
Page 1: Splunk for Security - · PDF fileSplunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases Splunk Positioned as a Leader Gartner 2016 Magic Quadrant

© 2017 SPLUNK INC.

Splunk for Cyber Security

Cyber Security Trade Mission to Canada

Sebastien Ferreira

Director of Sales, Federal and Eastern Canada

Page 2:

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

THIS SLIDE IS REQUIRED FOR ALL 3RD-PARTY PRESENTATIONS.

Page 3:

Cyber Criminals

Malicious Insiders

Nation States

Page 4:

Advanced Threats Are Hard To Find

Threat actors: Cyber Criminals, Nation States, Insider Threats

• 100%: valid credentials were used
• 40: average # of systems accessed
• 229: median # of days before detection
• 67%: of victims were notified by an external entity

Source: Mandiant M-Trends Report 2012/2013/2014

Page 5:

Advanced Threats are Hard to Find

Threat (Attack Approach):
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Security Approach (Technology, People, Process):
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel

Page 6:

Advanced Threats are Hard to Find

Threat (Attack Approach):
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Security Approach (Technology, People, Process):
• Analytics-driven Security
• Connecting Data and People
• Risk-Based Context and Intelligence

Page 7:

Advanced Threats are Hard to Find

Top Goals:
▶ Continuously protect the business against:
  • Data Breaches
  • Malware
  • Fraud
  • IP Theft
▶ Comply with audit requirements
▶ Provide enterprise visibility

Top Splunk Benefits:
▶ 70% to 90% improvement with detection and research of events
▶ 70% to 95% reduction in security incident investigation
▶ 10% to 30% reduction in risks associated with data breaches, fraud and IP theft
▶ 70% to 90% reduction in compliance labor

Page 8:

Advanced Threats are Hard to Find

Data sources that hold evidence of advanced threats:
• Servers
• Storage
• Desktops
• Email
• Web
• Transaction Records
• Network Flows
• DHCP / DNS
• Hypervisor
• Custom Apps
• Physical Access
• Badges
• Threat Intelligence
• Mobile
• CMDB

Traditional security sources:
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication

Page 9:

Solution: Splunk, the Engine for Machine Data

Platform capabilities:
• Custom dashboards
• Report and analyze
• Monitor and alert
• Developer Platform
• Ad hoc search

Context and enrichment sources:
• References – coded fields, mappings, aliases
• Dynamic information – stored in non-traditional formats
• Environmental context – human-maintained files, documents
• System/application – available only using application request
• Intelligence/analytics – indicators, anomaly, research, white/blacklist

Real-Time Machine Data (On-Premises, Private Cloud, Public Cloud):
• Storage
• Online Shopping Cart
• Telecoms
• Desktops
• Security
• Web Services
• Networks
• Containers
• Web Clickstreams
• RFID
• Smartphones and Devices
• Servers
• Messaging
• GPS Location
• Packaged Applications
• Custom Applications
• Online Services
• Databases
• Call Detail Records
• Energy Meters
• Firewall
• Intrusion Prevention

Page 10:

Security Intelligence Use Cases: Complement, replace and go beyond traditional SIEMs

• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Detecting Unknown Threats
• Fraud Detection
• Insider Threat
• Incident Investigations & Forensics

Page 11:

Connect the "Data-Dots" to See the Whole Story

Kill chain stages (columns): Delivery, Exploit; Installation; Gain Trusted Access; Upgrade (escalate); Lateral Movement; Data Gathering; Exfiltration; Persist, Repeat

Data rows, what each answers, and the sources that feed it:

Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
  • Third-party Threat Intel
  • Open source blacklist
  • Internal threat intelligence

Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
  • Firewall
  • IDS / IPS
  • Vulnerability scanners
  • Web Proxy
  • NetFlow
  • Network

Host Activity/Security: what process is running (malicious, abnormal, etc.); process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
  • Endpoint (AV/IPS/FW)
  • Malware detection
  • PCLM
  • DHCP
  • OS logs
  • Patching

Auth - User Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
  • Active Directory
  • LDAP
  • CMDB
  • Operating System
  • Database
  • VPN, AAA, SSO

Page 12:

Start Anywhere, Analyze Up-Down-Across-Backwards-Forward

Kill chain stages: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission
Data rows: Threat Intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security

[Diagram: an intrusion that begins either with a phishing email or with a download from an infected site (web) is traced in eight numbered steps across Threat Intelligence Data, Host or ETDR Data and Web or Firewall Data, pivoting between the rows and stages above.]

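The two slides above describe the same workflow: start from any one indicator, then pivot backwards and forwards across the threat-intelligence, network, host and auth rows until the whole kill chain is visible, and weight the result by who and what is involved. The following Python is an added example, not code from the Splunk deck or from Splunk Enterprise Security, that performs that correlation over a handful of constructed events: a web-proxy request to a domain on a threat-intel C2 list is the starting point; DHCP leases resolve the source IP to a host; process-creation events on that host are checked against a hash list; logons originating from the host are pulled forward in time; and a risk score is computed from the stages found. Every hostname, user, domain, hash, timestamp and scoring weight is a constructed assumption.

```python
"""Correlating threat intel, network, host and auth data along the kill chain.

Added example, not code from the Splunk deck or from Splunk Enterprise
Security. Every indicator, event, host, user and domain below is constructed
for illustration; the scoring weights are assumptions, not Splunk's.
"""
from datetime import datetime, timedelta

# Threat Intelligence row: constructed indicators of compromise.
C2_DOMAINS = {"update-cdn-files.example": "known relay/C2 site"}
DROPPER_SHA256 = "a3" * 32          # placeholder hash, constructed
BAD_HASHES = {DROPPER_SHA256: "dropper"}

# Constructed machine data, one list per row of the slide's source matrix.
EMAIL_LOGS = [  # Delivery
    {"ts": "2017-03-01T09:02:10", "rcpt": "jdoe", "subject": "Invoice 4471",
     "attachment": "invoice.docm"},
]
DHCP_LEASES = [  # Host row: binds an IP to a hostname for a time window
    {"ip": "10.1.5.23", "host": "WS-0423",
     "start": "2017-03-01T08:00:00", "end": "2017-03-01T20:00:00"},
]
ENDPOINT_EVENTS = [  # Host Activity/Security: process creation
    {"ts": "2017-03-01T09:04:41", "host": "WS-0423", "user": "jdoe",
     "process": "winword.exe", "parent": "explorer.exe", "sha256": "b4" * 32},
    {"ts": "2017-03-01T09:04:55", "host": "WS-0423", "user": "jdoe",
     "process": "svchost_update.exe", "parent": "winword.exe",
     "sha256": DROPPER_SHA256},
]
PROXY_LOGS = [  # Network Activity/Security: web proxy
    {"ts": "2017-03-01T09:05:30", "src_ip": "10.1.5.23", "user": "jdoe",
     "dest": "update-cdn-files.example", "bytes_out": 1200},
    {"ts": "2017-03-01T09:05:31", "src_ip": "10.1.5.23", "user": "jdoe",
     "dest": "intranet.example", "bytes_out": 300},
]
AUTH_EVENTS = [  # Auth - User Roles: logons, privilege flag from the directory
    {"ts": "2017-03-01T09:20:02", "user": "jdoe", "src_host": "WS-0423",
     "dest_host": "FS-01", "privileged": False},
    {"ts": "2017-03-01T09:31:17", "user": "svc_backup", "src_host": "WS-0423",
     "dest_host": "DC-01", "privileged": True},
]

STAGE_WEIGHT = {  # assumed risk weights per kill-chain stage
    "Delivery": 10, "Exploitation & Installation": 30,
    "Command & Control": 40, "Accomplish Mission": 50,
}


def _t(s):
    return datetime.fromisoformat(s)


def host_for_ip(ip, ts):
    """Resolve an IP to a hostname via DHCP lease windows (the 'DHCP' source)."""
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and _t(lease["start"]) <= _t(ts) <= _t(lease["end"]):
            return lease["host"]
    return None


def c2_hits(proxy_logs=PROXY_LOGS):
    """'Start anywhere': proxy events whose destination is a threat-intel C2 domain."""
    return [e for e in proxy_logs if e["dest"] in C2_DOMAINS]


def build_kill_chain(hit, window=timedelta(hours=1)):
    """Pivot backwards and forwards from one C2 hit across the other data rows.

    Returns (host, timeline); timeline is a chronologically sorted list of
    (ts, stage, source, description) tuples.
    """
    t0 = _t(hit["ts"])
    lo, hi = t0 - window, t0 + window
    host = host_for_ip(hit["src_ip"], hit["ts"])
    timeline = [(hit["ts"], "Command & Control", "Web Proxy",
                 f"{hit['user']} -> {hit['dest']} ({C2_DOMAINS[hit['dest']]})")]
    # Backwards: how did it get in? Delivery (email) and installation (endpoint).
    for e in EMAIL_LOGS:
        if e["rcpt"] == hit["user"] and lo <= _t(e["ts"]) <= t0:
            timeline.append((e["ts"], "Delivery", "Email",
                             f"{e['rcpt']} received '{e['subject']}' with {e['attachment']}"))
    for e in ENDPOINT_EVENTS:
        if e["host"] == host and lo <= _t(e["ts"]) <= hi and e["sha256"] in BAD_HASHES:
            timeline.append((e["ts"], "Exploitation & Installation", "Endpoint",
                             f"{e['parent']} spawned {e['process']} ({BAD_HASHES[e['sha256']]})"))
    # Forwards: what did it do next? Logons originating from the infected host.
    for e in AUTH_EVENTS:
        if e["src_host"] == host and t0 <= _t(e["ts"]) <= hi:
            tag = " [privileged]" if e["privileged"] else ""
            timeline.append((e["ts"], "Accomplish Mission", "Auth",
                             f"{e['user']} logged on to {e['dest_host']} from {host}{tag}"))
    timeline.sort()  # ISO-8601 strings sort chronologically
    return host, timeline


def risk_score(timeline):
    """Risk-based context: sum stage weights, add 40 if a privileged account appears."""
    score = sum(STAGE_WEIGHT[stage] for _, stage, _, _ in timeline)
    if any("[privileged]" in desc for *_, desc in timeline):
        score += 40
    return score


if __name__ == "__main__":
    for hit in c2_hits():
        host, chain = build_kill_chain(hit)
        print(f"{host}: risk {risk_score(chain)}")
        for ts, stage, source, desc in chain:
            print(f"  {ts}  {stage:<27} [{source}] {desc}")
```

Run as a script it prints the reconstructed timeline for WS-0423 and its score. The two knobs that matter in a real deployment are the pivot window and the weights: a wider window catches slow campaigns at the cost of pulling in unrelated events, and the privileged-account bonus is what turns a commodity infection into a high-priority incident once a service account such as the constructed svc_backup shows up in the auth row.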

Page 13:

Security Ecosystem for Coverage and Protection

Kill chain stages: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission
Data rows: Threat Intelligence; Auth - User Roles; Host Activity/Security; Network Activity/Security

Page 14:

Limitations of Existing SIEMs

▶ Limited view of security threats. Difficult to collect non-security data; costly, custom collectors; data store schema
▶ Inflexible search/reporting hampers investigations and threat detection
▶ Scale/speed issues impede ability to do big data analytics
▶ Difficult to deploy and manage; often multiple products

Page 15:

Splunk Key Differentiators vs Traditional SIEMs

▶ Single product, UI, data store
▶ Software-only; install on commodity hardware
▶ Quick deployment + ease-of-use = fast time-to-value
▶ Can index any data type
▶ All original/raw data indexed and searchable
▶ Big data architecture enables scale and speed
▶ Flexible search and reporting enables better/faster threat investigations and detection
▶ Open platform with API, SDKs, Apps
▶ Use cases beyond security/compliance

Page 16:

Enterprise Security: pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.

• Dashboards & Reports
• Incident Investigations and Management
• Statistical Outliers & Risk Scoring
• Asset & Identity Aware

Page 17:

Risk-based security: Security Posture

Page 18:

Risk-based security: Continuous Monitoring for Security Domains

Page 19:

Risk-based security: Risk-Based Analytics

Page 20:

Risk-based security: Fast Incident Review and Investigation

Page 21:

Broad and Deep Investigation

Page 22:

Adaptive Response: Analytics-Driven Decisions, Automation

▶ Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times
▶ Improve operational efficiency using workflow-based context with automated and human-assisted decisions
▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners

Page 23:

Insight from Across Ecosystem

Effectively leverage security infrastructure to gain a holistic view

Ecosystem categories: Workflow; Identity; Network; Internal Network Security; App; Endpoints; Web Proxy; Threat Intel

Partners shown: Qualys, Recorded Future, Okta, DomainTools, Cyber Ark, Tanium, Carbon Black, ForeScout, RedSeal, AlgoSec, Resolve, CloudLock, Acalvio, Palo Alto Networks, Anomali, Phantom, Cisco, Fortinet, Threat Connect, Ziften, Proofpoint, CrowdStrike, Demisto, OpenDNS, Symantec

Page 24:

Splunk Positioned as a Leader: Gartner 2016 Magic Quadrant for Security Information and Event Management*

▶ Four Years in a Row as a Leader
▶ Furthest overall in Completeness of Vision
▶ Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases

*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 25:

Splunk scores highest in 2016 Critical Capabilities for SIEM* report

*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Page 26:

Thank you