SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

© 2017 SPLUNK INC.
Building the Analytics-Driven SOC
James Hanlon, Security Markets Specialist, EMEA
Johan Bjerke, Security Staff Engineer, UK
MAY 11, 2017 | LONDON

© 2017 SPLUNK INC.
1. A look at traditional security operations
2. Security operations emerging trends
3. How to use Splunk for an Analytics-
Driven SOC
Agenda

© 2017 SPLUNK INC.
Traditional Security
Operations

© 2017 SPLUNK INC.
A SOC By Any Other Name…
▶ Security Analytics Center
▶ Cyber Fusion Center
▶ Cyber Defense Center
▶ Threat Defense Center
▶ Detection and Response
Teams
A centralized unit that deals with
security on an organizational &
technical level
Security
Operations
Center
(SOC)
Cyber
Defense
Center
(CDC)
A team composed primarily of security
analysts organized to detect, analyze,
respond to, report on, and prevent
cybersecurity incidents

© 2017 SPLUNK INC.
“A perception of the SOC as a
big alert pipeline is outdated
and does not allow the
organization to make use of
more active processes such
as internal Threat Intelligence
generation and Threat
Hunting.”
– [1] Anton Chuvakin
https://www.gartner.com/doc/3479617
Traditional SOC
Alert Pipeline?

© 2017 SPLUNK INC.
Hybrid
OutsourceInsource
Types of Traditional SOCs…
10 Strategies of a World Class Cybersecurity Operations Center, Mitre 2014
Virtual
Small
Large
Tiered
National
Choices?

© 2017 SPLUNK INC.
Should or Can I build a SOC?
▶ Objectives & Business Alignment
▶ Motivation >> Cost
▶ Industry Guidance
▶ Data Visibility
▶ Staff Acquisition & Retention
▶ Sourcing Models
▶ Automation & Efficiency
▶ Service Catalogue Expansion
Challenges of traditional Security Operations
Security
Operations
Objectives &
Business
Alignment
Cost
Industry
Guidance
Data
Visibility
Staffing
Sourcing
Models
Automation
& Efficiency
Service
Catalogue
Expansion

© 2017 SPLUNK INC.
Many how-to guides…but little prescriptive guidance

© 2017 SPLUNK INC.
The Critical Challenge: Balancing Security Priorities & Business
Alignment
Security Operations: only part of the bigger picture…
Security
Architecture
Risk and
Compliance
Security
Engineering
Security
Operations
Includes SOC
https://www.sans.org/security-resources/posters/leadership/security-leadership-
poster-135

© 2017 SPLUNK INC.
Emerging Trends in
Security Operations

© 2017 SPLUNK INC.
To meet the challenges of the new "detection
and response" paradigm, an intelligence-
driven SOC also needs to move beyond
traditional defenses, with an adaptive
architecture and context-aware components.
To support these required changes in
information security programs, the traditional
SOC must evolve to become the intelligence-
driven SOC (ISOC) with automation and
orchestration of SOC processes being a
key enabler.
Gartner, 2016
The desire for a better SOC is clear..
http://www.gartner.com/newsroom/id/3347717
Splunk EMEA CISO SOC RoundTable
 Know what your SOC needs to
achieve!
 Align to business!
 Build business support
 Build a strategic roadmap
 Address people challenges and
cost strategies early
 Define data sources for SOC
insights
 Select technology wisely
Splunk CISO’s, 2016

© 2017 SPLUNK INC.
Three Interrelated Components of Security
Process
PeopleTechnology
[2017 FOCUS]
[2017 FOCUS]
[Automation & Analytics is the Driving Force]

© 2017 SPLUNK INC.
1. Threat Monitoring
2. Incident Investigation
3. Incident Response
Defining the
SOC Service
Catalogue
“What do you
need to achieve?”
4. Operational Reporting
5. Business Reporting!
Mapping the Service Catalogue
Splunk SOC Optimisation Workshop

© 2017 SPLUNK INC.
Example Documented Service Catalogue
Services Catalogue
● Announcements &
advisories
● Alerts & warnings
● Incident response,
support & analysis
● Artefact analysis
● Cyber threat intelligence
● IDS & log management
● Vulnerability assessment

© 2017 SPLUNK INC.
▶ Tier-1Triage
▶ Off hours
▶ Tool Engineering
▶ Outside Help With Specialties
• Reverse Engineering
• Forensics
• Advanced IR
• Red/Purple teaming
Hybrid Models (i.e. Int SOC platform + MSS) are
becoming more common

