Presented at SplunkLive! Paris 2018: Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying: - Why? - SIEM Replacement - Use Cases - Data Sources & Data Onboarding - Architecture - Third Party Integrations - You Got This -

1. Legacy SIEM to Splunk,
How to Conquer Migration
and Not Die Trying
Mathieu Dessus | Presales engineer

2. During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
Forward-Looking Statements

3. Agenda
What Will We Be Talking About Today?
You Got This
Things you can do
today, to get “ready”
for a SIEM
replacement
SIEM Replacement
Methodology
Splunk PS best practices
Use Cases
These drive migrations
DataSources &
Data Onboarding
Parsers / connectors / TAs
Architecture
Measure twice, cut once
Third Party Integrations
Smart? Great! But do you play
well with others?
?
Why ?
Splunk key advantages
compared to your old
SIEM

4. Mathieu Dessus
mdessus@splunk.com
Ingénieur avant-vente
▶ Implémentation de différentes solutions de
sécurité
▶ Jusqu’à la découverte de Splunk
▶ Splunker depuis 5 ans
Slogan: Looking for trouble !
Welcome !
Quick introduction

5. From your legacy SIEM, to a state of the art
security solution

6. Why do you want to
upgrade your SIEM ?
What the SOC ?

7. ▶ Worthy reasons:
• Limited security data type
• Inability to effectively ingest data
• Slow investigations
• Instability and scalability
• End-of-life or uncertain roadmap
• Closed ecosystem
• Limited to on-premises
• Limted to Vendor Cloud
▶ Splunk’s a great product. Can it help you to resolve your issues ?
Most Common Reasons for Replacement

8. Security solutions
8
Machinelearning
Correlation
Analytics
Investigation

9. © 2018 SPLUNK INC.
Enterprise Security advantages

10. Unknown-threats
The need to detect anomalies

11. All kind of data
Any format, any volume, any origin… IT and non-IT data

12. © 2018 SPLUNK INC.
ES uses by default
acceleration features
allowing to analyze
hundred of GB of data
in a very short period of
time
High
performance

13. © 2018 SPLUNK INC.
Workflow for incident
investigation and
collaboration with other
analysts
Investigation
framework

14. © 2018 SPLUNK INC.
Allows to focus on high
impact attacks and VIP
users, avoiding to be
distracted by noise
Network and
identities
modelisation

15. © 2018 SPLUNK INC.
Build your own
visualization with KPI
and metrics using drag
& drop
Flexible
reporting and
dashboarding

16. © 2018 SPLUNK INC.
Answer to many
compliance needs with
the same solution using
data already collected
Compliance

17. © 2018 SPLUNK INC.
How Did We Get
Here?
I’m done.
I’m replacing this SIEM!

18. SIEM Migration
Methodology
Splunk Professional Services (PS) Best Practices –
Based on Real World Experience

19. Adapt your security measures to your threats !

20. SIEM replacements can be complex, but if the following things are taken into
account, you won’t lose your job | shirt over it:
▶ Use cases matter:
• Audit & prioritize use cases
• Planned response ... do something!
▶ Know your data / datasources
• Identify datasources & owners
• Audit datasources
• Identify enrichment requirements
▶ Current / future state integrations
▶ Research & preparation is key
▶ Assets & identities
▶ Work with Splunk + PS & Partner
Things You Should Know About Legacy SIEM
Replacement and Splunk Best Practices

21. Use Cases
These Drive Replacements…Use Cases, Use Cases, USE CASES!

22. ▶ Document describing a single
detection activity.
• What is the condition to detect?
• What is the event data required?
• What enrichment is required to scope
down events?
• What enrichment will reduce noise
(false positives)?
• Point to the response plan
• What are your current use cases?
• Which ones provide value?
• Which ones don’t?
What Is a Use Case?
Spiral
Analysis
Planning
Evaluation
Development
Waterfall
Prototyping
Determine Objectives Test Implement
Requirements
Design
Implementation
Verification
Maintenance
DEVE
LOP
DEMONSTRATE
REFI
NE

23. ▶ Document describing a single
response activity
• For a response what event data is required
to triage
• What actions should be taken
• Escalation communication and do we need
to order pizza
• Can we reduce the cost of pizza by
providing better data for response
decisions?
What Is a Response Plan?

24. ▶ The first step in embarking on a SIEM replacement initiative is
• Identifying and prioritizing high value use cases, response plans and compliance reports:
• Splunk PS has a 1-2 week SIEM replacement workshop where we come
in and help customers:
− Identify and develop high-fidelity use cases slated for migration/development
− Datasources and enrichment identified via use case prioritization process
− Plan the solution architecture
• We typically see a 30-60% reduction in use cases selected for migration generally due to:
− Old and/or stale rules
− Housekeeping rules no longer needed
− Rule consolidation due to advanced Splunk Query Language
So no, you don’t have to migrate ALL your old funky rules!
Putting the Horse Before the Cart…

