Make Your SOC Work Smarter, Not Harder

Editor's Notes

• #3: Now, before I begin, our Legal team would like me to make sure I share with you this notice regarding forward-looking statements, which I’ll be making some of today during my presentation. But please, be sure to make any purchasing decisions based on the products and the information that are currently and publicly available to the market.
• #4: And for today’s agenda, I’m going to focus on 3 things---and those are how Splunk’s Security Operations Suite helps you: [CLICK] Accelerate your mean time to detect and respond [CLICK] Optimize your security operations, and [CLICK] Scale your resources
• #5: Alrighty, so let’s get started---shall we? Let’s do a quick run through the state of Security Operations Today... 
• #6: Today’s Security Operations Center is under siege. The volume of security alerts is massive, in fact---according to a survey conducted at the 2018 RSA Conference and reported by SC Magazine, 27% of enterprise security teams see more than 1 million alerts per day.
• #7: Here’s how that goes: [ANIMATED SEQUENCE] First, you have your data generating tools, all of which are relevant as sources of possible Security data [CLICK] They all issue an alert when something that matches a known threat is found [CLICK] Your tier-1 analysts go through all of those alerts to determine which ones are real and which ones are false positives [CLICK] Once validated, your tier-2 analysts set a response in motion via any of the very tools that first hinted of the possible issue. [CLICK] But then you end up with a process that doesn’t scale---bombarded by millions of alerts, taxing your Tier-1 Analysts by having them separate the wheat from the chaff to determine which threats are worth spending time on and which ones are simply false positives. Now, you may be saying [CLICK] “that’s why I have a SIEM.” But then your SIEM can’t make sense of all these data types, and false positives can’t be validated---leaving your Tier-1 analysts chasing far too many alerts, many that are complete waste of time. You need a better SIEM. As if that wasn’t unproductive enough, your Tier 2 analysts are additionally taxed, having to manually execute a response to remediate every validated incident. Add to that the fact that the average organization runs over 70 security apps, tools, databases, etc. for all sorts of things, and now your Tier-2 analysts are stuck with a swivel-chair approach to Security where they’re toggling between tabs, windows, and screens, all while wasting precious time that’s delaying their ability to detect and respond to incidents. This also adds to the stress of the role, which only helps increase human error or forces analysts to cut corners. And with every second this process is delayed or shortcut that is taken, your organization is at greater risk. How big of a team do you need in order to investigate, validate, and respond to all of those alerts?
• #8: [ANIMATED SEQUENCE MEANT TO EMPHASIZE ALL THE SKILLS NEEDED] Well, it’s not only how big of a team, but also how seasoned and experienced that team is. You need a bit of of everything as they need to have the security acumen to know what they’re looking for, where to look for it, and how to solve problems when they’re found, but also, soft skills to write effective reports, document processes, make sharp decisions quickly, and a lot more. Finding a single professional with these skills is already difficult... 
• #9: ...finding an entire team of them is nearly impossible. Security professionals are indeed so difficult to find, 3.5 million of them will be sought after in 2021, with little to no success, according to Cybersecurity Ventures’ Cybersecurity Jobs Report from 2017.
• #10: So we know the problem, and I know most of you feel that problem. Now how do we optimize this process?
• #11: Well, we’re seeing a shift in the focus and role for Security Operations Center, where it’s:(1) Going beyond situational awareness, and towards analysis and rapid understanding, decision making, and acting(2) From a passive monitoring approach, to a command center mindset(3) That is less dependent on human-only decisions and processes, and instead, more reliant on a combined human-and-machine learning approach(4) That helps scale the SOC—taking it from human-speed operations to machine-speed execution.A prominent addition I’d like to share is the way organizations are orienting themselves to consider the human trade-off in handling threats, as they reach their limits around investigating, monitoring, analyzing, and acting on them. A sound strategy is to scale the SOC team with technology that can streamline and automate key elements of the response and remediation cycle.These are just some of reasons SOC teams must modernize their security operations to stay ahead of present-day threats.
• #12: At Splunk, we see [CLICK] SIEM and [CLICK] SOAR technologies aiding that move to an optimized SOC, helping scale tier-1 and tier-2 resources, and streamlining the security operations workflow to accelerate detection and response.
