Copyright©2016SplunkInc.

EnterpriseSecurity&UBAOverview

SplunkLive London2016JohanBjerke,SeniorSalesEngineer

TechnicalSplunkGuy

2

SplunkLiveSecurityTrackToday13:00-14:00: OperationalSecurityIntelligence14:00-15:00: SplunkforEnterpriseSecurityfeaturingUser

BehaviorAnalytics15:00-16:00: CloudBreach– DetectionandResponse

16:00-17:00: HappyHour

17:00– 19:30: SplunkLondonUserGroupMeeting

33

> Johan Bjerke johan@splunk.com

• 2+ years at Splunk• Splunk Security SME

whoami

4

Disclaimer

4

Duringthecourseofthispresentation,wemaymakeforwardlookingstatementsregardingfutureeventsortheexpectedperformanceofthecompany.Wecautionyou thatsuchstatementsreflectourcurrentexpectationsand

estimatesbasedonfactorscurrentlyknowntousandthatactualeventsorresultscoulddiffermaterially.Forimportantfactorsthatmaycauseactualresultstodifferfromthosecontainedinourforward-looking statements,pleasereviewourfilingswiththeSEC.Theforward-looking statementsmadeinthethispresentationarebeingmadeasofthetimeanddateofitslivepresentation.Ifreviewedafteritslivepresentation,thispresentationmaynotcontaincurrentoraccurateinformation.Wedonotassumeanyobligationtoupdateanyforwardlooking statementswemaymake.

Inaddition, anyinformationaboutourroadmapoutlines ourgeneralproductdirectionandissubjecttochangeatanytimewithoutnotice.Itisforinformational purposes only andshallnot, beincorporatedintoanycontractorothercommitment.Splunk undertakesnoobligationeithertodevelopthefeaturesorfunctionality describedortoinclude

anysuch featureorfunctionality inafuturerelease.

5

Agenda

SplunkPortfolioUpdate

EnterpriseSecurity4.1

UserBehaviorAnalytics2.2

6

SplunkSolutions>EasytoAdopt

VMware

PlatformforMachineData

Exchange PCISecurity

AcrossDataSources,UseCases&ConsumptionModels

ITSvcInt

SplunkPremiumSolutions RichEcosystemofApps

ITSI UBA

UBA

MainframeData

RelationalDatabases

MobileForwarders Syslog/TCP IoTDevices

NetworkWireData

Hadoop&NoSQL

WhatisSplunkES?

PlatformforMachineData

SplunkEnterpriseSecurityAdvancinganalytics-drivensecurity

SecurityandComplianceReporting

MonitorandDetect

InvestigateThreatsandIncidents

AnalyzeandOptimizeResponse

9

OpenSolutionsFrameworkSupports critical security related management framework features

9

EnterpriseSecurityFramework

• Notable Events Framework• Threat Intelligence Framework

• Risk Scoring Framework• Identity & Asset Framework

Customer Apps

APPs / Content

Partner Apps

APPs / Content

Splunk Apps

APPs / Content

• Export• Import• Share

• Summarization Framework• Alerting & Scheduling

• Visualization Framework• Application Framework

ExternalInstance

MoreHonors– March2016

● BestSIEMSolution

What’snewinSplunkEnterpriseSecurity4.1?

12

PrioritizeandSpeedInvestigations

Centralizedincidentreviewcombining risk andquicksearch

Usethenewriskscoresandquicksearchestodetermine theimpactofanincidentquickly

Useriskscorestogenerateactionablealertstorespondonmattersthatrequireimmediateattention.

ES4.1

13

EnhancedInvestigationTimeline

AddfileattachmentstoInvestigationTimeline

ExportInvestigationTimelineasPDF

14

BehavioralAnalyticsinSIEMWorkflow

• AllSplunkUBAresultsavailableinEnterpriseSecurity• WorkflowsforSOCManager,SOCanalystandHunter/Investigator• SplunkUBAcanbepurchased/operatedseparatelyfromSplunkEnterpriseSecurity

ES4.1andUBA2.2

15

ExpandedThreatIntelligence ES4.1

SupportsFacebookThreatExchange

Anadditionalthreatintelligencefeedthatprovidesfollowingthreatindicators- domainnames,IPsandhashes

Usewithadhocsearchesandinvestigations

ExtendsSplunk’s ThreatIntelligenceFramework

EnterpriseSecurityDemo

WhatisSplunkUBA?