25. Datasources & Data
Onboarding
Parsers / Connectors / TAs (Technology Add-ons)

26. ▶ Use case analysis determines in-scope datasources
▶ Why you don’t need to migrate your historical data from Legacy SIEM
▶ Data Source Onboarding via:
How Do You Migrate Datasources to Splunk?
• Universal Forwarder (UF)
Deployed alongside existing
parsers/connectors
• UF deployed on syslog
aggregator to read and ship
logs into Splunk
• Modern HTTP Event
Collection
• Database Tables (DBX)
• Never forget: Splunk Stream!
• Fields from raw data
• Data Normalization
• Splunkbase
- splunkbase.com
- Easy Button: Custom TAs via
“Splunk Add-on Builder” App
Splunk Log Forwarding:
Syslog Aggregation
TAs (Technology Add-ons)Other Common Methods

27. ES Architecture
Measure Twice, Cut Once

28. ▶ Plan for modern data collection,
deprecate legacy log collection
infrastructure and stop accepting log
loss today
▶ Plan for disaster recovery and
availability
▶ Plan to remediate logging policies and
source configuration
Plan the Architecture
Now that we know what we want to do, how will we execute it?

29. © 2018 SPLUNK INC.
Components >
• Collection layer (connectors /
parsers vs. UF's / HF's )
• Parsing layer (Technology Add-ons)
• Storage layer (indexers)
• Presentation layer (search head +
Splunk Enterprise Security)
• Security analytics (Splunk Enterprise
Security)
• Management layer (deployment
server, cluster master, license
server, deployer)
Data source will determine what
components are needed—your
network determines where they
should be
Splunk
Architecture

30. Third Party
Integrations
Smart? Great! But Do You Play Well with Others?

31. Smart? Great! But Do You Play Well With Others?
“At this point in the interview, Johnson, we would like to see
how well you play with others.”
– Richard Stevens, Penfield, NY

32. © 2018 SPLUNK INC.
Identify current / future state
third-party integration points
Third Party
Integrations
We Support Integration With Most Third Party Systems:
▶ Case Management / Ticketing Systems
• (ServiceNow, Remedy, etc)
▶ Threat Intelligence Feeds
• (STIX, TAXII, Internal, etc)
▶ Database Integration
• (Oracle, MySQL, etc)
▶ Microsoft Active Directory
▶ REST API support
▶ Custom Code
▶ Others

33. © 2018 SPLUNK INC.
ES manages lists of
threat feed
Threat
intelligence &
IOC

34. © 2017 SPLUNK INC.
Cloud Security Endpoints
Orchestration
WAF & App
Security
Threat Intelligence
Network
Web Proxy
Firewall
Identity and Access

35. You Got This!
Things You Can Do Today, to Get Prepared
for Your SIEM Replacement

36. ▶ Identify/audit and prioritize use cases
for migrations
▶ Identify/audit and prioritize datasources
for migration
▶ Identify datasource owners
▶ Research Splunk Technology Add-ons for
datasource at splunkbase.com
▶ Assets and identities: identify CMDB sources
▶ Third-party integrations
▶ Develop logging standards
Replacement Checklist:

37. What Do “You” Do Next?

38. Splunk as
Your SIEM

39. Splunk Security Portfolio for SIEM
Enterprise Security600+ Partner Apps User Behavior Analytics
Platform for Operational Intelligence
Network data
Exchange data
ES Content Update
PCI Compliance
Search and
Investigate
Monitoring &
Alerting
Dashboards
and Reports
Incident &
Breach Response
Splunk Security Apps
App for AWS
ML Toolkit
Google Cloud
Microsoft Cloud
Discover
Anomalous
Behavior
Detect Unknown
Threats
Automation &
Orchestration
Threat
Detection
Security
Operations
Threat Intel
Email
EDR/ETDR
DLP

40. Splunk Enterprise
Security Demo

41. ES : Security Posture

42. Endpoint : Malware Center

43. Endpoint : Update Center

44. Endpoint : Endpoint Changes

54. Splunk
Enterprise Security
Investigations Demo

56. 1
2
3

57. 1
2

59. 1
2

64. 2
1

66. SIEM Replacement
Customer Success

67. © 2018 SPLUNK INC.
▶ An estimated 30 percent lower cost of ownership
compared to on-premises alternatives
▶ A dramatic reduction in security investigation and
resolution times
▶ Protection against threats, breaches and malware;
ensuring regulatory compliance
Biopharma Leader Gets Ahead of Security
Threats With Analytics-Driven SIEM in the Cloud
“ With Splunk the organization now has a security solution that is flexible
and scalable to ingest all of its data ubiquitously and that enables the
security team to draw conclusions from its data in near real time.”Biopharma

68. Next Steps

69. ▶ Contact your Account
Executive
▶ Contact an Expert
▶ Bi-weekly security
demos
▶ Schedule a pre-
assessment session
with a Sales Engineer
Transform Your Security: Next Steps

70. © 2018 SPLUNK INC.
Thank You!
https://www.surveymonkey.com/r/SLParis2018

71. © 2018 SPLUNK INC.
October 1-4, 2018
▶ 8,750+ Splunk Enthusiasts
▶ 300+ Sessions
▶ 100+ Customer Speakers
Plus Splunk University:
▶ Three Days: September 29-October 1, 2018
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
Walt Disney World Swan and Dolphin Resort in Orlando
conf .splunk.com
SAVE THE DATE!