Webinar: What's New in the Splunk App for Enterprise Security
Transcript of the webinar "Neues zur Splunk App for Enterprise Security" (What's New in the Splunk App for Enterprise Security)
![Page 1: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/1.jpg)
Copyright © 2015 Splunk Inc.
The Splunk App for Enterprise Security
Holger Sesterhenn, Sen. Sales Engineer, CISSP
Matthias Maier, Security Product Marketing, EMEA
![Page 2: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/2.jpg)
Your Webcast Team
Matthias Maier, Security Product Marketing, EMEA
Holger Sesterhenn, Sen. Sales Engineer
![Page 3: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/3.jpg)
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
![Page 4: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/4.jpg)
How Can Splunk Help?
![Page 5: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/5.jpg)
Roadmap Security Strategy
Security Posture
Visual Security Analytics
Advanced Threats
Insider Threat
![Page 6: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/6.jpg)
Roadmap Security Strategy
![Page 7: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/7.jpg)
The Ever-Changing Threat Landscape
67%: victims notified by an external entity
100%: valid credentials were used
229: median number of days before detection
Source: Mandiant M-Trends Report 2012/2013/2014
![Page 8: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/8.jpg)
Traditional Security Strategy
Intrusion Detection
Firewall
Data Loss Prevention
Anti-Malware
Vulnerability Scans
Authentication
![Page 9: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/9.jpg)
Connect the Dots Across All Data
Servers
Storage
Desktops
Email
Web
Transaction Records
Network Flows
Hypervisor
Custom Apps
Physical Access
Badges
Threat Intelligence
Mobile
CMDB
DHCP/DNS
Intrusion Detection
Firewall
Data Loss Prevention
Anti-Malware
Vulnerability Scans
Authentication
![Page 10: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/10.jpg)
Connecting the “Data Dots” via Multiple/Dynamic Relationships
Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Auth—User Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Kill chain stages: delivery, exploit installation; gain trusted access; upgrade (escalate), lateral movement; data gathering, exfiltration; persist, repeat
![Page 11: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/11.jpg)
Analytics-Driven Security
Risk Based Context and Intelligence
Connecting Data and People
![Page 12: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/12.jpg)
Sample: Nasdaq - Heartbleed
![Page 13: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/13.jpg)
Security Intelligence Use Cases
Complement, replace and go beyond traditional SIEMs
SECURITY & COMPLIANCE REPORTING
REAL-TIME MONITORING OF KNOWN THREATS
MONITORING OF UNKNOWN THREATS
INCIDENT INVESTIGATIONS & FORENSICS
FRAUD DETECTION
INSIDER THREAT
![Page 14: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/14.jpg)
Roadmap Security Strategy • Connecting Data and People
Security Posture
![Page 15: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/15.jpg)
15
What’s New in Splunk App for Enterprise Security 3.3

| Benefit | Feature |
| --- | --- |
| Better Detection of Advanced Threats | STIX/TAXII & OpenIOC threat intelligence; IOC/artifacts research |
| Improved Collaboration | Export correlation searches, KSIs, swim lanes |
| Better Detection of Malicious Insiders | User activity monitoring dashboard and swim lanes; access anomalies |
| Faster Incident Response | Added functionality to Incident Response page |
![Page 16: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/16.jpg)
Roadmap Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics
![Page 17: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/17.jpg)
Roadmap Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats
![Page 18: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/18.jpg)
http://stixproject.github.io/about/
![Page 19: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/19.jpg)
STIX/TAXII and OpenIOC 101
• Info sharing across companies and industries
• Standardized XML
• Contains TTPs, IOCs, COA
• IOCs include IPs, web/e-mail domains, hashes, processes, registry keys, certificates
• http://stixproject.github.io/about/
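To make the “standardized XML” point concrete, here is an added example (not code from the webinar, and not Splunk's own threat intelligence framework) that parses a constructed STIX 1.1 package with three CybOX observables into flat IP, domain and hash lists and matches them against constructed proxy and endpoint log lines, which is the basic threat-list match a SIEM performs on such a feed. The package, the log lines, the indicator titles and the IOC values are all constructed; the element and attribute names follow the public STIX 1.x and CybOX 2.x schemas.

```python
"""Parse a STIX 1.x package into flat IOC lists and match them against log
lines. Added example: the STIX document, the log lines, the indicator titles
and the IOC values are constructed for illustration, not real threat data."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed STIX 1.1 package: three indicators, each with one CybOX
# observable (IPv4 address, domain name, SHA256 file hash).
STIX_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" id="example:Package-1" version="1.1.1">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Title>Constructed C2 relay address</indicator:Title>
   <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>203.0.113.45</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Title>Constructed C2 relay domain</indicator:Title>
   <indicator:Observable id="example:Observable-2"><cybox:Object id="example:Object-2">
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
     <DomainNameObj:Value>bad-relay.example.net</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
   <indicator:Title>Constructed dropper</indicator:Title>
   <indicator:Observable id="example:Observable-3"><cybox:Object id="example:Object-3">
    <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
     <cyboxCommon:Type>SHA256</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>4f2a9c1b7e6d5a3f8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

LOG_LINES = [  # constructed proxy and endpoint events in key=value form
    '2015-03-02T10:01:02Z user=jdoe src=10.1.2.3 dest_ip=203.0.113.45 url="http://203.0.113.45/gate.php" status=200',
    '2015-03-02T10:03:15Z user=asmith src=10.1.2.9 dest_ip=198.51.100.7 url="http://www.example.com/" status=200',
    '2015-03-02T10:05:44Z user=jdoe src=10.1.2.3 dest_ip=198.51.100.20 url="http://cdn.bad-relay.example.net/update" status=200',
    '2015-03-02T10:07:00Z user=mmuster host=WS-011 file_name=setup.exe file_hash=4F2A9C1B7E6D5A3F8B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A',
]

def _local(tag):
    """'{namespace}Name' -> 'Name', so the walk does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]

def parse_stix(xml_text):
    """{"ip": {value: title}, "domain": {...}, "hash": {...}} from every Indicator.
    The xsi:type of cybox:Properties names the object type; prefixes are ignored."""
    iocs = {"ip": {}, "domain": {}, "hash": {}}
    for ind in (e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "Indicator"):
        title = next((e.text.strip() for e in ind.iter() if _local(e.tag) == "Title" and e.text), "untitled")
        for props in (e for e in ind.iter() if _local(e.tag) == "Properties"):
            obj_type = props.get(XSI_TYPE, "").split(":")[-1]
            for e in props.iter():
                name, text = _local(e.tag), (e.text or "").strip()
                if obj_type == "AddressObjectType" and name == "Address_Value":
                    iocs["ip"][text] = title
                elif obj_type == "DomainNameObjectType" and name == "Value":
                    iocs["domain"][text.lower().rstrip(".")] = title
                elif obj_type == "FileObjectType" and name == "Simple_Hash_Value":
                    iocs["hash"][text.lower()] = title
    return iocs

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _fields(line):
    """key=value and key="quoted value" pairs of one log line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def _domain_hit(host, domains):
    """Match the host and each parent domain (never the bare TLD), so a
    sub-domain of a listed FQDN still hits."""
    parts = host.lower().rstrip(".").split(".")
    return next((".".join(parts[i:]) for i in range(len(parts) - 1)
                 if ".".join(parts[i:]) in domains), None)

def match_events(iocs, lines):
    """One hit per (line, IOC type); carries the indicator title and the user."""
    hits = []
    for n, line in enumerate(lines):
        f = _fields(line)
        host = urlparse(f.get("url", "")).hostname
        candidates = [("ip", f.get("dest_ip")),
                      ("domain", _domain_hit(host, iocs["domain"]) if host else None),
                      ("hash", f.get("file_hash", "").lower() or None)]
        for kind, value in candidates:
            if value in iocs[kind]:
                hits.append({"line": n, "type": kind, "value": value,
                             "title": iocs[kind][value], "user": f.get("user")})
    return hits
```

Two details matter in practice: the object type is read from the `xsi:type` attribute of `cybox:Properties`, not from the namespace prefix (feeds use arbitrary prefixes), and the domain match walks parent domains so `cdn.bad-relay.example.net` hits the listed `bad-relay.example.net` while a bare TLD never matches; hashes are lowercased because feeds and endpoint agents disagree on case.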
![Page 20: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/20.jpg)
Threat Intelligence in Splunk
![Page 21: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/21.jpg)
TAXII Services
Source: http://hailataxii.com
![Page 22: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/22.jpg)
Sample TAXII Feeds

| User Community | Organisation |
| --- | --- |
| Cyber Threat XChange | Health Information Trust Alliance |
| Defense Security Information Exchange | Defense Industrial Base Information Sharing and Analysis Organization |
| ICS-ISAC | Industrial Control System Information Sharing and Analysis Center |
| NH-ISAC National Health Cybersecurity Intelligence Platform | National Health Information Sharing and Analysis Center |
| FS-ISAC / Soltra Edge | Financial Services Information Sharing and Analysis Center (FS-ISAC) |
| Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal | Retail Information Sharing and Analysis Center (Retail-ISAC) |

More: http://stixproject.github.io/supporters/
![Page 23: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/23.jpg)
Roadmap Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats • Knowledge Sharing and Adoption
Insider Threat
![Page 24: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/24.jpg)
Detecting Suspicious User Activity
• Spot suspicious user activity
• Malicious insider or external threat using stolen credentials
• High aggregate risk score
• Uploaded data to non-corp sites
• Emailed data to non-corp domains
• Visits to blacklisted sites
• Remote access
• Anomalous help desk ticket
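The bullets above describe a risk-based approach: no single signal is conclusive, but several of them for the same user within a short time are. The following added example (not the app's own code and not Splunk ES's risk framework) scores constructed VPN, proxy, mail and help-desk events per user over a 24-hour window and flags users above a threshold. The corporate domains, the blacklist, the keyword rule that marks a help-desk ticket as anomalous, the per-signal scores, the window and the threshold are all assumed values chosen for the illustration.

```python
"""Aggregate per-user risk from the suspicious-activity signals listed above
and flag users whose total over a time window crosses a threshold. Added
example with constructed events; scores, window and threshold are assumed
values for illustration, not Splunk ES defaults."""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAINS = {"corp.example"}                 # assumed: the organisation's own domains
BLACKLISTED_SITES = {"paste.example.net"}       # assumed: blocked sites
PRIVILEGE_WORDS = ("admin", "shared account")   # assumed: words that make a ticket unusual
RISK_SCORE = {"upload_noncorp": 40, "email_noncorp": 30, "blacklisted_site": 20,
              "remote_access": 10, "helpdesk_anomaly": 20}   # assumed per-signal scores
WINDOW_END = datetime.fromisoformat("2015-03-02T12:00:00")   # assumed evaluation time

EVENTS = [  # constructed, normalised events from VPN, proxy, mail and ticketing logs
    {"time": "2015-03-02T08:15:00", "user": "jdoe", "type": "vpn", "action": "login"},
    {"time": "2015-03-02T09:02:00", "user": "jdoe", "type": "web", "action": "upload",
     "dest_host": "share.example.net", "bytes_out": 52000000},
    {"time": "2015-03-02T09:10:00", "user": "jdoe", "type": "email",
     "recipient": "someone@mail.example.org", "attachments": 3},
    {"time": "2015-03-02T09:30:00", "user": "jdoe", "type": "web", "action": "get",
     "dest_host": "paste.example.net"},
    {"time": "2015-03-02T11:00:00", "user": "jdoe", "type": "helpdesk",
     "subject": "Please reset the shared account password for the build admin"},
    {"time": "2015-02-27T09:30:00", "user": "jdoe", "type": "web", "action": "get",
     "dest_host": "paste.example.net"},          # older than the window: must not count
    {"time": "2015-03-02T09:05:00", "user": "asmith", "type": "web", "action": "upload",
     "dest_host": "share.example.net", "bytes_out": 900000},
    {"time": "2015-03-02T09:06:00", "user": "asmith", "type": "email",
     "recipient": "team@corp.example", "attachments": 1},
]

def _is_corp(name):
    """True for a corporate domain or any host under one."""
    d = name.lower()
    return any(d == c or d.endswith("." + c) for c in CORP_DOMAINS)

def signals(ev):
    """Names of the risk signals one event raises (an event may raise several)."""
    out = []
    if ev["type"] == "web" and ev.get("action") == "upload" and not _is_corp(ev["dest_host"]):
        out.append("upload_noncorp")
    if ev["type"] == "web" and ev["dest_host"].lower() in BLACKLISTED_SITES:
        out.append("blacklisted_site")
    if ev["type"] == "email" and not _is_corp(ev["recipient"].rsplit("@", 1)[-1]):
        out.append("email_noncorp")
    if ev["type"] == "vpn" and ev.get("action") == "login":
        out.append("remote_access")
    if ev["type"] == "helpdesk" and any(w in ev["subject"].lower() for w in PRIVILEGE_WORDS):
        out.append("helpdesk_anomaly")
    return out

def risk_by_user(events, window_end, window_hours=24):
    """Sum scores per user for events inside [window_end - window, window_end]."""
    start = window_end - timedelta(hours=window_hours)
    risk = defaultdict(lambda: {"score": 0, "signals": []})
    for ev in events:
        if not (start <= datetime.fromisoformat(ev["time"]) <= window_end):
            continue
        for s in signals(ev):
            risk[ev["user"]]["score"] += RISK_SCORE[s]
            risk[ev["user"]]["signals"].append(s)
    return dict(risk)

def flagged_users(risk, threshold=80):
    """Users at or above the (assumed) threshold, highest risk first."""
    return sorted((u for u, r in risk.items() if r["score"] >= threshold),
                  key=lambda u: -risk[u]["score"])

def report(events=EVENTS, window_end=WINDOW_END):
    """Per-user risk plus the list of users that deserve an analyst's attention."""
    risk = risk_by_user(events, window_end)
    return risk, flagged_users(risk)
```

The point of the window is that a single upload to a file-sharing site (asmith, 40) stays below the threshold, while the same upload combined with remote access, outbound mail, a blacklisted site and an odd ticket from one account in one morning (jdoe, 120) is what the slide calls a high aggregate risk score; the visit from several days earlier is deliberately excluded so stale signals do not keep a user flagged.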
![Page 25: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/25.jpg)
Roadmap Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats • Knowledge Sharing and Adoption
Insider Threat • Stop Data Breaches
![Page 26: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/26.jpg)
Case Study: Telenor
Norway's largest telecom services provider, 160 million mobile subscribers globally
Challenges:
– Millions of customers, thousands of servers and routers, and missing details in operational tasks.
– Communication between departments was challenging.
– Errors and issues sporadically slipped through unnoticed.
Breakthroughs:
– Team noticed webmail accounts being abused to send hundreds of thousands of SMS messages abroad
– Baselining normal behaviour and tracking deviation from it
– Understanding attackers and their behaviour in order to take them down proactively
![Page 27: Webinar: Neues zur Splunk App for Enterprise Security](https://reader030.fdocuments.in/reader030/viewer/2022032619/55c4a4e1bb61ebfc0a8b45b6/html5/thumbnails/27.jpg)
Thank You! Q&A