SplunkLive! Utrecht - Splunk for Security - Monzy Merza


Transcript of SplunkLive! Utrecht - Splunk for Security - Monzy Merza


Haiyan Song, SVP of Security Markets

SPLUNK FOR SECURITY - MONZY MERZA

Hello and welcome to SplunkLive Stockholm 2016! I am... I look after security markets for EMEA. As some of you know, we had our global customer conference last week in Orlando (.conf 2016): 200 breakout sessions, 60 sponsors and partners, multiple product releases, significant new security advancements and use cases. We had many security customers come together and hear about:
- the changing trends in the security markets (with a focus on what we see in EMEA)
- but we also shared the vision for the Splunk security products and partnerships that is driving our customers' security capabilities forward
I want to share both of these with you today!


Digital Transformation = [ Security transformation ]

We are in an exciting and blessed age of change. Digital transformation is changing every aspect of all of our lives, from personal to business and leisure: smart cities, drones (GoPro Karma vs Mavic Pro), connected cars, fitness IoT, business digitization (deep learning, big data for connected cars). Digital transformation is driving new needs for security!
I am lucky as I get to meet and talk with Splunk customers all around EMEA who are living this change in their daily business lives. [3 examples from my role]
1. Business insights - [Gatwick/WP use case, do not name]
2. Manufacturing companies who are embracing IoT and cloud to differentiate [Bosch use case, but do not name]
3. Those who are building a CDC/SOC [Travis Perkins / Rolls Royce / William Hill (do not use the William Hill name)]
This transformation is creating a vast digital or data imprint for society, encoding our DNA. This imprint provides valuable insights but also allows a fertile ground for adversaries and threat actors to operate in a growing dark economy.

Data Facts: http://www.forbes.com/sites/bernardmarr/2015/09/30/big-data-20-mind-boggling-facts-everyone-must-read/#6786d2d36c1d
- 4.4 zettabytes today, will be 44 zettabytes by 2020 (more bytes on earth than visible stars in the sky)
- By 2020, a third of all data will be passed by the cloud
- Only 0.5% of all data is ever analysed!
- Within 5 years, there will be 50b connected devices
- Retailers could increase operating margins by 60% by leveraging big data
More: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html
[Next Slide]

Gatwick Airport: http://blogs.splunk.com/tag/gatwick/
At Splunk .conf2015, Joe Hardstaff, Business Systems Architect at Gatwick Airport, spoke about the challenges his organization faced as an airport trying to compete with other local airports with more runways. To give us background on the size of Gatwick Airport, he shared the following stats (you can share them too):
- Gatwick is the busiest single-runway airport in the world, hosting 925 flights per day
- By 2016, the airport will have serviced 40 million passengers
- 52 airlines flying to 200 locations in 90 countries (more destinations than any other UK airport)
Hardstaff explained that to set themselves apart, his colleagues developed an on-time efficiency solution for Gatwick to allow for an increased number of slots/flights per hour. However, the problem Gatwick still faced was IT architecture monitoring processes, specifically:
- Radar Zoned, Finals, Landed
- Flight Information Displays
- Resource on Stand
- Stand Entry Guidance System
- Fixed Electrical Ground Power
- Steps & Air-bridge Attached
- Service Vehicles Geo Tag & Fence
- Baggage Reconciliation System
- People Counting System
- Electronic Flight Progress Strips
- Airport Operational Database Flight Status
Gatwick implemented Splunk Cloud in July 2014. In doing so, Hardstaff's team realized that combining ops data in Splunk Cloud gave them the agility and scalability they needed while providing insight into airport performance.

Travis Perkins & Rolls Royce: This week we attended the Gartner Security & Risk Management Summit in London. IT security managers from across Europe came together to network, exchange information about the latest cyber security strategies and understand Gartner's perspective on the market.
As every industry continues to focus on digital transformation and move services online, security has become an even greater organizational priority. Organizations that customers trust and are confident in using will be clear winners in the long term. For many organizations, IT-related risk has become a major part of their corporate risk assessment that the board of directors has to review regularly.
As a result, many organizations have identified the need to build up Security Operations Centers (SOC) or Computer Emergency Response Teams (CERTs) to act as the nerve center for any digital incidents. The focus for such teams is not just on protecting internal company IT systems but also on protecting the digital services and products involved in the core business. One key to the success of a SOC or CERT is establishing a big data and analytics platform where the team can get insight into what's going on, correlating and processing threat intelligence in real time. It's also used as a "Time Machine" to go back into historical data and assess whether any threat information they have received could have affected the organisation previously. This helps teams to understand the where and how of security incidents and further improve their resilience against cyber attacks.

Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC' from Splunk
At the Gartner Security & Risk Management Summit, Nick Bleech, the CISO at Travis Perkins Group and the former CISO at Rolls-Royce, shared insights into how it has moved from an on-premise legacy SOC to a lean, cloud-based SOC, detailing how they work to protect the organisation through the adoption of Splunk's data-driven approach. Travis Perkins operates in a complex IT environment with a mixture of on-premise systems steadily being replaced by cloud services. The organisation needs to have secure and flexible technology that can adapt to support the business, with Splunk helping to identify incidents and lead data investigations as well as supporting compliance. During its deployment Travis Perkins has learnt many lessons, including how they define the roles and processes within their IT Operations Services Team.


Security Transformation = Imagine & Adapt

We are faced by new security challenges every day. In the last few weeks we saw the largest DDoS attacks in history: OVH and Krebs. OVH saw 1TB per sec from over 150K smart devices! (Krebs was 620GB.)
The Nordics are not immune. We have seen significant cyber attacks in the Nordics too:
1. Russia blamed for crashing Swedish air traffic control to test electronic warfare capabilities; it left domestic air travel grounded for 4 days. It happened last year in November and became public news in April this year; it was even escalated to NATO.
2. Ransomware targets millions by spoofing Nordic telco Telia: attackers tried to phish the Telia customer base and load ransomware (this also happened to IKEA and Post Denmark).
As security professionals, we have a mandate to protect and defend. But... we also must transform and adapt as our business and personal lives alter through digital transformation. We must think differently, augment humans and dare to imagine what we can achieve.
[Next slide]

Reference 1: http://www.ibtimes.co.uk/russia-blamed-bringing-down-swedish-air-traffic-control-test-electronic-warfare-capabilities-1554895
Reference 2: http://www.infosecurity-magazine.com/news/ransomware-targets-millions-by/

Swedish Air traffic: Sources in the Swedish government have blamed Russian intelligence for causing a major cyberattack on Sweden's air traffic control system that lasted for at least five days in November 2015, allegedly due to Russia testing out its electronic warfare capabilities.
Between 4-9 November 2015, hundreds of domestic and international flights were grounded at multiple airports across Sweden due to its air traffic control system going offline. The attack caused the radar systems to stop working, which caused the computer screens to go blank. This meant that air traffic controllers were unable to see any aircraft on their screens at all.
The source says that Swedish authorities were particularly concerned that Vattenfall, the Swedish state-owned power company, would be targeted by Russian hackers. As Vattenfall is one of the largest energy providers in Europe and owns several nuclear power plants in both Sweden and Germany, the potential damage from a cyberattack could have been astronomical.
The source also says that at the same time that Sweden issued its warning to neighbouring Nato countries, Nato independently detected that Russia had instigated electronic warfare activity in the Baltic Sea region that was jamming air traffic communication channels. Nato traced the signals and they led to a large radio tower in the Russian enclave of Kaliningrad, to the south of Lithuania.
In October 2015, a month before the cyberattack on Sweden's air traffic control systems, a leading electronic warfare expert reported that Russia was using electronic warfare both to jam Islamic State (Isis) communications in Syria and to mask its military activities from Nato.
The Swedish Civil Aviation Administration is currently investigating the true cause of the air traffic control system outage, but is not yet ready to release results from its analysis of data during the attack.
Nato and the Swedish Armed Forces have both said they cannot comment on the issue.

Ransomware Spoofs hit Telia: A new ransomware campaign is being mounted by cyber-criminals impersonating Telia, the Nordic telecom giant with operations in Europe and Asia. Telia has hundreds of millions of customers who could all become targets for the attack, which, according to Heimdal Security, is a highly targeted campaign using a mix of attack vectors.
Victims are first baited with a link to an invoice which appears to come from Telia, a trusted telecom company. The primary target for the attack is Sweden, but additional campaigns may follow, replicating the same model.
Once the victim triggers the infection, the attack unfolds. When the victim clicks the link, he/she will be redirected to a webpage where a Captcha code is displayed. When the victim fills out the code, the TorrentLocker payload will be downloaded.
"The TorrentLocker family is well known for its highly targeted spam email campaigns," said Heimdal Security researcher Andra Zaharia, in an analysis. "Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective."
Interestingly, the payload is only downloaded if the victim's IP is from Sweden. If an IP from another country is used, the victim will be redirected to Google.
The moment the malicious code is run, it will connect to a central C&C server and register the infected computer and the data harvested from it, which includes certificates from the infected device. Available contact details on the device will also be collected and sent to the aforementioned C&C server, certainly to be used in future spam campaigns.
The next step is for TorrentLocker to encrypt all the data files available on the local drive and on connected network drives, if there are any. Victims are extorted to pay approximately 1.15 Bitcoins, which is worth around 4099 SEK (441 EUR). There's a time limit for the payment, which, if surpassed, will double the ransom value.
"We can't emphasize this enough: a backup is the best protection for your data in case of a ransomware attack," said Zaharia. "Actually, you should have multiple backups. We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cybersecurity education and proactive protection."
She added, "Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We've seen it happen with IKEA and especially Post Denmark and PostNord. And we've seen it not once, not twice, but tens of times in the past year alone."

DDoS Attacks: https://fossbytes.com/1tbps-worlds-largest-ddos-attack-launched-152000-hacked-iot-devices/
[Short Bytes]: Hosting provider OVH has witnessed the world's largest DDoS attack. This attack of 1Gpbs intensity was launched by a botnet network of 152,463 smart devices. The same network was also responsible for the recent DDoS assault on security publication Krebs On Security. Sadly, more than 15k new cameras have participated in the attack on OVH in the last 48 hours.
It looks like we have a new record for the biggest DDoS attack ever seen. This time, the attack has managed to touch the magical 1Tbps mark. This attack was faced last week by the hosting provider OVH. The OVH founder and CTO Octave Klaba shared a screenshot of the multiple sources of the ongoing attack.
Klaba's posts reveal that OVH's website was flooded with a massive torrent of traffic on September 20. It claims that more than 25 colossal DDoS attacks were faced by the company in 48 hours. Klaba has also added further information that the attack has been clocked from a network of 152,463 hacked low-powered cameras and smart devices. The overall attack capacity of the botnet is being estimated at 1.5Tbps.
The same botnet network also crippled the security publication Krebs On Security with an intensity of 620Gbps. Eventually, Krebs got help from Google's Project Shield to protect the website. Krebs took this step after Akamai withdrew its expensive support, saying that the DDoS was nearly double the size of the largest attack they'd seen previously.
The current situation of OVH isn't good. Recently, Klaba tweeted that some new IoT devices have participated in the DDoS attack.


Transforming Security: Alert Based

Timestamp  | Monitor Event            | Result
08.07.2015 | SMTP 465 @ smtp.gmail    | Can not connect to port
08.07.2015 | POP 110 @ pop.gmail.co   | Can not connect to port
08.07.2015 | IMAP 143 @ imap.gmail.   | Can not connect to port
08.07.2015 | Check DNS (53) @         | Code Success
08.07.2015 | Ping my new device @ M   | Average roundtrip time is
08.07.2015 | Physical memory usage l  | Used physical memory p

1. So we need to transform and adapt: from alert-based security to context-based security.
[Next slide]

Additional notes: Alert fatigue (like Target). Knowing what is important to our business (i.e. the Target breach issue).

Transforming Security: Alert Based / Attack Based (same monitor table as the previous slide)
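As an added illustration of the alert-based to context-based shift (example code written for this transcript, not Splunk's or the speaker's), the script below collapses per-check alerts in the shape of the slide's table into one risk-scored item per asset; the hostnames, asset inventory and risk weights are constructed assumptions, and the slide itself shows no host column.

```python
"""Alert-based vs. context-based view of the same monitor results.

Each row alone is a low-value alert (six of them here). Grouped per
asset, enriched with business context and scored, they collapse into one
prioritised item that an analyst can act on, while the lab PC stays out
of the queue.
"""
from datetime import datetime

# Constructed rows in the slide's shape: timestamp, host, monitor, result.
ALERTS = [
    ("08.07.2015 09:00", "mail-gw-01", "SMTP 465 @ smtp.example", "Can not connect to port"),
    ("08.07.2015 09:01", "mail-gw-01", "POP 110 @ pop.example", "Can not connect to port"),
    ("08.07.2015 09:01", "mail-gw-01", "IMAP 143 @ imap.example", "Can not connect to port"),
    ("08.07.2015 09:02", "mail-gw-01", "Check DNS (53)", "Code Success"),
    ("08.07.2015 09:05", "lab-pc-07", "Ping my new device", "Average roundtrip time is 3ms"),
    ("08.07.2015 09:06", "lab-pc-07", "Physical memory usage", "Used physical memory 91%"),
]

# Constructed asset inventory (hypothetical business context per host).
ASSETS = {
    "mail-gw-01": {"owner": "messaging", "criticality": 5, "internet_facing": True},
    "lab-pc-07": {"owner": "r&d-lab", "criticality": 1, "internet_facing": False},
}

# Assumed base risk per result class; informational results score 0.
RESULT_RISK = {"Can not connect to port": 10, "Used physical memory": 5}


def base_risk(result):
    """Map a raw monitor result onto a base risk weight by prefix match."""
    for prefix, weight in RESULT_RISK.items():
        if result.startswith(prefix):
            return weight
    return 0


def contextual_view(alerts, assets, threshold=20):
    """Collapse per-check alerts into one risk-scored entry per asset.

    Risk is base weight times asset criticality, so the same failed check
    weighs more on a critical gateway than on a lab PC. An asset becomes
    'notable' once its accumulated risk reaches the threshold.
    """
    unknown = {"owner": "unknown", "criticality": 3, "internet_facing": False}
    view = {}
    for ts, host, monitor, result in alerts:
        when = datetime.strptime(ts, "%d.%m.%Y %H:%M")
        ctx = assets.get(host, unknown)
        entry = view.setdefault(host, {
            "owner": ctx["owner"], "criticality": ctx["criticality"],
            "internet_facing": ctx["internet_facing"], "risk": 0, "alerts": 0,
            "first_seen": when, "last_seen": when, "checks": [],
        })
        risk = base_risk(result) * ctx["criticality"]
        entry["risk"] += risk
        entry["alerts"] += 1
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        if risk:
            entry["checks"].append(monitor)  # only failing checks are kept as evidence
    for entry in view.values():
        entry["notable"] = entry["risk"] >= threshold
    return view


def notables(view):
    """Assets that deserve analyst attention, highest accumulated risk first."""
    return sorted((h for h, e in view.items() if e["notable"]),
                  key=lambda h: view[h]["risk"], reverse=True)


if __name__ == "__main__":
    view = contextual_view(ALERTS, ASSETS)
    print(f"alert-based view: {len(ALERTS)} separate alerts")
    for host in notables(view):
        e = view[host]
        print(f"context-based view: {host} (owner {e['owner']}, risk {e['risk']}): "
              f"{len(e['checks'])} failed checks {e['first_seen']:%H:%M}-{e['last_seen']:%H:%M}")
```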


Transforming Security: Only Human Authoring

2. So we need to transform and adapt: from human-based authoring to human- and machine-based learning approaches.
[Next slide]

Additional comments: Significant global lack of security professionals. But we still need a human (cf. the break in automated financial trading platforms and the need for human oversight).


Transforming Security: Human Authoring / Human + Machine Learning



Transforming Security: Monitoring Center

3. So we need to transform and adapt: from simply monitoring for security operations to becoming a security command center (one that provides automated, contextual intelligence through combined human and machine learning for security).
[Next slide]

Additional comments: Knowing is not enough (the check-box approach to security). We need contextual information: digestible, timely, relevant, appropriate.


Transforming Security: Monitoring Center / Command Center (Share, Block, Context, Detect)



Transforming Security: Siloed Approach

Silos on the slide: Internal Network Security, Network, Context & Intelligence, Identity, App, Firewall, Endpoints, Run Book


Adaptive Response Initiative Traction: Feb 2016 / Sept 2016+

Delivering the Nerve Center: Technology / Ecosystem (Internal Network Security, Network, Context & Intelligence, Identity, App, Firewall, Endpoints, Run Book)

Security use cases:
- Security & Compliance Reporting
- Incident Investigations & Forensics
- Monitoring of Known Threats
- Advanced Threat Detection
- Fraud Detection
- Insider Threat

Our Vision:

Allow you to build and operate the next-generation security command or nerve center, regardless of your maturity, that deals with the legacy challenges and provides the flexibility of operating in our rapidly changing digital world.

Focus on:
- Break down all legacy silos
- Support flexibility & innovation (consume how you will, change and update use cases as the threat landscape changes)
- Automate and support the human analyst
- Provide context
Key: get to the why and what is coming next

To do this, we are:
- Building from our core platform for operational intelligence
- Providing solutions to power critical security use cases, but always staying true to our vision with advanced new capabilities:
  - (Automation) Adaptive Response capabilities
  - (Machine Learning) Machine learning security capabilities
  - (Breaking down silos) Building the nerve center

Security Monitoring, Detection & Alerting / Incident & Breach Response / Automation & Orchestration

Splunk for Enterprise Security: Optimize your SOC team and augment/replace your SIEM

Risk-Based Analytics / Incident Investigation & Response / Enrich Security Analysis with Threat Intelligence

Featured Customer Video

Post Finance is nice: https://www.splunk.com/en_us/resources/video.9oMGI5MzE6pX2zLFOsqUYEiwVRjcJBVm.html

[2.48mins, Swiss]


Splunk Enterprise Security: Introducing Splunk Enterprise Security 4.5
- Adaptive Response
- Enhanced Visual Analytics
- Improved Threat Detection / UBA + ES Integration

Enterprise Security 4.5: Released October 31st

What is ES (for those of you who don't know): a security analytics platform to augment your SOC capability or replace your legacy SIEM. It includes:
- Contextualize, prioritize & visualize to find threats fast
- Enable rapid threat hunting/relationship discovery
- Risk-based analytics
- Enrich security analysis with threat intelligence

New features:
- Adaptive Response
- Enhanced Visual Analytics
- Improved threat detection/UBA integration

Adaptive Response: Splunk Adaptive Response helps extend security architecture beyond legacy preventative technologies and events-based monitoring to connected intelligence for security operations. This provides full visibility and responsiveness across the entire security ecosystem. By combining alert and threat information from multiple security domains and technologies for collective insight, Adaptive Response enables better-informed human-assisted and automated decisions across the entire kill chain, both when validating threats and when applying analytics-driven response directives to a security environment.
- Centrally automate retrieval, sharing and response actions, resulting in improved detection, investigation and remediation times
- Improve operational efficiency using workflow-based context with automated and human-assisted decisions
- Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
- Use UI wizards and dashboards to specify the nature of actions, categorize actions, and receive feedback on the status and results of actions across a wide set of entities
- Gain a holistic view across all security-relevant data from network, endpoint, identity, access, incident response, automation, threat intelligence, deception tools and more
- Detect, investigate and respond by overcoming silos

ES Glass Tables (making security digestible for non-security stakeholders => security gold-dust):
- Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view
- Improve response times with nested views to display what's important or relevant
- Optimize workflow with drill-down to the supporting criteria of the metric
- Custom visualizations that reflect workflows, topology, and detect/investigate/respond sequences, with dashboards and summary views carrying the relevant context to suit your needs

Improved Threat Detection/Response & UBA Integration:
- Use the correlation search builder to configure and automate responses and attach the results to notable events
- In Incident Review, configure and execute responses and queries across the security ecosystem
- Use the audit dashboard to search and review responses taken and their results


Demo: ES 4.5 Adaptive Response

Demo: Glass Table

Splunk Enterprise Security: Introducing Splunk Enterprise Security 4.5 (recap)
- Adaptive Response
- Glass Tables
- Improved Threat Detection / UBA + ES Integration

Splunk User Behavior Analytics: Packaged Advanced & Behavioral Analytics
- Behavior-Based Threat Detection
- Kill Chain Detection and Attack Vector Discovery
- Self-Learning and Tuning

Splunk User Behavior Analytics: Announcing User Behavior Analytics 3.0
- Peer Group Analytics
- Content Updates
- Customizable Threats and Anomalies

Demo: UBA Threats & Anomalies


Enterprise Security: Adaptive Response, Glass Tables
User Behavior Analytics: Content Subscription, Customizable Threats


THANK YOU
