How to go from crawl to walk to run with Splunk for Security. By Dimitri McKay, Staff Security Architect, Splunk

1. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
crawl|walk|run
Splunk for Security
Dimitri McKay | Staff Security Architect | Splunk

2. © 2017 SPLUNK INC.
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United
States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements

3. © 2017 SPLUNK INC.
Agenda
Splunk Level Set
Intro Maturity Crawl Walk Run Summary

4. © 2017 SPLUNK INC.
Intro
Maturity

5. Technology
PeopleProcess
3 equal parts make a mature security program

6. © 2017 SPLUNK INC.
Maturity of a Security Program
Search and
Investigate
Proactive
Monitoring
and Alerting
Security
Situational
Awareness
Real-time
Risk Insight
Proactive
Reactive
- Reactive security
- Limited visibility
- Limited data-sources
- Data spread across
multiple silos
- Specific data-sources
captured
- Realtime monitoring for
specific basic use cases
- Simple correlation alerts
in use
- Monitoring in real-time.
- High fidelity correlation in use.
- Basic automation for
enrichment.
- Threat data plays a heavy role
in security processes.
- Risk framework used to
prioritize activity.
- Automation is used to reduce
noise and threat.
- Breaches identified in real-time
and thwarted before exfil.

7. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

8. © 2017 SPLUNK INC.
Crawl
How do I get started?

9. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

10. © 2017 SPLUNK INC.
200+ APPS
The Splunk Platform for Security Intelligence
Splunk Enterprise (CORE)
Stream data
Cisco
Security Suite
Windows/ AD/
Exchange
Palo Alto
Networks
FireEye
Bit9
DShield
DNS
OSSEC
Splunk-built AppsSplunk for Security

11. © 2017 SPLUNK INC.
Step one?
Download Splunk. :)

12. © 2017 SPLUNK INC.
But, consider starting with
these top 5 data sources…

13. © 2017 SPLUNK INC.
#1
Windows
Splunk Add-on for
Microsoft Windows

14. © 2017 SPLUNK INC.
► Authentication:
- Success/ Failures
- New account logons
- Unused accounts
- Anomalous logins
► Endpoint changes:
- New applications/ processes
- New ports
- New services
Windows Use Cases
#1
Windows
Splunk Add-on for
Microsoft Windows

15. © 2017 SPLUNK INC.
#2
Linux
Splunk Add-on for
Unix and Linux
Add-on for Auditd

16. © 2017 SPLUNK INC.
#2
Linux
Splunk Add-on for
Unix and Linux
Add-on for Auditd
► Authentication:
- Success/ Failures
- New account logons
- Unused accounts
- Anomalous logins
► Endpoint changes:
- New applications/ processes
- New ports
- New services
Linux Use Cases

17. © 2017 SPLUNK INC.
#3
Firewalls
Splunk Add-on for
Juniper, Cisco,
Palo Alto, etc.

18. © 2017 SPLUNK INC.
#3
Firewalls
Splunk Add-on for
Juniper, Cisco,
Palo Alto, etc.
► Top categories
► Top apps consuming bandwidth
► Top protocol use
► Top bandwidth consumers
► Top threats by user/host/src
► Top blocked executables
► Top vulnerabilities / vulnerable machines
► Top targets
► Top actions
► Top malware
Firewall Use Cases

19. © 2017 SPLUNK INC.
#4
AWS + Cloud
Services
Adoption of Cloud in
the Security space

20. © 2017 SPLUNK INC.
#4
AWS + Cloud
Services
Adoption of Cloud in
the Security space
► Network ACLs
► Security groups
► IAM activity
► S3 data events
► VPC activity/traffic/security analysis
► Cloudfront/ELB/S3 Traffic Analysis
► Top user activity
► Top resource activity
AWS/Cloud Use Cases

21. © 2017 SPLUNK INC.
#5
Anti-virus
Symantec and McAfee
antivirus suites

22. © 2017 SPLUNK INC.
#5
Anti-virus
Symantec and McAfee
antivirus suites
► Top risks detected
► Top processes blocked
► Top viruses / spyware detected
► Malware client version reports
► Malware virus definitions version reports
► Host changes / modifications
Anti-virus Use Cases

23. © 2017 SPLUNK INC.
With these top 5 data sources
you manage…
► Detection of Possible Brute Force Attacks
► Detection of Insider Threat
► Expected Host/Log Source Not Reporting
► Unusual Login Behavior
► Unexpected Events Per Second (EPS) from Log Sources
► Detection of Anomalous Ports, Services and Unpatched
Devices
► More…
http://resources.infosecinstitute.com/top-6-seim-use-cases/#gref

24. © 2017 SPLUNK INC.
Use Cases + Apps
Dive into more advanced use cases

25. © 2017 SPLUNK INC.
Next, Dive Into More Advanced Use Cases
Security Intelligence Use Cases
Security &
Compliance
Reporting
Real-time
Monitoring of
Known Threats
Root Cause
Analysis
Action
AlertingIncident
Investigations
& Forensics

