Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying
Michel Oosterhof | Staff Sales Engineer
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
Forward-Looking Statements
THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.
Agenda
What Will We Be Talking About Today?
▶ You Got This: things you can do today to get “ready” for a SIEM replacement
▶ SIEM Replacement Methodology: Splunk PS best practices
▶ Use Cases: these drive migrations
▶ Data Sources & Data Onboarding: parsers / connectors / TAs
▶ Architecture: measure twice, cut once
▶ Third Party Integrations: smart? Great! But do you play well with others?
© 2018 SPLUNK INC.
How Did We Get Here?
I’m done. I’m replacing this SIEM!
Most Common Reasons for Replacement
▶ Worthy reasons:
• Limited security data types
• Inability to effectively ingest data
• Slow investigations
• Instability and scalability
• End-of-life or uncertain roadmap
• Closed ecosystem
• Limited to on-premises
• Limited to vendor cloud
▶ Splunk’s a great product, why not?
SIEM Migration Methodology
Splunk Professional Services (PS) Best Practices – Based on Real World Experience
Things You Should Know About Legacy SIEM Replacement and Splunk Best Practices
SIEM replacements can be complex, but if the following things are taken into account, you won’t lose your job (or your shirt) over it:
▶ Use cases matter:
• Audit & prioritize use cases
• Planned response ... do something!
▶ Know your data / datasources:
• Identify datasources & owners
• Audit datasources
• Identify enrichment requirements
▶ Current / future state integrations
▶ Research & preparation is key
▶ Assets & identities
▶ Partner with Splunk + PS
Use Cases
These Drive Replacements…Use Cases, Use Cases, USE CASES!
What Is a Use Case?
▶ Document describing a single detection activity.
• What is the condition to detect?
• What is the event data required?
• What enrichment is required to scope down events?
• What enrichment will reduce noise (false positives)?
• Point to the response plan
• What are your current use cases?
• Which ones provide value?
• Which ones don’t?
[Figure: development lifecycle diagrams: Spiral (Analysis, Planning, Evaluation, Development), Waterfall (Requirements, Design, Implementation, Verification, Maintenance), Prototyping (Determine Objectives, Implement, Test), and a Develop / Demonstrate / Refine cycle]
What Is a Response Plan?
▶ Document describing a single response activity
• For a response, what event data is required to triage?
• What actions should be taken?
• Escalation communication, and do we need to order pizza?
• Can we reduce the cost of pizza by providing better data for response decisions?
Putting the Horse Before the Cart…
▶ The first step in embarking on a SIEM replacement initiative is identifying and prioritizing high-value use cases, response plans and compliance reports:
• Splunk PS has a 1-2 week SIEM replacement workshop where we come in and help customers:
− Identify and develop high-fidelity use cases slated for migration/development
− Identify datasources and enrichment via the use case prioritization process
− Plan the solution architecture
• We typically see a 30-60% reduction in use cases selected for migration, generally due to:
− Old and/or stale rules
− Housekeeping rules no longer needed
− Rule consolidation due to advanced Splunk Query Language
So no, you don’t have to migrate ALL your old funky rules!
Datasources & Data Onboarding
Parsers / Connectors / TAs (Technology Add-ons)
How Do You Migrate Datasources to Splunk?
▶ Use case analysis determines in-scope datasources
▶ Why you don’t need to migrate your historical data from Legacy SIEM
▶ Data Source Onboarding via:
Splunk Log Forwarding:
• Universal Forwarder (UF) deployed alongside existing parsers/connectors
Syslog Aggregation:
• UF deployed on syslog aggregator to read and ship logs into Splunk
Other Common Methods:
• Modern HTTP Event Collection
• Database Tables (DBX)
• Never forget: Splunk Stream!
TAs (Technology Add-ons):
• Fields from raw data
• Data Normalization
• Splunkbase
- splunkbase.com
- Easy Button: Custom TAs via “Splunk Add-on Builder” App
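What a Technology Add-on does to a datasource, shown as an added Python example rather than as props/transforms settings (this is not the deck's or Splunk's code): raw firewall syslog lines as relayed by an aggregator are parsed into fields, normalized to CIM Network Traffic field names, and wrapped in the HTTP Event Collector event envelope. The log format, vendor-to-CIM field map, sourcetype and index name are constructed assumptions; lines that do not parse are returned separately so onboarding log loss is visible rather than silent.

```python
"""Field extraction, CIM normalization and HEC packaging for firewall syslog.
Added example; log format, field map, sourcetype and index are constructed."""
import json
import re
import urllib.request
from datetime import datetime, timezone

# Constructed syslog lines, as a syslog aggregator would relay them.
RAW_LINES = [
    "<134>Sep 26 10:14:02 fw01 kernel: act=deny proto=TCP src=10.1.2.3 "
    "spt=51234 dst=203.0.113.9 dpt=445 bytes=0",
    "<134>Sep 26 10:14:03 fw01 kernel: act=allow proto=UDP src=10.1.2.7 "
    "spt=53120 dst=10.0.0.53 dpt=53 bytes=84",
    "<134>Sep 26 10:14:04 fw01 kernel: link state change on eth0",
]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Vendor key -> CIM Network Traffic field (assumption for this constructed
# format); this is the job FIELDALIAS/EVAL settings do in a real TA.
CIM_FIELD_MAP = {"src": "src", "dst": "dest", "spt": "src_port",
                 "dpt": "dest_port", "proto": "transport", "bytes": "bytes"}
CIM_ACTION = {"allow": "allowed", "deny": "blocked", "drop": "blocked"}
INT_FIELDS = ("src_port", "dest_port", "bytes")


def extract_fields(line):
    """Split syslog header and key=value payload ('fields from raw data').
    Returns None when the line does not parse so it can be counted, not lost."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("msg")))
    if not kv:
        return None
    return {"host": m.group("host"), "ts": m.group("ts"), **kv}


def normalize(fields, year):
    """Rename to CIM fields and type the values ('data normalization').
    Syslog timestamps carry no year, so the caller supplies it."""
    ev = {CIM_FIELD_MAP[k]: v for k, v in fields.items() if k in CIM_FIELD_MAP}
    for f in INT_FIELDS:
        if f in ev:
            ev[f] = int(ev[f])
    ev["transport"] = ev.get("transport", "").lower()
    ev["action"] = CIM_ACTION.get(fields.get("act", "").lower(), "unknown")
    ev["vendor_product"] = "constructed-fw"  # placeholder vendor/product name
    ev["host"] = fields["host"]
    stamp = datetime.strptime("%d %s" % (year, fields["ts"]), "%Y %b %d %H:%M:%S")
    ev["_time"] = stamp.replace(tzinfo=timezone.utc).timestamp()  # assume UTC
    return ev


def to_hec_event(ev, sourcetype="constructed:fw", index="firewall"):
    """HEC /services/collector/event envelope: routing metadata at top level,
    the normalized fields under "event"."""
    payload = dict(ev)
    return {"time": payload.pop("_time"), "host": payload.pop("host"),
            "source": "syslog", "sourcetype": sourcetype, "index": index,
            "event": payload}


def onboard(lines, year):
    """Parse every line; return (HEC events, lines that did not parse).
    The rejected list is the log-loss signal to watch during onboarding."""
    events, rejected = [], []
    for line in lines:
        fields = extract_fields(line)
        if fields is None:
            rejected.append(line)
        else:
            events.append(to_hec_event(normalize(fields, year)))
    return events, rejected


def hec_body(events):
    """HEC accepts several JSON objects concatenated in one request body."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def hec_request(body, hec_url, token):
    """Build (not send) the POST HEC expects; the token travels in the
    Authorization header as 'Splunk <token>'. Send with urllib.request.urlopen."""
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    events, rejected = onboard(RAW_LINES, 2018)
    print(hec_body(events))
    print("unparsed lines:", len(rejected))
    req = hec_request(hec_body(events), "https://splunk.example:8088", "TOKEN-PLACEHOLDER")
    print(req.full_url)
```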
ES Architecture
Measure Twice, Cut Once
Plan the Architecture
Now that we know what we want to do, how will we execute it?
▶ Plan for modern data collection, deprecate legacy log collection infrastructure and stop accepting log loss today
▶ Plan for disaster recovery and availability
▶ Plan to remediate logging policies and source configuration
Splunk Architecture
Components:
• Collection layer (connectors / parsers vs. UFs / HFs)
• Parsing layer (Technology Add-ons)
• Storage layer (indexers)
• Presentation layer (search head + Splunk Enterprise Security)
• Security analytics (Splunk Enterprise Security)
• Management layer (deployment server, cluster master, license server, deployer)
Data source will determine what components are needed; your network determines where they should be.
Third Party Integrations
Smart? Great! But Do You Play Well With Others?
“At this point in the interview, Johnson, we would like to see how well you play with others.”
– Richard Stevens, Penfield, NY
Third Party Integrations
Identify current / future state third-party integration points.
We Support Integration With Most Third Party Systems:
▶ Case Management / Ticketing Systems (ServiceNow, Remedy, etc.)
▶ Threat Intelligence Feeds (STIX, TAXII, internal, etc.)
▶ Database Integration (Oracle, MySQL, etc.)
▶ Microsoft Active Directory
▶ REST API support
▶ Custom Code
▶ Others
[Figure: integration categories around Splunk: Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access]
You Got This!
Things You Can Do Today, to Get Prepared for Your SIEM Replacement
Replacement Checklist: What Do “You” Do Next?
▶ Identify/audit and prioritize use cases for migration
▶ Identify/audit and prioritize datasources for migration
▶ Identify datasource owners
▶ Research Splunk Technology Add-ons for your datasources at splunkbase.com
▶ Assets and identities: identify CMDB sources
▶ Third-party integrations
▶ Develop logging standards
Splunk as Your SIEM
[Figure: Splunk Security Portfolio for SIEM: Enterprise Security, 600+ Partner Apps and User Behavior Analytics (discover anomalous behavior, detect unknown threats), with ES Content Update and PCI Compliance, on top of the Platform for Operational Intelligence (search and investigate, monitoring & alerting, dashboards and reports, incident & breach response); Splunk Security Apps (App for AWS, ML Toolkit, Google Cloud, Microsoft Cloud); functions: automation & orchestration, threat detection, security operations; data: network data, Exchange data, threat intel, email, EDR/ETDR, DLP]
Splunk Enterprise Security Demo
ES : Security Posture
Endpoint : Malware Center
Endpoint : System Center
Endpoint : Update Center
Endpoint : Endpoint Changes
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migration and Not Die Trying
Splunk Enterprise Security Investigations Demo
SIEM Replacement Customer Success
Analytics-Driven SIEM to Enable Hybrid Cloud Transition
▶ Improved visibility over hybrid infrastructure
▶ Gained ability to detect and respond to complex cyberthreats
▶ Reduced IT costs due to more efficient resourcing
Speeding Detection, Investigation and Resolution With Splunk SIEM
▶ Improve the speed of security event detection by at least 70 percent
▶ Accelerate investigation of high-priority security incidents by at least 70 percent
▶ Decrease the overall financial impact of security outages by at least 50 percent
“With Splunk ES, our IT team can gain visibility across thousands of endpoints continuously – including servers, network devices, security scans and threat feeds – enabling faster threat detection and resolution for our customers.”
– Vice President and Chief Information Security Officer, Rackspace
Biopharma Leader Gets Ahead of Security Threats With Analytics-Driven SIEM in the Cloud
▶ An estimated 30 percent lower cost of ownership compared to on-premises alternatives
▶ A dramatic reduction in security investigation and resolution times
▶ Protection against threats, breaches and malware; ensuring regulatory compliance
“With Splunk the organization now has a security solution that is flexible and scalable to ingest all of its data ubiquitously and that enables the security team to draw conclusions from its data in near real time.”
– Biopharma
Transform Your Security: Next Steps
▶ Contact your Account Executive
▶ Contact an Expert
▶ Bi-weekly security demos
▶ Schedule a pre-assessment session with a Sales Engineer
Don't forget to rate this session in the SplunkLive! mobile app
Thank You
SAVE THE DATE! October 1-4, 2018
▶ 8,750+ Splunk Enthusiasts
▶ 300+ Sessions
▶ 100+ Customer Speakers
Plus Splunk University:
▶ Three Days: September 29-October 1, 2018
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
Walt Disney World Swan and Dolphin Resort in Orlando
conf.splunk.com
