.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own. Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo. So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including: Top challenges faced in improving security posture Key KPIs implemented in order to measure success Strategies and approaches applied in the SOC How MITRE ATT&CK and Splunk Enterprise Security were utilised Next steps in their maturity journey ahead

1. © 2022 SPLUNK INC.
Following .italo's Tracks to a More
Mature SOC
SOC, Amore Mio!

2. © 2022 SPLUNK INC.
Who am I
• I am currently working as CISO at Italo. In my previous experience, I
worked as Manager for PwC and Deloitte for several clients as
Poste Italiane, Technogym and Gamenet and before that as a
Security Engineer for Ferrovie dello Stato.
My Role
• I started in Italo in 2018 as IT Security Manager. After 1 year, Italo
established the Cyber Security Function and appointed me as CISO
with the aim to significantly increase the maturity level of cyber
security through the onboarding of both new talents as well as
outsourced security platforms and services.
My Mission
• I have been working with Splunk since I was in Ferrovie and now I
finally have the opportunity to replace the shared SIEM provided by
our external SOC with Splunk technology.
When I met Splunk
Enrico
Maresca

3. © 2022 SPLUNK INC.
Italo – Anniversary
Italo is an Italy OES (i.e., Operator of an Essential
Service) for high-speed rail, and the first operator in the
world to use Alstom’s new AGV train, holder of the world
speed record for wheeled rail vehicles.
PASSENGERS
100 mln
CITIES CONNECTED TO
ITALO’S NETWORK
48
STATIONS CONNECTED TO
ITALO’S NETWORK
53
DAILY CONNECTIONS
116
ITALO’S FLEET (AGV and
EVO)
51

4. © 2022 SPLUNK INC.
Our Corporate Security IT: people, and frameworks
Insource Outsource
IT Security Italo Layer

5. © 2022 SPLUNK INC.
The Italo main IT Initiatives
- Modernization and Resilience of key digital “channels” (e.g., Web
Portal, Mobile App, Ticketing Machines, ..) that are strategic for the
Italo business
- Implementation of the new CRM – MS Dynamics on Cloud
- Because of Italo must be Compliant with the NIS Directive,
implementation of a framework based on the NIST Cybersecurity
Framework and ISO 27001

6. © 2022 SPLUNK INC.
Our challenges to improve the Security posture
Alert noise and fatigue that, with the number of people of the Security team, make higher the
Risk to not take care of real Threats that can impact the company business
False Positive incidents versus False Negative ones that, with classic alert correlation-rules,
make Security people to spend time on not real Threats (i.e., false positive) while potential
Attacks are not detected (i.e., false negative)
Relevant Security Information access from collected Log data for Alert investigation (i.e., attack
perimeter identification, manual correlation with other generated Alerts, ..) that, with a legacy
SIEM data investigation features, make Security visibility hard to achieve quickly while this
must be maintained through ad-hoc customization
Risk protection and exposure measurement that, with technology-based Security controls,
make difficulty to report internally where we’re and where to invest (i.e., our Security roadmap)
to improve Security posture according to company industry and related attacks (e.g., MITRE
ATT&CK Security framework controls-based approach)

7. © 2022 SPLUNK INC.
An operationalizable strategy for a new desired state
Alert noise and fatigue
minimize both while maintaining current Security team
False Positive, False Negative
reduce number of positive ones while improving detection
Security Information access
increase threat insights view from collected Log data
Risk protection and exposure
drive and measure current / future Security controls according to
retail industry real-World (e.g., MITRE ATT&CK) observed cyber
attacks
q MTTA (Mean Time to Acknowledge)
q MTTC (Mean Time to Contain)
q MTTR (Mean Time to Resolve)
q MTTC (Mean Time to Contain)
q MTTD (Mean Time to Detect)
q MTTC (Mean Time to Contain)
q MTTR (Mean Time to Resolve)
ü TTP (Tactics, Techniques, and
Procedures)
ü KSI (Key Security Indicators)
min
50%
of
improvement

8. © 2022 SPLUNK INC.
Why it’s so hard and challenging?
Complex IT Landscape
collecting data from X technologies we have to protect is complex
Data Quality
ensuring that the RIGHT data for analytics is arriving from the source is key
Trust but Verify
we want to consume out-of-the-box analytics - but we want to be able to
understand it, adjust it and verify the logic is the right one for our environment
Nosy MITRE ATT&CK Techniques
some techniques used by hackers are very noisy - prioritization and response
strategy needed

