SlideShare ist ein Scribd-Unternehmen logo
© 2021 SPLUNK INC.
Der Weg in den
vollautomatisierten SOC
Betrieb
Splunk for Security
Udo Götzen, CISSP
Staff Sales Engineer
Beginn 16:30 Uhr
© 2021 SPLUNK INC.
Der Weg in den
vollautomatisierten SOC
Betrieb
Splunk for Security
Udo Götzen, CISSP
Staff Sales Engineer
© 2021 SPLUNK INC.
Die Security Data Journey
Der Weg zum vollautomatisierten SOC
Security Logging
& Investigation
●Aufbau einer investigativen
Datenplattform
●Korrelation von Ereignissen
●Überwachung von
spezifischen Security Use
Cases
Stufe
1
Stufe
2
Stufe
3
Stufe
4
Untersuchen
Analysieren
Handeln
Zusammenarbeiten
© 2021 SPLUNK INC.
Data
Lakes
Master Data
Management
ETL
Point Data
Management
Solutions
Data
Silos
IT
Security
IoT
Biz
Analytics
The
Data-to-Everything
Platform for
Machine Data
© 2021 SPLUNK INC.
© 2021 SPLUNK INC.
IT/OT Operations
Server, Network, App, DBs
Business
Analytics
Business Units
Up to 80% of the total
data commonly indexed
for Security is critical to
enable IT Ops use case
Up to 50% of the total
data commonly
indexed for IT Ops can
be leveraged to
enable Business
Analytics use cases
Up to 80% of the
total data commonly
indexed for IT Ops is
critical for App Dev to
produce faster
release cycles with
less errors
Application Development / DevOps
Testers, Developers
Helvetia
Dark Data
Security
SOC, Security Analysts
Data to Everything Platform
A main benefit of the Splunk platform is the data reuse across Security,
IT/OT Operations and Business
© 2021 SPLUNK INC.
Die 1. Etappe der Sicherheitsreise
Empfehlungen, welche Datenquellen erfasst werden sollten
Netzwerk Endpunkt Authentifizierung Web-Aktivitäten
Die Einsicht in den Netzwerkverkehr
ist für jedes Sicherheitsteam
entscheidend. In diesem frühen
Stadium ist es vorrangig, zu sehen,
welche Arten von Datenverkehr in
Ihrem Netzwerk bestehen. Es ist
wichtig, sowohl den erlaubten
Datenverkehr als auch die
Kommunikationsversuche zu sehen,
die blockiert wurden.
Endpunktprotokolle ergänzen die
Netzwerktransparenz und geben
Aufschluss über bösartige Aktivitäten,
wie z. B. die Ausführung von Malware,
einen Insider, der eine nicht
autorisierte Aktivität durchführt, oder
einen Angreifer, der sich in Ihrem
Netzwerk aufhält. Im ersten Schritt ist
es wichtig, diese Daten von Servern
aller Betriebssystemen zu erfassen (in
einer späteren Etappe sind Daten der
Desktops und Notebooks
unverzichtbar).
Authentifizierungsprotokolle können
Ihnen sagen, wann und von wo aus
Benutzer auf Ihre Systeme und
Anwendungen zugreifen. Da die
meisten erfolgreichen Angriffe
schließlich die Verwendung gültiger
Anmeldedaten beinhalten, sind diese
Daten entscheidend, um zwischen
einer gültigen Anmeldung und einer
Kontoübernahme zu unterscheiden.
Viele Angriffe beginnen damit, dass
ein Benutzer eine bösartige Website
besucht, oder enden damit, dass
wertvolle Daten auf eine Website
transferiert werden, die der Angreifer
kontrolliert. Die Transparenz
darüber, wer wann auf welche Seiten
zugreift, ist für die Untersuchung
entscheidend.
Beispiele:
• Palo Alto Networks
• Cisco
• Check Point
• Fortinet
Beispiele:
• Windows Event Logs
• Linux System Logs
• Linux Auditd
• Mac System Logs
Beispiele:
• Windows Active Directory
• Cloud Identity & Access
Management (IAM)
Beispiele Next Gen Firewall-
Verkehrsfilter:
• Palo Alto Networks
• Cisco
• Check Point
• Fortinet
Web Proxy:
• Bluecoat
• Websense
© 2021 SPLUNK INC.
Splunk Security Essentials
Identify Bad Guys:
• 850+ security analytics methods
• Free on Splunkbase – use on Splunk Enterprise
• Target external and insider threats
• Advanced threat detection, compliance, and
more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save from app, send hits to ES / UBA
Solve use cases you can today for free,
then use Splunk UBA for advanced ML detection.
https://splunkbase.splunk.com/app/3435/
© 2021 SPLUNK INC.
Die Security Data Journey
Der Weg zum vollautomatisierten SOC
Security Logging
& Investigation
●Aufbau einer investigativen
Datenplattform
●Korrelation von Ereignissen
●Überwachung von
spezifischen Security Use
Cases
Analyse-
gestütztes SIEM
●Plattformübergreifende
Korrelation mit Ende-zu-Ende
Sichtbarkeit
●Proaktive Überwachung
●analysegestütztes
Framework
●Risikobasierte Alarmierung
Stufe
1
Stufe
2
Stufe
3
Stufe
4
Untersuchen
Analysieren
Handeln
Zusammenarbeiten
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Notable Events and Incident Review
▶ STREAMLINE INCIDENT MGMT PROCESS
• Consolidated incident management allows
effective lifecycle management of security
incidents.
▶ RAPID DECISION MAKING SUPPORT
• Automatically aligns all security context together
for fast incident qualification and provides
predefined analysis paths.
▶ REFINE SECURITY MGMT PROCESS
• Investigation management and customizations
to support complex process integration
requirements.
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
How To Populate Asset & Identities
