack lifecycle.

Slide 25: What's New in Splunk Enterprise Security 4.0
- Attack & Investigation Timeline and Investigator Journal: optimized multi-step analyses to improve breach detection and response
- Extensible Analytics & Collaboration
- Open Solutions Framework

Slide 26: Extensible Analytics & Collaboration
- Splunk User Behavior Analytics (UBA) threats show up as ES Notable Events
- View contributing anomalies from ES
- View contributing events from UBA
- Single sign-on

Slide 27: Splunk UBA

Slide 28: The majority of threat detection solutions focus on the knowns. What about the unknowns?

Slide 29: Splunk UBA detects advanced cyber attacks and insider threats with behavioral threat detection.

Slide 30: How Does Splunk UBA Work?
Data sources: SIEM, Hadoop; firewall, AD, DLP; AWS, VM, cloud, mobile; end-point, app, DB logs; NetFlow, PCAP; threat feeds. Data-science-driven threat detection (baseline, KPIs, analytics) yields automated threat detection and security analytics; 99.99% event reduction.

Slide 31: Deployment Models
Clustered VMs on-prem, or Splunk UBA on AWS for cloud/hybrid deployments; data sources feed through Splunk Enterprise.

Slide 32: Splunk UBA: Customer Threats Uncovered
- Account takeover: privileged account compromise; data loss
- Lateral movement: pass-the-hash kill chain; privilege escalation
- Insider threats: misuse of credentials; IP theft
- Malware attacks: hidden malware activity; advanced persistent threats (APTs)
- Botnet, C&C: malware beaconing; data exfiltration
- User and entity behavior analytics: login credential abuse; suspicious behavior

Slide 33: Splunk for Security: Advanced Security Analytics

Slide 34: How to Prevent Insider Threat
YouTube video: https://www.youtube.com/watch?v=ZN4azXu-jiE

Slide 35: Introducing Splunk Enterprise 6.3

Slide 36: Turn Machine Data into Operational Intelligence
Index any machine data: any source, type, volume. Sources: online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; on-premises, private cloud, public cloud. Gain real-time visibility: application delivery, security and compliance, infrastructure monitoring, business analytics, Internet of Things.

Slide 37: Fully-integrated Enterprise Platform
Platform for Operational Intelligence: any data, any source; collect and index data; search and investigate; monitor and alert; visualize and report; correlate and analyze; access anywhere; manage operations. Enterprise scale and HA; secure operation; Splunk Apps; developer SDKs/API; enterprise integration.

Slide 38: Versions: Setting the Standard for Operational Intelligence
2006-2008, Tool ("Google for the datacenter"): versions 1, 2, 3. 2009-2011, Engine ("engine for machine-generated data"): versions 4, 4.1, 4.2, 4.3. 2012-2015, Platform ("platform for Operational Intelligence"): versions 5.x, 6.x.

Slide 39: Splunk Enterprise 6.3
- Breakthrough Performance & Scale: doubles performance and lowers TCO; meeting the needs of the most demanding organizations
- Advanced Analysis & Visualization: simplifies analysis of large datasets
- High-Volume Event Collection: supports DevOps and IoT data analysis at scale
- Enterprise-Scale Platform: delivers enterprise platform requirements

Slide 40: Splunk Enterprise 6.3 (the same overview, with headline figures for performance and scale: 2x search and indexing speed; 20-50% increased capacity; 20%+ reduced TCO)

Slide 41: Breakthrough Performance, Scale, TCO
- Search performance: 2x execution speed; improves the speed of searches and reports
- Indexing speed: 2-4x data rate; onboard and analyze larger datasets
- Intelligent scheduling: 25%+ capacity gain; optimizes resource utilization
- Vertical scaling maximizes use of CPU power: total system capacity increases 20-50%; reduces TCO by 20% or more
Comparisons are to Splunk Enterprise 6.2. Customer performance and TCO will vary according to workload, configuration and available processing capacity.

Slide 42: So What Does Breakthrough Mean?
Release 6.3 vs. 6.2: critical reports can be available in half the time (from the 2x search execution speed); new data is ready for analysis in a quarter to half the time (from the 2-4x indexing rate); it takes 20% less indexing hardware (HW) to expand or deploy Splunk.
Release 6.3 vs. 6.0: Splunk expansion costs have dropped over 50% since 2013; a new customer can deploy Splunk using 1/3 the HW vs. 2013, so a deployment is a fraction of its 2013 cost.