• #13: Splunk is uniquely positioned to address your security challenges—to modernize the SOC and to better detect, respond, and most importantly, adapt at machine speed. This is only possible with an approach to security that turns the SOC into a Nerve Center for security. It is driving an industry shift—delivering the innovation required to power a new generation of Security Operations. With Splunk as the nerve center, you can optimize people, process, and technology. Security teams can leverage statistical, visual, behavioral, and exploratory analytics to drive insights, decisions, and actions.All data from the security technology stack can be used to investigate, monitor, analyze and take rapid, coordinated action in a manual, semi-automated, or automated fashion across the entire organization.Splunk also helps you connect disparate technologies together—their data, their insights, their actions—allowing them to share and gain content, and to leverage analytical, machine learning, and automation capabilities. This ultimately helps make better, faster, and more effective decisions across Security, IT Operations, and every other part of the enterprise and take precise action to defend your network and your business.
• #14: And like that, Splunk delivers on the Nerve Center vision with its Security Operations Suite, which features everything a SOC needs to optimize their entire security workflow. I’ll go over each of these components in a bit more detail. 
• #15: Alright so, how it works...
• #16: Most of you are familiar with SIEM, but what’s important to highlight is that not all SIEMs are created equal. At Splunk, we regularly say that “all data is Security relevant.” So a SIEM should be able to derive insight from any type of data from any type of tool. It should be able to ingest volumes of that data, to ensure no activity is flying below the radar of the security organization. This data aggregation and correlation, combined with dashboards that give you a quick snapshot of enterprise activity, help you monitor and understand your security posture---so you can take action if something were to arise, or report on it with confidence. Data and alerts that result in a validated incident become sequenced events after the SIEM takes a closer look at all the activity that took place at the time of that incident or alert. It then connects the dots across all of it to give you a full view of the entire chain of related events, adding depth to your investigation, without wasting time from security analysts who would’ve otherwise had to piece it together manually. Incidents are triaged to help you prioritize those that put your enterprise at greater risk. All the information that is gathered and synthesized for each incident helps you make better decisions regarding the best path to respond and solve incidents. You can trigger those response actions within the application---which we’ll learn more about later on in this presentation.
• #17: Splunk Enterprise Security acts as that SIEM---the market-leading SIEM, to be specific--- which can be augmented by other solutions that I’ll cover in just a bit, to provide: Detailed understanding of your Security Posture and everything that could be putting it at risk, so you can take quick action Fast and flexible investigations, that’ll automatically give you everything you need to make educated decisions as to which actions to take next And unbeatable scalability---and this is a key differentiator for Splunk, where not only you can make sense of any type of data, structured or unstructured, to derive insights from all of it, but you can do so at unprecedented volumes, leaving no stone unturned in the investigation process.
• #18: Adding to the SIEM is a whole new level of threat detection, powered by machine learning---called User and Entity Behavior Analytics. This technology allows you to detect unknown threats---from external actors or insiders---by applying machine learning to the data and learning from it without assistance. So for example, I’ve listed here some of the types of data that can be analyzed, from: Network activity and application activity (like what your patterns are around using an application) Login attempts (and the opposite, failed login attempts, which could indicate someone without credentials is doing login by trial-and-error, or brute force) Removable media (and whether any critical data has been saved onto it) Badge scans (and this is quite specific, but I still wanted to call it out, as it not only tells you who was were when, but also tracks any deviation to someone’s normal clock-in/clock-out patterns) Printer Activity (to see if someone has printed confidential documents) And many more All of that data is baselined---to determine regular patterns of behavior and activity. Baselines are ran across multiple configurable dimensions, starting with the user’s own activity, but also their department’s regular activity and what’s normal and average at that level, or their region’s regular activity, or the entire company’s activity. Those baselines are used to determine outliers, and those outliers are further correlated to see what other activity took place at the time of that outlier, to determine its threat score---based not only on how much that outlier deviates from the baseline, but also on how severe is the activity that’s connected to that outlier. That threat score helps with prioritization, and that information can be used by the SIEM to augment the intelligence it has on other incidents, and to sequence events for additional investigation.
