Presentation slides from Splunk Discovery held in Köln on January 17th 2020.

1. © 2019 SPLUNK INC.
Make Your SOC Work
Smarter, Not Harder with
Splunk
Jan 2020
Splunk Security Operations Suite
Zac Warren | Security Specialist

2. © 2019 SPLUNK INC.
Zac Warren
Cybersecurity Specialist
● Joined Splunk: 7 Oct 2019
● 15 Years of IT and Cybersecurity
Experience
● Executive Cybersecurity Advisor
● Expertise with multiple OEMs security
suites
● Extensive partner experience
● Developed Multi-OEM Security
Architectures

3. During the course of this presentation, we may make forward‐looking statements
regarding future events or plans of the company. We caution you that such statements
reflect our current expectations and estimates based on factors currently known to us
and that actual events or results may differ materially. The forward-looking statements
made in the this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, it may not contain current or
accurate information. We do not assume any obligation to update
any forward‐looking statements made herein.
In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only,
and shall not be incorporated into any contract or other commitment. Splunk undertakes
no obligation either to develop the features or functionalities described or to include any
such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud,
Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the
United States and other countries. All other brand names, product names, or
trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Forward-
Looking
Statements
© 2019 SPLUNK INC.

4. © 2019 SPLUNK INC.
Agenda
Security Operations
Today
Optimizing
security
operations
Scaling Human
Resources

5. © 2019 SPLUNK INC.
Security Operations
Today

6. © 2019 SPLUNK INC.
Today’s SOC
!
!
!
!
!
!
!
!!
!!
!
!
!
!
!
!
!
!
! !
!
!
!!
!!
!

7. © 2019 SPLUNK INC.
Today’s Security Operations Workflow
A process that doesn’t scale
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETECTION
TIER 1
TIER 2
NETWORK TRAFFIC
INTRUSION DATA
ENDPOINT
THREAT
INTEL
MALWARE AUTHENTICATION
WIRE DATA
ASSETS & IDENTITIES
SIEM

8. © 2019 SPLUNK INC.
Experience Needed
Both hard and soft skills
TIER
1
TIER
2
• Security Knowledge
• Networking
• Application Layer Protocols
• Database and Query Languages
• Unix
• Windows
• Basic Parsing
• Command Line Familiarity
• Security Monitoring Tools
• Coding/Scripting
• Regulatory Compliance
• Vulnerability Scanning
• Investigations
• Troubleshooting
• Security Clearance
• Communication & Writing
• Critical Thinking
• Creativity & Curiosity

9. © 2019 SPLUNK INC.
Security people are
hard to find.
A GROWING
SKILLS
SHORTAGE
3.5 Million
Unfilled cybersecurity jobs by 2021 (+75% YOY)
Cybersecurity Ventures, Cybersecurity Jobs Report, 2017
But…

10. © 2019 SPLUNK INC.
Optimizing
Security Operations

11. © 2019 SPLUNK INC.
Shifting Focus and Role for SOCs
Situational Awareness
LEGACY
Operation / Monitoring Center
Human Authored
Human Speed Operations
Analysis and Decision-Making
REQUIRED
Nerve Center / Command Center
Human — Machine Learning
Machine-Speed Cycle Times

12. © 2019 SPLUNK INC.
TIER 1
TIER 2
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETECTION
SIEM
SOAR
Security Operations Workflow
NETWORK TRAFFIC
INTRUSION DATA
ENDPOINT
THREAT
INTEL
MALWARE AUTHENTICATION
WIRE DATA
ASSETS & IDENTITIES

13. © 2019 SPLUNK INC.
Act
Security Nerve Center
Endpoints
Threat
Intelligence
Network
Web Proxy
Firewall
Identity and Access
WAF and
App Security
Cloud
Security
Mobile
SOAR
SIEM
Analyze
Monitor
Investigate

14. © 2019 SPLUNK INC.
The only integrated suite with
industry-leading SIEM, UEBA and
SOAR solutions that utilize a market-
proven, scalable big data platform,
continually augmented with actionable
use case content.
Splunk modernizes security operations
by acting as their security nerve
center, turning data into detections,
and insights into actions, across all
security use cases, teams, and
functions.
Splunk drives the Data, Analytics, and
Operations layers for the SOC to
enable security teams to function at its
highest level of performance.
AOF
Data Sources
Content
Splunk
Enterprise
Security
Splunk
User Behavior
Analytics
Splunk
Phantom+
Splunk Security
Operations Suite
Modernize your security operations
AOF = Adaptive Operations Framework - our
ecosystem of apps and security partner integrations.
Content = Pre-packaged security content (searches,
detection models, automation playbooks) from the
Splunk Research Team. Stay current with latest
threat landscape.

