This document provides an overview and agenda for a Splunk presentation on operational security intelligence. The presentation covers Splunk security capabilities including threat intelligence via lookups, the common information model for normalizing security data from multiple sources, and analyzing advanced Windows attacks via specific event IDs. It also discusses using security-related apps from Splunkbase. The document contains several legal disclaimers about forward-looking statements and roadmap information.
whoami
James Overman, joverman@splunk.com
• Splunk Sales Engineer
• Over 20 years in IT infrastructure & security
• CISSP
• Worked for leading security integrators and vendors
LEGAL NOTICE
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
New approach to security operation is needed
THREAT: Attack Approach
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques
Security Approach
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
[Diagram: People, Process, Technology]
Incident Analysis & Investigation
• Often initiated by an alert in another product
• Investigation requiring rapid ad hoc searching across data over time
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
[Screenshot: samples of raw machine data (syslog, DHCP and JFFNMS events) next to a monthly timeline chart, January to April]
Tstats and/or pivot – use them!
• Tstats can search distributed .tsidx files
• Use the search term FROM datamodel=<datamodelname>
• For example:
| tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
• You should expect dramatically faster search results using this method
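As an added example (not a search from the deck), the following SPL applies the `tstats ... FROM datamodel=` form above to an investigation question from the earlier slide: "has this occurred elsewhere in the past?" It assumes the Splunk Common Information Model add-on is installed, that the `Authentication` data model is accelerated, and that the source add-ons populate the CIM fields `Authentication.action`, `Authentication.src` and `Authentication.user`; the threshold of 20 failures per hour is an arbitrary constructed value.

```spl
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-24h latest=now
    BY _time span=1h, Authentication.src, Authentication.user
| rename Authentication.src AS src, Authentication.user AS user
| where failures > 20
| sort - failures
```

`summariesonly=true` restricts the search to the accelerated .tsidx summaries, which is where the speed advantage comes from; dropping it makes tstats fall back to raw events for any time range the acceleration has not yet covered, so results are complete but slower. Because the search only reads summary fields, it can be saved as a scheduled alert with little load on the indexers, which is the "turn results into a real-time search/alert" step from the Incident Analysis slide.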
The 7th Annual Splunk Worldwide Users’ Conference
SEPT 26-29, 2016
WALT DISNEY WORLD, ORLANDO
SWAN AND DOLPHIN RESORTS
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!