Long
Term
Success
User Lifecycle Management /
CMDB / HR System
1
2
3
Active Directory / LDAP / DHCP
Automated building and learning through indexed events
Nmap / Vulnerability Scanner
CSV Upload / Maintaining it in the
GUI
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Risk Framework
EXPOSE RISK FACTORS TO
ANALYSTS
• Rationalize and analyze behaviors and
relationships across all data.
• Investigate risk factors to anticipate
threats and prevent future threats.
ABILITY TO PRIORITIZE / DECIDE
BASED ON RISK
• Transparent evidence translate to
quantitative numbers.
• Ability map scores to different objects
including events and aggregate based
on a criteria.
(Functions, Business units, Physical
Quantitative metrics are applied to distinguish importance of certain situation for
advanced detection
+80
Asset Identity
Other
Attributes
TOTAL
RISK SCORE
Occurrence of
matching correlations
searches
© 2021 SPLUNK INC.
Alert Volumes Are Overwhelming SOCs
• Abandoned alerts
• Suppressed alerts
• Slow detection / response
• Analyst burnout
Over 40% of orgs receive 10,000+ alerts per day; experience 50%+ false positives
© 2021 SPLUNK INC.
But What Alternatives Do SOCs Have?
Alert Directly from
Analytics
Tune Analytics
Analytics/
Correlations
Alert Fatigue
There are no perfect correlation searches; alert fatigue seems inevitable
© 2021 SPLUNK INC.
2018: Risk-Based Alerting to the Rescue
Observation
Analytics/
Correlations
Dramatically reduce alert volumes while increasing analyst productivity and efficiency
Risk
Index
© 2021 SPLUNK INC.
2018: Risk-Based Alerting to the Rescue
Analytics/
Correlations
Dramatically reduce alert volumes while improving your security posture
Risk
Index Risk Notable
Alerting
Risk
Score
Mitre
ATT&CK
Tactic
BU
Outliers
Observation
© 2021 SPLUNK INC.
How Does This Look in Practice?
Traditionally, the events below would be considered too noisy and would be
abandoned
Potential
spearphishing
observed
Suspicious
command
disabling controls
Suspicious Powershell
observed
AWS ACLs opened
up all access
AWS user
provisioning
observed
AWS buckets
created
AWS permanent
creation observed
6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
© 2021 SPLUNK INC.
How Does This Look in Practice?
With risk-based alerting, these events become context that informs high-fidelity alerts
Risk Notable
Generate alert for any user or system that
exceeds a risk score of 100 in a 24 hour
period
Aggregated user risk score >100
ALERT
With one click, view all
of the risk events that
contribute to the alert
Potential
spearphishing
observed
10 pts
Suspicious
command
disabling controls
15 pts
Suspicious Powershell
observed
20 pts
AWS ACLs opened
up all access
10 pts
AWS user
provisioning
observed
15 pts
AWS buckets
created
15 pts
AWS permanent
creation observed
20 pts
6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Threat Intelligence Framework
Finding hidden IOCs using comprehensive threat intelligence mappings
• Multiple
sources
• Multiple
transmission
types
• Multiple
transports
• Multiple data
formats
INTEL SOURCES
1. IP
2. Emails
3. URLs
4. Files names/
hashes
5. Processes
names
6. Services
7. Registry entries
8. X509
Certificates
9. Users
CATEGORIZE
Index, Extract,
Categorize
Manage / Audit
threat sources
• List status
• List mgmt.
• List location
COLLECT MANAGE
Data Management
SEARCH
Ad-hoc search,
analyze,
investigate,
prioritize
Data Search
CORRELATE
Match all IOCs in
existing log data
Generate alert for
any matches
KSI and trends
Security Dashboard
Correlation Data /
Notable Events
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Analytic Story Details
Story description and information
Top bar contains metadata around the Analytic Story, right
window shows association to various security frameworks,
and the description and narrative explain what it’s about
Run the searches in the story
Clicking ’Run Analytics’ runs all the
searches in the story and gives you a
count of the number of results returned
© 2021 SPLUNK INC.
Analytic Story Details
Configure in ES
Takes you to the associated
’Edit Correlation Search’
page in ES
Search Details
This is the area you can see the
exact search, related details, and
optionally run it
More searches
The associated contextual,
investigative, and supporting searches
are all available here as well
Search Metadata
Information on data models used
and examples of Technologies that
can provide the necessary data
© 2018 SPLUNK INC.
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Splunk Adaptive Response Framework
WAF & App
Security
Orchestration
Network
Threat
Intelligence
Internal Network
Security
Identity and Access
Endpoints
Firewall
Web Proxy
© 2021 SPLUNK INC.
What Is Enterprise Security?
Mainframe
Data
Relational
Databases
Mobile
Forwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence
Notable
Events
Asset &
Identity
Risk
Analysis
Threat
Intelligence
Use Case
Library
Adaptive
Response
