Exploring Frameworks of Splunk Enterprise Security

© 2019 SPLUNK INC.© 2019 SPLUNK INC.
Explore the Frameworks of
Splunk Enterprise Security

© 2019 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Forward-Looking Statements

© 2019 SPLUNK INC.
ANGELO BRANCATO
Security Specialist, EMEA

© 2019 SPLUNK INC.
1. Introduction
2. Splunk as an Analytics-Driven SIEM
3. Frameworks of Enterprise Security
4. Use Cases Enabled by the frameworks
5. Q&A
Agenda

© 2017 SPLUNK INC.
Splunk turns machine data into answers
Network
Servers
DevOps
Users
Cloud Security
Databases
O F T H E
Same Data
D I F F E R E N T
People
A S K I N G D I F F E R E N T
Questions

THREATS
ARE MORE
COMPLEX AND
FAR REACHING
NOT CLOSING
THE SKILLS GAP
SECURITY TO
ENABLE BUSINESS
AND THE MISSION

T I E R 1 A N A LY S T
W O R K W I L L B E
A U T O M AT E D
T I M E N O W S P E N T
T U N I N G D E T E C T I O N
A N D R E S P O N S E
L O G I C
P L AT F O R M F O R
I N V E S T I G AT I O N A N D
T O O R C H E S T R AT E
T H E M A L L
90%
50%
1

© 2018 SPLUNK INC.
Splunk Security Portfolio
DATA
PLATFORM
ANALYTICS OPERATIONS
Platform for Machine Data
Free Security Apps / Content

© 2018 SPLUNK INC.
Splunk Security Portfolio
ANALYTICS
DATA
PLATFORM
OPERATIONS
Platform for Machine Data
Free Security Apps / Content
Investigate,
Forensics,
Hunting
Security &
Compliance
Monitoring
IR, Risk &
Security
Situational
Awareness
SOC Automation
& Orchestration
Reactive
Proactive
Level 1
Level 2
Level 3
Level 4
INVESTIGATE
MONITOR
ANALYZE
ACT

© 2019 SPLUNK INC.
Slow
Investigations
Inability to
Effectively
Ingest Data
Limited
Security Data
Types
Inflexible
Deployment
Options
End-of-Life or
Uncertain
Roadmap
Closed
Ecosystem
Instability and
Scalability
Security Operations Must Change
Legacy SIEM not optimized for today’s security operations

© 2019 SPLUNK INC.
Splunk as Your SIEM
Fully optimized for modern security operations
Fast Flexible
Investigations
Quickly Ingest
Data at
Massive Scale
All Security
Related Data
Cloud, Hybrid
and On-
Premises
Portfolio
includes
SIEM, UEBA,
SOAR
Open
Ecosystem
with 850+
partner
integrations
Petabytes
Scale

© 2019 SPLUNK INC.
Splunk Enterprise Security
Addresses Security Operations Challenges
MONITOR RESPONDDETECTFUNCTIONS INVESTIGATE
Review Determine1 2 3 4Decide Act & AdaptPROCESS
Prioritize incidents
Decide what is most important
to follow up or investigate
SOLUTION Respond in a timely manner
Do each step as fast as possible, with
as little people as possible
Effectively analyze
Each bit of data needs context
and relationship to all others

What Is Enterprise Security?
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response

© 2019 SPLUNK INC.
► Streamline Incident Management
• Consolidated incident management allows
effective lifecycle management of security
incidents.
► Make Rapid Decisions
• Automatically aligns all security context
together for fast incident qualification and
provides predefined analysis paths.
► Refine Security Management
• Investigation management and
customizations to support complex process
integration requirements.
Workflow for Streamlined Incident Management
Handle Security Incidents – Notable Events Framework
Discovery to remediation

© 2019 SPLUNK INC.
► Use for Security Operations
• “Application” logics are pre-built on top of Splunk
Enterprise as data platform.
• Provide graphically oriented user experience
supporting the security operations workflow.
► Intuitive User Interface Optimized for
Security Operations
• Security operational tasks designed into user
interface versus search bar interface.
• Key relevant information automatically presented as
summary of incident.
Notable Events and Incident Review
MONITOR RESPONDDETECTFUNCTIONS INVESTIGATE

