2017 SPLUNK INC. 2017 SPLUNK INC. 2017 SPLUNK INC.
Splunk for Cyber Security
Cyber Security Trade Mission to Canada
Sebastien Ferreira
Director of Sales, Federal and Eastern Canada
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.
Cyber Criminals
Malicious Insiders
Nation States
Advanced Threats Are Hard To Find
Threat actors: Cyber Criminals, Nation States, Insider Threats
100%   Valid credentials were used
40     Average # of systems accessed
229    Median # of days before detection
67%    Of victims were notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014
Advanced Threats are Hard to Find
Attack Approach (the threat)          Security Approach
Human directed                        Fusion of people, process & technology
Goal-oriented                         Contextual and behavioral
Dynamic (adjust to changes)           Rapid learning and response
Coordinated                           Share info & collaborate
Multiple tools & activities           Analyze all data for relevance
New evasion techniques                Leverage IOC & Threat Intel
Both columns are framed along the same three dimensions: Technology, People, Process.
Advanced Threats are Hard to Find
Analytics-driven Security
Connecting Data and People
Risk-Based Context and Intelligence
Top Goals
Continuously protect the business against: Data Breaches, Malware, Fraud, IP Theft
Comply with audit requirements
Provide enterprise visibility
Top Splunk Benefits
70% to 90% improvement in detection and research of events
70% to 95% reduction in security incident investigation
10% to 30% reduction in risks associated with data breaches, fraud and IP theft
70% to 90% reduction in compliance labor
Advanced Threats are Hard to Find
Traditional security data: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Other data sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
Solution: Splunk, the Engine for Machine Data
Capabilities: Custom dashboards; Report and analyze; Monitor and alert; Developer platform; Ad hoc search
Real-time machine data from on-premises, private cloud and public cloud sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Supplementary context:
  References               Coded fields, mappings, aliases
  Dynamic information      Stored in non-traditional formats
  Environmental context    Human-maintained files, documents
  System/application       Available only using application request
  Intelligence/analytics   Indicators, anomaly, research, white/blacklist
Security Intelligence Use Cases: Complement, replace and go beyond traditional SIEMs
Security & Compliance Reporting
Real-time Monitoring of Known Threats
Detecting Unknown Threats
Fraud Detection
Insider Threat
Incident Investigations & Forensics
Connect the Data-Dots to See the Whole Story
Kill chain stages: Delivery, Exploit, Installation, Gain Trusted Access, Upgrade (escalate), Lateral Movement, Data Gathering, Exfiltration, Persist, Repeat
Threat Intelligence
  Tells you: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
  Sources: Third-party Threat Intel, Open source blacklist, Internal threat intelligence
Network Activity/Security
  Tells you: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
  Sources: Firewall, IDS / IPS, Vulnerability scanners, Web Proxy, NetFlow, Network
Host Activity/Security
  Tells you: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
  Sources: Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching
Auth - User Roles
  Tells you: access level, privileged users, likelihood of infection, where they might be in the kill chain
  Sources: Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO
Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
[Figure: two intrusion paths, one starting from a phishing email (EMAIL) and one from a download from an infected site (WEB), traced across the stages Delivery, Exploitation & Installation, Command & Control, Accomplish Mission. Numbered steps 1 to 8 mark the analyst's pivots between Threat Intelligence Data, Host or ETDR Data, and Web or Firewall Data.]
Data rows: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security, fed by the same sources listed on the previous slide (threat intel feeds, firewall, IDS / IPS, vulnerability scanners, web proxy, NetFlow, endpoint, malware detection, PCLM, DHCP, OS logs, patching, Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO)
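The two slides above describe one technique: start from a hit in any one data row (a threat-intel match in web or firewall data, for instance), pivot through DHCP to the host, through endpoint logs to the process and its owner, and through the directory to the user's role, then lay the evidence out along the kill chain. The following example is added for this edit and is not code from the deck or from Splunk (Splunk itself would express this as SPL searches over indexed events with lookups); it implements the same correlation in plain Python. All records, field names, hostnames, addresses and the 10 MB "large transfer" threshold are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample data (not from the deck). One workstation visits a site flagged
# by threat intel, shows a new process and Run-key write, then talks to a C2 relay.
THREAT_INTEL: Dict[str, str] = {          # indicator -> description (third-party/OSINT/internal feeds)
    "malware-cdn.example": "infected site",
    "198.51.100.23": "known C2 relay",
}
PROXY_LOGS = [                            # web proxy / firewall data (network row)
    {"ts": 100, "src_ip": "10.0.5.17", "dest": "intranet.example", "bytes_out": 512},
    {"ts": 120, "src_ip": "10.0.5.17", "dest": "malware-cdn.example", "bytes_out": 300},
    {"ts": 150, "src_ip": "10.0.9.3", "dest": "news.example", "bytes_out": 200},
    {"ts": 400, "src_ip": "10.0.5.17", "dest": "198.51.100.23", "bytes_out": 900},
    {"ts": 700, "src_ip": "10.0.5.17", "dest": "198.51.100.23", "bytes_out": 52_000_000},
]
DHCP_LEASES = [                           # DHCP data (host row): ip -> host, valid from ts onwards
    {"ts": 0, "ip": "10.0.5.17", "host": "WS-0042"},
    {"ts": 0, "ip": "10.0.9.3", "host": "WS-0107"},
    {"ts": 900, "ip": "10.0.5.17", "host": "WS-0200"},   # lease re-issued after the incident
]
ENDPOINT_EVENTS = [                       # endpoint / OS logs (host row)
    {"ts": 130, "host": "WS-0042", "kind": "process", "detail": "updater.exe", "owner": "jdoe"},
    {"ts": 135, "host": "WS-0042", "kind": "registry", "detail": "Run key added", "owner": "jdoe"},
    {"ts": 140, "host": "WS-0107", "kind": "process", "detail": "outlook.exe", "owner": "asmith"},
]
DIRECTORY: Dict[str, List[str]] = {       # Active Directory / LDAP (auth row): user -> groups
    "jdoe": ["Domain Users", "Domain Admins"],
    "asmith": ["Domain Users"],
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
EXFIL_BYTES = 10_000_000                  # assumed threshold for a "large outbound transfer"


def host_for_ip(ip: str, ts: int, leases: List[dict]) -> Optional[str]:
    """Map an IP back to a hostname using the DHCP lease in force at time ts.
    Taking the latest lease with ts <= event time avoids blaming a host that
    received the same address only after the event."""
    live = [lease for lease in leases if lease["ip"] == ip and lease["ts"] <= ts]
    return max(live, key=lambda lease: lease["ts"])["host"] if live else None


def stage_for_proxy_event(ev: dict, intel: Dict[str, str]) -> Optional[str]:
    """Assign a kill-chain stage to a proxy event that matches a threat-intel indicator;
    events with no indicator match return None and are left out of the story."""
    desc = intel.get(ev["dest"])
    if desc is None:
        return None
    if desc == "infected site":
        return "Delivery"
    if ev["bytes_out"] >= EXFIL_BYTES:
        return "Accomplish Mission (exfiltration)"
    return "Command & Control"


def is_privileged(user: str, directory: Dict[str, List[str]]) -> bool:
    """Auth row: does the user hold a privileged group membership?"""
    return bool(PRIVILEGED_GROUPS & set(directory.get(user, [])))


def correlate(proxy_logs, intel, leases, endpoint_events, directory) -> dict:
    """Start from threat-intel hits in network data, pivot to hosts via DHCP,
    then to endpoint activity on those hosts, and finally to the user's role."""
    timeline = []
    for ev in proxy_logs:
        stage = stage_for_proxy_event(ev, intel)
        if stage:
            timeline.append({"ts": ev["ts"], "stage": stage, "source": "web/firewall",
                             "host": host_for_ip(ev["src_ip"], ev["ts"], leases),
                             "evidence": f"{ev['dest']} ({intel[ev['dest']]})"})
    hosts = {t["host"] for t in timeline if t["host"]}
    users = set()
    for ev in endpoint_events:
        if ev["host"] in hosts:              # only pivot into hosts already implicated
            users.add(ev["owner"])
            timeline.append({"ts": ev["ts"], "stage": "Exploitation & Installation",
                             "source": "endpoint", "host": ev["host"],
                             "evidence": f"{ev['kind']}: {ev['detail']} (owner {ev['owner']})"})
    timeline.sort(key=lambda t: t["ts"])    # read the story in kill-chain (time) order
    return {"hosts": hosts, "users": users,
            "privileged_users": {u for u in users if is_privileged(u, directory)},
            "timeline": timeline}


if __name__ == "__main__":
    result = correlate(PROXY_LOGS, THREAT_INTEL, DHCP_LEASES, ENDPOINT_EVENTS, DIRECTORY)
    for t in result["timeline"]:
        print(f"t={t['ts']:>4} {t['stage']:<34} {str(t['host']):<8} {t['source']:<13} {t['evidence']}")
    print("privileged users involved:", result["privileged_users"])
```

Two details carry the defender's point. The DHCP join is time-aware, so the lease issued at t=900 to WS-0200 does not get blamed for traffic at t=700; a naive IP-to-host lookup is the most common way such a reconstruction goes wrong. And the final pivot into the directory turns "a host beaconed" into "a Domain Admin's workstation beaconed", which is the risk-based context the deck's "Auth - User Roles" row is there to supply.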
Security Ecosystem for Coverage and Protection
Kill chain stages: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission
Data rows: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security
Limitations of Existing SIEMs
Limited view of security threats. Difficult to collect non-security data; costly, custom collectors; data store schema
Inflexible search/reporting hampers investigations and threat detection
Scale/speed issues impede ability to do big data analytics
Difficult to deploy and manage; often multiple products
Splunk Key Differentiators vs Traditional SIEMs
Single product, UI, data store
Software-only; install on commodity hardware
Quick deployment + ease-of-use = fast time-to-value
Can index any data type
All original/raw data indexed and searchable
Big data architecture enables scale and speed
Flexible search and reporting enables better/faster threat investigations and detection
Open platform with API, SDKs, Apps
Use cases beyond security/compliance
Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
Dashboards & Reports I