SlideShare a Scribd company logo

Splunk Incident Response, Orchestrierung und Automation

Download as PPTX, PDF
Splunk, profile picture
Splunk

This document discusses how orchestration and automation can accelerate incident response. It notes that incident response currently takes a significant amount of time, with the majority of time spent on containment and remediation. It also states that security operations are challenged by too many alerts, a lack of integration between tools, and difficulties attracting, training and retaining skills at scale. The document argues that orchestration and automation can help address these challenges by coordinating security actions across tools and technologies, and executing repetitive security tasks. It provides an overview of Splunk's security portfolio for operationalizing security, including the Splunk Phantom platform for security orchestration and automation.

Technology
1 of 31
Downloaded 86 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
© 2019 SPLUNK INC.© 2019 SPLUNK INC. Accelerate Incident Response Using Orchestration and Automation Andreas Buis – Senior Sales Engineer 26.03.2019
© 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
© 2019 SPLUNK INC. ANDREAS BUIS Senior Sales Engineer
© 2019 SPLUNK INC. Incident Response Too many alerts Not enough insights Tools Too many No integration Skills Attracting Training Retaining Scale Orchestration & Automation Horizontal & Vertical Security Operations Practices Need to Change
© 2019 SPLUNK INC. Incident Response Challenge
© 2019 SPLUNK INC. Incident Response Takes Significant Time 6 Source: SANS 2017 Incident Response Survey Time from compromise to detection Time from detection to containment Time from containment to remediation 1-3 months 2–7 days
© 2019 SPLUNK INC. Where Does Your Time Go? When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
© 2019 SPLUNK INC. Time-to-Contain + Time-to-Remediate = 86% When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
© 2019 SPLUNK INC. Tools
© 2019 SPLUNK INC. How many security tools and technologies does your company use? Poll #1 < 10 10 - 25 26 - 50 51 – 75+
© 2019 SPLUNK INC. Tools and Technologies Galore Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017 TOO MANY TOOLS On average, organizations are using between 25 and 30 different security technologies and services.
© 2019 SPLUNK INC. Skills and Scale Orchestration and Automation
© 2019 SPLUNK INC. Orchestration ► Security Orchestration is the machine-based coordination of security actions across tools and technologies. ► Brings together or integrates different technologies and tools ► Provides the ability to coordinate informed decision making, formalize and automate responsive actions Automation ► Security Automation is the machine- based execution of security actions. ► Focus is on how to make machines do task-oriented "human work” ► Improve repetitive work, with high confidence in the outcome ► Allows multiple tasks or "playbooks" to potentially execute numerous tasks Orchestration vs. Automation
© 2019 SPLUNK INC. Do you use Security Orchestration Automation and Response (SOAR) ? Poll #2
© 2019 SPLUNK INC. SOAR Maestro App actions App actions App actions App actions App actions App actions App actions App actions App actions App actions Playbook
© 2019 SPLUNK INC. Automation & Orchestration Adoption Growing Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
© 2019 SPLUNK INC. Security Nerve Center Overview
© 2019 SPLUNK INC. ANALYTICS ORCHESTRATION NETWORK THREAT INTELLIGENCE MOBILE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Observe Decide Orient Act Security Nerve Center
© 2018 SPLUNK INC. Splunk Security Portfolio DATA PLATFORM ANALYTICS OPERATIONS Platform for Machine Data
© 2019 SPLUNK INC. Adaptive Operations Framework Partner ecosystem enables the Security Nerve Center Mission Deeply integrate with the best security technologies to improve cyber defenses and maximize operational efficiency. Approach Gather, analyze, share, and take action using end-to-end context across across multiple security domains. NETWORK THREAT INTELLIGENCE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Splunkbase Apps & Add-Ons Splunk Enterprise Security Adaptive Response Actions Splunk Phantom Apps & Playbooks DATA / ANALYTICS OPERATIONS 240+ INTEGRATIONS / 1,200+ APIS
© 2019 SPLUNK INC. Phantom Security Operations
© 2019 SPLUNK INC. Operationalizing Security With Phantom Integrate your team, processes, and tools together. Work smarter by automating repetitive tasks allowing analysts to focus on more mission-critical tasks. Respond faster and reduce dwell times with automated detection, investigation, and response. Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
© 2019 SPLUNK INC. Automation Automate repetitive tasks to force multiply team efforts. Execute automated actions in seconds versus hours. Pre-fetch intelligence to support decision making.
© 2019 SPLUNK INC. 200+ APPS & GROWING 1000+ API’S Orchestration Coordinate complex workflows across your SOC.
© 2019 SPLUNK INC. Create case templates that replicate your SOPs. Manage your response to threats with precision. Embed automation within a case task. Case Management
© 2019 SPLUNK INC. SplunkSANDBOX QUERY RECIPIENTS USER PROFILE HUNT FILE HUNT FILE FILE REPUTATION FILE ASSESSMENT RUN PLAYBOOK “REMEDIATE" EMAIL ALERT A Phantom Case Study “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” Adam Fletcher CISO How it Works Automated Malware Investigation
© 2019 SPLUNK INC. DEMO
© 2019 SPLUNK INC. 1. Use Phantom with Splunk or Splunk Enterprise Security to accelerate Incident Investigation and Response 2. Use Adaptive Operations Framework to realize your security nerve center 3. Splunk offers market proven, comprehensive solutions for Incident Response 4. Use with all Security domains and related IT domains to solve incident response use cases and more Splunk offers options to accelerate incident response with orchestration and automation Key Takeaways
© 2019 SPLUNK INC. ► Hands-on Workshop ► 4,5 hours ► You will have your own Phantom AWS instance Phantom 4 Rookies - Workshop abuis@splunk.com
© 2019 SPLUNK INC. https://usergroups.splunk.com/ Check website for upcoming events München Area User Group Connect with Local Splunkers Get More Information Here at the SplunkZone
© 2019 SPLUNK INC.© 2019 SPLUNK INC. Thank You.