© 2021 SPLUNK INC.
Die Security Data Journey
Der Weg zum vollautomatisierten SOC
Security Logging
& Investigation
●Aufbau einer investigativen
Datenplattform
●Korrelation von Ereignissen
●Überwachung von
spezifischen Security Use
Cases
Automatisieren und
Reagieren
●Automatisierung und
Orchestrierung
●Ausführen von Playbooks
●Einholen von Security Kontext
●Schnelleres Reagieren
●Abwehrmaßnahmen stärken
●Zusammenarbeit intensivieren
Analyse-
gestütztes SIEM
●Plattformübergreifende
Korrelation mit Ende-zu-Ende
Sichtbarkeit
●Proaktive Überwachung
●analysegestütztes
Framework
●Risikobasierte Alarmierung
Stufe
1
Stufe
2
Stufe
3
Stufe
4
Untersuchen
Analysieren
Handeln
Zusammenarbeiten
© 2021 SPLUNK INC.
SOAR for Security Operation
Faster execution through the loop yields better security
Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED MANUAL (TODAY)
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
© 2021 SPLUNK INC.
SOAR for Security Operation
Faster execution through the loop yields better security
Decision Making Acting
SIEM
THREAT INTEL PLATFORM
HADOOP
GRC
AUTOMATED MANUAL (TODAY)
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
FIREWALL
IDS / IPS
ENDPOINT
WAF
ADVANCED MALWARE
FORENSICS
MALWARE DETONATION
TIER 1
TIER 2
TIER 3
Observe
Point Products
Orient
Analytics
© 2021 SPLUNK INC.
How SOAR Solves Security Operations Problems
Too
Many
Alerts
Clear 80% of alerts
with no human
interaction
Phantom automates
security alerts so your
team can go from
overwhelmed to in-
control
Limited
Resource
s
Force multiply
your team
Automate repetitive
tasks so you can
do more with the
people you already
have
Lack of
Process
Establish SOPs to
be more effective
Phantom has case
management built-in
to help customers
build operational rigor
Spee
d
From 30 mins to
40 seconds
Phantom
orchestration and
automation makes
everything work
faster
Cost
s
Definitive ROI and
hard cost savings
Phantom saves your
team time, headache,
and makes your
current tools work
better
Too Many
Siloed Products
Unlock value from
previous investments
Phantom orchestrates
workflows and response
across all your products
so that each one is
actively participating in
your defense strategy
© 2021 SPLUNK INC.
SOAR
Maestro
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
App
actions
Playbook
© 2021 SPLUNK INC.
How it Works
Automated Malware
Investigation
• “Automation with Phantom
enables us to process
malware email alerts in
about 40 seconds vs.
30 minutes or more.”
— Adam Fletcher, CISO
A Phantom Case Study
SANDBOX QUERY RECIPIENTS
USER PROFILE
HUNT FILE
HUNT FILE
FILE REPUTATION
FILE ASSESSMENT
RUN PLAYBOOK
“REMEDIATE"
EMAIL ALERT
© 2021 SPLUNK INC.
SOAR Playbook Example
© 2021 SPLUNK INC.
Die Security Data Journey
Der Weg zum vollautomatisierten SOC
Security Logging
& Investigation
●Aufbau einer investigativen
Datenplattform
●Korrelation von Ereignissen
●Überwachung von
spezifischen Security Use
Cases
Automatisieren und
Reagieren
●Automatisierung und
Orchestrierung
●Ausführen von Playbooks
●Einholen von Security Kontext
●Schnelleres Reagieren
●Abwehrmaßnahmen stärken
●Zusammenarbeit intensivieren
Analyse-
gestütztes SIEM
●Plattformübergreifende
Korrelation mit Ende-zu-Ende
Sichtbarkeit
●Proaktive Überwachung
●analysegestütztes
Framework
●Risikobasierte Alarmierung
Collaborative SOC
●vollautomatisiertes Security
Operations Center
●Zusammenführung von SIEM-,
UEBA- und SOAR-
Technologien
●Effektive Kommunikation und
Zusammenarbeit
Stufe
1
Stufe
2
Stufe
3
Stufe
4
Untersuchen
Analysieren
Handeln
Zusammenarbeiten
© 2021 SPLUNK INC.
Act
Security Nerve Center
Endpoints
Threat
Intelligence
Network
Web Proxy
Firewall
Identity and Access
WAF and
App Security
Cloud
Security
Mobile
SOAR
SIEM
Analyze
Monitor
Investigate
© 2021 SPLUNK INC.
Security Portfolio
• Risky Behavior Detection
• Entity Profiling, Scoring
• Kill chain, Graph analysis
Enterprise Security
Detect, Investigate &
Response
• Single pane of glass
• Security Metrics & Incident
Response
• Adaptive Response
• Collaboration
Splunk Enterprise
Investigate
Realm of
Known
Human-
driven
Splunk UBA
Detect
Realm of
Unknown
ML-
driven
• Log Aggregation
• Rules, statistics, correlation
• Ad hoc searches and data pivot
© 2021 SPLUNK INC.
Wertgewinn mit Splunk
70%
Zeitverkürzung bei
der Recherche von
Sicherheitsereignisse
n durch Korrelation
30%
Reduzierung des
Risikos in
Verbindung mit IP-
Diebstahl,
Datenschutzverletzu
ngen und Betrug
80%
Reduzierung des
Zeitaufwands für die
manuelle
Berichterstattung
über die Compliance
80%
Reduzierung des
Zeitaufwands für
manuelle,
routinemäßige
Sicherheitsaufgaben
Im Durchschnitt erfahren die Kunden signifikante Verbesserungen bei der Erkennung,
Triage und Untersuchung von Vorfällen, was das Gesamtrisiko reduziert.
© 2021 SPLUNK INC.
https://events.splunk.com/security_workshops_de
Enterprise Security Hands-On
Workshop
Risk-Based Alerting Hands-On
Workshop
Thank You
© 2021 SPLUNK INC.

