Building an Analytics Enables SOC
1 like4,326 views
The document discusses building an analytics-driven security operations center (SOC) using Splunk. It begins with an overview of challenges with traditional SOCs, such as efficacy, staffing, siloization, and costs. It then covers trends in security operations like increased capabilities, automation, use of threat intelligence, and threat hunting. The document outlines components of the security operations toolchain including the log data platform, asset inventory, case management, and common data sources. It presents Splunk as a nerve center for security operations that can provide adaptive security architecture, threat intelligence framework, advanced analytics, automated processes, and proactive hunting and investigation. Finally, it shares examples of how customers have used Splunk to build intelligence-driven SO
More Related Content
Similar to Building an Analytics Enables SOC (20)
Building an Analytics Enables SOC
- 2. 2 Safe Harbor Statement During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 3. 3 3 > Dave Herrald [email protected]|@daveherrald - Senior Security Architect, Splunk Security Practice - 20+ years in IT and security -Information security officer, security architect, pen tester, consultant, SE, system/network engineer - GIAC GSE #79, former SANS Mentor # whoami
- 5. 5 Splunk – Leader in Security Company (NASDAQ: SPLK) • Founded 2004, first software release in 2006 • HQ: San Francisco / Regional HQ: London, Hong Kong • Over 2,000 employees, based in 12 countries Business Model / Products • Free download to massive scale • Splunk Enterprise, Splunk Cloud, Splunk Light • Splunk Enterprise Security, User Behavior Analytics 12,000+ Customers • Customers in 100 countries • 80+ of the Fortune 100 • Largest license: Over 1 Petabyte per day
- 15. 15 What is a SOC? ● A place? ● A person or a team? ● A set of practices? ● A set of tools?
- 17. 17 A SOC by any other name… The organizational capability to detect and respond to threats. ● VSOC ● Cyber Defense Center ● Cyber Fusion Center ● Cybersecurity Operation Center ● Multifunction NOC/SOC ● Command SOC ● Crew SOC? https://www.gartner.com/doc/3479617
- 26. 26 New Capabilities in the SOC ● Alert Management ● Incident Response ● Toolchain engineering ● Threat intelligence (consumption and creation) ● Threat hunting ● Vulnerability management ● Red team SOC++ Alert Management IR / CSIRT Toolchain Engineering Threat intelHunting Vuln. Management Red Team
- 27. 27 What About Managed Security Services? ● Alert Management ● Incident Response ● Toolchain engineering ● Threat intelligence (consumption and creation) ● Threat hunting ● Vulnerability management ● Red team SOC++ Alert Management IR / CSIRT Toolchain Engineering Threat intelHunting Vuln. Management Red Team
- 28. 28 Automation in the SOC • Response – maybe • Context gathering – definitely • Automate “Tier 1” • Places a high premium on toolchain integration
- 35. 35 How are SOC Teams Hunting? https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785 ● Start with a hypothesis that considers: § Assets (often crown jewels) § Threats § Vulnerabilities § Countermeasures ● Requires lots of data ● Flexible platform to ask/answer questions ● Data science / ML / Analytics
- 39. 39 Log Data Platform • Single source of truth • Retention and integrity • Any data source • Easy correlation • Automation / integration • Performant and scalable • Full fidelity • Normalized? • Hunting • Forensic investigation • Alerting • Dashboards • Visualization • Analytics (ML?)