More Related Content

PPTX
Einführung in Security Analytics Methoden
Splunk
 
PPTX
"Splunk Worst Practices"... und wie man diese behebt
Splunk
 
PPTX
Accelerate Incident Response with Orchestration & Automation
Splunk
 
PPTX
Machine Learning in Action
Splunk
 
PPTX
Machine Learning in Action
Splunk
 
PPTX
Accelerate incident Response Using Orchestration and Automation
Splunk
 
PPTX
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Splunk
 
PPTX
Splunk and Multicloud
Splunk
 
Einführung in Security Analytics Methoden
Splunk
 
"Splunk Worst Practices"... und wie man diese behebt
Splunk
 
Accelerate Incident Response with Orchestration & Automation
Splunk
 
Machine Learning in Action
Splunk
 
Machine Learning in Action
Splunk
 
Accelerate incident Response Using Orchestration and Automation
Splunk
 
Predictive, Proactive, and Collaborative ML with iT Service Intelligence
Splunk
 
Splunk and Multicloud
Splunk
 

What's hot (16)

PPTX
Drive More Value from your SOC Through Connecting Security to the Business
Splunk
 
PPTX
Introduction into Security Analytics Methods
Splunk
 
PPTX
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
Splunk
 
PPTX
Turning Data Into Business Outcomes with the Splunk Platform
Splunk
 
PPTX
Turning Data into Business outcomes
Splunk
 
PPTX
Worst Splunk practices...and how to fix them
Splunk
 
PPTX
What's New with the Latest Splunk Platform Release
Splunk
 
PPTX
Splunk4Leaders: How to Supercharge your Decision Making Capability
Splunk
 
PDF
Get more from your Machine Data with Splunk AI and ML
Splunk
 
PPTX
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
Splunk
 
PPTX
Splunk Cloud and Splunk Enterprise 7.2
Splunk
 
PPTX
Exploring Frameworks of Splunk Enterprise Security
Splunk
 
PPTX
Get More From Your Data with Splunk AI + ML
Splunk
 
PPTX
Splunk und Multi-Cloud
Splunk
 
PPTX
Extending Splunk to Business use cases with Process Mining
Splunk
 
PPTX
Adventures in Monitoring and Troubleshooting
Splunk
 
Drive More Value from your SOC Through Connecting Security to the Business
Splunk
 
Introduction into Security Analytics Methods
Splunk
 
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
Splunk
 
Turning Data Into Business Outcomes with the Splunk Platform
Splunk
 
Turning Data into Business outcomes
Splunk
 
Worst Splunk practices...and how to fix them
Splunk
 
What's New with the Latest Splunk Platform Release
Splunk
 
Splunk4Leaders: How to Supercharge your Decision Making Capability
Splunk
 
Get more from your Machine Data with Splunk AI and ML
Splunk
 
SplunkLive! Stockholm 2019 - Customer presentation: Norlys
Splunk
 
Splunk Cloud and Splunk Enterprise 7.2
Splunk
 
Exploring Frameworks of Splunk Enterprise Security
Splunk
 
Get More From Your Data with Splunk AI + ML
Splunk
 
Splunk und Multi-Cloud
Splunk
 
Extending Splunk to Business use cases with Process Mining
Splunk
 
Adventures in Monitoring and Troubleshooting
Splunk
 
Ad

Similar to Splunk Incident Response, Orchestrierung und Automation (20)