Weitere ähnliche Inhalte

Was ist angesagt?

Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
Splunk
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Canada
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
Splunk
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
Belsoft
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)
Mostafa El Lathy
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners Session
Splunk
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - Architecture
Splunk
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
Splunk
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in SplunkHow to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk
Splunk
 
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
CatoNetworks
 
DDoS Engelleme Ürünleri
DDoS Engelleme ÜrünleriDDoS Engelleme Ürünleri
DDoS Engelleme Ürünleri
BGA Cyber Security
 
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans FilAlphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
Alphorm
 
TekRADIUS Installation step by step
TekRADIUS Installation step by stepTekRADIUS Installation step by step
TekRADIUS Installation step by step
Yasin KAPLAN
 
Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise SecurityExploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
Splunk
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
BAKOTECH
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts
Mostafa El Lathy
 
Splunk overview
Splunk overviewSplunk overview
Splunk overview
Daniel Hernandez
 

Was ist angesagt? (20)

Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2 Splunk Cloud and Splunk Enterprise 7.2
Splunk Cloud and Splunk Enterprise 7.2
 
Cisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network IntuitiveCisco Digital Network Architecture - Introducing the Network Intuitive
Cisco Digital Network Architecture - Introducing the Network Intuitive
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
2 what is the best firewall (sizing)
2 what is the best firewall (sizing)2 what is the best firewall (sizing)
2 what is the best firewall (sizing)
 
SplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners SessionSplunkLive 2011 Beginners Session
SplunkLive 2011 Beginners Session
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - Architecture
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
 
How to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in SplunkHow to Design, Build and Map IT and Business Services in Splunk
How to Design, Build and Map IT and Business Services in Splunk
 
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
MPLS, SD-WAN and Cloud Network: The path to a better, secure and more afforda...
 
DDoS Engelleme Ürünleri
DDoS Engelleme ÜrünleriDDoS Engelleme Ürünleri
DDoS Engelleme Ürünleri
 
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans FilAlphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
Alphorm.com Formation CCNP ENCOR 350-401 (3of8) : Sans Fil
 
TekRADIUS Installation step by step
TekRADIUS Installation step by stepTekRADIUS Installation step by step
TekRADIUS Installation step by step
 
Exploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise SecurityExploring Frameworks of Splunk Enterprise Security
Exploring Frameworks of Splunk Enterprise Security
 
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
End-to-Eend security with Palo Alto Networks (Onur Kasap, Palo Alto Networks)
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar Users
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts
 
Splunk overview
Splunk overviewSplunk overview
Splunk overview
 

Ähnlich wie Der Weg in den vollautomatisierten SOC Betrieb

Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
Splunk EMEA
 
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
OPEN KNOWLEDGE GmbH
 
Splunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit InformationenSplunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit Informationen
Georg Knon
 
CWMC Insights 2020|14 - Einführung IIoT Security
CWMC Insights 2020|14 - Einführung IIoT SecurityCWMC Insights 2020|14 - Einführung IIoT Security
CWMC Insights 2020|14 - Einführung IIoT Security
CWMC - Christian Wild Management Consultants
 
Internet of Things Architecture
Internet of Things ArchitectureInternet of Things Architecture
Internet of Things Architecture
Christian Waha
 
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
QAware GmbH
 
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
Splunk EMEA
 
Cloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und LoesungenCloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und Loesungen
Daniel Steiger
 
End-to-End Hochverfügbarkeit by Michal Soszynski
End-to-End Hochverfügbarkeit by Michal SoszynskiEnd-to-End Hochverfügbarkeit by Michal Soszynski
End-to-End Hochverfügbarkeit by Michal Soszynski
Carsten Muetzlitz
 
Event Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
Event Driven Architecture - OPITZ CONSULTING - Schmutz - WinterbergEvent Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
Event Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
OPITZ CONSULTING Deutschland
 
ScriptRunner - Eine Einführung
ScriptRunner - Eine EinführungScriptRunner - Eine Einführung
ScriptRunner - Eine Einführung
Heiko Brenn
 
