Virtual Gov Day - Security Breakout - Deloitte

Editor's Notes

• #2: Glenn – can you please update your title and add anyone else presenting with you?
• #8: You can add as many screen shots as you like – this is where you’d discuss your specific use case(s)
• #13: The number of threats is increasing and also becoming more advanced. Today’s advanced threats are stealthy and sophisticated and evade detection from traditional, point security products that look for specific threat signatures. Above are 3 types of advanced threats. They are good at stealing confidential data, whether it be credit cards or IP, and many of their victims unfortunately end up in the headlines. Cyber criminals include the credit card theft at Target and Neiman Marcus. Nation state attacks include Iran and China attacking governments and private sector companies to steal intellectual property and/or national secrets. FYI these advanced threats are also commonly called APTs, or Advanced Persistent Threats. APT are hard to detect because they are not signature-based and hide behind legitimate credentialed activity to evade detection from traditional, point security products. Every year companies like Mandiant produce reports that describe the trends identified based on the breach investigation work that they do as part of their consulting practices. There are a couple metrics that I found interesting reading their recent reports. 100% is often via stealing password hashes or using keyloggers. Often they steal admin-level credentials so they can access many other systems and not be detected. The 40 implies that even if you see malware in one place, you need to look much further as there are likely multiple infected machines and backdoors 243 days shows how they can evade detection for months at a time. They move slow and low and do not set off alarms from point, signature-based security products like anti-malware solutions. 63% of victims were notified by an external entity. Notification usually starts with customer complaints like bank account drained or credit card maxed out. Often FBI informs them.
• #17: Concept is that NEW analysis is required – beyond simple event correlation – this is why SIEMs are not solving the problem – the requires have changed Phase, location, etc. – speak to additional attributes are required to both understand and to defend against attacks Data inclusion – core splunk message – don’t filter/tune out noise/false positive, look at all data, collect so it’s available when needed Multiple/dynamic relationships – the event chain and bits of any attack are scattered, and cannot be detected using pre-defined correlation rules – example of multiple login failure with success and then access to internal resources – great for gaining an advantage, but then what happens when they download additional malware – how does static correlation rules help find the new malware, or how does it look for potential data that is accessed/stolen. Detect attackers – main concept is there is an attacker directing the malware (once internal access is established via valid credentials, therefore the attacker must be deduced from activities associated with normal activities from those trusted credentials) - once the malware is delivered, the additional attack tools and activities will not be “attacks” anymore, then are activities of the attacker Hay in a haystack – needle is a different object from hay – but now, since trusted credential are used, and often in normal, good traffic – the analysis is to look for particular attributes and characteristics of the hay to determine good/bad – this applies to concepts like insider threat is an insider with access (account privileges, etc.), and fraud uses good access (credit card, accounts, etc.) – the identifiable traits are their activities, characteristics, etc.
• #18: Make sure to stress we are a Security Intelligence Platform and we can meet their needs these use cases plus more. We are more than a SIEM in that we are much more flexible and also can be used for use cases outside of security. Do not go into detail on the 5 use cases because the next few slides detail each of them. And highlight that many customers already have a SIEM and are generally happy with it. But they do have some pain with current SIEM….maybe it struggles getting in non-security data, maybe it has limited search/reporting capabilities, etc. In these cases, Splunk can happily complement their SIEM. They perhaps use their existing SIEM for alerting, and they then log into Splunk to do the investigation, etc. But key point is that we can easily complement or replace a SIEM.
• #21: Key part of IT security is protecting confidential data. Which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need non-security and security data because advanced threats avoid detection from signature-based security products; the fingerprints of an advanced threat often are in the “non-security” data. Most traditional SIEMs just focus on gathering signature-based threats which do *not* have the fingerprints of advanced threats. Also the above scenario is worse if there is no SIEM. Instead point UIs and grep are used and aggregating data is very manual and time consuming.
• #22: Insight for Insider threats comes both traditional data sources used for security AS WELL AS FROM non-traditional, often from HR, personnel and other “people-oriented” data.
• #30: 1 solution for Splunk for Security, but 3 offerings. At bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it. On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. Can be built by Splunk, customer, partners and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content and do want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost though) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3. The majority of Splunk security customers do Splunk Enterprise and the free apps. Also customers do leverage the API and SDKs that come with Splunk to further extend the platform.
• #34: 3:45pm – Bert: Moderate Q&A REMEMBER: Check the presenter pod to ensure Deloitte has not asked you to skip any questions NEXT: 3:55pm – Close session: Thank our presenters Hand it over to Alicia to close and mention Splunk’s upcoming events
• #35: 3:55pm – Close session: Thank our presenters Hand it over to Alicia to close and mention Splunk’s upcoming events