© 2017 SPLUNK INC.
Splunk User Group Edinburgh
Recording In Progress
Provided by: Product Forge
Introduction to Harry McLaren
● Alumnus of Edinburgh Napier
● Senior Security Consultant at ECS
● Leader of the Splunk User Group Edinburgh
Introduction to ECS
Strategic Splunk Partner - UK
– Type: Security / IT Operations / Managed Services
– Awards: Splunk Revolution Award & Splunk Partner of the Year
Agenda
• Housekeeping: Event Overview & House Rules
• Splunk and Orchestration - Robert Williamson
• Cloud (AWS) Security with Splunk - Harry McLaren
• Operation Honey-Splunk - James Rowell - Cancelled
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing
user group experience for our users, where
they contribute and get involved”
● User-Led Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
● We Have 140 Members!
Splunk and Orchestration
Robert Williamson
Introduction – Robert Williamson
▶ Alumnus of Edinburgh Napier
▶ Security Consultant at ECS
▶ Co-leader of the Splunk User Group Edinburgh
What is orchestration?
▶ “Security orchestration is the method of connecting security tools and integrating disparate security systems.”
▶ “It is the connected layer that streamlines security processes and powers security automation.”
Orchestration vs. Automation
▶ Question: Are they the same?
▶ Answer: No…
• “The difference between ‘Automatize’ and ‘Orchestrate’ is comparable to the difference between ‘tasks’ and ‘processes’. This difference allows us to get the best of each process and the advantage of its combination in a joint execution.”
The “Engine” (diagram): Orchestration, Adaptation, Development, Schedule, Monitor, Workflow, Process, Work Flow
Splunk Adaptive Response
Orchestration, the Splunk way
The Adaptive Response Initiative: Acalvio, AlgoSec, Anomali, Blue Coat + Symantec, Carbon Black, Cisco, CrowdStrike, CyberArk, Demisto, DomainTools, ForeScout, Fortinet, Okta, OpenDNS, Palo Alto Networks, Phantom, Proofpoint, Qualys, Recorded Future, RedSeal, Resolve Systems, Splunk, Tanium, ThreatConnect, and Ziften.
Splunk with Orchestration
▶ Splunk as the trigger: an alert or event of interest is established in Splunk and, depending on the alert, a pre-defined path of actions is selected and handed to the orchestration tool to carry out.
▶ Splunk being queried: Splunk becomes the source of contextual information, and the orchestration toolset makes its decision based on the results it gathers from Splunk.
Orchestration Tools
What is available?
Questions?
Thank You
Cloud (AWS) Security with Splunk
Harry McLaren
Cloud (AWS) Security with Splunk: Agenda
▶ Amazon Web Services Products
▶ Shared Security Model
▶ Built-in Controls/Features
▶ Security Framework/Model
▶ Collection & Use Cases
▶ Splunk Infrastructure
▶ Splunk App for AWS
▶ Demo
▶ Other Clouds
▶ Resources
59+ Products (SaaS, PaaS, IaaS)
Shared Security Model: Infrastructure Services
Such as Amazon EC2, Amazon EBS, and Amazon VPC
Built-in Controls/Features
All Available with AWS
▶ Built-in Firewalls
▶ Role-based Access Control
▶ Multi-factor Authentication
▶ Private Subnets
▶ Encrypt Your Data At Rest
▶ Cloud HSM
▶ Dedicated Connections
▶ Security Logs
▶ More…
NIST Cyber Security Framework: Model
Standard Security Approach (diagram): Identify, Protect, Detect, Respond, Recover
NIST Cyber Security Framework: Detect
Detect function categories (diagram): Anomalies & Events, Security Continuous Monitoring, Detection Processes
Collection & Use Cases
Sourcetypes & Collection Methods
Data Source – Use Cases
Config + Config Rules
  • Configuration snapshots and historical configuration data.
  • Configuration change notifications.
  • Descriptions of your AWS EC2 instances.
  • Compliance details, compliance summary, and evaluation.
Inspector
  • Assessment Runs and Findings data from the Inspector service.
CloudTrail
  • Management and change events.
CloudWatch
  • Data from CloudWatch Logs and VPC logs.
  • Performance and billing metrics.
S3
  • Generic log data, access logs from your S3 buckets.
  • CloudFront and ELB access logs.
Kinesis
  • Data from Kinesis streams.
SQS
  • Generic data from SQS.
Build it Yourself
Hosted On-Premise or Cloud Based (or Hybrid)
As a Service
Built and Hosted by Splunk (On AWS)
Splunk App for AWS Demo
URL
Splunk App for AWS
Contains: Dashboards, Reports, Alerts, Inputs, Scripts
Dashboards:
• Traffic Analysis (VPC, CloudFront, ELB, S3)
• Network ACLs
• Security Groups
• IAM Activity
• Key Pairs Activity
• S3 Data Events
• Resource Activity
• User Activity
• Security Anomaly Detection
Alerts:
• IAM: Create/Delete Roles
• IAM: Create/Delete/Update Access Keys
• Instances: Reboot/Stop/Terminate Actions
• Key Pairs: Create/Delete/Import Key Pairs
• Unauthorized Actions
• VPC: Create/Delete VPC
• VPC: Create/Delete/Replace Network ACLs
• New Non-Compliant Resource
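As an added example (not code from the deck or from the Splunk App for AWS itself), the Python below applies the alert list above to CloudTrail management events: it maps each record's eventSource/eventName pair to the slide's alert categories and flags calls refused by AWS authorisation as "Unauthorized Actions". The CloudTrail records, account id, principals, IPs and times are constructed for the example; the "New Non-Compliant Resource" alert is fed by Config rather than CloudTrail, so it is not modelled here.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log body ({"Records": [...]}) with five management
# events. Account id, principals, IPs and times are made up for this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2017-06-01T09:12:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2017-06-01T09:15:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2017-06-01T09:16:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2017-06-01T10:02:51Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVpc", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
    {"eventTime": "2017-06-01T10:03:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ReplaceNetworkAclEntry", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
]})

# Alert categories from the slide, keyed to the CloudTrail eventSource and the
# API names (eventName) each category covers.
ALERT_CATEGORIES = {
    "IAM: Create/Delete Roles":
        ("iam.amazonaws.com", {"CreateRole", "DeleteRole"}),
    "IAM: Create/Delete/Update Access Keys":
        ("iam.amazonaws.com", {"CreateAccessKey", "DeleteAccessKey", "UpdateAccessKey"}),
    "Instances: Reboot/Stop/Terminate Actions":
        ("ec2.amazonaws.com", {"RebootInstances", "StopInstances", "TerminateInstances"}),
    "Key Pairs: Create/Delete/Import Key Pairs":
        ("ec2.amazonaws.com", {"CreateKeyPair", "DeleteKeyPair", "ImportKeyPair"}),
    "VPC: Create/Delete VPC":
        ("ec2.amazonaws.com", {"CreateVpc", "DeleteVpc"}),
    "VPC: Create/Delete/Replace Network ACLs":
        ("ec2.amazonaws.com", {"CreateNetworkAcl", "DeleteNetworkAcl",
                               "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation"}),
}
# errorCode values CloudTrail records when IAM or EC2 authorisation refuses a call.
UNAUTHORIZED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

def classify(record):
    """Return the alert categories one CloudTrail record triggers (may be empty)."""
    hits = []
    # A refused call is reported on its own and also under the action it attempted,
    # so the analyst sees both the denial and what the caller was trying to do.
    if record.get("errorCode") in UNAUTHORIZED_CODES:
        hits.append("Unauthorized Actions")
    for category, (source, names) in ALERT_CATEGORIES.items():
        if record.get("eventSource") == source and record.get("eventName") in names:
            hits.append(category)
    return hits

def triage(log_text):
    """Parse a CloudTrail log body and return one alert row per (record, category)."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        for category in classify(rec):
            alerts.append({"time": rec.get("eventTime"), "actor": actor,
                           "source_ip": rec.get("sourceIPAddress"),
                           "event": rec.get("eventName"), "category": category})
    return alerts

def summarize(alerts):
    """Count alerts per category, as a dashboard panel would roll them up."""
    return Counter(a["category"] for a in alerts)
```

Running triage(SAMPLE_CLOUDTRAIL) yields five alert rows (the read-only DescribeInstances call produces none, and the refused TerminateInstances call produces two), which summarize() rolls up per category.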
Clouds Everywhere! What about other people's Clouds?
Microsoft Cloud
• Splunk Add-on for Microsoft Cloud Services
Google Cloud
• Splunk Add-on for Google Cloud Platform
Cloud Foundry
• Splunk Add-on for Cloud Foundry
Resources
▶ Splunk App for AWS (Documentation)
▶ Splunk Add-on for AWS (Documentation)
▶ Splunk with AWS Case Study
▶ AWS Technical Whitepaper
▶ AWS CloudFormation Templates for Splunk Cluster
▶ Deploying Splunk on AWS Whitepaper
▶ AWS CloudTrail with Splunk
▶ Splunk on AWS (Quick Start)
▶ Add-ons for Cloud Foundry, Microsoft Cloud, Google Cloud
Thank You
Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via https://splunk-usergroups.signup.team/
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@ecs.co.uk | @cyberharibu
‣ ECS | enquiries@ecs.co.uk | @ECS_Cybersec | ecs.co.uk


Securing the Enterprise/Cloud with Splunk at the Centre


Editor's Notes

#10 (Orchestration vs. Automation): The best security operation centers (SOCs) are built on efficiency and speed-to-response. But if you’ve ever worked in a SOC or on a security team, you know it’s tough to get your security systems, tools and teams to integrate in a way that streamlines detection, response, and remediation. One of the most tedious tasks of all is cobbling together alert details to assess whether a security event is a real threat, along with correlating data and coordinating the appropriate response. That’s why security tools need to be connected, security processes need to be efficient and, as an industry, we need to start working together. As new technologies arrive on the scene every day (IoT, BYOD and continued virtualization of all the things), security teams need a way to become more agile. This is where security orchestration comes in. Orchestration is not a new term by any means. You’ve probably heard of DevOps orchestration, which seeks to automate infrastructure deployments and document ‘infrastructure as code’. Now it’s time to apply this to security processes.
#11 (The “Engine”): Orchestration is the process of taking a “simple” task and creating a workflow. The basic idea of a workflow is taking the task at hand, breaking it down as much as you can, adding logic along with input(s), then outputting a value that is either an output of the logic, an interaction, or possibly a Boolean value. https://www.thinkahead.com/blog/automation-vs-orchestration-what-s-the-difference-and-how-to-pick-the-right-tool/
#28 (Splunk App for AWS): Showcase: Security Overview, Topology, Timeline, Config Rules, Security Anomaly Insights