© 2019 SPLUNK INC.
Overall Incident Status and Control
• Provides central workflow management for all security incidents
• Search / Filter / Zoom into incidents or timeframe
• Monitor new and changing incident status
• Field oriented search/filtering on the most common investigation fields
Benefits:
• Integrated / consolidated incident management
• Simple and fast understanding of all incidents in the network
SEARCH AND NAVIGATION INTERFACE
INCIDENT REVIEW INTERFACE

© 2019 SPLUNK INC.
Notable events provide alerting framework tuned to the corporation
• Information dense display provide contextual information for rapid analyst understanding of threat
information
• Incident management and workflow including status, owner, triggering security domains
• Important fields are displayed and incident and field pivot actions provide contextual “investigation”
Benefits:
• Optimize triage to evidence gathering to incident investigation
• Rapid understanding of threats in the environment
CONSOLIDATED INCIDENT MANAGEMENT INTERFACE

© 2019 SPLUNK INC.
1Risk-based
security
Fast Incident Review and Investigation
List of installed / imported
Contents
Incidents that match correlation rule – important events within your
environment
1
Workflow Process 1: Event Overview
• The result of matching correlations searches executed, shows type
of rule, domain, urgency, status, owner
• Provides information to clear status of activities in the network

© 2019 SPLUNK INC.
1Risk-based
security
Contents
Incident Context - Identity, Asset,
..
2
Workflow Process 2: Incident Context
• Automated / customizable incident context correlations, aligns all
relevant context information to an incident
• Provides fast situational understanding of an incident

© 2019 SPLUNK INC.
Analysis Actions : set of actions are linked to each
field/value
3
Workflow Process 3: Analysis Actions
• Ability to deep dive into different pre-defined domain analysis for a
specific entity in an incident
• Provides most logical analysis options for deeper insights

© 2019 SPLUNK INC.
1Risk-based
security
Contents
Actions available for all
incidents4
Workflow Process 4: Remediation Actions
• Customizable incident remediation actions to manage the state of
incident or further extend the process to other features / systems
• Provides ability to associate desired remediation actions

© 2017 SPLUNK INC.
Notable Event Framework
https://dev.splunk.com/view/enterprise-security/SP-CAAAFA9

© 2019 SPLUNK INC.
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response

© 2019 SPLUNK INC.
Asset and Identity Framework
Automatically maps asset and identity context to incidents
ASSET RESOLUTION
- Which?
- Function
- Owner
- Location
- Impact
IDENTITY RESOLUTION
- By who?
- Role
- From?
- Privilege
- Source IP : PC from remote office
- Target server :
- PCI Zone Database
- Belongs to ecommerce team
- Web mart database
- Source IP User :
- Bill Williams, VP of Finance
- Pleasanton office
- No recent Windows patch
Identity
Info Mapped
Asset Info
Mapped ▶ Fast Incident Qualification
• By automating context enrichment,
SecOps can qualify more incidents
quickly
▶ Extended Situation Based
Insights
• Rich enrichment allows more accurate
assessment of situational aspect of
incidents

© 2019 SPLUNK INC.
Asset / Identity resolutions
• Translate related asset (Host function, name, location, subnet) and
user (ID, User name, location) to details for qualification
Benefits :
• Prioritize incidents by understand the importance of asset / ID as well
as situational awareness related to the asset
Other security / vulnerability lookups
• Status on various context enrichment data sources
- Vulnerability Information
- Patch Status
- Other various customizable lookups from other sources
Enriched security context / What? Where? Who? How?
SECURITY ENRICHED CONTEXT
Correlations search match details
• Detailed descriptions of the event, customizable for recommendation

© 2019 SPLUNK INC.
Asset and Identity Framework : Asset Database
ASSET Database Synchronize and merge asset DB (CMDB, API, Ext DB)

© 2019 SPLUNK INC.
Asset and Identity Framework : Identity Database
IDENTITY Database Synchronize with HR / LDAP/ AD / User DB

