
© 2017 SPLUNK INC.

Automated SIEM (SOAR)

Improve the Incident Response

Alex Pilger (CISSP, GMON), Technical Partner Manager ([email protected])

Monitor Detect Investigate Respond

Agenda

▶ Motivation

▶ Splunk Security Strategy

▶ Phantom at a Glance

▶ Phantom Demo

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

THIS SLIDE IS REQUIRED FOR ALL 3RD PARTY PRESENTATIONS.

Motivation for SOAR

Common Security Operations Challenges

▶ Alerts: escalating volume of security alerts

▶ Resources: resource shortage of 1 million security professionals

▶ Products: endless assembly line of point products

▶ Static: static independent controls with no orchestration

▶ Speed: speed of detection, triage, & response time must improve

▶ Costs: costs continue to increase

What is SOAR?

SOAR = Security Orchestration, Automation, and Response

▶ Integrate your team, processes, and tools together.

▶ Work smarter by automating repetitive tasks, allowing analysts to focus on more mission-critical tasks.

▶ Respond faster and reduce dwell times with automated detection, investigation, and response.

▶ Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant.

Splunk Security Strategy

Collaborative SOC

Stages shown on the slide: solve across multiple domains; establish security operations; specific problem; nerve center for security.

Domains feeding the collaborative SOC: Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access.

Splunk Security Portfolio

Platform for Operational Intelligence: Search and Investigate; Monitoring & Alerting; Dashboards and Reports; Incident & Breach Response

Splunk Security Apps & Add-ons: Security Essentials, App for AWS, ML Toolkit, Google Cloud, Microsoft Cloud, Windows Infrastructure

3rd Party Apps & Add-ons (700+): Network data, RDBMS (any) data, Windows host data, Exchange data

Premium Solutions:

▶ Enterprise Security (ES Content Update, PCI Compliance): Threat Detection, Security Operations

▶ User Behavior Analytics: Discover Anomalous Behavior, Detect Unknown Threats

▶ Phantom: Automation & Orchestration

Splunk > Phantom

SOAR for Security Operations: faster execution through the loop yields better security

▶ Observe: point products (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation)

▶ Orient: analytics (SIEM, Threat Intel Platform, Hadoop, GRC)

▶ Decision Making: Tier 1, Tier 2 and Tier 3 analysts, automated with Phantom

▶ Acting: the same point products (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation) carry out the response, automated with Phantom

▶ Action results / feedback loop: results of the actions flow back into Observe

Security Operations Challenges: Before Phantom

Inefficient & inconsistent process · Staffing challenges · Increasing exposure

Situation:

• Limited & stretched resources

• Complex infrastructure with wide range of technologies from multiple security vendors

• Alert fatigue

• Expanding/changing attack surface

Outcomes with Phantom: After Phantom

Efficiency · Repeatable & auditable · Decreasing dwell times

Situation:

• Resources can focus on strategic security activities

• Faster investigations across complex infrastructure

• Increase SecOps process and team efficiency

• Reduce the attack surface risk through automation

Splunk Phantom

▶ Reduced alert investigation times from 30-45 minutes to less than one minute

▶ Applied a consistent approach to alert management and investigation, eliminating human error

▶ Increased resource efficiency by turning manual, repetitive tasks into automated processes

Security Use Case Study – Full Automation

The slide walks a phishing play through the Monitor, Detect, Investigate and Respond phases in ten numbered steps. The play is triggered by a "potential phishing" event and the actions shown are: detonate file; url reputation; ip reputation; query other recipients; check user profile; update notable event; create ticket; collaboration; response.

With SOAR: Employees Report Phishing Emails

Manually: Time per Play: 45 Minutes

With SOAR: Time per Play: 30-60 Seconds + human review time

Average time saving: Approx 40 mins

Security Event Triage in the context of Phantom

▶ Gathering together all details of an event will help to determine if there is a real security incident – and if so – how you will need to respond.

Identify: Identify the artifacts of the incident using a SIEM solution like SPLUNK ES.

Map: Map all key indicators / artifacts and gather them into a Phantom Container.

Eradicate: Having all artifacts collected, Phantom can begin swiftly with the automated process and orchestrate the right actions / assets.
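The phishing play above and the Identify / Map / Eradicate triage steps, as an added example written for this page rather than code from Splunk or Phantom: a plain-Python playbook that maps a notable event into a container of artifacts, runs the enrichment actions from the slide against constructed in-memory lookup tables, and derives the notable update and ticket decision. The Container class, the CEF-style field names and the scoring thresholds are assumptions for illustration, not Phantom's API.

```python
from dataclasses import dataclass, field
# Constructed lookup tables standing in for the reputation, sandbox and
# directory assets a real playbook would query (illustrative values only).
URL_REP = {"http://invoice-portal.example/verify": "malicious"}
IP_REP = {"198.51.100.7": "suspicious"}
SANDBOX = {"sha256:0123abcd": "malicious"}
RECIPIENTS = {"Invoice overdue": ["alice@corp.example", "bob@corp.example"]}
PROFILES = {"alice@corp.example": {"privileged": True}}
SCORE = {"malicious": 2, "suspicious": 1, "clean": 0, "unknown": 0}

@dataclass
class Container:  # one incident plus its artifacts, the way a Phantom container groups them
    name: str
    artifacts: list = field(default_factory=list)  # (cef_type, value) pairs

def map_notable(notable: dict) -> Container:
    """Identify/Map step: lift the indicators out of a SIEM notable event."""
    keys = ("url", "sourceAddress", "fileHash", "recipient", "subject")
    return Container(notable["rule"], [(k, notable[k]) for k in keys if k in notable])

def enrich(c: Container) -> dict:
    """Investigate step: the enrichment actions from the slide, keyed by action name."""
    v = {}
    for cef_type, value in c.artifacts:
        if cef_type == "url":
            v["url reputation"] = URL_REP.get(value, "unknown")
        elif cef_type == "sourceAddress":
            v["ip reputation"] = IP_REP.get(value, "unknown")
        elif cef_type == "fileHash":
            v["detonate file"] = SANDBOX.get(value, "unknown")
        elif cef_type == "subject":
            v["query other recipients"] = RECIPIENTS.get(value, [])
        elif cef_type == "recipient":
            v["check user profile"] = PROFILES.get(value, {"privileged": False})
    return v

def respond(v: dict) -> dict:
    """Respond step: fold the verdicts into a severity, a notable update and a ticket decision."""
    score = sum(SCORE[v[k]] for k in ("url reputation", "ip reputation", "detonate file") if k in v)
    if v.get("check user profile", {}).get("privileged"):
        score += 1  # a privileged target raises severity whatever the indicators say
    severity = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"update notable event": {"status": "in progress", "severity": severity},
            "create ticket": severity != "low",  # low-risk events stay with the analyst
            "needs human review": severity == "medium",  # the slide's human review time
            "affected users": v.get("query other recipients", [])}

def run_playbook(notable: dict) -> dict:
    return respond(enrich(map_notable(notable)))  # Identify/Map -> Investigate -> Respond
```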

SOC Playbooks

Splunk for the SOC - Overview

Machine Data, Universal Indexing, then Monitor, Detect, Investigate, Respond (Enterprise: On-Premise, Cloud, Hybrid)

Roles: Tier 1 - Alert Analyst (Notable Event Triage); Tier 2 - Incident Responder; Tier 3 - SME / Hunter; Orchestrate / Automate

1 Detection: Correlation; Statistics; Machine Learning; Risk

2 Investigation: Manual: Forensics / SPL; Auto: Phantom SOAR playbook automation

3 Response: Basic: Workflow Actions / ES Adaptive Response; Advanced: Phantom SOAR; Collaboration: Ticketing / Collaboration Tool

LIVE DEMO

Automation and Orchestration

Boss of the SOC III & SplunkLive! 2019

Interested in finding out how Splunk can deliver answers for you? Then SplunkLive! is the opportunity for you to learn more directly from Splunk and the Splunk Ninjas among our customers, and to interact with our partners. Hear about the ways you can gain value from your machine data and so get the answers you need.

Who should attend:

SplunkLive! is designed specifically for attendees:

▶ who are exploring the Splunk platform for the first time

▶ who are just beginning their "Splunk journey"

▶ who want to understand how their company can achieve more with Splunk

SPLUNKLIVE! MÜNCHEN

Event Details

When? 26 March 2019 from 09:00 to 17:00

Where? Sofitel München Bayerpost, Bayerstrasse 12, 80335 München

>> Registration

SPLUNKLIVE! FRANKFURT

Event Details

When? 14 May 2019 from 09:00 to 17:00

Where? Frankfurt Marriott Hotel, Hamburger Allee 2, 60486 Frankfurt am Main

>> Registration

Boss of the SOC (BOTS) is an event hosted by Splunk and played in teams of up to 4 players each. Participants use their own laptops (any operating system, as long as it can load Splunk in the browser) to access the online BOTS environment over the whole afternoon!

Boss of the SOC III

Event Details

When? 25 March 2019 from 13:00 to 19:00

Where? Sofitel München Bayerpost, Bayerstrasse 12, 80335 München

>> Registration

Thank You

Alex Pilger (CISSP, GMON)

Technical Partner Manager

Email: [email protected]

Mobile: +49 175 3571113

Skype: alpskyping

Thank you!