© 2017 SPLUNK INC.
▶ Big Data Log Platform (BLDP)
▶ User Behavior Analytics (UBA)
▶ Threat intelligence (TI)
(consumption, creation & sharing)
▶ Threat Hunting (TH)
▶ Threat & Vulnerability Management
(TVM)
▶ Security Incident Response (SIR)
▶ Security Operations Automation (SOA)
New Automation & Tooling Opportunities in the SOC
Security
Operations
Big Data Log
Platform
(BDLP)
User Behavior
Analytics
(UBA)
Threat
intelligence
(TI)
Threat
Hunting (TH)
Threat &
Vulnerability
Management
(TVM)
Security
Incident
Response
(SIR)
Security
Operations
Automation
(SOA)

© 2017 SPLUNK INC.
… effort by analysts who purposely set out
to identify and counteract adversaries that
may already be in the environment.
https://www.sans.org/reading-room/whitepapers/analyst/
who-what-where-when-effective-threat-hunting-36785
“Threat Hunting”

© 2017 SPLUNK INC.
▶ Start with a hypothesis that considers:
• Situational Awareness (often crown jewels focused)
• Threat Intelligence
• Domain experience
• Best Results > all 3!
▶ Requires lots of data
▶ Flexible platform to ask/answer questions
▶ Process Automation
▶ Data science / ML / Analytics increasingly used
How are SOC Teams Hunting?
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

© 2017 SPLUNK INC.
SOC Persona
Responsible for the operations, technology, team and leadership
Responsible for
the technology,
product, upgrades
SIEM Admin,
Tools Engineer
Security
Analyst
Hunter, Incident
Responder
SecOps / SOC
Manager / Director
CISO / Head
InfoSec
Responsible for
investigating alerts,
incidents and triage
Responsible for SOC
process, initiatives,
often budget
Proactively/reactively
hunts for threats.
Head or Exec of
Info Security,
Security
Considerations:
Hiring &
Retention
Shift Rotations
& Coverage
Skills
Development
Business
Engagement

© 2017 SPLUNK INC.
Calculating
the Staff
Requirements
& Costs
Mapping the Staffing Requirements & Costs
Splunk SOC Optimisation Workshop

© 2017 SPLUNK INC.
✓ Fast data onboarding
✓ Any data source
✓ Easy correlation
✓ Automation / integration
✓ Performant and scalable
✓ Full fidelity
✓ Retention and integrity
✓ Normalized
✓ Enables Hunting
✓ Forensic investigation
✓ Alerting
✓ User access controls
✓ Flexible Visualization
✓ Advanced Analytics (ML?)
Critical Characteristics for Log Data Platforms

© 2017 SPLUNK INC.
1. Assets and Identities
2. Threat intel
3. Firewall
4. Network metadata
5. Authentication
6. Server (Windows / Linux)
7. Endpoint
8. IDS / IPS
9. VPN
10.Application
11.Vulnerability
Common SOC
Data Sources
Mapping the Data source Requirements
Splunk Security Data Source Assessment

© 2017 SPLUNK INC.
Challenges to building you own custom cyber data lake:
▶ Dirty data
▶ Debugging custom big data collectors
▶ Accessing data
▶ Little value beyond collection
▶ Little value beyond keyword searching
▶ Little threat detection value
▶ Ability to find, retain & integrate skills needed
Build your own custom cyber security data lake?
http://blogs.gartner.com/anton-chuvakin/2017/04/11/why-your-security-data-lake-project-will-fail/

© 2017 SPLUNK INC.
Splunk for
Analytics-Driven SOC

© 2017 SPLUNK INC.
1. Select the right sourcing strategy
2. Adopt an adaptive security architecture
3. Optimise threat intelligence management
4. Deploy advanced analytics
5. Proactive investigation & threat hunting
6. Promote security automation & human efficiency
7. Drive Enterprise ‘Not Just’ Security Insights
“7 Enablers”
of the
Analytics
Driven SOC

© 2017 SPLUNK INC.
Splunk as the Nerve Center
Identity and
Access
Internal Network
Security
Endpoints
OrchestrationWAF & App
Security
Threat
Intelligence
Network
Web Proxy
Firewall

© 2017 SPLUNK INC.
Splunk Security Portfolio
• Risky behavior detection
• Advanced attacks & insider
• Entity & kill chain profiling
Enterprise Security
Response
• Security analytics (SOC)
platform
• Incident response workflow
• Adaptive response
• OOB key security metrics
Splunk Enterprise
Detection
Realm of
Known
Human-driven
Splunk Security
Essentials/UBA
Detection
Realm of
Unknown
ML-driven
• Any data log aggregation
• Rules, statistics, correlation
• Search, visualize & hunt

© 2017 SPLUNK INC.
Splunk Enterprise Security
A collection of orchestration frameworks for SOC Operations
NOTABLE
EVENT
THREAT
INTELLIGENCE
ASSET AND
IDENTITY
CORRELATION
ADAPTIVE
RESPONSE
RISK
ANALYSIS
Platform for Operational Intelligence