Machine Learning
Machine LearningMachine Learning
Machine Learning
Splunk
 
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
Splunk EMEA
 
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
Carsten Muetzlitz
 
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
Carsten Cordes
 
Whitepaper über IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
Whitepaper über  IT-Sicherheit in Industrie 4.0 Projekten der DST consulting Whitepaper über  IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
Whitepaper über IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
Hans Peter Knaust
 
Bestmögliche Absicherung für Ihre Remote-Mitarbeiter
Bestmögliche Absicherung für Ihre Remote-MitarbeiterBestmögliche Absicherung für Ihre Remote-Mitarbeiter
Bestmögliche Absicherung für Ihre Remote-Mitarbeiter
Precisely
 
Peter Hanke (Netapp Austria)
Peter Hanke (Netapp Austria)Peter Hanke (Netapp Austria)
Peter Hanke (Netapp Austria)
Agenda Europe 2035
 
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mkThorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
Informatik Aktuell
 
Splunk Webinar: Machine Learning mit Splunk
Splunk Webinar: Machine Learning mit SplunkSplunk Webinar: Machine Learning mit Splunk
Splunk Webinar: Machine Learning mit Splunk
Splunk
 

Ähnlich wie Der Weg in den vollautomatisierten SOC Betrieb (20)

Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
Transparenz? Leicht und zentral - Splunk Public Sector Summit 2024
 
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
Auf gehts in die Cloud: „Das kann doch nicht so schwer sein!“
 
Splunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit InformationenSplunk Webinar: Maschinendaten anreichern mit Informationen
Splunk Webinar: Maschinendaten anreichern mit Informationen
 
CWMC Insights 2020|14 - Einführung IIoT Security
CWMC Insights 2020|14 - Einführung IIoT SecurityCWMC Insights 2020|14 - Einführung IIoT Security
CWMC Insights 2020|14 - Einführung IIoT Security
 
Internet of Things Architecture
Internet of Things ArchitectureInternet of Things Architecture
Internet of Things Architecture
 
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.Steinzeit war gestern! Wege der Cloud-nativen Evolution.
Steinzeit war gestern! Wege der Cloud-nativen Evolution.
 
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
Private Cloud Monitoring, Security Monitoring & DevOps - Splunk Public Sector...
 
Cloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und LoesungenCloud Connectivity - Herausforderungen und Loesungen
Cloud Connectivity - Herausforderungen und Loesungen
 
End-to-End Hochverfügbarkeit by Michal Soszynski
End-to-End Hochverfügbarkeit by Michal SoszynskiEnd-to-End Hochverfügbarkeit by Michal Soszynski
End-to-End Hochverfügbarkeit by Michal Soszynski
 
Event Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
Event Driven Architecture - OPITZ CONSULTING - Schmutz - WinterbergEvent Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
Event Driven Architecture - OPITZ CONSULTING - Schmutz - Winterberg
 
ScriptRunner - Eine Einführung
ScriptRunner - Eine EinführungScriptRunner - Eine Einführung
ScriptRunner - Eine Einführung
 
Machine Learning
Machine LearningMachine Learning
Machine Learning
 
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
Splunk für alle: Optimierte Prozesse für eine zuverlässige und störungsfreie ...
 
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
Security by Design - von der Single Instanz über DWH, In-Memory, Big Data mit...
 
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
IT-Sicherheit und agile Entwicklung? Geht das? Sicher!
 
Whitepaper über IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
Whitepaper über  IT-Sicherheit in Industrie 4.0 Projekten der DST consulting Whitepaper über  IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
Whitepaper über IT-Sicherheit in Industrie 4.0 Projekten der DST consulting
 
Bestmögliche Absicherung für Ihre Remote-Mitarbeiter
Bestmögliche Absicherung für Ihre Remote-MitarbeiterBestmögliche Absicherung für Ihre Remote-Mitarbeiter
Bestmögliche Absicherung für Ihre Remote-Mitarbeiter
 
Peter Hanke (Netapp Austria)
Peter Hanke (Netapp Austria)Peter Hanke (Netapp Austria)
Peter Hanke (Netapp Austria)
 
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mkThorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
Thorsten Bruhns – IT-Tage 2015 – Monitoring von Oracle-Datenbanken mit check_mk
 
Splunk Webinar: Machine Learning mit Splunk
Splunk Webinar: Machine Learning mit SplunkSplunk Webinar: Machine Learning mit Splunk
Splunk Webinar: Machine Learning mit Splunk
 

Mehr von Splunk

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
Splunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
Splunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
Splunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
Splunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
Splunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
Splunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
Splunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
Splunk
 

Mehr von Splunk (20)

.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - Data analysis as a routine
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica).conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
 
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - Raiffeisen Bank International
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett .conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär).conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu....conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever....conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Der Weg in den vollautomatisierten SOC Betrieb

