Copyright©2016SplunkInc.

BuildingtheAnalyticsDrivenSOC

Girish Bhat

gbhat@splunk.com

2

SafeHarborStatementDuring the course of this presentation, wemaymake forward looking statements regarding future eventsor the expected performance of the company. We caution you that such statements reflect our currentexpectations and estimates based on factors currently known to us and that actual events or results coulddiffermaterially. For important factors that may cause actual results to differ from those contained in ourforward-looking statements, please review our filings with the SEC. The forward-looking statementsmade in this presentation are being made as of the time and date of its live presentation. If reviewedafter its live presentation, this presentationmay not contain current or accurate information. We do notassume any obligation to update any forward looking statements we may make. In addition, anyinformation about our roadmap outlines our general product direction and is subject to change at anytime without notice. It is for informational purposes only and shall not be incorporated into any contractor other commitment. Splunk undertakes no obligation either to develop the features or functionalitydescribed or to include any such feature or functionality in a future release.

33

> Dave Herrald dherrald@splunk.com|@daveherrald

- Senior Security Architect, Splunk Security Practice

- 20+ years in IT and security-Information security officer, security architect, pen tester, consultant, SE, system/network engineer

- GIAC GSE #79, former SANS Mentor

#whoami

Agenda

4

Alookattraditionalsecurityoperations

1Bestpracticesandemergingtrends

2Thesecurityopstechnologystack

3SplunkandtheAnalyticsDrivenSOC

4

5

Splunk– LeaderinSecurityCompany(NASDAQ:SPLK)• Founded2004,firstsoftwarereleasein2006• HQ:SanFrancisco/RegionalHQ:London,HongKong• Over2,000employees,basedin12countries

BusinessModel/Products• Freedownloadtomassivescale• SplunkEnterprise,SplunkCloud,SplunkLight• SplunkEnterpriseSecurity,UserBehaviorAnalytics

12,000+Customers• Customersin100countries• 80+oftheFortune100• Largestlicense:Over1 Petabyteperday

6

Splunk:ThePlatformforMachineData

DeveloperPlatform

Reportand

analyze

Customdashboards

Monitorandalert

Adhocsearch

OnlineServices

WebProxy

DataLossPrevention

Storage Desktops

PackagedApplications

CustomApplications

Databases

CallDetailRecords

SmartphonesandDevices

FirewallAuthentication

Fileservers

Endpoint

ThreatIntelligence

Asset&CMDB

Employee/HRInfo

DataStoresApplications

ExternalLookups

Badgingrecords

Emailservers

VPN

7

SplunkSecuritySolutions

SECURITY&COMPLIANCEREPORTING

MONITORINGOFKNOWNTHREATS

ADVANCEDANDUNKNOWNTHREAT

DETECTION

INCIDENTINVESTIGATIONS&

FORENSICS

FRAUDDETECTION

INSIDERTHREAT

MORE…

SECURITYAPPS&ADD-ONS SPLUNKUSERBEHAVIORANALYTICS

Wiredata

Windows= SIEMintegration

RDBMS(any)data

SPLUNKENTERPRISESECURITY

SPLUNKAPPFORPCI

8

Source:EYGlobalInformationSecuritySurvey2015

9

How-toguides…

TraditionalSecurityOperations

11

TraditionalSecurityProgram:TheBigPicture

11

12

TraditionalSecurityProgram:TheBigPicture

12

It’scomplicated…

13

TraditionalSecurityCriticalPath

13

Risk&Compliance

SecurityArchitecture

SecurityEngineering

SecurityOperations

(IncludesSOC)

SecurityOperations:partofthebiggerpicture…

14

TraditionalSOC

“Alerttriage”

“Alertpipeline”

15

WhatisaSOC?

● A place?● A personorateam?● A setofpractices?● Asetoftools?

16

SecurityOperations

Theorganizationalcapabilitytodetectandrespondtothreats.

17

ASOCbyanyothername…

Theorganizationalcapabilitytodetectandrespondtothreats.

● VSOC● CyberDefenseCenter● CyberFusionCenter● CybersecurityOperationCenter● MultifunctionNOC/SOC● CommandSOC● CrewSOC?https://www.gartner.com/doc/3479617

18

ThreeInterrelatedComponentsofSecurity

18

Process

PeopleTechnology

19

BottomLine

Technologyexiststoservepeopleandprocesses.

20

ChallengeswiththetraditionalSOC(1)

Efficacy

21

ChallengeswiththetraditionalSOC(2)

Staffing

22

ChallengeswiththetraditionalSOC(3)

Remember

this?

