Page 1: How to Leverage Splunk's Security Intelligence Platform for Security Operations Environments

Copyright © 2013 Splunk Inc.

Enoch Long, Prin Sec Strategist/Client Architect, Splunk (Fed) #splunkconf

How to Leverage Splunk's Security Intelligence Platform for Security Operations Environments

Page 2

Legal Notices

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.

©2013 Splunk Inc. All rights reserved.

Page 3

Enoch Long | Principal Security Strategist | [email protected]

• Education: Computer Science, Temple University
• Skills: Network Security, Cyber Content Developer, Cyber Operations
• Career: 10 yrs
• Jobs: Cyber SME 7 yrs, SOC Mgr 2 yrs, Security Strategist 1 yr
• Govt Agencies: NSA, DHS, NRO, Dept of Edu
• Defense Companies: Northrop Grumman, General Dynamics, AT&T
• Accomplishments: 2012 Modern Day Technology Leader of the Year, BEYA

Page 4

Agenda

• Overview of Splunk's Security Intelligence Platform
• Alignment of Security Operations to Splunk
• Overview of Security Operations "Third Eye"
• Security Intangibles
• Questions

Page 5

Security → Intelligence → Platform

• Security
  – Application Security
  – Computing Security
  – Data Security
  – Information Security
  – Network Security

• Intelligence
  – Logic
  – Creativity
  – Visual Processing
  – Abstract Thought
  – Learning

• Platform
  – Multi-tenanted
  – Framework
  – Flexible
  – Development
  – Scale
  – Diverse Use Cases

Page 6

Overview of Security Operations

Page 7

Organizations within SecOps

• Security Monitoring
• Incident/Intelligence & Response
• Counter Intel

Page 8

Splunk Alignment with Ops

Technology Alignment to Operations

Page 9

Security Monitoring Using Splunk

• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario

Page 10

Incident/Intelligence Response Using Splunk

• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario

Page 11

Counter-Intelligence Using Splunk

• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario

Page 12

Overview of Security Ops "Third Eye"

Page 13

"Third Eye" Organizations

• Messaging Team
• Active Directory Team
• Firewall Team
• Web Server Team
• Data Loss Prevention Team
• Anti-Virus Team

Third Eye: a mystical concept, but in the security realm it is the inner eye, the invisible eye that monitors and protects the network: the operations intelligence teams.

Page 14

Splunk for Operations Intelligence Scenarios

Page 15

Mail Team

• SOC Analyst
• Exchange Admins
• CI Analyst

Page 16

Active Directory Team

• SOC Analyst
• AD Admins
• Incident Responder

Page 17

Firewall Team

• SOC Analyst
• Firewall Admins
• Incident Responder

Page 18

Web Server Team

• SOC Analyst
• Web Server Admins
• App Developer

Page 19

Security Intangibles

• Data Sources
• Common Mistakes
• Capability Limitations
• Lessons Learned

Page 20

Data Sources

• Traditional logs
  – Network device
  – Server
  – Web applications
  – Anti-virus
  – Mail logs

• Non-traditional logs
  – Chat logs
  – Phone call logs
  – War-dialing logs
  – Custom script logs
  – HR database logs
  – Honey-pot
  – The "secret sauce"

Insight

Page 21

Common Mistakes

• Misalignment of personnel to product core capabilities
• Wrong data sources
• No content strategy
• Lack of tech integration
• Minimal usage of SDK/API framework

Page 22

Capability Limitations

• Out of the box content/updates
• Complex search language
• Real-time at large scale
• No core case ticketing system
• Robust asset modeling tool

Page 23

Lessons Learned

1. Monitor role-based controls
2. Prioritize data
3. Prioritize concurrent searches
4. Align skills with Splunk capability
5. Not enough "backend" Splunk ninjas

Page 24

Next Steps

1. Download the .conf2013 Mobile App. If not iPhone, iPad or Android, use the Web App.
2. Take the survey & WIN A PASS FOR .CONF2014… or one of these bags!

Page 25

THANK YOU