SplunkLive Melbourne Enterprise Security & User Behavior Analytics
Transcript of SplunkLive Melbourne Enterprise Security & User Behavior Analytics
Page 1
Copyright © 2016 Splunk Inc.
Enterprise Security & UBA Overview
SplunkLive Melbourne 2016, Nick Crofts, Sr SE
Security Splunk Guy
Page 2
whoami
Nick Crofts [email protected]
• < 1 year at Splunk
• Senior SE (Security SME)
• 14+ years in IT and security
• CISSP – passed the test.
Page 3
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Page 4
Agenda
Splunk Security Update
Enterprise Security 4.2
User Behavior Analytics 2.3
Page 5
Data Breaches in Australia
Page 6
2016 Cost of Data Breach Study
• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• "Time to Identify" and "Time to Contain" a data breach is critical
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
Source: June 2016
Page 7
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyze all of that data
Human Machine
Machine Machine
Page 8
Splunk as the Security Nerve Center
• App Servers
• Network
• Threat Intelligence
• Firewall
• Web Proxy
• Internal Network Security
• Endpoints
• Identity
Page 9
Splunk Solutions
Across Data Sources, Use Cases and Consumption Models
Platform for Machine Data
Splunk Premium Solutions: ITSI, UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security, IT Svc Int
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Page 10
Splunk for Security
• DETECTION OF CYBER ATTACKS
• INVESTIGATION OF THREATS AND INCIDENTS
• OPTIMIZED INCIDENT RESPONSE AND BREACH ANALYSIS
• DETECTION OF INSIDER THREATS
• SECURITY & COMPLIANCE REPORTING
SPLUNK UBA / SPLUNK ES
Page 11
Splunk Security Ecosystem
Threat Intelligence, Identity and Cloud, Endpoint, Network
Page 12
What is Splunk ES?
Page 13
Splunk Enterprise Security: Advancing analytics-driven security
Platform for Machine Data
• Security and Compliance Reporting
• Monitor and Detect
• Investigate Threats and Incidents
• Analyze and Optimize Response
Page 14
What's New: Splunk Enterprise Security v4
Page 15
Attack and Investigation Timelines
Adding content to timeline:
• Action History – Actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo – Memo: Investigator's memos inserted in desired timeline
• Incident Review – Incident: Notable events from Incident Review
Analyst / Investigator
Page 16
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search
• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
Page 17
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
• An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
• Use with ad hoc searches and investigations
• Extends Splunk's Threat Intelligence Framework
Page 18
ES Demo
Page 19
What is Splunk UBA?
Page 20
WHAT IS THE PROBLEM?
• COMPROMISED / MISUSED CREDENTIALS OR DEVICES
• LACK OF RESOURCES (SECURITY EXPERTISE)
• LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES
Page 21
Splunk User Behavioral Analytics: Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
• Behavior Baselining & Modelling
• Unsupervised Machine Learning
• Real-Time & Big Data Architecture
• Threat & Anomaly Detection
• Security Analytics
Page 22
MULTI-ENTITY BEHAVIORAL MODEL
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
Page 23
EVOLUTION (by COMPLEXITY)
• RULES - THRESHOLD
• POLICY - THRESHOLD
• POLICY - STATISTICS
• UNSUPERVISED MACHINE LEARNING
• POLICY - PEER GROUP STATISTICS
• SUPERVISED MACHINE LEARNING
LARGEST LIBRARY OF UNSUPERVISED ML ALGORITHMS
Page 24
DESIGNED FOR A HUNTER ANALYST
ANOMALY DETECTION: APPLYING ML AGAINST BEHAVIOUR BASELINES
Page 25
DESIGNED FOR A SOC ANALYST
THREAT DETECTION: ML-DRIVEN AUTOMATED OR RULES BASED ANOMALY CORRELATION
Page 26
DATA SOURCES for UBA (KEY / OPTIONAL)
Categories: Identity/Auth, Activity (N-S, E-W), SaaS/Mobile, Security Controls, External Threat Feeds
Sources: Active Directory/Windows, Single Sign-on, HR - Identity, VPN, DNS, DHCP, Web Gateway, Proxy Server, Firewall, Box, Salesforce, Dropbox, other SaaS apps, Mobile Devices, AWS CloudTrail, Anti-Malware, Endpoint, IDS, IPS, AV, DLP, Threat Intelligence
Page 27
Splunk UBA and Splunk ES Integration
DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: DATA SCIENCE DRIVEN THREAT DETECTION, 99.99% EVENT REDUCTION
ES: MACHINE LEARNING IN SIEM WORKFLOW, ANOMALY-BASED CORRELATION
Page 28
What's New in UBA 2.x
Page 29
Detection: Custom Threat Modeling Framework (UBA 2.2)
• Create custom threats using 60+ anomalies.
• Create custom threat scenarios on top of anomalies detected by machine learning.
• Helps with real-time threat detection and can also be leveraged to detect threats on historical data.
• Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Page 30
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
Page 31
Behavioral Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA Reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
Detect and Investigate faster using ML integrated with SIEM
Page 32
USER CENTRIC
• Top-N users by number of transactions
• Top-N users by login/logout activity
• Login/Logout activity over time
• Average daily/weekly/monthly/yearly login/logout count
• Number of failed logins (global)
• Top-N users for failed logins
• Failed logins over time
• Average daily/weekly/monthly/yearly failed login counts
• Top-N users by data transfer
• Average daily/weekly/monthly/yearly data transfer for users
• Top-N users by session count
• Top-N users by session length
• Average session duration of users
DEVICE CENTRIC
• Top-N servers by activity (number of transactions)
• Top-N servers by login/logout activity
• Top-N servers for failed logins
• Failed logins over time
• Top-N destination devices by data transfer
• Top-N servers by data transfer
• Average daily/weekly/monthly/yearly data transfer for servers
• Top-N source devices by session count
APPLICATION / SESSION CENTRIC
• Total sessions count
• Total sessions count over time
• Total sessions count by device type (AD, VPN, SSH)
• Average sessions count (daily, weekly, monthly, yearly)
• Average global session duration
• Average sessions duration over time (daily, weekly, monthly, yearly)
PROTOCOL CENTRIC
• HTTP traffic by application type (protocol)
• Top-N domains by traffic
• Top-N domains by activity (number of events)
• Top-N client machines by traffic
• HTTP traffic over time (day, week, month, year)
• Average daily, weekly, monthly, yearly HTTP traffic
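As an added illustration of the user-centric baseline metrics above (Top-N users for failed logins, average daily failed login counts) and of flagging a deviation from a user's own baseline, the following Python is example code written for this transcript, not Splunk UBA's implementation; the key=value auth log format and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events (not from the slides): timestamp, user, outcome.
SAMPLE_LOG = """\
2016-08-01T08:02:11 user=alice action=login outcome=failure
2016-08-01T08:02:40 user=alice action=login outcome=success
2016-08-01T09:15:02 user=bob action=login outcome=failure
2016-08-02T08:05:33 user=alice action=login outcome=failure
2016-08-03T11:30:00 user=bob action=login outcome=failure
2016-08-04T02:10:01 user=bob action=login outcome=failure
2016-08-04T02:10:05 user=bob action=login outcome=failure
2016-08-04T02:10:09 user=bob action=login outcome=failure
2016-08-04T02:10:14 user=bob action=login outcome=failure
2016-08-04T02:10:20 user=bob action=login outcome=failure
2016-08-04T02:10:25 user=bob action=login outcome=failure
2016-08-04T09:00:00 user=alice action=login outcome=failure
"""

def parse(log):
    """Yield (day, user, outcome) tuples from key=value auth lines."""
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        yield datetime.fromisoformat(ts).date(), fields["user"], fields["outcome"]

def daily_failed_logins(log):
    """{user: {day: failed login count}}: the per-user baseline metric."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, outcome in parse(log):
        if outcome == "failure":
            counts[user][day] += 1
    return counts

def top_n_failed(log, n=3):
    """Top-N users for failed logins, highest count first (ties by name)."""
    totals = {u: sum(d.values()) for u, d in daily_failed_logins(log).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def anomalies(log, factor=3.0, min_count=5):
    """Flag (user, day, count) where one day's failures exceed `factor` times
    the user's average over the other days and also reach `min_count`."""
    out = []
    for user, days in daily_failed_logins(log).items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0.0
            if count >= min_count and count > factor * baseline:
                out.append((user, day.isoformat(), count))
    return out
```

On the sample data bob's 6 failures on 2016-08-04 stand out against his average of 1 per day, while alice's steady single failure per day is never flagged; the min_count floor keeps low-volume users from tripping on a single extra failure.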
Page 33
UBA Demo
Page 34
The 7th Annual Splunk Worldwide Users' Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Page 35
Thank You!