This document summarizes a presentation about operationalizing security intelligence. It discusses three key aspects:
1. Using risk-based analytics to prioritize alerts based on correlating events over time and assigning risk scores to hosts. This helps determine which alerts require immediate investigation.
2. Adding context to alerts by integrating data from different technologies, matching context, and acquiring additional context through APIs. This provides more insight into prioritizing alerts.
3. Connecting security data with people by enabling human-mediated automation, collaboration, free-form investigation through interactive views and workflows. This allows leveraging all security data and human intuition in investigations.
The presentation promotes operationalizing security intelligence through these approaches and evaluating Spl
2. Who I am
• Now Product Marketing Manager EMEA
• 8 years consultant, Security + Big Data
• 3+ years at Splunk, McAfee (Intel Security), Tibco LogLogic
• Worked with top organizations across industries advising customers
• CISSP, Certified Ethical Hacker
4. Turning Machine Data Into Business Value
Index Untapped Data: Any Source, Type, Volume
• Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
• Deployment: On-Premises, Private Cloud, Public Cloud
Ask Any Question
• Application Delivery
• Security, Compliance and Fraud
• IT Operations
• Business Analytics
• Internet of Things and Industrial Data
5. SECURITY USE CASES
• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Monitoring of Unknown, Advanced Threats
• Incident Investigations & Forensics
• Insider Threat
Splunk Can Complement OR Replace an Existing SIEM
6. Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
7. Agenda
The super hero and the fish market – a short story
What is Security Intelligence
Examples of Operationalizing Security Intelligence
Call to action
19. Security Intelligence
Information relevant to protecting an
organization from external and inside
threats as well as the processes, policies
and tools designed to gather and analyze
that information.
http://whatis.techtarget.com/definition/security-intelligence-SI
21. Intelligence
Actionable information that provides an
organization with decision support and possibly
a strategic advantage. SI is a comprehensive
approach that integrates multiple processes and
practices designed to protect the organization.
http://whatis.techtarget.com/definition/security-intelligence-SI
24. Alerts
Alert 1 – Host A: Accessing unusual network segments
Alert 2 – Host B: Malware found but couldn’t be removed
Worth an Investigation?
Which one to investigate first?
29. Risk Based Analytics
Network, Endpoint, Access, Threat Intelligence
• Rules/String/Regex matching
• Statistical outliers and anomalies
• Session and Behavior profiling
• Scoring and aggregation
31. Example - Situation
• Day 1 – Host A: IDS signature triggers (Source: Network IDS)
• Day 5 – Host A: AV system triggers (Source: AntiVirus)
• Day 10 – Host A: Multiple failed logins from this host (Source: Active Directory)
• Day 20 – Host A: Accessing unusual network segments (Source: Network Traffic Correlation)
32. Context: Risk Scoring
• Day 1 – Host A: IDS signature triggers (Source: Network IDS). Risk Score Host A: 0 + 10
• Day 5 – Host A: AV system triggers (Source: AntiVirus). Risk Score Host A: 10 + 30
• Day 10 – Host A: Multiple failed logins from this host (Source: Active Directory). Risk Score Host A: 40 + 30
• Day 20 – Host A: Accessing unusual network segments (Source: Network Traffic Correlation). Risk Score Host A: 70 + 5
34. Context and Intelligence
• Integrate across technologies
• Automated context matching
• Automated context acquisition
• Post processing and post analysis
Threat Intelligence, Asset & CMDB, API/SDK Integrations, Data Stores, Applications
36. Alerts
Alert 1 – Host A: Accessing unusual network segments. Risk Score Host A: 75
Alert 2 – Host B: Malware found but couldn’t be removed. Risk Score Host B: 5
Worth an Investigation?
Which one to investigate first?
37. Alerts
Alert 1 – Host A: Accessing unusual network segments. Risk Score Host A: 75. System Owner: Juergen Klopp. Location: Liverpool. Confidentiality Level: High
Alert 2 – Host B: Malware found but couldn’t be removed. Risk Score Host B: 5. System Owner: Donald Duck. Department: Duckburg. Confidentiality Level: Low
Worth an Investigation?
Which one to investigate first?
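The risk accumulation from slide 32 and the asset-context enrichment from slide 37, combined in one added Python example that is not the deck's own material and not Splunk code. The event stream, the 30-day lookback window and the confidentiality weights are constructed assumptions; only the per-event risk points and asset details are taken from the slides.

```python
from collections import defaultdict

# Constructed event stream: the Host A timeline from slides 31/32 plus Host B's
# single alert from slide 36. Each correlation rule assigns its own risk points.
EVENTS = [
    {"day": 1,  "host": "Host A", "source": "Network IDS",      "risk": 10, "msg": "IDS signature triggers"},
    {"day": 5,  "host": "Host A", "source": "AntiVirus",        "risk": 30, "msg": "AV system triggers"},
    {"day": 10, "host": "Host A", "source": "Active Directory", "risk": 30, "msg": "multiple failed logins"},
    {"day": 20, "host": "Host A", "source": "Network Traffic",  "risk": 5,  "msg": "unusual network segments"},
    {"day": 20, "host": "Host B", "source": "AntiVirus",        "risk": 5,  "msg": "malware found, not removed"},
]

# Asset context as a CMDB lookup would return it (values taken from slide 37).
ASSET_CONTEXT = {
    "Host A": {"owner": "Juergen Klopp", "location": "Liverpool", "confidentiality": "High"},
    "Host B": {"owner": "Donald Duck", "department": "Duckburg", "confidentiality": "Low"},
}

# Assumed weighting of the aggregated score by asset confidentiality.
CONFIDENTIALITY_WEIGHT = {"High": 2.0, "Medium": 1.5, "Low": 1.0}

def aggregate_risk(events, window_days=30):
    """Sum risk per host over a lookback window; also return the running tally."""
    scores, timeline = defaultdict(int), defaultdict(list)
    latest = max(e["day"] for e in events)
    for e in sorted(events, key=lambda e: e["day"]):
        if latest - e["day"] > window_days:
            continue  # stale event: outside the correlation window, not counted
        before = scores[e["host"]]
        scores[e["host"]] += e["risk"]
        timeline[e["host"]].append((e["day"], before, e["risk"]))
    return dict(scores), dict(timeline)

def prioritize(events, context, window_days=30):
    """Rank hosts by risk score weighted with the asset's confidentiality level."""
    scores, timeline = aggregate_risk(events, window_days)
    ranked = []
    for host, score in scores.items():
        ctx = context.get(host, {})
        weight = CONFIDENTIALITY_WEIGHT.get(ctx.get("confidentiality"), 1.0)
        ranked.append({"host": host, "risk": score, "priority": score * weight,
                       "owner": ctx.get("owner", "unknown"), "timeline": timeline[host]})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(EVENTS, ASSET_CONTEXT):
        print(f"{r['host']}: risk={r['risk']} priority={r['priority']} owner={r['owner']}")
        for day, before, added in r["timeline"]:
            print(f"  day {day:>2}: {before} + {added}")
```

Shrinking the window (for example to 10 days) drops the Day 1 and Day 5 events from Host A's tally, which is the practical caveat of time-bounded correlation: slow-burning activity only ranks correctly if the window covers it.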
40. Connecting People and Data
• Human mediated automation
• Sharing and collaboration
• Free form investigation – human intuition
• Interact with views and workflows
• Any data, all data
Automation Collaboration Investigation Workflows All data
44. Call to action
Today:
• Visit the Splunk booth and get a live demo of an Incident Investigation
• Pick up your free t-shirt
• Get free beer at 4pm at the booth!
Next 7 Days:
• Try the Splunk Cloud Enterprise Security Sandbox to explore hands on
• Think about use cases or visibility gaps you have today that can be addressed!
Next 90 Days:
• Schedule a Splunk Workshop onsite to explore how you can mature your security program with the help of Machine Data
At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
Splunk products are being used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence.
The insights gained from machine data support a number of use cases and can drive value across your organization.
[In North America]
Splunk Cloud is available in North America and offers Splunk Enterprise as a cloud-based service – essentially empowering you with Operational Intelligence without any operational effort.
Stela starts
The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape.