Security Jiujitsu

More documents

Recommendations

Info

Agenda Four types of security correlaEon rules you probably want 1. CorrelaEon across many sourcetypes and events – Generate high fidelity alerts 2. Privileged user monitoring – Detect lateral movement and prioriEze risky users 3. Conquering alert faEgue – Don’t be beaten by tens of thousands of alerts per day 4. Threat Intel hits – Immediately detect bad actors in your environment 4
For Each Scenario • Focus on Visibility, Analysis, and AcEon • Driven by customer use cases and/or real deployments! • Backed by A Splunk App! 5
Page 1 and 2: Copyright © 2015 Splunk Inc.
Page 3: Personal IntroducEon David Veuve
Page 7 and 8: Who Are You? 1. Security Engine
Page 9 and 10: Security CorrelaEon In Splunk
Page 11 and 12: Splunk CorrelaEon Rules Easy in
Page 13 and 14: Visibility, Analysis, AND AcEon
Page 15 and 16: CorrelaEon Across MulEple Source
Page 17 and 18: Search Example Raw Search 71 S
Page 19 and 20: Techniques - Expand Base Search
Page 21 and 22: Techniques - The Other Stats S
Page 23 and 24: Techniques - Higher Confidence
Page 25 and 26: How Does it Scale? Tstats vers
Page 27 and 28: About Endpoint Logs Curious abo
Page 29 and 30: Privileged User Monitoring
Page 31 and 32: Visibility AuthenEcaEon Data Mod
Page 33 and 34: Analysis Alert when users who
Page 35 and 36: Analysis - Part Two -‐ Exa
Page 37 and 38: Analysis - Part Three (ES Spec
Page 39 and 40: Conquering Alert FaEgue
Page 41 and 42: Visibility A typical Eer one a
Page 43 and 44: Analysis Technique - StaEsEcal
Page 45 and 46: Analysis Technique - StaEsEcal
Page 47 and 48: Analysis Technique - Combine Mu
Page 49 and 50: Analysis Techniques - Machine L
Page 51 and 52: Threat Feeds
Page 53 and 54: Great Threat Feed Tools Enterpr
Page 55 and 56:
But That’s Not all for Threa
Page 57 and 58:
We Looked at a Lot of Things
Page 59 and 60:
Give Me Feedback! Rate it in
Page 61 and 62:
Appendix Network HunEng
Page 63 and 64:
Techniques -‐ Frequency Unde
Page 65 and 66:
Techniques -‐ Coherence Cohe
Page 67:
Analysis | tstats prestats=t su
show all

Security Jiujitsu

Create successful ePaper yourself

Delete template?

Save as template?