Slide 43: See for Yourself: Release 6.2 Versus 6.3

Slide 44: Vertical Scaling: Search & Reporting
- Multiple CPU cores can be used to execute more searches faster
- Common batch-style searches and reports can execute 2x as fast (or faster)
- Search performance can be optimized without additional systems
Search performance: 2x execution speed; at least double the execution speed of the most common activities.

Slide 45: Vertical Scaling: Data Indexing
Additional CPU cores can be used to increase data onboarding capacity and to increase burst data ingestion speed by 2x or more. The new architecture guideline is raised from 250 to 300 GB/day per indexer (commodity hardware). Onboarding speed: 2-4x data rate; increased data throughput with fewer indexers.

Slide 46: Intelligent Job Scheduling
Simplified and more effective scheduling: the admin can use "finish by" criteria for daily jobs; Splunk automatically profiles workloads and controls scheduling; optimizes resource utilization and reduces skipped searches; helps ensure timely execution of time-critical searches; smooths workloads over time. Can increase capacity by 25% or more.

Slide 47: Vertical Scaling: Forwarders
With 6.2, using more than 4 cores requires multi-instance installation and management. With 6.3, additional CPU cores (in 4-core packs) are used with single-instance simplicity; for example, a 16-core system can now process 4x the data. Simplified forwarder management, 4x efficiency.

Slide 48: Splunk Enterprise 6.3 (overview repeated; Advanced Analysis & Visualization now lists Anomaly Detection, Geospatial Mapping, Single-Value Display)

Slide 49: Analysis & Visualization
- Anomaly Detection: incorporates Z-score, IQR and histogram methodologies in a single command
- Geospatial Visualization: visualizes metric variance across a customizable geographic area
- Single Value Display: at-a-glance, single-value indicators with useful context

Slide 50: Anomaly Detection
- New SPL command provides histogram-based anomaly detection
- The net-new histogram-based approach offers a more accurate detection method
- A single command offers three options: Z-score, IQR and histogram
- Replaces the existing outlier and anomalousvalue commands

Slide 51: Geospatial Visualization
- Choropleth maps help users easily spot spatial patterns
- Color scales can be configured per use case
- Users can upload their own geographical polygon definitions
- Visualizes metric variance across a customizable geographic area

Slide 52: Single Value Display
- Large type and prominent colors make values or changes visible, even from a distance
- Sparkline shows trends in the recent history
- Delta indicator shows changes since a previous time
- At-a-glance, single-value indicators with useful context

Slide 53: Splunk Enterprise 6.3 (overview repeated; High-Volume Event Collection now lists HTTP Event Collector, Developer API & SDKs, 3rd-party integrations)

Slide 54: HTTP Event Collector
Supports DevOps and IoT data analysis needs at scale, for DevOps and developers and for IoT devices and applications:
1. A standard API and logging libraries send events directly to Splunk
2. Libraries are integrated into popular platforms and services
Scales to millions of events per second.

Slide 55: Splunk Enterprise 6.3 (overview repeated; Enterprise-Scale Platform now lists Expanded Management, Custom Alert Actions, Data Integrity Control)

Slide 56: Distributed Management Console II
New topology views, status and alerting for Splunk deployments:
- Visualizes the search head/indexer matrix with KPI and performance overlays
- Search head clustering replication and scheduler views
- Forwarder views with status and performance data
- Index and metadata storage utilization
- System health alerting

Slide 57: Indexer Auto-Discovery
Simplifies forwarder management in a dynamic environment: the cluster master maintains a dynamic indexer list that forwarders read, so indexers can be added or removed without affecting forwarder configuration or operation.

Slide 58: Data Integrity Control
Helps ensure data fidelity and meets GPG13 compliance requirements:
- Hash signatures of selected index data are saved at regular intervals
- Intervals can be validated by the admin
- Meets security and compliance requirements by verifying that data has not been tampered with
- Hashes can be exported to further ensure security

Slide 59: Custom Alert Actions
Use Splunk alerts to trigger and automate workflows: allows packaged integration with third-party applications; simple admin/user configuration; developers can build, package and publish alert actions within an app; growing list of integrations available.

Slide 60: Splunk Mobile Access (formerly called Splunk Mobile App)
Splunk dashboards, alerts and more for iOS and Android devices: monitor dashboards, KPIs, reports; receive real-time business and operational alerts; annotate and share data; supports MDM and single sign-on; no longer requires a separate Mobile Access Server.

Slide 61: Splunk Enterprise 6.3 (complete overview repeated)

Slide 62: Thank You