Splunk Corporate Presentation Template · 2019-04-10 · Splunk Analytics-Driven Security Real-Time Machine Data References –Coded fields, mappings, aliases Dynamic information


Page 1

Splunk Data Platform

Denise Roca / [email protected]

Software Manager

Page 2

© 2017 SPLUNK INC.

This digital evolution is changing everything

There’s an explosion of data beyond anything our world has experienced

3D PRINTING · SMART CITIES · CLOUD · DRONES · MACHINE LEARNING · SELF-DRIVING EVERYTHING · AUTONOMOUS EVERYTHING · SMART PHONES · SMART APPLIANCES · SMART BUILDINGS

Page 3


How do we turn the data of an evolving world into MEANINGFUL BUSINESS OUTCOMES?

Page 4


The traditional approach to managing complexity: building relational, structured databases and heavy integrations

Never Change! (or face never-ending integration and MDM projects)

Hardened systems and databases

Attempt to gather all present and future requirements

Page 5

Machine data is messy and unpredictable

You don’t always know which questions to ask

Requires massive scale

But the traditional approach can’t adapt to digital evolution

Your structured systems miss critical business outcomes

Page 6


Splunk delivers a holistic approach to turning data into business outcomes

Any User, Anywhere: Security, IT, Business Users, IoT, Developers

Powered by AI and ML

Access to Expanding Data Universe: On-Premises, Cloud

Page 7

Splunk Analytics-Driven Security

Real-Time Machine Data

References – Coded fields, mappings, aliases

Dynamic information – Stored in non-traditional formats

Environmental context – Human maintained files, documents

System/application – Available only using application request

Intelligence/analytics – Indicators, anomaly, research, white/blacklist

Deployment: On-Premises, Private Cloud, Public Cloud

Data sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, NGFW, Firewall, Intrusion Prevention, Threat Intelligence

Index Untapped Data: Any Source, Type, Volume

Custom dashboards · Report and analyze · Monitor and alert · Developer Platform · Ad hoc search

Page 8

Splunk Features

▶ Search and investigate – Search and navigate all of your machine data in real time

▶ Correlate and analyze – Easily find relationships between events or activities. Correlate based on time, location, or custom search results.

▶ Monitor and alert – Prioritize investigation + response with threshold based alerting

▶ Visualize and report – Visualize long-term and historical trends; build reports and dashboards suited to any business, operational, or security need.

Page 9

Security Investigation

Page 10

Developing an Investigative Mindset

ALERT → What happened? → Who was involved? → When did it start? → Where was it seen? → How did it get in? → How do I contain it?

What specific questions do I want answered?

Where do I look?

What is the logic / methodology to apply?

What’s an example?

Page 11

Investigative Mindset – Questions to Ask

Question: Why did an alert trigger? Has a system actually been compromised?

Logic: Search for events that match alert criteria and similar events leading up to the alert

Example: Find all failed authentication attempts by a user

Data: Endpoint logs, Authentication logs, Network logs, Threat intelligence


Page 12

Investigative Mindset – Questions to Ask


Question: What accounts / users are associated with that system?

Logic: Determine event to identity mapping

Example: John’s account attempted to access a system it has never logged into before

Data: Identity system, Authentication logs


Page 13

Investigative Mindset – Questions to Ask


Question: What does the timeline of activities leading up to and during the alert look like?

Logic: Histogram and timeline

Example: Widen search to look over a wider set of historical data

Data: All Available Data


Page 14

Investigative Mindset – Questions to Ask


Question: What devices / assets are associated with the alert?

Logic: Determine event to asset mapping

Example: IP 10.1.12.12 has the hostname of DC-Seltzer, is a Windows 10 Workstation and has 2 critical vulnerabilities

Data: Endpoint, Network devices, CMDB/Asset


Page 15

Investigative Mindset – Questions to Ask


Question: Is there a logical connection to other activity, IPs, hosts, malware, or other alerts?

Logic: Search network and host event logs to determine initial entry

Example: USB key opened an infected ransomware file, user email indicates victim of spear phishing

Data: Endpoint, Network devices, Web proxy, Mail proxy, DNS, Authentication


Page 16

Investigative Mindset – Questions to Ask


Question: Has the attack progressed beyond system infection?

Logic: Identify whether malware has spread

Example: Observe indicators on other hosts or on the network

Data: Threat intelligence, Endpoint, Firewall, Web proxy, Mail proxy, Wire data

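As an added example (not from the slides), the logic of the question table above worked through in Python over a handful of constructed authentication events: failed attempts by a user, event-to-asset mapping through a CMDB, first-time access by an account, and an hourly timeline. The key=value log format, the CMDB entries and the baseline of known access are assumptions; the slide's sample host 10.1.12.12 / DC-Seltzer is reused.

```python
from collections import Counter
from datetime import datetime

# Constructed sample authentication events (the key=value format is an assumption).
AUTH_LOGS = [
    "2019-04-10T08:01:10Z user=john src=10.1.12.12 dest=fileserver01 action=failure",
    "2019-04-10T08:01:15Z user=john src=10.1.12.12 dest=fileserver01 action=failure",
    "2019-04-10T08:01:20Z user=john src=10.1.12.12 dest=fileserver01 action=failure",
    "2019-04-10T08:02:05Z user=john src=10.1.12.12 dest=fileserver01 action=success",
    "2019-04-10T09:30:00Z user=john src=10.1.12.12 dest=hr-db01 action=success",
    "2019-04-10T09:31:00Z user=alice src=10.1.12.40 dest=hr-db01 action=success",
]
# Constructed CMDB / asset inventory; the slide's sample host is reused.
CMDB = {
    "10.1.12.12": {"host": "DC-Seltzer", "os": "Windows 10 Workstation", "critical_vulns": 2},
    "10.1.12.40": {"host": "LT-Alice", "os": "Windows 10 Workstation", "critical_vulns": 0},
}
# Constructed baseline: hosts each account had logged into before the alert.
KNOWN_ACCESS = {"john": {"fileserver01"}, "alice": {"hr-db01"}}

def parse(line):
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def failed_auth_by_user(events, user):
    """What happened? Events matching the alert criteria."""
    return [e for e in events if e["user"] == user and e["action"] == "failure"]

def asset_for(ip):
    """Where was it seen? Event-to-asset mapping through the CMDB."""
    return CMDB.get(ip, {"host": "unknown", "os": "unknown", "critical_vulns": None})

def first_time_access(events, user):
    """Who was involved? Hosts the account has never logged into before."""
    logged_in = {e["dest"] for e in events if e["user"] == user and e["action"] == "success"}
    return sorted(logged_in - KNOWN_ACCESS.get(user, set()))

def timeline(events, user):
    """When did it start? Per-hour histogram of the user's activity."""
    return dict(Counter(e["time"].strftime("%H:00") for e in events if e["user"] == user))

def investigate(user):
    events = [parse(line) for line in AUTH_LOGS]
    failures = failed_auth_by_user(events, user)
    return {"failed_attempts": len(failures),
            "assets": sorted({asset_for(e["src"])["host"] for e in failures}),
            "first_time_hosts": first_time_access(events, user),
            "timeline": timeline(events, user)}
```

Calling investigate("john") returns three failed attempts from DC-Seltzer, a first-time login to hr-db01, and a timeline concentrated in the 08:00 hour, which is the shape of answer each row of the table asks for.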

Page 17

Security Intelligence Use Cases

Fraud Detection · Compliance · Security Monitoring · Incident Investigation & Forensics · Advanced Threat Detection · SOC Automation · Insider Threat · Incident Response

Page 18

SOURCE: Center for Internet Security

https://www.cisecurity.org/critical-controls.cfm

Answer: Start with Top 5 CIS Controls

Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.

Page 19

CIS Critical Security Controls

https://splunkbase.splunk.com/app/3064/#/overview

https://www.splunk.com/goto/Top20CSC

Page 20

THANK YOU

Log, I am your father