  • 1. © 2021 SPLUNK INC. Der Weg in den vollautomatisierten SOC Betrieb Splunk for Security Udo Götzen, CISSP Staff Sales Engineer Beginn 16:30 Uhr
  • 2. © 2021 SPLUNK INC. Der Weg in den vollautomatisierten SOC Betrieb Splunk for Security Udo Götzen, CISSP Staff Sales Engineer
  • 3. © 2021 SPLUNK INC. Die Security Data Journey Der Weg zum vollautomatisierten SOC Security Logging & Investigation ●Aufbau einer investigativen Datenplattform ●Korrelation von Ereignissen ●Überwachung von spezifischen Security Use Cases Stufe 1 Stufe 2 Stufe 3 Stufe 4 Untersuchen Analysieren Handeln Zusammenarbeiten
  • 4. © 2021 SPLUNK INC. Data Lakes Master Data Management ETL Point Data Management Solutions Data Silos IT Security IoT Biz Analytics The Data-to-Everything Platform for Machine Data © 2021 SPLUNK INC.
  • 5. © 2021 SPLUNK INC. IT/OT Operations Server, Network, App, DBs Business Analytics Business Units Up to 80% of the total data commonly indexed for Security is critical to enable IT Ops use case Up to 50% of the total data commonly indexed for IT Ops can be leveraged to enable Business Analytics use cases Up to 80% of the total data commonly indexed for IT Ops is critical for App Dev to produce faster release cycles with less errors Application Development / DevOps Testers, Developers Helvetia Dark Data Security SOC, Security Analysts Data to Everything Platform A main benefit of the Splunk platform is the data reuse across Security, IT/OT Operations and Business
  • 6. © 2021 SPLUNK INC. Die 1. Etappe der Sicherheitsreise Empfehlungen, welche Datenquellen erfasst werden sollten Netzwerk Endpunkt Authentifizierung Web-Aktivitäten Die Einsicht in den Netzwerkverkehr ist für jedes Sicherheitsteam entscheidend. In diesem frühen Stadium ist es vorrangig, zu sehen, welche Arten von Datenverkehr in Ihrem Netzwerk bestehen. Es ist wichtig, sowohl den erlaubten Datenverkehr als auch die Kommunikationsversuche zu sehen, die blockiert wurden. Endpunktprotokolle ergänzen die Netzwerktransparenz und geben Aufschluss über bösartige Aktivitäten, wie z. B. die Ausführung von Malware, einen Insider, der eine nicht autorisierte Aktivität durchführt, oder einen Angreifer, der sich in Ihrem Netzwerk aufhält. Im ersten Schritt ist es wichtig, diese Daten von Servern aller Betriebssystemen zu erfassen (in einer späteren Etappe sind Daten der Desktops und Notebooks unverzichtbar). Authentifizierungsprotokolle können Ihnen sagen, wann und von wo aus Benutzer auf Ihre Systeme und Anwendungen zugreifen. Da die meisten erfolgreichen Angriffe schließlich die Verwendung gültiger Anmeldedaten beinhalten, sind diese Daten entscheidend, um zwischen einer gültigen Anmeldung und einer Kontoübernahme zu unterscheiden. Viele Angriffe beginnen damit, dass ein Benutzer eine bösartige Website besucht, oder enden damit, dass wertvolle Daten auf eine Website transferiert werden, die der Angreifer kontrolliert. Die Transparenz darüber, wer wann auf welche Seiten zugreift, ist für die Untersuchung entscheidend. Beispiele: • Palo Alto Networks • Cisco • Check Point • Fortinet Beispiele: • Windows Event Logs • Linux System Logs • Linux Auditd • Mac System Logs Beispiele: • Windows Active Directory • Cloud Identity & Access Management (IAM) Beispiele Next Gen Firewall- Verkehrsfilter: • Palo Alto Networks • Cisco • Check Point • Fortinet Web Proxy: • Bluecoat • Websense
  • 7. © 2021 SPLUNK INC. Splunk Security Essentials Identify Bad Guys: • 850+ security analytics methods • Free on Splunkbase – use on Splunk Enterprise • Target external and insider threats • Advanced threat detection, compliance, and more • Scales from small to massive companies • Data source onboarding guidance • MITRE ATT&CK and Kill Chain mappings • Save from app, send hits to ES / UBA Solve use cases you can today for free, then use Splunk UBA for advanced ML detection. https://splunkbase.splunk.com/app/3435/
  • 8. © 2021 SPLUNK INC. Die Security Data Journey Der Weg zum vollautomatisierten SOC Security Logging & Investigation ●Aufbau einer investigativen Datenplattform ●Korrelation von Ereignissen ●Überwachung von spezifischen Security Use Cases Analyse- gestütztes SIEM ●Plattformübergreifende Korrelation mit Ende-zu-Ende Sichtbarkeit ●Proaktive Überwachung ●analysegestütztes Framework ●Risikobasierte Alarmierung Stufe 1 Stufe 2 Stufe 3 Stufe 4 Untersuchen Analysieren Handeln Zusammenarbeiten
  • 9. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 10. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 11. © 2021 SPLUNK INC. Notable Events and Incident Review ▶ STREAMLINE INCIDENT MGMT PROCESS • Consolidated incident management allows effective lifecycle management of security incidents. ▶ RAPID DECISION MAKING SUPPORT • Automatically aligns all security context together for fast incident qualification and provides predefined analysis paths. ▶ REFINE SECURITY MGMT PROCESS • Investigation management and customizations to support complex process integration requirements.