18

TECHNOLOGY EVOLUTION

19952002

2008

2011

2015

END-POINTSECURITY NETWORKSECURITY EARLYCORRELATION OBJECTANALYSIS BEHAVIORANALYSIS

19

IN2014,INDUSTRYSPENT

$1.7Billion

SECUREEMAILGATEWAY

$1.3Billion

SECUREWEBGATEWAY

$2.8Billion

ENDPOINTPROTECTION

$1.2Billion

INTRUSIONPREVENTION

$9.4Billion

FIREWALL

20

$16+BillionBut,weneedevenmoretools

21

FAMILIARWITHTHESEBREACHES?

January2015 February2015 February2015

MorganStanley

730KPIIRecords

Anthem Insurance

80MPatientRecords

OfficeofPersonalManagement22MPIIRecords

July 2015

PentagonUnclassifiedEmailSystem4KPIIRecords

22

SO,WHATISTHECOMPROMISED/MISUSEDCREDENTIALSORDEVICES

LACKOFRESOURCES(SECURITY EXPERTISE)

LACKOFALERTPRIORITIZATION&EXCESSIVEFALSEPOSITIVES

PROBLEM?

23

EXTERNALATTACK

USERACTIVITYPeterandSamaccessacompromisedwebsite-

backdoorgetsinstalled

Theattackeruses Peter’sstolencredentialandVPNsintoDomainController

Theattackeruses thebackdoorstodownloadandexecuteWCE– passwordcracker

Peter’sandSam’sdevicesbegincommunicatingwithCnC

TheattackerlogsinasSamandaccessessensitivedocumentsfromafileshare

TheattackerstealstheadminKerberosticket andescalatestheprivilegesforSam

Theattackeruses Peter’sVPNcredentialtoconnect,copiesthedocstoanexternalstagingserver, andlogs

outafterthreehours

Day1

.

.

Day2

.

.

DayN

24

INSIDERTHREAT

JohnconnectsviaVPN

Administratorperformsssh (root)toafileshare-financedepartment

Johnexecutesremotedesktopto asystem(administrator) - PCIzone

Johnelevateshisprivileges

root copiesthedocumenttoanotherfileshare-Corporatezone

rootaccessesasensitivedocumentfromthefileshare

rootusesasetofTwitterhandlestochopandcopythedataoutsidetheenterprise

USERACTIVITY

Day1

.

.

Day2

.

.

DayN

SplunkUserBehavioralAnalyticsAutomatedDetectionof INSIDERTHREATSANDCYBERATTACKS

PlatformforMachineData

BehaviorBaselining&Modelling

UnsupervisedMachineLearning

Real-Time&BigDataArchitecture

Threat&AnomalyDetection

SecurityAnalytics

26

MULTI-ENTITYBEHAVIORALMODELTemporalWindow

USER HOST NETWORK APPLICATION DATA

ActivityA

ActivityN

ActivityA

ActivityN

ActivityA

ActivityN

ActivityA

ActivityN

ActivityA

ActivityN

ACTIVITYA ACTIVITYC ACTIVITYF ACTIVITYB ACTIVITYL

27

ATTACKDEFENSES

28

INSIDERTHREAT

Day1

.

.

Day2

.

.

DayN

JohnconnectsviaVPN

Administratorperformsssh (root)toafileshare-financedepartment

Johnexecutesremotedesktopto asystem(administrator) - PCIzone

Johnelevateshisprivileges

root copiesthedocumenttoanotherfileshare-Corporatezone

rootaccessesasensitivedocumentfromthefileshare

rootusesasetofTwitterhandlestochopandcopythedataoutsidetheenterprise

USERACTIVITY

UnusualMachineAccess(LateralMovement;Individual&PeerGroup)

UnusualZone(CorpàPCI)traversal(LateralMovement)

UnusualActivitySequence

UnusualZoneCombination(PCIàCorp)

