TRANSCRIPT
Supercharge Your SOC with Automation
Robert Walker, Staff Security Architect, Splunk
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.
AGENDA
• SOAR History and the Future
• What is SOEL?
• SOAR Loser?
• Hacking Your SOEL
• Q&A
KEY TAKEAWAYS
1. Pillars of Splunk
2. Understand SOEL and SOAR
3. Understand SOEL impacts and difference to SOAR development
4. How to use SOEL to ensure your SOAR is effective
© 2019 SPLUNK INC.
Every problem is a data problem
Investigate | Monitor | Analyze | Act
This digital evolution is changing everything. There's an explosion of data beyond anything our world has experienced: IoT, 3D printing, smart cities, cloud, drones, machine learning, self-driving everything, autonomous everything, DNA mapping and genetic manipulation, smart phones, smart appliances, smart buildings.
There's more data than ever before: 163 zettabytes by 2025, 10X the data we have today.
What makes Splunk unique as a data platform: INVESTIGATE | MONITOR | ANALYZE | ACT
Splunk Security Portfolio
DATA PLATFORM | ANALYTICS | OPERATIONS
> Universal indexing
> Petabyte scale
> Multi-schema
> Search, alert, report, visualize
> Broad support
Machine Learning Toolkit (MLTK)
ES CONTENT UPDATE
Data Capabilities In The SOC
INVESTIGATE: Incident investigation, Forensics, Threat hunting
MONITOR: Security monitoring, Compliance
ANALYZE: Incident Response, Fraud
ACT: SOC Automation, Orchestration, Response
Security Operations Problems
• Escalating volume of security alerts
• Resource shortage of 1 million security professionals
• Endless assembly line of point products
• Static independent controls with no orchestration
• Speed of detection, triage, & response time must improve
• Costs continue to increase
6 Million Dollar SOC…
Observe: Point Products: FIREWALL, IDS / IPS, ENDPOINT, WAF, ADVANCED MALWARE, FORENSICS, MALWARE DETONATION
Orient: Analytics: SIEM, THREAT INTEL PLATFORM, HADOOP, GRC
Decision Making: Context
Acting: Doing something: FIREWALL, IDS / IPS, ENDPOINT, WAF, ADVANCED MALWARE, FORENSICS, MALWARE DETONATION
Analyst tiers: TIER 1, TIER 2, TIER 3
What is SOEL? Security Operations Event Lifecycle
© 2018 SPLUNK INC.
Security Operations Events Lifecycle: every SOC process has them
Traditional Security Operation Actions: INGESTION OR ALERTING | EXTERNAL VALIDATION | INTERNAL HUNTING | MONITORING / CHANGE | RUN JOBS | NOTIFICATIONS
Security Operations Events Lifecycle, stage by stage (sources; actions; artifacts produced):
INGESTION OR ALERTING: Threat Intel, SIEM events, Phone calls; actions: Poll, Push; artifacts: Events
EXTERNAL VALIDATION: VirusTotal, OpenDNS, iSight; actions: Look Up; artifacts: Context
INTERNAL HUNTING: Logs, Endpoint search; actions: Hunt; artifacts: Artifacts
CHANGE / MONITORING: Firewall Rules, IDS Signatures, Endpoint Alerts, Proxy Blocks; actions: Set, Block/Quarantine; artifacts: Artifacts
RUN JOBS: Malware Analysis, Forensics; actions: Analyze, Get…; artifacts: Artifacts
NOTIFICATIONS: Ticketing, Reports; actions: Send, Receive; artifacts: Measure
Splunk's Future SOC Vision
Are you a SOAR loser? What is SOAR and why am I missing out?
It's only for the big companies with lots of well documented responses…
DON'T BE A SOAR LOSER! Example of an industry-leading SOAR platform
SOAR = Security Orchestration, Automation, and Response
Security Orchestration is making music
Security Automation is a bread maker
Security Response is the life blood of the SOC to reduce Risk Impact
Hack your SOEL to get your SOAR on!
ARE YOU THE NEXT BEETHOVEN? Conduct your team, processes and tools together
▪ Work smarter by automating repetitive tasks and focus on more mission-critical tasks
▪ Respond faster and reduce dwell times with automated integration, investigation, and response
▪ Strengthen defenses by integrating existing security infrastructure
Hacking your SOEL? Discovering your SOEL to help modernize your SOC
HOW TO HACK YOUR SOEL: Monitor, Discover, Respond, Measure, Automate, Transform, Learn
USE CASE OVERVIEW
Security Analyst Use Cases: Privileged user monitoring; Botnet detection; Fraud detection in e-payment; Unauthorized service monitoring; Identify patient-zero; Vulnerability management posture; Fraud detection in online banking; Update monitoring; Detecting zero day attacks; Threat intelligence correlation; Fraud detection in proper service usage; Website defacement; Detect and stop data exfiltration; User account sharing; Defense in depth investigations; Spam to external; Phishing attacks; Incident investigation across teams; Give teams the visibility they need; SQL injections; Dynamic risk and pattern management; Monitoring of expired user accounts
Hunter Use Cases: On demand APT scanning; SSL certificate analytics; User agent string analytics
CISO Use Cases: In the news!; Information driven security; Compliance reporting; Centralized situational awareness
Hacking your SOEL: Suspicious Email
REVIEW EMAIL → REVIEW BODY AND HEADER INFO → QUERY RECIPIENTS → HUNT FILE / HUNT URL → FILE / URL REPUTATION → FILE ASSESSMENT → REMOVE EMAIL
Hacking your SOEL: Suspicious Email
INGEST EMAIL → PARSE FILES, URLS, EMAIL HEADERS → FILE / URL REPUTATION → DETONATE UNKNOWN URL / FILE → HUNT FILE / HUNT URL → TASK ANALYST → PHISH / HOST ASSESSMENT → REMOVE EMAIL
Playbook actions by SOEL stage:
INGEST: Poll, Push, Ingest, Set Status, Set Severity, Create Artifacts, Save Objects, Set Tags
INVESTIGATE: File Analysis, Domain Analysis, URL Analysis, Host Analysis, IP Analysis, Logon Analysis, Run Query, Get Events
CONTAIN: Disable User, Block Hash, Block URL, Block Domain, Block IP, Quarantine Host, Block Process, Disable VPN
NOTIFY: Email SOC Leadership, Chat IT Help Desk, Engineering, Prompt SOC, Task SOC
DOCUMENT: Create Ticket, Update Ticket, Close Ticket, Transfer Ticket, Query Tickets, Create Artifacts, Close Objects
"Customer Success is our commitment and your content"
KEY TAKEAWAYS: CAN YOU AFFORD NOT TO SOAR WITH YOUR SOEL?
1. Understand SOEL and SOAR
2. Understand SOEL impacts and difference to SOAR
3. How to use SOEL to ensure your SOAR is effective
Q&A
Thank You
Appendix
File Analysis Playbook: Process hacking – which one is first?
► INPUT: Receive a hash and/or file
► INTERACTIONS:
► ARTIFACTS:
• P1:
• P2:
• P3:
► ACTIONS:
File Analysis Playbook: Define the Artifacts for Decide and Act!
► INPUT: Receive a hash and/or file
► INTERACTIONS:
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware (Block now)
• P2: Analyze, Sandbox, (De)Escalate (Prompt, Review)
• P3: Cache Results, Display Report (Required Manual Analysis)
► ACTIONS:
File Analysis Playbook: Build a utility playbook for file analysis
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host
File Analysis Playbook: Build a utility playbook for file analysis (actions expanded)
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host, Get Approval, Hunt file, Hunt URL, Promote Case, Cache Hash, Store File, Analyze File, Task Forensics, Block Process, Get customer info, Get system info, Check white/black lists, Get BU info, Run query, Lookup info (Threat Intel)
File Analysis Playbook: Build a utility playbook for file analysis (final action set)
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host, Create ticket, Get Approval, Hunt file, Hunt URL, Promote Case, Cache Hash, Store File, Analyze File, Task Forensics, Block Process, Get customer info, Get system info, Check white/black lists, Get BU info, Run query, Lookup info (Threat Intel)
[Figure: each action in the final action set is tagged with the SOEL stage it belongs to; legend: Ingest, Investigate, Contain, Notify, Record, Utility]
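Added example (this editor's code, not Splunk's or the presenter's): the file analysis utility playbook from the appendix written out in plain Python, so the P1/P2/P3 branches, the rate-limited reputation lookup ("File Rep w/ rate limit") and the hash cache ("Cache Hash") can be run and inspected. Each action is recorded against the SOEL stage the deck tags it with (Ingest, Investigate, Contain, Notify, Record, Utility). The reputation list, the sandbox callable and the block action are constructed stand-ins for the integrations the slide lists (VirusTotal, Falcon Sandbox, CB Response and so on); nothing here uses a real product API.

```python
"""Added example, not Splunk code: the appendix's file analysis utility playbook
in plain Python. P1 known malware -> block now; P2 unknown -> sandbox and
(de)escalate; P3 -> cache results, display report, manual analysis."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple
import time


class Stage(Enum):
    INGEST = "Ingest"
    INVESTIGATE = "Investigate"
    CONTAIN = "Contain"
    NOTIFY = "Notify"
    RECORD = "Record"
    UTILITY = "Utility"


# Constructed reputation list standing in for a VirusTotal/ThreatConnect lookup.
KNOWN_MALWARE = {"sha256-constructed-evil": "Trojan.Constructed"}


class RateLimiter:
    """Fixed-window limiter: at most max_calls lookups per window_seconds."""

    def __init__(self, max_calls: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_calls, self.window, self.clock = max_calls, window_seconds, clock
        self.window_start, self.calls = clock(), 0   # clock is injectable for tests

    def allow(self) -> bool:
        now = self.clock()
        if now - self.window_start >= self.window:  # new window: reset the budget
            self.window_start, self.calls = now, 0
        if self.calls >= self.max_calls:
            return False
        self.calls += 1
        return True


@dataclass
class Result:
    file_hash: str
    path: str       # "P1", "P2" or "P3"
    verdict: str    # "malicious", "clean" or "unknown"
    severity: str   # "high", "medium" or "low"
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (stage, action)


class FileAnalysisPlaybook:
    def __init__(self, limiter: RateLimiter,
                 sandbox: Callable[[str], Optional[str]]) -> None:
        self.limiter = limiter
        self.sandbox = sandbox  # constructed stand-in: "malicious", "benign" or None
        self.cache = {}         # "Cache Hash": hash -> Result
        self.blocked = set()    # hashes that "Block file" pushed to the controls

    def run(self, file_hash: str) -> Result:
        trail: List[Tuple[str, str]] = []

        def act(stage: Stage, action: str) -> None:
            trail.append((stage.value, action))

        act(Stage.INGEST, "Receive hash")
        if file_hash in self.cache:              # utility step: reuse an earlier verdict
            hit = self.cache[file_hash]
            act(Stage.UTILITY, "Cache Hash hit")
            return Result(file_hash, hit.path, hit.verdict, hit.severity, trail)
        if not self.limiter.allow():             # lookup budget spent: P3, no verdict
            act(Stage.NOTIFY, "Task Forensics (rate limited)")
            return self._finish(Result(file_hash, "P3", "unknown", "medium", trail), act)
        act(Stage.INVESTIGATE, "File Rep")
        if file_hash in KNOWN_MALWARE:           # P1: known malware, block now
            act(Stage.CONTAIN, "Block file")
            self.blocked.add(file_hash)
            act(Stage.NOTIFY, "Prompt Analyst")
            act(Stage.RECORD, "Create ticket")
            return self._finish(Result(file_hash, "P1", "malicious", "high", trail), act)
        act(Stage.INVESTIGATE, "Detonate File")  # P2: unknown, so sandbox it
        verdict = self.sandbox(file_hash)
        if verdict == "malicious":               # escalate, get approval, then block
            act(Stage.INGEST, "Change Severity: high")
            act(Stage.NOTIFY, "Get Approval")
            act(Stage.CONTAIN, "Block file")
            self.blocked.add(file_hash)
            return self._finish(Result(file_hash, "P2", "malicious", "high", trail), act)
        if verdict == "benign":                  # de-escalate
            act(Stage.INGEST, "Change Severity: low")
            return self._finish(Result(file_hash, "P2", "clean", "low", trail), act)
        act(Stage.NOTIFY, "Task Forensics")      # P3: sandbox inconclusive, manual analysis
        return self._finish(Result(file_hash, "P3", "unknown", "medium", trail), act)

    def _finish(self, result: Result, act: Callable[[Stage, str], None]) -> Result:
        """Every path ends the same way: cache a real verdict, then report."""
        if result.verdict != "unknown":          # never cache a non-answer
            act(Stage.UTILITY, "Cache Hash")
            self.cache[result.file_hash] = result
        act(Stage.RECORD, "Display Report")
        return result
```

Two design points are worth noting: a rate-limited or inconclusive run is recorded but never cached, so the next run re-evaluates the hash instead of repeating a non-answer, and on the P2 path the block only follows the Get Approval step, mirroring the (De)Escalate artifact rather than blocking on a sandbox verdict alone.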