Der Weg in den vollautomatisierten SOC Betrieb
Splunk
Splunk for Security
1. The Road to Fully Automated SOC Operations (Der Weg in den vollautomatisierten SOC Betrieb)
Splunk for Security. Udo Götzen, CISSP, Staff Sales Engineer. Start 16:30.
© 2021 SPLUNK INC.
2. The Road to Fully Automated SOC Operations
Splunk for Security. Udo Götzen, CISSP, Staff Sales Engineer.
3. The Security Data Journey: the road to the fully automated SOC
Stages: 1 Investigate, 2 Analyze, 3 Act, 4 Collaborate.
Stage 1, Security Logging & Investigation:
● Build an investigative data platform
● Correlate events
● Monitor specific security use cases
4. The Data-to-Everything Platform for Machine Data (diagram)
On one side: data lakes, master data management, ETL, point data management solutions and data silos. On the other: IT, Security, IoT and business analytics use cases.
5. Data-to-Everything Platform: a main benefit of the Splunk platform is data reuse across Security, IT/OT Operations and Business
• Security (SOC, security analysts): up to 80% of the total data commonly indexed for Security is critical to enable IT Ops use cases.
• IT/OT Operations (server, network, app, DBs): up to 50% of the total data commonly indexed for IT Ops can be leveraged to enable Business Analytics use cases.
• Application Development / DevOps (testers, developers): up to 80% of the total data commonly indexed for IT Ops is critical for App Dev to produce faster release cycles with fewer errors.
• Business Analytics (business units).
Diagram labels: Helvetia, Dark Data.
6. The first stage of the security journey: recommendations on which data sources should be collected
Network: Visibility into network traffic is essential for every security team. At this early stage the priority is to see what kinds of traffic exist on your network. It is important to see both the allowed traffic and the communication attempts that were blocked. Examples: Palo Alto Networks, Cisco, Check Point, Fortinet.
Endpoint: Endpoint logs complement network visibility and reveal malicious activity such as the execution of malware, an insider performing an unauthorized action, or an attacker who is present in your network. In the first step it is important to collect this data from servers of all operating systems (in a later stage, data from desktops and notebooks is indispensable). Examples: Windows Event Logs, Linux system logs, Linux auditd, Mac system logs.
Authentication: Authentication logs can tell you when and from where users access your systems and applications. Since most successful attacks ultimately involve the use of valid credentials, this data is essential for distinguishing a legitimate login from an account takeover. Examples: Windows Active Directory, Cloud Identity & Access Management (IAM).
Web activity: Many attacks begin with a user visiting a malicious website, or end with valuable data being transferred to a site the attacker controls. Visibility into who accesses which pages and when is essential for the investigation. Examples: next-gen firewall traffic filters (Palo Alto Networks, Cisco, Check Point, Fortinet); web proxies (Bluecoat, Websense).
7. Splunk Security Essentials: Identify Bad Guys
• 850+ security analytics methods
• Free on Splunkbase; use on Splunk Enterprise
• Target external and insider threats
• Advanced threat detection, compliance, and more
• Scales from small to massive companies
• Data source onboarding guidance
• MITRE ATT&CK and Kill Chain mappings
• Save from the app, send hits to ES / UBA
Solve the use cases you can today for free, then use Splunk UBA for advanced ML detection. https://splunkbase.splunk.com/app/3435/
8. The Security Data Journey: the road to the fully automated SOC
Stages: 1 Investigate, 2 Analyze, 3 Act, 4 Collaborate.
Stage 1, Security Logging & Investigation: ● Build an investigative data platform ● Correlate events ● Monitor specific security use cases
Stage 2, Analytics-driven SIEM:
● Cross-platform correlation with end-to-end visibility
● Proactive monitoring
● Analytics-driven framework
● Risk-based alerting
9. What Is Enterprise Security? (architecture diagram)
Data inputs: mainframe data, relational databases, mobile, forwarders, syslog/TCP, IoT devices, network wire data, Hadoop.
Platform for Operational Intelligence.
Enterprise Security components: Notable Events, Asset & Identity, Risk Analysis, Threat Intelligence, Use Case Library, Adaptive Response.
11. Notable Events and Incident Review
▶ Streamline the incident management process: consolidated incident management allows effective lifecycle management of security incidents.
▶ Rapid decision-making support: automatically aligns all security context together for fast incident qualification and provides predefined analysis paths.
▶ Refine the security management process: investigation management and customizations to support complex process integration requirements.
13. How to Populate Assets & Identities
Sources, from quick start to long-term success: (1) CSV upload / maintaining it in the GUI; (2) Nmap / vulnerability scanner; (3) Active Directory / LDAP / DHCP; automated building and learning through indexed events.
Long-term success: user lifecycle management / CMDB / HR system.
15. Risk Framework
Expose risk factors to analysts:
• Rationalize and analyze behaviors and relationships across all data.
• Investigate risk factors to anticipate threats and prevent future threats.
Ability to prioritize / decide based on risk:
• Transparent evidence translates to quantitative numbers.
• Ability to map scores to different objects, including events, and aggregate based on a criterion (functions, business units, physical
Quantitative metrics are applied to distinguish the importance of a certain situation for advanced detection.
Diagram: the TOTAL RISK SCORE (e.g. +80) is built from occurrences of matching correlation searches, attributed to the asset, the identity and other attributes.
16. Alert Volumes Are Overwhelming SOCs
• Abandoned alerts
• Suppressed alerts
• Slow detection / response
• Analyst burnout
Over 40% of organizations receive 10,000+ alerts per day and experience 50%+ false positives.
17. But What Alternatives Do SOCs Have?
Either alert directly from the analytics/correlations (and live with alert fatigue) or keep tuning the analytics. There are no perfect correlation searches; alert fatigue seems inevitable.
18. 2018: Risk-Based Alerting to the Rescue
Analytics/correlations write observations into a risk index instead of alerting directly, dramatically reducing alert volumes while increasing analyst productivity and efficiency.
19. 2018: Risk-Based Alerting to the Rescue
Analytics/correlations → observation → risk index → risk notable alerting (on risk score, MITRE ATT&CK tactic, business unit, outliers), dramatically reducing alert volumes while improving your security posture.
20. How Does This Look in Practice?
Traditionally, the events below would be considered too noisy and would be abandoned:
6:55AM Potential spearphishing observed
6:58AM Suspicious command disabling controls
7:03AM Suspicious PowerShell observed
1:55PM AWS ACLs opened up all access
2:03PM AWS user provisioning observed
2:07PM AWS buckets created
2:15PM AWS permanent creation observed
21. How Does This Look in Practice?
With risk-based alerting, these events become context that informs high-fidelity alerts.
Risk notable: generate an alert for any user or system that exceeds a risk score of 100 in a 24-hour period.
6:55AM Potential spearphishing observed: 10 pts
6:58AM Suspicious command disabling controls: 15 pts
7:03AM Suspicious PowerShell observed: 20 pts
1:55PM AWS ACLs opened up all access: 10 pts
2:03PM AWS user provisioning observed: 15 pts
2:07PM AWS buckets created: 15 pts
2:15PM AWS permanent creation observed: 20 pts
Aggregated user risk score > 100 → ALERT. With one click, view all of the risk events that contribute to the alert.
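The risk-based alerting rule above (aggregate risk per user or system, alert when the 24-hour score exceeds 100), as an added Python example that is not part of the original deck or of Splunk Enterprise Security itself: it feeds the seven risk events from the slide, attributed to a hypothetical user "jdoe" on an assumed day, through a sliding-window aggregator and returns the risk notable together with its contributing events. The ATT&CK tactic labels on the events are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the seven risk events from the slide, attributed to one
# hypothetical user "jdoe" on one assumed day. The ATT&CK tactic labels are
# assumptions for illustration, not part of the original slide.
DAY = datetime(2021, 6, 1)


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    entity: str          # risk object: a user or a system
    description: str
    score: int           # risk points assigned by the correlation search
    tactic: str          # MITRE ATT&CK tactic (assumed mapping)


SAMPLE_EVENTS = [
    RiskEvent(DAY.replace(hour=6, minute=55), "jdoe", "Potential spearphishing observed", 10, "Initial Access"),
    RiskEvent(DAY.replace(hour=6, minute=58), "jdoe", "Suspicious command disabling controls", 15, "Defense Evasion"),
    RiskEvent(DAY.replace(hour=7, minute=3), "jdoe", "Suspicious PowerShell observed", 20, "Execution"),
    RiskEvent(DAY.replace(hour=13, minute=55), "jdoe", "AWS ACLs opened up all access", 10, "Defense Evasion"),
    RiskEvent(DAY.replace(hour=14, minute=3), "jdoe", "AWS user provisioning observed", 15, "Persistence"),
    RiskEvent(DAY.replace(hour=14, minute=7), "jdoe", "AWS buckets created", 15, "Collection"),
    RiskEvent(DAY.replace(hour=14, minute=15), "jdoe", "AWS permanent creation observed", 20, "Persistence"),
]


@dataclass
class RiskNotable:
    entity: str
    total_score: int
    tactics: list          # distinct tactics seen in the window
    contributing: list     # the risk events behind the alert (the drill-down)


def risk_notables(events, threshold=100, window=timedelta(hours=24)):
    """Sliding-window aggregation over the risk index.

    For each entity, walk its risk events in time order and keep the sum of
    scores inside the trailing `window`. The first time the sum exceeds
    `threshold` (strictly greater, as the slide's rule says "exceeds"), emit
    one notable carrying the contributing events, then stop for that entity
    so a single burst does not produce one notable per further event.
    """
    by_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_entity[ev.entity].append(ev)

    notables = []
    for entity, evs in by_entity.items():
        in_window = deque()
        total = 0
        for ev in evs:
            in_window.append(ev)
            total += ev.score
            # Drop events that fell out of the trailing window (the newest
            # event is always inside it, so the deque never empties here).
            while ev.time - in_window[0].time > window:
                total -= in_window.popleft().score
            if total > threshold:
                tactics = sorted({e.tactic for e in in_window})
                notables.append(RiskNotable(entity, total, tactics, list(in_window)))
                break
    return notables


def drilldown(notable):
    """One line per contributing event: the 'one click' view from the slide."""
    return [f"{e.time:%I:%M%p} {e.description}: {e.score} pts" for e in notable.contributing]


if __name__ == "__main__":
    for n in risk_notables(SAMPLE_EVENTS):
        print(f"ALERT {n.entity}: aggregated risk {n.total_score} > 100, tactics {n.tactics}")
        print("\n".join(drilldown(n)))
```

Running it reports one notable for "jdoe" with a score of 105; the three morning events alone (45 points) never surface as an alert, which is the point of the slide.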
23. Threat Intelligence Framework
Finding hidden IOCs using comprehensive threat intelligence mappings.
COLLECT (intel sources): multiple sources, multiple transmission types, multiple transports, multiple data formats. IOC types: (1) IPs, (2) emails, (3) URLs, (4) file names/hashes, (5) process names, (6) services, (7) registry entries, (8) X.509 certificates, (9) users.
CATEGORIZE: index, extract, categorize.
MANAGE (data management): manage / audit threat sources: list status, list management, list location.
SEARCH (data search): ad-hoc search, analyze, investigate, prioritize.
CORRELATE: match all IOCs in existing log data and generate an alert for any match; KSI and trends, security dashboard, correlation data / notable events.
25. Analytic Story Details
Story description and information: the top bar contains metadata around the Analytic Story, the right window shows the association to various security frameworks, and the description and narrative explain what it is about.
Run the searches in the story: clicking 'Run Analytics' runs all the searches in the story and gives you a count of the number of results returned.
26. Analytic Story Details
Configure in ES: takes you to the associated 'Edit Correlation Search' page in ES.
Search details: this is the area where you can see the exact search and related details, and optionally run it.
More searches: the associated contextual, investigative, and supporting searches are all available here as well.
Search metadata: information on the data models used and examples of technologies that can provide the necessary data.
28. Splunk Adaptive Response Framework
Integrated response domains: WAF & app security, orchestration, network, threat intelligence, internal network security, identity and access, endpoints, firewall, web proxy.
30. The Security Data Journey: the road to the fully automated SOC (stages 1 and 2 as on slide 8)
Stage 3, Automate and Respond:
● Automation and orchestration
● Running playbooks
● Gathering security context
● Responding faster
● Strengthening defensive measures
● Intensifying collaboration
31. SOAR for Security Operations
Faster execution through the loop yields better security.
Observe (point products: firewall, IDS/IPS, endpoint, WAF, advanced malware, forensics, malware detonation) → Orient (analytics: SIEM, threat intel platform, Hadoop, GRC) → Decision making (Tier 1, Tier 2, Tier 3 analysts) → Acting (the same point products). Decision making and acting are manual today; the goal is to automate them.
33. How SOAR Solves Security Operations Problems
• Too many alerts: clear 80% of alerts with no human interaction. Phantom automates security alerts so your team can go from overwhelmed to in control.
• Limited resources: force-multiply your team. Automate repetitive tasks so you can do more with the people you already have.
• Lack of process: establish SOPs to be more effective. Phantom has case management built in to help customers build operational rigor.
• Speed: from 30 minutes to 40 seconds. Phantom orchestration and automation makes everything work faster.
• Costs: definitive ROI and hard cost savings. Phantom saves your team time and headaches, and makes your current tools work better.
• Too many siloed products: unlock value from previous investments. Phantom orchestrates workflows and response across all your products so that each one is actively participating in your defense strategy.
34. SOAR Maestro (diagram): a playbook orchestrates the app actions of many integrated tools.
35. How it Works: Automated Malware Investigation (a Phantom case study)
"Automation with Phantom enables us to process malware email alerts in about 40 seconds vs. 30 minutes or more." — Adam Fletcher, CISO
Flow: email alert → sandbox, query recipients, user profile, hunt file, file reputation, file assessment → run playbook "Remediate".
36. SOAR Playbook Example (screenshot)
37. The Security Data Journey: the road to the fully automated SOC (stages 1 to 3 as on slide 30)
Stage 4, Collaborative SOC:
● Fully automated security operations center
● Bringing SIEM, UEBA and SOAR technologies together
● Effective communication and collaboration
38. Security Nerve Center
SIEM and SOAR at the center: Monitor, Analyze, Investigate, Act. Connected domains: endpoints, threat intelligence, network, web proxy, firewall, identity and access, WAF and app security, cloud security, mobile.
39. Security Portfolio
• Splunk Enterprise: Investigate; the realm of the known, human-driven. Log aggregation; rules, statistics, correlation; ad hoc searches and data pivot.
• Enterprise Security: Detect, investigate & respond. Single pane of glass; security metrics & incident response; adaptive response; collaboration.
• Splunk UBA: Detect; the realm of the unknown, ML-driven. Risky behavior detection; entity profiling and scoring; kill chain and graph analysis.
40. Value Gained with Splunk
• 70% less time spent investigating security events, thanks to correlation
• 30% reduction of the risk associated with IP theft, data breaches and fraud
• 80% reduction of the time spent on manual compliance reporting
• 80% reduction of the time spent on manual, routine security tasks
On average, customers see significant improvements in the detection, triage and investigation of incidents, which reduces overall risk.
41. https://events.splunk.com/security_workshops_de
Enterprise Security Hands-On Workshop; Risk-Based Alerting Hands-On Workshop.
42. Thank You