Risk&Compliance

SecurityArchitecture

SecurityEngineering

SecurityOperations

(IncludesSOC)

23

ChallengeswiththetraditionalSOC(3)

Silo-ization

24

ChallengeswiththetraditionalSOC(4)

Cost…andopportunitycost

TrendsinSecurityOperations

26

NewCapabilitiesintheSOC● AlertManagement● IncidentResponse● Toolchainengineering● Threatintelligence

(consumptionand creation)

● Threathunting● Vulnerabilitymanagement● Redteam

SOC++

AlertManagement

IR/CSIRT

ToolchainEngineering

ThreatintelHunting

Vuln.Management

RedTeam

27

WhatAboutManagedSecurityServices?● AlertManagement● IncidentResponse● Toolchainengineering● Threatintelligence

(consumptionand creation)

● Threathunting● Vulnerabilitymanagement● Redteam

SOC++

AlertManagement

IR/CSIRT

ToolchainEngineering

ThreatintelHunting

Vuln.Management

RedTeam

28

AutomationintheSOC

• Response– maybe• Contextgathering– definitely• Automate“Tier1”• Placesahighpremiumontoolchainintegration

29

ProcessesintheSOC

https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf

30

MaturingUseofThreatIntelligence

Threatlist+ rawnetwork data=DNS

webproxyemail

endpoint…

The“Threatlistwindtunnel”

31

EffectiveThreatIntelligenceConsumption

alerts+threatintel =insightHunting Newdetection

mechanism

32

Network(Meta)data

33

Network(Meta)data

NetFlow(orvariant)Succinct5-tuple+trafficsizeEasytm toanalyzeGoodcontextforbuckNopayload

PCAPVoluminousGroundtruthLotsofstorage/overheadUltimatecontextFullpayload

Stream/BroSuccinct5-tuple+trafficsizeEasilysearchable!

Tune-ableAdaptivefidelityCustomizablePayloadelements

34

ThreatHunting(ActiveDefense)

…effortbyanalystswhopurposelysetouttoidentifyandcounteractadversariesthatmayalreadybeintheenvironment.

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

35

HowareSOCTeamsHunting?

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

● Startwithahypothesis thatconsiders:§ Assets(oftencrownjewels)§ Threats§ Vulnerabilities§ Countermeasures

● Requireslotsofdata● Flexibleplatformtoask/answerquestions● Datascience/ML/Analytics

36

HowareSOCTeamsHunting?

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

Mostimportant,huntersareinnovativeanalystswhounderstandtheirthreatlandscapeandtheirorganizationwellenoughtoasktherightquestionsandfindtheanswers.

37

DataScience,ML,andAnalytics

TheSecurityOperationsToolchain

39

LogDataPlatform• Singlesourceoftruth• Retentionandintegrity• Anydatasource• Easycorrelation• Automation/integration• Performantandscalable• Fullfidelity

• Normalized?• Hunting• Forensicinvestigation• Alerting• Dashboards• Visualization• Analytics(ML?)

DataNormalizationisMandatoryforyourSOC

“Theorganizationconsumingthedatamustdevelopandconsistently

useastandardformatforlognormalization.”– JeffBollingeret.

al.,CiscoCSIRT

Yourfieldsdon’tmatch?Goodluckcreatinginvestigativequeries

41

AssetInventoryandIdentityData

Oftenmultiplesourcesofrecord– that’sOK• CMDB,Vuln scans,Passivedetection,DHCP,NAC• Activedirectory,LDAP,IAM

NetworkdiagramsCategorization• PCI,ICS,Administrative,Default,

ComprehensiveyetlightweightandeasytomaintainMustbeeasytocorrelatetologdata

42

CaseandInvestigationManagement• Ticketingsystem• Workflow• Supportsprioritization• Supportscollaborativeinvestigation• Providesmetrics• Supportsautomation• Auditable

43

CommonSOCDataSources• Firewall• Networkmetadata• Authentication• Server• Windows/Linux

• Endpoint• EDR,AV,HD/RAMimages

• IDS/IPS• VPN• Application• Threatintel• Vulnerability• AssetsandIdentities

SplunkastheSecurityOperationsNerveCenter

45

SplunkastheSecurityOperationsNerveCenter

46

1.AdoptanAdaptiveSecurityArchitecture

ToPrevent,Detect,Respond andPredictneed:- Correlationacrossallsecurityrelevantdata- Insights fromexistingsecurityarchitectures- Advancedanalyticstechniquessuchasmachinelearning

PlatformforOperationalIntelligence

4000+AppsandAdd-Ons

SplunkSecuritySolutions

47

2.ThreatIntelligence– SplunkThreatIntelFrameworkAutomatically collect,aggregateandde-duplicatethreatfeedsfromabroadsetofsources

SupportforSTIX/TAXII,OpenIOC,Facebookandmore

BuildyourowndatatocreateyourownThreatIntel

OutoftheboxActivity andArtifact dashboards

Prioritize,contextualizeandanalyzethreatsandremediate

LawEnforcementFeeds

ISACFeed

AgencyFeeds

CommercialService

CommunityFeed

Open-SourceFeed

OtherEnrichmentServices

• Monitorandtriagealerts• Determineimpactonnetwork,assets

• Useforanalysis/IR• Collect/provideforensics• Usetohunt/uncover/linkevents

• Shareinfowithpartners

48

3.UseAdvancedAnalytics– NativeMLandUBASimplifydetectionandfocusonrealalerts

Accelerateanomalyandthreatdetection– minimizeattacksandinsiderthreat

UseMachineLearningtoolkit- solutionstosuityourworkflow

PremiumMachinelearningsolution- UserBehaviorAnalytics– FlexibleworkflowsforSOCManager,SOCanalystandHunter/InvestigatorwithinSIEM

