Splunk for Security

Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three Use Cases. Splunk positioned as a Leader in the Gartner 2016 Magic Quadrant.

  • 2017 SPLUNK INC.

    Splunk for Cyber Security

    Cyber Security Trade Mission to Canada

    Sebastien Ferreira

    Director of Sales, Federal and Eastern Canada

  • Forward-Looking Statements

    During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

    The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

    Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.

    THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.

  • Cyber Criminals, Malicious Insiders, Nation States

  • Advanced Threats Are Hard To Find

    Cyber Criminals, Nation States, Insider Threats

    100%: Valid credentials were used

    40: Average # of systems accessed

    229: Median # of days before detection

    67%: Of victims were notified by an external entity

    Source: Mandiant M-Trends Report 2012/2013/2014

  • Advanced Threats are Hard to Find

    Attack Approach (Threat): Human directed; Goal-oriented; Dynamic (adjust to changes); Coordinated; Multiple tools & activities; New evasion techniques

    Security Approach (Technology, People, Process): Fusion of people, process & technology; Contextual and behavioral; Rapid learning and response; Share info & collaborate; Analyze all data for relevance; Leverage IOC & Threat Intel

  • Advanced Threats are Hard to Find

    Attack Approach (Threat): Human directed; Goal-oriented; Dynamic (adjust to changes); Coordinated; Multiple tools & activities; New evasion techniques

    Security Approach (Technology, People, Process): Analytics-driven Security; Connecting Data and People; Risk-Based Context and Intelligence

  • Advanced Threats are Hard to Find

    Top Goals:

    Continuously protect the business against: Data Breaches, Malware, Fraud, IP Theft

    Comply with audit requirements

    Provide enterprise visibility

    Top Splunk Benefits:

    70% to 90% improvement with detection and research of events

    70% to 95% reduction in security incident investigation

    10% to 30% reduction in risks associated with data breaches, fraud and IP theft

    70% to 90% reduction in compliance labor

  • Advanced Threats are Hard to Find

    Traditional security data sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

    Other data sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB

  • Solution: Splunk, the Engine for Machine Data

    Custom dashboards; Report and analyze; Monitor and alert; Developer Platform; Ad hoc search

    References: Coded fields, mappings, aliases

    Dynamic information: Stored in non-traditional formats

    Environmental context: Human maintained files, documents

    System/application: Available only using application request

    Intelligence/analytics: Indicators, anomaly, research, white/blacklist

    Real-Time Machine Data: On-Premises, Private Cloud, Public Cloud

    Data sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention

  • Security Intelligence Use Cases: Complement, replace and go beyond traditional SIEMs

    Security & Compliance Reporting

    Real-time Monitoring of Known Threats

    Detecting Unknown Threats

    Fraud Detection

    Insider Threat

    Incident Investigations & Forensics

  • Connect the Data-Dots to See the Whole Story

    Kill chain: Delivery, Exploit, Installation; Gain Trusted Access; Upgrade (escalate); Lateral Movement; Data Gathering; Exfiltration; Persist, Repeat

    Threat Intelligence (Third-party Threat Intel, Open source blacklist, Internal threat intelligence): Attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution

    Network Activity/Security (Firewall, IDS / IPS, Vulnerability scanners, Web Proxy, NetFlow, Network): Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download

    Host Activity/Security (Endpoint (AV/IPS/FW), Malware detection, PCLM, DHCP, OS logs, Patching): What process is running (malicious, abnormal, etc.); process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility

    Auth - User Roles (Active Directory, LDAP, CMDB, Operating System, Database, VPN, AAA, SSO): Access level, privileged users, likelihood of infection, where they might be in the kill chain

  • Start Anywhere, Analyze Up-Down-Across-Backwards-Forward

    Kill chain: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission

    Delivery vectors shown: phishing (Email); download from infected site (Web)

    Data used at each step: Threat Intelligence Data, Host or ETDR Data, Web or Firewall Data

    Data layers: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security (same sources as on the preceding slide)

  • Security Ecosystem for Coverage and Protection

    Data layers: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security

    Kill chain: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission

  • Limitations of Existing SIEMs

    Limited view of security threats. Difficult to collect non-security data; costly, custom collectors; data store schema

    Inflexible search/reporting hampers investigations and threat detection

    Scale/speed issues impede ability to do big data analytics

    Difficult to deploy and manage; often multiple products

  • Splunk Key Differentiators vs Traditional SIEMs

    Single product, UI, data store

    Software-only; install on commodity hardware

    Quick deployment + ease-of-use = fast time-to-value

    Can index any data type

    All original/raw data indexed and searchable

    Big data architecture enables scale and speed

    Flexible search and reporting enables better/faster threat investigations and detection

    Open platform with API, SDKs, Apps

    Use cases beyond security/compliance

  • Enterprise Security: Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.

    Dashboards & Reports I