- 41. 41 Asset Inventory and Identity Data Often multiple sources of record – that’s OK • CMDB, Vuln scans, Passive detection, DHCP, NAC • Active directory, LDAP, IAM Network diagrams Categorization • PCI, ICS, Administrative, Default, Comprehensive yet lightweight and easy to maintain Must be easy to correlate to log data
- 42. 42 Case and Investigation Management • Ticketing system • Workflow • Supports prioritization • Supports collaborative investigation • Provides metrics • Supports automation • Auditable
- 43. 43 Common SOC Data Sources • Firewall • Network metadata • Authentication • Server • Windows / Linux • Endpoint • EDR, AV, HD/RAM images • IDS / IPS • VPN • Application • Threat intel • Vulnerability • Assets and Identities
- 46. 46 1. Adopt an Adaptive Security Architecture To Prevent, Detect, Respond and Predict need: - Correlation across all security relevant data - Insights from existing security architectures - Advanced analytics techniques such as machine learning Platform for Operational Intelligence 4000+ Apps and Add-Ons Splunk Security Solutions
- 47. 47 2. Threat Intelligence – Splunk Threat Intel Framework Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources Support for STIX/TAXII, OpenIOC, Facebook and more Build your own data to create your own Threat Intel Out of the box Activity and Artifact dashboards Prioritize, contextualize and analyze threats and remediate Law Enforcement Feeds ISAC Feed Agency Feeds Commercial Service Community Feed Open-Source Feed Other Enrichment Services • Monitor and triage alerts • Determine impact on network, assets • Use for analysis / IR • Collect / provide forensics • Use to hunt / uncover /link events • Share info with partners
- 48. 48 3. Use Advanced Analytics – Native ML and UBA Simplify detection and focus on real alerts Accelerate anomaly and threat detection – minimize attacks and insider threat Use Machine Learning toolkit - solutions to suit your workflow Premium Machine learning solution - User Behavior Analytics – Flexible workflows for SOC Manager, SOC analyst and Hunter/Investigator within SIEM
- 49. 49 4. Proactively Hunt and Investigate - Considerations ● Organizational maturity ● Domain and product experience ● Tools: Network, Endpoint, Threat Intel, Access ● Security relevant data, historical, raw data ● Flexibility and ad hoc
- 50. 50 5. Automate whenever feasible App Servers Network Threat Intelligence Firewall Internal Network Security Endpoints Use rules and machine learning to automate routine aspects of detection and investigation Extract insights from existing security stack by use of common interface Take actions with confidence for faster decisions and response Automate any process along the continuous monitoring, response & analytics cycle Splunk Adaptive Response
- 53. Customer Success
- 54. 54 Building an Intelligence Driven SOC Challenges • Existing SIEM not adequate - struggled to bring in appropriate data • Unable to perform advanced investigations, severe scale/performance issues • Looking to build a new SOC with modern solution Customer Solution • Centralized logging of all required machine data at scale and full visibility • Retain all relevant data from 10+ data sources which is used by 25+ SOC/CSIRT users • Tailored advanced correlation searches & IR workflow • Faster and deeper incident investigations • Greater SOC efficiencies - all SOC/CSIRT working off same UI/data • Executive dashboards to measure and manage risk 54
- 55. 55 Citywide SOC for situational awareness Challenges • Slow responses to security incidents • Inadequate situational awareness of security events • Limited threat intelligence • Disparate logs from over 40 departments were difficult to aggregate Customer Solution : Splunk Cloud with Enterprise Security • Real-time, citywide, 24/7 network surveillance • Stronger protection of digital assets and infrastructure • Shared threat intelligence with federal agencies • Reduced headcount and lower operational costs
- 56. 56 Build an insourced SOC in months Challenges • Wide range of security requirements – Internal audits (financial, PCI) – Protect internal info and assets – Cloud firewall, DDOS • Cultural and Organizational – Security not a priority, Outsourced SecOps – Information hoarding and data silos Customer Solution : Splunk Enterprise Security • Changed culture - security first mindset with controls • Detect, prevent and respond to attacks in own environment, with 24/7 security analysis of customers • Rapid detection and deep investigation • Detect Web App attacks, discover compromised cards
- 57. 57 Maturing SOC Challenges • Legacy SIEM : Unstable, Inflexible, Clunky • Limited skilled resources • High false negative and false positive Customer Solution : Splunk Cloud with Enterprise Security • Developed processes : Rule set, naming • SOC process : Playbook, training, automated documentation • Enabled SOC to identify patterns of behavior in a single event rather than be bombarded by thousands of low-value incidents
- 58. Wrapping up
- 60. Copyright © 2016 Splunk Inc. • 5,000+ IT and Business Professionals • 175+ Sessions • 80+ Customer Speakers PLUS Splunk University • Three days: Sept 23-25, 2017 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP SEPT 25-28, 2017 Walter E. Washington Convention Center Washington, D.C. CONF.SPLUNK.COM The 8th Annual Splunk Worldwide Users’ Conference
- 62. 62 Can I play BOTS? 62 Yes! • RSA Conference 2017 • Splunk .conf 2017 • Online / continuous? Stay tuned New scenarios and data sets