splunk
DISCLAIMER
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Platform for Machine Data
Splunk Solutions > Easy to Adopt: across data sources, use cases and consumption models
Splunk Premium Solutions: ITSI, UBA
Rich Ecosystem of Apps: VMware, Exchange, PCI, Security, IT Svc Int
Data sources: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop & NoSQL
Splunk Releases
Splunk Enterprise and Splunk Cloud 6.5
Enterprise Security 4.5 (ES)
User Behavior Analytics 3.0 (UBA)
Splunk Security Vision: Security Markets
SIEM and Compliance
Security Analytics (supervised and unsupervised)
Fraud and Business Risk
Managed Security and Intelligence Services
Splunk Security Intelligence Framework: workflow/collaboration, case management, content/intelligence syndication and ecosystem brokering
Enterprise Security
Provides: SIEM and Security Nerve Center for security operations/command centers
Functions: alert management, detection using correlation rules (pre-built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing
Persona served: SOC Analyst, security teams, incident responders, hunters, security managers
Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches, dynamic baselines
User Behavior Analytics
Provides: advanced threat detection using unsupervised machine learning – enriches Splunk Enterprise Security (SIEM)
Functions: baselines behavior from log data and other data to detect anomalies and threats
Persona served: SOC Analyst, hunters
Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science.
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
Four Years in a Row as a Leader
Furthest overall in Completeness of Vision
Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three Use Cases
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016.
SIEM Use Cases
* Gartner Research Document: 2016 Critical Capabilities for SIEM
Use Cases*: Basic Security Monitoring; Advanced Threat Defense; Forensics and Incident Management
Critical Capabilities*: Real-time Monitoring; User monitoring; Incident Response and Management; Advanced Analytics; Threat intelligence & Business Context; Advanced Threat Defense; Data and application monitoring; Deployment and Support Flexibility
ES Frameworks: Notable Events; Asset & Identity; Threat Intelligence; Risk Analysis; Adaptive Response
Splunk Enterprise Security: Fast Facts
● Current version: 4.5, released on October 12, 2016
● Two major releases per year
● Content comes from industry experts, market analysis, but most importantly YOU
● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable
● ES has its own development team, dedicated support, services practice, and training courses
Splunk Enterprise Security – SIEM and Security Nerve Center
Release timeline: Q2 2015, Q4 2015, Q2 2016, Q3 2016
ES 3.3 • Threat Intel Framework • User Activity Monitoring • Content Sharing • Data Ingestion
ES 4.0 • Breach Analysis • Integration with Splunk UBA • Enterprise Security Framework
ES 4.1 • Behavior Anomalies • Risk and Search in Incident Review • Facebook ThreatExchange
ES 4.2 • Adaptive Response enablement • Performance • Actions Dashboard • Search Driven Lookup
ES 4.5 • Adaptive Response • Glass Tables • Adaptive Response partner enablement
What is Enterprise Security?
A collection of Frameworks: Notable Event, Asset and Identity, Risk Analysis, Threat Intelligence, Adaptive Response
Risk Analysis
Adds context…
Risk score displayed in Incident Review
Splunk as the Security Nerve Center
Connected domains: Workflow; Identity; Network; Internal Network Security; App; Endpoints; Web Proxy; Threat Intel
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
1. Palo Alto Networks
2. Anomali
3. Phantom
4. Cisco
5. Fortinet
6. ThreatConnect
7. Ziften
8. Acalvio
9. Proofpoint
10. CrowdStrike
11. Symantec (Blue Coat)
12. Qualys
13. Recorded Future
14. Okta
15. DomainTools
16. CyberArk
17. Tanium
18. Carbon Black
19. ForeScout
WHAT IS SPLUNK UBA?
Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the-box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baseline and peer group analytics.
Splunk User Behavioral Analytics: Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
Behavior Baselining & Modelling
Unsupervised Machine Learning
Real-Time & Big Data Architecture
Threat & Anomaly Detection
Security Analytics
A Few CUSTOMER FINDINGS (RETAIL, HI-TECH, MANUFACTURING, FINANCIAL)
• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft
WHAT WILL I DEMO
INGEST DATA FROM SECURITY PRODUCTS
OBSERVE ANOMALY GENERATION
OBSERVE THREAT GENERATION AND TRANSFORMATION
KEY TAKEAWAYS
DATA INGESTION IS STRAIGHTFORWARD AND FAST
ML ALGO'S PROCESS RAW EVENTS AND GENERATE ANOMALIES (REAL-TIME)
ML ALGO'S STITCH ANOMALIES INTO THREATS (REAL-TIME)
ML ALGO'S TRANSFORM THREAT INTO A NEW STATE
§ INGEST DATA: FIREWALL EAST-WEST
§ INGEST DATA: FIREWALL NORTH-SOUTH
§ INGEST DATA: VPN CONCENTRATOR
NETWORK TOPOLOGY (figure): two switches, firewall east-west (1), firewall north-south (2), edge router w/ VPN concentrator (3)
§ INGEST DATA: FIREWALL EAST-WEST
INGEST FIREWALL EAST-WEST LOGS (topology position 1)
§ INGEST DATA: FIREWALL NORTH-SOUTH
INGEST FIREWALL NORTH-SOUTH LOGS (topology position 2): 40.1K events
§ INGEST DATA: EDGE ROUTER w/ VPN CON.
INGEST VPN LOGS (topology position 3): 80.9K events
EVENTS >> ANOMALY >> THREAT (per data source)
FIREWALL EAST-WEST, EVENTS: 30K
  ANOMALY: UNUSUAL NETWORK ACTIVITY (17)
  THREAT: INSIDER: LATERAL MOVEMENT (BILL); INSIDER: LATERAL MOVEMENT (ROD)
EDGE ROUTER w/ VPN CONCENTRATOR, EVENTS: 80.8K
  ANOMALY: UNUSUAL ACTIVITY TIME (1); LAND SPEED VIOLATION (1)
FIREWALL NORTH-SOUTH, EVENTS: 40.1K
  ANOMALY: UNUSUAL GEO LOCATION OF COMMUNICATION DESTINATION (13); EXCESSIVE DATA TRANSMISSION (2)
  THREAT: DATA EXFILTRATION BY SUSPICIOUS DEVICE
ADDITIONAL DATA SOURCES ENRICH THREAT DETECTION
INSIDER: LATERAL MOVEMENT (BILL); INSIDER: LATERAL MOVEMENT (ROD)
>> INSIDER: DATA EXFILTRATION by SUSPICIOUS USER or DEVICE (BILL & ROD)
>> EXTERNAL: DATA EXFILTRATION by COMPROMISED ACCOUNT (BILL & ROD)
THREAT CONTINUED TO EVOLVE WITH ADDITIONAL DATA SOURCES
ML PROCESSED RAW EVENTS AND GENERATED MANAGEABLE ALERTS
100% ML DRIVEN
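The three stages of the demo above (raw events per source >> anomalies >> threats whose label changes as more data sources are added) as an added worked example. This is not Splunk UBA's code: the unsupervised models are stood in for by fixed-threshold detectors, and the sample events, the users alice/bill/rod, the thresholds and the stitching rules are all constructed assumptions chosen so that the run reproduces the demo's progression from lateral movement to insider exfiltration to compromised account.

```python
# Added example (not Splunk UBA's code): a toy pipeline that turns raw events
# from three constructed sources into per-source anomalies and stitches them
# into one threat label per user. Thresholds and stitching rules are assumptions.
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# --- constructed sample events (not real data) ---------------------------------
# east-west firewall: (user, internal destination host)
EW_FLOWS = [("alice", "fs01"), ("alice", "mail01"),
            ("bill", "fs01"), ("bill", "db02"), ("bill", "hr03"), ("bill", "fin04"),
            ("rod", "fs01"), ("rod", "db02"), ("rod", "dc01"), ("rod", "fin04"), ("rod", "ws17")]
# VPN concentrator: (user, login time, latitude, longitude)
VPN_LOGINS = [("alice", "2016-10-03T09:05", 37.77, -122.42),
              ("alice", "2016-10-04T08:58", 37.77, -122.42),
              ("bill", "2016-10-03T09:10", 37.77, -122.42),
              ("bill", "2016-10-03T11:40", 55.75, 37.62),    # ~9,400 km away, 2.5 h later
              ("rod", "2016-10-03T09:30", 37.77, -122.42),
              ("rod", "2016-10-04T02:15", 37.77, -122.42)]   # 02:15 login
# north-south firewall: (user, destination country, bytes out)
NS_FLOWS = [("alice", "US", 2_000), ("alice", "US", 3_500),
            ("bill", "US", 2_200), ("bill", "RU", 900_000_000),
            ("rod", "US", 1_800), ("rod", "CN", 12_000)]


def detect_east_west(flows, max_hosts=3):
    """Unusual network activity: a user reaching more distinct internal hosts than the assumed baseline."""
    hosts = defaultdict(set)
    for user, dst in flows:
        hosts[user].add(dst)
    return [("unusual_network_activity", u) for u, h in sorted(hosts.items()) if len(h) > max_hosts]


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine)."""
    p1, p2, dl = radians(lat1), radians(lat2), radians(lon2 - lon1)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_vpn(logins, work_hours=range(6, 22), max_kmh=1000):
    """Unusual activity time (login outside assumed working hours) and land-speed
    violation (consecutive logins whose implied travel speed exceeds max_kmh)."""
    out, last = [], {}
    for user, ts, lat, lon in logins:
        t = datetime.fromisoformat(ts)
        if t.hour not in work_hours:
            out.append(("unusual_activity_time", user))
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            if hours > 0 and _km(lat0, lon0, lat, lon) / hours > max_kmh:
                out.append(("land_speed_violation", user))
        last[user] = (t, lat, lon)
    return out


def detect_north_south(flows, home=frozenset({"US"}), max_bytes=100_000_000):
    """Unusual geo-location of the communication destination and excessive data transmission."""
    out = []
    for user, country, nbytes in flows:
        if country not in home:
            out.append(("unusual_geo_destination", user))
        if nbytes > max_bytes:
            out.append(("excessive_data_transmission", user))
    return out


def stitch(anomalies):
    """Group anomalies by user and assign one threat label per user. The label
    escalates as anomalies from more sources accumulate (assumed rules)."""
    by_user = defaultdict(set)
    for kind, user in anomalies:
        by_user[user].add(kind)
    threats = {}
    for user, kinds in by_user.items():
        lateral = "unusual_network_activity" in kinds
        exfil = kinds & {"unusual_geo_destination", "excessive_data_transmission"}
        account = kinds & {"land_speed_violation", "unusual_activity_time"}
        if lateral and exfil and account:
            threats[user] = "EXTERNAL: DATA EXFILTRATION BY COMPROMISED ACCOUNT"
        elif lateral and exfil:
            threats[user] = "INSIDER: DATA EXFILTRATION BY SUSPICIOUS USER OR DEVICE"
        elif lateral:
            threats[user] = "INSIDER: LATERAL MOVEMENT"
    return threats


def run(sources):
    """Run only the named sources; return (anomaly counts by kind, threats by user)."""
    anomalies = []
    if "east_west" in sources:
        anomalies += detect_east_west(EW_FLOWS)
    if "vpn" in sources:
        anomalies += detect_vpn(VPN_LOGINS)
    if "north_south" in sources:
        anomalies += detect_north_south(NS_FLOWS)
    return Counter(k for k, _ in anomalies), stitch(anomalies)


if __name__ == "__main__":
    # Add sources one at a time and watch the threat label change state.
    for step in (["east_west"], ["east_west", "north_south"], ["east_west", "north_south", "vpn"]):
        counts, threats = run(step)
        print(step, dict(counts), threats)
```

Each detector owns one source, so adding a feed never changes the others' anomalies; only `stitch` re-evaluates the per-user label, which is what lets the same two users move from "lateral movement" to "compromised account" without any alert being re-issued for the earlier stage.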