
Best Practices for Rapid Containment of Incidents

Noam Syrkin, Sr. Technical Marketing Engineer, RedSeal

© 2019 SPLUNK INC.

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.

Agenda

▶ The importance of network terrain
▶ The shifting terrain
▶ Splunk ES and RedSeal
▶ Summary
▶ Q&A

Defending a City: What do you need to know?

▶ What is in the city?
▶ Where is the valuable stuff?
▶ How would an attacker get in?
▶ How would the attacker move around?

How We Try to Identify Cyber Terrain Today…

▶ What is in the city?
• Hosts, routers, switches, firewalls, etc.
• CMDB
• Vulnerability scans
• Endpoint protection

▶ Where is the valuable stuff?
• Data discovery
• Tagging
• Tribal knowledge?

▶ How would an attacker get in?
• Security awareness
• Pen testing

▶ How would an attacker move around?
• Traceroute, ping
• Live traffic

RedSeal Helps You Understand All Your Cyber Terrain
Across public cloud, SDN and physical environments

▶ Inventory
▶ Vulnerabilities
▶ Connections

Knowing what you have and how it's all connected

The Platform: Ingest Information to Create a Model

DISCOVER (inputs)
• Load balancers
• Firewalls
• Routers
• Switches
• Cloud "configs"
• Network configuration managers
• Host and vulnerability data

INGEST & CALCULATE
• L2, L3, L4 & L7 modeling
• Model on-prem networks
• Model private cloud
• Model public cloud

OUTPUT
• As-built network model

The Shifting Terrain


Why Is The Terrain Shifting?

Skills shortage: 82% of global IT leaders report significant labor shortages in cybersecurity
Source | April 2016 TechCrunch CIO Report

✔ Software defined everything
✔ Digital transformation
✔ Hybrid datacenters
✔ Internet of things
✔ Shadow IT

What Should Be One Integrated World … Is Really a Complex Ecosystem

▶ Network Engineers: Access & Policy
▶ Security Engineers: Prioritization & Speed
▶ Security Auditor: Audit & Compliance
▶ Your Fabric: Cloud & SDN
▶ Security Technologies (HP ArcSight)

… With Serious Gaps
• Separate worlds
• Incomplete information
• Too many interfaces

Splunk + RedSeal: Minimizing the time to contain incidents

Integration with RedSeal

▶ Understand your network terrain
▶ Valuable threat source data
• Where is it located? Both logically and physically?
• What other assets can it reach?
• What is the access path from the threat source to the target?
▶ Accelerate containment

OODA loop: Observe (point products), Orient (analytics), Decide (decision making), Act (acting)

Model & Understand Hybrid Environments
Bring all your assets into one place…

Incident Investigation

A threat is detected, now what?

▶ Top 4 questions:
• What are the details of the threat source?
• Where is it located? Both logically and physically?
• What other assets can it reach?
• What is the access path, and which devices sit between the threat source and the destination target?

▶ Can you answer these questions within minutes?

How does RedSeal Help?

1. Model and understand hybrid environments; compute access paths
2. Rapidly provide data on the IoC: location, OS, services, switch port, etc.
3. Identify the top reachable target groups
4. Provide details on the access path and the devices along the path
5. All the information needed to implement containment of the IoC is now identified

IoC → Reachable Targets → Access Path Details
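To make the five steps concrete, here is an added example written for this page; it is not RedSeal's or Splunk's code and does not call either product. It builds a small as-built model (four subnets, a router and a firewall with first-match ACLs), a constructed CMDB snippet, and a constructed alert payload in the shape an alert action reads on stdin, then computes what a responder needs: host details, which asset groups the IoC can reach on which ports, the access path with the devices along it, and where to block. Every subnet, device, address, rule, hostname, the `src_ip` field name and the definition of attack depth (L3 devices traversed) are assumptions.

```python
"""Access-path and containment model: an added illustration of the five steps
above, not RedSeal's engine. Every subnet, device, rule, host and payload is constructed."""
import ipaddress
import json
from collections import deque

# Constructed as-built model: subnet name -> (CIDR, asset group)
SUBNETS = {
    "user-lan": ("10.10.0.0/24", "Workstations"),
    "dmz": ("10.20.0.0/24", "DMZ"),
    "db-core": ("10.30.0.0/24", "Critical Assets"),
    "mgmt": ("10.40.0.0/24", "Management"),
}
# Constructed L3/L4 devices: interfaces are subnets; ACL rows are
# (action, src_cidr, dst_cidr, dst_port or None), first match wins.
DEVICES = {
    "core-rtr1": {"interfaces": ["user-lan", "dmz", "mgmt"],
                  "acl": [("permit", "0.0.0.0/0", "0.0.0.0/0", None)]},
    "fw-db1": {"interfaces": ["dmz", "db-core"],
               "acl": [("permit", "10.20.0.0/24", "10.30.0.0/24", 1433),
                       ("permit", "10.10.0.0/24", "10.30.0.0/24", 3389),  # risky: RDP from user LAN
                       ("deny", "0.0.0.0/0", "0.0.0.0/0", None)]},
}
# Constructed CMDB / scan data keyed by IP (step 2: OS, switch port, services)
HOSTS = {
    "10.10.0.57": {"hostname": "ws-0057", "os": "Windows 10", "switch": "sw-acc-03", "port": "Gi1/0/12"},
    "10.30.0.10": {"hostname": "db-prod-01", "os": "RHEL 8", "services": ["1433/tcp"]},
}
# Constructed alert payload in the shape an alert action reads from stdin;
# the "src_ip" field name is an assumption about the triggering search.
ALERT_PAYLOAD = {"search_name": "Malware detected on host",
                 "result": {"src_ip": "10.10.0.57", "signature": "Emotet"}}
PROBE_PORTS = (22, 443, 1433, 3389)

def ioc_from_alert(payload):
    return payload["result"]["src_ip"]

def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _group) in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def acl_permits(acl, src, dst, port):
    """First matching rule decides; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_cidr, dst_cidr, rule_port in acl:
        if (s in ipaddress.ip_network(src_cidr) and d in ipaddress.ip_network(dst_cidr)
                and rule_port in (None, port)):
            return action == "permit"
    return False

def find_path(src_ip, dst_ip, port):
    """BFS over subnets (steps 1 and 4): a device is a hop between two of its interfaces
    when its ACL permits the flow. Returns [subnet, device, subnet, ...] or None."""
    start, goal = subnet_of(src_ip), subnet_of(dst_ip)
    if start is None or goal is None:
        return None
    if start == goal:
        return [start]
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for dev, spec in DEVICES.items():
            if path[-1] not in spec["interfaces"] or not acl_permits(spec["acl"], src_ip, dst_ip, port):
                continue
            for nxt in spec["interfaces"]:
                if nxt in seen:
                    continue
                if nxt == goal:
                    return path + [dev, nxt]
                seen.add(nxt)
                queue.append(path + [dev, nxt])
    return None

def reachable_groups(src_ip):
    """Step 3: asset groups the IoC can reach, with the ports that get through."""
    groups = {}
    for name, (cidr, group) in SUBNETS.items():
        if name == subnet_of(src_ip):
            continue
        probe = str(ipaddress.ip_network(cidr)[10])  # representative host in the subnet
        ports = [p for p in PROBE_PORTS if find_path(src_ip, probe, p)]
        if ports:
            groups.setdefault(group, set()).update(ports)
    return {g: sorted(p) for g, p in groups.items()}

def containment_report(ioc_ip, target_ip, port):
    """Steps 2 to 5: host details, reach, path and where to block."""
    path = find_path(ioc_ip, target_ip, port)
    host = HOSTS.get(ioc_ip, {})
    devices = path[1::2] if path else []
    block_points = []
    if host.get("switch"):  # quarantine the access port the IoC is plugged into
        block_points.append(f"shutdown {host['switch']} {host['port']}")
    if devices:  # cut all lateral movement at the first L3 hop
        block_points.append(f"deny {ioc_ip} any on {devices[0]}")
    return {"ioc": ioc_ip, "host": host, "attack_depth": len(devices),  # assumed: L3 devices traversed
            "reachable_groups": reachable_groups(ioc_ip), "path": path, "block_points": block_points}

if __name__ == "__main__":
    print(json.dumps(containment_report(ioc_from_alert(ALERT_PAYLOAD), "10.30.0.10", 3389), indent=2))
```

Running it reports that the workstation reaches the Critical Assets group only on 3389, and the path shows which device admits that flow (the RDP rule on fw-db1). The two block points deliberately differ in scope: shutting the access port and a first-hop deny on core-rtr1 stop all lateral movement in the first minutes, while removing the RDP rule is the longer-term fix for the exposure the path revealed. A real ACL is evaluated per interface and direction; this model applies one ACL per device, which is enough to show the computation.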

Demo: Adaptive Response Actions

▶ Start from the IoC IP address in Splunk ES
▶ Run the RedSeal Adaptive Response actions
▶ Review the RedSeal AR reports:
• Basic host details
• Host details: attack depth, port, switch, access to critical assets
• Reachable groups from the IoC
▶ Launch RedSeal to walk the model:
• IP of IoC: what is it? where is it at?
• Where can they go? (reachable groups)
• How do they get there? (access path from A to B)

Summary: Integration with RedSeal

▶ Understand your network terrain
▶ Enrich the threat source: where it is (logically and physically), what other assets it can reach, and the access path from source to target
▶ Accelerate containment: Observe (point products), Orient (analytics), Decide, Act

Thank You!

RATE THIS SESSION: go to the .conf19 mobile app