© 2018 SPLUNK INC.
Automating Incident Response
With Splunk Phantom
by Mark Cooke, General Electric
September 2018 | Version 3.0
$WHOAMI
Mark Cooke
▶ Staff Incident Responder at GE
▶ Worked in IR for 4 years
▶ Python hacker
▶ Phantom playbook developer
General Electric: Imagination at work
[Company overview figures as extracted: +300K, +300K, 1, 50, 3, 24/7; the labels for these figures were not recovered]
Agenda
Highlights of today’s discussion
Agenda overview
▶ Driving factors for automation
▶ Preparing for automation
▶ Implementing automation
▶ Demonstrating automation
Driving Factors for Automation and Orchestration
Goals for automating IR
Driving Factors for Automation and Orchestration
Analysts should primarily analyze data, NOT collect and move data around.
Four pillars: Automate, Centralize, Enrich, Guide
[Two pie charts titled "Analyst Time"; category labels were not recovered. Extracted splits: 40% / 10% / 40% / 10% and 10% / 40% / 10% / 40%]
Preparing for Automation and Orchestration
Designs and visions for automating IR
Design and Vision: Gathering and moving data
Design logic:
▶ Consistent fields for automation
▶ Focused searches
▶ Manageable data set
▶ Fewer searches to move data
Data flow: Correlation search → Required fields → Summary index → Phantom app
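The design above hinges on every event carrying the same required fields before it reaches the summary index, because a playbook that keys off a field that is sometimes missing fails unpredictably. The following is an added example (not code from the talk, GE or Splunk) showing the shape of that step in Python: correlation-search results are reduced to a fixed field list, events missing a field are rejected rather than forwarded, and the survivors are turned into the container plus artifact structure Phantom's REST API accepts. The required-field list, the sample events, the container label and the use of an in-memory list in place of the summary index are all assumptions.

```python
"""Normalize correlation-search results to consistent fields and build
Phantom container/artifact payloads. Added example; the required-field
list, sample events and label are assumptions, not the talk's own code."""
import json

# Assumed required fields; the talk only says fields must be consistent.
REQUIRED_FIELDS = ("_time", "src_ip", "dest", "user", "signature", "severity")

# Constructed sample correlation-search output; the second event lacks "user".
SAMPLE_RESULTS = [
    {"_time": "2018-09-01T12:00:00Z", "src_ip": "10.0.0.5", "dest": "198.51.100.7",
     "user": "jdoe", "signature": "Suspicious outbound beacon", "severity": "high",
     "raw_extra": "not needed downstream"},
    {"_time": "2018-09-01T12:01:00Z", "src_ip": "10.0.0.9", "dest": "203.0.113.4",
     "signature": "Proxy block", "severity": "low"},
]


def normalize(event):
    """Return only the required fields, or None if any is missing or empty."""
    missing = [f for f in REQUIRED_FIELDS if event.get(f) in ("", None)]
    if missing:
        return None
    return {f: event[f] for f in REQUIRED_FIELDS}


def summarize(results):
    """Stand-in for the summary-index step: keep normalized events, hold rejects."""
    summary, rejected = [], []
    for ev in results:
        norm = normalize(ev)
        if norm is None:
            rejected.append(ev)
        else:
            summary.append(norm)
    return summary, rejected


def to_phantom_container(ev, label="events"):
    """Build a Phantom container and one artifact from a summarized event.

    The CEF keys (sourceAddress, destinationAddress, sourceUserName) are the
    standard names Phantom maps actions onto; the container label is assumed."""
    severity = ev["severity"].lower()
    container = {
        "name": ev["signature"],
        "label": label,
        "severity": severity if severity in ("low", "medium", "high") else "medium",
        "description": f"Splunk correlation search: {ev['signature']}",
        "start_time": ev["_time"],
    }
    artifact = {
        "label": "event",
        "name": "Splunk event",
        "cef": {
            "sourceAddress": ev["src_ip"],
            "destinationAddress": ev["dest"],
            "sourceUserName": ev["user"],
            "signature": ev["signature"],
        },
        "run_automation": True,  # let Phantom trigger playbooks on ingest
    }
    return container, artifact


if __name__ == "__main__":
    summary, rejected = summarize(SAMPLE_RESULTS)
    for ev in summary:
        c, a = to_phantom_container(ev)
        print(json.dumps({"container": c, "artifact": a}, indent=1))
    print(f"{len(summary)} forwarded, {len(rejected)} rejected for missing fields")
```

Rejecting incomplete events at this point keeps the bad data visible in Splunk, where the correlation search can be fixed, instead of producing half-populated containers that playbooks then have to special-case.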
Design and Vision: Dividing and segmenting data flows
Manual
▶ Steps and scripts are all completed manually
▶ Analysts make triage, response and remediation decisions
Semi-Automated
▶ Select playbooks and actions run automatically
▶ Analysts make triage, response and remediation decisions
Automated
▶ Select scripts run automatically
▶ All triage, response and remediation decisions are made automatically
Response Guidance
▶ Guides analysts through triage, response and remediation decisions
▶ Builds a baseline for required actions
▶ Records incident data and actions
Design and Vision: Putting it all together
Detection and forwarding:
▶ Core detection
▶ Summarized index
▶ Forwarding to Phantom
Phantom alert pipeline:
▶ Enrich alert
▶ Decide path
▶ Ownership
▶ Triage
▶ Analysis
▶ Disposition
▶ Guided response
▶ Packaged response
Pipeline outputs: Incident Auto, Incident Alert
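The "decide path" step is where the manual, semi-automated and automated flows from the previous slide meet the enriched alert. The following is an added example (not the talk's playbook code) of that decision in plain Python: an enriched alert is routed to a flow from its enrichment verdicts, ownership is assigned from the flow, and each decision is appended to the alert's record, which is what the guided response later relies on. The enrichment fields, the thresholds, the owner names and the list of critical assets that are never auto-contained are assumptions chosen to make the logic concrete; a real Phantom playbook would take the same decisions inside `phantom.decision` blocks.

```python
"""Route an enriched alert to automated, semi-automated or manual handling and
record each decision. Added example, not the talk's code; fields, thresholds,
owner names and the critical-asset list are assumptions."""
from dataclasses import dataclass, field

# Assumed: hosts where automated containment is never acceptable.
CRITICAL_ASSETS = {"dc01.corp.example", "erp-db01.corp.example"}


@dataclass
class EnrichedAlert:
    alert_id: str
    host: str
    category: str          # e.g. "malware", "phishing", "policy"
    intel_hits: int        # number of threat-intel sources flagging the indicator
    edr_verdict: str       # "malicious", "suspicious", "clean" or "unknown"
    owner: str = ""
    record: list = field(default_factory=list)   # (step, outcome) pairs


def decide_path(alert):
    """Return 'automated', 'semi-automated' or 'manual'.

    Automated needs two independent high-confidence signals (EDR verdict and
    at least two intel hits) and a non-critical host. Anything with partial
    evidence is semi-automated so an analyst decides. No evidence: manual."""
    strong = alert.edr_verdict == "malicious" and alert.intel_hits >= 2
    if strong and alert.host not in CRITICAL_ASSETS:
        return "automated"
    if alert.edr_verdict in ("malicious", "suspicious") or alert.intel_hits >= 1:
        return "semi-automated"
    return "manual"


def assign_owner(alert, path):
    """Ownership: automation owns fully automated alerts, analysts own the rest."""
    alert.owner = "phantom-automation" if path == "automated" else "ir-analyst-queue"
    return alert.owner


def run_pipeline(alert):
    """Decide path -> ownership -> disposition, recording every step."""
    path = decide_path(alert)
    alert.record.append(("decide_path", path))
    alert.record.append(("ownership", assign_owner(alert, path)))
    if path == "automated":
        disposition = "true_positive"          # decided by automation
    elif path == "semi-automated":
        disposition = "pending_analyst"        # guided response presents choices
    else:
        disposition = "pending_analyst_manual"
    alert.record.append(("disposition", disposition))
    return path, disposition


# Constructed sample alerts: clean automation case, critical asset, no evidence.
SAMPLES = [
    EnrichedAlert("A-1", "wks-4411", "malware", 3, "malicious"),
    EnrichedAlert("A-2", "dc01.corp.example", "malware", 3, "malicious"),
    EnrichedAlert("A-3", "wks-0071", "policy", 0, "unknown"),
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(a.alert_id, run_pipeline(a), a.record)
```

The critical-asset check is the caveat worth copying: the same evidence that justifies auto-quarantining a workstation should only open a guided response for a domain controller, because the cost of a wrong automated decision is not uniform across hosts.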
Implementing Automation and Orchestration
Components for making this work
Playbook Development: Developing playbooks
Building blocks: Playbook actions, Packaged responses, Playbooks, Categories
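Packaged responses are ordered sets of playbook actions chosen per alert category. The following is an added example (not the talk's playbooks) of how such a package can be run so that it respects the flow the alert was routed to: in a semi-automated flow, actions that change the environment wait for analyst approval while harmless ones such as ticket creation proceed, and every action result is recorded. The action names mirror the playbooks the deck lists later (ticket creation, network containment, domain/IP blocks), but the action bodies here are stand-ins that only record what they would do; in Phantom they would be app actions, and the package composition per category is assumed.

```python
"""Run a packaged response with approval gating and an action log.
Added example, not the talk's code; action bodies are stand-ins and the
per-category package composition is an assumption."""

# Actions that change the environment; approval required outside 'automated'.
CONTAINMENT_ACTIONS = {"quarantine_host", "block_domain", "block_ip"}


def create_ticket(ctx, log):
    ctx["ticket_id"] = f"IR-{ctx['alert_id']}"
    log.append(("create_ticket", "success", ctx["ticket_id"]))
    return True


def block_domain(ctx, log):
    for d in ctx.get("domains", []):
        log.append(("block_domain", "success", d))
    return True


def block_ip(ctx, log):
    for ip in ctx.get("ips", []):
        log.append(("block_ip", "success", ip))
    return True


def quarantine_host(ctx, log):
    log.append(("quarantine_host", "success", ctx["host"]))
    return True


ACTIONS = {f.__name__: f for f in (create_ticket, block_domain, block_ip, quarantine_host)}

# Packaged responses: ordered action names per alert category (assumed).
PACKAGES = {
    "malware": ["create_ticket", "quarantine_host", "block_domain", "block_ip"],
    "phishing": ["create_ticket", "block_domain"],
}


def run_package(category, ctx, mode, approved=frozenset()):
    """Run the packaged response for `category` under a given flow.

    mode 'automated' runs every action; 'semi-automated' runs only actions
    that are not containment or that an analyst listed in `approved`, and
    records the rest as awaiting approval; 'manual' records each step for
    the analyst without running anything. Returns the (action, status,
    detail) log. A failing action stops the package."""
    log = []
    for name in PACKAGES[category]:
        if mode == "manual":
            log.append((name, "manual_step", None))
            continue
        if name in CONTAINMENT_ACTIONS and mode != "automated" and name not in approved:
            log.append((name, "awaiting_approval", None))
            continue
        if not ACTIONS[name](ctx, log):
            log.append((name, "failed_stop", None))
            break
    return log


# Constructed sample context for one alert.
SAMPLE_CTX = {"alert_id": "A-1", "host": "wks-4411",
              "domains": ["bad.example"], "ips": ["203.0.113.4"]}

if __name__ == "__main__":
    for mode in ("automated", "semi-automated", "manual"):
        print(mode, run_package("malware", dict(SAMPLE_CTX), mode))
    print("approved", run_package("malware", dict(SAMPLE_CTX), "semi-automated",
                                  approved={"block_domain"}))
```

Keeping the gate in the package runner rather than in each action means a new containment action only needs to be added to `CONTAINMENT_ACTIONS` to inherit the approval behaviour, which is what makes the speed and consistency gains from packaging safe to extend.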
Playbook Highlights
[Chart: playbooks plotted against two axes, Consistency and Speed (scales 0 to 6 and 0 to 16). Recovered point labels: host_investigation, proxy block; the remaining labels were not recovered]
Demo
Automation and orchestration in action
Demo – Alert Enrichment
Gathering and collecting data
Demo – Alerting
Triaging our enriched alerts
Demo – Response
Responding to the threat
Incident Automation
Automating the response process
Playbook Impacts
Accomplishments from implementing automation and orchestration
Playbook Impacts: Estimated hours saved per month
Playbooks measured:
▶ Ticket creator
▶ Network containment
▶ Domain/IP blocks
▶ Alert history and auto-categorization
[Bar chart values as extracted: 22 hours, 30 hours, 30 hours, 32 hours]
Conclusion
Conclusion: Implementing automation and orchestration
By implementing automation and orchestration through Phantom we're aiming to:
▶ Focus analysts' time on analysis
▶ Focus analysts' time on finding threats
▶ Reduce risk through speed and consistency
[Pie chart titled "Analyst Time"; category labels were not recovered. Extracted split: 10% / 40% / 10% / 40%]
Don't forget to rate this session
in the .conf18 mobile app
Thank You!