© 2017 SPLUNK INC.
A Recipe for the Security Analytics Driven SOC
Event Aggregation
Incident Creation
Investigation &
Response Investigative
Platform
▶ Flexible Analyst Visualisation
▶ Provide automation with security
solutions & tooling
▶ Security operations orchestration &
threat hunting
Simple
Detection
▶ Rules & Statistics
▶ Quick development
▶ Easy for analysts
Advanced
Detection
▶ Detect unknown
▶ New vectors
▶ Machine learning
Event
Management
▶ Fast data onboarding
▶ Manage High Volume
▶ Track Entity Relationships
Alert Management
Incident Contextualization (Enrichment)
Decrease MTTR

© 2017 SPLUNK INC.
1. Select an Appropriate SOC Sourcing Strategy
1 2 3 4
On Premise Cloud Only Hybrid
Spilt
Technology
& SOC Provider
Model
▶ To Prevent, Detect, Respond and Predict

© 2017 SPLUNK INC.
Customer
▶ UK’s largest building and construction supplier
▶ 20+ business units in group & 27,0000 employees
Challenges
▶ Failed previous SIEM project
▶ Complex mix of legacy on premise and cloud solutions
▶ Difficult ingesting data sources for visibility
▶ Limited security personnel
Customer Solution: Splunk Enterprise & Splunk Enterprise Security)
▶ Fast time from data ingestion to obtaining security insight
▶ Splunk Cloud removes pain from managing host infrastructure
▶ Intrinsic Splunk ES risk scoring has been pivotal in multiple cyber incidents
▶ Architecture design now serving non security use cases (IT Event Monitoring)
RETAIL
Building a Lean ‘Cloud’ SOC
Splunk Security:
Fast
Time to
Value

© 2017 SPLUNK INC.
▶ Correlation across all security relevant data
▶ Insights from existing security architectures
▶ Advanced analytics techniques such as machine learning
2. Adopt an Adaptive Security Architecture
To Prevent, Detect, Respond and Predict
1,000+ Apps
and Add-ons
Splunk Security
Solutions

© 2017 SPLUNK INC.
▶ Automatically collect,
aggregate and de-duplicate
threat feeds from a broad
set of sources
▶ Support for STIX/TAXII,
OpenIOC, Facebook
▶ Build your own data to
create your own Threat Intel
▶ Out of the box Activity and
Artifact dashboards
3. Threat Intelligence – ES Threat Intel Framework
▶ Determine impact
on network, assets
▶ Use for analysis / IR
▶ Collect / provide
forensics
▶ Use to hunt /
uncover / link events
▶ Share info with
partners
Law Enforcement
Feeds
ISAC
Feeds
Agency Feed
Commercial Service
Community Feed
Open-Source
Feed
Other Enrichment
Services

© 2017 SPLUNK INC.
Customer
▶ EU Intuitions own Computer Emergency Response Team (CERT)
▶ Supports 60 organizations across Europe supporting 100,000 end users
Challenges
▶ Ingestion from many sources
▶ Constituents: very high value targets
▶ Complex decentralized, heterogeneous environment
▶ Need to correlate everything with everything: file-less lateral movements,
bypassing protection layers, phishing attacks
Customer Solution: Splunk Enterprise
▶ Provides common language and conventions to control all data (CIM)
▶ Drives time saving & reduces human error while increased visibility
▶ Enables any data & intelligence correlation. Easily integrates with custom
security tooling via open API’s
▶ Two tier architecture with end users in control of their data
GOVERNMENT
Enabling EU Cyber Response
Splunk Security:
Trusted
vhttps://de.slideshare.net/Splunk/splunk-live-utrecht-2016-cert-eu

© 2017 SPLUNK INC.
Demo:
Proactively Managing Threat Intelligence
[Splunk Enterprise Security Threat Intelligence Management]

• Accelerate anomaly and unknown threat detection – minimize attacks & insider threat
• Use Splunk Security Essentials App – FOC App with 55+ UBA use cases
• Premium Machine learning solution – Splunk User Behavior Analytics
– Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM
4. Deploy Advanced Analytics – Native ML and UBA
To Prevent, Detect, Respond and Predict:
Security Essentials App UBA Premium Solution Premium Solution Integration

© 2017 SPLUNK INC.
5. Proactive Investigation & Threat Hunting
Enrichment Automation
Search &
Visualization
Hypotheses
Automated
Analytics
Data Science
and Machine
Learning
Data and
Intelligence
Enrichment
Data Search
Visualisation
Threat Hunting Enablement
Integrated & out of the box automation tooling from artifact
query, contextual “swim-lane analysis”, anomaly & time series
analysis to advanced data science leveraging machine learning
Threat Hunting Data Enrichment
Enrich data with context and threat-intel across the stack or
time to discern deeper patterns or relationships
Search & Visualize Relationships for Faster Hunting
Search and correlate data while visually fusing results for faster
context, analysis and insight
Ingest & Onboard Any Threat Hunting Machine Data
Source
Enable fast ingestion of any machine data through efficient
indexing, a big data real time architecture and ‘schema on the
read’ technology
DATA
MATURITY