• #19: And that’s exactly what Splunk User Behavior Analytics does. It seamlessly integrates with Splunk Enterprise Security to detect unknown threats and anomalous user behavior. It enhances threat visibility because---unlike threat detection tools that use signatures to detect exact matches of known threats---machine learning helps detect activity without the need for indicators, by simply learning from everything it sees. It also accelerates investigation because, armed with the data from UBA, ES can use the intelligence to quickly arrive at the who, what, where, and when of security incidents. Last, it increases productivity because it automates the stitching of hundreds of anomalies into a single threat to simplify the Tier-1 analyst’s work.
• #20: So you have your SIEM---augmented with machine learning and user behavior analytics---investigating, monitoring, and analyzing incidents, but now you need to act. Now, with Splunk ES you can initiate response actions, but if you want to supercharge that process and tremendously increase the efficiency of your SOC, you need [CLICK] SOAR, which stands for Security Orchestration, Automation, and Response. A SOAR solution is designed to integrate with your security stack to automate a response that it can execute through them. It uses playbooks, which are prescriptive collections of repeatable queries that connect to apps in and out of the SOC and that are run against security event data that flow from the integrated sources, determining along the way if/then response paths, and automatically executing orchestrated actions. That way, the moment the SOAR tool receives an alert or an event from the SIEM, it can trigger a set of actions that can accelerate response to merely seconds. Because the process is automated, the SOAR tool can trigger these responses for pretty much any alert or event that’s sent its way. What could’ve taken an hour or more for a tier-1 analyst to validate and triage, and a tier-2 analyst to respond, a SOAR tool can do in a fraction of that time.
• #21: And that’s what Splunk Phantom is for. What you’re seeing here is a playbook, and the individual actions this playbook is ready to orchestrate the moment the alert is received. Phantom comes with a number of playbooks out of the box, which are programmed to run responses for a variety of threat types and use cases. And creating your own custom playbooks is pretty simple within the tool. Splunk Phantom’s automated approach to IR helps you respond faster, let’s your team and your SOC work smarter---eliminating all that manual, tedious work out of your workflow---and ultimately strengthens your defenses, by responding immediately and reducing the window of possible compromise to only seconds, if at all.
• #22: [ANIMATED SEQUENCE] Now, we know you’ve already invested in various solutions that make up your current security stack and that you want to make sure any new investment can work with what you already have. And not just “work”, but integrate so they make the most out of each other via that integration. That’s why we’ve created the Adaptive Operations Framework---our partner ecosystem. We’ve worked with over 250 vendor apps to support more than 1500 APIs---from firewalls and antivirus tools, endpoint detection and response platforms and malware detection tools, and many more. And we’re constantly adding new tools and APIs to our ecosystem, so this list will keep increasing. Splunk can serve as the connective tissue of your SOC, ingesting the data from these tools and then instructing them to take action. 
• #23: Knowing how important it is to stay on top of the threat landscape to understand the latest trends in malicious activity and hacking tactics, our Security Research team---who keeps a close eye on all of this stuff---has created the Security Content Updates. Content Updates are a free subscription program that allows Splunk customers who have invested in ES, UBA, and/ or Phantom to receive regular security content, in the form of pre-packaged searches, algorithms, dashboards, response playbooks, analytic stories, and much more. These provide actionable intelligence that you can use to add context to your Splunk deployments, ultimately increasing your ability to defend your enterprise. That way, your investments grow with you. You can learn more at Splunkbase.com
• #24: With this move onto more automation, orchestration, and machine learning in the SOC, we see these technologies generating roles in Security Operations, such as the role of the Security Content Developer---tuning logic, creating dashboards and playbooks, and adding context so that the machine can learn better and the automation can be even more effective---and the role of the Automation Engineer, who helps set up the integrations and arrange the orchestration that is automatically triggered via response playbooks.
• #25: [ANIMATED SEQUENCE] And we anticipate that by next year, 90% of tier-1 analysts tasks can be automated with SIEM and SOAR solutions, giving them time they can now spend tuning detection and response logic.
