Copyright © 2013 Splunk Inc.
Enoch Long, Principal Security Strategist/Client Architect, Splunk (Fed) #splunkconf
How to Leverage Splunk’s Security Intelligence Platform for Security Operations Environments
Legal Notices: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.
©2013 Splunk Inc. All rights reserved.
Enoch Long | Principal Security Strategist [email protected]
• Education: Computer Science, Temple University
• Skills: Network Security, Cyber Content Developer, Cyber Operations
• Career: 10 yrs
• Jobs: Cyber SME 7 yrs, SOC Mgr 2 yrs, Security Strategist 1 yr
• Govt Agencies: NSA, DHS, NRO, Dept of Edu
• Defense Companies: Northrop Grumman, General Dynamics, AT&T
• Accomplishments: 2012 Modern Day Technology Leader of the Year, BEYA
Agenda
• Overview of Splunk’s Security Intelligence Platform
• Alignment of Security Operations to Splunk
• Overview of Security Operations “Third Eye”
• Security Intangibles
• Questions
Security → Intelligence → Platform
• Security
  – Application Security
  – Computing Security
  – Data Security
  – Information Security
  – Network Security
• Intelligence
  – Logic
  – Creativity
  – Visual Processing
  – Abstract Thought
  – Learning
• Platform
  – Multi-tenanted
  – Framework
  – Flexible
  – Development
  – Scale
  – Diverse Use Cases
Overview of Security Operations
Organizations within SecOps
Security Monitoring
Incident/Intelligence & Response
Counter Intel
Splunk Alignment with Ops
Technology Alignment to Operations
Security Monitoring Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Incident/Intelligence Response Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Counter-Intelligence Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Overview of Security Ops “Third Eye”
"Third Eye" Organizations
• Messaging Team
• Active Directory Team
• Firewall Team
• Web Server Team
• Data Loss Prevention Team
• Anti-Virus Team
Third Eye is a mystical concept, but in the security realm it is the inner eye: the invisible eye that monitors and protects the network, the operations intelligence teams.
Splunk for Operations Intelligence Scenarios
Mail Team
SOC Analyst Exchange Admins
CI Analyst
Active Directory Team
SOC Analyst AD Admins
Incident Responder
Firewall Team
SOC Analyst Firewall Admins
Incident Responder
Web Server Team
SOC Analyst Web Server Admins
App Developer
Security Intangibles
• Data Sources
• Common Mistakes
• Capability Limitations
• Lessons Learned
Data Sources
• Traditional logs
  – Network device
  – Server
  – Web applications
  – Anti-virus
  – Mail logs
• Non-traditional logs
  – Chat logs
  – Phone call logs
  – War-dialing logs
  – Custom script logs
  – HR database logs
  – Honey-pot
  – The “secret sauce”
Insight
Common Mistakes
• Misalignment of personnel to product core capabilities
• Wrong data sources
• No content strategy
• Lack of tech integration
• Minimal usage of SDK/API framework
Capability Limitations
• Out of the box content/updates
• Complex search language
• Real-time at large scale
• No core case ticketing system
• Robust asset modeling tool
Lessons Learned
1. Monitor role-based controls
2. Prioritize data
3. Prioritize concurrent searches
4. Align skills with Splunk capability
5. Not enough “backend” Splunk ninjas
Next Steps
Download the .conf2013 Mobile App. If not on iPhone, iPad or Android, use the Web App.
Take the survey and win a pass for .conf2014, or one of these bags!
THANK YOU