Webinar: What's New in the Splunk App for Enterprise Security
TRANSCRIPT
Copyright © 2015 Splunk Inc.
The Splunk App for Enterprise Security
Holger Sesterhenn, Senior Sales Engineer, CISSP
Matthias Maier, Security Product Marketing, EMEA
Your Webcast Team
Matthias Maier, Security Product Marketing, EMEA
Holger Sesterhenn, Senior Sales Engineer
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
How Can Splunk Help?
Roadmap: Security Strategy, Security Posture, Visual Security Analytics, Advanced Threats, Insider Threat
Security Strategy
The Ever-Changing Threat Landscape
Source: Mandiant M-Trends Report 2012/2013/2014
• 67% of victims were notified by an external entity
• 100% of cases used valid credentials
• 229 median number of days before detection
Traditional Security Strategy
• Intrusion Detection
• Firewall
• Data Loss Prevention
• Anti-Malware
• Vulnerability Scans
• Authentication
Connect the Dots Across All Data
Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Additional sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB, DHCP/DNS
Connecting the "Data Dots" via Multiple/Dynamic Relationships
• Threat Intelligence: attacker, known relay/C2 sites, infected sites, IOCs, attack/campaign intent and attribution
• Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
• Host Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Auth (User Roles): access level, privileged users, likelihood of infection, where they might be in the kill chain
Kill chain stages: delivery, exploit installation; gain trusted access; upgrade (escalate), lateral movement; data gathering; exfiltration; persist, repeat
Analytics-Driven Security: Risk-Based Context and Intelligence
Connecting Data and People
Sample: Nasdaq - Heartbleed
Complement, replace and go beyond traditional SIEMs
Security Intelligence Use Cases
• Security & compliance reporting
• Real-time monitoring of known threats
• Monitoring of unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat
Roadmap: Security Strategy • Connecting Data and People
Security Posture
What's New in Splunk App for Enterprise Security 3.3 (Benefit / Feature)
Better Detection of Advanced Threats
• STIX/TAXII & OpenIOC threat intelligence
• IOC/artifacts research
Improved Collaboration
• Export correlation searches, KSIs, swim lanes
Better Detection of Malicious Insiders
• User activity monitoring dashboard and swim lanes
• Access anomalies
Faster Incident Response
• Added functionality to Incident Response page
Roadmap: Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats
http://stixproject.github.io/about/
STIX/TAXII and OpenIOC 101
• Info sharing across companies and industries
• Standardized XML
• Contains TTPs, IOCs, COA
• IOCs include IPs, web/e-mail domains, hashes, processes, registry keys, certificates
• http://stixproject.github.io/about/
Threat Intelligence in Splunk
TAXII Services
Source: http://hailataxii.com
Sample TAXII Feeds
User Community | Organisation
Cyber Threat XChange | Health Information Trust Alliance
Defense Security Information Exchange | Defense Industrial Base Information Sharing and Analysis Organization
ICS-ISAC | Industrial Control System Information Sharing and Analysis Center
NH-ISAC National Health Cybersecurity Intelligence Platform | National Health Information and Analysis Center
FS-ISAC / Soltra Edge | Financial Services Information Sharing and Analysis Center (FS-ISAC)
Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal | Retail Information Sharing and Analysis Center (Retail-ISAC)
More: http://stixproject.github.io/supporters/
Roadmap: Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats • Knowledge Sharing and Adoption
Insider Threat
Detecting Suspicious User Activity
• Spot suspicious user activity: malicious insider or external threat using stolen credentials
• High aggregate risk score
• Uploaded data to non-corp sites
• Emailed data to non-corp domains
• Visits to blacklisted sites
• Remote access
• Anomalous help desk ticket
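The STIX/TAXII 101 slide lists the IOC types a STIX package carries, and the slide above lists the user-activity signals that feed an aggregate risk score. The Python below is an added example written for this transcript; it is not code from the webinar or from Splunk Enterprise Security. It pulls IP, domain and hash indicators out of a constructed STIX 1.x-style XML package (namespace URIs follow STIX 1.x / CybOX 2.x; the parser keys on local element names and xsi:type, so it does not depend on prefixes), then replays constructed key=value events and sums risk per user for threat-intel hits, blacklisted-site visits, uploads and e-mail to non-corporate domains, and remote access. The corporate domain suffix, blacklist entries, risk weights and the 100-point notable threshold are assumptions chosen for the example, not product defaults.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed STIX 1.x package; namespace URIs follow STIX 1.x / CybOX 2.x (assumed),
# and every indicator value is made up for this example.
STIX_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value>evil-c2.example</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType">
     <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

def local(tag):
    """Strip the namespace part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def extract_iocs(xml_text):
    """Return {'ip', 'domain', 'hash'} -> set of values found in CybOX Properties."""
    iocs = {"ip": set(), "domain": set(), "hash": set()}
    for props in ET.fromstring(xml_text).iter():
        if local(props.tag) != "Properties":
            continue
        kind = props.get(XSI_TYPE, "").split(":")[-1]  # e.g. AddressObjectType
        for el in props.iter():
            value = (el.text or "").strip()
            if not value:
                continue
            name = local(el.tag)
            if kind == "AddressObjectType" and name == "Address_Value":
                iocs["ip"].add(value)
            elif kind == "DomainNameObjectType" and name == "Value":
                iocs["domain"].add(value.lower())
            elif kind == "FileObjectType" and name == "Simple_Hash_Value":
                iocs["hash"].add(value.lower())
    return iocs

# Constructed key=value events (proxy, mail, VPN, endpoint), one per line.
SAMPLE_LOG = """\
2015-06-10T09:12:01Z user=jdoe action=web dest=updates.example-cdn.com dest_ip=203.0.113.9
2015-06-10T09:15:44Z user=jdoe action=web dest=evil-c2.example dest_ip=198.51.100.23
2015-06-10T09:20:10Z user=jdoe action=upload dest=share.example.net bytes_out=52000000
2015-06-10T09:41:00Z user=jdoe action=vpn src_ip=203.0.113.77
2015-06-10T10:02:33Z user=asmith action=web dest=intranet.corp.example dest_ip=10.0.0.5
2015-06-10T10:30:00Z user=asmith action=email dest=partner.corp.example
2015-06-10T10:31:15Z user=asmith action=email dest=webmail.example.org
2015-06-10T10:45:09Z user=asmith action=web dest=casino.example dest_ip=203.0.113.40
2015-06-10T11:05:12Z user=bwong action=file file_hash=0123456789ABCDEF0123456789ABCDEF"""

CORP_SUFFIX = ".corp.example"      # assumed corporate domain suffix
BLACKLIST = {"casino.example"}     # constructed site blacklist
# Risk weights are assumptions for this example, not Enterprise Security defaults.
RISK = {"threat_intel": 80, "blacklist": 40, "upload_noncorp": 30,
        "email_noncorp": 20, "remote_access": 10}
KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict; timestamp lands in '_time'."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["_time"] = ts
    return ev

def event_risks(ev, iocs):
    """Yield (rule, score) for each risk rule the event triggers."""
    dest = ev.get("dest", "").lower()
    if (ev.get("dest_ip") in iocs["ip"] or dest in iocs["domain"]
            or ev.get("file_hash", "").lower() in iocs["hash"]):
        yield "threat_intel", RISK["threat_intel"]
    if dest in BLACKLIST:
        yield "blacklist", RISK["blacklist"]
    noncorp = bool(dest) and not dest.endswith(CORP_SUFFIX)
    if ev.get("action") == "upload" and noncorp:
        yield "upload_noncorp", RISK["upload_noncorp"]
    if ev.get("action") == "email" and noncorp:
        yield "email_noncorp", RISK["email_noncorp"]
    if ev.get("action") == "vpn":
        yield "remote_access", RISK["remote_access"]

def score_users(log_text, iocs):
    """Aggregate risk per user across all events."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        scores[ev["user"]] += sum(s for _, s in event_risks(ev, iocs))
    return dict(scores)

def notables(scores, threshold=100):
    """Users whose aggregate risk reaches the (assumed) notable threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    found = extract_iocs(STIX_XML)
    per_user = score_users(SAMPLE_LOG, found)
    print(found, per_user, notables(per_user))
```

Matching on local element names and the xsi:type of each Properties block is what makes the parser survive prefix or namespace-version differences between feeds; a single threat-intel hit scores 80 here, so it takes a second signal (here the non-corporate upload plus remote access) before a user crosses the notable threshold, which is the aggregate-risk idea the slide describes.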
Roadmap: Security Strategy • Connecting Data and People
Security Posture • Situational Awareness
Visual Security Analytics • Contextual Analysis
Advanced Threats • Knowledge Sharing and Adoption
Insider Threat • Stop Data Breaches
Case Study: Telenor (Norway's largest telecom services provider, 160 million mobile subscribers globally)
Challenges:
– Millions of customers, thousands of servers and routers, and missing details in operative tasks.
– Communication between departments was challenging.
– Errors and issues sporadically slipped unnoticed.
Breakthroughs:
– The team noticed WebMail accounts being abused to send hundreds of thousands of SMS messages abroad.
– Baselining normal behaviour and tracking deviation.
– Understanding attackers and their behaviour in order to take them down proactively.
Thank You! Q&A