PPTX
Accelerate incident Response Using Orchestration and Automation
Splunk
 
PPTX
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk
 
PPTX
SplunkLive! Munich 2018: Use Splunk for incident Response, Orchestration and ...
Splunk
 
PPTX
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
Splunk
 
PPTX
SplunkLive! Frankfurt 2018 - Use Splunk for Incident Response, Orchestration ...
Splunk
 
PPTX
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
Splunk
 
PPTX
Security Automation & Orchestration
Splunk
 
PDF
Splunk-Presentation
PrasadThorat23
 
PPTX
Make Your SOC Work Smarter, Not Harder
Splunk
 
PPTX
Splunk Phantom SOAR Roundtable
Splunk
 
PPTX
SplunkLive! London 2017 - Build a Security Portfolio That Strengthens Your Se...
Splunk
 
PPTX
Splunk Discovery Dusseldorf: September 2017 - Security Session
Splunk
 
PPTX
Still Suffering from IT Outages? Accept Failure, Learn from Failure and Get R...
Splunk
 
PPTX
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk
Splunk
 
PPTX
Splunk at Weill Cornell Medical College
Splunk
 
PPTX
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
PPTX
SplunkLive! Munich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...
Splunk
 
PPTX
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
Accelerate incident Response Using Orchestration and Automation
Splunk
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
Splunk
 
SplunkLive! Munich 2018: Use Splunk for incident Response, Orchestration and ...
Splunk
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
Splunk
 
SplunkLive! Frankfurt 2018 - Use Splunk for Incident Response, Orchestration ...
Splunk
 
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
Splunk
 
Security Automation & Orchestration
Splunk
 
Splunk-Presentation
PrasadThorat23
 
Make Your SOC Work Smarter, Not Harder
Splunk
 
Splunk Phantom SOAR Roundtable
Splunk
 
SplunkLive! London 2017 - Build a Security Portfolio That Strengthens Your Se...
Splunk
 
Splunk Discovery Dusseldorf: September 2017 - Security Session
Splunk
 
Still Suffering from IT Outages? Accept Failure, Learn from Failure and Get R...
Splunk
 
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk
Splunk
 
Splunk at Weill Cornell Medical College
Splunk
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
Splunk
 
SplunkLive! Munich 2018: Legacy SIEM to Splunk, How to Conquer Migration and ...
Splunk
 
SplunkLive! Paris 2018: Use Splunk for Incident Response, Orchestration and A...
Splunk
 
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk
 
Splunk Discovery: Warsaw 2018 - Legacy SIEM to Splunk, How to Conquer Migrati...
Splunk
 
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
PDF
Building Resilience with Energy Management for the Public Sector
Splunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
PDF
.conf Go 2023 - Data analysis as a routine
Splunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Building Resilience with Energy Management for the Public Sector
Splunk
 
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 

Recently uploaded (20)

PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Approach and Philosophy of On baking technology
30anthuong17
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