  • 12. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 13. © 2021 SPLUNK INC. How To Populate Asset & Identities Long Term Success User Lifecycle Management / CMDB / HR System 1 2 3 Active Directory / LDAP / DHCP Automated building and learning through indexed events Nmap / Vulnerability Scanner CSV Upload / Maintaining it in the GUI
  • 14. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 15. © 2021 SPLUNK INC. Risk Framework EXPOSE RISK FACTORS TO ANALYSTS • Rationalize and analyze behaviors and relationships across all data. • Investigate risk factors to anticipate threats and prevent future threats. ABILITY TO PRIORITIZE / DECIDE BASED ON RISK • Transparent evidence translate to quantitative numbers. • Ability map scores to different objects including events and aggregate based on a criteria. (Functions, Business units, Physical Quantitative metrics are applied to distinguish importance of certain situation for advanced detection +80 Asset Identity Other Attributes TOTAL RISK SCORE Occurrence of matching correlations searches
  • 16. © 2021 SPLUNK INC. Alert Volumes Are Overwhelming SOCs • Abandoned alerts • Suppressed alerts • Slow detection / response • Analyst burnout Over 40% of orgs receive 10,000+ alerts per day; experience 50%+ false positives
  • 17. © 2021 SPLUNK INC. But What Alternatives Do SOCs Have? Alert Directly from Analytics Tune Analytics Analytics/ Correlations Alert Fatigue There are no perfect correlation searches; alert fatigue seems inevitable
  • 18. © 2021 SPLUNK INC. 2018: Risk-Based Alerting to the Rescue Observation Analytics/ Correlations Dramatically reduce alert volumes while increasing analyst productivity and efficiency Risk Index
  • 19. © 2021 SPLUNK INC. 2018: Risk-Based Alerting to the Rescue Analytics/ Correlations Dramatically reduce alert volumes while improving your security posture Risk Index Risk Notable Alerting Risk Score Mitre ATT&CK Tactic BU Outliers Observation
  • 20. © 2021 SPLUNK INC. How Does This Look in Practice? Traditionally, the events below would be considered too noisy and would be abandoned Potential spearphishing observed Suspicious command disabling controls Suspicious Powershell observed AWS ACLs opened up all access AWS user provisioning observed AWS buckets created AWS permanent creation observed 6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
  • 21. © 2021 SPLUNK INC. How Does This Look in Practice? With risk-based alerting, these events become context that informs high-fidelity alerts Risk Notable Generate alert for any user or system that exceeds a risk score of 100 in a 24 hour period Aggregated user risk score >100 ALERT With one click, view all of the risk events that contribute to the alert Potential spearphishing observed 10 pts Suspicious command disabling controls 15 pts Suspicious Powershell observed 20 pts AWS ACLs opened up all access 10 pts AWS user provisioning observed 15 pts AWS buckets created 15 pts AWS permanent creation observed 20 pts 6:55AM 6:58AM 7:03AM 1:55PM 2:03PM 2:07PM 2:15PM
  • 22. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 23. © 2021 SPLUNK INC. Threat Intelligence Framework Finding hidden IOCs using comprehensive threat intelligence mappings • Multiple sources • Multiple transmission types • Multiple transports • Multiple data formats INTEL SOURCES 1. IP 2. Emails 3. URLs 4. Files names/ hashes 5. Processes names 6. Services 7. Registry entries 8. X509 Certificates 9. Users CATEGORIZE Index, Extract, Categorize Manage / Audit threat sources • List status • List mgmt. • List location COLLECT MANAGE Data Management SEARCH Ad-hoc search, analyze, investigate, prioritize Data Search CORRELATE Match all IOCs in existing log data Generate alert for any matches KSI and trends Security Dashboard Correlation Data / Notable Events
  • 24. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 25. © 2021 SPLUNK INC. Analytic Story Details Story description and information Top bar contains metadata around the Analytic Story, right window shows association to various security frameworks, and the description and narrative explain what it’s about Run the searches in the story Clicking ’Run Analytics’ runs all the searches in the story and gives you a count of the number of results returned
  • 26. © 2021 SPLUNK INC. Analytic Story Details Configure in ES Takes you to the associated ’Edit Correlation Search’ page in ES Search Details This is the area you can see the exact search, related details, and optionally run it More searches The associated contextual, investigative, and supporting searches are all available here as well Search Metadata Information on data models used and examples of Technologies that can provide the necessary data © 2018 SPLUNK INC.
  • 27. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 28. © 2021 SPLUNK INC. Splunk Adaptive Response Framework WAF & App Security Orchestration Network Threat Intelligence Internal Network Security Identity and Access Endpoints Firewall Web Proxy
  • 29. © 2021 SPLUNK INC. What Is Enterprise Security? Mainframe Data Relational Databases Mobile Forwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence Notable Events Asset & Identity Risk Analysis Threat Intelligence Use Case Library Adaptive Response
