How to Leverage Splunk s Security Intelligence PlaKorm for Security OperaNons Environments

Transcription

1 Copyright 2013 Splunk Inc. How to Leverage Splunk s Security Intelligence PlaKorm for Security OperaNons Environments Enoch Long Prin Sec Strategist/Client Architect, Splunk(Fed) #splunkconf

2 Legal NoNces During the course of this presentanon, we may make forward- looking statements regarding future events or the expected performance of the company. We caunon you that such statements reflect our current expectanons and esnmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward- looking statements, please review our filings with the SEC. The forward- looking statements made in this presentanon are being made as of the Nme and date of its live presentanon. If reviewed ayer its live presentanon, this presentanon may not contain current or accurate informanon. We do not assume any obliganon to update any forward- looking statements we may make. In addinon, any informanon about our roadmap outlines our general product direcnon and is subject to change at any Nme without nonce. It is for informanonal purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obliganon either to develop the features or funcnonality described or to include any such feature or funcnonality in a future release. Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respeccve owners Splunk Inc. All rights reserved. 2

3 Enoch Long Principal Security Strategist EducaNon: Computer Science, Temple University! Skills: Network Security, Cyber Content Developer, Cyber OperaNons! Career: 10yrs! Jobs: Cyber SME 7yrs, SOC Mgr 2yrs, Security Strategist 1yr! Govt Agencies: NSA, DHS, NRO, Dept of Edu! Defense Companies: Northrop Grumman, General Dynamics, AT&T! Accomplishments: 2012 Modern Day Technology Leader of the Year, BEYA 3

4 Agenda! Overview of Splunk s Security Intelligence PlaKorm! Alignment of Security OperaNons to Splunk! Overview of Security OperaNons Third Eye! Security Intangibles! QuesNons 4

5 Security Intelligence PlaKorm Security ApplicaNon Security CompuNng Security Data Security InformaNon Security Network Security Intelligence Logic CreaNvity Visual Processing Abstract Thought Learning PlaKorm MulN- tenanted Framework Flexible Development Scale Diverse Use Cases 5

6 Overview of Security OperaNons

7 OrganizaNons within SecOps Security Monitoring Incident/Intelligence & Response Counter Intel 7

8 Splunk Alignment with Ops Technology Alignment to OperaNons 8

9 Security Monitoring Using Splunk! Job Roles! Job Skills! The Mission! Leveraging Splunk! Scenario 9

10 Incident/Intelligence Response Using Splunk! Job Roles! Job Skills! The Mission! Leveraging Splunk! Scenario 10

11 Counter- Intelligence Using Splunk! Job Roles! Job Skills! The Mission! Leveraging Splunk! Scenario 11

12 Overview Security Ops Third Eye

13 "Third Eye" OrganizaNons! Messaging Team! AcNve Directory Team! Firewall Team! Web Server Team! Data Loss PrevenNon Team! AnN- Virus Team Third Eye = is a mysncal concept but in the security realm.it s the inner eye the invisible eye that monitors/protects the network.operanons intelligence teams 13

14 Splunk for OperaNons Intelligence Scenarios 14

15 Mail Team SOC Analyst Exchange Admins CI Analyst 15

16 AcNve Directory Team SOC Analyst AD Admins Incident Responder 16

17 Firewall Team SOC Analyst Firewall Admins Incident Responder 17

18 Web Server Team SOC Analyst Web Server Admins App Developer 18

19 Security Intangibles! Data Sources! Common Mistakes! Capability LimitaNons! Lessons Learned 19

20 Data Sources!! Insight Tradi&onal logs Network device Server Web applica&ons An&- virus Mail logs Non- tradi&onal logs Chat logs Phone call logs War- dialing logs Custom script logs HR database logs Honey- pot The secret sauce 20

21 Common Mistakes! Misalignment of personnel to product core capabilines! Wrong data sources! No content strategy! Lack of tech integranon! Minimal usage of SDK/API framework 21

22 Capability LimitaNons! Out of the box content/ updates! Complex search language! Real- Nme at large scale! No core case NckeNng system! Robust asset modeling tool 22

23 Lessons Learned! 1. Monitor role- based controls! 2. PrioriNze data! 3. PrioriNze concurrent searches! 4. Align skills with Splunk capability! 5. Not enough backend Splunk ninjas 23

24 Next Steps 1 Download the.conf2013 Mobile App If not iphone, ipad or Android, use the Web App 2 Take the survey & WIN A PASS FOR.CONF2014 Or one of these bags! 24

25 THANK YOU