© 2017 SPLUNK INC.
Customer
▶ Third largest retail bank in Switzerland with 3m+ customer
▶ No 1 online payments provider
Challenges
▶ Protecting financial assets & customer is a top priority
▶ Data ingestion and security insight
▶ Highly manual security analysis and reporting
▶ Cultural and organizational barriers to optimal security
Customer Solution: Splunk Enterprise
▶ Risk reduction through E-payment & debit card fraud detection
▶ Increased visibility & security automation for online banking, payment
processing, customer data protection such as phishing attack workflows
FINANCE
Connecting Business & Security at
a Swiss Bank
Splunk Security:
Business
Value https://conf.splunk.com/session/2015/conf2015_PHoffman_PostFinance_UsingSplunkSearchLanguage_HowSplunkConnectsBusiness.pdf

© 2017 SPLUNK INC.
1. Select the right sourcing strategy
2. Adopt an adaptive security architecture
3. Optimise threat intelligence management
4. Deploy advanced analytics
5. Proactive investigation & threat hunting
6. Promote security automation & human
efficiency
7. Drive Enterprise ‘Not Just’ Security Insights
“7 Enablers”
of the
Analytics
Driven SOC

© 2017 SPLUNK INC.
▶ Use rules to automate routine
aspects of detection and investigation
▶ Extract insights from existing security
controls by use of common interface
▶ Take actions with confidence for
faster decisions and response
▶ Automate any process along the
continuous monitoring, response and
analytics cycle
6. Promote Security Automation & Human Efficiency
To Prevent, Detect, Respond and Predict:
Identity and
Access
Internal Network
Security
Endpoints
OrchestrationWAF & App
Security
Threat
Intelligence
Network
Web Proxy
Firewall
+
Splunk Adaptive Response
Alliance

© 2017 SPLUNK INC.
SECURITY & RISK IT OPERATIONS BUSINESS ANALYTICS
SAME DATA
Of theAsking differentDifferent
PEOPLE QUESTIONS
40-70%security data that can be re-used for
additional non security business value
Online Services
SplunkCustomer
ValueExamples
$11m Benefit
Increased revenue from
higher uptime
High Tech
$25m Benefit
Increased revenue from
higher uptime
Oil & Gas
$200m Benefit
Revenues from
Preventing APT’s
Transportation
$1b Benefit
Optimisation with
Sensor Data
7.From Security to Enterprise Data Insights

© 2017 SPLUNK INC.
Customer
▶ Operate in 60 counties with over 45,000 Employees
▶ 29 engineering and project execution centers and 5 fabrication yards
Challenges
▶ Needed to gain operational visibility into distributed infrastructure
▶ Unable to meet compliance needs (PCI, ISO27001, SOX, Privacy)
▶ Struggling with governance of IT Operations
▶ Inability to reports holistically across all domains
Customer Solution (Splunk Enterprise)
▶ Real time data insights across Security, ITOps & Application Development
▶ LoB security risk & compliance reporting
▶ SIEM & One ‘dashboard’ to rule them all
▶ IT Operations, application, server reboot, software license utilization
monitoring…
OIL & GAS
Drive Enterprise Insights!
Splunk Security:
Build an
Enterprise
Data Fabric
from Security

Next Step:
Splunk Security Workshops
SIEM+/SOC Readiness, Security Use Case Definition, Security
Data Source Assessment, Security Automation, Security Business
& Risk Visualisation…......
• Scope data sources, use cases and volumes
• Security Analytics & SOC Building
• Adding Machine Learning to SecOps
• Learn how to visualize security success for the
business
• Data privacy & protection
Contact your Splunk representative to find out how to schedule

Threat Activity Dashboard
Splunk Quick Start for Security Analytics & SOC
Rapidly Determine Advanced Malware and Threat Activity
Malware Center Dashboard

© 2017 SPLUNK INC.
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
CONF.SPLUNK.COM
.conf2017: The 8th Annual Splunk Conference

© 2017 SPLUNK INC.
Rate This Session on Pony Poll
ponypoll.com/london17
Complete the survey for
your chance to win a
.conf2017 pass

Learn:
How Travis Perkins built
a SOC in the Cloud
blogs.splunk.com
Learn:
Three Tips from Cisco’s
CSIRT using Splunk
isc2.org
Try it yourself:
Splunk Enterprise Security
in our Sandbox with 50+
Data Sources
splunk.com

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security

Recommended

More Related Content

What's hot (20)

Viewers also liked (19)

Similar to SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security (20)

More from Splunk (20)

Recently uploaded (20)

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Centre using Splunk Enterprise Security