  • 30. © 2021 SPLUNK INC. Die Security Data Journey Der Weg zum vollautomatisierten SOC Security Logging & Investigation ●Aufbau einer investigativen Datenplattform ●Korrelation von Ereignissen ●Überwachung von spezifischen Security Use Cases Automatisieren und Reagieren ●Automatisierung und Orchestrierung ●Ausführen von Playbooks ●Einholen von Security Kontext ●Schnelleres Reagieren ●Abwehrmaßnahmen stärken ●Zusammenarbeit intensivieren Analyse- gestütztes SIEM ●Plattformübergreifende Korrelation mit Ende-zu-Ende Sichtbarkeit ●Proaktive Überwachung ●analysegestütztes Framework ●Risikobasierte Alarmierung Stufe 1 Stufe 2 Stufe 3 Stufe 4 Untersuchen Analysieren Handeln Zusammenarbeiten
  • 31. © 2021 SPLUNK INC. SOAR for Security Operation Faster execution through the loop yields better security Decision Making Acting SIEM THREAT INTEL PLATFORM HADOOP GRC AUTOMATED MANUAL (TODAY) FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION TIER 1 TIER 2 TIER 3 Observe Point Products Orient Analytics
  • 32. © 2021 SPLUNK INC. SOAR for Security Operation Faster execution through the loop yields better security Decision Making Acting SIEM THREAT INTEL PLATFORM HADOOP GRC AUTOMATED MANUAL (TODAY) FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION FIREWALL IDS / IPS ENDPOINT WAF ADVANCED MALWARE FORENSICS MALWARE DETONATION TIER 1 TIER 2 TIER 3 Observe Point Products Orient Analytics
  • 33. © 2021 SPLUNK INC. How SOAR Solves Security Operations Problems Too Many Alerts Clear 80% of alerts with no human interaction Phantom automates security alerts so your team can go from overwhelmed to in- control Limited Resource s Force multiply your team Automate repetitive tasks so you can do more with the people you already have Lack of Process Establish SOPs to be more effective Phantom has case management built-in to help customers build operational rigor Spee d From 30 mins to 40 seconds Phantom orchestration and automation makes everything work faster Cost s Definitive ROI and hard cost savings Phantom saves your team time, headache, and makes your current tools work better Too Many Siloed Products Unlock value from previous investments Phantom orchestrates workflows and response across all your products so that each one is actively participating in your defense strategy
  • 34. © 2021 SPLUNK INC. SOAR Maestro App actions App actions App actions App actions App actions App actions App actions App actions App actions App actions Playbook
  • 35. © 2021 SPLUNK INC. How it Works Automated Malware Investigation • “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” — Adam Fletcher, CISO A Phantom Case Study SANDBOX QUERY RECIPIENTS USER PROFILE HUNT FILE HUNT FILE FILE REPUTATION FILE ASSESSMENT RUN PLAYBOOK “REMEDIATE" EMAIL ALERT
  • 36. © 2021 SPLUNK INC. SOAR Playbook Example
  • 37. © 2021 SPLUNK INC. Die Security Data Journey Der Weg zum vollautomatisierten SOC Security Logging & Investigation ●Aufbau einer investigativen Datenplattform ●Korrelation von Ereignissen ●Überwachung von spezifischen Security Use Cases Automatisieren und Reagieren ●Automatisierung und Orchestrierung ●Ausführen von Playbooks ●Einholen von Security Kontext ●Schnelleres Reagieren ●Abwehrmaßnahmen stärken ●Zusammenarbeit intensivieren Analyse- gestütztes SIEM ●Plattformübergreifende Korrelation mit Ende-zu-Ende Sichtbarkeit ●Proaktive Überwachung ●analysegestütztes Framework ●Risikobasierte Alarmierung Collaborative SOC ●vollautomatisiertes Security Operations Center ●Zusammenführung von SIEM-, UEBA- und SOAR- Technologien ●Effektive Kommunikation und Zusammenarbeit Stufe 1 Stufe 2 Stufe 3 Stufe 4 Untersuchen Analysieren Handeln Zusammenarbeiten
  • 38. © 2021 SPLUNK INC. Act Security Nerve Center Endpoints Threat Intelligence Network Web Proxy Firewall Identity and Access WAF and App Security Cloud Security Mobile SOAR SIEM Analyze Monitor Investigate
  • 39. © 2021 SPLUNK INC. Security Portfolio • Risky Behavior Detection • Entity Profiling, Scoring • Kill chain, Graph analysis Enterprise Security Detect, Investigate & Response • Single pane of glass • Security Metrics & Incident Response • Adaptive Response • Collaboration Splunk Enterprise Investigate Realm of Known Human- driven Splunk UBA Detect Realm of Unknown ML- driven • Log Aggregation • Rules, statistics, correlation • Ad hoc searches and data pivot
  • 40. © 2021 SPLUNK INC. Wertgewinn mit Splunk 70% Zeitverkürzung bei der Recherche von Sicherheitsereignisse n durch Korrelation 30% Reduzierung des Risikos in Verbindung mit IP- Diebstahl, Datenschutzverletzu ngen und Betrug 80% Reduzierung des Zeitaufwands für die manuelle Berichterstattung über die Compliance 80% Reduzierung des Zeitaufwands für manuelle, routinemäßige Sicherheitsaufgaben Im Durchschnitt erfahren die Kunden signifikante Verbesserungen bei der Erkennung, Triage und Untersuchung von Vorfällen, was das Gesamtrisiko reduziert.
  • 41. © 2021 SPLUNK INC. https://events.splunk.com/security_workshops_de Enterprise Security Hands-On Workshop Risk-Based Alerting Hands-On Workshop
  • 42. Thank You © 2021 SPLUNK INC.