26. © 2017 SPLUNK INC.
Splunk Security Essentials
Access and Network Domain
Access Domain
• Authentication Against a New Domain Controller
• First Time Logon to New Server
• Significant Increase in Interactively Logged On
Users
• Geographically Improbable Access (Superman)
• Increase in # of Hosts Logged into
• New AD Domain Detected
• New Interactive Logon from a Service Account
• New Local Admin Account
• New Logon Type for User
• Short Lived Admin Accounts
• Significant Increase in Interactive Logons
Network Domain
• Detect Algorithmically Generated Domains
• Remote PowerShell Launches
• Source IPs Communicating with Far More Hosts
Than Normal
• Sources Sending Many DNS Requests
• Sources Sending a High Volume of DNS Traffic

27. © 2017 SPLUNK INC.
Splunk Security Essentials
for Ransomware
The following are the Use Cases included in this app
1. Fake Windows Processes
2. Malicious Command Line Executions
3. Monitor AutoRun Reported Registry Keys
4. Monitoring Successful Backups
5. Monitor Successful Windows Update
6. Monitoring Unsuccessful Backups
7. Monitor Successful Windows Update
8. Ransomware extensions
9. Ransomware Note Files
10. Ransomware Vulnerabilities
11. SMB traffic Allowed
12. Spike in SMB traffic
13. Detect TOR Traffic

28. © 2017 SPLUNK INC.
CIS Critical Security Controls
The CIS Critical Security Controls app
for Splunk was designed to provide a
consolidated, easily-extensible
framework for baseline security “best-
practices” based on the Top 20 Critical
Security Controls published by the
Center for Internet Security.
Framework for Baseline Security

29. © 2017 SPLUNK INC.
Crawl
How do I get started?

30. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

31. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

32. © 2017 SPLUNK INC.
Splunk Enterprise Security
Analytics SIEM
Monitoring | Reporting | Alerting
• 50,000 foot view of of the organization’s security
posture
• Out of the box dashboards, reports, correlated
alerts, and incident response workflows
• Significant Increase in Interactively Logged On
Users
• Detect unusual activities by leveraging statistical
analysis, dynamic thresholds, and anomaly
detection.
• Verify privileged access and detect unusual
activity by applying user- and asset-based context
to all Cloud, on-premises and hybrid machine
data to monitor user and asset activities.
Threat | Case Management
• Leverage threat feeds from a broad set of
sources, including free threat intelligence feeds,
third party subscriptions, law enforcement, FS-
ISAC , STIX/TAXII, the Department of Homeland
Security’s (DHS) Automated Indicator Sharing
(AIS), Facebook ThreatExchange, internal and
shared dataRemote PowerShell Launches
• Manage alerts/cases and investigations in one
place, with the ability to pivot between data
sources to decrease remediate and investigation
time, thereby reducing risk.

33. © 2017 SPLUNK INC.
Crawl
How do I get started?

34. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

35. © 2017 SPLUNK INC.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/

36. © 2017 SPLUNK INC.
Splunk UBA + Enterprise Security
Unsupervised Machine Learning
Business Risk | Machine Learning
• Detects insider threats using out-of-the-box
purpose-built but extensible unsupervised machine
learning (ML) algorithms
• Provides context around the threat via ML driven
anomaly correlation and visual mapping of stitched
anomalies over various phases of the attack
lifecycle (Kill Chain View)
• Increases SOC efficiency with rank-ordered threats
and supporting evidence
• Prioritize assets and identities based on criticality to
the business, which then prioritizes alerts and case
management as the most important events bubble
to the surface.
High Fidelity Alerting + Orchestration
• By integrating UBA with Enterprise Security, high
fidelity alerts are then fed into a central location for
remediation.
• Alerts are also then actionable, allowing Splunk to
orchestrate and automate a response via a single
common interface for retrieval, sharing, and
response in multi-vendor environments. Examples
of those responses might be segregating a host off
of a network, re-setting a users password, pushing
out antivirus definitions to machines with out of date
updates, or blocking IPs and URLs found in threat
lists.

37. © 2017 SPLUNK INC.
Summary
In Conclusion

38. The Platform
PLATFORM
Analytics,Awareness&Action

39. The Platform
PLATFORM
SOLUTIONS
Analytics,Awareness&Action
Vendor Apps | Community Apps | Use Case Apps | Showcase Apps

40. The Platform
Incident
Investigations
and
Forensics
Security
and
Compliance
Real-Time
Monitoring
Root
Cause
Analysis
Automation
And
Orchestration
Reporting
And
Alerting
PLATFORM
USE CASES
SOLUTIONS
Analytics,Awareness&Action
Vendor Apps | Community Apps | Use Case Apps | Showcase Apps

41. © 2017 SPLUNK INC.
End
Thank you!