My favorite part of any spy movie is the gadgets. You see a spy in normal attire, without knowing that the jacket is bulletproof and the watch shoots amnesia darts. That spy is prepared for anything. Writing security searches in SPL is much the same—so you can call me Q. In past Security Ninjutsu sessions, we’ve covered many foundational elements common among security searches. This year, we are bringing the ninja, and it’s going to be epic. We’ll spend 60 minutes covering all the awesome search techniques used by Splunk Security Ninjas from around the world. There will be a massive PDF. Attendance of prior Ninjutsu sessions not required, though available at dvsplunk.com.
.conf 2016 -- Security Ninjutsu Part Three: Real-World Correlation Searches
Throughout the Security Ninjutsu series, we used real world searches created by Splunk technical resources working with their customers. Now we will discuss the reverse: actual correlation searches built by customers on their own (easy, medium, hard). For each, we will explain what caused them to create the use case, how they built the query, tweaked and filtered and what action they took as a result. What happens when attackers stop being nice, and start being real? Come find out. (Optional: View prior Security Ninjustu series talks here: https://dvsplunk.com/ninjustsu)
At .conf2014 in Security Ninjutsu, we covered four real customer scenarios that allowed security users to leverage advanced correlation and anomaly detection, moving beyond basic incident response. You needn't have attended last year's session because this year we will cover four totally new use cases! We will be diving into analytics (basic through advanced) and threat discovery, easy apps for hunting, new bidirectional threat intel integrations and more! Through each of the examples, we will review the data sources, discuss how to analyze them, and see what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.
Splunk's analytical capabilities allow security users to leverage advanced correlation and anomaly detection moving beyond basic incident response. Splunk can also take action, ranging from integration with ticketing systems to automatic blocking and beyond. This session will walk the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain. Through each of the examples, we will review the data, how to analyze it, and what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.
Whether you're looking to reduce breaches, set up monitoring to anticipate attacks, or build more predictive capabilities, you will learn to apply the power of Splunk’s search processing language (SPL) via the Splunk Security Essentials
App. We'll also present how to tighten your security with actionable searches that you can use immediately. All of the examples will have demo data, but you will see how you can apply custom data in your own environment. In this
session, you will learn how to:
– Optimize and make Splunk search work for you, so you can quickly gain insights into your data to identify and describe security impacts and potential threats
– Detect unusual and potentially malicious activity using Splunk Enterprise statistical and behavioral analysis capabilities
– Find unusual activities
You know the use cases, you understand stats. You might strut through the halls of .conf events as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk with upwards of a 1000x performance improvement: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to a ludicrously fast speed. This talk will explain how and when to leverage acceleration, and improving user experience, value and TCO for all kinds of use cases.
You know the use cases. You understand stats. You might strut through the halls of .conf2016 as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk software with upwards of 1000x performance improvements: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to ludicrous speed, but there’s a learning curve. This talk will explain how and when to leverage acceleration for all kinds of use cases in a simple way, taking it from the highest echelons of SPL Ninjutsu and bringing it to everyone.
There is a feature that many customers could deploy to simplify their deployments, ease user adoption and enhance their level of security, but few customers actually use it. That feature is Single Sign-on, and it can be deployed via the free Active Directory Federation Service (ADFS) available to almost everyone. This session will walk attendees through the basics of SSO, with an explanation and live demonstration of how ADFS works with Splunk, so that they can go back to their companies and enhance their Splunk experience.