© 2017 SPLUNK INC.
Splunk for Cyber Security
Cyber Security Trade Mission to Canada
Sebastien Ferreira
Director of Sales, Federal and Eastern Canada
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
Threat actors: Cyber Criminals, Malicious Insiders, Nation States
Advanced Threats Are Hard To Find
Cyber Criminals, Nation States, Insider Threats
100%: valid credentials were used
40: average number of systems accessed
229: median number of days before detection
67%: of victims were notified by an external entity
Source: Mandiant M-Trends Report 2012/2013/2014
Advanced Threats are Hard to Find
Attack Approach (the threat):
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security Approach (people, process, technology):
• Fusion of people, process & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
Advanced Threats are Hard to Find (continued)
Security Approach, summarized as three pillars:
• Analytics-driven Security
• Connecting Data and People
• Risk-Based Context and Intelligence
Advanced Threats are Hard to Find
Top Goals:
▶ Continuously protect the business against:
• Data Breaches
• Malware
• Fraud
• IP Theft
▶ Comply with audit requirements
▶ Provide enterprise visibility
Top Splunk Benefits (vendor-stated figures):
▶ 70% to 90% improvement in detection and research of events
▶ 70% to 95% reduction in security incident investigation time
▶ 10% to 30% reduction in risks associated with data breaches, fraud and IP theft
▶ 70% to 90% reduction in compliance labor
Advanced Threats are Hard to Find: data sources
Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Other machine data sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access, Badges, Threat Intelligence, Mobile, CMDB
Solution: Splunk, the Engine for Machine Data
Capabilities: Ad hoc search, Monitor and alert, Report and analyze, Custom dashboards, Developer Platform
Enrichment sources:
• References: coded fields, mappings, aliases
• Dynamic information: stored in non-traditional formats
• Environmental context: human-maintained files, documents
• System/application: available only using application request
• Intelligence/analytics: indicators, anomaly, research, white/blacklist
Real-time machine data, on-premises, private cloud and public cloud: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Security Intelligence Use Cases: complement, replace and go beyond traditional SIEMs
• Security & Compliance Reporting
• Real-time Monitoring of Known Threats
• Detecting Unknown Threats
• Fraud Detection
• Insider Threat
• Incident Investigations & Forensics
Connect the "Data-Dots" to See the Whole Story
Kill chain stages across the top of the slide: Delivery, Exploit, Installation, Gain Trusted Access, Upgrade (escalate), Lateral Movement, Data Gathering, Exfiltration, Persist, Repeat
Each data layer answers a different question and comes from different sources:
Threat Intelligence
  Tells you: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
  Sources: third-party threat intel, open source blacklist, internal threat intelligence
Network Activity/Security
  Tells you: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
  Sources: firewall, IDS/IPS, vulnerability scanners, web proxy, NetFlow, network devices
Host Activity/Security
  Tells you: what process is running (malicious, abnormal, etc.), process owner, registry modifications, attack/malware artifacts, patching level, attack susceptibility
  Sources: endpoint (AV/IPS/FW), malware detection, PCLM, DHCP, OS logs, patching
Auth - User Roles
  Tells you: access level, privileged users, likelihood of infection, where they might be in the kill chain
  Sources: Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO
Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
Kill chain stages shown: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission
Delivery vectors shown: email (phishing) and web (download from infected site)
Data layers, with the same sources as on the previous slide: Threat Intelligence, Network Activity/Security, Host Activity/Security, Auth - User Roles
Pivot points walked through in the slide: Threat Intelligence Data, Host or ETDR Data, Web or Firewall Data
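The two preceding slides describe pivoting from one data layer to the next (threat intel hit, to the host behind the IP, to the user on that host, to where that user went next). The following is an added example, not Splunk code and not SPL: a small Python script that performs that pivot over constructed proxy, DHCP and authentication log lines with a constructed indicator list. Every hostname, IP, domain and user in it is hypothetical; the point is the join logic, which in Splunk would be expressed as searches over the indexed sources listed above.

```python
"""Added example (not Splunk's own code): pivot from a threat-intel hit across
network, host and identity data, the way the "Data-Dots" slide describes.
All log lines and indicators below are constructed for illustration."""
from datetime import datetime

# Constructed threat-intel list: domain -> tag (hypothetical indicators)
THREAT_INTEL = {
    "update-cdn.example.net": "campaign-A C2",
    "files.example.org": "campaign-A staging",
}

# Constructed web-proxy log: time, source IP, destination host, method, status
PROXY_LOG = """\
2017-03-01T09:12:03Z 10.1.4.22 mail.example.com GET 200
2017-03-01T09:13:41Z 10.1.4.22 update-cdn.example.net GET 200
2017-03-01T09:14:10Z 10.1.4.22 update-cdn.example.net POST 200
2017-03-01T10:02:55Z 10.1.4.37 intranet.example.com GET 200
"""

# Constructed DHCP lease log: time, IP, hostname (resolves the IP seen by the proxy)
DHCP_LOG = """\
2017-03-01T08:55:00Z 10.1.4.22 WS-FIN-017
2017-03-01T08:58:30Z 10.1.4.37 WS-HR-003
"""

# Constructed authentication log: time, host, user, result
AUTH_LOG = """\
2017-03-01T08:56:12Z WS-FIN-017 jdoe success
2017-03-01T09:20:47Z FS-01 jdoe success
2017-03-01T09:21:03Z DC-01 svc_backup success
"""


def parse(log, fields):
    """Split space-separated log lines into dicts; the first field is the timestamp."""
    rows = []
    for line in log.splitlines():
        row = dict(zip(fields, line.split()))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


PROXY = parse(PROXY_LOG, ["ts", "src_ip", "dest", "method", "status"])
DHCP = parse(DHCP_LOG, ["ts", "ip", "host"])
AUTH = parse(AUTH_LOG, ["ts", "host", "user", "result"])


def ioc_hits(proxy=PROXY, intel=THREAT_INTEL):
    """Threat-intelligence layer: proxy events whose destination is a known indicator."""
    return [dict(e, tag=intel[e["dest"]]) for e in proxy if e["dest"] in intel]


def host_for_ip(ip, at, dhcp=DHCP):
    """Host layer: the most recent DHCP lease for `ip` issued at or before `at`.
    Without this step an IP-based alert cannot be tied to a machine."""
    leases = [l for l in dhcp if l["ip"] == ip and l["ts"] <= at]
    return max(leases, key=lambda l: l["ts"])["host"] if leases else None


def user_on_host(host, at, auth=AUTH):
    """Identity layer: the last successful logon on `host` at or before `at`."""
    logons = [a for a in auth if a["host"] == host and a["result"] == "success" and a["ts"] <= at]
    return max(logons, key=lambda a: a["ts"])["user"] if logons else None


def later_logons(user, after, exclude_host, auth=AUTH):
    """Lateral-movement candidates: other hosts the same user logged on to after the hit."""
    return sorted({a["host"] for a in auth
                   if a["user"] == user and a["ts"] > after and a["host"] != exclude_host})


def investigate(proxy=PROXY, dhcp=DHCP, auth=AUTH, intel=THREAT_INTEL):
    """Start at the IOC hits and pivot outward; returns one finding per affected host."""
    findings = {}
    for hit in ioc_hits(proxy, intel):
        host = host_for_ip(hit["src_ip"], hit["ts"], dhcp)
        if host is None:
            continue  # no lease record: the IP cannot be attributed, leave it for manual review
        f = findings.setdefault(host, {
            "ip": hit["src_ip"], "first_seen": hit["ts"], "c2_contacts": 0,
            "tags": set(), "user": user_on_host(host, hit["ts"], auth), "later_hosts": [],
        })
        f["c2_contacts"] += 1
        f["tags"].add(hit["tag"])
        f["first_seen"] = min(f["first_seen"], hit["ts"])
        if f["user"]:
            f["later_hosts"] = later_logons(f["user"], f["first_seen"], host, auth)
    return findings


if __name__ == "__main__":
    for host, f in investigate().items():
        print(host, f)
```

Run it with `python3 pivot.py`; on the constructed data it attributes the C2 contacts to WS-FIN-017, names jdoe as the logged-on user, and lists FS-01 as the host jdoe reached afterwards. Two details matter in practice: the DHCP join is time-bounded (a lease issued after the event must not be used), and a hit whose IP has no lease record is kept out of the findings rather than guessed.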
Security Ecosystem for Coverage and Protection
Data layers: Threat Intelligence, Auth - User Roles, Host Activity/Security, Network Activity/Security
Kill chain stages: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission
Limitations of Existing SIEMs
▶ Limited view of security threats: difficult to collect non-security data; costly custom collectors; schema-bound data store
▶ Inflexible search/reporting hampers investigations and threat detection
▶ Scale/speed issues impede the ability to do big data analytics
▶ Difficult to deploy and manage; often multiple products
Splunk Key Differentiators vs Traditional SIEMs
▶ Single product, UI, data store
▶ Software-only; install on commodity hardware
▶ Quick deployment + ease-of-use = fast time-to-value
▶ Can index any data type
▶ All original/raw data indexed and searchable
▶ Big data architecture enables scale and speed
▶ Flexible search and reporting enables better/faster threat investigations and detection
▶ Open platform with API, SDKs, Apps
▶ Use cases beyond security/compliance
Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
• Dashboards & Reports
• Incident Investigations and Management
• Statistical Outliers & Risk Scoring
• Asset & Identity Aware
Risk-based security (Enterprise Security dashboards shown on the slides):
• Security Posture
• Continuous Monitoring for Security Domains
• Risk-Based Analytics
• Fast Incident Review and Investigation
• Broad and Deep Investigation
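The "Statistical Outliers & Risk Scoring" and "Asset & Identity Aware" capabilities above rest on one idea: many individually weak signals, weighted by the criticality of the asset and the privilege of the identity they involve, add up to something an analyst should look at. The following is an added example, not Splunk code: a Python sketch of that accumulation over constructed notable events, a constructed asset inventory and identity list, and a constructed per-host egress volume table used for a z-score outlier check. Severity weights, thresholds and multipliers are assumptions chosen for illustration.

```python
"""Added example (not Splunk's own code): risk-based scoring in the spirit of the
"Statistical Outliers & Risk Scoring" and "Asset & Identity Aware" features.
Individual notable events contribute weighted risk to the asset and identity
they involve; asset criticality and privileged-account status scale the
contribution, and an egress-volume outlier check adds a high-severity event.
All inventories, events, weights and volumes are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 60, "critical": 100}  # assumed weights

# Constructed CMDB-style asset inventory: host -> criticality multiplier
ASSETS = {"WS-FIN-017": 1.0, "WS-HR-003": 1.0, "FS-01": 2.0, "DC-01": 3.0}

# Constructed identity context: user -> is privileged
IDENTITIES = {"jdoe": False, "svc_backup": True, "administrator": True}

# Constructed notable events: (source, host, user or None, severity)
EVENTS = [
    ("threat_intel", "WS-FIN-017", "jdoe", "medium"),   # proxy hit on a listed domain
    ("endpoint", "WS-FIN-017", "jdoe", "low"),          # unsigned binary executed
    ("vuln_scan", "WS-FIN-017", None, "low"),           # missing patch
    ("auth", "FS-01", "jdoe", "low"),                   # first logon to this server
    ("auth", "DC-01", "svc_backup", "medium"),          # interactive logon by a service account
    ("ids", "WS-HR-003", None, "low"),                  # single IDS signature
]

# Constructed egress volume per host for the day, in MB
BYTES_OUT = {
    "WS-FIN-017": 4200, "WS-HR-003": 310, "FS-01": 520, "DC-01": 280,
    "WS-ENG-021": 350, "WS-ENG-022": 400, "WS-OPS-004": 290, "WS-OPS-005": 330,
}


def egress_outliers(bytes_out=BYTES_OUT, z_threshold=2.0):
    """Statistical outlier: hosts whose egress volume is more than z_threshold
    population standard deviations above the mean. Returns [(host, z), ...]."""
    vals = list(bytes_out.values())
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:
        return []  # every host sent the same amount: nothing stands out
    return [(h, round((v - mu) / sigma, 2)) for h, v in bytes_out.items()
            if (v - mu) / sigma > z_threshold]


def risk_scores(events=EVENTS, bytes_out=BYTES_OUT, assets=ASSETS, identities=IDENTITIES):
    """Accumulate weighted risk per host and per user.
    Returns (host_risk, user_risk, distinct sources per host)."""
    events = list(events) + [("egress_outlier", h, None, "high") for h, _ in egress_outliers(bytes_out)]
    host_risk, user_risk, sources = defaultdict(float), defaultdict(float), defaultdict(set)
    for source, host, user, severity in events:
        weight = SEVERITY_WEIGHT[severity]
        host_risk[host] += weight * assets.get(host, 1.0)   # unknown asset: neutral multiplier
        sources[host].add(source)
        if user:
            user_risk[user] += weight * (2.0 if identities.get(user, False) else 1.0)
    return dict(host_risk), dict(user_risk), dict(sources)


def notable_hosts(host_risk, sources, threshold=80.0, min_sources=3):
    """Hosts that deserve analyst attention: aggregate score at or above the
    threshold, or signals from at least min_sources independent sources
    (several low-severity events that no single rule would escalate).
    Sorted by score, highest first."""
    picks = [h for h, s in host_risk.items() if s >= threshold or len(sources[h]) >= min_sources]
    return sorted(picks, key=lambda h: -host_risk[h])


if __name__ == "__main__":
    hosts, users, sources = risk_scores()
    for h in notable_hosts(hosts, sources):
        print(f"{h}: risk={hosts[h]:.0f} sources={sorted(sources[h])}")
    print("user risk:", users)
```

On the constructed data WS-FIN-017 surfaces because four independent sources (intel hit, endpoint, vulnerability scan, egress outlier) pile up on it, while DC-01 surfaces on a single medium event only because the asset multiplier for a domain controller is high. Neither would be caught by a per-source severity threshold alone, which is the argument the slides make for scoring risk across sources rather than alerting per event.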
Adaptive Response: Analytics-Driven Decisions, Automation
▶ Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times
▶ Improve operational efficiency using workflow-based context with automated and human-assisted decisions
▶ Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
Partner categories: Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel
Partners shown: Acalvio, AlgoSec, Anomali, Carbon Black, Cisco, CloudLock, CrowdStrike, CyberArk, Demisto, DomainTools, ForeScout, Fortinet, Okta, OpenDNS, Palo Alto Networks, Phantom, Proofpoint, Qualys, Recorded Future, RedSeal, Resolve, Symantec, Tanium, ThreatConnect, Ziften
Splunk Positioned as a Leader: Gartner 2016 Magic Quadrant for Security Information and Event Management*
▶ Four years in a row as a Leader
▶ Furthest overall in Completeness of Vision
▶ Splunk also scores highest in the 2016 Critical Capabilities for SIEM report in all three use cases
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Splunk scores highest in 2016 Critical Capabilities for SIEM* report
*Gartner, Inc., Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa, 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Thank you