Accelerate Incident Response with Orchestration & Automation

1. © 2019 SPLUNK INC.
Accelerate Incident Response Using Orchestration and Automation
2.
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
3.
Security Operations Practices Need to Change

Incident Response: too many alerts; not enough insights
Tools: too many; no integration
Skills: attracting, training, retaining
Scale: orchestration & automation; horizontal & vertical
5.
Incident Response Takes Significant Time
Source: SANS 2017 Incident Response Survey

Chart phases: time from compromise to detection; time from detection to containment; time from containment to remediation
Values shown on the chart: 1-3 months; 2–7 days
6.
Where Does Your Time Go?
When working an incident, which phase generally takes the longest to complete in your organization?
Day in the life of a security professional survey © 2016 EMA, Inc.
7.
Time-to-Contain + Time-to-Remediate = 86%
(Same chart and survey question as the previous slide.)
9.
Poll #1: How many security tools and technologies does your company use?
10.
Tools and Technologies Galore
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017

TOO MANY TOOLS: On average, organizations are using between 25 and 30 different security technologies and services.
11.
Skills and Scale: Orchestration and Automation
12.
Orchestration vs. Automation

Orchestration
► Security Orchestration is the machine-based coordination of security actions across tools and technologies.
► Brings together or integrates different technologies and tools
► Provides the ability to coordinate informed decision making, formalize and automate responsive actions

Automation
► Security Automation is the machine-based execution of security actions.
► Focus is on how to make machines do task-oriented "human work"
► Improve repetitive work, with high confidence in the outcome
► Allows multiple tasks or "playbooks" to potentially execute numerous tasks
13.
Poll #2: Do you use Security Orchestration, Automation and Response (SOAR)?
14.
Automation & Orchestration Adoption Growing
Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
16.
Security Nerve Center

Center: Analytics, Orchestration
Security domains: Network; Threat Intelligence; Mobile; Endpoints; Identity and Access; Cloud Security; WAF and App Security; Web Proxy; Firewall
Loop: Observe, Orient, Decide, Act
17.
Splunk Security Portfolio

Premium Solutions: Enterprise Security; User Behavior Analytics; Phantom
Captions: Threat Detection; Security Operations; Automation & Orchestration; Discover Anomalous Behavior; Detect Unknown Threats
ES Content Update; PCI Compliance
Splunk Security Apps & Add-ons: Security Essentials; App for AWS; Google Cloud; Microsoft Cloud; Network data; Exchange data
3rd Party Apps & Add-ons (900+)
Platform for Operational Intelligence: Search and Investigate; Monitoring & Alerting; Dashboards and Reports; Incident & Breach Response
18.
Adaptive Operations Framework
Partner ecosystem enables the Security Nerve Center

Mission: Deeply integrate with the best security technologies to improve cyber defenses and maximize operational efficiency.
Approach: Gather, analyze, share, and take action using end-to-end context across multiple security domains.

Security domains: Network; Threat Intelligence; Endpoints; Identity and Access; Cloud Security; WAF and App Security; Web Proxy; Firewall
Components: Splunkbase Apps & Add-Ons; Splunk Enterprise Security Adaptive Response Actions; Splunk Phantom Apps & Playbooks
Layers: Data / Analytics; Operations
240+ integrations / 1,200+ APIs
20.
Operationalizing Security With Phantom
Integrate your team, processes, and tools together.
Work smarter by automating repetitive tasks allowing
analysts to focus on more mission-critical tasks.
Respond faster and reduce dwell times with automated
detection, investigation, and response.
Strengthen defenses by integrating existing security
infrastructure together so that each part is an active
participant.
21.
Automation
Automate repetitive tasks to force multiply team efforts.
Execute automated actions in seconds versus hours.
Pre-fetch intelligence to support decision making.
22.
Orchestration
Coordinate complex workflows across your SOC.
200+ apps & growing; 1000+ APIs
23.
Collaboration
Communicate without losing context of the mission.
Share items of interest with your team.
Tap into collective knowledge with Phantom Mission Experts™.
24.
Event Management
Triage the most relevant events first.
Eliminate noise from your workload.
Escalate verified events to a formal case.
25.
Case Management
Create case templates that replicate your SOPs.
Manage your response to threats with precision.
Embed automation within a case task.
26.
Reporting & Metrics
Quickly assess operational status and team performance.
Conduct post-mortem case review.
Demonstrate return on your organization's security investment.
27.
A Phantom Case Study: How it Works, Automated Malware Investigation

Playbook diagram nodes: Email alert; Splunk; Sandbox; Query recipients; User profile; Hunt file (two nodes); File reputation; File assessment; Run playbook "Remediate"

“Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.”
Adam Fletcher, CISO
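The malware-email flow on this slide, written out as a runnable playbook so the enrichment, decision and remediation steps can be seen end to end. This is an added example and not Phantom's own code or API: the connectors (`file_reputation`, `sandbox_query`, `user_profiles`, `hunt_file`) are hypothetical stubs over constructed data, and the verdict threshold and action names are assumptions chosen for the example.

```python
"""Playbook skeleton for an automated malware-email investigation.

Added example, not Phantom's own code or API. Every connector is a
hypothetical in-memory stub standing in for a real integration (sandbox,
threat-intel feed, directory, endpoint agent, mail server); all data in
the stubs is constructed for this example.
"""
from dataclasses import dataclass, field

# --- constructed stand-ins for the tools a playbook would call --------------
FILE_REPUTATION = {                     # hypothetical TI feed: sha256 -> verdict
    "a1" * 32: "malicious",
    "b2" * 32: "clean",
}
SANDBOX_VERDICT = {                     # hypothetical sandbox results by sha256
    "a1" * 32: {"score": 92, "behaviour": ["persistence", "c2-beacon"]},
    "b2" * 32: {"score": 5, "behaviour": []},
    "c3" * 32: {"score": 15, "behaviour": []},
}
USER_DIRECTORY = {                      # hypothetical directory: recipient -> profile
    "alice@example.test": {"dept": "finance", "host": "fin-ws-07"},
    "bob@example.test": {"dept": "it", "host": "it-ws-02"},
}
ENDPOINT_INVENTORY = {                  # hypothetical endpoint agent: host -> hashes seen
    "fin-ws-07": {"a1" * 32},
    "it-ws-02": set(),
}


@dataclass
class EmailAlert:
    message_id: str
    recipients: list
    attachment_sha256: str


@dataclass
class PlaybookResult:
    decision: str
    evidence: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)


# --- enrichment steps (the "Orient" part of the loop) -----------------------
def file_reputation(sha256):
    return FILE_REPUTATION.get(sha256, "unknown")


def sandbox_query(sha256):
    return SANDBOX_VERDICT.get(sha256, {"score": None, "behaviour": []})


def user_profiles(recipients):
    return {r: USER_DIRECTORY.get(r, {"dept": "unknown", "host": None}) for r in recipients}


def hunt_file(sha256, hosts):
    """Return the recipients' hosts on which the attachment has already been seen."""
    return sorted(h for h in hosts if h and sha256 in ENDPOINT_INVENTORY.get(h, set()))


def assess_file(reputation, sandbox, threshold=70):
    """Combine reputation and sandbox score into one verdict (threshold is an assumption)."""
    if reputation == "malicious":
        return "malicious"
    if sandbox["score"] is not None and sandbox["score"] >= threshold:
        return "malicious"
    if reputation == "clean" and sandbox["score"] is not None:
        return "benign"
    return "inconclusive"


# --- the playbook itself ("Decide" and "Act") -------------------------------
def run_playbook(alert, auto_remediate=True):
    """Enrich, assess, then remediate, close, or hand the case to an analyst."""
    result = PlaybookResult(decision="")
    rep = file_reputation(alert.attachment_sha256)
    sb = sandbox_query(alert.attachment_sha256)
    profiles = user_profiles(alert.recipients)
    infected = hunt_file(alert.attachment_sha256, [p["host"] for p in profiles.values()])
    verdict = assess_file(rep, sb)
    result.evidence = {"reputation": rep, "sandbox": sb, "profiles": profiles,
                       "infected_hosts": infected, "verdict": verdict}
    if verdict == "malicious":
        # With auto_remediate=False the playbook stops here and asks for approval.
        result.decision = "remediate" if auto_remediate else "approve_remediation"
        if auto_remediate:
            result.actions += [f"quarantine_host:{h}" for h in infected]
            result.actions += [f"purge_email:{alert.message_id}:{r}" for r in alert.recipients]
    elif verdict == "benign":
        result.decision = "close"
    else:
        result.decision = "escalate_to_analyst"
    return result


if __name__ == "__main__":
    alert = EmailAlert("msg-001", ["alice@example.test", "bob@example.test"], "a1" * 32)
    print(run_playbook(alert))
```

Three paths are reachable with the constructed data: a known-bad hash is remediated on every host where the hunt found it and purged from every recipient's mailbox, a clean hash with a low sandbox score closes automatically, and an unknown hash with an inconclusive score is escalated rather than acted on, which is the case where a human still has to decide.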
29.
Key Takeaways
Splunk offers options to accelerate incident response with orchestration and automation

1. Use Phantom with Splunk or Splunk Enterprise Security to accelerate Incident Investigation and Response
2. Use Adaptive Operations Framework to realize your security nerve center
3. Splunk offers market proven, comprehensive solutions for Incident Response
4. Use with all Security domains and related IT domains to solve incident response use cases and more
30.
https://usergroups.splunk.com/
Check website for
upcoming events
[CITY] Area User Group
Connect with Local Splunkers
Get More
Information
Here at the
SplunkZone