Splunk: Using Big Data for Cybersecurity

Size: px

Start display at page:

Download "Splunk: Using Big Data for Cybersecurity"

Thomasina Felicity Mathews
9 years ago
Views:

1 Next Session Begins at 14:40 Splunk: Using Big Data for Cybersecurity Joe Goldberg Splunk

2 Splunk: Using Big Data for Cybersecurity Joseph Goldberg Splunk

Advanced Threats in the Headlines Cyber Criminals Nation States Insider Threats Another Day, Another Retailer in a Massive Credit Card Breach Bloomberg Businessweek, March

3 Advanced Threats in the Headlines Cyber Criminals Nation States Insider Threats Another Day, Another Retailer in a Massive Credit Card Breach Bloomberg Businessweek, March 2014 Iranian hackers compromised airlines, airports, critical infrastructure firms Computerworld, Dec 2014 Edward Snowden Tells SXSW He'd Leak Those Secrets Again NPR, March 2014

2014 Iranian hackers compromised airlines, airports, critical infrastructure firms

of systems accessed 69% Of victims were notified by external

4 Advanced Threats Are Hard to Detect 100% Valid credentials were used 205 Median # of days before detection 40 Average # of systems accessed 69% Of victims were notified by external entity Source: Mandiant M-Trends Report 2012, 2013, 2014,

5 All Machine Data is Security Relevant Threat Intelligence Web Desktops Servers Traditional SIEM DHCP/ DNS CMBD Hypervisor Badges Firewall Authentication Vulnerability Scans Custom Apps Network Flows Storage Mobile Intrusion Detection Data Loss Prevention Anti- Malware Physical Access Transaction Records 5

Authentication Vulnerability Scans Custom Apps Network Flows Storage Mobile

6 Big Data Solution Big Data Architecture Data Inclusion Model All the original data from any source No database schema to limit investigations/detection; flat file data store Distributed architecture scales horizontally to PB+ day on commodity H/W Search and reporting flexibility Advanced correlations Math/statistics to baseline and find outliers/anomalies Real-time indexing and alerting 6

architecture scales horizontally to PB+ day on commodity H/W Search and reporting flexibility

7 Solution: Splunk: Big Data Platform Online Services Smartphones and Devices Firewall Packaged Applications Custom Applications Badging records Storage VPN IDS Call Detail Records Ad hoc search Monitor and alert Report and analyze Real-Time Custom dashboards Data Loss Prevention Web Any amount, any location, any source Proxy Desktops File servers Schemaon-the-fly Vuln scans Databases Anti malware servers Endpoint Real-Time Authentication Universal indexing Asset & CMDB No back-end RDBMS Employee / HR Info External Lookups No need to filter data Developer Platform Threat Network Segments / Data Intelligence Honeypots Stores 7

source Proxy Desktops File servers Schemaon-the-fly Vuln scans Databases Anti malware Email servers Endpoint Real-Time Authentication Universal indexing Asset

8 Thousands of Security Customers; MQ SIEM Leader Gartner MQ for SIEM

9 Top Splunk Security Use Cases Splunk Can Complement OR Replace an Existing SIEM INCIDENT INVESTIGATIONS & FORENSICS SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN THREATS MONITORING OF UNKNOWN THREATS INSIDER THREAT FRAUD DETECTION 9

SECURITY & COMPLIANCE REPORTING REAL-TIME MONITORING OF KNOWN

10 Splunk Security Intelligence Platform Splunk Enterprise Security 315+ security apps Palo Alto Blue Coat Networks Proxy SG Cisco Security Suite OSSEC F5 Security NetFlow Logic Juniper FireEye Active Directory Sourcefire Splunk User Behavior Analytics 10

SG Cisco Security Suite OSSEC F5 Security NetFlow Logic

11 Splunk App for Enterprise Security Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds Incident Investigations & Management Alerts & Dashboards & Reports Statistical Outliers & Risk Scoring & User Activity Threat Intel & Asset & Identity Integration 11

Investigations & Management Alerts & Dashboards & Reports Statistical

12 Splunk Is Used Across IT and the Business Strong ROI & facilitates cross-department collaboration Application Delivery IT Operations Security, Compliance and Fraud Business Analytics Industrial Data and Internet of Things 12

Delivery IT Operations Security, Compliance and Fraud

13 Splunk for Security Key Differentiators Traditional SIEM is the Opposite Single product, UI, data store Traditional Splunk SIEM Software-only; install on commodity hardware Quick deployment + ease-of-use = fast time-to-value Can easily index any data type All original/raw data indexed and searchable Big data architecture enables scale and speed Flexible search and reporting enables better/faster threat investigations and detection, incl finding outliers/anomalies Open platform with API, SDKs, Apps Use cases beyond security support collaboration and ROI 13

original/raw data indexed and searchable Big data architecture enables scale and speed Flexible search and reporting enables better/faster

14 Try Splunk for free! Next Steps Download Splunk at Traditional Splunk SIEM Go to Splunk.com > Community > Documentation > Search Tutorial In 30 minutes will have imported data, run searches, created reports More security information at Splunk.com > Solutions > Security & Fraud Contact sales team at Get Splunk t-shirt at front of booth 14

com > Community > Documentation > Search Tutorial In 30 minutes will have imported data, run

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS. Joe Goldberg. Splunk. Session ID: SPO-W09 Session Classification: Intermediate

GOOD GUYS VS BAD GUYS: USING BIG DATA TO COUNTERACT ADVANCED THREATS Joe Goldberg Splunk Session ID: SPO-W09 Session Classification: Intermediate About Me Joe Goldberg Current: Splunk - Security Evangelist