SplunkLive Perth Enterprise Security & User Behavior Analytics
Page 1
Copyright © 2016 Splunk Inc.
Enterprise Security & UBA Overview
SplunkLive 2016. Jon Harris, Sr SE, Security Splunk Guy
Page 2
whoami
Jon Harris, [email protected]
• 6 months at Splunk
• Senior SE (focus on security)
• 15+ years in IT and security
• Worked for leading IT Security vendors
• Software development background
Page 3
LEGAL NOTICES
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Page 4
Agenda
• Splunk Security Update
• Enterprise Security 4.2
• User Behavior Analytics 2.3
Page 5
Data Breaches in Australia
Page 6
2016 Cost of Data Breach Study
• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• "Time to Identify" and "Time to Contain" a data breach is critical
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
Source: June 2016
Page 7
Advanced Threats Are Hard to Find
Cyber Criminals, Nation States, Insider Threats
• 100%: Valid credentials were used
• 40: Average # of systems accessed
• 229: Median # of days before detection
• 67%: Of victims were notified by external entity
Source: Mandiant M-Trends Report 2012/2013/2014
Page 8
Machine data contains a definitive record of all interactions
Splunk is a very effective platform to collect, store, and analyse all of that data
Human - Machine
Machine - Machine
Page 9
Splunk as the Security Nerve Center
Data sources: App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity
Page 10
Splunk Solutions: Across Data Sources, Use Cases and Consumption Models
Platform for Machine Data
Splunk Premium Solutions: IT Svc Int (ITSI), UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
Page 11
Splunk for Security
• DETECTION OF CYBER ATTACKS
• INVESTIGATION OF THREATS AND INCIDENTS
• OPTIMISED INCIDENT RESPONSE AND BREACH ANALYSIS
• DETECTION OF INSIDER THREATS
• SECURITY & COMPLIANCE REPORTING
SPLUNK UBA, SPLUNK ES
Page 12
Splunk Security Ecosystem
Threat Intelligence, Identity and Cloud, Endpoint, Network
Page 13
What is Splunk ES?
Page 14
Splunk Enterprise Security: Advancing analytics-driven security
Platform for Machine Data
• Security and Compliance Reporting
• Monitor and Detect
• Investigate Threats and Incidents
• Analyze and Optimize Response
Page 15
What's New: Splunk Enterprise Security v4
Page 16
Attack and Investigation Timelines
Adding content to timeline (Analyst / Investigator):
• Action History. Actions: Search Run, Dashboard Viewed, Panel Filtered, Notable Status Change, Notable Event Suppressed
• Investigator Memo. Memo: Investigator's memos inserted in desired timeline
• Incident Review. Incident: Notable events from Incident Review
Page 17
Prioritise and Speed Investigations (ES 4.1)
Centralised incident review combining risk and quick search
• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts to respond on matters that require immediate attention
Page 18
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
• An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
• Use with ad hoc searches and investigations
• Extends Splunk's Threat Intelligence Framework
Page 19
ES Demo
Page 20
What is Splunk UBA?
Page 21
WHAT IS THE PROBLEM?
• COMPROMISED / MISUSED CREDENTIALS OR DEVICES
• LACK OF RESOURCES (SECURITY EXPERTISE)
• LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES
Page 22
ENTERPRISE SECURITY OPS CHALLENGES
• THREATS: External, Insiders, Hidden and/or Unknown
• RESOURCES: Availability of Security Expertise
• EFFICIENCY: Lack of Alert Prioritisation & Excessive False Positives
Page 23
Splunk User Behavioural Analytics: Automated Detection of INSIDER THREATS AND CYBER ATTACKS
Platform for Machine Data
• Behaviour Baselining & Modelling
• Unsupervised Machine Learning
• Real-Time & Big Data Architecture
• Threat & Anomaly Detection
• Security Analytics
Page 24
Splunk UBA: TECHNOLOGY
ANOMALY DETECTION, THREAT DETECTION
• UNSUPERVISED MACHINE LEARNING
• BEHAVIOUR MODELING
• REAL TIME & BIG DATA ARCHITECTURE
Page 25
MULTI-ENTITY BEHAVIOURAL MODEL
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
Page 26
MULTI-ENTITY BEHAVIOURAL MODEL
APPLICATION, USER, HOST, NETWORK, DATA
Page 27
EVOLUTION (axis: COMPLEXITY)
• RULES - THRESHOLD
• POLICY - THRESHOLD
• POLICY - STATISTICS
• UNSUPERVISED MACHINE LEARNING
• POLICY - PEER GROUP STATISTICS
• SUPERVISED MACHINE LEARNING
LARGEST LIBRARY OF UNSUPERVISED ML ALGORITHMS
Page 28
ANOMALY DETECTION: DESIGNED FOR A HUNTER ANALYST
APPLYING ML AGAINST BEHAVIOUR BASELINES
Page 29
THREAT DETECTION: DESIGNED FOR A SOC ANALYST
ML-DRIVEN AUTOMATED OR RULES-BASED ANOMALY CORRELATION
Page 30
DATA SOURCES for UBA
Categories: Identity/Auth; Activity (N-S, E-W); SaaS/Mobile; Security Controls; External Threat Feeds
Sources: Active Directory/Windows, Single Sign-on, HR - Identity, VPN, DNS, DHCP, Web Gateway, Proxy Server, Firewall, Box, Salesforce, Dropbox, other SaaS apps, Mobile Devices, Anti-Malware, DLP, AWS CloudTrail, Endpoint, IDS, IPS, AV, Threat Intelligence
KEY: OPTIONAL
Page 31
Splunk UBA and Splunk ES Integration
DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: DATA SCIENCE DRIVEN THREAT DETECTION; 99.99% EVENT REDUCTION
ES: MACHINE LEARNING IN SIEM WORKFLOW; ANOMALY-BASED CORRELATION
Page 32
What's New in UBA 2.x
Page 33
Detection: Custom Threat Modeling Framework (UBA 2.2)
• Create custom threats using 60+ anomalies.
• Create custom threat scenarios on top of anomalies detected by machine learning.
• Helps with real-time threat detection and can be leveraged to detect threats on historical data.
• Analysts can create many combinations and permutations of threat detection scenarios along with automated threat detection.
Page 34
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behaviour
Page 35
Behavioural Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA Reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
Detect and Investigate faster using ML integrated with SIEM
Page 36
USER CENTRIC
• Top-N users by number of transactions
• Top-N users by login/logout activity
• Login/Logout activity over time
• Average daily/weekly/monthly/yearly login/logout count
• Number of failed logins (global)
• Top-N users for failed logins
• Failed logins over time
• Average daily/weekly/monthly/yearly failed login counts
• Top-N users by data transfer
• Average daily/weekly/monthly/yearly data transfer for users
• Top-N users by session count
• Top-N users by session length
• Average session duration of users
DEVICE CENTRIC
• Top-N servers by activity (number of transactions)
• Top-N servers by login/logout activity
• Top-N servers for failed logins
• Failed logins over time
• Top-N destination devices by data transfer
• Top-N servers by data transfer
• Average daily/weekly/monthly/yearly data transfer for servers
• Top-N source devices by session count
APPLICATION / SESSION CENTRIC
• Total sessions count
• Total sessions count over time
• Total sessions count by device-type (AD, VPN, SSH)
• Average sessions count (daily, weekly, monthly, yearly)
• Average global session duration
• Average sessions duration over time (daily, weekly, monthly, yearly)
PROTOCOL CENTRIC
• HTTP traffic by application-type (protocol)
• Top-N domains by traffic
• Top-N domains by activity (number of events)
• Top-N client machines by traffic
• HTTP traffic over time (day, week, month, year)
• Average daily, weekly, monthly, yearly HTTP traffic
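The metrics listed on this slide are the raw material for behaviour baselining (page 34), and the custom threat modeling framework on page 33 layers named threat scenarios over the anomalies those baselines produce. The block below is an added example written for this transcript; it is not Splunk's code and does not reproduce UBA's algorithms. It shows one way to compute per-user daily baselines for two of the user-centric metrics above (failed logins and data transfer), flag excursions from each user's own baseline, and correlate co-occurring anomalies into a single threat scenario. The `AuthEvent` record, the metric and scenario names, the thresholds and the sample events are all constructed assumptions.

```python
"""Added example (not Splunk's code): per-user behaviour baselines, z-score
anomaly detection on daily metrics, and a custom threat scenario that fires
only when a defined set of anomalies co-occur for the same user and day.

Assumptions (hypothetical, not from the slides): events are already parsed
into (day, user, success, bytes_out) records, and the baseline window is a
set of earlier days for the same user.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuthEvent:
    day: int        # day index within the observation period
    user: str
    success: bool   # False = failed login
    bytes_out: int  # bytes transferred by the user in this event


# Constructed sample data: seven quiet baseline days for two users, then day 8
# where "alice" shows a burst of failed logins followed by a large transfer.
SAMPLE_EVENTS = []
for _day in range(1, 8):
    SAMPLE_EVENTS += [
        AuthEvent(_day, "alice", True, 20_000),
        AuthEvent(_day, "alice", _day % 3 != 0, 0),   # a failure every third day
        AuthEvent(_day, "bob", True, 50_000),
        AuthEvent(_day, "bob", False, 0),             # bob fails once every day
    ]
SAMPLE_EVENTS += [AuthEvent(8, "alice", False, 0)] * 9
SAMPLE_EVENTS += [AuthEvent(8, "alice", True, 2_000_000)]
SAMPLE_EVENTS += [AuthEvent(8, "bob", True, 55_000), AuthEvent(8, "bob", False, 0)]

# Daily metrics drawn from the user-centric list: failed logins and data transfer.
METRICS = {
    "failed_logins": lambda evs: sum(1 for e in evs if not e.success),
    "bytes_out": lambda evs: sum(e.bytes_out for e in evs),
}
# Minimum absolute rise over the baseline mean before a metric may alert; this
# keeps a constant baseline (standard deviation 0) from alerting on a change of one.
MIN_DELTA = {"failed_logins": 3, "bytes_out": 100_000}


def daily_metrics(events):
    """Return {user: {day: {metric: value}}} over all users and days."""
    by_user_day = defaultdict(list)
    for e in events:
        by_user_day[(e.user, e.day)].append(e)
    out = defaultdict(dict)
    for (user, day), evs in by_user_day.items():
        out[user][day] = {name: fn(evs) for name, fn in METRICS.items()}
    return out


def detect_anomalies(events, baseline_days, target_day, z_threshold=3.0):
    """Compare each user's target-day metrics with that user's own baseline.

    An anomaly fires when the value exceeds the baseline mean by at least
    MIN_DELTA and by more than z_threshold standard deviations.
    """
    metrics = daily_metrics(events)
    anomalies = []
    for user, per_day in metrics.items():
        today = per_day.get(target_day)
        if today is None:
            continue
        for name in METRICS:
            history = [per_day[d][name] for d in baseline_days if d in per_day]
            if len(history) < 2:
                continue  # not enough history to baseline this user
            mu, sigma = mean(history), pstdev(history)
            value = today[name]
            z = (value - mu) / sigma if sigma > 0 else float("inf")
            if value - mu >= MIN_DELTA[name] and z > z_threshold:
                anomalies.append({"user": user, "day": target_day,
                                  "type": f"excessive_{name}",
                                  "value": value, "baseline_mean": round(mu, 2)})
    return anomalies


# A custom threat scenario (hypothetical name): every listed anomaly type must
# fire for the same user on the same day before a threat is raised.
SCENARIOS = {
    "credential_abuse_then_exfil": {"excessive_failed_logins", "excessive_bytes_out"},
}


def correlate_threats(anomalies, scenarios=SCENARIOS):
    """Group anomalies per (user, day) and emit one threat per fully matched scenario."""
    seen = defaultdict(set)
    for a in anomalies:
        seen[(a["user"], a["day"])].add(a["type"])
    threats = []
    for (user, day), types in sorted(seen.items()):
        for name, required in scenarios.items():
            if required <= types:
                threats.append({"user": user, "day": day, "threat": name,
                                "evidence": sorted(required)})
    return threats


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_EVENTS, baseline_days=range(1, 8), target_day=8)
    for a in found:
        print("anomaly:", a)
    for t in correlate_threats(found):
        print("threat:", t)
```

On the constructed data only alice trips both metrics on day 8, so only she matches the scenario; bob's single daily failure is his normal and never alerts, which is the point of baselining each user against themselves rather than against a global threshold. Because the scenario requires both anomalies together, a lone burst of failed logins is surfaced as an anomaly for a hunter but does not become a threat for the SOC queue.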
Page 37
UBA Demo
Page 38
The 7th Annual Splunk Worldwide Users' Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
Page 39
Thank You!
Page 40
Appendix
Page 41
All Data is Security Relevant
Traditional: Intrusion Detection, Data Loss Prevention, Anti-Malware, Firewall, Vulnerability Scans, Authentication
Also relevant: Desktops, Email, Web, Threat Intelligence, Storage, Hypervisor, Badges, Mobile, Servers, DHCP/DNS, Physical Access, CMDB, Transaction Records, Network Flows, Custom Apps, Services, Web Clickstreams, Cloud, Printers
Page 42
Mission of Government: Protect, Grow, Serve
• Protect: Defend against and reduce impact of external and insider threats
• Grow: Meet mission goals through operational excellence
• Serve: Ensure agility and scale while embracing innovation
Page 43
White House Military Office – From Hunted to Hunter
Challenges:
• Proactive hunting of cyber adversaries
• Resource (analysts) constraints
• Cumbersome malware detection process
• Myopic visibility into the network
Value Delivered:
• Went from reactive to proactive
• Made Tier 1 analysts immediately effective
• Holistic visibility across network
• Bonus: IT Operations troubleshooting
• Validate security deployment decisions
“Splunk has helped us take Tier 1 security analysts and make them immediately effective to defend our network.”