• #26: But it’s not just all about the SOC. Splunk also addresses use cases and functions that typically sit outside of the SOC, like Compliance, Data Privacy, Fraud, and Risk---with Splunk Enterprise, our data platform (and flagship product). Splunk Enterprise is also a key component of the Security Operations Suite. Splunk Enterprise can ingest and index all of your data, regardless of format, and offers you powerful searching capabilities to help you derive insights in just seconds. While the solutions I shared with you before are designed specifically to help you solve Security challenges, Splunk Enterprise is more agnostic in that it can also help you solve IT Operations, IoT, Business Analytics, and challenges of nearly any other nature. It would all be up to the searches you run against your data. So for example, if you’re a data privacy analyst looking to ensure your organization is compliant with regulations such as GDPR or HIPAA, you can run searches in Splunk Enterprise that’ll give you visibility into the type of data that is relevant for a specific regulation, along with every detail about its usage, to help you determine if that use is indeed compliant. Add Splunk Enterprise Security, and you can monitor this type of activity regularly to keep an eye on anything that could be putting you out of compliance.
• #27: So let’s take a look at how these technologies are put to good use by some of our customers.
• #28: The City of Los Angeles is a vast metropolis with critical infrastructure like airports, seaports, and water and power, as well as 35,000 employees and over 100,000 endpoints generating 14 million security events daily.  They have more than 40 departments, each with their own security tools, requiring the city to gather and manually correlate logs from each agency for broad views of its network security. This process was cumbersome, imprecise, and slow to address threats.To protect its digital infrastructure, Los Angeles needed situational awareness of its security posture and threat intelligence for its departments and stakeholders. Since deploying Splunk Enterprise Security, the City of Los Angeles has seen benefits including: Creating a citywide security operations center Obtaining real-time threat intelligence, and Reducing operational costs
• #29: Aflac, a Fortune 500 company, provides insurance protection to more than 50 million people worldwide. Two years ago, they embarked on a mission to build a custom threat intelligence system in response to the rapid increase in security threats—from malware and spear-phishing, to nation-state compromises—targeting its network of 15,000 worldwide employees.  Aflac needed a more robust threat intelligence system to adequately detect and respond to attacks.And so they chose Splunk Enterprise Security to consume, manage, and operationalize threat intelligence data from distributed sources. They augmented it with Splunk User Behavior Analytics, our machine-learning powered solution, to find unknown threats, identify internal threats and anomalous behavior across users, endpoint devices, and applications. Together, Splunk Enterprise Security and Splunk User Behavior Analytics helped Aflac: Block over two million security threats Orchestrate threat intelligence across 20 security technologies Automate threat hunting and 90% of its security metrics process in just two months, and Give security analysts more than 30 hours a month back to focus on proactive security, instead of spending it on manual data collection and reporting. Aflac is a great example of how our customers leveraging the combined power of Splunk Enterprise Security and Splunk User Behavior Analytics to enhance their overall security posture.
• #30: Blackstone, one of the world’s leading investment firms, sees as many as 30-40 malware alerts in a single day, and investigates each malware alert as if a compromise has already occurred---a process that requires 30 to 45 minutes if done manually. Blackstone knew there had to be a better way. They needed a solution that could tie together their existing security products to reduce the response and remediation gap caused by limited resources, a widening attack surface, and a complex technology infrastructure. Blackstone turned to Phantom as their security automation and orchestration solution. After implementing Phantom, Blackstone was able to dramatically reduce the time required to investigate malware alerts, from 45 minutes when done manually, to less than one minute. Automating incident response with Phantom resulted in a number of improvements at Blackstone, ultimately allowing them to spend less time performing tedious, repetitive tasks, and to investigate issues faster, driving consistency to ensure a fast and accurate result.
• #31: Last but not least, we are recognized by analyst firms such as Gartner as the leader in the SIEM space, and have been featured in their Magic Quadrant report for six consecutive years. And our customers have also voted us their designated SIEM solution in 2018 via Gartner’s Peer Insights. //////////////////////////////////// *Gartner and Gartner Peer Insights are trademarks of Gartner Inc. *Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh | Toby Bussa, Dec. 4, 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. *Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.
• #32: Alright---today, we went over how the Splunk Security Operations Suite delivers security analytics, machine learning, and automation capabilities to increase the efficiency of your security teams and reduce your exposure to risk. We also discussed how intelligently streamlined incident detection and response workflows: [CLICK] Accelerate your mean time to detect and respond [CLICK] Optimize your security operations, and [CLICK] Scale your resources