We have all heard that threat intelligence can help level the battlefield against advanced persistent threats, whether from criminal or nation-state attackers. But what is Threat Intelligence? How does it fit into your organization's security operations? And how can you develop your own Threat Intelligence?
In this presentation you'll learn:
- How to leverage Threat Intelligence to identify potential adversaries and take appropriate action
- How to develop Threat Intelligence using the Diamond Model
- How ThreatConnect investigated Chinese state-sponsored threats using the Diamond Model
- How to operationalize Threat Intelligence using Splunk and ThreatConnect
20. Connected on One Platform
Teams and stakeholders: TI Team, SOC Team, IR Team, CISO/CIO, C-Suite/Board
Sharing communities: ISAC/ISAO, Public Community, Private Community
Security controls and data sources: SIEM, IPS/IDS, End-Point Protection, Firewalls/UTM, Intelligence Feeds, Network Controls, Vulnerability Scanner, Web Proxy
23. Why Splunk?
• Fast time-to-value
• One platform, multiple use cases
• Visibility across the stack, not just silos
• Ask any question of the data
• Any data, source or deployment model
24. Turning Machine Data into Operational Intelligence
Index any machine data: any source, type, volume
• Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
• Deployment models: On-Premises, Private Cloud, Public Cloud
Gain real-time visibility across: Application Delivery, Security and Compliance, IT Operations, Business Analytics, Internet of Things
25. Delivers Value Across IT and the Business
• IT Operations
• Application Delivery
• Business Analytics
• Industrial Data and Internet of Things
• Security, Compliance, and Fraud
• Developer Platform (REST API, SDKs)
27. Splunk for Security
• Security apps & add-ons
• Splunk Enterprise Security: SIEM, Security Analytics, Fraud
• Splunk User Behavior Analytics
• Platform for Security Services
• Data sources: Wire data; Windows = SIEM integration; RDBMS (any) data
28. Developing Threat Intelligence - 3 Takeaways
Disruptive Security Operations:
• Track your adversary, not just alerts
• Enrich event data to develop context
• Develop your own threat intelligence
29. Demo Scenarios
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security
37. Demo Review
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security
38. Developing Threat Intelligence - 3 Takeaways
Disruptive Security Operations:
• Track your adversary, not just alerts
• Enrich event data to develop context
• Develop your own threat intelligence
39. Traditional SIEM vs. Splunk (comparison chart)
Next Steps
• Download Splunk: https://www.splunk.com
• Splunk app for ThreatConnect: https://splunkbase.splunk.com/app/1893/
• Getting started and help: http://docs.splunk.com and https://answers.splunk.com/