Enterprise Security featuring UBA

  1. Copyright © 2016 Splunk Inc. Enterprise Security and UBA Overview
  2. Disclaimer: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  3. Agenda
     • Splunk Portfolio Update
     • Enterprise Security 4.5
     • User Behavior Analytics 3.0
  4. Splunk portfolio diagram: the Platform for Machine Data ingests mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, and Hadoop & NoSQL; on top of it sit Splunk Solutions that are easy to adopt (Exchange, PCI, Security, VMware, IT Svc Int), Splunk Premium Solutions (ITSI, UBA) and a rich ecosystem of apps, across data sources, use cases and consumption models.
  5. Splunk Releases
     • Splunk Enterprise and Splunk Cloud 6.5
     • Enterprise Security (ES) 4.5
     • User Behavior Analytics (UBA) 3.0
  6. Splunk Security Vision
     • Security markets: SIEM and Compliance; Security Analytics (supervised and unsupervised); Fraud and Business Risk; Managed Security and Intelligence Services
     • Splunk Security Intelligence Framework: workflow/collaboration, case management, content/intelligence syndication and ecosystem brokering
  7. Enterprise Security
     • Provides: SIEM and Security Nerve Center for security operations/command centers
     • Functions: alert management, detection using pre-built correlation rules, incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing
     • Personas served: SOC analysts, security teams, incident responders, hunters, security managers
     • Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attack detection using correlation searches, dynamic baselines
  8. User Behavior Analytics
     • Provides: advanced threat detection using unsupervised machine learning; enriches Splunk Enterprise Security (SIEM)
     • Functions: baselines behavior from log data and other data to detect anomalies and threats
     • Personas served: SOC analysts, hunters
     • Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science
  9. Copyright © 2016 Splunk Inc. Enterprise Security. Christopher Shobert (Security Engineer/SME)
  10. Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
     • Four years in a row as a Leader
     • Furthest overall in Completeness of Vision
     • Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases
     *Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  11. Splunk scores highest in 2016 Critical Capabilities for SIEM* report in all three Use Cases
     *Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016 (same Gartner disclaimer as on slide 10).
  12. SIEM Use Cases (Gartner Research Document: 2016 Critical Capabilities for SIEM)
     • Use cases: Basic Security Monitoring; Advanced Threat Defense; Forensics and Incident Management
     • Critical capabilities*: Real-time Monitoring; User Monitoring; Incident Response and Management; Advanced Analytics; Threat Intelligence & Business Context; Advanced Threat Defense; Data and Application Monitoring; Deployment and Support Flexibility
     • ES frameworks mapped against them: Notable Events, Asset & Identity, Threat Intelligence, Risk Analysis, Adaptive Response
  13. Splunk Enterprise Security: Fast Facts
     • Current version: 4.5, released on October 12, 2016
     • Two major releases per year
     • Content comes from industry experts, market analysis, but most importantly YOU
     • The best of Splunk carries through to ES: flexible, scalable, fast, and customizable
     • ES has its own development team, dedicated support, services practice, and training courses
  14. Splunk Enterprise Security – SIEM and Security Nerve Center: release timeline, Q2 2015 to Q3 2016
     • ES 3.3: Threat Intel Framework; User Activity Monitoring; Content Sharing; Data Ingestion
     • ES 4.0: Breach Analysis; Integration with Splunk UBA; Enterprise Security Framework
     • ES 4.1: Behavior Anomalies; Risk and Search in Incident Review; Facebook ThreatExchange
     • ES 4.2: Adaptive Response enablement; Performance; Actions Dashboard; Search Driven Lookup
     • ES 4.5: Adaptive Response; Glass Tables; Adaptive Response partner enablement
  15. The Frameworks of ES
  16. What is Enterprise Security? A collection of frameworks: Notable Event, Asset and Identity, Risk Analysis, Threat Intelligence, Adaptive Response
  18. Notable Events: where correlation searches are surfaced
  20. Asset and Identity: system inventory in ES
  22. Risk Analysis: adds context; the risk score is displayed in Incident Review
  24. Threat Intelligence: indicators everywhere
  25. Threat Intelligence indicator types: Certificates, Domains, Email, File, HTTP, IP addresses, Processes, Registry, Services, Users
  27. Adaptive Response Framework: Correlation Search > Alert
  28. Splunk as the Security Nerve Center: diagram with Splunk at the center, connected to Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, and Threat Intel
  29. Insight from Across the Ecosystem: effectively leverage security infrastructure to gain a holistic view. Partners shown, arranged by the same categories (Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel): 1. Palo Alto Networks, 2. Anomali, 3. Phantom, 4. Cisco, 5. Fortinet, 6. Threat Connect, 7. Ziften, 8. Acalvio, 9. Proofpoint, 10. CrowdStrike, 11. Symantec (Blue Coat), 12. Qualys, 13. Recorded Future, 14. Okta, 15. DomainTools, 16. Cyber Ark, 17. Tanium, 18. Carbon Black, 19. ForeScout
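The frameworks on slides 18 to 27 are easier to see working together than to describe one by one. The following is an added example, not Splunk's code and not how ES is implemented: constructed threat-intelligence indicators of several types (IP, domain, file hash, certificate) are matched against constructed events by a miniature "correlation search"; each hit raises a notable event whose urgency combines the rule's severity with the priority of the asset or identity involved (looked up in a small inventory), adds a risk modifier to that system and user, and dispatches a simulated adaptive-response action. The urgency rule, the rule name, and every host, user, address and hash are assumptions made for the example.

```python
"""Added example (not Splunk code): a miniature of how the ES frameworks
interact. Threat-intel indicators are matched against events by a
'correlation search'; each hit raises a notable event (urgency = rule severity
combined with asset/identity priority), adds a risk modifier to the system and
user, and dispatches an adaptive-response action. All data is constructed."""
from collections import defaultdict

# Threat Intelligence framework: indicator type -> known-bad values (constructed).
THREAT_INTEL = {
    "ip": {"203.0.113.7"},
    "domain": {"update-cdn.example"},
    "file_hash": {"44d88612fea8a8f36de82e1278abb02f"},
    "certificate": {"SHA1:9f2a11c0de4b"},  # made-up TLS certificate fingerprint
}
# Which event field is compared against which indicator type.
FIELD_TO_INTEL = {"dest_ip": "ip", "query": "domain",
                  "file_hash": "file_hash", "ssl_fingerprint": "certificate"}

# Asset & Identity framework: inventory with a priority per object (constructed).
ASSETS = {"10.0.1.20": {"nt_host": "fin-db-01", "priority": "critical"},
          "10.0.2.55": {"nt_host": "wkstn-rod", "priority": "medium"}}
IDENTITIES = {"rod": {"priority": "high"}, "svc_db": {"priority": "medium"}}

RANK = {"unknown": 0, "informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LEVELS = ["informational", "low", "medium", "high", "critical"]

def urgency(severity, priority):
    """Notable urgency from rule severity x object priority.
    Hypothetical rule (ES ships its own lookup table): round the average up."""
    return LEVELS[min(4, (RANK[severity] + RANK[priority] + 1) // 2)]

# The correlation search and the adaptive-response action it names (hypothetical).
RULE = {"name": "Threat Activity Detected", "severity": "high",
        "risk_score": 60, "response": "block_dest"}

def block_dest(notable):
    """Simulated response action: return the firewall change it would request."""
    return {"action": "block_dest", "target": notable["indicator"],
            "on_behalf_of": notable["rule"]}

RESPONSE_ACTIONS = {"block_dest": block_dest}

def correlation_search(events):
    """Run the rule over events; return (notables, risk per object, actions)."""
    notables, risk, actions = [], defaultdict(int), []
    for ev in events:
        for field, intel_type in FIELD_TO_INTEL.items():
            value = ev.get(field)
            if value is None or value not in THREAT_INTEL[intel_type]:
                continue
            asset = ASSETS.get(ev["src_ip"], {"nt_host": ev["src_ip"], "priority": "unknown"})
            ident = IDENTITIES.get(ev.get("user"), {"priority": "unknown"})
            priority = max(asset["priority"], ident["priority"], key=RANK.__getitem__)
            notable = {"rule": RULE["name"], "src": asset["nt_host"], "user": ev.get("user"),
                       "indicator_type": intel_type, "indicator": value,
                       "urgency": urgency(RULE["severity"], priority)}
            notables.append(notable)
            # Risk Analysis framework: the hit adds the rule's risk modifier to
            # the system and to the user, so repeat offenders float to the top.
            risk[asset["nt_host"]] += RULE["risk_score"]
            if ev.get("user"):
                risk[ev["user"]] += RULE["risk_score"]
            # Adaptive Response framework: dispatch the action the rule names.
            actions.append(RESPONSE_ACTIONS[RULE["response"]](notable))
    return notables, dict(risk), actions

# Constructed events (firewall, DNS, endpoint, TLS); the last one is benign.
EVENTS = [
    {"src_ip": "10.0.2.55", "user": "rod", "dest_ip": "203.0.113.7"},
    {"src_ip": "10.0.2.55", "user": "rod", "query": "update-cdn.example"},
    {"src_ip": "10.0.1.20", "user": "svc_db", "file_hash": "44d88612fea8a8f36de82e1278abb02f"},
    {"src_ip": "10.0.1.20", "user": "svc_db", "ssl_fingerprint": "SHA1:9f2a11c0de4b"},
    {"src_ip": "10.0.3.9", "dest_ip": "198.51.100.1"},
]

def top_risk(risk):
    """Objects ordered by accumulated risk, as an Incident Review view would list them."""
    return sorted(risk.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    notables, risk, actions = correlation_search(EVENTS)
    for n in notables:
        print(n["urgency"], n["src"], n["indicator_type"], n["indicator"])
    print(top_risk(risk), actions)
```

The point to take from the example is the separation of concerns the slides list as frameworks: the inventory decides how loud a hit is (the same indicator on the finance database becomes critical, on a workstation only high), the risk score is what lets the fourth low-signal hit on one host outrank a single dramatic hit elsewhere, and the response action is chosen by the rule rather than hard-coded in the search.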
  31. Demo
  32. Copyright © 2016 Splunk Inc. Splunk User Behavior Analytics. Anurag Gurtu (Dir. Product Marketing)
  33. What is Splunk UBA? Splunk User Behavior Analytics (Splunk® UBA) is an out-of-the-box solution that helps organizations find known, unknown, and hidden threats using data science, machine learning, behavior baselining and peer-group analytics.
  34. Splunk User Behavior Analytics: automated detection of insider threats and cyber attacks. Building blocks: Platform for Machine Data; Behavior Baselining & Modelling; Unsupervised Machine Learning; Real-Time & Big Data Architecture; Threat & Anomaly Detection; Security Analytics
  35. A few customer findings (across retail, hi-tech, manufacturing and financial customers): Malicious Domain; Beaconing Activity; Malware: Asprox; Webshell Activity; Pass-the-Hash Attack; Suspicious Privileged Account Activity; Exploit Kit: Fiesta; Lateral Movement; Unusual Geo Location; Privileged Account Abuse; Access Violations; IP Theft
  36. What will I demo
     • Ingest data from security products
     • Observe anomaly generation
     • Observe threat generation and transformation
     Key takeaways: data ingestion is straightforward and fast; ML algorithms process raw events and generate anomalies (real time); ML algorithms stitch anomalies into threats (real time); ML algorithms transform a threat into a new state
  37. Network topology for the demo: two switches, an east-west firewall (1), a north-south firewall (2), and an edge router with VPN concentrator (3). Data is ingested from each in turn.
  38. Ingest data: firewall east-west logs (1)
  39. Ingest data: firewall north-south logs (2), 40.1K events
  40. Ingest data: edge router with VPN concentrator, VPN logs (3), 80.9K events
  41. What would happen if Splunk UBA ingested data from only one device?
  42. Anomalies and threats per data source (additional data sources enrich threat detection):
     • Firewall east-west, 30K events: anomaly Unusual Network Activity (17); threats Insider: Lateral Movement (Bill) and Insider: Lateral Movement (Rod)
     • Firewall north-south, 40.1K events: anomalies Unusual Geo Location of Communication Destination (13) and Excessive Data Transmission (2); threat Data Exfiltration by Suspicious Device
     • Edge router with VPN concentrator, 80.8K events: anomalies Unusual Activity Time (1) and Land Speed Violation (1); threat Data Exfiltration by Suspicious Device
  43. Let's summarize
  44. Threat evolution as data sources were added: Insider: Lateral Movement (Bill) and Insider: Lateral Movement (Rod) >> Insider: Data Exfiltration by Suspicious User or Device (Bill & Rod) >> External: Data Exfiltration by Compromised Account (Bill & Rod). The threat continued to evolve with additional data sources; ML processed raw events and generated manageable alerts; 100% ML driven.
  45. Explore Splunk UBA with your own data. Contact: UBA-SALES@SPLUNK.COM
  46. Mark your calendars! .conf2017 is going to DC: Sept 25-28, 2017, Walter E Washington Convention Center
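Slides 36 to 44 describe a pipeline (raw events, per-source anomalies, anomalies stitched into a threat, the threat re-labelled as more sources arrive) without showing what a single step looks like. The following is an added example, not Splunk UBA code and not its algorithms: three constructed log sources (east-west firewall flows, north-south firewall flows, VPN logins) are checked against simple hand-written baselines in place of the learned models the slides describe; anomalies are emitted per device or user, devices are resolved to their owner, and a stitching step escalates co-occurring anomalies on one user from "lateral movement" to "data exfiltration by suspicious user" to "data exfiltration by compromised account". Every host, user, byte count, coordinate, threshold and threat name here is an assumption made for the example.

```python
"""Added example, not Splunk UBA code: a toy of the anomaly -> threat pipeline
the demo slides describe. Baselines are constructed constants standing in for
models a real system would learn; all events are made up."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baselines: typical admin-port fan-out per workstation, usual
# daily bytes out, usual destination countries, usual VPN login hours.
BASELINE = {
    "ew_fanout": {"wkstn-rod": 2, "wkstn-bill": 2, "wkstn-ann": 3},
    "ns_bytes": [5e6, 8e6, 6e6, 7e6, 9e6, 6e6],
    "ns_countries": {"US", "DE"},
    "vpn_hours": set(range(7, 20)),
}
DEVICE_OWNER = {"wkstn-rod": "rod", "wkstn-bill": "bill", "wkstn-ann": "ann"}

# Constructed events for one day: (src, dst, dst_port), (src, dst_ip, country,
# bytes_out) and (user, login_hour, lat, lon).
EW_FLOWS = ([("wkstn-rod", "fs-%02d" % i, 445) for i in range(9)]
            + [("wkstn-bill", "db-%02d" % i, 3389) for i in range(7)]
            + [("wkstn-ann", "fs-01", 445), ("wkstn-ann", "fs-02", 445)])
NS_FLOWS = [("wkstn-rod", "198.51.100.9", "RU", 4.2e8),
            ("wkstn-bill", "198.51.100.9", "RU", 3.9e8),
            ("wkstn-ann", "93.184.216.34", "US", 6e6)]
VPN_LOGINS = [("rod", 3, 48.85, 2.35), ("rod", 4, 40.71, -74.01),  # Paris, then New York an hour later
              ("bill", 9, 37.77, -122.42), ("ann", 10, 37.77, -122.42)]

ADMIN_PORTS = {22, 445, 3389}
LATERAL, GEO, EXCESS, TIME, SPEED = ("unusual network activity",
    "unusual geo location of communication destination",
    "excessive data transmission", "unusual activity time", "land speed violation")

def anomalies_east_west(flows):
    """A host reaching far more internal admin-port peers than its baseline."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port in ADMIN_PORTS:
            peers[src].add(dst)
    return [(src, LATERAL) for src, p in peers.items()
            if len(p) > 3 * BASELINE["ew_fanout"].get(src, 1)]

def anomalies_north_south(flows):
    """Unusual destination country, or bytes out beyond mean + 3 sigma."""
    mu, sigma = mean(BASELINE["ns_bytes"]), pstdev(BASELINE["ns_bytes"])
    out = []
    for src, _dst, country, byte_count in flows:
        if country not in BASELINE["ns_countries"]:
            out.append((src, GEO))
        if byte_count > mu + 3 * sigma:
            out.append((src, EXCESS))
    return out

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def anomalies_vpn(logins):
    """Login outside usual hours, or two logins too far apart for the time between."""
    out, last = [], {}
    for user, hour, lat, lon in logins:
        if hour not in BASELINE["vpn_hours"]:
            out.append((user, TIME))
        if user in last:
            h0, lat0, lon0 = last[user]
            if haversine_km(lat0, lon0, lat, lon) / max(hour - h0, 1e-9) > 1000:  # km/h
                out.append((user, SPEED))
        last[user] = (hour, lat, lon)
    return out

def stitch(anoms):
    """Group anomalies by user (devices resolve to their owner) and escalate."""
    by_user = defaultdict(set)
    for entity, name in anoms:
        by_user[DEVICE_OWNER.get(entity, entity)].add(name)
    threats = {}
    for user, names in by_user.items():
        lateral, exfil, compromised = LATERAL in names, names & {GEO, EXCESS}, SPEED in names
        if lateral and exfil and compromised:
            threats[user] = "External: data exfiltration by compromised account"
        elif lateral and exfil:
            threats[user] = "Insider: data exfiltration by suspicious user or device"
        elif lateral:
            threats[user] = "Insider: lateral movement"
        elif exfil:
            threats[user] = "Data exfiltration by suspicious device"
    return threats

def run(sources):
    """Ingest the named sources (subset of east_west, north_south, vpn)."""
    anoms = []
    if "east_west" in sources:
        anoms += anomalies_east_west(EW_FLOWS)
    if "north_south" in sources:
        anoms += anomalies_north_south(NS_FLOWS)
    if "vpn" in sources:
        anoms += anomalies_vpn(VPN_LOGINS)
    return anoms, stitch(anoms)

if __name__ == "__main__":
    for srcs in ({"east_west"}, {"east_west", "north_south"}, {"east_west", "north_south", "vpn"}):
        anoms, threats = run(srcs)
        print(sorted(srcs), len(anoms), "anomalies ->", threats)
```

Run with only the east-west firewall, both Rod and Bill are flagged for lateral movement; add the north-south firewall and both become data exfiltration by a suspicious user; add the VPN logs and only Rod, whose account logged in from Paris and New York an hour apart, is re-labelled as a compromised account, which is the "threat transformed into a new state" the slides refer to. The detection thresholds (3x baseline fan-out, mean + 3 sigma, 1000 km/h) are deliberately crude; the structure, not the statistics, is the point.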
