WIXLIB

TheEssential Guideto SecurityHow to Get Started Using Splunkfor Security to Solve YourEveryday Challenges

Table of ContentsIntroduction .5What’s YourPlan forCybersecurity?Are you simply “planningfor the worst, but hopingfor the best?”Splunk in the Security Operations Center (SOC).6Understanding the Fundamentals .8Splunk’s Analytics-Driven Security Journey.8Splunk’s Security Suite. 10The Security Use Cases . 12Embarking on Your Analytics-Driven Security Journey. 15Stage 1: Collection. 11010110Stage 2: Normalization.20Stage 3: Expansion.22Stage 4: Enrichment.24Stage 5: Automation and Orchestration. 26Stage 6: Advanced Detection.28Solve Common Security Challenges With the SplunkSecurity Operations Suite.30Incident Investigation and Forensics. 32 Detect Lateral Movement With WMI.32 Identify Multiple Unauthorized Access Attempts.35Security Monitoring.38 Detect Public S3 Buckets in AWS.38 Find Multiple Infections on Host.42Advanced Threat Detection.44 Detect Connection to New Domain.44 Find Emails With Lookalike Domains.48SOC Automation. 52 Automate Malware Investigations.52 Automate Phishing Investigations and Responses.54Incident Response.56 Detect New Data Exfil DLP Alerts for User.56 Identify Basic Dynamic DNS Detection.59Compliance. 62 Detect New Data Exfil DLP Alerts for User.62 Find User Logged Into In-Scope System They Should Not Have.65Fraud Analytics and Detection.68 Detect Compromised User Accounts.68 Find Anomalous Healthcare Transactions.71Insider Threat Detection. 73 Detect Large Web Upload.73 Detect Successful Login of Account for Former Employee. 76

So how can youbest defend yourorganization andhunt down newadversaries?Ultimately, by taking a holisticapproach to your defensesystem across the enterprise.IntroductionWhat’s your plan for cybersecurity? Are you simply “planningfor the worst, but hoping for the best?” With digital technologytouching every part of our lives and new threats popping up daily, it’simperative that your organization is precise, informed and preparedwhen it comes to defending your assets and hunting your adversaries.High-profile breaches, global ransomware attacks and the scourge ofcryptomining are good enough reasons why your organization needsto collect, leverage and understand the right data. You’ll also need toimplement the right processes and procedures, often alongside newtechnologies, methods and requirements–all with an ever-increasingvelocity and variety of machine data.So how can you best defend your organization and hunt down newadversaries? Ultimately, by taking a holistic approach to your defensesystem across the enterprise. This is why Splunk believes everyorganization needs a security nerve center, implemented by followinga six-stage security journey that we will describe for you.Let’s break down what that means.5

Splunk in the Security OperationsCenter (SOC)Data-driven businesses take advantage of the investigate, monitor,analyze and act (IMAA) model to advance their security by optimizingtheir people, processes and technology. It includes using all the datafrom the security technology stack, which can help you investigate,detect and take rapid, coordinated action against threats in a manual,semi-automated or fully-automated fashion. When security teamsinvest in their security infrastructure, their security ecosystemand skills become stronger, making it possible to expand securitypractices into new areas and proactively deal with threats.The Splunk Data-to-Everything Platform and Splunk’s securityportfolio brings together multiple cybersecurity areas, as well asothers outside of security, to foster collaboration and implementbest practices for interacting with your data. Security teams can useSplunk solutions to drive statistical, visual, behavioral and exploratoryanalytics that inform decisions and actions. From there, the platformallows for a modern workflow, from collecting data all the way toSplunk Adaptive Responseinvoking actions to address cyberthreats and challenges.Sound good?Great. So how do I make all of this happen in the real world, you ask?To get you started, we put together this short guide to introduce youto the top security use cases organizations face and to show you howSplunk’s analytics-driven platform can help you solve your securitychallenges. This guide is divided into three sections:1. Understanding the Fundamentals. Here you will find anintroduction to the security journey and a quick primer onsecurity use cases with each use case mapped to relevantSplunk solutions.2. Embarking on Your Analytics-Driven Security Journey. Herewe explain the six stages of the data-driven security journey–andwhat you should be able to do, and how well, at each stage.3. Solving Common Security Challenges With Splunk. Herewe walk through examples of how to solve common securitychallenges associated with: Incident investigation and forensics Security monitoring Advanced threat detectionNetworkWeb ProxyFirewallThreatIntelligence SOC automation Incident response, compliance Fraud and analytics detection Insider threatWAF & AppSecurityOrchestrationInternet NetworkSecurityReady to create a kick-ass security practice?We thought so.EndpointsIdentity andAccessFigure 1: Splunk Enterprise Security includes a common framework for interacting with data and invokingactions. The Adaptive Operations Framework enables security teams to quickly and confidently applychanges to the environment. Splunk Enterprise Security can automate the response as well, enabling thesecurity infrastructure to adapt to the attacker using a range of actions appropriate to each domain.67

