© 2022 SPLUNK INC.
Splunk PNW User Group
09 March, 2022
If you did not have an opportunity to complete the form to receive a lunch voucher* from DTEX, please PM the email address associated with your Grubhub account** via Zoom chat to Bryan Duncan or Jennifer Phillips.
* Voucher is good for today only.
** Email address will NOT be shared.
Thank you to today's sponsor!
Agenda
Topic | Speaker | Organization | Start | End
Welcome | Amanda Richardson | Splunk | 11:00am | 11:05am
News and Updates | Joshua Marsh, Amanda Richardson | Splunk | 11:05am | 11:20am
RBA Implementation Lessons Learned | Brad Werner | Nordstrom | 11:20am | 11:45am
ES 7.0 update | Dan Hogland | Splunk | 11:45am | 12:00pm
Little Pain, Much Gain - Splunk at Intel Engineering | Yaron Kretchmer, Matthew Bruehl | Intel Corporation | 12:00pm | 12:25pm
UEBA tool for insider threat detection demo | Andy London | DTEX | 12:25pm | 12:45pm
Wrap-up | Amanda Richardson | Splunk | 12:45pm | 1:00pm
“.conf21 gave me the ability to immerse
myself in all things Splunk for two full
days, I learned so much.”
— John Whitefield
Progressive Insurance, IT DevOps Eng. Senior
MGM Grand, Las Vegas, NV | June 13–16
Virtual | June 14–15
Join us for a hybrid experience and learn why
data is key to achieving better outcomes.
Empowering Business Users with Pre-Structured Data
Tech Talk: Support less technical users in your org!
Splunk includes multiple no-code features that allow users to explore,
analyze, and pivot the data in Splunk.
Learn how to structure your data and configure Splunk to enable these
analytic tools and see an overview of how to use pivot tables and other
no-code features.
Watch the Tech Talk to learn about:
● Indexing and Enriching data with known source types and lookups, so
that all business information is easily searchable for your users
● Building data models to structure your Splunk data, to enable pivot
tables for your business users
● Exploring, analyzing, and pivoting your Splunk data with no-code
features
Watch on demand
"Blue-collar for the blue team." And that's SURGe in a nutshell. Practitioners, storytellers, and old UNIX
plumbers who think differently and work on problems that we wish everyone had already solved.
You can sign up for our rapid response alerts here splunk.com/surge
Thank You!
© 2021 SPLUNK INC.
Accelerate Security Operations with Contextual Human
Intelligence & Endpoint Telemetry
Andy London
Senior Director of Solutions Engineering & Architecture
DTEX Systems
DTEX InTERCEPT Platform (slide overview)
Use cases: Insider Threat (UAM+UEBA), Data Loss Prevention (DLP), Digital Forensics, Fraud, Risk & Compliance, Credential Theft (ATT&CK).
DMAP+ Technology: a patent-pending, real-time correlation of DMAP telemetry introspection and predictive modeling that leads to accurate detection of insider threats at scale.
Encryption layer: employee privacy & GDPR compliance.
Third-party integrations: ES, SOAR, UEBA.
Unified telemetry from user endpoints, server endpoints, VDI, cloud and other sources; zero-impact agent, 5 MB per day (per endpoint).
What is next-gen insider threat? Insider threat behaviors: malicious insiders, negligent insiders, compromised insiders; data loss behaviors; behavioral indicators.
Insider Threat Detection (UAM + UEBA)
Use-case columns: Insider Threat Detection (UAM + UEBA); Risk, Audit and Compliance; Data Loss Prevention; Server Security; Forensic Investigations.
Behavior rows: Malicious Behavior; Compromised Behavior (MITRE ATT&CK™); Negligent Behavior.
Use cases listed on the slide (Unusual Privilege Escalation and Use of Non-sanctioned software appear under several columns):
Automated Risk Reporting (Benchmark & Baseline); Wireless Transfers (e.g. AirDrop / Bluetooth); Privileged Account Misuse; Audit trail of all activities; Bypass of Security Controls; Unusual Privilege Escalation; Teachable Moment Reporting; Inappropriate internet usage; USB device usage; File Integrity Monitoring (FIM); Contextualization; Leavers Forensic Audit (365); JSP Backdoor Detection; Accidental Data Loss; Use of personal webmail; Instant Messaging Applications; SWIFT Server Monitoring; Joiners Forensic Audit (Probation Period); Obfuscation & Covering Tracks; Domain Fronting; Use of Non-sanctioned software; System configuration changes; Upload to Cloud Storage (Online File Sharing); Unusual application behavior; File lineage; Unauthorized Use of Administrative / Cyber / Hacking Tools; Lateral Movement; Online File Sharing Misuse; Unauthorized use of decommissioned accounts and/or assets; Personal vs Corporate Webmail (e.g. G Suite); Unusual Database behavior; Rogue applications; Flight Risk + Data Loss; Tor & Proxy Bypass; Shadow IT; Business continuity reporting; Printing; Abnormal internet activity; On / Off Network Monitoring; Malicious or Unusual Application Behavior; Bulk Transfer Utilities; FTP / SFTP / SCP; Bastion / Jump Server Monitoring; DMAP Contextual Audits (Data, Machine, Application, People); Portable Application Use; Unusual Data Aggregation; Instant Messaging Usage; Unauthorized use of communication software; Confidential / Sensitive File Transfers; Unusual Service Account Behavior; User to Admin Account Correlation.
How Organizations Are Utilizing DTEX InTERCEPT with Splunk
How Organizations Are Utilizing DTEX InTERCEPT with Splunk ES & Phantom
Forward-Looking Statements
This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management's current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.
Little Pain,
Much Gain:
Splunk at Intel
Engineering
PLA1680A
Yaron Kretchmer
Sr. Director, Design Infrastructure | Intel Corp.
Matthew Bruehl
Analytics Lead | Intel Corp.
Notice and Disclaimers
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its
subsidiaries. Other names and brands may be claimed as the property of others.
Intel technologies may require enabled hardware, software or service activation.
No product or component can be absolutely secure.
Your costs and results may vary.
Results have been estimated or simulated.
Statements in this document that refer to future plans or expectations are forward-looking statements. These
statements are based on current expectations and involve many risks and uncertainties that could cause actual
results to differ materially from those expressed or implied in such statements. For more information on the factors
that could cause actual results to differ materially, see our most recent earnings release and SEC filings at
www.intc.com.
Agenda
1. Why Are We Here?
2. Chip Design at Intel
3. How We Leveraged Splunk Ecosystem
4. Growth of Splunk at Intel Engineering
5. Wins and Pain Points
Why Are We Here?
• Convince
• Describe
• Talk
• Get Your Feedback
It Takes a Village to Design a Chip
• Interdisciplinary work
• Chip design depends heavily on
thorough and insightful analytics
• Our analytics team is small
But we can’t afford another village to support the big village
Intel’s Worldwide Manufacturing Network
Chip Design: 10,000 Foot View
What is the chip’s performance vs…?
What is the chip’s power vs…?
What is the impact of layout on…?
What is the timing of the sub-designs…?
Are the manufacturing processes…?
The most important attributes and variables in processor chip design
How We Leveraged the Splunk Ecosystem
Multiple, unique use-cases with distinct requirements, supported by:
• Full stack functional safety metrics
• Monitoring tools
• A small set of building blocks
• Multi-tenant environment
Splunk Ecosystem - Dashboards and Visualizations
• Splunk’s visualization capabilities are rich
• Provides flexibility with XML dashboards
• Enables freedom to customize almost
anything
• And a variety of add-on custom
visualizations from Splunkbase
Splunk Ecosystem - Connectivity
• Splunk DB Connect (the dbxquery command) allows for connectivity into existing solutions
• Splunk Enterprise: one interface to access and query databases and data sources
• Accessing data from different databases provides new opportunities for analytics,
visualization and insights
• Increased connectivity enables more informed decisions on optimal resource
utilization
Splunk Ecosystem - Standardizing Data Ingestion
• Primary reason: difficult for systems to individually "pull"
data, easier to “push”
• Accessing storage is difficult, but HEC makes it easy
• Focus is structured data, versus log files
• HEC supports variable schema structured data
• Variable schema allows us to evolve metrics of interest
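As an added example (not Intel's or Splunk's code), here is a small Python producer that keeps the HEC envelope fixed while letting the metric payload vary, which is the variable-schema pattern the slide describes. The endpoint, token, index and sourcetype names are placeholder assumptions, and the sample records are constructed.

```python
"""Build and validate a Splunk HEC batch body with a fixed envelope and a
variable event schema. Added example, not Intel's or Splunk's code; the
endpoint, token, index and sourcetype below are placeholder assumptions."""
import json
import time
from typing import Any, Dict, Iterable, List

# Assumed values; replace with your own HEC endpoint and token.
HEC_URL = "https://splunk-hec.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, never commit a real one

# Keys every record must carry, whatever metric fields the producer adds later.
FIXED_KEYS = ("design", "stage", "host")


def make_hec_event(record: Dict[str, Any], *, index: str = "chip_design",
                   sourcetype: str = "intel:design:metric") -> Dict[str, Any]:
    """Wrap one structured record in the HEC envelope.

    The envelope (time/host/source/sourcetype/index/event) is fixed; the
    `event` body may carry any metric keys, so new metrics need no schema change.
    """
    missing = [k for k in FIXED_KEYS if k not in record]
    if missing:
        raise ValueError(f"record missing fixed keys: {missing}")
    return {
        "time": record.get("time", time.time()),
        "host": record["host"],
        "source": "design-pipeline",
        "sourcetype": sourcetype,
        "index": index,
        "event": {k: v for k, v in record.items() if k != "time"},
    }


def build_batch(records: Iterable[Dict[str, Any]]) -> str:
    """HEC accepts several events in one POST body as concatenated JSON objects."""
    return "\n".join(json.dumps(make_hec_event(r), separators=(",", ":")) for r in records)


def hec_headers() -> Dict[str, str]:
    # The token travels in the Authorization header: send it only over TLS with
    # certificate verification on, or anyone on the path can replay it.
    return {"Authorization": f"Splunk {HEC_TOKEN}", "Content-Type": "application/json"}


def parse_batch(body: str) -> List[Dict[str, Any]]:
    """Decode a batch body back into envelopes (lets a producer be tested offline)."""
    return [json.loads(line) for line in body.splitlines() if line.strip()]


# Constructed sample records; the second carries metrics the first does not have.
SAMPLE_RECORDS = [
    {"design": "blockA", "stage": "synthesis", "host": "batch-node-17",
     "time": 1646848800, "runtime_s": 5421, "cell_count": 1250000},
    {"design": "blockA", "stage": "timing", "host": "batch-node-22",
     "time": 1646852400, "runtime_s": 903, "worst_slack_ps": -12, "paths_failing": 4},
]

if __name__ == "__main__":
    body = build_batch(SAMPLE_RECORDS)
    print(body)
    # To send for real: requests.post(HEC_URL, data=body, headers=hec_headers(), verify=True)
```

Keeping the envelope keys fixed is what makes the index, sourcetype and host reliable for RBAC and data models downstream, while the `event` body is free to grow as metrics of interest change.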
Splunk Ecosystem - Access Control Standardization
• Splunk ‘roles’ (RBAC) allow for use-case
customization at the application, index and
individual user level
• Solution: a multi-tenant environment with
LDAP access controls, enables a small team
to manage demands of a large organization
• Advantage: easy to monitor access through
web-based LDAP management interface
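Added example, not Intel's configuration: a Python check that reads Splunk `authorize.conf` role stanzas and the `authentication.conf` LDAP role map and flags roles that break the per-index least-privilege model (wildcard `srchIndexesAllowed`, inheritance from `admin` or `power`, or no LDAP group mapped to the role). The role names, index names and LDAP groups are constructed for illustration; the setting and stanza names are the real Splunk ones.

```python
"""Audit Splunk role definitions for over-broad index access and confirm each
role is reachable through the LDAP role map. Added example, not Intel's
configuration; role/index/group names below are constructed."""
import configparser
from typing import Dict, List

# Constructed authorize.conf excerpt (stanza and setting names are Splunk's).
AUTHORIZE_CONF = """
[role_design_timing]
importRoles = user
srchIndexesAllowed = design_timing;design_power
srchIndexesDefault = design_timing

[role_design_analytics]
importRoles = power
srchIndexesAllowed = *
srchIndexesDefault = design_*

[role_tenant_admin]
importRoles = admin
srchIndexesAllowed = design_timing
"""

# Constructed authentication.conf excerpt: role -> LDAP group(s), ';' separated.
AUTHENTICATION_CONF = """
[roleMap_corpLDAP]
design_timing = CN=Splunk-DesignTiming,OU=Groups,DC=corp,DC=example
design_analytics = CN=Splunk-DesignAnalytics,OU=Groups,DC=corp,DC=example
tenant_admin = CN=Splunk-TenantAdmins,OU=Groups,DC=corp,DC=example
"""

# Roles whose inheritance silently widens a tenant role far beyond its indexes.
PRIVILEGED_ROLES = {"admin", "sc_admin", "power"}


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps '%' in values literal; option keys are lowercased.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def load_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {setting: value}}."""
    cp = _parse(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def load_role_map(text: str) -> Dict[str, List[str]]:
    """Parse [roleMap_<strategy>] stanzas into {role: [ldap groups]}."""
    cp = _parse(text)
    mapping: Dict[str, List[str]] = {}
    for s in cp.sections():
        if s.startswith("roleMap_"):
            for role, groups in cp[s].items():
                mapping[role] = [g.strip() for g in groups.split(";") if g.strip()]
    return mapping


def audit_roles(roles: Dict[str, Dict[str, str]], role_map: Dict[str, List[str]]) -> List[str]:
    """Return one finding string per least-privilege problem found."""
    findings = []
    for name, cfg in roles.items():
        allowed = [i.strip() for i in cfg.get("srchindexesallowed", "").split(";") if i.strip()]
        if "*" in allowed or "_*" in allowed:
            findings.append(f"{name}: srchIndexesAllowed grants every index")
        imported = {r.strip() for r in cfg.get("importroles", "").split(";") if r.strip()}
        if imported & PRIVILEGED_ROLES:
            findings.append(f"{name}: inherits privileged role(s) {sorted(imported & PRIVILEGED_ROLES)}")
        if name not in role_map:
            findings.append(f"{name}: no LDAP group mapped, role is unreachable or locally assigned")
    return findings


if __name__ == "__main__":
    for line in audit_roles(load_roles(AUTHORIZE_CONF), load_role_map(AUTHENTICATION_CONF)):
        print(line)
```

Run it against the btool output (`splunk btool authorize list role_*`) to catch merged values from several apps; a tenant role that imports `power` or allows `*` undoes the per-index separation the multi-tenant design relies on.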
Splunk Ecosystem - Massive Data Volumes
• The ‘out-of-the-box’ ingestion with HEC is suitable
for most of our use cases
• Kafka connector designed and built to ingest high
volume batch compute records via HEC endpoint
• Many accelerated data models built to analyze/chart
the performance of batch compute tasks on metrics
across 100s-million of events
Splunk Ecosystem - Machine Learning
• ML models to detect quality outliers for design
submissions based on historical data
• Capabilities for extending commands with custom
scripts to apply ML analysis for internal product
applications like design quality forecasting
• Schedule and design closure trends based on
up-to-minute design metrics and indicators
Successes
• JSON over HEC is "flexible enough"
• "Fixed" keys in JSON make life easier
• dbxquery can connect to *SQL databases
• Built-in visualizations are "good enough"
• Built-in high-availability cluster architecture
More Successes
• Kafka connects Splunk to high-volume producers and consumers
• Splunk users learn very quickly
• Custom search commands are very powerful
• Add-ons and 'apps' options are excellent
Recommendations for a Complete Solution
• Extend Splunk Enterprise reference documentation beyond log file mining
• Provide drag-drop dashboard components and default visualizations with real data
• Develop external REST query access as a built-in feature
• Enable an easy connection to non-SQL (e.g. Mongo/Redis) databases
• Enhance the documentation on managing object access with Active Directory hierarchy
• Provide version tracking/revision control of artifacts or knowledge objects
Key Take-Aways
• Although designed for IT, Splunk has
proved productive in a chip-design
environment
• Splunk business value for chip design -
Scale fast without need for big team
• We leveraged the ‘swiss army knife’ aspect
of Splunk to be productive quickly
• Splunk is a broad platform, rather than just
log analytics
If you have insights on solutions to any
of our pain points, contact us :)
Thank You
Session Survey: please provide feedback via the session survey.
Splunk RBA Lessons Learned
Assets and Identity Tables
• Know how they are created and updated
• DHCP issues
• Removal of retired, lost systems
Framework Usage
• Take the time up front to do framework mapping
Notable Creation Compliance Considerations
• Story vs Compliance event presentation
Search Considerations
• Increased visibility requires additional searches
• Data model searching
• Data normalization
Risk Scores
• Be ready for extensive score tuning
• This includes risk score, risk modifiers, notable creation risk levels
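To make the lessons above concrete, here is an added Python model of an RBA pipeline (not Nordstrom's or Splunk's code): risk events are attributed to an asset through an IP table that honours DHCP lease expiry, a risk modifier is applied, and a notable fires when either the summed score or the number of distinct ATT&CK tactics crosses a threshold. The asset table, events, thresholds and modifier rule are all constructed assumptions.

```python
"""Toy risk-based alerting pipeline: asset attribution with DHCP lease expiry,
risk modifiers, per-object accumulation and threshold-based notable creation.
Added example, not Nordstrom's or Splunk's code; all data is constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed asset table keyed by IP. lease_end models the slide's "DHCP issues":
# an event after lease_end must not be pinned to the host that used to hold the IP.
ASSETS = {
    "10.1.5.23": {"host": "lt-jdoe", "lease_end": 1646850000, "owner": "jdoe"},
    "10.1.5.40": {"host": "srv-payroll-01", "lease_end": None, "owner": "svc-payroll"},
}

# Constructed risk events: (epoch, src_ip, risk_score, mitre_tactic, message)
RISK_EVENTS: List[Tuple[int, str, int, str, str]] = [
    (1646848000, "10.1.5.23", 20, "TA0001", "Phishing attachment opened"),
    (1646848600, "10.1.5.23", 30, "TA0002", "Office spawned powershell"),
    (1646849200, "10.1.5.23", 30, "TA0003", "Run key persistence written"),
    (1646851000, "10.1.5.23", 40, "TA0008", "SMB logon to 5 hosts"),  # after lease_end
    (1646848500, "10.1.5.40", 10, "TA0007", "Net group enumeration"),
]

SCORE_THRESHOLD = 60            # summed risk over the window (assumed value)
DISTINCT_TACTIC_THRESHOLD = 3   # "story" rule: breadth of ATT&CK tactics (assumed)


def modifier(asset: Optional[dict]) -> float:
    """Risk modifier applied before accumulation; this is the knob the slide
    says needs extensive tuning. Assumed rule: weight service accounts higher."""
    if asset and asset.get("owner", "").startswith("svc-"):
        return 1.5
    return 1.0


def resolve_object(ts: int, ip: str) -> Tuple[str, Optional[dict]]:
    """Map an IP to a risk object via the asset table, refusing stale leases."""
    a = ASSETS.get(ip)
    if a is None:
        return ip, None                      # unknown asset: the IP is the object
    if a["lease_end"] is not None and ts > a["lease_end"]:
        return ip, None                      # lease expired: do not blame the old host
    return a["host"], a


def aggregate(events, window_start: int, window_end: int) -> Dict[str, dict]:
    """Accumulate score, distinct tactics and the event story per risk object."""
    per_obj: Dict[str, dict] = defaultdict(lambda: {"score": 0.0, "tactics": set(), "events": []})
    for ts, ip, score, tactic, msg in events:
        if not (window_start <= ts <= window_end):
            continue
        obj, asset = resolve_object(ts, ip)
        bucket = per_obj[obj]
        bucket["score"] += score * modifier(asset)
        bucket["tactics"].add(tactic)
        bucket["events"].append(msg)
    return per_obj


def notables(per_obj: Dict[str, dict]) -> List[dict]:
    """Create one notable per object that crosses either threshold, carrying the
    contributing events so the analyst sees the story, not a bare score."""
    out = []
    for obj, b in per_obj.items():
        why = []
        if b["score"] >= SCORE_THRESHOLD:
            why.append(f"score {b['score']:.0f} >= {SCORE_THRESHOLD}")
        if len(b["tactics"]) >= DISTINCT_TACTIC_THRESHOLD:
            why.append(f"{len(b['tactics'])} distinct tactics")
        if why:
            out.append({"risk_object": obj, "score": b["score"],
                        "tactics": sorted(b["tactics"]), "why": why, "story": b["events"]})
    return out


if __name__ == "__main__":
    for n in notables(aggregate(RISK_EVENTS, 1646847000, 1646852000)):
        print(n)
```

In the constructed data the lateral-movement event lands after the lease on 10.1.5.23 expired, so it accumulates against the bare IP instead of inflating lt-jdoe's score; without the lease check it would be attributed to the wrong person, which is exactly the asset-table failure the slide warns about.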
What's New in Splunk Enterprise Security 7.0?
Dan Hogland
Staff Security CSE | Splunk
Contents
● Recap of ES 6.6 release
● What’s new in ES 7.0
● Key Resources
Recap of Enterprise Security 6.6 (GA: June 30, 2021)
In case you missed it!
In case you missed it... Enterprise Security 6.6 (June 30, 2021)
• Incident Review Dashboard enhancements
  ○ Saved Filters
  ○ More Screen Real-Estate
  ○ RBA Details
  ○ Dispositions
• RBA Event Timeline visualizations
• Cloud Security Monitoring shared storage datasets
Tune into the ES 6.6 Tech Talk On-Demand
Incident Review Dashboard Enhancements (ES 6.6)
● A fresh way to quickly triage notable events
● Easily identify threats with filters and tags
● Save filters to group notable events
● Classify the disposition of a notable event for false positives
Cloud Security Monitoring (ES 6.6)
● Data Model and Normalization Support for shared cloud storage services such as Box, Google Drive, SharePoint, and OneDrive
● Operationalize data across hybrid and multicloud environments such as AWS, GCP, and Microsoft Azure
● Build and strengthen a unified cloud security posture
Risk-Based Alerting Event Timeline (ES 6.6)
● Quickly identify timelines around contributing Risk Events
● Comprehensive view of overall threat activity combined into a single risk-based event
● Improved visibility between risk objects, risk attributions, threat objects and the timeline of detection
● Reduce MTTD and shorten MTTR SOC metrics
Proactive Risk Based Alerting for Insider Threats (SEC1163A)
Matt Snyder - Program Lead - Advanced Security Analytics, VMware
Accenture's Journey to Risk Based Alerting with Splunk Enterprise Security and Beyond (SEC1249A)
Chip Stearns - Partner, Keos Technology
Marcus Boyd - Manager, Accenture
It worked!
Notable Events counts dropped between 30% & 80+% depending on the use case
False Positive Rate reduced by 30%
Splunk Enterprise Security 7.0
What's New in Splunk Enterprise Security 7.0? (On Prem & Cloud)
● Executive Summary Dashboard
● Security Operations Dashboard
● Cloud Security Monitoring Dashboards
● Real-Time Content Updates
● Dark Mode User Experience (Cloud)
Executive Summary Dashboard (On Prem & Cloud, Available Now)
Executive Level Security Insights with Trends over Time
● Increased visibility for CISOs, Security Directors and SOC Managers into overall health of security program
● Key Insights
  ○ Mean Time to Triage
  ○ Mean Time to Respond
  ○ Investigations Created
  ○ Assigned Notables Over Time
  ○ Notable Event History Trends
  ○ Risk-Based Alerting Trends
  ○ Adaptive Response Action Trends
Security Operations Dashboard (On Prem & Cloud, Available Now)
Performance and Efficiency Insights across Security Operations
● Key Insights
  ○ Mean Time to Triage
  ○ Mean Time to Respond
  ○ Investigations Created
  ○ Notable Assignments
  ○ Notable and Analyst Close Rate
  ○ Notable Disposition
    ■ False Positives
    ■ True Positives
    ■ Benign Positives
Cloud Security Dashboards (On Prem & Cloud, Available Now)
Visibility into AWS and Microsoft 365 Cloud Security Datasets
● New Dashboards include
  ○ AWS Security Groups
  ○ AWS IAM Activity
  ○ AWS Network ACLs
  ○ AWS Access Analyzer
  ○ Microsoft 365
Real-Time Content Updates
Automated Security Content Delivery
● Enterprise Security 7.0 proactively notifies you of new content updates from the Splunk Threat Research Team and enables updates in one click
Modernized User Experience (Cloud, Available Now)
Unified User Experience
● Updated "Dark Mode" User Interface
● ES joins other Splunk Security Products in adopting modern development frameworks and best practices
Learn More about Risk-Based Alerting (RBA) at .conf21
SEC1249A - Accenture's Journey to RBA with Splunk Enterprise Security and Beyond
SEC1163A - Proactive Risk Based Alerting for Insider Threats
SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation
SEC1466A - A Deep-Dive Into How Zoom Is Building Its World-Class Detection Pipeline in Response to the Zoom-Boom!
SEC1800A - Implementing Zero Trust: From Hype to Reality
SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR
Additional Resources
Continue your Splunk Security Journey
Past RBA .conf Sessions
● SEC1113A - Streamlining Analysis of Security Stories with Risk-Based Alerting
● SEC1391C - Full Speed Ahead with Risk-Based Alerting (RBA)
● SEC1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach
● SEC1556 - Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT...
● SEC1803 - Modernize and Mature Your SOC with Risk-Based Alerting
● SEC1538 - Getting started with Risk-Based Alerting and MITRE
● SEC1908 - Tales from a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Appr...
Solution Brief and Tech Talks
● Embark on your Risk-Based Alerting Journey With Splunk | Solution Brief
● Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA) | Tech Talk
● Risk Based Alerting at Machine Speed with Splunk Phantom | Tech Talk
● What's New in Splunk Enterprise Security 6.6?
Success Advisors
● Risk-Based Alerting Launch Workshop and Implementation Offering
Thank You

More Related Content

PPTX
July 2021 Virtual PNW Splunk User Group Slides
PPTX
November 2021 Splunk PNW User Group
PDF
Portland Splunk User Group May 2020
PPTX
Splunk
PPTX
Introduction into Security Analytics Methods
PPTX
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
PPTX
Security Automation & Orchestration
PPTX
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
July 2021 Virtual PNW Splunk User Group Slides
November 2021 Splunk PNW User Group
Portland Splunk User Group May 2020
Splunk
Introduction into Security Analytics Methods
Spliunk Discovery Köln - 17-01-2020 - Intro to Security Analytics Methods
Security Automation & Orchestration
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018

What's hot (20)

PPTX
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
PPTX
Machine Data 101: Turning Data Into Insight
PPTX
The Risks and Rewards of AI
PPTX
IoT Analytics @ splunk
PDF
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
PPTX
Splunk4Leaders
PPTX
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
PPTX
Turning Data Into Business Outcomes with the Splunk Platform
PDF
Analytics Driven SIEM Workshop
PPTX
Worst Splunk practices...and how to fix them
PPTX
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
PPTX
SplunkLive! London 2017 - Happy Apps, Happy Users
PDF
Splunk Artificial Intelligence & Machine Learning Webinar
PDF
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
PPTX
SplunkLive! Munich 2018: Predictive, Proactive, and Collaborative ML with IT ...
PPTX
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
PPTX
Do You Really Need to Evolve From Monitoring to Observability?
PPTX
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
PPTX
Splunk Discovery: Milan 2018 - Splunk Overview
PPTX
SplunkLive! Munich 2018: Integrating Metrics and Logs
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Machine Data 101: Turning Data Into Insight
The Risks and Rewards of AI
IoT Analytics @ splunk
Reactive to Proactive: Intelligent Troubleshooting and Monitoring with Splunk
Splunk4Leaders
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Turning Data Into Business Outcomes with the Splunk Platform
Analytics Driven SIEM Workshop
Worst Splunk practices...and how to fix them
SplunkLive! Zurich 2017 - Advanced Analytics / Machine Learning
SplunkLive! London 2017 - Happy Apps, Happy Users
Splunk Artificial Intelligence & Machine Learning Webinar
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
SplunkLive! Munich 2018: Predictive, Proactive, and Collaborative ML with IT ...
SplunkLive! Frankfurt 2018 - Legacy SIEM to Splunk, How to Conquer Migration ...
Do You Really Need to Evolve From Monitoring to Observability?
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
Splunk Discovery: Milan 2018 - Splunk Overview
SplunkLive! Munich 2018: Integrating Metrics and Logs
Ad

Similar to 2022 09 March Splunk PNW User Group (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
PDF
Splunk Solution overview testing versi 1
PDF
December Bengaluru Splunk User Group Meetup
PDF
March 2023 PNW User Group
PDF
Splunk PNW User Group - Seattle - 2023-06-28.pdf
PDF
SFBA Splunk Usergroup meeting Nov 20, 2024
PPTX
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
PDF
Splunk4Rookies - Attendee - May 2023.pdf
PDF
Building an Analytics Enables SOC
PDF
SFBA Splunk Usergroup meeting July 17, 2024
PDF
Splunk-Presentation
PDF
Splunk Forum Financial Services Chicago 9/13/17
PPTX
Getting Started with Splunk Enterprise Hands-On
PPTX
Delivering New Visibility and Analytics for IT Operations
PPTX
Getting Started with Splunk Enterprise Hands-On
PPTX
Splunk for IT Operations Breakout Session
PPTX
Partner Exec Summit 2018 - Frankfurt: Splunk Business Flow Beta
PPTX
SplunkLive! London 2017 - Splunk Enterprise for IT Troubleshooting
PPTX
Webinar: Neuigkeiten zu Splunk Enterprise 6.3
PPTX
Splunk Data Stream Processor (DSP)
Splunk Leadership Forum Wien - 20.05.2025
Splunk Solution overview testing versi 1
December Bengaluru Splunk User Group Meetup
March 2023 PNW User Group
Splunk PNW User Group - Seattle - 2023-06-28.pdf
SFBA Splunk Usergroup meeting Nov 20, 2024
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
Splunk4Rookies - Attendee - May 2023.pdf
Building an Analytics Enables SOC
SFBA Splunk Usergroup meeting July 17, 2024
Splunk-Presentation
Splunk Forum Financial Services Chicago 9/13/17
Getting Started with Splunk Enterprise Hands-On
Delivering New Visibility and Analytics for IT Operations
Getting Started with Splunk Enterprise Hands-On
Splunk for IT Operations Breakout Session
Partner Exec Summit 2018 - Frankfurt: Splunk Business Flow Beta
SplunkLive! London 2017 - Splunk Enterprise for IT Troubleshooting
Webinar: Neuigkeiten zu Splunk Enterprise 6.3
Splunk Data Stream Processor (DSP)
Ad

Recently uploaded (20)

PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PPT
Geologic Time for studying geology for geologist
PDF
Five Habits of High-Impact Board Members
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
PDF
Flame analysis and combustion estimation using large language and vision assi...
PDF
The influence of sentiment analysis in enhancing early warning system model f...
PDF
Credit Without Borders: AI and Financial Inclusion in Bangladesh
PPTX
Build Your First AI Agent with UiPath.pptx
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
PDF
Architecture types and enterprise applications.pdf
PPTX
Benefits of Physical activity for teenagers.pptx
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PDF
“A New Era of 3D Sensing: Transforming Industries and Creating Opportunities,...
PDF
A review of recent deep learning applications in wood surface defect identifi...
DOCX
search engine optimization ppt fir known well about this
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
PDF
sbt 2.0: go big (Scala Days 2025 edition)
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Geologic Time for studying geology for geologist
Five Habits of High-Impact Board Members
Convolutional neural network based encoder-decoder for efficient real-time ob...
Flame analysis and combustion estimation using large language and vision assi...
The influence of sentiment analysis in enhancing early warning system model f...
Credit Without Borders: AI and Financial Inclusion in Bangladesh
Build Your First AI Agent with UiPath.pptx
Final SEM Unit 1 for mit wpu at pune .pptx
NewMind AI Weekly Chronicles – August ’25 Week III
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
Architecture types and enterprise applications.pdf
Benefits of Physical activity for teenagers.pptx
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
“A New Era of 3D Sensing: Transforming Industries and Creating Opportunities,...
A review of recent deep learning applications in wood surface defect identifi...
search engine optimization ppt fir known well about this
Taming the Chaos: How to Turn Unstructured Data into Decisions
sbt 2.0: go big (Scala Days 2025 edition)
Custom Battery Pack Design Considerations for Performance and Safety

2022 09 March Splunk PNW User Group

  • 1. © 2022 SPLUNK INC. Splunk PNW User Group 09 March, 2022
  • 2. © 2022 SPLUNK INC. If you did not have an opportunity to complete the form to receive a lunch voucher* from DTEX, please PM the email address associated with your grubhub account** via zoom chat to Bryan Duncan or Jennifer Phillips * Voucher is good for today only. ** Email address will NOT be shared. Thank you to today’s sponsor!
  • 3. © 2022 SPLUNK INC. Agenda Topic Speaker Organization Start End Welcome Amanda Richardson Splunk 11:00am 11:05am News and Updates Joshua Marsh Amanda Richardson Splunk 11:05am 11:20am RBA Implementation Lessons Learned Brad Werner Nordstrom 11:20am 11:45am ES 7.0 update Dan Hogland Splunk 11:45am 12:00pm Little Pain, Much Gain - Splunk at Intel Engineering Yaron Kretchmer Matthew Bruehl Intel Corporation 12:00pm 12:25pm UEBA tool for insider threat detection demo Andy London DTEX 12:25pm 12:45pm Wrap-up Amanda Richardson Splunk 12:45pm 1:00pm
  • 4. © 2022 SPLUNK INC. “.conf21 gave me the ability to immerse myself in all things Splunk for two full days, I learned so much.” — John Whitefield Progressive Insurance, IT DevOps Eng. Senior MGM Grand, Las Vegas, NV | June 13–16 Virtual | June 14–15 Join us for a hybrid experience and learn why data is key to achieving better outcomes.
  • 6. © 2022 SPLUNK INC. Empowering Business Users with Pre-Structured Data Tech Talk: Support less technical users in your org! Splunk includes multiple no-code features that allow users to explore, analyze, and pivot the data in Splunk. Learn how to structure your data and configure Splunk to enable these analytic tools and see an overview of how to use pivot tables and other no-code features. Watch the Tech Talk to learn about: ● Indexing and Enriching data with known source types and lookups, so that all business information is easily searchable for your users ● Building data models to structure your Splunk data, to enable pivot tables for your business users ● Exploring, analyzing, and pivoting your Splunk data with no-code features Watch on demand
  • 7. © 2022 SPLUNK INC. "Blue-collar for the blue team." And that's SURGe in a nutshell. Practitioners, storytellers, and old UNIX plumbers who think differently and work on problems that we wish everyone had already solved. You can sign up for our rapid response alerts here splunk.com/surge
  • 8. © 2022 SPLUNK INC. Thank You!
  • 9. © 2021 SPLUNK INC. Accelerate Security Operations with Contextual Human Intelligence & Endpoint Telemetry Andy London Senior Director of Solutions Engineering & Architecture DTEX Systems
  • 13. © 2021 SPLUNK INC. What Is Next-Gen Insider Threat? (platform diagram) DTEX InTERCEPT PLATFORM use cases: Insider Threat (UAM+UEBA), Data Loss Prevention (DLP), Digital Forensics, Fraud Risk & Compliance, Credential Theft (ATT&CK). DMAP + TECHNOLOGY: a patent-pending, real-time correlation of DMAP telemetry introspection and predictive modeling that leads to accurate detection of insider threats at scale. ENCRYPTION LAYER: Employee Privacy & GDPR Compliance. THIRD PARTY INTEGRATIONS: ES, SOAR, UEBA. ZERO-IMPACT → 5MB PER DAY (PER ENDPOINT). UNIFIED TELEMETRY from USER ENDPOINT, SERVER ENDPOINT, VDI, CLOUD, OTHER. INSIDER THREAT BEHAVIORS: MALICIOUS INSIDERS, NEGLIGENT INSIDERS, COMPROMISED INSIDERS, DATA LOSS BEHAVIORS, BEHAVIORAL INDICATORS.
  • 14. © 2021 SPLUNK INC. Use-case matrix (diagram). Columns: Insider Threat Detection (UAM + UEBA); Risk, Audit and Compliance; Data Loss Prevention; Server Security; Forensic Investigations. Behavior categories: MALICIOUS BEHAVIOR, COMPROMISED BEHAVIOR (MITRE ATT&CK™), NEGLIGENT BEHAVIOR. Use cases listed: Automated Risk Reporting (Benchmark & Baseline); Wireless Transfers (e.g. Airdrop / Bluetooth); Privileged Account Misuse; Audit trail of all activities; Bypass of Security Controls; Unusual Privilege Escalation; Teachable Moment Reporting; Inappropriate internet usage; USB device usage; File Integrity Monitoring (FIM); Contextualization; Leavers Forensic Audit (365); Unusual Privilege Escalation; JSP Backdoor Detection; Accidental Data Loss; Use of personal webmail; Instant Messaging Applications; SWIFT Server Monitoring; Joiners Forensic Audit (Probation Period); Obfuscation & Covering Tracks; Domain Fronting; Use of Non-sanctioned software; System configuration changes; Upload to Cloud Storage (Online File Sharing); Unusual application behavior; File lineage; Unauthorized Use of Administrative / Cyber / Hacking Tools; Lateral Movement; Online File Sharing Misuse; Unauthorized use of decommissioned accounts and/or assets; Personal vs Corporate Webmail (e.g. Gsuite); Unusual Database behavior; Rogue applications; Flight Risk + Data Loss; ToR & Proxy Bypass; Shadow IT; Business continuity reporting; Printing; Unusual Privilege Escalation; Abnormal internet activity; On / Off Network Monitoring; Malicious or Unusual Application Behavior; Bulk Transfer Utilities; Use of Non-sanctioned software; FTP / sFTP / SCP; Bastion / Jump Server Monitoring; DMAP Contextual Audits (Data Machine Application People); Portable Application Use; Unusual Data Aggregation; Instant Messaging Usage; Unauthorized use of communication software; Confidential / Sensitive File Transfers; Unusual Service Account Behavior; User to Admin Account Correlation.
  • 16. © 2021 SPLUNK INC. How Organizations Are Utilizing DTEX InTERCEPT with Splunk
  • 18. © 2021 SPLUNK INC. How Organizations Are Utilizing DTEX InTERCEPT with Splunk ES & Phantom
  • 20. Forward-Looking Statements. This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved.
  • 21. © 2021 SPLUNK INC. Little Pain, Much Gain: Splunk at Intel Engineering PLA1680A Yaron Kretchmer Sr. Director, Design Infrastructure | Intel Corp. Matthew Bruehl Analytics Lead | Intel Corp.
  • 22. © 2021 SPLUNK INC. Sr. Director, Design Infrastructure | Intel Corp. Yaron Kretchmer Analytics Lead | Intel Corp. Matthew Bruehl
  • 23. © 2021 SPLUNK INC. Notice and Disclaimers © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others. Intel technologies may require enabled hardware, software or service activation. No product or component can be absolutely secure. Your costs and results may vary. Results have been estimated or simulated. Statements in this document that refer to future plans or expectations are forward-looking statements. These statements are based on current expectations and involve many risks and uncertainties that could cause actual results to differ materially from those expressed or implied in such statements. For more information on the factors that could cause actual results to differ materially, see our most recent earnings release and SEC filings at www.intc.com.
  • 24. © 2021 SPLUNK INC. Agenda: 1. Why Are We Here? 2. Chip Design at Intel 3. How We Leveraged the Splunk Ecosystem 4. Growth of Splunk at Intel Engineering 5. Wins and Pain Points
  • 25. © 2021 SPLUNK INC. Why Are We Here? Convince Describe Talk Get Your Feedback
  • 26. © 2021 SPLUNK INC. It Takes a Village to Design a Chip • Interdisciplinary work • Chip design depends heavily on thorough and insightful analytics • Our analytics team is small. But we can’t afford another village to support the big village. (Figure: Intel’s Worldwide Manufacturing Network)
  • 27. © 2021 SPLUNK INC. Chip Design: 10,000 Foot View What is the chip’s performance vs…? What is the chip’s power vs…? What is the impact of layout on…? What is the timing of the sub-designs…? Are the manufacturing processes…? The most important attributes and variables in processor chip design
  • 28. © 2021 SPLUNK INC. How We Leveraged the Splunk Ecosystem: multiple, unique use-cases with distinct requirements, supported by: full stack functional safety metrics; monitoring tools; a small set of building blocks; a multi-tenant environment
  • 29. © 2021 SPLUNK INC. Splunk Ecosystem - Dashboards and Visualizations • Splunk’s visualization capabilities are rich • Provides flexibility with XML dashboards • Enables freedom to customize almost anything • And a variety of add-on custom visualizations from Splunkbase
  • 30. © 2021 SPLUNK INC. Splunk Ecosystem - Connectivity • dbxconnect allows for connectivity into existing solutions • Splunk Enterprise: one interface to access and query databases and data sources • Accessing data from different databases provides new opportunities for analytics, visualization and insights • Increased connectivity enables more informed decisions on optimal resource utilization
  • 31. © 2021 SPLUNK INC. Splunk Ecosystem - Standardizing Data Ingestion • Primary reason: difficult for systems to individually "pull" data, easier to “push” • Accessing storage is difficult, but HEC makes it easy • Focus is structured data, versus log files • HEC supports variable schema structured data • Variable schema allows us to evolve metrics of interest
  • 32. © 2021 SPLUNK INC. Splunk Ecosystem - Access Control Standardization • Splunk ‘roles’ (RBAC) allow for use-case customization at the application, index and individual user level • Solution: a multi-tenant environment with LDAP access controls, enables a small team to manage demands of a large organization • Advantage: easy to monitor access through web-based LDAP management interface
  • 33. © 2021 SPLUNK INC. Splunk Ecosystem - Massive Data Volumes • The ‘out-of-the-box’ ingestion with HEC is suitable for most of our use cases • Kafka connector designed and built to ingest high-volume batch compute records via the HEC endpoint • Many accelerated data models built to analyze/chart the performance of batch compute tasks on metrics across hundreds of millions of events
  • 34. © 2021 SPLUNK INC. Splunk Ecosystem - Machine Learning • ML models to detect quality outliers for design submissions based on historical data • Capabilities for extending commands with custom scripts to apply ML analysis for internal product applications like design quality forecasting • Schedule and design closure trends based on up-to-the-minute design metrics and indicators
  • 36. © 2021 SPLUNK INC. Successes • JSON over HEC is “flexible enough” • “Fixed” keys in JSON make life easier • Dbxquery can connect to *SQL databases • Built-in visualizations are “good enough” • Built-in high-availability cluster architecture
  • 37. © 2021 SPLUNK INC. More Successes • Kafka connects Splunk to high-volume producers and consumers • Splunk users learn very quickly • Custom search commands are very powerful • Add-ons and ‘apps’ options are excellent
  • 38. © 2021 SPLUNK INC. Recommendations for a Complete Solution • Extend Splunk Enterprise reference documentation beyond log file mining • Provide drag-drop dashboard components and default visualizations with real data • Develop external REST query access as a built-in feature • Enable an easy connection to non-SQL (e.g. Mongo/Redis) databases • Enhance the documentation on managing object access with Active Directory hierarchy • Provide version tracking/revision control of artifacts or knowledge objects
  • 39. © 2021 SPLUNK INC. Key Take-Aways • Although designed for IT, Splunk has proved productive in a chip-design environment • Splunk business value for chip design - Scale fast without need for big team • We leveraged the ‘swiss army knife’ aspect of Splunk to be productive quickly • Splunk is a broad platform, rather than just log analytics If you have insights on solutions to any of our pain points, contact us :)
  • 40. © 2021 SPLUNK INC. Thank You. Please provide feedback via the SESSION SURVEY
  • 42. Assets and Identity Tables • Know how they are created and updated • DHCP issues • Removal of retired, lost systems
  • 43. Framework Usage • Take the time up front to do framework mapping
  • 44. Notable Creation Compliance Considerations • Story vs Compliance event presentation
  • 45. Search Considerations • Increased visibility requires additional searches • Data model searching • Data normalization
  • 46. Risk Scores • Be ready for extensive score tuning • This includes risk score, risk modifiers, notable creation risk levels
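The score tuning these slides warn about is easier to reason about with a small model of the aggregation. This is an added example, not code from the presentation or from Splunk Enterprise Security: it simplifies the risk framework into risk rules that emit risk events with a base score, a priority-based modifier from an asset lookup, a 24-hour sum per risk object, and risk incident rules that raise a notable on a score or distinct-source/tactic threshold. The rule names, lookup values, sample events and thresholds are all constructed.

```python
# Simplified model of risk-based alerting aggregation (added example; the rule
# names, priority lookup, modifiers and thresholds below are constructed).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str              # the user or system the event is attributed to
    source: str                   # the risk rule (correlation search) that produced it
    risk_score: float             # base score assigned by the rule, before modifiers
    tactic: Optional[str] = None  # MITRE ATT&CK tactic annotation, if any


# Constructed asset priority lookup; in ES this comes from the asset/identity tables,
# which is why stale DHCP or retired-system entries skew scores.
ASSET_PRIORITY: Dict[str, str] = {"fileserver01": "critical", "laptop-22": "low"}
# Constructed risk modifiers: scale the base score by the object's priority.
PRIORITY_FACTOR: Dict[str, float] = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}


def modified_score(ev: RiskEvent, priority: Dict[str, str]) -> float:
    """Apply the priority modifier; objects missing from the lookup default to medium (x1.0)."""
    return ev.risk_score * PRIORITY_FACTOR[priority.get(ev.risk_object, "medium")]


def aggregate(events: List[RiskEvent], now: datetime,
              window: timedelta = timedelta(hours=24),
              priority: Dict[str, str] = ASSET_PRIORITY) -> Dict[str, dict]:
    """Sum modified scores per risk object over the window; track distinct sources and tactics."""
    summary: Dict[str, dict] = {}
    for ev in events:
        if ev.time < now - window or ev.time > now:
            continue  # outside the aggregation window, does not contribute
        s = summary.setdefault(ev.risk_object, {"score": 0.0, "sources": set(), "tactics": set()})
        s["score"] += modified_score(ev, priority)
        s["sources"].add(ev.source)
        if ev.tactic:
            s["tactics"].add(ev.tactic)
    return summary


def risk_notables(summary: Dict[str, dict], score_threshold: float = 100.0,
                  min_sources: int = 3, min_tactics: int = 3) -> Dict[str, List[str]]:
    """Risk incident rules: return each object that crosses a threshold with the reasons why."""
    notables: Dict[str, List[str]] = {}
    for obj, s in summary.items():
        reasons = []
        if s["score"] >= score_threshold:
            reasons.append("score")
        if len(s["sources"]) >= min_sources:
            reasons.append("sources")
        if len(s["tactics"]) >= min_tactics:
            reasons.append("tactics")
        if reasons:
            notables[obj] = reasons
    return notables


NOW = datetime(2022, 3, 9, 12, 0)
SAMPLE_EVENTS = [  # constructed risk events
    RiskEvent(NOW - timedelta(hours=1), "jdoe", "Login Outside Business Hours", 20, "Initial Access"),
    RiskEvent(NOW - timedelta(hours=2), "jdoe", "Large Outbound Transfer", 40, "Exfiltration"),
    RiskEvent(NOW - timedelta(hours=3), "jdoe", "Added to Admin Group", 30, "Privilege Escalation"),
    RiskEvent(NOW - timedelta(hours=30), "jdoe", "Scheduled Task Created", 60, "Persistence"),  # too old
    RiskEvent(NOW - timedelta(hours=1), "fileserver01", "Brute Force Attempt", 30, "Credential Access"),
    RiskEvent(NOW - timedelta(hours=2), "fileserver01", "Brute Force Attempt", 30, "Credential Access"),
    RiskEvent(NOW - timedelta(hours=1), "laptop-22", "Removable Media Write", 50, "Collection"),
]

if __name__ == "__main__":
    summary = aggregate(SAMPLE_EVENTS, NOW)
    print(risk_notables(summary))                      # default thresholds
    print(risk_notables(summary, score_threshold=25))  # looser tuning also flags laptop-22
```

With the defaults, jdoe becomes a notable on breadth (three sources, three tactics) with a score of only 90, fileserver01 on score alone because the critical modifier doubles two repeats of one rule, and laptop-22 stays silent until the threshold is lowered; each of the three knobs changes which objects surface.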
  • 47. © 2022 SPLUNK INC. What’s New in Splunk Enterprise Security 7.0? Dan Hogland Staff Security CSE | Splunk
  • 48. © 2022 SPLUNK INC. Contents ● Recap of ES 6.6 release ● What’s new in ES 7.0 ● Key Resources
  • 49. © 2022 SPLUNK INC. Recap of Enterprise Security 6.6 GA: June 30, 2021 In case you missed it!
  • 50. © 2022 SPLUNK INC. In case you missed it... Enterprise Security 6.6 June 30, 2021 • Incident Review Dashboard enhancements ○ Saved Filters ○ More Screen Real-Estate ○ RBA Details ○ Dispositions • RBA Event Timeline visualizations • Cloud Security Monitoring shared storage datasets Tune into the ES 6.6 Tech Talk On-Demand
  • 51. © 2022 SPLUNK INC. Incident Review Dashboard Enhancements (ES 6.6) ● A fresh way to quickly triage notable events ● Easily identify threats with filters and tags ● Save filters to group notable events ● Classify the disposition of a notable event for false positives
  • 52. © 2022 SPLUNK INC. Cloud Security Monitoring (ES 6.6) ● Data Model and Normalization Support for shared cloud storage services such as Box, Google Drive, SharePoint, and OneDrive ● Operationalize data across hybrid and multicloud environments such as AWS, GCP, and Microsoft Azure ● Build and strengthen a unified cloud security posture
  • 53. © 2022 SPLUNK INC. Risk-Based Alerting Event Timeline (ES 6.6) ● Quickly identify timelines around contributing Risk Events ● Comprehensive view of overall threat activity combined into a single risk-based event ● Improved visibility between risk objects, risk attributions, threat objects and the timeline of detection ● Reduce MTTD and shorten MTTR SOC metrics
  • 54. © 2022 SPLUNK INC. Proactive Risk Based Alerting for Insider Threats SEC1163A Matt Snyder - Program Lead - Advanced Security Analytics, VMware
  • 55. © 2022 SPLUNK INC. Accenture’s Journey to Risk Based Alerting with Splunk Enterprise Security and Beyond SEC1249A Chip Stearns - Partner, Keos Technology Marcus Boyd - Manager, Accenture. It worked! Notable Events counts dropped between 30% & 80+% depending on the use case; False Positive Rate reduced by 30%
  • 56. © 2022 SPLUNK INC. Splunk Enterprise Security 7.0
  • 57. © 2022 SPLUNK INC. What’s New in Splunk Enterprise Security 7.0? ● Executive Summary Dashboard ● Security Operations Dashboard ● Cloud Security Monitoring Dashboards ● Real-Time Content Updates ● Dark Mode User Experience (Cloud) On Prem & Cloud
  • 58. © 2022 SPLUNK INC. Executive Summary Dashboard (On Prem & Cloud, Available Now): Executive Level Security Insights with Trends over Time ● Increased visibility for CISOs, Security Directors and SOC Managers into overall health of security program ● Key Insights ○ Mean Time to Triage ○ Mean Time to Respond ○ Investigations Created ○ Assigned Notables Over Time ○ Notable Event History Trends ○ Risk-Based Alerting Trends ○ Adaptive Response Action Trends
  • 59. © 2022 SPLUNK INC. Security Operations Dashboard (On Prem & Cloud, Available Now): Performance and Efficiency Insights across Security Operations ● Key Insights ○ Mean Time to Triage ○ Mean Time to Respond ○ Investigations Created ○ Notable Assignments ○ Notable and Analyst Close Rate ○ Notable Disposition ■ False Positives ■ True Positives ■ Benign Positives
  • 60. © 2022 SPLUNK INC. Cloud Security Dashboards (On Prem & Cloud, Available Now): Visibility into AWS and Microsoft 365 Cloud Security Datasets ● New Dashboards include ○ AWS Security Groups ○ AWS IAM Activity ○ AWS Network ACLs ○ AWS Access Analyzer ○ Microsoft 365. Real-Time Content Updates: Automated Security Content Delivery ● Enterprise Security 7.0 proactively notifies you of new content updates from the Splunk Threat Research Team and enables updates in one click
  • 61. © 2022 SPLUNK INC. Modernized User Experience (Cloud, Available Now): Unified User Experience ● Updated “Dark Mode” User Interface ● ES joins other Splunk Security Products in adopting modern development frameworks and best practices
  • 62. © 2022 SPLUNK INC. Learn More about Risk-Based Alerting (RBA) at .conf21 SEC1249A - Accenture’s Journey to RBA with Splunk Enterprise Security and Beyond SEC1163A - Proactive Risk Based Alerting for Insider Threats SEC1162A - Supercharge Your Risk Based Alerting (RBA) Implementation SEC1466A - A Deep-Dive Into How Zoom Is Building Its World-Class Detection Pipeline in Response to the Zoom-Boom! SEC1800A - Implementing Zero Trust: From Hype to Reality SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR
  • 63. © 2022 SPLUNK INC. Additional Resources: Continue your Splunk Security Journey. Past RBA .conf Sessions ● SEC1113A - Streamlining Analysis of Security Stories with Risk-Based Alerting ● SEC1391C - Full Speed Ahead with Risk-Based Alerting (RBA) ● SEC1479 - Say Goodbye to Your Big Alert Pipeline, and Say Hello to Your New Risk-Based Approach ● SEC1556 - Building Behavioral Detections: Cross-Correlating Suspicious Activity with the MITRE ATT... ● SEC1803 - Modernize and Mature Your SOC with Risk-Based Alerting ● SEC1538 - Getting Started with Risk-Based Alerting and MITRE ● SEC1908 - Tales from a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Appr... Solution Brief and Tech Talks ● Embark on your Risk-Based Alerting Journey With Splunk | Solution Brief ● Operationalize MITRE ATT&CK™ with Risk Based Alerting (RBA) | Tech Talk ● Risk Based Alerting at Machine Speed with Splunk Phantom | Tech Talk ● What’s New in Splunk Enterprise Security 6.6? Success Advisors ● Risk-Based Alerting Launch Workshop and Implementation Offering
  • 64. © 2022 SPLUNK INC. Thank You