© 2019 SPLUNK INC.
Asset and Identity Framework : Enrichment
Expand Enrichment Unlimited expansion to enrich any information to incident

© 2019 SPLUNK INC.
Representative list of Assets and Identities
CMDB
Sophos

© 2019 SPLUNK INC.
Asset and Identity Framework
https://dev.splunk.com/view/enterprise-security/SP-CAAAFBB

© 2019 SPLUNK INC.
► Expose Risk Factors to Analysts
• Rationalize and analyze behaviors and
relationships across all data.
• Investigate risk factors to anticipate threats and
prevent future threats.
► Prioritize/Decide Based on Risk
• Transparent evidence translate to quantitative
numbers.
• Ability map scores to different objects including
events and aggregate based on a criteria.
(Functions, Business units, Physical business
location, etc.)
Risk Framework
Quantitative metrics are applied to distinguish importance
+80
Asset Identity
Other
Attributes
TOTAL
RISK SCORE
Occurrence of
matching correlations
searches

© 2019 SPLUNK INC.
Risk Attribution
Using a Summary Index or ES Risk Index
RiskRule-AnomalousLogin
RiskRule-ThreatIntelIOC
RiskRule-MalwareDetection
RiskRule-IDSRecon
RiskRule-IDSAttack
RiskRule-FirstTimeSeenDomain
RiskRule-LongPowershell
RiskRule-EncryptedPowershell
RiskRule-EndPointAV
RiskRule-#10
.
.
.
.
RiskRule-#150
Risk Index
RiskIncidentRule-HighCompositeRiskScore
RiskIncidentRule-Multiple RiskRulesSinglePhase
RiskIncidentRule-MultipleATT&CKPhases
.
.
.
.
Risk Driven Alert
Notable Event in ES

© 2019 SPLUNK INC.
Risk Change Postures : Snapshot of overall posture changes
Risk Change Trends : Overall risk score change trends
Risk Objects / Incident types Status :
Individual risk object status, object being either “system”, “users”,
“Incidents”
Recent Risk Modifiers :
Detailed events including the risk scores and associated risk
object
Risk Analysis Dashboard

© 2019 SPLUNK INC.
Risk Analysis With Incident Review
Adds Context…
Risk score displayed
in Incident Review
Risk score displayed
in incident review

© 2019 SPLUNK INC.
Risk Framework
https://dev.splunk.com/view/enterprise-security/SP-CAAAFBD

© 2019 SPLUNK INC.
Threat Intelligence Framework
Finding hidden IOCs using comprehensive threat intelligence mappings
• Multiple
sources
• Multiple
transmission
types
• Multiple
transports
• Multiple data
formats
INTEL SOURCES
1. IP
2. Emails
3. URLs
4. Files names/
hashes
5. Processes
names
6. Services
7. Registry entries
8. X509
Certificates
9. Users
CATEGORIZE
Index, Extract,
Categorize
Manage / Audit
threat sources
• List status
• List mgmt.
• List location
COLLECT MANAGE
Data Management
SEARCH
Ad-hoc search,
analyze,
investigate,
prioritize
Data Search
CORRELATE
Match all IOCs in
existing log data
Generate alert for
any matches
KSI and trends
Security Dashboard
Correlation Data /
Notable Events

© 2019 SPLUNK INC.
Threat Intel Support
Threat collection Supported IOC data types Local lookup file
certificate_intel X509 Certificates Local Certificate Intel
email_intel Email Local Email Intel
file_intel File names or hashes Local File Intel
http_intel URLs Local HTTP Intel
ip_intel
IP addresses Local IP Intel
domains Local Domain Intel
process_intel Processes Local Process Intel
registry_intel Registry entries Local Registry Intel
service_intel Services Local Service Intel
user_intel Users Local User Intel

© 2019 SPLUNK INC.
Threat intelligence source management
Manage various threat intelligence in a simple configuration framework. Fine tuning
the accuracy and relevancy by prioritizing higher importance of intel be applied.
Detailed Threat Update Setup
Provides management interface to easily
define / download / update / apply
Configure Threat Intel