49

4.ProactivelyHuntandInvestigate- Considerations● Organizationalmaturity

● Domainandproductexperience

● Tools:Network,Endpoint,ThreatIntel,Access

● Securityrelevantdata,historical,rawdata● Flexibilityandadhoc

50

5.Automatewheneverfeasible

App Servers

Network

ThreatIntelligence

Firewall

InternalNetworkSecurity Endpoints

Userulesandmachinelearningtoautomateroutineaspectsofdetectionandinvestigation

Extractinsights fromexistingsecuritystackbyuseofcommoninterface

Takeactionswithconfidenceforfaster decisionsandresponseAutomateanyprocessalongthecontinuousmonitoring,response&analyticscycle

SplunkAdaptiveResponse

51

WhatisSplunkEnterpriseSecurity?

51

EnterpriseSecurityAssetandIdentity

Correlation

NotableEvent

ThreatIntelligence

RiskAnalysis

AdaptiveResponse

AcollectionofFrameworks

52

SplunkSecurityPartnershttps://www.splunk.com/partners/

CustomerSuccess

54

BuildinganIntelligenceDrivenSOCChallenges• ExistingSIEMnotadequate- struggledtobringinappropriatedata• Unabletoperformadvancedinvestigations,severescale/performanceissues• LookingtobuildanewSOCwithmodernsolution

CustomerSolution• Centralizedloggingofallrequiredmachinedataatscaleandfullvisibility• Retainallrelevantdatafrom10+datasources whichisusedby25+SOC/CSIRTusers• Tailoredadvancedcorrelationsearches&IRworkflow• Fasteranddeeperincidentinvestigations• GreaterSOCefficiencies - allSOC/CSIRTworkingoffsameUI/data• Executivedashboardstomeasureandmanagerisk

54

55

CitywideSOCforsituationalawarenessChallenges• Slowresponsestosecurityincidents

• Inadequatesituationalawarenessofsecurityevents

• Limitedthreatintelligence

• Disparatelogsfromover40departmentsweredifficulttoaggregate

CustomerSolution:SplunkCloudwithEnterpriseSecurity• Real-time,citywide,24/7networksurveillance

• Strongerprotectionofdigitalassetsandinfrastructure

• Sharedthreatintelligencewithfederalagencies

• Reducedheadcountandloweroperationalcosts

56

BuildaninsourcedSOCinmonthsChallenges• Widerangeofsecurityrequirements

– Internalaudits(financial,PCI)– Protectinternalinfoandassets– Cloudfirewall,DDOS

• CulturalandOrganizational– Securitynotapriority,OutsourcedSecOps– Informationhoardinganddatasilos

CustomerSolution:SplunkEnterpriseSecurity• Changedculture- securityfirstmindsetwithcontrols

• Detect,preventandrespondtoattacksinownenvironment,with24/7securityanalysisofcustomers

• Rapiddetectionanddeepinvestigation

• DetectWebAppattacks,discovercompromisedcards

57

MaturingSOCChallenges• LegacySIEM:Unstable,Inflexible,Clunky

• Limitedskilledresources

• Highfalsenegativeandfalsepositive

CustomerSolution:SplunkCloudwithEnterpriseSecurity• Developedprocesses:Ruleset,naming

• SOCprocess:Playbook,training,automateddocumentation

• EnabledSOCtoidentifypatternsofbehaviorinasingleeventratherthanbebombardedbythousandsoflow-valueincidents

Wrappingup

FreeCloudTrial

FreeSoftwareDownload

FreeEnterpriseSecurity

Sandbox

Getstartedinminutes– splunk.com

1 32

Copyright©2016SplunkInc.

• 5,000+ITandBusinessProfessionals• 175+Sessions• 80+CustomerSpeakers

PLUSSplunk University• Threedays:Sept23-25,2017• GetSplunk CertifiedforFREE!• GetCPEcreditsforCISSP,CAP,SSCP

SEPT25-28,2017WalterE.WashingtonConventionCenterWashington,D.C.CONF.SPLUNK.COM

The8th AnnualSplunkWorldwideUsers’Conference

Copyright©2016SplunkInc.

62

CanIplayBOTS?

62

Yes!

• RSAConference2017

• Splunk.conf2017

• Online/continuous?Staytuned

Newscenariosanddatasets

63

ResourcesCitedHowtoPlan,Design,OperateandEvolveaSOC

https://www.gartner.com/doc/3479617CraftingtheInfoSecPlaybook

https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406SplunkSOCAdvisoryServices

https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdfTenStrategiesofaWorld-ClassCybersecurityOperationsCenter

https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdfMaturingWorkday’sSOCwithSplunk

https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdfTheFiveCharacteristicsofanIntelligenceDrivenSecurityOperationsCenter

https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-centerTheWho,What,Where,When,WhyandHowofEffectiveThreatHunting

https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

ExploringtheFrameworksofSplunkEnterpriseSecurityhttps://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf

Thankyou!

dherrald@splunk.com|@daveherrald