Driving more value from your Security Operations Center (SOC) Platform
James Hanlon, Director, Splunk Security Markets Specialization, EMEA
2017 SPLUNK INC.
What is the value of security operations in 2018? For most SOCs and businesses, this is less than clear.
Emergent SOC technology enables a new approach to realize more value from security investments:
Cloud Security Operations (CSO)
Breach & Attack Simulation Tools (BAS)
Threat Intelligence Platform (TIP)
Network Traffic Analysis (NTA)
Data Analytics Platform
User & Entity Behavior Analytics (UEBA, often labelled AI or ML)
Security Orchestration, Automation & Response (SOAR)
Network Intrusion Detection & Prevention System (NIDPS)
Endpoint Detection & Response (EDR)
Cloud Access Security Broker (CASB)
Vulnerability Management (VM)
What's most important to you?
Different Technologies Provide Different Value to the SOC
Inspection & Visibility (Recognize More): EDR, VM, NTA, CASB
Analysis & Detection (Understand More): Data Analytics, SIEM, UEBA, ML & AI
Actionability & Management (Do More): SOAR, TIP, CSO
Let your SOC SOAR: Security Orchestration, Automation & Response
A pause: AI & ML for security
ML provides contextual threat detection value: ML for advanced and insider threat detection
Threat categories: Account Takeover, Suspicious Behavior, Lateral Movement, Cloud Security, External Alarm, Data Exfiltration, Security Context
Example detections: disabled account activity; suspicious badge activity; suspicious account lockout; high downloads; aggregation of external alarms; terminated user activity; account recovery detection; privilege escalation after PowerShell activity; high deletions; interactive logins by service accounts; unusual file access; VPN logins by service accounts; unusual USB device; high USB attachments; local account creation; password policy circumvention; multiple authentications and failures; file relay; data destruction; data collection; watering hole; behavior-based fingerprinting of user roles and assets (security context); suspicious new access
AI & ML for Security: A Caution. See the cleverhans post on why attacking machine learning is easier than defending it: http://www.cleverhans.io/security/privacy/ml/2017/02/15/why-attacking-machine-learning-is-easier-than-defending-it.html
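The detection list above and the caution that follows it, as an added example written for this page rather than code from Splunk or any of its products: three of the listed use cases (interactive logins by service accounts, terminated-user activity, multiple failures followed by a success) as plain rules over constructed authentication events, a trailing-baseline statistical detector for the "high downloads" case, and then the caution made concrete: the same baseline detector misses an attacker who ramps volume slowly enough to drag the baseline along with them. Every event, threshold, account name and the HR "terminated" list is constructed for the example.

```python
"""Rule-based and baseline-based insider-threat detection over constructed
log data, plus a slow-ramp evasion of the baseline detector.
Added example for this page; not Splunk code."""
from statistics import mean, pstdev

# --- Part 1: rule-based detections in the style of the UEBA use-case list ---

# Constructed authentication events (user, outcome, logon_type); not real data.
AUTH_LOG = [
    ("svc_backup", "success", "interactive"),  # service account used at a console
    ("svc_backup", "success", "service"),      # normal service logon
    ("alice", "failure", "interactive"),
    ("alice", "failure", "interactive"),
    ("alice", "failure", "interactive"),
    ("alice", "failure", "interactive"),
    ("alice", "failure", "interactive"),
    ("alice", "success", "interactive"),       # success after a burst of failures
    ("bob", "success", "interactive"),         # bob is on the terminated list
    ("carol", "success", "interactive"),
]
TERMINATED_USERS = {"bob"}   # hypothetical HR feed of departed employees
SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention
FAILURE_THRESHOLD = 5        # failures before a success is treated as a takeover


def rule_alerts(events, terminated=TERMINATED_USERS):
    """Return (rule, user) pairs for three UEBA-style use cases."""
    alerts = []
    failure_streak = {}
    for user, outcome, logon_type in events:
        if user in terminated:
            alerts.append(("terminated_user_activity", user))
        if user.startswith(SERVICE_ACCOUNT_PREFIX) and logon_type == "interactive":
            alerts.append(("interactive_login_by_svc_account", user))
        if outcome == "failure":
            failure_streak[user] = failure_streak.get(user, 0) + 1
        else:
            if failure_streak.get(user, 0) >= FAILURE_THRESHOLD:
                alerts.append(("multiple_failures_then_success", user))
            failure_streak[user] = 0
    return alerts


# --- Part 2: a trailing-baseline anomaly detector ("high downloads") ---

WINDOW = 7          # days of history used as the user's baseline
Z_THRESHOLD = 3.0   # standard deviations above baseline that raise an alert


def first_anomaly(daily_mb, window=WINDOW, z_threshold=Z_THRESHOLD):
    """Index of the first day whose volume is more than z_threshold sigma
    above the trailing-window mean, or None if nothing is flagged."""
    for i in range(window, len(daily_mb)):
        history = daily_mb[i - window:i]
        mu, sigma = mean(history), pstdev(history)
        sigma = sigma if sigma > 0 else 1.0   # avoid division by zero on flat history
        if (daily_mb[i] - mu) / sigma > z_threshold:
            return i
    return None


# --- Part 3: the caution. Same detector, attacker who ramps slowly. ---

HONEST_WEEK = [50, 55, 45, 60, 50, 48, 52]     # MB/day, constructed baseline

# A naive attacker pulls 300 MB on day 8: far outside the baseline, flagged.
SUDDEN_SPIKE = HONEST_WEEK + [300]

# A patient attacker grows volume 10% per day. Each day's history already
# contains the earlier ramp days, so the baseline keeps pace and never fires,
# even though the final day moves more data than the spike did.
SLOW_RAMP = HONEST_WEEK + [50 * 1.1 ** k for k in range(1, 21)]


def evasion_demo():
    """Return (spike_flag_day, ramp_flag_day, ramp_last_day_mb)."""
    return (first_anomaly(SUDDEN_SPIKE),
            first_anomaly(SLOW_RAMP),
            round(SLOW_RAMP[-1], 1))


if __name__ == "__main__":
    print(rule_alerts(AUTH_LOG))
    print(evasion_demo())
```

The rules in Part 1 are the easy half of the list: each needs only the event stream and a reference set (service-account naming, HR terminations). Part 3 is the point of the caution: a detector that learns "normal" from the same data the adversary controls can be taught a new normal, so a baseline model needs either a fixed reference period, a ceiling that does not move, or a second signal (destination, time of day, peer group) that the attacker cannot shift as cheaply.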
Analytics is now a foundational security operations capability (Gartner, 2017)
Characteristics of a Data Analytics Platform: any question, any data, in real time; single platform, many lenses; performance at scale; open ecosystem; hybrid machine learning
Extending Analytics for Security Operations (layered view):
SOC Operations: Security Automation, Orchestration & Response
Analytics: Machine Learning for Security
Data Platform: Data Analytics Platform
Converged Analytics for Business Value
Extracting Value Through Converged Data Analytics Security, IoT & Industrial Data Analytics
Last Thought: Connecting the SOC of 2020 to the Business with Emergent Technology & Converged Data Analytics
Corporate Mission & Goals drive Corporate/IT Initiatives 1, 2, 3 ... N
Business Enabler Security Strategy & Metrics (Data Analytics Enabled)
SecOps / SOC Strategy & Metrics (Operational Security), with SOC strategies driven by adversary, threat, controls, vulnerability or IT risk
Reducing the gap between the business-enabler security strategy and the SecOps/SOC strategy provides business-enabling alignment for Security & SOC teams
Summary & Thank You