Copyright © 2016 Splunk Inc. Enterprise Security and UBA Overview

Enterprise Security featuring UBA


DISCLAIMER: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.


Agenda

• Splunk Portfolio Update
• Enterprise Security 4.5
• User Behavior Analytics 3.0

Platform for Machine Data

Splunk Solutions > Easy to Adopt: across data sources, use cases and consumption models

• Splunk premium solutions: Enterprise Security (ES), IT Service Intelligence (ITSI), User Behavior Analytics (UBA)
• Rich ecosystem of apps (for example Exchange, PCI Security, VMware)
• Data sources: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL

Splunk Releases

• Splunk Enterprise and Splunk Cloud 6.5
• Enterprise Security (ES) 4.5
• User Behavior Analytics (UBA) 3.0

Splunk Security Vision: Security Markets

• SIEM and Compliance
• Security Analytics (supervised and unsupervised)
• Fraud and Business Risk
• Managed Security and Intelligence Services

Splunk Security Intelligence Framework: workflow/collaboration, case management, content/intelligence syndication and ecosystem brokering

Enterprise Security

Provides: SIEM and Security Nerve Center for security operations / command centers

Functions: alert management, detection using pre-built correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing

Personas served: SOC analysts, security teams, incident responders, hunters, security managers

Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attack detection using correlation searches, dynamic baselines

User Behavior Analytics

Provides: advanced threat detection using unsupervised machine learning; enriches Splunk Enterprise Security (SIEM)

Functions: baselines behavior from log data and other data to detect anomalies and threats

Personas served: SOC analysts, hunters

Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science

Enterprise Security

Presenter: Christopher Shobert (Security Engineer / SME)

Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*

• Four years in a row as a Leader
• Furthest overall in Completeness of Vision
• Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases

* Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Splunk scores highest in the 2016 Critical Capabilities for SIEM* report in all three use cases (same Gartner source and disclaimer as above).

SIEM Use Cases

* Gartner Research Document: 2016 Critical Capabilities for SIEM

Use cases*: Basic Security Monitoring; Advanced Threat Defense; Forensics and Incident Management

Critical Capabilities*: Real-time Monitoring; User Monitoring; Incident Response and Management; Advanced Analytics; Threat Intelligence & Business Context; Advanced Threat Defense; Data and Application Monitoring; Deployment and Support Flexibility

ES Frameworks that map to them: Notable Events; Asset & Identity; Threat Intelligence; Risk Analysis; Adaptive Response

Splunk Enterprise Security: Fast Facts

● Current version: 4.5, released on October 12, 2016
● Two major releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES: flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses

Splunk Enterprise Security: SIEM and Security Nerve Center

Release timeline (axis labels on the slide: Q2 2015, Q4 2015, Q2 2016, Q3 2016):

• ES 3.3: Threat Intel Framework; User Activity Monitoring; Content Sharing; Data Ingestion
• ES 4.0: Breach Analysis; Integration with Splunk UBA; Enterprise Security Framework
• ES 4.1: Behavior Anomalies; Risk and Search in Incident Review; Facebook ThreatExchange
• ES 4.2: Adaptive Response enablement; Performance; Actions Dashboard; Search Driven Lookup
• ES 4.5: Adaptive Response; Glass Tables; Adaptive Response partner enablement

The Frameworks of ES

What is Enterprise Security? A collection of frameworks:

• Notable Event
• Asset and Identity
• Risk Analysis
• Threat Intelligence
• Adaptive Response


Notable Events

Where correlation searches are surfaced


Asset and Identity

System inventory in ES


Risk Analysis

Adds context…

Risk score displayed in Incident Review
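The scoring that puts a risk number next to a notable in Incident Review can be illustrated with a small aggregator. What follows is an added example, not Splunk's code: it assumes a risk index of modifier events carrying `risk_object`, `risk_object_type`, `risk_score` and `source` fields, a constructed asset lookup keyed by IP address standing in for the Asset & Identity framework, and an assumed priority weighting; all events and assets in it are constructed for illustration.

```python
"""Added example, not Splunk code: a toy version of what ES's Risk Analysis
framework does with the context the Asset & Identity framework supplies.
Correlation searches emit risk modifiers (a score against a user or system);
the aggregate per object, weighted by asset priority, drives a risk notable."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (the kind of lookup Asset & Identity maintains).
ASSETS = {
    "10.0.1.5": {"nt_host": "DC01", "priority": "critical", "category": "domain_controller"},
    "10.0.2.23": {"nt_host": "WS-BILL", "priority": "medium", "category": "workstation"},
}
# Assumed weighting: a hit on a critical asset counts double, an unknown one counts once.
PRIORITY_WEIGHT = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5, "unknown": 1.0}

# Constructed risk modifiers, one per correlation search that fired.
RISK_EVENTS = [
    {"_time": "2016-10-10T07:00:00", "risk_object": "bill", "risk_object_type": "user",
     "risk_score": 60, "source": "Threat List Activity"},  # older than the window below
    {"_time": "2016-10-12T08:00:00", "risk_object": "10.0.2.23", "risk_object_type": "system",
     "risk_score": 20, "source": "Brute Force Access Behavior Detected"},
    {"_time": "2016-10-12T08:05:00", "risk_object": "bill", "risk_object_type": "user",
     "risk_score": 30, "source": "Excessive Failed Logins"},
    {"_time": "2016-10-12T09:10:00", "risk_object": "10.0.1.5", "risk_object_type": "system",
     "risk_score": 40, "source": "Brute Force Access Behavior Detected"},
    {"_time": "2016-10-12T09:30:00", "risk_object": "bill", "risk_object_type": "user",
     "risk_score": 30, "source": "Unusual Activity Time"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def enrich(event):
    """Attach asset context to a system risk object; users get no asset priority."""
    e = dict(event)
    asset = {"nt_host": None, "priority": "unknown", "category": "unknown"}
    if e["risk_object_type"] == "system":
        asset = ASSETS.get(e["risk_object"], asset)
    e.update(asset)
    e["weighted_score"] = e["risk_score"] * PRIORITY_WEIGHT[e["priority"]]
    return e


def aggregate_risk(events, now, window=timedelta(hours=24)):
    """Sum weighted risk per object over the trailing window; older modifiers age out."""
    totals = defaultdict(float)
    for ev in events:
        if parse_time(ev["_time"]) < now - window:
            continue
        e = enrich(ev)
        totals[e["risk_object"]] += e["weighted_score"]
    return dict(totals)


def risk_notables(totals, threshold=50.0):
    """Objects whose accumulated risk exceeds the threshold, highest first."""
    hits = [(obj, score, ASSETS.get(obj, {}).get("nt_host"))
            for obj, score in totals.items() if score > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def run(now=datetime(2016, 10, 12, 10, 0, 0)):
    totals = aggregate_risk(RISK_EVENTS, now)
    return totals, risk_notables(totals)


if __name__ == "__main__":
    totals, hits = run()
    for obj, score, host in hits:
        print(f"risk notable: {obj} ({host or 'identity'}) accumulated {score:.0f}")
```

The point to notice is the domain controller: its single 40-point modifier only crosses the 50-point threshold because the asset lookup marks it critical, which is the context the slide says Risk Analysis adds. The user object, with no asset record, is scored at face value, and the two-day-old modifier is ignored by the window.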


Threat Intelligence

Indicators everywhere

Indicator types: certificates, domains, email, file, HTTP, IP addresses, processes, registry, services, users


Adaptive Response Framework

Correlation Search > Alert; Search > Alert

Meta, bro

Splunk as the Security Nerve Center

Integration points around the nerve center: Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel

Insight from Across the Ecosystem

Effectively leverage security infrastructure to gain a holistic view. Partner integrations:

1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. ThreatConnect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. CyberArk
17. Tanium
18. Carbon Black
19. ForeScout

Enterprise Security: Demo

Splunk User Behavior Analytics

Presenter: Anurag Gurtu (Dir. Product Marketing)

WHAT IS SPLUNK UBA?

Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the-box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baselining and peer group analytics.

Splunk User Behavior Analytics: automated detection of INSIDER THREATS AND CYBER ATTACKS

Building blocks: Platform for Machine Data; Real-Time & Big Data Architecture; Behavior Baselining & Modelling; Unsupervised Machine Learning; Threat & Anomaly Detection; Security Analytics

A FEW CUSTOMER FINDINGS

• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account Activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft

Industries: Retail, Hi-Tech, Manufacturing, Financial

WHAT WILL I DEMO

• Ingest data from security products
• Observe anomaly generation
• Observe threat generation and transformation

KEY TAKEAWAYS

• Data ingestion is straightforward and fast
• ML algorithms process raw events and generate anomalies (real-time)
• ML algorithms stitch anomalies into threats (real-time)
• ML algorithms transform a threat into a new state

DEMO NETWORK TOPOLOGY

Devices whose logs are ingested, in order (the diagram also shows two switches):

1. Firewall East-West
2. Firewall North-South
3. Edge router with VPN concentrator

INGEST DATA, ONE SOURCE AT A TIME

• Step 1: ingest Firewall East-West logs
• Step 2: ingest Firewall North-South logs (40.1K events)
• Step 3: ingest VPN logs from the edge router with VPN concentrator (80.9K events)

WHAT WOULD HAPPEN IF SPLUNK UBA INGESTED DATA FROM ONLY ONE DEVICE?

Firewall East-West (30K events)
• Anomaly: Unusual Network Activity (17)
• Threats: Insider: Lateral Movement (Bill); Insider: Lateral Movement (Rod)

Edge router with VPN concentrator (80.8K events)
• Anomalies: Unusual Activity Time (1); Land Speed Violation (1)

Firewall North-South (40.1K events)
• Anomalies: Unusual Geo Location of Communication Destination (13); Excessive Data Transmission (2)
• Threats: Data Exfiltration by Suspicious Device (2)

ADDITIONAL DATA SOURCES ENRICH THREAT DETECTION

LET'S SUMMARIZE

Threat evolution as sources were added:

Insider: Lateral Movement (Bill) and Insider: Lateral Movement (Rod) >> Insider: Data Exfiltration by Suspicious User or Device (Bill & Rod) >> External: Data Exfiltration by Compromised Account (Bill & Rod)

• Threat continued to evolve with additional data sources
• ML processed raw events and generated manageable alerts
• 100% ML driven
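How raw events become anomalies, and anomalies become a threat whose label changes as sources are added, can be shown end to end. The block below is an added example, not UBA's own models: three detectors (a land-speed check on VPN logins, a per-host baseline on outbound megabytes from the north-south firewall, and the same baseline on internal fan-out from the east-west firewall) run over constructed log data, followed by a stitching step that escalates the threat per user. The host-to-owner table, the thresholds, the log shapes and the geo coordinates are all assumptions made for the example.

```python
"""Added example, not Splunk UBA code: baseline behaviour from three constructed
log sources, emit anomalies, then stitch anomalies per user into a threat whose
label escalates as more sources are added (the evolution shown in the demo)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed host-to-owner mapping, as an Asset & Identity lookup would supply.
HOST_OWNER = {"ws-bill": "bill", "ws-rod": "rod", "ws-carol": "carol"}

# Constructed VPN concentrator logins: (user, local time, geo-resolved lat, lon).
VPN_LOGINS = [
    ("bill", "2016-10-10 08:00", 37.77, -122.42),  # San Francisco
    ("bill", "2016-10-11 20:00", 37.77, -122.42),
    ("bill", "2016-10-12 02:00", 55.75, 37.62),    # Moscow, six hours after a San Francisco login
    ("rod", "2016-10-12 08:00", 40.71, -74.01),    # New York
]

def daily(start, values):
    """Expand a run of daily values into [(day, value)] beginning at start."""
    d0 = datetime.strptime(start, "%Y-%m-%d")
    return [((d0 + timedelta(days=i)).strftime("%Y-%m-%d"), v) for i, v in enumerate(values)]

# Constructed north-south firewall totals: MB each host sent to the internet per day.
NS_MB_OUT = {"ws-bill": daily("2016-10-05", [50, 60, 55, 65, 58, 62, 54, 900]),
             "ws-rod": daily("2016-10-07", [40, 45, 42, 48, 44, 700]),
             "ws-carol": daily("2016-10-08", [30, 35, 33, 31, 34])}
# Constructed east-west firewall totals: distinct internal hosts each host contacted per day.
EW_FANOUT = {"ws-bill": daily("2016-10-05", [3, 4, 3, 5, 4, 3, 4, 41]),
             "ws-rod": daily("2016-10-07", [2, 3, 2, 2, 3, 25]),
             "ws-carol": daily("2016-10-08", [5, 6, 5, 7, 6])}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def land_speed_violations(logins, max_kmh=900.0):
    """Consecutive logins by one user that would need travel faster than max_kmh."""
    by_user = defaultdict(list)
    for user, when, lat, lon in logins:
        by_user[user].append((datetime.strptime(when, "%Y-%m-%d %H:%M"), (lat, lon)))
    out = []
    for user, seq in by_user.items():
        seq.sort()
        for (t0, p0), (t1, p1) in zip(seq, seq[1:]):
            hours = (t1 - t0).total_seconds() / 3600.0
            km = haversine_km(p0, p1)
            if hours > 0 and km / hours > max_kmh:
                out.append(("land_speed_violation", user, f"{km:.0f} km in {hours:.1f} h"))
    return out

def spike_anomalies(daily_series, eval_day, kind, z=3.0, min_sigma=1.0):
    """Hosts whose eval_day value exceeds mean + z*sigma of their own earlier days.
    min_sigma keeps a near-constant baseline from alerting on trivial changes."""
    out = []
    for host, series in daily_series.items():
        baseline = [v for day, v in series if day < eval_day]
        today = dict(series).get(eval_day)
        if len(baseline) < 3 or today is None:
            continue  # not enough history to baseline this host yet
        threshold = mean(baseline) + z * max(pstdev(baseline), min_sigma)
        if today > threshold:
            out.append((kind, HOST_OWNER.get(host, host), f"{host}: {today} vs baseline {mean(baseline):.1f}"))
    return out

def stitch_threats(anomalies):
    """Combine each user's anomaly types into one threat; the label escalates with evidence."""
    kinds = defaultdict(set)
    for kind, user, _ in anomalies:
        kinds[user].add(kind)
    threats = {}
    for user, ks in kinds.items():
        if {"lateral_movement", "excessive_data_transmission"} <= ks:
            threats[user] = ("External: data exfiltration by compromised account"
                             if "land_speed_violation" in ks
                             else "Insider: data exfiltration by suspicious user")
        elif "lateral_movement" in ks:
            threats[user] = "Insider: lateral movement"
        elif "excessive_data_transmission" in ks:
            threats[user] = "Data exfiltration by suspicious device"
        # a lone land-speed violation stays an anomaly for the analyst, not a threat
    return threats

def run(eval_day="2016-10-12", sources=("east_west", "north_south", "vpn")):
    """Run the detectors over the chosen sources; fewer sources give weaker threats."""
    anomalies = []
    if "vpn" in sources:
        anomalies += land_speed_violations(VPN_LOGINS)
    if "north_south" in sources:
        anomalies += spike_anomalies(NS_MB_OUT, eval_day, "excessive_data_transmission")
    if "east_west" in sources:
        anomalies += spike_anomalies(EW_FANOUT, eval_day, "lateral_movement")
    return anomalies, stitch_threats(anomalies)

if __name__ == "__main__":
    for src in (("east_west",), ("east_west", "north_south"), ("east_west", "north_south", "vpn")):
        print(src, "->", run(sources=src)[1])
```

Calling `run(sources=("east_west",))` yields only the two lateral-movement threats; adding the north-south totals turns them into insider exfiltration; adding the VPN logins, where Bill appears in Moscow six hours after logging in from San Francisco, turns Bill's threat into a compromised account while Rod's stays an insider case. Carol, whose numbers stay inside her own baseline, produces nothing, and a land-speed violation on its own is surfaced as an anomaly rather than a threat.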

EXPLORE SPLUNK UBA WITH YOUR OWN DATA. Contact: [email protected]

Mark Your Calendars!
• .conf2017 is going to DC!
• Sept 25-28, 2017
• Walter E Washington Convention Center