Infosecurity Europe 2016: Operationalizing Threat Intelligence

Page 1: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Copyright © 2016 Splunk, Inc.

Operationalizing Threat Intelligence

Learn How to Accelerate Threat Detection, Investigation & Response

Page 2: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Fill out the Postcard and win a SONOS Play:1 today


Page 3: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Are you using Splunk already?

Page 4: Infosecurity Europe 2016: Operationalizing Threat Intelligence

What are common SecOps problems?

Malicious activities go undetected or are difficult to prevent

All threats look equally ominous

Long cycles to detect and respond


Security teams need to quickly identify and remediate issues – from early warning to breach investigation

Page 5: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Why Threat Intelligence?

Difficult to keep up with a rapidly evolving threat landscape: know your adversaries so that you can develop strategies to remediate attacks

Internal resources (people, tools, process) are unable to keep up: use 3rd-party knowledge, i.e. collective intelligence

Uncover compromised systems and search for advanced threats: scope and investigate potential threats

Page 6: Infosecurity Europe 2016: Operationalizing Threat Intelligence

What Does Threat Intelligence Consist Of?

"Feeds" – sources of threat intelligence

Platform or product with ability to ingest feeds

Visualization of threat indicators

Ability to correlate indicators across all available context

Page 7: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Widening the Net

Broad coverage: multiple threat intelligence feeds from various sources, such as Law Enforcement Feeds, ISAC Feeds, Agency Feeds, Commercial Services, Community Feeds, Open-Source Feeds and Other Enrichment Services

Each feed provides a unique perspective on a threat

Each feed provides a different benefit

Multiple feeds provide better "coverage"

Page 8: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Slide diagram: broad coverage via multiple threat intelligence feeds from various sources, each with its own data format, transport and use.

Sources: Law Enforcement Feeds, ISAC Feed 1, ISAC Feed 2, Agency Feed 1, Agency Feed 2, Commercial Service 1, Commercial Service 2, Community Feed, Open-Source Feed, Other Enrichment Services

Data formats: STIX, CybOX, OpenIOC, XML, CSV, flat file, formatted text, unstructured text, proprietary

Transport / messaging: TAXII, REST, emails, RSS

Transmission type: push, pull, retrieve, distribute, redistribute

Use (task): gather intel on darknets; gather intel per industry; onboard new intel; centralize all intel; monitor and triage alerts; update ticket status / details; auto-search, real time; auto-search, historical; use for analysis / IR; collect / provide forensics; use to hunt / uncover; use to hunt / link events; determine impact on network; determine impact on assets; determine impact on data; share info with partners

It does not have to be this complex

Page 9: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Threat Intel feeds

Sources: Law Enforcement Feeds, ISAC Feed 1, ISAC Feed 2, Agency Feed 1, Agency Feed 2, Commercial Service 1, Commercial Service 2, Community Feed, Open-Source Feed, Other Enrichment Services

Focus on using Threat Intel to investigate and remediate not on how to bring the data in

Page 10: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Threat Intelligence Framework (built into Splunk Enterprise Security)

Collect, manage (Data Management) → Categorize (Threat Activity) → Correlate (Correlation Data / Notable Events) → Search (Data Search)

Page 11: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Splunk Threat Intelligence Ecosystem (Threat Intel partners; Splunk Security Ecosystem as of 2015-11-02)

Page 12: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Customer Success #1

Threat Data Sources (agencies, relationships, vendor subscriptions, ISACs) → Splunk Threat Intelligence Framework → Result: actionable intelligence
• Malicious IPs / URLs blocked
• Compromised credentials remediated
• Impostor and new domains identified

Summary
• 25% of threat intelligence data feeds are actionable
• 90% of infections are blocked; most malware alerts "eliminated" with no user impact
• Found compromised accounts / activity

Page 13: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Customer Success #2

Threat Data Sources (50+ pre-packaged free feeds, own content, other 3rd-party feeds such as Facebook ThreatExchange) → Splunk ES Threat Intelligence Framework → automated IoC blocking

Summary
• Automated detection and blocking of indicators of compromise
• Improved efficiency
• Reduced time to remediation

Page 14: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Splunk helps you to Operationalize Threat Intel

• Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources
• Integrated support for standards such as STIX/TAXII and OpenIOC
• Use your own data to build your own threat intelligence
• Out-of-the-box Activity and Artifact dashboards
• Prioritize, contextualize and analyze threats, and remediate faster
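As an added illustration of the collect / aggregate / de-duplicate / correlate loop described on this slide and on the framework and feed-format slides above, here is a small self-contained Python pipeline. It is not Splunk ES code and uses no Splunk API. It parses a CSV flat-file feed and a reduced STIX-2-style JSON bundle (only simple ipv4-addr and domain-name comparison patterns; OpenIOC and TAXII transport are out of scope), merges duplicates across feeds while recording which feeds reported each indicator, then matches the merged set against constructed proxy/DNS log lines and raises one notable event per hit, ranked higher when confidence is high or more than one feed agrees. All feed contents, indicator values, log lines and function names are constructed for the example.

```python
"""Minimal threat-intelligence pipeline: collect feeds in two formats,
normalize and de-duplicate indicators, then correlate them against log
events to raise notable events. Added example; not Splunk ES code.
All feeds, indicators and log lines below are constructed for the demo."""
import csv
import io
import json
import re

# Constructed CSV "flat file" feed. Note the duplicate IP with a different score.
CSV_FEED = """indicator,type,confidence
198.51.100.23,ip,80
Evil-Example.test,domain,60
198.51.100.23,ip,90
"""

# Constructed STIX-2-style bundle, reduced to the fields the parser needs.
STIX_FEED = json.dumps({"objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.23']", "confidence": 70},
    {"type": "indicator", "pattern": "[domain-name:value = 'c2.example.test']", "confidence": 50},
    {"type": "malware", "name": "unrelated object"},
]})

# Only the two simple STIX comparison patterns this demo understands.
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def parse_csv_feed(text, source):
    """Yield normalized indicators from a CSV feed with indicator,type,confidence columns."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"type": row["type"].strip(), "value": row["indicator"].strip().lower(),
               "confidence": int(row["confidence"]), "source": source}


def parse_stix_feed(text, source):
    """Yield normalized indicators from STIX indicator objects; skip patterns we cannot parse."""
    for obj in json.loads(text)["objects"]:
        match = obj.get("type") == "indicator" and STIX_PATTERN.fullmatch(obj["pattern"])
        if not match:
            continue  # unsupported object or pattern: skip rather than guess
        kind = "ip" if match.group(1) == "ipv4-addr" else "domain"
        yield {"type": kind, "value": match.group(2).lower(),
               "confidence": int(obj.get("confidence", 0)), "source": source}


def aggregate(*feeds):
    """De-duplicate across feeds: one entry per (type, value), keeping the highest
    confidence and the set of feeds that reported it (coverage)."""
    merged = {}
    for ind in (i for feed in feeds for i in feed):
        entry = merged.setdefault((ind["type"], ind["value"]),
                                  {"type": ind["type"], "value": ind["value"],
                                   "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], ind["confidence"])
        entry["sources"].add(ind["source"])
    return merged


def correlate(log_text, merged):
    """Extract IPs and domains from each log line and look them up in the merged
    indicator set; return one notable event per hit, prioritized by confidence
    and by how many independent feeds agree."""
    notables = []
    for line in log_text.splitlines():
        lowered = line.lower()
        candidates = [("ip", v) for v in IP_RE.findall(lowered)]
        candidates += [("domain", v) for v in DOMAIN_RE.findall(lowered)]
        for key in candidates:
            hit = merged.get(key)
            if hit is None:
                continue
            high = hit["confidence"] >= 80 or len(hit["sources"]) >= 2
            notables.append({"event": line, "indicator": hit["value"], "type": hit["type"],
                             "confidence": hit["confidence"], "sources": sorted(hit["sources"]),
                             "severity": "high" if high else "medium"})
    return notables


# Constructed proxy/DNS log lines; only the first two should match.
LOGS = """2016-06-07T10:00:01Z src=10.0.0.5 dest=198.51.100.23 action=allowed
2016-06-07T10:00:02Z src=10.0.0.7 query=c2.example.test rcode=NOERROR
2016-06-07T10:00:03Z src=10.0.0.9 dest=203.0.113.8 url=http://www.example.org/ action=allowed
"""


def run_pipeline():
    """Collect -> aggregate -> correlate; returns (merged indicators, notable events)."""
    merged = aggregate(parse_csv_feed(CSV_FEED, "csv-feed"),
                       parse_stix_feed(STIX_FEED, "stix-feed"))
    return merged, correlate(LOGS, merged)


if __name__ == "__main__":
    indicators, events = run_pipeline()
    print(f"{len(indicators)} unique indicators from 2 feeds")
    for ev in events:
        print(ev["severity"], ev["type"], ev["indicator"], ev["sources"])
```

The source set kept on each merged entry is the practical point of the "multiple feeds provide better coverage" slide: an indicator reported by two independent feeds is a stronger signal than a single high confidence score, and de-duplicating without retaining provenance throws that evidence away before an analyst ever sees it in triage.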

Page 15: Infosecurity Europe 2016: Operationalizing Threat Intelligence

MBDA Germany Drives Security Intelligence With Splunk Enterprise Security

• Enables the security operations center (SOC) team to work very efficiently
• Since deploying ES, the average time to analyze a CERT message has been reduced from 372 minutes to just 15
• Real-time alerts identify attacks that would previously have gone undetected
• Analysis of historical data informs future security measures, resulting in a more resilient security posture overall

"Splunk dramatically reduces security risks at MBDA Germany. The software helps us to work much more efficiently, gain visibility across our entire network, react more quickly to security breaches and use insights from our data analysis to inform our future security strategy."

— Head of IT and Project Manager Information Technology, MBDA Germany

Page 16: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Hands-on: try the online sandbox, a 7-day personal environment

www.splunk.com

Page 17: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Fill out the Postcard and win a SONOS Play:1 today


Page 18: Infosecurity Europe 2016: Operationalizing Threat Intelligence

Copyright © 2016 Splunk, Inc.

Thank you