TRANSCRIPT
© 2017 SPLUNK INC.
Automated SIEM (SOAR)
Improve the Incident Response
Alex Pilger (CISSP,GMON), Technical Partner Manager ([email protected])
Monitor Detect Investigate Respond
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Forward-Looking Statements
Common Security Operations Challenges
▶ Alerts: escalating volume of security alerts
▶ Resources: resource shortage of 1 million security professionals
▶ Products: endless assembly line of point products
▶ Static: static independent controls with no orchestration
▶ Speed: speed of detection, triage, and response time must improve
▶ Costs: costs continue to increase
What is SOAR?
SOAR = Security Orchestration, Automation, and Response
▶ Integrate your team, processes, and tools together.
▶ Work smarter by automating repetitive tasks, allowing analysts to focus on more mission-critical tasks.
▶ Respond faster and reduce dwell times with automated detection, investigation, and response.
▶ Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.
Collaborative SOC
[Slide diagram: a single "specific problem" tool versus an orchestrated nerve center for security that solves across multiple domains and establishes security operations. Domains shown around the orchestration hub: Cloud Security, Endpoints, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access.]
Splunk Security Portfolio
[Slide diagram, built on the Platform for Operational Intelligence:]
▶ Premium Solutions: Enterprise Security (Threat Detection, Security Operations, ES Content Update, PCI Compliance), User Behavior Analytics (Discover Anomalous Behavior, Detect Unknown Threats), Phantom (Automation & Orchestration)
▶ Splunk Security Apps & Add-ons: Security Essentials, App for AWS, ML Toolkit, Google Cloud, Microsoft Cloud, Windows Infrastructure, plus 3rd Party Apps & Add-ons (700+)
▶ Data sources: Network data, RDBMS (any) data, Windows host data, Exchange data
▶ Platform capabilities: Search and Investigate, Monitoring & Alerting, Dashboards and Reports, Incident & Breach Response
SOAR for Security Operations: Faster execution through the loop yields better security
[Slide diagram of the observe-orient-decide-act loop:]
▶ Observe – Point Products: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
▶ Orient – Analytics: SIEM, Threat Intel Platform, Hadoop, GRC
▶ Decision Making: Tier 1, Tier 2, Tier 3
▶ Acting – automated with Phantom across the same point products: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
▶ Action results feed back into observation (feedback loop)
Security Operations Challenges – Before Phantom
Inefficient & inconsistent process, staffing challenges, increasing exposure
Situation:
• Limited & stretched resources
• Complex infrastructure with wide range of technologies from multiple security vendors
• Alert fatigue
• Expanding/changing attack surface
Outcomes with Phantom – After Phantom
Efficiency, repeatable & auditable, decreasing dwell times
Situation:
• Resources can focus on strategic security activities
• Faster investigations across complex infrastructure
• Increase SecOps process and team efficiency
• Reduce the attack surface risk through automation
Splunk Phantom
▶ Reduced alert investigation times from 30-45 minutes to less than one minute
▶ Applied a consistent approach to alert management and investigation, eliminating human error
▶ Increased resource efficiency by turning manual, repetitive tasks into automated processes
Security Use Case Study – Full Automation
[Slide diagram: the play runs through Monitor → Detect → Investigate → Respond in ten numbered steps. Starting from a "potential phishing" notable event, the automated actions shown are:]
▶ detonate file
▶ url reputation
▶ ip reputation
▶ query other recipients
▶ check user profile
▶ update notable event
▶ create ticket / collaboration
▶ response
With SOAR: Employees Report Phishing Emails
▶ Manually: time per play: 45 minutes
▶ With SOAR: time per play: 30-60 seconds + human review time
▶ Average time saving: approx. 40 minutes
Security Event Triage – in the context of Phantom
▶ Gathering together all details of an event will help to determine whether there is a real security incident – and if so – how you will need to respond.
▶ Identify: identify the artifacts of the incident using a SIEM solution like Splunk ES.
▶ Map: map all key indicators / artifacts and gather them into a Phantom Container.
▶ Eradicate: having all artifacts collected, Phantom can begin swiftly with the automated process and orchestrate the right actions / assets.
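The phishing play above and the identify → map → eradicate triage flow can be shown end to end in code. The following is an added example written for this transcript; it is not Splunk Phantom's playbook API or any Splunk code. It mimics the pattern: a SIEM notable event is mapped into a container of artifacts, each automated action (detonate file, URL reputation, IP reputation, query other recipients, check user profile) writes its result into the container, and a decision step updates the notable event and picks the response. The notable event, the reputation tables, the sandbox verdicts, the mail-gateway log and the user profiles are all constructed sample data standing in for the real assets, and every function name is this example's own.

```python
"""Phishing-triage playbook runner (added example, not Phantom's API).

Maps a notable event into a container of artifacts, runs enrichment actions,
and turns the collected verdicts into a disposition. All data is constructed.
"""
import re
from dataclasses import dataclass, field

# --- constructed sample data: stand-ins for SIEM, sandbox, threat intel, mail gateway
NOTABLE_EVENT = {
    "rule": "Potential Phishing Email",
    "recipient": "alice@example.test",
    "sender_ip": "203.0.113.45",
    "subject": "Invoice overdue - action required",
    "body": "Open http://invoice-update.example.test/login and the attached file.",
    "attachment_sha256": "4e5c" * 16,  # constructed placeholder hash
}
URL_REPUTATION = {"http://invoice-update.example.test/login": "malicious"}
IP_REPUTATION = {"203.0.113.45": "suspicious"}
SANDBOX_VERDICTS = {"4e5c" * 16: "malicious"}
MAIL_LOG = [  # (recipient, sender_ip, subject) rows of a constructed mail-gateway log
    ("alice@example.test", "203.0.113.45", "Invoice overdue - action required"),
    ("bob@example.test", "203.0.113.45", "Invoice overdue - action required"),
    ("carol@example.test", "198.51.100.7", "Lunch menu"),
]
USER_PROFILES = {
    "alice@example.test": {"department": "Finance", "privileged": False},
    "bob@example.test": {"department": "IT", "privileged": True},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Container:
    """Holds the event's artifacts plus the result each action adds."""
    name: str
    artifacts: dict
    results: dict = field(default_factory=dict)


def map_artifacts(event: dict) -> Container:
    """'Map' step: pull the key indicators out of the SIEM notable event."""
    return Container(
        name=event["rule"],
        artifacts={
            "urls": URL_RE.findall(event["body"]),
            "ips": [event["sender_ip"]],
            "hashes": [event["attachment_sha256"]],
            "recipient": event["recipient"],
            "subject": event["subject"],
        },
    )


# --- automated actions; each writes its verdicts into container.results
def detonate_file(c: Container) -> None:
    c.results["detonate_file"] = {h: SANDBOX_VERDICTS.get(h, "unknown") for h in c.artifacts["hashes"]}


def url_reputation(c: Container) -> None:
    c.results["url_reputation"] = {u: URL_REPUTATION.get(u, "unknown") for u in c.artifacts["urls"]}


def ip_reputation(c: Container) -> None:
    c.results["ip_reputation"] = {i: IP_REPUTATION.get(i, "unknown") for i in c.artifacts["ips"]}


def query_other_recipients(c: Container) -> None:
    """Scope the incident: who else received the same message from the same sender IP?"""
    c.results["other_recipients"] = sorted(
        r for r, ip, subj in MAIL_LOG
        if ip in c.artifacts["ips"] and subj == c.artifacts["subject"] and r != c.artifacts["recipient"]
    )


def check_user_profile(c: Container) -> None:
    c.results["user_profile"] = USER_PROFILES.get(c.artifacts["recipient"], {})


def decide(c: Container) -> dict:
    """Turn the collected verdicts into a disposition for the SIEM and the analyst."""
    verdicts = []
    for action in ("detonate_file", "url_reputation", "ip_reputation"):
        verdicts.extend(c.results.get(action, {}).values())
    affected = [c.artifacts["recipient"]] + c.results.get("other_recipients", [])
    if "malicious" in verdicts:          # confirmed: contain, ticket, notify everyone affected
        severity, status, response = "high", "true_positive", ["create_ticket", "quarantine_message"]
    elif "suspicious" in verdicts:       # inconclusive: hand to a human for review
        severity, status, response = "medium", "needs_review", ["assign_to_tier2"]
    else:                                # nothing found: close the notable automatically
        severity, status, response = "low", "false_positive", ["close_notable"]
    return {"severity": severity, "status": status, "response": response, "affected_users": affected}


def run_playbook(event: dict) -> dict:
    """Full play: map artifacts, run every enrichment action, update the notable event."""
    c = map_artifacts(event)
    for action in (detonate_file, url_reputation, ip_reputation, query_other_recipients, check_user_profile):
        action(c)
    decision = decide(c)
    c.results["update_notable_event"] = {"status": decision["status"], "urgency": decision["severity"]}
    return {"container": c, "decision": decision}


if __name__ == "__main__":
    print(run_playbook(NOTABLE_EVENT)["decision"])
```

The point of the structure is that every action reads from and writes to the same container, so the decision step has the complete picture (sandbox, URL, IP, blast radius, user context) before anything is changed in the SIEM or a ticket is opened; the "needs_review" branch is where the human review time from the slide is spent, while clear true and false positives never reach an analyst.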
SOC Playbooks
Splunk for the SOC - Overview
[Slide diagram: machine data from the enterprise (on-premise, cloud, hybrid) is universally indexed and flows through Monitor → Detect → Investigate → Respond; Tier 1 alert analysts handle notable event triage, Tier 2 incident responders and Tier 3 SMEs / hunters take escalations, and playbooks orchestrate / automate across the tiers.]
1 Detection: correlation, statistics, machine learning, risk
2 Investigation: manual (forensics / SPL); auto (Phantom SOAR playbook automation)
3 Response: basic (Workflow Actions / ES Adaptive Response); advanced (Phantom SOAR); collaboration (ticketing / collaboration tool)
Boss of the SOC III & SplunkLive! 2019
Interested in finding out how Splunk can deliver answers for you? Then SplunkLive! is the opportunity for you to learn more directly from Splunk and from our customers' Splunk Ninjas, and to interact with our partners. Hear about the ways you can gain value from your machine data and so obtain the answers you need.
Who should attend:
SplunkLive! is designed specifically for attendees:
▶ who are exploring the Splunk platform for the first time
▶ who are just beginning their "Splunk journey"
▶ who want to understand how their company can achieve more with Splunk
SPLUNKLIVE! MÜNCHEN
Event Details
When? 26 March 2019 from 09:00 to 17:00
Where? Sofitel München Bayerpost, Bayerstrasse 12, 80335 München
>> Registration
SPLUNKLIVE! FRANKFURT
Event Details
When? 14 May 2019 from 09:00 to 17:00
Where? Frankfurt Marriott Hotel, Hamburger Allee 2, 60486 Frankfurt am Main
>> Registration
Boss of the SOC III
Boss of the SOC (BOTS) is an event played in teams of up to 4 players each and hosted by Splunk. Participants use their own laptops (any operating system, as long as it can load Splunk in the browser) to access the online BOTS environment over the whole afternoon!
Event Details
When? 25 March 2019 from 13:00 to 19:00
Where? Sofitel München Bayerpost, Bayerstrasse 12, 80335 München
>> Registration
Thank You
Alex Pilger (CISSP, GMON)
Technical Partner Manager
Email: [email protected]
Mobile: +49 175 3571113
Skype: alpskyping