
© 2020 SPLUNK INC.

The Data-to-Everything Platform

Hung Pham Manh
Splunk Certified Architect

Every Company Has a Universe of Real-time Data, Creating More Opportunities and Threats than Ever Before

[Figure: data sources around the platform] New data streams & devices; ATM data; sensor data; network proxy logs; firewall logs; new apps & app logs; database logs; transaction data; financial account & operating systems; new technology

Why Splunk?

  Traditional            Splunk
  --------------------   --------------------------------------
  Schema at write        Schema at read
  SQL                    Search
  ETL                    Universal indexing
  Structured (RDBMS)     Unstructured (volume, velocity, variety)

The Data-to-Everything Platform

[Figure: four use-case areas around the platform] IT; Security; IoT; Business Analytics

The Splunk Portfolio

Splunk Premium Solutions:
• Splunk Enterprise Security (SIEM)
• Splunk User Behavior Analytics (UEBA)
• Splunk IT Service Intelligence (IT Operations)
• Splunk Phantom (SOAR)
• Splunk Business Flow
• Splunk for Industrial IoT
• Splunk for PCI Compliance
• Splunk App for VMware
• Splunk Analytics for Hadoop

Rich Ecosystem of Apps & Add-Ons

Platform for Operational Intelligence

Data sources: Syslog/TCP, Forwarders, IoT Devices, Network Wire Data, Relational Databases, Mobile, Mainframe Data, Hadoop

Splunk: The Data-to-Everything Platform

Bring data to every question, decision and action

• IT Operations: Cloud Monitoring; Application Lifecycle Analytics; Application Release Analytics; Container Monitoring; Infrastructure Monitoring
• Security & Compliance: Advanced Threat Detection; Insider Threats; Incident Investigation and Forensics; SOC Automation; Compliance
• IoT: Real-Time Monitoring and Diagnostics; ICS Security; Incident Management; Facilities Management
• Business Analytics: Business Process Mining; Customer Experience Optimization; Predictive Analytics; Digital Marketing Optimization

Splunk Enterprise Dashboards

[Figure: example Splunk Enterprise dashboards]

Splunk Enterprise Security (SIEM)

Transforming security requires a new approach driven by analytics

Splunk Positioned as a Leader

Gartner 2018 Magic Quadrant for Security Information and Event Management: seven years in a row as a Leader. Splunk also has top scores in the Critical Capabilities for SIEM report.

Gartner 2020 Magic Quadrant for Security Information and Event Management: seven years in a row as a Leader. Splunk also has top scores in the Critical Capabilities for SIEM report.

Splunk for Security

Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA), and 500+ security apps.

[Figure: security apps and add-ons] PCI Compliance; NetFlow Logic; Blue Coat Proxy SG; Palo Alto Networks; F5 Security; OSSEC; Cisco Security Suite; Active Directory; Symantec; DNS

Analytics-Driven SIEM

Functions: Monitor -> Detect -> Investigate -> Respond
Process:   1 Review -> 2 Determine -> 3 Decide -> 4 Act & Adapt

Solution:
• Prioritize incidents: decide what is most important to follow up or investigate.
• Respond in a timely manner: do each step as fast as possible, with as few people as possible.
• Effectively analyze: each bit of data needs context and its relationship to all the others.

Splunk Enterprise Security

Splunk Enterprise Security - Types of add-ons

• Domain add-ons (DA): supply the dashboards, searches and correlation logic for one security domain (access, endpoint, network, identity, threat).
• Supporting add-ons (SA): provide functions shared across ES, such as the asset and identity framework and threat intelligence handling.
• Technology add-ons (TA): parse and tag one vendor's or product's data so its fields map onto the Common Information Model (CIM); a TA is what makes a new data source appear in ES dashboards.

Enterprise Security - Technology Add-ons

From input to main dashboard: data is indexed in Splunk Enterprise, a TA normalizes its fields, and Splunk Enterprise Security (ES) consumes the normalized fields through its data models.

Enterprise Security – Data Models

Why CIM? Each vendor logs the same facts (source, destination, action, user) under its own field names, so every search and dashboard would otherwise have to be written per product.

With CIM: technology add-ons map each source onto the shared Common Information Model field names and tags, and the ES data models (for example Network_Traffic) are built on those normalized fields, so one correlation search or dashboard covers all sources.

Enterprise Security – Data Models Sample

Cisco PIX log

– 2009-09-02 15:14:11 10.235.224.193 local4:warn|warning fw07 %PIX-4-106023: Deny icmp src internet:213.208.19.33 dst eservices-test-ses-public:193.8.50.70 (type 8, code 0) by access-group "internet_access_in"

CIM model (Network_Traffic)

– 2009-09-02 15:14:11 name="Deny icmp" event_id=106023 vendor=CISCO product=PIX log_level=4 dvc_ip=10.235.224.193 dv_host=fw07 syslog_facility=local4 syslog_priority=warn src_ip=213.208.19.33 dest_ip=193.8.50.70 src_network=internet dest_network=eservices-test-ses-public icmp_type=8 icmp_code=0 protocol=icmp rule_number="internet_access_in"
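The normalization the slide shows is what a technology add-on's field extractions do for this sourcetype. The Python below is an added illustration, not code from the deck or from Splunk's Cisco add-on: it parses the raw PIX line above into the same field set and renders it as key=value. It goes one step beyond the slide by also handling the TCP/UDP form of the same %PIX-4-106023 message, where source and destination carry a /port suffix instead of ICMP type and code; that second sample line is constructed. The function names parse_pix_event and to_kv are the example's own, and the output keys follow the slide (including its dv_host) rather than the canonical CIM names.

```python
"""Normalize Cisco PIX/ASA %PIX-4-106023 deny messages into the key=value
field set shown on the slide (illustrative example, not Splunk's TA code)."""
import re

# Constructed sample input. The first line is the PIX event from the slide;
# the second is a constructed TCP variant of the same documented 106023 format,
# where source and destination carry a /port suffix instead of ICMP type/code.
SAMPLE_EVENTS = [
    '2009-09-02 15:14:11 10.235.224.193 local4:warn|warning fw07 %PIX-4-106023: '
    'Deny icmp src internet:213.208.19.33 dst eservices-test-ses-public:193.8.50.70 '
    '(type 8, code 0) by access-group "internet_access_in"',
    '2009-09-02 15:14:12 10.235.224.193 local4:warn|warning fw07 %PIX-4-106023: '
    'Deny tcp src internet:198.51.100.7/51234 dst dmz:192.0.2.10/445 '
    'by access-group "internet_access_in"',
]

# Syslog envelope: timestamp, relaying device IP, facility:priority|label, host,
# then the Cisco message header %PRODUCT-LEVEL-ID: and the message body.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<dvc_ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'(?P<facility>\w+):(?P<priority>\w+)\|\w+ '
    r'(?P<host>\S+) '
    r'%(?P<product>PIX|ASA)-(?P<level>\d)-(?P<msg_id>\d{6}): '
    r'(?P<body>.*)$'
)

# Body of message 106023:
# Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] [(type <n>, code <n>)]
# by access-group "<acl>"
DENY_106023_RE = re.compile(
    r'^(?P<action>Deny) (?P<proto>\w+) '
    r'src (?P<src_net>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dest_net>[^:\s]+):(?P<dest_ip>[^/\s]+)(?:/(?P<dest_port>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? '
    r'by access-group "(?P<rule>[^"]+)"$'
)


def parse_pix_event(raw):
    """Return the normalized field dict for one raw line, or None if the line is
    not a 106023 deny message (a TA would leave such events un-normalized)."""
    env = SYSLOG_RE.match(raw)
    if not env:
        return None
    body = DENY_106023_RE.match(env.group('body'))
    if not body:
        return None
    fields = {
        '_time': env.group('ts'),
        'name': f"{body.group('action')} {body.group('proto')}",
        'event_id': int(env.group('msg_id')),
        'vendor': 'CISCO',                        # constant for this sourcetype
        'product': env.group('product'),
        'log_level': int(env.group('level')),
        'dvc_ip': env.group('dvc_ip'),
        'dv_host': env.group('host'),             # field name as on the slide
        'syslog_facility': env.group('facility'),
        'syslog_priority': env.group('priority'),
        'src_ip': body.group('src_ip'),
        'dest_ip': body.group('dest_ip'),
        'src_network': body.group('src_net'),
        'dest_network': body.group('dest_net'),
        'protocol': body.group('proto'),
        'rule_number': body.group('rule'),
    }
    # Optional parts: ports appear for TCP/UDP, type/code for ICMP.
    for key in ('src_port', 'dest_port', 'icmp_type', 'icmp_code'):
        value = body.group(key)
        if value is not None:
            fields[key] = int(value)
    return fields


def to_kv(fields):
    """Render a field dict in the key=value form shown on the slide, quoting
    values that contain whitespace."""
    return ' '.join(
        f'{k}="{v}"' if ' ' in str(v) else f'{k}={v}' for k, v in fields.items()
    )


if __name__ == '__main__':
    for raw in SAMPLE_EVENTS:
        print(to_kv(parse_pix_event(raw)))
```

In a real TA the same mapping is declared rather than coded: regex extractions in props.conf and transforms.conf, field aliases onto the CIM names (the canonical Network_Traffic fields are src, dest, dvc and action, with action values such as blocked), and eventtypes and tags that make the sourcetype eligible for the Network_Traffic data model. Running the extraction over a handful of captured lines like this before enabling data model acceleration catches the events that silently fail to normalize and therefore never reach the ES dashboards.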
Splunk Enterprise Security

Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds

• Alerts, Dashboards & Reports
• Incident Investigations & Management
• Statistical Outliers, Risk Scoring & User Activity
• Threat Intel, Asset & Identity Integration

Security Posture (risk-based security)

Continuous Monitoring for Security Domains

Risk-Based Analytics

Broad and Deep Investigation

Enrich Security Analysis With the Threat Intelligence Framework

Incident Workflow: Concepts

1. Assign an owner
2. Investigate
3. Implement corrective measures

Investigators are responsible for changing workflow status values as they work incidents:

New - not yet being worked
In progress - investigation underway
Pending - various: work in progress, awaiting action, etc.
Resolved - fixed, awaiting verification
Closed - fix verified

ES Admins can define and add new status values and assign values to different roles, so the statuses in your environment may differ.

Note: when a notable is assigned an owner it is tracked as an incident in the kvstore.

Incident Workflow: Procedures

1. Select one or more events.
2. Click Edit Selected.
3. Set Status, Urgency, Owner, and Comment.
4. Click Save changes.

As needed, add the selected event(s) to an investigation. It will appear under Related Investigations in the event details view.

As needed, click an icon on the investigation bar to view an investigation, add a new one, or perform a quick search.

Investigation Workbench Panel

[Figure: annotated workbench screenshot] Filter artifacts; Change / Add Panel; Change time range; Toggle Panel Description; Expand Panel View; Select Artifact(s), enter details and click Add to Scope; when exploring, click a value to add it as an artifact.

Investigation Bar and Inline Timeline View

View and edit the Investigation Timeline from Incident Review.

[Figure: annotated Incident Review screenshot] Inline Investigation Timeline: investigation entries, action history, timeline zoom, hover to expand, jump to start. Investigation Bar: select or edit an investigation, investigation name and status, click to add a new investigation, notes, toggle the inline investigation timeline, click to add an artifact, quick search.

Response & Action

Adaptive Response Actions (Examples)

Category: Information gathering, Information conveyance, Permissions control
Task: Create, Update, Delete, Allow, Block
Subject: what will be acted upon (network, endpoint, etc.)
Vendor: who provides the action, e.g. Splunk, Ziften, Palo Alto Networks

Accelerate Detection, Investigation and Response

Response & Action (Sample)

Splunk Delivers Automated Network Security (1)

Splunk Delivers Automated Network Security (2)

Splunk's Adaptive Response – FW Fortinet (1)

Splunk's Adaptive Response – FW Fortinet (2)

Splunk's Adaptive Response – FW Fortinet (3)

Splunk ES – Glass Table

Splunk Enterprise Security - Glass Table


• Depict topology and data flow with metrics superimposed over
each component
• Key indicators and ad-hoc values can be set to a time range
– These values are called metrics on a glass table
– Metrics are displayed in visual widgets

• Use glass tables to:


– Create security operations center displays
– Show the status of critical metrics
– Display key indicators in a variety of visual styles
– Use custom icons and graphics to enhance the display

Splunk Enterprise Security - Glass Table

[Figure: annotated glass table] Select time; Toggle edit mode; Custom icons; Gauge indicators; Contextual graphics; Text; Metrics with threshold colors and trend metrics; Timelines

Thank You
Hung Pham Manh

Splunk Certified Architect
