5. First Time Seen
powered by stats
Time Series Analysis
with Standard Deviation
General Security
Analytics Searches
Analytics Methods
Types of Use Cases
6. Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security
8. Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security
10. Applying to Stages of an Attack
HTTP (web) session to
command & control
server
Remote control,
Steal data,
Persist in company,
Rent as botnet
WEB
.pdf
.pdf executes & unpacks malware
overwriting and running “allowed” programs
Svchost.exeCalc.exe
Attacker hacks website
Steals .pdf files Web
Portal
Attacker creates
malware, embed in .pdf,
Emails to
the target
MAIL
Read email, open attachment
Threat intelligence
Auth - User Roles
Host
Activity/Security
Network
Activity/Security
12. Implementation Approach for Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules
13. The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
14. Slow Response
from Basic Alerts
Fast Response from
Advanced Alerts
Managing Alert Volume vs Value
Use Low
Volume
Searches
Splunk ES
Risk
Framework
Splunk UBA
Threat
Models
UBA + ES
Adaptive
Response
16. ▶ Enterprise Security has a Risk Framework designed
for aggregating low severity indicators
Aggregate Alerting with ES Risk
17. ▶ High Confidence alerts from UBA fed into ES
▶ Take actions like
• Box: “Change Permissions”
• AD: “Reset Password” or “Disable Account”
• PAN: Isolate Host
▶ 40+ partners!
Respond With ES Adaptive Response
18. ▶ Splunk UBA Threat Models leverage
Data Science, Machine Learning
▶ Finds important, inter-related
anomalies that analysts should
actually view
▶ Support more advanced
anomaly detections!
Apply Machine Learning With Splunk UBA
21. Where Can I Install Splunk Security Essentials?
Survey Results: Have You Tried to Install the App?
Tried and Failed
Installed in Dev
Installed in Production
Installed in Distributed Environment
Installed in a SHC Environment
Your
Laptop!
Your
Production
Environtment!
All Kinds of
Production
Environtments!
Your Dev
Environment!
22. ▶ You can think about operational
maturity in terms of data
▶ Start with the basics – get your
data into a single location
▶ Then work your way up the stack
▶ Not sure how to start? Yes, there is
an app for that
Looking at Security in Terms of Data
23. ▶ Identify bad guys:
• 300+ security analytics methods
• Target external and insider threats
• Scales from small to massive companies
• Save from app, send hits to ES/UBA
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
Solve use cases you can today for free, then
use Splunk UBA for advanced ML detection.
24. • Access
• Data
• Endpoint
• Network
• Threat
• Any Host Logs
• Electronic Medical
Record System
• Email Logs
• Firewall
• Netflow
• Print Server Logs
• Very Low
• Low
• Medium
• High
• Very High
Splunk Security Essentials App Inventory
“Say, aren’t those all recommended data sources
for Splunk Security in general?”
DOMAINS DATA SOURCES ALERT VOLUME
• Salesforce Event
Log File
• Source Code
Repository Logs
• Splunk Notable
Events
26. ▶ Download from apps.splunk.com
▶ Browse use cases that match
your needs
▶ Data Source Check shows other use
cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Getting Started with Splunk Security Essentials
27. Open the Splunk Security Essentials App
First Open Splunk
Security Essentials
Then Open
Use Cases
28. ▶ Read through a few of the use cases
▶ Filter for use cases you care about
Take a Minute to Review Use Cases
29. Let’s Start With a Simple Example
Click on “Concentration
of Hacker Tools by
Filename”
30. ▶ A search you might not think of,
but is easy to use
▶ Input: CSV file with suspicious
filenames
▶ Input: Process launch logs
(Windows, Sysmon, Carbon
Black, etc.)
▶ Looks for those file names
concentrated in a short
period of time
Concentration of Hacker Tools by Filename
32. ▶ Phishing is a big risk
▶ Many approaches to mitigating with Splunk
An Advanced Splunk Search
From Data Sources,
Filter to Email Logs
Click on ‘Emails with
Lookalike Domains’
From Journey
Select Stage 4
33. ▶ A very long search you don’t
have to run
▶ Detects typos, like
company.com → campany.com
▶ Supports subdomains for typo
detection
▶ Detects suspicious subdomains,
like company.com →
company.yourithelpdesk.com
A Phishing Search Larger Than Your Pond
35. ▶ Actor:
Malicious Insider (because it’s hardest)
▶ Motivation:
Going to work for competitor
▶ Target:
Accounts, Opportunities, Contacts in Salesforce
▶ Additional Target:
Sales Proposals in Box
▶ Exfiltration:
Upload to a remote server
Apply Splunk to Real Life Scenario
Malicious Insider
Chris Geremy
Director of Finance
* Photo of Splunker, I promise she is not a malicious insider
36. ▶ No proxy
▶ No standard file servers
▶ No agents on laptop
▶ Cloud Services with their own APIs
How would you detect that?
Monitoring Challenges
37. ▶ Ingest Salesforce Event Log File
• https://splunkbase.splunk.com/app/1931/
▶ Ingest Box Data
• https://splunkbase.splunk.com/app/2679/
▶ Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
▶ Schedule Salesforce use cases
▶ Build a custom Box use case
Set Up Monitoring
About 1 Hour of Work
38. ▶ Do you want to build your own
detections like this?
▶ What if your environment is
totally custom?
▶ No product has ever worked
out of the box, and that’s why
you like Splunk, right?
We’ve got you.
But My Company Is So Custom
Click Assistants, then “Detect Spikes”
40. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations
41. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations
Got Her!
46. ▶ Download from apps.splunk.com
▶ Find use cases that match your
needs
▶ Data Source Check shows other
use cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Go Get Started With Splunk Security Essentials!