Understanding theFundamentalsSTAGE 6Advanced DetectionApply sophisticated detection mechanismsincluding machine learningSTAGE 5Cyber criminals never rest, which means that you should constantlybe looking for new security use cases and insights to maintain highAutomation and Orchestrationlevels of protection in your environment.Establish a consistent and repeatable securityoperation capabilityWe’re here to help.STAGE 4Splunk’s Analytics-Driven Security JourneyEnrichmentAnyone who has been asked the question, “Are we secure?” knowsAugment security data with intelligence sources to betterunderstand the context and impact of an eventthat cybersecurity is a journey, not a destination. While the expeditionmay not have an end point, and there will always be challenges, thereSTAGE 3are things you can do to make the trip successful.ExpansionFirst, you must understand your environment and find a place toCollect additional data sources like endpoint activity andnetwork metadata to drive advanced attack detectionbegin. Ask yourself: What am I trying to protect? What is my criticaldata? How will I respond to the threats?STAGE 2The six-stage analytics-driven security journey, shown in Figure 2,Normalizationwill help you answer these questions and create a kick-ass securityApply a standard security taxonomy and add asset and identity datapractice that enables you to understand the gaps in your defenses,see the next challenge and take action to meet it head on.STAGE 1CollectionCollect basic security logs and other machine data from your environmentFigure 2: Splunk’s Analytics-Driven Security Journey89

Splunk’s Security SuiteSplunk’s Security SuiteWould you embark on a hiking expedition without a trail map and aSplunk EnterpriseIs a flexible platform addressing an array of security usecases, enabling you to monitor and analyze machine dataquickly from any source to deliver insights to act and theanalytics-driven foundation to strengthen your overallsecurity. Available in the cloud.Splunk EnterpriseSecurityA security information and event management (SIEM) solutionthat provides insights into machine data generated fromsecurity technologies such as network, endpoint and access;as well as malware, vulnerability and identity information.Available in the cloud.Splunk UserBehavior AnalyticsA machine-learning-powered solution that delivers answersorganizations need to find unknown threats and anomalousbehavior across users, endpoint devices and applications.Splunk SOARA security orchestration, automation and response(SOAR) platform that integrates with your existing securitytechnologies to provide a layer of “connective tissue”between them, making them smarter, faster and stronger.ApplicationsApps developed by Splunk, partners and our community toenhance and extend the power of the Splunk platform. TheSplunk App for Payment Card Industry (PCI) Compliance isan example. Available in the cloud.Splunk SecurityEssentialsExplore new use cases and deploy security detections fromSplunk Security Essentials to Splunk Enterprise and SplunkCloud and Splunk SIEM and SOAR offerings. Now a fullysupported app with an active Splunk Cloud license, startstrengthening your security posture and quicken your timeto-value with Splunk.Splunk EnterpriseSecurity ContentUpdatesFor customers with Splunk Enterprise Security (ES), thisdelivers security analysis guides, called “Analytic Stories,”that explain how to best use Splunk ES to investigate andtake action on new threats detected in your environment,what searches to implement and what you should be ableto achieve.backpack full of provisions and the right gear? Of course not. Just asno trip can be successful without the proper equipment, no securityjourney can be successful without the right technology.Splunk Mission ControlSplunkSIEM(ES and UBA)SplunkSOARSplunkSecurity Apps(SSE and InfoSec)Future SplunkSolutions andThird-Party ToolsData SourcesSplunk’s Security Suite helps security teams navigate unchartedwaters and quickly identify, investigate, respond to and adapt tothreats in dynamic, digital business environments. Splunk solutionscan be used by a tier-1 analyst to do basic research on a time period,keyword, IP address or machine name. The same products enableadvanced tier-2 and tier-3 analysts to perform advanced correlations,build analytical models or perform advanced forensics.1011