SplunkLive Sydney Enterprise Security & User Behavior Analytics
![Page 1: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/1.jpg)
Copyright © 2016 Splunk Inc.
Splunk for Enterprise Security featuring User Behaviour Analytics
SplunkLive Sydney 2016, Vlado Vajdic, Sr SE
![Page 2: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/2.jpg)
whoami
Vlado Vajdic [email protected]
• 1 year as a Splunk Sales Engineer
• 15+ years in IT security
• Trend Micro, RSA, ..., Sun Microsystems
• First used Splunk in 2010
• GCFA, but don’t take this against me
![Page 3: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/3.jpg)
LEGAL NOTICE
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
![Page 4: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/4.jpg)
Agenda
Splunk Security Update
Enterprise Security 4.2
User Behavior Analytics 2.3
![Page 5: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/5.jpg)
Data Breaches in Australia
![Page 6: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/6.jpg)
2016 Cost of Data Breach Study
• The cost of a data breach continues to rise: $158 per record
• The largest component of the total cost of a data breach is lost business
• “Time to Identify” and “Time to Contain” a data breach is critical
• Malicious or criminal attacks were the primary root causes of a data breach
• Average total cost of a data breach in Australia is $2.64 million
• Key factor to reduce the cost of a data breach is enabling incident response
• Data breaches in regulated industries are more costly
Source: June 2016
![Page 7: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/7.jpg)
Splunk: the Security Nerve Center for the Enterprise
Data sources feeding the nerve center: App Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity
![Page 8: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/8.jpg)
Splunk Solutions: Across Data Sources, Use Cases and Consumption Models
Platform for Machine Data
Splunk Premium Solutions: IT Svc Int (ITSI), UBA
Ecosystem of Apps: VMware, Exchange, PCI, Security
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
![Page 9: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/9.jpg)
Splunk for Security
DETECTION OF CYBER ATTACKS
INVESTIGATION OF THREATS AND INCIDENTS
OPTIMIZED INCIDENT RESPONSE AND BREACH ANALYSIS
DETECTION OF INSIDER THREATS
SECURITY & COMPLIANCE REPORTING
SPLUNK UBA, SPLUNK ES
![Page 10: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/10.jpg)
Splunk Security Ecosystem
Threat Intelligence, Identity and Cloud, Endpoint, Network
![Page 11: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/11.jpg)
What is Splunk Enterprise Security?
![Page 12: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/12.jpg)
Platform for Machine Data
Splunk Enterprise Security: Analytics-driven Security
Security and Compliance Reporting
Monitor and Detect Threats
Investigate Threats and Incidents
Optimize Response using Workflows
![Page 13: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/13.jpg)
Security Intelligence
Developer Platform
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search
Data Enrichment: Threat Intelligence, Asset & CMDB, Employee Info
Search-time Data Normalization
Data sources: Data Stores, Applications, Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint
![Page 14: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/14.jpg)
Splunk ES in the Gartner SIEM Magic Quadrant
2015 - Leader (the only vendor to improve its visionary position)
2014 - Leader
2013 - Leader
2012 - Challenger
2011 - Niche Player
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
![Page 15: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/15.jpg)
What’s New: Splunk Enterprise Security v4
![Page 16: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/16.jpg)
Behavioral Analytics in the SIEM Workflow
• All UBA anomalies now available in ES
• SOC Manager: UBA Reporting within ES
• SOC analyst: UBA anomaly data available for enhanced correlation
• Hunter/Investigator: Ad-hoc searching/pivoting
Detect and Investigate faster using ML integrated with SIEM
![Page 17: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/17.jpg)
Attack and Investigation Timelines
Adding content to timeline:
Action History
Actions:
• Search Run
• Dashboard Viewed
• Panel Filtered
• Notable Status Change
• Notable Event Suppressed
Investigator Memo
Memo: Investigator’s memos inserted in desired timeline
Incident Review
Incident: Notable events from Incident Review
Analyst / Investigator
![Page 18: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/18.jpg)
Splunk ES - MSSP Partners
Verizon: “Splunk is enabling our next generation platform. With these new capabilities, we are arming our clients with the tools and systems necessary to shift the balance and make it harder for cybercriminals to succeed.” Vinny Lee, Director of Product Management, Verizon Enterprise Solutions.
Herjavec Group: “Splunk’s solutions are cutting edge - changing the way security teams operate at every level. That is why Splunk is such a key contributor to our security operations center and managed services practice,” Robert Herjavec, Founder and CEO, Herjavec Group.
Accenture: “Our alliance with Splunk is another strong example of how Accenture is impacting our clients’ businesses with ‘new IT.’” Bhaskar Ghosh, Group Chief Executive, Accenture Technology Services.
![Page 19: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/19.jpg)
ES Demo
![Page 20: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/20.jpg)
What is Splunk UBA?
![Page 21: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/21.jpg)
ENTERPRISE SECURITY OPS CHALLENGES
THREATS: External, Insiders, Hidden and/or Unknown
PEOPLE: Availability of Security Expertise
EFFICIENCY: False Positives vs True Positives
![Page 22: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/22.jpg)
Splunk UBA: TECHNOLOGY
ANOMALY DETECTION, THREAT DETECTION
UNSUPERVISED MACHINE LEARNING
BEHAVIOUR MODELING
REAL TIME & BIG DATA ARCHITECTURE
![Page 23: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/23.jpg)
REAL-TIME, BIG DATA ARCHITECTURE
SCALABLE ARCHITECTURE
500M EVENTS/NODE/DAY
![Page 24: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/24.jpg)
MULTI-ENTITY BEHAVIORAL MODEL
APPLICATION, USER, HOST, NETWORK, DATA
![Page 25: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/25.jpg)
EVOLUTION (chart, vertical axis: COMPLEXITY)
RULES - THRESHOLD
POLICY - THRESHOLD
POLICY - STATISTICS
UNSUPERVISED MACHINE LEARNING
POLICY - PEER GROUP STATISTICS
SUPERVISED MACHINE LEARNING
LARGEST LIBRARY OF UNSUPERVISED ML ALGORITHMS
![Page 26: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/26.jpg)
DESIGNED FOR A HUNTER ANALYST
ANOMALY DETECTION
APPLYING ML AGAINST BEHAVIOUR BASELINES
![Page 27: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/27.jpg)
DESIGNED FOR A SOC ANALYST
THREAT DETECTION
ML-DRIVEN AUTOMATED OR RULES BASED ANOMALY CORRELATION
![Page 28: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/28.jpg)
THREATS UNCOVERED
ACCOUNT TAKEOVER • Privileged account compromise • Data loss
LATERAL MOVEMENT • Pass-the-hash kill chain • Privilege escalation
INSIDER THREATS • Misuse of credentials • IP theft
MALWARE ATTACKS • Hidden malware activity • Advanced Persistent Threats (APTs)
BOTNETs, C&C • Malware beaconing • Data exfiltration
USER & ENTITY BEHAVIOR ANALYTICS • Login credential abuse • Anomalous behaviour
![Page 29: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/29.jpg)
DATA SOURCES for UBA
Categories: Identity/Auth, SaaS/Mobile, Security Controls, External Threat Feeds, Activity (N-S, E-W)
Sources shown (KEY / OPTIONAL): Web Gateway, Proxy Server, Firewall, Box, Salesforce, Dropbox, other SaaS apps, Mobile Devices, Anti-Malware, Threat Intelligence, Active Directory/Windows, Single Sign-on, HR - Identity, VPN, DNS, DHCP, DLP, AWS CloudTrail, Endpoint, IDS, IPS, AV
![Page 30: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/30.jpg)
Data Flows: Splunk ES / UBA
Ingest: API CONNECTOR, SYSLOG, FORWARDER
Splunk platform: Explore, Visualize, Share, Analyze, Dashboards
Between ES and UBA: QUERY UBA / REQUEST FOR ADDITIONAL DETAILS, RESULTS, THREAT & ANOMALY DATA, THREATS & ANOMALIES, QUERY, RESULTS
ES: NOTABLE EVENTS, RISK SCORING FRAMEWORK, WORKFLOW MANAGEMENT
![Page 31: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/31.jpg)
What’s New in UBA v2
![Page 32: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/32.jpg)
Threat Modeling Framework
Enhanced Threat Detection: Threat Customization using ML generated anomalies
Create custom threats using 60+ anomalies. Examples:
§ Compromised Account: Accessed blacklisted domain followed by outgoing connection along with unusual geolocations
§ Compromised Device: Beaconing followed by outgoing connections along with unusual geolocations
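The two examples on this slide share one shape: an ordered pair of anomalies ("A followed by B") plus a third anomaly that must be present in the same window ("along with C"), all tied to a single user or device. The block below is an added example, not Splunk's code and not how UBA implements its framework: a small per-entity correlator that evaluates such chains over anomaly events inside a time window and sums the evidence into a simple risk score, the kind of output the ES risk scoring framework consumes. The anomaly category names, the 24-hour window, the entity names and every sample anomaly are assumptions constructed for the example.

```python
"""Added example, not Splunk's code: a minimal threat-model correlator in the
spirit of the slide's framework. A threat is an ordered chain of anomaly
categories ("A followed by B") plus categories that must co-occur in the same
window ("along with C"), evaluated per entity. All anomaly events below are
constructed sample data; the category names are illustrative, not UBA ids."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Anomaly:
    ts: datetime
    entity: str      # user or device the anomaly is attached to
    category: str    # anomaly type emitted by the detection layer (assumed names)
    score: int = 1   # weight feeding a simple per-threat risk score


@dataclass
class ThreatModel:
    name: str
    sequence: Sequence[str]                            # must occur in this order
    along_with: Set[str] = field(default_factory=set)  # must also appear in the window
    window: timedelta = timedelta(hours=24)            # measured from the first chain event


@dataclass
class ThreatHit:
    threat: str
    entity: str
    evidence: List[Anomaly]
    risk: int


def find_chain(events: List[Anomaly], seq: Sequence[str],
               window: timedelta) -> Optional[List[Anomaly]]:
    """Earliest ordered chain matching seq, all within window of its first event."""
    for i, first in enumerate(events):
        if first.category != seq[0]:
            continue
        chain, deadline, j = [first], first.ts + window, i + 1
        for cat in seq[1:]:
            # advance to the next event of the wanted category still inside the window
            while j < len(events) and events[j].ts <= deadline and events[j].category != cat:
                j += 1
            if j >= len(events) or events[j].ts > deadline:
                break
            chain.append(events[j])
            j += 1
        else:
            return chain  # every step of the sequence was found in order
    return None


def correlate(anomalies: List[Anomaly], models: List[ThreatModel]) -> List[ThreatHit]:
    """Group anomalies per entity (time-ordered) and test each threat model."""
    by_entity: Dict[str, List[Anomaly]] = {}
    for a in sorted(anomalies, key=lambda a: a.ts):
        by_entity.setdefault(a.entity, []).append(a)
    hits: List[ThreatHit] = []
    for entity, events in by_entity.items():
        for m in models:
            chain = find_chain(events, m.sequence, m.window)
            if chain is None:
                continue
            start, end = chain[0].ts, chain[0].ts + m.window
            extras = [e for e in events
                      if start <= e.ts <= end and e.category in m.along_with]
            if not m.along_with <= {e.category for e in extras}:
                continue  # "along with" condition not satisfied inside the window
            evidence = chain + [e for e in extras if e not in chain]
            hits.append(ThreatHit(m.name, entity, evidence, sum(e.score for e in evidence)))
    return hits


# Constructed sample anomalies (assumed entities and category names).
T0 = datetime(2016, 8, 1, 9, 0)
SAMPLE = [
    Anomaly(T0, "alice", "blacklisted_domain_access", 3),
    Anomaly(T0 + timedelta(minutes=5), "alice", "unusual_geolocation", 2),
    Anomaly(T0 + timedelta(minutes=20), "alice", "outgoing_connection", 2),
    Anomaly(T0, "bob", "outgoing_connection", 2),                     # wrong order: no hit
    Anomaly(T0 + timedelta(minutes=30), "bob", "blacklisted_domain_access", 3),
    Anomaly(T0, "host-17", "beaconing", 4),                           # no geolocation anomaly
    Anomaly(T0 + timedelta(hours=2), "host-17", "outgoing_connection", 2),
    Anomaly(T0, "host-42", "beaconing", 4),                           # follow-up outside window
    Anomaly(T0 + timedelta(days=3), "host-42", "outgoing_connection", 2),
    Anomaly(T0 + timedelta(days=3), "host-42", "unusual_geolocation", 2),
]
MODELS = [
    ThreatModel("Compromised Account",
                ["blacklisted_domain_access", "outgoing_connection"], {"unusual_geolocation"}),
    ThreatModel("Compromised Device",
                ["beaconing", "outgoing_connection"], {"unusual_geolocation"}),
]


def run_sample() -> List[ThreatHit]:
    return correlate(SAMPLE, MODELS)


if __name__ == "__main__":
    for h in run_sample():
        print(f"{h.threat} on {h.entity} (risk {h.risk}): "
              + ", ".join(f"{e.category}@{e.ts:%H:%M}" for e in h.evidence))
```

Only alice produces a hit on the sample: bob's anomalies occur in the wrong order, host-17 lacks the co-occurring geolocation anomaly, and host-42's follow-up falls outside the window. Those three negative cases are the reason chaining anomalies is worth more than alerting on each one alone: a single beaconing or blacklisted-domain anomaly is noise on its own, and the ordered, windowed combination is what carries the risk score.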
![Page 33: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/33.jpg)
Enhanced Threat Detection
Visibility and baseline metrics for users, devices, applications and protocols; dynamic peer groups; assess the individual user risk; new/enhanced models: device model, USB activity, unusual activity time, lateral movement, and unusual file access
30+ new metrics
USER CENTRIC, DEVICE CENTRIC, APPLICATION CENTRIC, PROTOCOL CENTRIC
![Page 34: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/34.jpg)
UBA Demo
![Page 35: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/35.jpg)
The 7th Annual Splunk Worldwide Users’ Conference
SEPT 26-29, 2016, WALT DISNEY WORLD, ORLANDO, SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
![Page 36: SplunkLive Sydney Enterprise Security & User Behavior Analytics](https://reader031.fdocuments.in/reader031/viewer/2022022413/58ed6c451a28ab09358b4689/html5/thumbnails/36.jpg)
Thank You!