9. © 2022 SPLUNK INC.
The Solution to improve Italo Security
Italo SOC Team

10. © 2022 SPLUNK INC.
MITRE ATT&CK
• ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge.
• Tactics: represent the “why” of an ATT&CK technique or sub-technique. It is the
adversary’s tactical goal: the reason for performing an action. For example, an
adversary may want to achieve credential access. (ROWs in ATT&CK matrix)
• Techniques: represent “how” an adversary achieves a tactical goal by performing an
action. For example, an adversary may dump credentials to achieve credential access.
(COLUMNs in ATT&CK matrix)
• Sub-techniques: are a more specific description of the adversarial behaviour used to
achieve a goal. They describe behaviour at a lower level than a technique. For
example, an adversary may dump credentials by accessing the Local Security
Authority (LSA) Secrets.
Few things you need to know

11. https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

12. © 2022 SPLUNK INC.
https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

13. © 2022 SPLUNK INC.
Techniques used by APT Groups in
ATT&CK
I can’t spend 3 million Euros on writing
detections for all these different attacks.

14. © 2022 SPLUNK INC.
Operationalization of MITRE framework to Detect Cyber
Threat, and to Measure the company Risk exposure

15. © 2022 SPLUNK INC.
Risk Exposure: Manufacturing Analysis
What should I care about, if I am a Manufacturing customer?

16. © 2022 SPLUNK INC.
Evil Corp Log Sources
Firewall Logs
Proxy Logs
Windows Server Logs
Router & Switch Logs
Linux Server Logs
Other
40%
18%
12%
10%
10%
10%
> 5% Detections
50% Detections
15% Detections
> 1% Detections
10% Detections
Windows Server Logs
DNS Logs
Proxy Logs
Linux Server Logs
Firewall Logs
Other
40%
18%
12%
10%
10%
10%
Log Sources based on Detection Strategy.
Makes Sense.

17. © 2022 SPLUNK INC.
Goal
Contextualized Detection Strategy
N
Data
source
is targeted by uses
logged in
is detected by
is needed for
I think I can present that Detection Strategy
to the Board.
Transportation
Industry
Y
Techniqu
e
Z
Detection
s
X
Group
s

18. © 2022 SPLUNK INC.
Leveraging MITRE ATT&CK with Splunk
MITRE Att&ck
Tactics and
Techniques
Data Sources
Detection
Rules

19. © 2022 SPLUNK INC.
Operationalization of MITRE ATT&CK with Splunk
The “Security Consultant” of
SSE on top of Splunk ES

20. © 2022 SPLUNK INC.
Built-in Filtering

21. © 2022 SPLUNK INC.
Stop the attacks
at the beginning
of the chain
Visibility in case of
attacks that had
success

22. © 2022 SPLUNK INC.
Windows Security Drill down
Data introspection of SSE to drive Alerts
activation based on coming Log quality

23. © 2022 SPLUNK INC.
Network communication Drill down
Data introspection of SSE to drive Alerts
activation based on coming Log quality

24. © 2022 SPLUNK INC.
Cyber Threat Detection filtered for the Transportation
Industry and used for the Splunk ES pilot

25. © 2022 SPLUNK INC.
Extended Data Sources
selection for Transportation
Industry, and its Risk-protection
coverage

26. © 2022 SPLUNK INC.
Benefit of Risk-based alerting provided by Splunk

27. © 2022 SPLUNK INC.

28. © 2022 SPLUNK INC.
Aggregated view of all elements of an alert

29. © 2022 SPLUNK INC.
Italo Executive Security view, Risk exposure metrics

30. © 2022 SPLUNK INC.
Wrap Up & Key Benefits
• Tailored solution: Splunk SIEM design based on real MITRE ATT&CK context
specific to the transportation industry, leveraging the native MITRE framework
integration in Splunk
• Clear risk exposure: in any moment in time the real risk exposure is represented in
clear and measurable shape, by dedicated dashboard views, in order to drive the right
business decisions in a timely manner
• SOC Efficiency : SOC Analyst aren’t overwhelmed by hundreds of alerts per day by
leveraging the Risk Based Alerting feature of Splunk, which provide smart aggregation
and scoring to bring only the high-fidelity Alerts to the Analyst attention
• Time Efficiency: Splunk SIEM and MITRE framework design grant NTV Security
Team the ability to take the most effective decisions in timely manner, drastically
reducing the MTTD/MTTR from hours/days to minutes

31. © 2022 SPLUNK INC.
Our journey with the support of Splunk
Monitoring
IT
Operations
MITRE
approach
to SIEM
Security
SOC
evolution
with
Splunk
SOAR
Security
Evolution
Today