Copyright © 2016 Splunk Inc.
Enterprise Security & UBA Overview
SplunkLive Melbourne 2016, Nick Crofts, Sr SE
Security Splunk Guy
whoami
Nick Crofts [email protected]
• < 1 year at Splunk
• Senior SE (Security SME)
• 14+ years in IT and security
• CISSP – passed the test.
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• Splunk Security Update
• Enterprise Security 4.2
• User Behavior Analytics 2.3
Data Breaches in Australia
2016 Cost of Data Breach Study
• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• "Time to Identify" and "Time to Contain" a data breach is critical
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
Source: June 2016
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
• Human – Machine
• Machine – Machine
Splunk as the Security Nerve Center
Data sources feeding the nerve center: App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity
Splunk Solutions: Across Data Sources, Use Cases and Consumption Models
• Platform for Machine Data
• Splunk Premium Solutions: ITSI, UBA
• Ecosystem of Apps: VMware, Exchange, PCI Security, IT Svc Int, UBA
• Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Splunk for Security
• Detection of Cyber Attacks
• Investigation of Threats and Incidents
• Optimized Incident Response and Breach Analysis
• Detection of Insider Threats
• Security & Compliance Reporting
Splunk UBA, Splunk ES
Splunk Security Ecosystem: Threat Intelligence, Identity and Cloud, Endpoint, Network
What is Splunk ES?
Platform for Machine Data
Splunk Enterprise Security: Advancing analytics-driven security
• Security and Compliance Reporting
• Monitor and Detect
• Investigate Threats and Incidents
• Analyze and Optimize Response
What’s New: Splunk Enterprise Security v4
Attack and Investigation Timelines
Adding content to a timeline:
• Action History – Actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo – Memo: investigator’s memos inserted in the desired timeline
• Incident Review – Incident: notable events from Incident Review
Analyst / Investigator
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search
• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
• An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
• Use with ad hoc searches and investigations
• Extends Splunk’s Threat Intelligence Framework
ES Demo
What is Splunk UBA?
WHAT IS THE PROBLEM?
• COMPROMISED/MISUSED CREDENTIALS OR DEVICES
• LACK OF RESOURCES (SECURITY EXPERTISE)
• LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES
Splunk User Behavioral Analytics: Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
• Behavior Baselining & Modelling
• Unsupervised Machine Learning
• Real-Time & Big Data Architecture
• Threat & Anomaly Detection
• Security Analytics
MULTI-ENTITY BEHAVIORAL MODEL
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
EVOLUTION (by increasing COMPLEXITY)
• RULES – THRESHOLD
• POLICY – THRESHOLD
• POLICY – STATISTICS
• UNSUPERVISED MACHINE LEARNING
• POLICY – PEER GROUP STATISTICS
• SUPERVISED MACHINE LEARNING
LARGEST LIBRARY OF UNSUPERVISED ML ALGORITHMS
DESIGNED FOR A HUNTER ANALYST
ANOMALY DETECTION: APPLYING ML AGAINST BEHAVIOUR BASELINES
DESIGNED FOR A SOC ANALYST
THREAT DETECTION: ML-DRIVEN AUTOMATED OR RULES-BASED ANOMALY CORRELATION
DATA SOURCES for UBA (KEY / OPTIONAL)
Categories: Identity/Auth; SaaS/Mobile; Security Controls; External Threat Feeds; Activity (N-S, E-W)
• Web Gateway
• Proxy Server
• Firewall
• Box, Salesforce, Dropbox, other SaaS apps
• Mobile Devices
• Anti-Malware
• Threat Intelligence
• Active Directory / Windows
• Single Sign-on
• HR – Identity
• VPN
• DNS, DHCP
• DLP
• AWS CloudTrail
• Endpoint
• IDS, IPS, AV
Splunk UBA and Splunk ES Integration
DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: DATA SCIENCE DRIVEN THREAT DETECTION, 99.99% EVENT REDUCTION
ES: MACHINE LEARNING IN SIEM WORKFLOW, ANOMALY-BASED CORRELATION
What’s New in UBA 2.x
Detection: Custom Threat Modeling Framework (UBA 2.2)
• Create custom threats using 60+ anomalies.
• Create custom threat scenarios on top of anomalies detected by machine learning.
• Helps with real-time threat detection and can be leveraged to detect threats on historical data.
• Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
• 30+ new metrics
• USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
• Detailed Visibility, Understand Normal Behavior
Behavioral Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
Detect and Investigate faster using ML integrated with SIEM
USER CENTRIC
• Top-N users by number of transactions
• Top-N users by login/logout activity
• Login/logout activity over time
• Average daily/weekly/monthly/yearly login/logout count
• Number of failed logins (global)
• Top-N users for failed logins
• Failed logins over time
• Average daily/weekly/monthly/yearly failed login counts
• Top-N users by data transfer
• Average daily/weekly/monthly/yearly data transfer for users
• Top-N users by session count
• Top-N users by session length
• Average session duration of users
DEVICE CENTRIC
• Top-N servers by activity (number of transactions)
• Top-N servers by login/logout activity
• Top-N servers for failed logins
• Failed logins over time
• Top-N destination devices by data transfer
• Top-N servers by data transfer
• Average daily/weekly/monthly/yearly data transfer for servers
• Top-N source devices by session count
APPLICATION / SESSION CENTRIC
• Total sessions count
• Total sessions count over time
• Total sessions count by device type (AD, VPN, SSH)
• Average sessions count (daily, weekly, monthly, yearly)
• Average global session duration
• Average session duration over time (daily, weekly, monthly, yearly)
PROTOCOL CENTRIC
• HTTP traffic by application type (protocol)
• Top-N domains by traffic
• Top-N domains by activity (number of events)
• Top-N client machines by traffic
• HTTP traffic over time (day, week, month, year)
• Average daily, weekly, monthly, yearly HTTP traffic
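As an added illustration (not Splunk's code and not part of the original deck), the script below computes two of the user-centric baseline metrics listed above, "Top-N users for failed logins" and "Average daily failed login count", from constructed auth events, and then shows the baseline-versus-anomaly idea behind UBA by flagging a day whose failed-login count is far above that user's own history. The leave-one-out z-score threshold is a hypothetical stand-in for UBA's own models.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample auth events (day, user, result); not real data.
# Ten quiet days for three users, then a burst of failures for "bob" on day 10.
EVENTS = []
for _day in range(1, 11):
    _date = f"2016-06-{_day:02d}"
    EVENTS += [(_date, "alice", "fail"), (_date, "alice", "success")]
    EVENTS += [(_date, "bob", "fail")] * 2 + [(_date, "bob", "success")]
    EVENTS += [(_date, "carol", "fail"), (_date, "carol", "success")]
EVENTS += [("2016-06-10", "bob", "fail")] * 18  # bob reaches 20 failures on day 10


def failed_logins_by_user_day(events):
    """Failed-login count per user per day: the series every baseline is built from."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, result in events:
        if result == "fail":
            counts[user][day] += 1
    return counts


def top_n_users_by_failed_logins(events, n=3):
    """The 'Top-N users for failed logins' metric, highest total first."""
    per_user = failed_logins_by_user_day(events)
    totals = {u: sum(days.values()) for u, days in per_user.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def average_daily_failed_logins(events):
    """The 'Average daily failed login count' metric, per user, over the days seen."""
    per_user = failed_logins_by_user_day(events)
    return {u: mean(days.values()) for u, days in per_user.items()}


def anomalous_days(events, z_threshold=3.0):
    """Flag (user, day) pairs far above the user's own baseline, using a hypothetical
    leave-one-out z-score over that user's other days. Flooring the stddev at 1.0
    stops a perfectly regular history from turning one extra failure into an alert."""
    per_user = failed_logins_by_user_day(events)
    flagged = []
    for user, days in per_user.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to baseline against
            z = (count - mean(others)) / max(pstdev(others), 1.0)
            if z > z_threshold:
                flagged.append((user, day, count, round(z, 2)))
    return flagged
```

With the constructed events, bob tops the failed-login ranking and only his day-10 burst is flagged; his ordinary days are not, because the burst itself widens the baseline they are compared against.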
UBA Demo
The 7th Annual Splunk Worldwide Users’ Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Thank You!