© 2019 SPLUNK INC.
Threat intel Source lookups
• ES data is mapped with detailed Threat source that
indicate potential IOCs
• Threat match provide information on the type of
threat activities
Threat Intel Details
• Detailed description of matching ES Threat Incident
• Provide immediate detailed information about the
detected activity
Contributing Event
Raw data source that supports the event as evidence to events
Threat Intelligence in Incident Review

© 2019 SPLUNK INC.
Threat intel indicator overview
Shows overall posture of threat activities
to understand quickly the changes in the
detected threat activities status.
Threat intel trending overview
Shows trend changes of threat activities including the changes in the type of threats.
Detailed threat type activities
Shows detailed active threat types and associated assets to
understand, what kind of threats are active in network.
Active threat sources
Shows how different threat sources are active to understand
and calibrate threat intel enhancements.
THREAT ACTIVITY

© 2019 SPLUNK INC.
Threat Intelligence Framework
https://dev.splunk.com/view/enterprise-security/SP-CAAAFBC

© 2019 SPLUNK INC.
. Access Protection – show analytic story – detection searches
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response

© 2019 SPLUNK INC.
Use Case Library
Faster Detection and Incident Response
Discover new use cases and
determine which ones can be used
within your environment right away
Create, curate, install, and manage
content, Analytic Stories and third-party
created content

© 2019 SPLUNK INC.
Splunk as the Security Nerve Center
Endpoints
Threat
Intelligence
Network
Web Proxy
Firewall
Identity and Access
WAF and
App Security
Cloud
Security
Mobile
ORCHESTRATION
ANALYTICS
Mission:
Deeper integrations
across the best security
technologies to help
combat advanced
attacks together
Approach:
Gather / analyze, share,
take action based on
end-to-end context,
across security domains

© 2019 SPLUNK INC.
Adaptive Response Framework
https://dev.splunk.com/view/enterprise-security/SP-CAAAFBE

© 2019 SPLUNK INC.
▶ Stay ahead of compliance mandates
▶ Quickly gain real-time posture and insights across all
IT resources and security controls to clear compliance
▶ Pass audits with minimal effort, regardless of mandate
or regulatory framework.
Compliance
▶ Real-time state of risk, alerts, and compliance
▶ Full and continuous monitoring of critical assets
▶ Full visibility into vulnerabilities, asset/devices, context of
threats and alerting
▶ Don't miss a thing with continuous and automated security
monitoring that lets you respond 24/7
Security Monitoring

© 2019 SPLUNK INC.
▶ Detect compromised hosts and users
▶ Find activities associated with accounts and attackers
involved in attacks
▶ Determine scope of user activities
▶ Find indicators and artifacts associated with
compromised user hosts
Advanced Threat Detection
▶ Identify real incidents and full-scope
▶ Gain investigation capability across all security relevant
data
▶ Get context from popular Enterprise SaaS apps,
correlate across SaaS and on-premises sources
▶ Gain thorough understanding on options to
remediate a breach
Incident Investigation, Forensics

© 2019 SPLUNK INC.
► Shorten investigation cycles - prioritize, confirm and
take actions on higher priority threat.
► Use Investigation Workbench to investigate notable
events that may represent a threat
► Leverage integration with existing capabilities -
collaborate and track the investigation
► Quickly launch a response to critical incidents
Incident Response
► Centrally automate retrieval, sharing and response
actions resulting in improved detection, investigation and
remediation times
► Improve operational efficiency using workflow-based
context with automated and human-assisted decisions
► Extract new insight by leveraging context, sharing data
and taking automated actions between ES and partners
using Adaptive Response
SOC Automation

© 2019 SPLUNK INC.
1. Use the Analytics-Driven SIEM to handle
your security operations challenges
2. Use the Frameworks of Enterprise
Security to solve your use cases
3. To schedule a hands-on workshop
contact your sales executive
Key Takeways

Exploring Frameworks of Splunk Enterprise Security

Recommended

More Related Content

What's hot (20)

Similar to Exploring Frameworks of Splunk Enterprise Security (20)

More from Splunk (20)

Recently uploaded (20)

Exploring Frameworks of Splunk Enterprise Security