15. © 2019 SPLUNK INC.
How it Works

16. © 2019 SPLUNK INC.
Combat Threats with Advanced Analytics
Powered by Security Information Event Management (SIEM)
NETWORK TRAFFIC
INTRUSION
DATA
ENDPOINT
THREAT INTEL
MALWARE AUTHENTICATION
WIRE DATA
ASSETS & IDENTITIES
SECURITY
ANALYTICS
SIEM Correlate and Sequence Events
Validate
Alerts
Prioritize, Review and Investigate
Decide Best Path to Resolution
Monitor Security
Activity

17. © 2019 SPLUNK INC.
Splunk Enterprise Security (ES)
Analytics-Driven Security Information Event Management (SIEM)
▪ Know Your Security Posture
▪ Investigate with Speed and
Flexibility
▪ Scale to Petabytes of Data

18. © 2019 SPLUNK INC.
Augment your SIEM with Behavioral Analytics
Powered by Machine Learning
Network Activity
Application Activity
Login Attempts
Removable Media
Badge Scans
Printer Activity
User’s activity
Departmental activity
Region’s activity
Company’s activity
Data Analyzed Baselining
(and more…)
Threat
Score: 8
Examples:
• Data Exfiltration by Suspicious User or Device
• Data Storage Attached by Unusual Number of Times
• Unusual Printer Usage
• Privilege Escalation
• Multiple Failed Login Attempts
• Malware
• Blacklisted IP Address
• Compromised Account
4Threat
Score:
> >
(and more…)
Correlation & Detection

19. © 2019 SPLUNK INC.
Splunk User Behavior Analytics (UBA)
Detect unknown threats and anomalous user behavior using machine learning
▪ Enhance Threat Visibility
▪ Accelerate Investigation
▪ Increase Productivity

20. © 2019 SPLUNK INC.
Automate Your Incident Response
Powered by Security Orchestration, Automation, and Response (SOAR)
SECURITY
ANALYTICS
AUTOMATION ORCHESTRATION
SIEM SOAR
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETECTION
ML-BASED
BEHAVIORAL
ANALYTICS
UEBA
+
NETWORK TRAFFIC
INTRUSION DATA
ENDPOINT
THREAT INTEL
MALWARE AUTHENTICATION
WIRE DATA
ASSETS & IDENTITIES

21. © 2019 SPLUNK INC.
Splunk Phantom
Integrate and Scale Your Team, Processes, and Tools
▪ Respond Faster
▪ Work Smarter
▪ Strengthen Your Defenses

22. © 2019 SPLUNK INC.
Splunk
Mission Control
A Modern, Cloud-Based, and
Unified Security Operations
Experience
● One place for every team member to
manage the security operations
event lifecycle, start to finish
● Detect, manage, investigate, hunt,
contain, and remediate threats and
other high-priority security issues
● Integrate Splunk tools and other
cloud, on-premise, and hybrid
tools/services together
BETA

23. © 2019 SPLUNK INC.
Identity and
Access
Internal Network
Security
Endpoints
Orchestratio
n
WAF & App
Security
Threat
Intelligence
Network
Web Proxy
Firewall
+
Splunk
Adaptive
Operations
Framework

24. © 2019 SPLUNK INC.
Security Content Updates
▪ Pre-packaged Searches
▪ Algorithms
▪ Dashboards
▪ Playbooks
▪ …and more!
Available for:
Splunk
Enterprise Security
Splunk
User Behavior Analytics
Splunk
Phantom

25. © 2019 SPLUNK INC.
New Roles in Security Operations
Security Content Developer Automation Engineer

26. © 2019 SPLUNK INC.
Security Operations in 2020
90%
TIER 1 ANALYST WORK
WILL BE AUTOMATED
50%
TIME SPENT OPTIMIZING
DETECTION &
RESPONSE LOGIC

27. © 2019 SPLUNK INC.
Beyond the Security Operations (SOC)
Splunk Enterprise for Security
▪ Compliance
▪ Data Privacy
▪ Fraud
▪ Risk

28. © 2019 SPLUNK INC.
Splunk in Action

29. © 2019 SPLUNK INC.
Aflac
▪ Blocked over two million security threats
▪ Orchestrated threat intelligence across 20 security technologies
sitting within its internal Threat Intelligence System
▪ Automated threat hunting and 90% of its security metrics process in
just two months
Automating Threat Intelligence System

30. © 2019 SPLUNK INC.
Blackstone
▪ Reduced alert investigation times from 30-45 minutes to less than
one minute
▪ Applied a consistent approach to alert management and
investigation, eliminating human error
▪ Increased resource efficiency by turning manual, repetitive tasks into
automated processes
Automating Malware Investigation

31. © 2019 SPLUNK INC.
*Gartner and Forrester are all trademarks from their respective companies.
*Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh | Toby Bussa, Dec. 4, 2017. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise
technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner
disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates
in the U.S. and internationally, and is used herein with permission. All rights reserved.
*The Gartner Peer Insights Customer Choice Logo is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customer Choice Awards are determined by the
subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described
here http://www.gartner.com/reviews-pages/peer-insights-customer-choice-awards/ and are not intended in any way to represent the views of Gartner or its affiliates.
Recognized in Security
By Industry Analysts
Named a Leader in Gartner’s Magic
Quadrant for Security Information
and Event Management
Designated a 2018 Customer’s
Choice for Security Information
and Event Management
By End Users

32. © 2019 SPLUNK INC.
Key Takeaways
Accelerate detection
and response
Optimize
security
operations
Scale human
resources

33. © 2019 SPLUNK INC.
Thank You

34. © 2019 SPLUNK INC.
Agenda: