How to Leverage Splunk's Security Intelligence Platform for Security Operations Environments
TRANSCRIPT
Copyright © 2013 Splunk Inc.
Enoch Long, Principal Security Strategist/Client Architect, Splunk (Federal) #splunkconf
How to Leverage Splunk's Security Intelligence Platform for Security Operations Environments
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.
©2013 Splunk Inc. All rights reserved.
Enoch Long | Principal Security Strategist [email protected]
• Education: Computer Science, Temple University
• Skills: Network Security, Cyber Content Developer, Cyber Operations
• Career: 10 yrs
• Jobs: Cyber SME 7 yrs, SOC Mgr 2 yrs, Security Strategist 1 yr
• Govt Agencies: NSA, DHS, NRO, Dept of Edu
• Defense Companies: Northrop Grumman, General Dynamics, AT&T
• Accomplishments: 2012 Modern Day Technology Leader of the Year, BEYA
Agenda
• Overview of Splunk's Security Intelligence Platform
• Alignment of Security Operations to Splunk
• Overview of Security Operations "Third Eye"
• Security Intangibles
• Questions
Security → Intelligence → Platform
• Security – Application Security – Computing Security – Data Security – Information Security – Network Security
• Intelligence – Logic – Creativity – Visual Processing – Abstract Thought – Learning
• Platform – Multi-tenanted – Framework – Flexible – Development – Scale – Diverse Use Cases
Overview of Security OperaNons
![Page 7: How to Leverage Splunk's Security Intelligence Plarorm for Security](https://reader034.vdocuments.us/reader034/viewer/2022052606/5868b81f1a28abdd708b4867/html5/thumbnails/7.jpg)
OrganizaNons within SecOps
7
Security Monitoring
Incident/Intelligence & Response
Counter Intel
Splunk Alignment with Ops
Technology Alignment to Operations
Security Monitoring Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Incident/Intelligence Response Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Counter-Intelligence Using Splunk
• Job Roles
• Job Skills
• The Mission
• Leveraging Splunk
• Scenario
Overview Security Ops “Third Eye”
"Third Eye" Organizations
• Messaging Team
• Active Directory Team
• Firewall Team
• Web Server Team
• Data Loss Prevention Team
• Anti-Virus Team
Third Eye: a mystical concept, but in the security realm it is the inner eye, the invisible eye that monitors and protects the network: the operations intelligence teams.
Splunk for Operations Intelligence Scenarios
Mail Team
Roles: SOC Analyst, Exchange Admins, CI Analyst
Active Directory Team
Roles: SOC Analyst, AD Admins, Incident Responder
Firewall Team
Roles: SOC Analyst, Firewall Admins, Incident Responder
Web Server Team
Roles: SOC Analyst, Web Server Admins, App Developer
Security Intangibles
• Data Sources
• Common Mistakes
• Capability Limitations
• Lessons Learned
Data Sources
• Traditional logs – Network device – Server – Web applications – Anti-virus – Mail logs
• Non-traditional logs – Chat logs – Phone call logs – War-dialing logs – Custom script logs – HR database logs – Honey-pot – The "secret sauce"
Insight
Common Mistakes
• Misalignment of personnel to product core capabilities
• Wrong data sources
• No content strategy
• Lack of tech integration
• Minimal usage of SDK/API framework
Capability Limitations
• Out of the box content/updates
• Complex search language
• Real-time at large scale
• No core case ticketing system
• Robust asset modeling tool
Lessons Learned
1. Monitor role-based controls
2. Prioritize data
3. Prioritize concurrent searches
4. Align skills with Splunk capability
5. Not enough "backend" Splunk ninjas
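As an added illustration (not part of the deck), this is the Splunk configuration a practitioner would pair with lessons 1 to 3: per-role search quotas in authorize.conf, a concurrency ceiling in limits.conf, and an audit search that shows who actually consumes the search capacity. The role names, index names and numbers are assumptions chosen for the example.

```ini
# --- authorize.conf (assumed role and index names; added example) ---
# Lesson 1: monitor role-based controls. A tier-1 monitoring role sees only
# the security indexes it needs and gets a small search budget, so one
# runaway dashboard cannot starve the incident responders.
[role_soc_tier1]
importRoles = user
srchIndexesAllowed = security;firewall;windows
srchIndexesDefault = security
# concurrent historical searches per user
srchJobsQuota = 3
# concurrent real-time searches per user
rtSrchJobsQuota = 1
# MB of search artifacts per user
srchDiskQuota = 200
# maximum search time span in seconds (30 days)
srchTimeWin = 2592000

# Incident responders need deeper history and more concurrency.
[role_incident_responder]
importRoles = soc_tier1
srchIndexesAllowed = *
srchJobsQuota = 10
rtSrchJobsQuota = 3
srchDiskQuota = 1000
# 0 = no time window (overrides the imported 30-day limit)
srchTimeWin = 0

# --- limits.conf (search head) ---
# Lesson 3: prioritize concurrent searches. Cap the search head's total and
# reserve half of it for scheduled (correlation/alerting) searches so
# ad-hoc hunting cannot crowd out detection content.
[search]
base_max_searches = 6
max_searches_per_cpu = 1

[scheduler]
max_searches_perc = 50

# --- SPL to monitor the controls (run from an admin role) ---
# Lesson 2: prioritize data. Splunk's own _audit index records every search,
# so this shows which users and searches consume the most run time:
# index=_audit action=search info=completed
# | stats count sum(total_run_time) AS seconds by user
# | sort - seconds
```

Adjust the quotas to the search head's CPU count; the limits.conf values above are a starting point for a small deployment, not a recommendation for every site.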
Next Steps
1. Download the .conf2013 Mobile App. If not iPhone, iPad or Android, use the Web App.
2. Take the survey & WIN A PASS FOR .CONF2014… or one of these bags!
THANK YOU