Copyright © 2014 Splunk Inc.
Monzy Merza Minister of Defense, Splunk, Inc.
Operationalizing Advanced Threat Defense
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
• The advanced threat actors and their success
• An approach to combat advanced threat actors
• Productionizing and operationalizing advanced threat defense
• Demo
• Q&A
The Adversary’s M.O.: Kill Chain
• Reconnaissance: The adversary works to understand your organization, looking for opportunities
• Exploitation: Your system is compromised and the adversary goes to work
• Acting on Intent: The attacker steals data, disrupts your operations or causes damage…

Traditional Security Strategy
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication
Connect the Dots Across All Data
• Servers
• Storage
• Desktops
• Email
• Web
• Transaction Records
• Network Flows
• Hypervisor
• Custom Apps
• Physical Access
• Badges
• Threat Intelligence
• Mobile
• CMDB
• DHCP/DNS
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication
[Figure: Security Intelligence platform, built up across several slides. Data sources shown: Online Services, Web Services, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, Firewall, Authentication, Threat Intelligence, Servers, Endpoint. Layers added in turn: Raw Events; context from Threat Intelligence, Asset & CMDB, Employee Info, Data Stores and Applications; and the capabilities Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search.]
What’s New in ES 3.1
Risk-based analytics
• Risk Scoring Framework
• KSI/KPI/KRI Editing
• Contributing Factors Analysis
Visualize and discover relationships
• GUI Editing of Swimlanes
• Guided Search Builder
Enrich security analysis with threat intelligence
• Domain and URL threat intel
• Aggregation and Deduplication
• Threat Intel Source Weights
[Figure: Security Intelligence platform diagram repeated with a Developer Platform layer added on top of the capabilities (Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search), the context sources (Threat Intelligence, Asset & CMDB, Employee Info, Data Stores, Applications) and the same data sources listed above.]
Industry Recognition
2012
2013
This research note is restricted to the personal use of [email protected]

Table 2. Product/Service Rating on Critical Capabilities (rows: vendors; columns: capabilities)
Key: RTM = Real-Time Monitoring, TI = Threat Intelligence, BP = Behavior Profiling, DUM = Data and User Monitoring, AM = Application Monitoring, AN = Analytics, LMR = Log Management and Reporting, DSS = Deployment/Support Simplicity

Vendor                       RTM   TI    BP    DUM   AM    AN    LMR   DSS
AccelOps                     3.50  3.00  2.50  2.97  2.90  2.44  2.75  3.50
AlienVault                   3.00  3.50  3.50  2.43  3.65  3.19  3.00  4.00
BlackStratus                 3.00  2.50  2.50  2.16  2.90  2.94  2.50  3.00
EventTracker                 2.9   1.5   2.8   3.2   3.2   2.9   3.4   4.3
HP (ArcSight)                4.1   4.0   4.0   4.2   4.5   3.8   4.0   3.7
IBM Security (QRadar)        4.0   4.0   4.5   3.8   4.3   3.7   3.8   4.3
LogRhythm                    3.75  3.25  3.38  3.41  4.10  3.30  3.75  4.25
McAfee (ESM)                 3.75  4.00  3.50  4.44  4.20  3.59  3.25  4.00
NetIQ                        3.90  1.50  3.25  3.56  3.40  2.44  3.63  3.50
EMC (RSA)                    3.3   4.0   3.0   3.5   4.0   3.3   3.1   2.0
SolarWinds                   3.00  3.00  2.50  3.38  2.90  2.44  3.25  4.40
Splunk                       3.7   3.5   3.6   3.3   4.3   3.8   4.0   3.4
Tenable Network Security     2.0   1.5   2.5   2.1   2.8   2.1   2.5   2.8
Tibco Software (LogLogic)    1.50  1.00  3.00  2.44  2.60  1.63  4.00  3.25
Trustwave                    3.00  3.65  3.25  3.28  3.10  3.13  3.25  2.50

Source: Gartner (June 2014), research note G00261642 (page 32 of 37)
Enterprise Security Office Hours @Room 103
• Best Kept Secrets of Enterprise Security - Dimitri McKay
• Automated Mitigation With Enterprise Security - Jose Hernandez
• Enterprise Security @Apps Showcase
• CPE, CISSP Credits For Security Talks

• Security office hours: 11:00 AM – 2:00 PM @Room 103, every day. Geek out, share ideas with Enterprise Security developers.
• Red Team / Blue Team - Challenge your skills and learn new tricks. Mon-Wed: 3:00 PM – 6:00 PM @Splunk Community Lounge; Thurs: 11:00 AM – 2:00 PM. Learn, share and hack.
• Birds of a feather - Collaborate and brainstorm with security ninjas. Thurs: 12:00 PM – 1:00 PM @Meal Room.

THANK YOU!!! [email protected]