© 2020 Splunk Inc.
Accelerating The Pathway to Better Threat Analytics: From Getting Started to Cloud Security Analytics and Machine Learning Algorithms
Security Breakout
Fighting the Eternal Challenge: Dealing with Alert Fatigue and Getting Insights into Security Productivity
Security Breakout
Lessons for a Fast Start in Automation and Orchestration
Security Breakout
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Data-to-Everything, D2E, and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
Speaker Intro
• Lars Wittich, Sales Engineer
• Matthias Maier, Product Marketing Director (CEH, CISSP, CISM)
Key Challenges: Alert Fatigue
• What is worth investigating?
• Which asset or identity (user) should be investigated first?
• More detection mechanisms should not mean overburdening the SOC analysts with more alerts.
Impacts on SOC efficiency and effectiveness:
• Increased costs and burden on the security analysts
• Increased risk of missing the important things
Key Takeaways
Three strategies to prioritize the security alerts and anomalies that your threat detection program produces:
1. Urgency = Severity + Priority
2. Risk Based
3. Machine Learning
SOC Metrics: measuring the efficiency and effectiveness of your alerting strategy
Splunk as the Security Nerve Center
Optimize People, Process and Technology
Layers: Operations, Analytics, Data Platform
Data sources feeding the platform: Cloud Security, Endpoints, Orchestration, WAF & App Security, Threat Intelligence, Network, Web Proxy, Firewall, Identity and Access
Security Operations Suite Architecture
Deployment: Cloud, On-Prem, Hybrid with Brokers
Platform for Machine Data (Customer Delivery; Other Data Lakes)
Solutions: Applications, Future Splunk Solutions, 3rd Party Plug-ins
Mission Control: Cloud-Based Unified Security Operations
Capabilities: Ingest, Detect, Predict, Automate, Orchestrate, Recommend, Collaborate, Investigate, Manage Cases, Report
Artificial Intelligence, Content, Machine Learning
Today's SOC (figure: a screen full of alert indicators)
Today's Security Operations Workflow: a process that doesn't scale
Security tools: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detection
Data: Network Traffic, Intrusion Data, Endpoint, Threat Intel, Malware, Authentication, Wire Data, Assets & Identities
SIEM, worked by Tier 1 and Tier 2 analysts
Urgency Calculation
Urgency = Severity + Priority
Alert Strategy: Urgency Calculations
Urgency is based on asset priority and alert severity.
• An asset can be anything: a network segment, server, service, user...
• An alert can come from anything: simple and complex ML correlations, other security tools...
Source for asset priority: risk assessment and risk management
• Asset identification and asset owners
• Valuation of assets
• Loss scenarios
Advantage: alignment with business priorities and outcomes
Entering Splunk Enterprise Security
• Priority: assigned to the relevant asset or identity
• Severity: of the correlation search
• Urgency: used to prioritize the investigation of notable events
Entering Splunk Enterprise Security: Demo Time
Where do priorities for assets and identities come from?
They can come from anywhere; they are carried in the Assets and Identities Framework as a meta field, priority.
Where is the urgency of correlation rules configured?
Within the adaptive response "notable events" action, including the asset and identity field selections.
How can the urgency matrix formula itself be adjusted?
Through the lookup table called urgency_lookup.
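As an added illustration of the urgency calculation above and of the urgency_lookup table the demo points at (this is example code written for this page, not Splunk Enterprise Security's implementation), the Python below resolves a notable's urgency from rule severity and asset/identity priority through a lookup matrix, renders that matrix in CSV lookup form, and ranks a constructed queue of notables with it. The matrix values, level names, asset priorities and rule names are constructed placeholders; the shipped urgency_lookup values differ and, as the deck says, should be tuned to your environment.

```python
"""Urgency = Severity + Priority, resolved through a lookup table.

Added example for this page, not Splunk Enterprise Security code. The matrix is
a constructed stand-in for the urgency_lookup table; its values are placeholders.
"""
from typing import Dict, Iterable, List, Optional

# Ordered scales, lowest first. "unknown" is assumed here as the priority of an
# asset or identity with no entry in the assets and identities framework.
PRIORITY_LEVELS = ["unknown", "informational", "low", "medium", "high", "critical"]
SEVERITY_LEVELS = ["informational", "low", "medium", "high", "critical"]

# Constructed matrix: key is asset/identity priority, the list follows
# SEVERITY_LEVELS (severity of the correlation search that produced the notable).
URGENCY_MATRIX: Dict[str, List[str]] = {
    "unknown":       ["informational", "low",    "medium", "medium",   "high"],
    "informational": ["informational", "low",    "low",    "medium",   "high"],
    "low":           ["informational", "low",    "medium", "medium",   "high"],
    "medium":        ["low",           "medium", "medium", "high",     "high"],
    "high":          ["low",           "medium", "high",   "high",     "critical"],
    "critical":      ["medium",        "high",   "high",   "critical", "critical"],
}
URGENCY_RANK = {level: i for i, level in enumerate(SEVERITY_LEVELS)}  # urgency uses the same scale


def urgency(severity: str, priority: Optional[str]) -> str:
    """Resolve urgency from rule severity and the priority of the involved asset
    or identity. An unknown severity is a configuration error and is rejected;
    a missing or unrecognised priority falls back to "unknown" so the notable is
    still scored instead of being dropped."""
    sev = (severity or "").strip().lower()
    if sev not in URGENCY_RANK:
        raise ValueError(f"unknown severity: {severity!r}")
    prio = (priority or "unknown").strip().lower()
    if prio not in URGENCY_MATRIX:
        prio = "unknown"
    return URGENCY_MATRIX[prio][URGENCY_RANK[sev]]


def to_lookup_csv() -> str:
    """Render the matrix in the CSV lookup shape (priority,severity,urgency) in
    which such a table is maintained, so changing the formula is a data edit."""
    rows = ["priority,severity,urgency"]
    for prio, urgencies in URGENCY_MATRIX.items():
        for sev, urg in zip(SEVERITY_LEVELS, urgencies):
            rows.append(f"{prio},{sev},{urg}")
    return "\n".join(rows) + "\n"


def rank_notables(notables: Iterable[dict], asset_priority: Dict[str, str]) -> List[dict]:
    """Attach priority and urgency to each notable and return the queue with the
    most urgent first; ties break on asset priority, then on arrival order."""
    scored = []
    for n in notables:
        prio = asset_priority.get(n["dest"], "unknown").strip().lower()
        if prio not in PRIORITY_LEVELS:
            prio = "unknown"
        scored.append({**n, "priority": prio, "urgency": urgency(n["severity"], prio)})
    return sorted(
        scored,
        key=lambda n: (URGENCY_RANK[n["urgency"]], PRIORITY_LEVELS.index(n["priority"])),
        reverse=True,
    )


# Constructed asset priority table, standing in for the assets and identities
# framework's priority meta field.
ASSET_PRIORITY = {"pay-db-01": "critical", "hr-web-02": "medium", "kiosk-17": "low"}

# Constructed notables: the same rule severity yields different urgencies
# depending on what the alert landed on.
NOTABLES = [
    {"rule": "Brute force against service account", "severity": "medium", "dest": "kiosk-17"},
    {"rule": "Brute force against service account", "severity": "medium", "dest": "pay-db-01"},
    {"rule": "New local administrator account",     "severity": "high",   "dest": "hr-web-02"},
    {"rule": "Excessive failed logins",             "severity": "low",    "dest": "unknown-host"},
]

if __name__ == "__main__":
    for n in rank_notables(NOTABLES, ASSET_PRIORITY):
        print(f'{n["urgency"]:<9} {n["priority"]:<9} {n["dest"]:<13} {n["rule"]}')
```

The two brute-force notables carry the same severity, yet the one against the critical database ranks first while the one against the low-priority kiosk drops below a high-severity finding on a medium-priority web host; that ordering comes entirely from the asset table, which is the point of feeding risk-management priorities into the framework.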
Risk-based Alerting
Alert Strategy: Risk-based alerting
Credits to Bryan Turner, IT Security Analyst, Publix
Alert Matrix: Risk-based alerting
Credits to Bryan Turner, IT Security Analyst, Publix
Note: use values that work best for your environment.
Entering Splunk Enterprise Security: Demo Time
Notables prioritized based on risk scoring
Improved analysis workflow.
Configuring risk attribution for notables
Easy to deploy through any correlation search; also possible via search commands.
Creating a risk incident rule
Reduced alerts and improved detections by creating an abstraction layer for security alerts.
Monitoring enterprise risk trends
Scale analysts through focused priorities.
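To make the abstraction layer concrete, the added example below (written for this page; it is neither Splunk Enterprise Security code nor Bryan Turner's implementation) models risk-based alerting in Python: every detection writes a risk event attributed to a user or system, and one risk incident rule aggregates those events per object over a window and raises a notable only when the total score or the number of distinct detection sources crosses a threshold. The 24-hour window, the thresholds, the field names and the sample events are all constructed; as the Alert Matrix slide says, the real values are whatever works for your environment.

```python
"""Risk-based alerting: correlation searches write risk events, and a single
risk incident rule turns accumulated risk per user or system into a notable.

Added example for this page; it is neither Splunk Enterprise Security code nor
Bryan Turner's implementation. Window, thresholds, field names and the sample
events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str       # user or system the detection attributes risk to
    risk_object_type: str  # "user" or "system"
    source: str            # correlation search that fired
    score: float           # risk modifier that search assigns


WINDOW = timedelta(hours=24)   # constructed look-back for risk accumulation
SCORE_THRESHOLD = 100.0        # constructed: total score that fires a notable
DISTINCT_SOURCE_THRESHOLD = 3  # constructed: or this many different detections


def risk_incident_rule(events: Iterable[RiskEvent], now: datetime) -> List[dict]:
    """Aggregate risk per object inside the window and emit one notable for each
    object that crosses either threshold. A single low score never alerts on
    its own; several weak signals on one object, or one heavy one, do."""
    cutoff = now - WINDOW
    by_object: Dict[str, List[RiskEvent]] = defaultdict(list)
    for event in events:
        if cutoff <= event.time <= now:
            by_object[event.risk_object].append(event)

    notables = []
    for obj, evs in sorted(by_object.items()):
        total = sum(e.score for e in evs)
        sources = sorted({e.source for e in evs})
        if total >= SCORE_THRESHOLD or len(sources) >= DISTINCT_SOURCE_THRESHOLD:
            notables.append({
                "risk_object": obj,
                "risk_object_type": evs[0].risk_object_type,
                "risk_score": total,
                "source_count": len(sources),
                "sources": sources,
            })
    return notables


NOW = datetime(2020, 6, 1, 12, 0)


def _at(hours_ago: float) -> datetime:
    return NOW - timedelta(hours=hours_ago)


# Constructed risk events. Under a one-detection-one-notable strategy each of
# these would have been its own alert in the analyst queue.
EVENTS = [
    RiskEvent(_at(5), "alice", "user", "Excessive failed logins", 20),
    RiskEvent(_at(4), "alice", "user", "First-time access to admin share", 30),
    RiskEvent(_at(2), "alice", "user", "Login outside working hours", 15),
    RiskEvent(_at(3), "bob", "user", "Excessive failed logins", 20),
    RiskEvent(_at(6), "srv-fin-01", "system", "Malware signature detected", 60),
    RiskEvent(_at(1), "srv-fin-01", "system", "Connection to newly registered domain", 50),
    RiskEvent(_at(30), "carol", "user", "Mass file download", 80),  # outside the window
    RiskEvent(_at(2), "carol", "user", "Login outside working hours", 10),
]

if __name__ == "__main__":
    notables = risk_incident_rule(EVENTS, NOW)
    print(f"{len(EVENTS)} risk events -> {len(notables)} notables")
    for n in notables:
        print(f'{n["risk_object"]:<11} score={n["risk_score"]:>5} sources={n["sources"]}')
```

Eight detections collapse to two notables: alice, whose three individually weak signals came from three different searches, and srv-fin-01, whose two detections sum past the score threshold. bob's lone failed-login burst and carol's old download stay as risk and remain visible in risk trend reporting without costing analyst time.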
Utilizing Graph Mining for Security Alerts
Powered by Machine Learning
Alert Strategy: Machine Learning
1. Utilizing graph mining
2. Time series behavioral profiling
Questions the analyst needs answered: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
Two Stage Machine Learning: Splunk UBA Process
Data → Stage 1: Machine Learning (Logistic Regression, Random Forest, etc.) → Anomalies (Low Fidelity) → Stage 2: Machine Learning (Graph Mining, Time Series Behavioral Profiling) → Threats (High Fidelity Alerts)
Anomalies (Low Fidelity): Unusual Machine Access, External Alerts (e.g. SIEM), Unusual Network Activity, Flight Risk User, Suspicious Data Movement
Threats (High Fidelity Alerts): Lateral Movement, Suspicious Behavior, Compromised Account, Malware Activity, Data Exfiltration
Entering Splunk UBA: Demo Time
Review a network scanning alert
Applying machine learning to connect the dots
Machine learning models with graph mining of dependencies.
Send "real" threats back to ES for analyst work
ES remains the central interface for security information and event management.
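The added example below (written for this page; a deliberately simple constructed model, not the algorithms inside Splunk UBA) shows the stage-2 idea from the two-stage pipeline and the demo in Python: low-fidelity anomalies are treated as edges between the users, hosts and addresses they involve, connected components are found over that graph, and a component that chains several different anomaly kinds is promoted to one high-fidelity threat while isolated anomalies stay out of the analyst queue. The anomaly kinds, entity names, sample anomalies and the "three distinct kinds" promotion rule are assumptions.

```python
"""Stage 2 of a two-stage pipeline: connect low-fidelity anomalies into one
high-fidelity threat by mining the graph of entities they share.

Added example for this page. It is a simple constructed model (connected
components over shared users/hosts), not the algorithms inside Splunk UBA;
anomaly kinds, entities and the promotion rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Anomaly:
    id: str
    kind: str                  # low-fidelity anomaly type emitted by stage 1
    entities: Tuple[str, ...]  # users, hosts or addresses the anomaly involves


def connected_anomaly_groups(anomalies: Iterable[Anomaly]) -> List[List[Anomaly]]:
    """Union-find over entities: two anomalies land in the same group when a
    chain of shared entities links them. Groups come back in first-seen order."""
    anomalies = list(anomalies)
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for anomaly in anomalies:
        if not anomaly.entities:
            raise ValueError(f"anomaly {anomaly.id} has no entities to link on")
        for entity in anomaly.entities:
            parent.setdefault(entity, entity)
        first = anomaly.entities[0]
        for entity in anomaly.entities[1:]:
            union(first, entity)

    groups: Dict[str, List[Anomaly]] = defaultdict(list)
    for anomaly in anomalies:
        groups[find(anomaly.entities[0])].append(anomaly)
    return list(groups.values())


MIN_DISTINCT_KINDS = 3  # constructed: a component becomes a threat at this many anomaly types


def promote_to_threats(anomalies: Iterable[Anomaly], min_kinds: int = MIN_DISTINCT_KINDS) -> List[dict]:
    """Promote a connected group to a high-fidelity threat when it chains
    several different anomaly kinds; isolated or single-kind groups stay
    low-fidelity and never reach the analyst queue."""
    threats = []
    for group in connected_anomaly_groups(anomalies):
        kinds = sorted({a.kind for a in group})
        if len(kinds) >= min_kinds:
            threats.append({
                "kinds": kinds,
                "entities": sorted({e for a in group for e in a.entities}),
                "anomaly_ids": sorted(a.id for a in group),
            })
    return threats


# Constructed anomalies around a network scanning alert like the one reviewed
# in the demo: the scan alone is noise; chained to an unusual access and a
# data movement it describes lateral movement.
ANOMALIES = [
    Anomaly("A1", "network_scan", ("host-ws-42",)),
    Anomaly("A2", "unusual_machine_access", ("jdoe", "host-ws-42", "host-fs-07")),
    Anomaly("A3", "suspicious_data_movement", ("host-fs-07", "203.0.113.9")),
    Anomaly("A4", "unusual_network_activity", ("host-db-03",)),
    Anomaly("A5", "flight_risk_user", ("msmith",)),
    Anomaly("A6", "unusual_machine_access", ("msmith", "host-ws-11")),
]

if __name__ == "__main__":
    for threat in promote_to_threats(ANOMALIES):
        print(threat)
```

Six anomalies produce three components but a single threat: the scan from host-ws-42, jdoe's unusual access from that host to the file server, and the file server's data movement share entities and together span three anomaly kinds. The msmith component has two anomalies but only two kinds, so it is left for time series profiling to confirm or discard rather than handed to an analyst.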
SOC Metrics
How good are we at working security alerts?
Measuring SOC Effectiveness: Security Operations Management
Effective metrics are SMART:
• Specific
• Measurable
• Attainable
• Relevant
• Timely
Performance management: time to remediate security incidents
• Mean Time To Detect (dwell time)
• Mean Time To Triage (end-to-end analysis time within the SOC)
• Mean Time To Closure (end-to-end response time, including other operational units)
Built-in Measurements: Demo Time
Report on how long it takes to triage a notable
Triage Time = "In Progress" to "Closed"
Report on how long it takes to reach closure
Closure Time = "New" to "Closed"
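The added example below (written for this page, not Splunk Enterprise Security's built-in report) computes the two measurements just defined, plus the Mean Time To Triage and Mean Time To Closure from the SOC metrics slide, from a constructed log of notable status transitions. The key=value line format, the status names New / In Progress / Closed and the sample lines are constructed; the code also handles the cases a real report has to state a policy for: notables still open and notables closed straight from New without ever being triaged.

```python
"""SOC metrics from notable status transitions: Triage Time ("In Progress" to
"Closed") and Closure Time ("New" to "Closed"), with their means MTTT and MTTC.

Added example for this page, not Splunk Enterprise Security's built-in report.
The key=value log format, the status lifecycle and the sample lines are
constructed.
"""
import shlex
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed status-change audit lines, one per transition. n-002 is still in
# progress; n-003 was closed directly from New without triage.
STATUS_LOG = """\
2020-06-01T08:00:00Z event_id=n-001 status=New owner=unassigned
2020-06-01T08:20:00Z event_id=n-001 status="In Progress" owner=analyst1
2020-06-01T09:50:00Z event_id=n-001 status=Closed owner=analyst1
2020-06-01T08:05:00Z event_id=n-002 status=New owner=unassigned
2020-06-01T10:05:00Z event_id=n-002 status="In Progress" owner=analyst2
2020-06-01T08:10:00Z event_id=n-003 status=New owner=unassigned
2020-06-01T08:40:00Z event_id=n-003 status=Closed owner=analyst1
2020-06-01T09:00:00Z event_id=n-004 status=New owner=unassigned
2020-06-01T09:10:00Z event_id=n-004 status="In Progress" owner=analyst3
2020-06-01T11:40:00Z event_id=n-004 status=Closed owner=analyst3
"""


def parse_status_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse lines of '<ISO time> key=value ...' into (time, event_id, status).
    shlex handles the quoted "In Progress" value; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if not parts:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "event_id" in fields and "status" in fields:
            records.append((when, fields["event_id"], fields["status"]))
    return records


def lifecycle(records: List[Tuple[datetime, str, str]]) -> Dict[str, Dict[str, datetime]]:
    """First time each notable entered New and In Progress, last time it was
    Closed (a reopened notable counts until its final close)."""
    life: Dict[str, Dict[str, datetime]] = {}
    for when, event_id, status in sorted(records):
        stamps = life.setdefault(event_id, {})
        if status in ("New", "In Progress"):
            stamps.setdefault(status, when)
        elif status == "Closed":
            stamps["Closed"] = when
    return life


def soc_metrics(text: str) -> dict:
    """Per-notable triage and closure times in minutes plus their means. Open
    notables are excluded from both; a notable closed straight from New has a
    closure time but no triage time and is counted separately."""
    per_notable = {}
    triage: List[float] = []
    closure: List[float] = []
    open_count = closed_without_triage = 0
    for event_id, stamps in lifecycle(parse_status_log(text)).items():
        if "Closed" not in stamps:
            open_count += 1
            continue
        if "New" not in stamps:
            continue  # no creation record: closure time cannot be measured
        closure_min = (stamps["Closed"] - stamps["New"]).total_seconds() / 60
        closure.append(closure_min)
        triage_min: Optional[float] = None
        if "In Progress" in stamps:
            triage_min = (stamps["Closed"] - stamps["In Progress"]).total_seconds() / 60
            triage.append(triage_min)
        else:
            closed_without_triage += 1
        per_notable[event_id] = {"triage_minutes": triage_min, "closure_minutes": closure_min}
    return {
        "closed": len(closure),
        "open": open_count,
        "closed_without_triage": closed_without_triage,
        "mttt_minutes": sum(triage) / len(triage) if triage else None,
        "mttc_minutes": sum(closure) / len(closure) if closure else None,
        "per_notable": per_notable,
    }


if __name__ == "__main__":
    metrics = soc_metrics(STATUS_LOG)
    print(f'MTTT {metrics["mttt_minutes"]} min, MTTC {metrics["mttc_minutes"]} min, '
          f'{metrics["closed"]} closed, {metrics["open"]} open, '
          f'{metrics["closed_without_triage"]} closed without triage')
```

Reporting the open and closed-without-triage counts next to the means keeps the metric honest: a SOC that closes many notables straight from New will show a flattering MTTT that covers only the notables somebody actually worked.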
Recommended Further Reads
• Add asset and identity data to Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/Addassetandidentitydata
• Getting Started with Risk-Based Alerting and MITRE (Bryan Turner, IT Security Analyst, Publix): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
• Modernize and Mature your SOC with Risk-Based Alerting (Jim Apger, Security Specialist, Splunk / Jimi Mills, SOC Manager, Texas Instruments): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
• Understand data flow in Splunk UBA: https://docs.splunk.com/Documentation/UBA/5.0.0/GetDataIn/Overview
• Machine Learning Toolkit Overview in Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview
Splunk Technology Covered in This Session
Deployment: Cloud, On-Prem, Hybrid with Brokers
Platform for Machine Data (Customer Delivery; Other Data Lakes)
Solutions: Applications, Future Splunk Solutions, 3rd Party Plug-ins
Mission Control: Cloud-Based Unified Security Operations
Covered: Splunk Enterprise Security + Splunk User Behavior Analytics + Phantom
Action Plan: Next 90 Days
Tech Hands On
• Schedule an ES hands-on workshop
• Leverages the Boss of the SOC (BOTS) dataset
• Multiple scenarios
• From the creation of a notable event to its investigation
Strategy
• Schedule a PVP (Prescriptive Value Path) with a Splunk security expert
• Your target state minus today = identified gap and project roadmap
Security Program Review
• Understand your business organization's goals.
• Gain an understanding of the business goals and the business case for IT and data security. Understand management's risk appetite and asset classifications, and review recent incidents.
Thank You!

Más contenido relacionado

Más de Splunk

.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)Splunk
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College LondonSplunk
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSplunk
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability SessionSplunk
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - KeynoteSplunk
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform SessionSplunk
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security SessionSplunk
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365 Splunk
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsSplunk
 
IT Sicherheitsgesetz 2.0
 IT Sicherheitsgesetz 2.0 IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0Splunk
 
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der Angriffserkennung
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der AngriffserkennungRisikowahrnehmung und Cyber-Resilienz Herausforderungen in der Angriffserkennung
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der AngriffserkennungSplunk
 
Der Weg in den vollautomatisierten SOC Betrieb
Der Weg in den vollautomatisierten SOC BetriebDer Weg in den vollautomatisierten SOC Betrieb
Der Weg in den vollautomatisierten SOC BetriebSplunk
 
Die Grundlagen für den KI gestützten IT-Betrieb
Die Grundlagen für den KI gestützten IT-BetriebDie Grundlagen für den KI gestützten IT-Betrieb
Die Grundlagen für den KI gestützten IT-BetriebSplunk
 
SVA: Digitaler Föderalismus
SVA: Digitaler FöderalismusSVA: Digitaler Föderalismus
SVA: Digitaler FöderalismusSplunk
 
Computacenter: Public Sector Digital Labor
Computacenter: Public Sector Digital Labor Computacenter: Public Sector Digital Labor
Computacenter: Public Sector Digital Labor Splunk
 

Más de Splunk (20)

.conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
 
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
 
Splunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
 
Splunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
 
Data foundations building success, at city scale – Imperial College London
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
 
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
 
.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
 
.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session.conf Go Zurich 2022 - Platform Session
.conf Go Zurich 2022 - Platform Session
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 
Inside SecOps at bet365
Inside SecOps at bet365 Inside SecOps at bet365
Inside SecOps at bet365
 
Best of .conf22 Session Recommendations
Best of .conf22 Session RecommendationsBest of .conf22 Session Recommendations
Best of .conf22 Session Recommendations
 
IT Sicherheitsgesetz 2.0
 IT Sicherheitsgesetz 2.0 IT Sicherheitsgesetz 2.0
IT Sicherheitsgesetz 2.0
 
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der Angriffserkennung
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der AngriffserkennungRisikowahrnehmung und Cyber-Resilienz Herausforderungen in der Angriffserkennung
Risikowahrnehmung und Cyber-Resilienz Herausforderungen in der Angriffserkennung
 
Der Weg in den vollautomatisierten SOC Betrieb
Der Weg in den vollautomatisierten SOC BetriebDer Weg in den vollautomatisierten SOC Betrieb
Der Weg in den vollautomatisierten SOC Betrieb
 
Die Grundlagen für den KI gestützten IT-Betrieb
Die Grundlagen für den KI gestützten IT-BetriebDie Grundlagen für den KI gestützten IT-Betrieb
Die Grundlagen für den KI gestützten IT-Betrieb
 
SVA: Digitaler Föderalismus
SVA: Digitaler FöderalismusSVA: Digitaler Föderalismus
SVA: Digitaler Föderalismus
 
Computacenter: Public Sector Digital Labor
Computacenter: Public Sector Digital Labor Computacenter: Public Sector Digital Labor
Computacenter: Public Sector Digital Labor
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Accelerating The Pathway to Better Threat Analytics: From Getting Started to Cloud Security Analytics and Machine Learning Algorithms

  • 1. © 2 0 2 0 S P L U N K I N C . © 2 0 2 0 S P L U N K I N C . Accelerating The Pathway to Better Threat Analytics: From Getting Started to Cloud Security Analytics and Machine Learning Algorithms Security Breakout
  • 2. © 2 0 2 0 S P L U N K I N C . © 2 0 2 0 S P L U N K I N C . Fighting the Eternal Challenge: Dealing with Alert Fatigue and Getting Insights into Security Productivity Security Breakout
  • 3. © 2 0 2 0 S P L U N K I N C . © 2 0 2 0 S P L U N K I N C . Lessons for a Fast Start in Automation and Orchestration Security Breakout
  • 4. During the course of this presentation, we may make forward‐looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward‐looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Data-to-Everything, D2E, and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved. Forward- Looking Statements © 2 0 2 0 S P L U N K I N C .
  • 5. © 2 0 2 0 S P L U N K I N C . Speaker Intro Sales Engineer Lars Wittich Product Marketing Director CEH, CISSP, CISM Matthias Maier
  • 6. © 2 0 2 0 S P L U N K I N C . What is worth to investigate? Which asset or identity (user) to investigate first? More detection mechanisms should not mean to overburden the SOC Analysts with more alerts Impacts: SOC Efficiency and Effectiveness • = Increased costs and burden on the Security Analysts • = Increased RISK missing the important things Key Challenges Alert Fatigue
  • 7. © 2 0 2 0 S P L U N K I N C . Key Takeaways Three strategies to prioritize your security alerts and anomalies that your threat detection program produces: SOC Metrics: Measuring efficiency and effectiveness of your Alerting Strategy 1 2 3 Urgency = Severity + Priority Risk Based Machine Learning
  • 8. © 2 0 2 0 S P L U N K I N C . Cloud Security Endpoints OrchestrationWAF & App Security Threat Intelligence Network Web Proxy Firewall Identity and Access Splunk as the Security Nerve Center Optimize People, Process and Technology Operations Analytics Data Platform
  • 9. © 2 0 2 0 S P L U N K I N C . Customer Delivery Other Data Lakes CLOUDON-PREM HYBRID WITH BROKERS Platform for Machine DataPlatform Applications Future Splunk Solutions 3rd Party Plug-ins Solutions Mission Control Cloud-Based Unified Security Operations + Security Operations Suite Architecture
• 10. (Diagram) Security operations capabilities: Ingest, Detect, Predict, Automate, Orchestrate, Recommend, Collaborate, Investigate, Manage Cases, Report; underpinned by Artificial Intelligence, Content and Machine Learning.
• 11. Today’s SOC
  (Diagram: a flood of alert markers)
• 12. Today’s Security Operations Workflow: A process that doesn’t scale
  (Diagram) Security tools: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detection. Data: Network Traffic, Intrusion Data, Endpoint, Threat Intel, Malware, Authentication, Wire Data, Assets & Identities. Everything flows through the SIEM to Tier 1 and Tier 2 analysts.
• 13. Key Challenges: Alert Fatigue
  What is worth investigating?
  • Which asset or identity (user) should be investigated first?
  • More detection mechanisms should not mean overburdening the SOC analysts with more alerts
  Impacts on SOC efficiency and effectiveness:
  • Increased costs and burden on the security analysts
  • Increased risk of missing the important things
• 14. Urgency Calculation
  Urgency = Severity + Priority
• 15. Alert Strategy: Urgency Calculations
  Urgency based on asset priority and alert severity:
  • An asset can be anything: network segment, server, service, user...
  • An alert can come from anywhere: simple and complex ML correlations, other security tools...
  Source the asset priority from risk assessment and risk management:
  • Asset identification and asset owners
  • Valuation of assets
  • Loss scenarios
  Advantage: alignment with business priorities and outcomes.
• 16. Entering Splunk Enterprise Security
  • Priority: assigned to the relevant asset or identity
  • Severity: of the correlation search
  • Urgency: used to prioritize the investigation of notable events
• 17. Entering Splunk Enterprise Security: Demo Time
  • Where the priorities for assets and identities come from
  • Where the urgency of correlation rules is configured
  • How to adjust the urgency matrix formula
• 19. Entering Splunk Enterprise Security: Demo Time
  • Where the priorities for assets and identities come from: they can come from anywhere and are included in the Assets and Identities Framework as a meta field, priority
  • Where the urgency of correlation rules is configured: within the adaptive response notable event action, including the asset and identity field selections
  • How to adjust the urgency matrix formula: a lookup table called urgency_lookup
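The urgency calculation from slides 14 to 19 as an added example (not Splunk's own code): a rule's severity is combined with the priority meta field of the matched asset through a lookup matrix. The matrix values, the asset list and the notable events are constructed for illustration; the values that actually apply live in your urgency_lookup.

```python
# Added example (not Splunk's code): a notable's urgency falls out of the
# correlation-search severity and the asset/identity priority, in the style
# of the ES urgency_lookup table. Matrix values and sample data are constructed.
SEVERITIES = ["informational", "low", "medium", "high", "critical"]

# Constructed matrix: one row per asset/identity priority, one column per
# severity (ordered as SEVERITIES). A business-critical asset pushes a "high"
# alert up to "critical"; a low-value kiosk pulls the same alert down to "medium".
URGENCY_MATRIX = {
    "unknown":  ["informational", "low",           "medium", "high",     "critical"],
    "low":      ["informational", "informational", "low",    "medium",   "high"],
    "medium":   ["informational", "low",           "medium", "high",     "critical"],
    "high":     ["informational", "medium",        "high",   "critical", "critical"],
    "critical": ["informational", "medium",        "high",   "critical", "critical"],
}

# Constructed asset list carrying the priority meta field from the A&I framework.
ASSETS = {
    "db-prod-01":   {"priority": "critical"},
    "hr-fileshare": {"priority": "high"},
    "kiosk-07":     {"priority": "low"},
}

# Constructed notable events: rule name, destination asset, rule severity.
NOTABLES = [
    {"rule": "Excessive failed logins", "dest": "kiosk-07",     "severity": "high"},
    {"rule": "Excessive failed logins", "dest": "db-prod-01",   "severity": "high"},
    {"rule": "New local admin account", "dest": "unknown-host", "severity": "medium"},
]

def asset_priority(asset, assets):
    """Priority from the asset list; an asset that cannot be matched gets 'unknown'."""
    return assets.get(asset.lower(), {}).get("priority", "unknown")

def urgency(severity, priority):
    """Resolve urgency from the (priority, severity) cell of the matrix."""
    if priority not in URGENCY_MATRIX or severity not in SEVERITIES:
        raise ValueError(f"no urgency for priority={priority!r}, severity={severity!r}")
    return URGENCY_MATRIX[priority][SEVERITIES.index(severity)]

def rank_notables(notables, assets):
    """Attach priority and urgency to each notable and order them most urgent first."""
    rank = {level: i for i, level in enumerate(SEVERITIES)}
    enriched = []
    for n in notables:
        prio = asset_priority(n["dest"], assets)
        enriched.append({**n, "priority": prio, "urgency": urgency(n["severity"], prio)})
    return sorted(enriched, key=lambda n: rank[n["urgency"]], reverse=True)
```

The two identical "high" alerts end up at different urgencies purely because of the asset behind them, which is the alignment with business priorities the slides argue for.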
• 20. Risk-based Alerting
• 21. Alert Strategy: Risk-based alerting (credits to Bryan Turner, IT Security Analyst, Publix)
• 22. Alert Strategy: Risk-based alerting, continued (credits to Bryan Turner, IT Security Analyst, Publix)
• 23. Alert Matrix: Risk-based alerting (credits to Bryan Turner, IT Security Analyst, Publix)
  Note: use values that work best for YOUR environment.
• 24. Entering Splunk Enterprise Security: Demo Time
  • Notables prioritized based on risk scoring
  • Configuring risk attribution for notables
  • Creating a risk incident rule
  • Monitoring enterprise risk trends
• 26. Entering Splunk Enterprise Security: Demo Time
  • Notables prioritized based on risk scoring: improved analysis workflow
  • Configuring risk attribution for notables: easy to deploy through any correlation search; also possible via search commands
  • Creating a risk incident rule: reduced alerts and improved detections by creating an abstraction layer for security alerts
  • Monitoring enterprise risk trends: scale analysts through focused priorities
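The risk-based alerting abstraction layer from slides 20 to 26 as an added example (not Splunk's own code): detections write risk events against a risk object, and a risk incident rule alerts only when the accumulated risk for one object crosses a threshold. The scores, thresholds, window and events are constructed; as slide 23 says, use values that fit your environment.

```python
# Added example (not Splunk's code): the risk-based alerting flow. Each detection
# writes a risk event (a score against a risk object) instead of its own notable;
# the risk incident rule below turns the accumulated picture into far fewer,
# better-founded notables. All values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events as correlation searches would write them to the
# risk index: (time, risk_object, risk_object_type, source, risk_score).
RISK_EVENTS = [
    ("2020-10-20T08:02:00", "jdoe",       "user",   "Login outside business hours", 20),
    ("2020-10-20T08:15:00", "jdoe",       "user",   "New device enrolled",          20),
    ("2020-10-20T09:40:00", "jdoe",       "user",   "Large outbound transfer",      40),
    ("2020-10-18T10:05:00", "kiosk-07",   "system", "Excessive failed logins",      15),  # too old
    ("2020-10-20T10:05:00", "kiosk-07",   "system", "Excessive failed logins",      15),
    ("2020-10-20T11:00:00", "svc-backup", "user",   "Login outside business hours", 90),
]
NOW = datetime.fromisoformat("2020-10-20T12:00:00")  # constructed evaluation time

SCORE_THRESHOLD = 75   # total score that alone warrants a notable
MIN_SOURCES = 3        # or this many distinct detections, whatever their scores
WINDOW = timedelta(hours=24)

def risk_incidents(events, now, threshold=SCORE_THRESHOLD,
                   min_sources=MIN_SOURCES, window=WINDOW):
    """Risk incident rule: at most one notable per risk object that crosses a threshold."""
    since = now - window
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ts, obj, obj_type, source, score in events:
        if datetime.fromisoformat(ts) < since:
            continue                      # only the recent window counts
        totals[(obj, obj_type)] += score
        sources[(obj, obj_type)].add(source)

    incidents = []
    for key, total in totals.items():
        reasons = []
        if total >= threshold:
            reasons.append(f"score {total} >= {threshold}")
        if len(sources[key]) >= min_sources:
            reasons.append(f"{len(sources[key])} distinct sources")
        if reasons:
            incidents.append({"risk_object": key[0], "type": key[1], "score": total,
                              "sources": sorted(sources[key]), "why": reasons})
    # Highest accumulated risk first: that is the analyst's work order.
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

Six low-value detections become two notables: the three small events on one user add up, while the single kiosk event never surfaces on its own.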
• 27. Utilizing Graph Mining for Security Alerts: Powered by Machine Learning
• 28. Alert Strategy: Machine Learning
  1. Utilizing graph mining
  2. Time series behavioral profiling
  Questions to answer: What happened? Who was involved? When did it start? Where was it seen? How did it get in? How do I contain it?
• 29. Two Stage Machine Learning: Splunk UBA Process
  • Stage 1: machine learning on the data (logistic regression, random forest, etc.) produces anomalies (low fidelity): Unusual Machine Access, External Alerts (e.g. SIEM), Unusual Network Activity, Flight Risk User, Suspicious Data Movement
  • Stage 2: machine learning over the anomalies (graph mining, time series behavioral profiling) produces threats (high fidelity alerts): Lateral Movement, Suspicious Behavior, Compromised Account, Malware Activity, Data Exfiltration
  • Highlighted in the diagram: the anomalies Unusual Network Activity, Flight Risk User and Suspicious Data Movement, and the threat Data Exfiltration
• 30. Entering Splunk UBA: Demo Time
  • Review a network scanning alert
  • Apply machine learning to connect the dots
  • Send “real” threats back to ES for analyst work
• 32. Entering Splunk UBA: Demo Time
  • Review a network scanning alert
  • Apply machine learning to connect the dots: machine learning models with graph mining of dependencies
  • Send “real” threats back to ES for analyst work: the central interface for security information and event management
• 33. SOC Metrics: How good are we at working on security alerts?
• 34. Measuring SOC Effectiveness
  Security Operations Management: effective metrics are SMART
  • Specific
  • Measurable
  • Attainable
  • Relevant
  • Timely
  Performance Management: time to remediate security incidents
  • Mean Time To Detect (dwell time)
  • Mean Time To Triage (end-to-end analysis time within the SOC)
  • Mean Time To Closure (end-to-end response time including other operational units)
• 35. Built-in Measurements: Demo Time
  • Report on how long it takes to triage a notable
  • Report on how long it takes to close a notable
• 37. Built-in Measurements: Demo Time
  • Report on how long it takes to triage a notable: Triage Time = “In Progress” to “Closed”
  • Report on how long it takes to close a notable: Closure Time = “New” to “Closed”
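The two measurements defined on slides 34 to 37 as an added example (not Splunk's own code): triage time from the first "In Progress" to "Closed", closure time from "New" to "Closed", averaged into Mean Time To Triage and Mean Time To Closure over the notables that are actually closed. The status-change records are constructed.

```python
# Added example (not Splunk's code): computing the slide's triage and closure
# times from notable status transitions, then their means. Open notables are
# reported as backlog rather than distorting the averages. Records are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed status-change records: (notable_id, new_status, time).
STATUS_CHANGES = [
    ("N-1", "New",         "2020-10-20T08:00:00"),
    ("N-1", "In Progress", "2020-10-20T08:30:00"),
    ("N-1", "Closed",      "2020-10-20T09:30:00"),
    ("N-2", "New",         "2020-10-20T09:00:00"),
    ("N-2", "In Progress", "2020-10-20T11:00:00"),
    ("N-2", "Pending",     "2020-10-20T11:20:00"),
    ("N-2", "In Progress", "2020-10-20T11:40:00"),   # picked up again: first In Progress counts
    ("N-2", "Closed",      "2020-10-20T12:00:00"),
    ("N-3", "New",         "2020-10-20T10:00:00"),   # still open: excluded from both means
    ("N-3", "In Progress", "2020-10-20T10:10:00"),
]

def notable_times(records):
    """Per closed notable: closure and triage time in minutes (triage None if never In Progress)."""
    first_seen = defaultdict(dict)          # notable_id -> status -> first time that status was reached
    for nid, status, ts in records:
        first_seen[nid].setdefault(status, datetime.fromisoformat(ts))
    times = {}
    for nid, seen in first_seen.items():
        if "Closed" not in seen or "New" not in seen:
            continue                        # open notables have no closure time yet
        closed = seen["Closed"]
        times[nid] = {
            "closure_min": (closed - seen["New"]).total_seconds() / 60,
            "triage_min": ((closed - seen["In Progress"]).total_seconds() / 60
                           if "In Progress" in seen else None),
        }
    return times

def soc_metrics(records):
    """Mean Time To Triage and Mean Time To Closure over closed notables, plus the open backlog."""
    times = notable_times(records)
    triage = [t["triage_min"] for t in times.values() if t["triage_min"] is not None]
    closure = [t["closure_min"] for t in times.values()]
    open_count = len({nid for nid, _, _ in records}) - len(times)
    return {"mttt_min": mean(triage) if triage else None,
            "mttc_min": mean(closure) if closure else None,
            "closed": len(times), "open": open_count}
```

A notable closed straight from "New" has a closure time but no triage time, so it counts toward MTTC only; a long wait in "New" shows up as the gap between the two means.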
• 38. Recommended Further Reads
  • Add asset and identity data to Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/Addassetandidentitydata
  • Getting Started with Risk-Based Alerting and MITRE (Bryan Turner, IT Security Analyst, Publix): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
  • Modernize and Mature your SOC with Risk-Based Alerting (Jim Apger, Security Specialist, Splunk / Jimi Mills, SOC Manager, Texas Instruments): https://conf.splunk.com/files/2019/slides/SEC1538.pdf
  • Understand data flow in Splunk UBA: https://docs.splunk.com/Documentation/UBA/5.0.0/GetDataIn/Overview
  • Machine Learning Toolkit Overview in Splunk Enterprise Security: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview
• 39. Splunk Technology Covered in This Session
  (Architecture diagram as on slide 9) Covered: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom.
• 40. Action Plan: Next 90 Days
  Tech Hands On
  • Schedule an ES hands-on workshop
  • Leverages the Boss of the SOC (BOTS) dataset
  • Multiple scenarios
  • From the creation of a notable event to its investigation
  Strategy
  • Schedule a PVP (Prescriptive Value Path) with a Splunk security expert
  • Your target state - today = identified gap and project roadmap
  Security Program Review
  • Understand your business organization’s goals.
  • Gain an understanding of the business goals and the business case for IT and data security. Understand management’s risk appetite and asset classifications, and review recent incidents.
• 41. Thank You!