Webinar: Neues zur Splunk App for Enterprise Security
0 likes10,392 views
This document discusses a webcast on the Splunk App for Enterprise Security. It provides an overview of the app's capabilities for security strategy, security posture monitoring, visual security analytics, advanced threat detection, and insider threat detection. It also summarizes new features in the latest version, including improved threat intelligence integration and collaboration tools.
Webinar: Neues zur Splunk App for Enterprise Security
- 1. Copyright © 2015 Splunk Inc. The Splunk App for Enterprise Security Holger Sesterhenn, Sen. Sales Engineer, CISSP MaChias Maier, Security Product MarkeEng, EMEA
- 2. 2 Ihr Webcast Team Ma#hias Maier Security Product MarkeEng, EMEA mmaier@splunk.com Holger Sesterhenn Sen. Sales Engineer hsesterhenn@splunk.com
- 3. Copyright © 2015 Splunk Inc. Safe Harbor Statement During the course of this presentaEon, we may make forward looking statements regarding future events or the expected performance of the company. We cauEon you that such statements reflect our current expectaEons and esEmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in this presentaEon are being made as of the Eme and date of its live presentaEon. If reviewed aSer its live presentaEon, this presentaEon may not contain current or accurate informaEon. We do not assume any obligaEon to update any forward looking statements we may make. In addiEon, any informaEon about our roadmap outlines our general product direcEon and is subject to change at any Eme without noEce. It is for informaEonal purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaEon either to develop the features or funcEonality described or to include any such feature or funcEonality in a future release.
- 4. Copyright © 2015 Splunk Inc. How Can Splunk Help?
- 5. Roadmap Security Strategy Security Posture Visual Security AnalyEcs Advanced Threats Insider Threat
- 7. Source: Mandiant M-‐Trends Report 2012/2013/2014 67% VicEms noEfied by an external enEty 100% Valid credenEals were used 229 Median # of days before detecEon The Ever-‐Changing Threat Landscape
- 8. Copyright © 2015 Splunk Inc. Intrusion DetecEon Firewall Data Loss PrevenEon AnE-‐Malware Vulnerability Scans AuthenEcaEon TradiEonal Security Strategy
- 9. Copyright © 2015 Splunk Inc. Connect the Dots Across All Data Servers Storage Desktops Email Web TransacEon Records Network Flows Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMBD DHCP/DNS Intrusion DetecEon Firewall Data Loss PrevenEon AnE-‐ Malware Vulnerability Scans AuthenEcaEon
- 10. Copyright © 2015 Splunk Inc. ConnecEng the “Data Dots” via MulEple/Dynamic RelaEonships Persist, Repeat Threat Intelligence Auth—User Roles Host Ac@vity/Security Network Ac@vity/Security ACacker, know relay/C2 sites, infected sites, IOC, aCack/campaign intent and aCribuEon Where they went to, who talked to whom, aCack transmiCed, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, aCack/malware arEfacts, patching level, aCack suscepEbility Access level, privileged users, likelihood of infecEon, where they might be in kill chain Delivery, exploit installa@on Gain trusted access Exfiltra@on Data gathering Upgrade (escalate) lateral movement Persist, repeat
- 11. AnalyEcs-‐Driven Security Risk Based Context and Intelligence ConnecEng Data and People
- 12. Copyright © 2015 Splunk Inc. Sample Nasdaq -‐ Heartbleed
- 13. Complement, replace and go beyond tradi@onal SIEMs Security Intelligence Use Cases 13 SECURITY & COMPLIANCE REPORTING REAL-‐TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN THREATS INCIDENT INVESTIGATIONS & FORENSICS FRAUD DETECTION INSIDER THREAT
- 14. Roadmap Security Strategy • ConnecEng Data and People Security Posture
- 15. 15 What’s New in Splunk App for Enterprise Security 3.3 BeCer DetecEon of Advanced Threats • STIX/TAXII & OpenIOC threat intelligence • IOC/arEfacts research Improved CollaboraEon • Export correlaEon searches, KSIs, swim lanes BeCer DetecEon of Malicious Insiders • User acEvity monitoring dashboard and swim lanes • Access anomalies Faster Incident Response • Added funcEonality to Incident Response page Benefit Feature
- 16. Roadmap Security Strategy • ConnecEng Data and People Security Posture • SituaEonal Awareness Visual Security AnalyEcs
- 17. Roadmap Security Strategy • ConnecEng Data and People Security Posture • SituaEonal Awareness Visual Security AnalyEcs • Contextual Analysis Advanced Threats
- 18. Copyright © 2015 Splunk Inc. hCp://sExproject.github.io/about/
- 19. Copyright © 2015 Splunk Inc. STIX/TAXII and Open IOC 101 • Info sharing across companies and industries • Standardized XML • Contains TTPs, IOCs, COA • IOCs include IPs, web/e-‐mail domains, hashes, processes, registry key, cerEficates • hCp://sExproject.github.io/about/
- 20. Copyright © 2015 Splunk Inc. Threat Intelligence in Splunk
- 21. Copyright © 2015 Splunk Inc. TAXII Services Source: hCp://hailataxii.com
- 22. Copyright © 2015 Splunk Inc. Sample TAXII Feeds User Community Organisa@on Cyber Threat XChange Health InformaEon Trust Alliance Defense Security InformaEon Exchange Defense Industrial Base InformaEon and Sharing and Analysis OrganizaEon ICS-‐ISAC Industrial Control System InformaEon Sharing and Analysis Center NH-‐ISAC NaEonal Health Cybersecurity Intelligence Planorm NaEonal Health InformaEon and Analysis Center FS-‐ISAC / Soltra Edge Financial Services InformaEon Sharing and Analyses Center (FS-‐ISAC) Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal Retail InformaEon Sharing and Analysis Center (Retail-‐ISAC) More: hCp://sExproject.github.io/supporters/
- 23. Roadmap Security Strategy • ConnecEng Data and People Security Posture • SituaEonal Awareness Visual Security AnalyEcs • Contextual Analysis Advanced Threats • Knowledge Sharing and AdopEon Insider Threat
- 24. Copyright © 2015 Splunk Inc. DetecEng Suspicious User AcEvity • Spot suspicious user acEvity • Malicious insider or external threat using stolen credenEals • High aggregate risk score • Uploaded data to non-‐corp sites • Emailed data to non-‐corp domains • Visits to blacklisted sites • Remote access • Anomalous help desk Ecket
- 25. Roadmap Security Strategy • ConnecEng Data and People Security Posture • SituaEonal Awareness Visual Security AnalyEcs • Contextual Analysis Advanced Threats • Knowledge Sharing and AdopEon Insider Threat • Stop Data Breaches
- 26. Copyright © 2015 Splunk Inc. Case Study: Telenor " Challanges: – Millions of customers, thousands of servers and routers and they had missing details in operaEve tasks. – CommunicaEon between departments was challanging. – Errors and issues sporadically slipped unnoEced. " Breakthroughs: – Team noEced WebMail accounts being abused to send hundreds of thousands of SMS messages abroad – Baselining normal and track DeviaEon – Understand aCackers and their behaviour to take them down proacEve. Norway's largest telecom services provider 160 Mio mobile subscribers globally
- 27. Copyright © 2015 Splunk Inc. Thank You! Q&A