Operational Security Intelligence
4 likes1,499 views
The presentation discusses the concept of security intelligence, which involves processes, policies, and tools for protecting organizations from internal and external threats. It emphasizes the need for risk-based analytics and integrating various data sources to enhance decision-making and strategic advantage. Additionally, it highlights the role of Splunk as a central platform for operationalizing security intelligence, facilitating real-time monitoring and incident investigations.
Operational Security Intelligence
- 1. Operationalizing Security Intelligence Monzy Merza @monzymerza
- 2. 2 Disclaimer 2 During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 3. 3 Agenda The super hero and the fish market – a short story What is Security Intelligence For the bosses Demos and Examples
- 5. 5 https://epicheroism.files.wordpress.com/2013 /09/kratos_god_of_war-1680x1050.jpg
- 7. 7
- 8. 8
- 10. 10 Lone hacker…
- 13. 13 Security Intelligence Information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information. http://whatis.techtarget.com/definition/security-intelligence-SI
- 14. 14 Security Intelligence Information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information. http://whatis.techtarget.com/definition/security-intelligence-SI
- 15. 15 Intelligence Actionable information that provides an organization with decision support and possibly a strategic advantage. SI is a comprehensive approach that integrates multiple processes and practices designed to protect the organization. http://whatis.techtarget.com/definition/security-intelligence-SI
- 16. 16 Intelligence Actionable information that provides an organization with decision support and possibly a strategic advantage. SI is a comprehensive approach that integrates multiple processes and practices designed to protect the organization. http://whatis.techtarget.com/definition/security-intelligence-SI
- 18. 18 Connecting People and Data Through a Nerve Center
- 19. Operationalizing Security Intelligence Risk-Based Context and Intelligence Connecting People and Data 19
- 20. 20 Requirements: Risk Based Analytics
- 21. 21 2 Network Endpoint Access Data Sources Threat Intelligence
- 22. 22 Data Sources Persist, Repeat Known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Who talked to whom, traffic, malware download/delivery, C2, exfiltration, lateral movement Running process, services, process owner, registry mods, file system changes, patching level, network connections by process/service Access level, privileged use/escalation, system ownership, user/system/service business criticality 2 2 • 3rd party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall, IDS, IPS • DNS • Email • Web Proxy • NetFlow • Network • AV/IPS/FW • Malware detection • Config Management • Performance • OS logs • File System • Directory Services • Asset Mgmt • Authentication Logs • Application Services • VPN, SSO Threat intelligence Access/Identity Endpoint Network
- 23. 23 Risk Based Analytics Network Endpoint AccessThreat Intelligence Rules/String/Regex matching Statistical outliers and anomalies Scoring and aggregation Session and Behavior profiling
- 24. 24 Requirements: Context and Intelligence
- 25. 25 Context and Intelligence Integrate across technologies Automated context matching Automated context acquisition Post processing and post analysis Threat Intelligence Asset & CMDB API/SDK Integrations Data Stores Applications
- 27. 27 Requirements: Connecting Data and People
- 28. 28 Connecting People and Data Human mediated automation Sharing and collaboration Free form investigation – human intuition Interact with views and workflows Any data, all data Automation Collaboration Investigation Workflows All data
- 29. Operationalizing Security Intelligence Risk-Based Context and Intelligence Connecting People and Data 29
- 30. 30 Demo 1
- 31. 31 SECURITY USE CASES In SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN, ADVANCED THREATS INCIDENT INVESTIGATIONS & FORENSICS INSIDER THREAT 3 Splunk Can Complement OR Replace an Existing SIEM INSIDER THREAT
- 32. 32 SPLUNK FOR SECURITY 3 SECURITY APPS & ADD-ONS SPLUNK APP FOR PCI SIEM Security Analytics Fraud, Theft and Abuse Platform for Security Services SPLUNK USER BEHAVIOR ANALYTICS Wire data Windows = SIEM integration RDBMS (any) data SPLUNK ENTERPRISE SECURITY
- 33. 33 Demo 2
- 34. 34
- 35. 35 Adaptive Response- Remediating USB Malware Detect Eject Malicious USB Block Network CommunicationsOrchestrate Automation
- 36. 36 SPLUNK IS THE NERVE CENTER 36 App Endpoint/ Server Cloud Threat Intelligence Firewall Web Proxy Internal Network Security Identity Network
- 37. 37 Connecting People and Data Through a Nerve Center
- 38. 38 Getting Started Splunk Enterprise Free Download Enterprise Security Cloud Trial Splunk UBA Proof of Value
- 39. 39 SEPT 26-29, 2016 WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education!
Editor's Notes
- #3: Stela starts
- #19: Let’s watch this short video and see how big the problem is … Did you feel their pain? Do you see the chaos? So now imagine Splunk in the middle of all that, being positioned in FY’17 as a leader to help our customers fight the bad guys. Help them do threat detection and threat analysis, be proactive and reactive, and resolve security events faster and before they create damages. This is a big mission and a very important one. We are helping protect not only our customers, but also our economy and our countries. So… what is in it for us? Besides purpose and fulfillment, there is also a big financial opportunity for Splunk (click)
- #20: The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape.
- #30: The process of discovering relationships across all security-relevant data, including data from IT infrastructures, point security products and all machine-generated data to rapidly adapt to a changing threat landscape.
- #38: Let’s watch this short video and see how big the problem is … Did you feel their pain? Do you see the chaos? So now imagine Splunk in the middle of all that, being positioned in FY’17 as a leader to help our customers fight the bad guys. Help them do threat detection and threat analysis, be proactive and reactive, and resolve security events faster and before they create damages. This is a big mission and a very important one. We are helping protect not only our customers, but also our economy and our countries. So… what is in it for us? Besides purpose and fulfillment, there is also a big financial opportunity for Splunk (click)
- #40: We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!