UnusualFileAccess(Individual&PeerGroup)

MultipleOutgoingConnections&UnusualSSLsessionduration

AFewCUSTOMERFINDINGS

q MaliciousDomain

q BeaconingActivity

q Malware:Asprox

q Webshell Activity

q PassTheHashAttack

q SuspiciousPrivilegedAccountactivity

q ExploitKit:Fiesta

q LateralMovement

q UnusualGeoLocation

q PrivilegedAccountAbuse

q AccessViolations

q IPTheft

RETAIL HI-TECH MANUFACTURING FINANCIAL

PROXYSERVER

FIREWALL

WHATDOESSPLUNKUBA NEED?

ACTIVEDIRECTORY/DOMAINCONTROLLER

DNS,DHCP

SPLUNKENTERPRISE ANYSIEM ATAMINIMUM

31

WHATCUSTOMERSHAVETOSAYABOUTSPLUNKUBA

Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather thanthe traditional rules-based approaches that doesn’t scale. We are pleased with the efficacy and efficiency of thissolution as it makes the life of our SOC analysts’ way better.Mark Grimse, VP IT Security, Rambus

A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insiderthreats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found SplunkUBA to be oneof themost advanced technologieswithin thebehavioralanalytics space.Randolph Barr, CSO, Saba

SplunkUBAandSplunkESIntegration

SIEM,Hadoop

Firewall,AD,DLP

AWS,VM,Cloud,Mobile

End-point,App,DB logs

Netflow,PCAP

ThreatFeeds

DATASOURCES

DATASCIENCEDRIVEN

THREATDETECTION

99.99%EVENTREDUCTION

UBA

MACHINELEARNINGIN

SIEMWORKFLOW

ANOMALY-BASEDCORRELATION

101111101010010001000001111011111011101111101010010001000001111011111011

What’sNewinUBA2.2

34

EnhancedInsiderThreatandCyberAttackDetection

DETETION

ThreatDetectionFramework• Customthreatmodelingwithanomalies

ExpandedAttackCoverage• Dataaccessandphysicaldataloss

NewViewpoint• Precision,prioritizationandcorrelationofalertswithanomalies

UBA2.2

35

Create customthreatsusing60+anomalies.

Createcustomthreatscenariosontopofanomaliesdetectedbymachinelearning.

Helpswithreal-timethreatdetectionandleveragetodetectthreatsonhistoricaldata.

Analystscancreatemanycombinations andpermutationsofthreatdetectionscenarios alongwithautomatedthreatdetection.

Detection:CustomThreatModelingFramework UBA2.2

36

Detection:EnhancedSecurityAnalytics

Visibilityandbaselinemetricsarounduser,device,applicationandprotocol

30+newmetrics

USERCENTRIC DEVICECENTRIC

APPLICATION CENTRIC PROTOCOLCENTRIC

DetailedVisibility,UnderstandNormalBehavior

UBA2.2

37

ContextEnrichment

CitrixNetScaler(AppFlow)FireEyeEmail(EX)SymantecDLPBit9/CarbonBlackDigitalGuardianAndmanymore….

ImprovedPrecisionandPrioritizationofThreats

§ RiskPercentile&DynamicPeerGroups§ SupportforAdditional3rd PartyDevices

UBA2.2

UBADemo

39

SEPT26-29,2016WALTDISNEYWORLD,ORLANDOSWANANDDOLPHINRESORTS

• 5000+IT&BusinessProfessionals• 3daysoftechnicalcontent• 165+sessions• 80+CustomerSpeakers• 35+Apps inSplunkAppsShowcase• 75+TechnologyPartners• 1:1networking:AskTheExpertsandSecurityExperts,BirdsofaFeatherandChalkTalks

• NEWhands-on labs!• Expandedshowfloor,DashboardsControlRoom&Clinic,andMORE!

The7th AnnualSplunkWorldwideUsers’Conference

PLUSSplunkUniversity• Threedays:Sept24-26,2016• GetSplunkCertifiedforFREE!• GetCPE creditsforCISSP,CAP,SSCP• Savethousands onSplunkeducation!

ThankYou!