Splunk Incident Response, Orchestrierung und Automation

  • 1. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Accelerate Incident Response Using Orchestration and Automation Andreas Buis – Senior Sales Engineer 26.03.2019
  • 2. © 2019 SPLUNK INC. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved. Forward-Looking Statements
  • 3. © 2019 SPLUNK INC. ANDREAS BUIS Senior Sales Engineer
  • 4. © 2019 SPLUNK INC. Incident Response Too many alerts Not enough insights Tools Too many No integration Skills Attracting Training Retaining Scale Orchestration & Automation Horizontal & Vertical Security Operations Practices Need to Change
  • 5. © 2019 SPLUNK INC. Incident Response Challenge
  • 6. © 2019 SPLUNK INC. Incident Response Takes Significant Time 6 Source: SANS 2017 Incident Response Survey Time from compromise to detection Time from detection to containment Time from containment to remediation 1-3 months 2–7 days
  • 7. © 2019 SPLUNK INC. Where Does Your Time Go? When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
  • 8. © 2019 SPLUNK INC. Time-to-Contain + Time-to-Remediate = 86% When working an incident, which phase generally takes the longest to complete in your organization? Day in the life of a security professional survey © 2016 EMA, Inc.
  • 9. © 2019 SPLUNK INC. Tools
  • 10. © 2019 SPLUNK INC. How many security tools and technologies does your company use? Poll #1 < 10 10 - 25 26 - 50 51 – 75+
  • 11. © 2019 SPLUNK INC. Tools and Technologies Galore Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017 TOO MANY TOOLS On average, organizations are using between 25 and 30 different security technologies and services.
  • 12. © 2019 SPLUNK INC. Skills and Scale Orchestration and Automation
  • 13. © 2019 SPLUNK INC. Orchestration ► Security Orchestration is the machine-based coordination of security actions across tools and technologies. ► Brings together or integrates different technologies and tools ► Provides the ability to coordinate informed decision making, formalize and automate responsive actions Automation ► Security Automation is the machine- based execution of security actions. ► Focus is on how to make machines do task-oriented "human work” ► Improve repetitive work, with high confidence in the outcome ► Allows multiple tasks or "playbooks" to potentially execute numerous tasks Orchestration vs. Automation
  • 14. © 2019 SPLUNK INC. Do you use Security Orchestration Automation and Response (SOAR) ? Poll #2
  • 15. © 2019 SPLUNK INC. SOAR Maestro App actions App actions App actions App actions App actions App actions App actions App actions App actions App actions Playbook
  • 16. © 2019 SPLUNK INC. Automation & Orchestration Adoption Growing Source: CyberSecurity Analytics and Analytics in Transition, ESG, 2017
  • 17. © 2019 SPLUNK INC. Security Nerve Center Overview
  • 18. © 2019 SPLUNK INC. ANALYTICS ORCHESTRATION NETWORK THREAT INTELLIGENCE MOBILE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Observe Decide Orient Act Security Nerve Center
  • 19. © 2018 SPLUNK INC. Splunk Security Portfolio DATA PLATFORM ANALYTICS OPERATIONS Platform for Machine Data
  • 20. © 2019 SPLUNK INC. Adaptive Operations Framework Partner ecosystem enables the Security Nerve Center Mission Deeply integrate with the best security technologies to improve cyber defenses and maximize operational efficiency. Approach Gather, analyze, share, and take action using end-to-end context across across multiple security domains. NETWORK THREAT INTELLIGENCE ENDPOINTS IDENTITY AND ACCESS CLOUD SECURITY WAF AND APP SECURITY WEB PROXY FIREWALL Splunkbase Apps & Add-Ons Splunk Enterprise Security Adaptive Response Actions Splunk Phantom Apps & Playbooks DATA / ANALYTICS OPERATIONS 240+ INTEGRATIONS / 1,200+ APIS
  • 21. © 2019 SPLUNK INC. Phantom Security Operations
  • 22. © 2019 SPLUNK INC. Operationalizing Security With Phantom Integrate your team, processes, and tools together. Work smarter by automating repetitive tasks allowing analysts to focus on more mission-critical tasks. Respond faster and reduce dwell times with automated detection, investigation, and response. Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
  • 23. © 2019 SPLUNK INC. Automation Automate repetitive tasks to force multiply team efforts. Execute automated actions in seconds versus hours. Pre-fetch intelligence to support decision making.
  • 24. © 2019 SPLUNK INC. 200+ APPS & GROWING 1000+ API’S Orchestration Coordinate complex workflows across your SOC.
  • 25. © 2019 SPLUNK INC. Create case templates that replicate your SOPs. Manage your response to threats with precision. Embed automation within a case task. Case Management
  • 26. © 2019 SPLUNK INC. SplunkSANDBOX QUERY RECIPIENTS USER PROFILE HUNT FILE HUNT FILE FILE REPUTATION FILE ASSESSMENT RUN PLAYBOOK “REMEDIATE" EMAIL ALERT A Phantom Case Study “Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more.” Adam Fletcher CISO How it Works Automated Malware Investigation
  • 27. © 2019 SPLUNK INC. DEMO
  • 28. © 2019 SPLUNK INC. 1. Use Phantom with Splunk or Splunk Enterprise Security to accelerate Incident Investigation and Response 2. Use Adaptive Operations Framework to realize your security nerve center 3. Splunk offers market proven, comprehensive solutions for Incident Response 4. Use with all Security domains and related IT domains to solve incident response use cases and more Splunk offers options to accelerate incident response with orchestration and automation Key Takeaways
  • 29. © 2019 SPLUNK INC. ► Hands-on Workshop ► 4,5 hours ► You will have your own Phantom AWS instance Phantom 4 Rookies - Workshop abuis@splunk.com
  • 30. © 2019 SPLUNK INC. https://usergroups.splunk.com/ Check website for upcoming events München Area User Group Connect with Local Splunkers Get More Information Here at the SplunkZone
  • 31. © 2019 SPLUNK INC.© 2019 SPLUNK INC. Thank You.