Latest episodes from Splunk [Security, Compliance and Fraud Track] 2019 .conf Videos w/ Slides

What's New in Splunk for Security [Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom]

Dec 23, 2019

Our security research, engineering and product teams have been hard at work building new capabilities to bolster your Splunk security stack. Find out what they’ve been up to since .conf18, and watch a demonstration of the latest innovations in Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk Phantom. There are other awesome developments that we can’t share now but are excited to share with you at .conf.
Speaker(s): Kyle Champlin, Senior Product Manager, Splunk; Patriz Regalado, Sr. Product Marketing Manager, Splunk; Rob Truesdell, Sr Director, Product Management, Splunk; Chris Simmons, Director of Product Marketing, Splunk; Koulick Ghosh, Product Manager, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2366.pdf?podcast=1577146217
Product: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

You replaced IBM QRadar with Splunk Enterprise Security. Now What? [Splunk Cloud, Splunk Enterprise Security]

Dec 23, 2019

Never used Splunk before, have no Splunk admins and you’ve just bought Splunk Enterprise Security? That was us, and now we're using Splunk in ways that we could've only dreamed of using IBM QRadar. In this session we’ll share our implementation story, how we worked with Splunk to accelerate our learning curve, and how we went from 0 to 3TB in 3 months with no Splunk admins. We'll also cover how Splunk allows us to onboard data sources that we couldn't with QRadar.
Speaker(s): Nick Ho, Sales Engineer, Splunk; Ross Rutherford, Information Security Engineer, Western Union
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1264.pdf?podcast=1577146217
Product: Splunk Cloud, Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Beginner

Zero to Hero: A 202-Year-Old Firm’s Journey to End-to-End Security Visibility [Splunk Cloud, Splunk Enterprise Security, Phantom]

Dec 23, 2019

Does your small team also run a full-featured SOC that supports a global company? In this session we’ll show you how we’ve used Splunk Cloud and Splunk Enterprise Security to bring together all the relevant security intelligence from our technology stack, transforming our security operations from ad hoc and tactical to strategic and compliance-driven. We’ll discuss key takeaways from our journey, such as the benefits of ingesting data properly from the outset so you can reap the rewards as you scale; how we leverage multiple use cases out of single data sources; and how we created easy-to-understand visualizations that convey our firm’s security posture to management.
Speaker(s): Edward Asiedu, Senior Professional Services Consultant, Splunk; Craig Gilliver, Head of SecOps, Johnson Matthey
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1511.pdf?podcast=1577146217
Product: Splunk Cloud, Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Mission Control: A Day in the Life of a Security Analyst [Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom]

Dec 23, 2019

Join us to see the latest developments with Splunk’s Security Operations Suite. We’ll share background on the underlying architecture as well as a showcase of new features. Learn how your security use cases are solved with scale and performance.
Speaker(s): Rob Truesdell, Sr Director, Product Management, Splunk; Atom Coffman, Starbucks
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1706.pdf?podcast=1577146216
Product: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom
Track: Security, Compliance and Fraud
Level: Beginner

Modernize and Mature Your SOC with Risk-Based Alerting [Splunk Enterprise, Splunk Enterprise Security]

Dec 23, 2019

Today SOCs are in desperate need of a different alerting approach. Texas Instruments (TI) decided to transform its SOC by using risk-based alerting to generate fewer, higher-fidelity alerts, and by aligning to the MITRE ATT&CK™ framework, which provides more situational awareness to analysts. This risk-based approach reduces false positives and the situational numbness associated with the legacy whitelisting process. Splunk and TI will walk you through TI's SOC successes as it transitioned to risk-based alerting. TI will detail a few real-life risk-based rule examples, discuss learning curves to fast-track your transition, and discuss how MITRE ATT&CK™ fits in with this approach. After this session, you will have the foundation to embark on your risk-based alerting journey, allowing you to increase detection mechanisms, increase your coverage of the ATT&CK™ techniques, and improve the overall effectiveness of your SOC.
Speaker(s): Jim Apger, Staff Security Architect, Splunk; Jimi Mills, Security Operations Center Manager, Texas Instruments
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1803.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Intermediate

One Size Fits None: Lessons from Implementing Compliance [Splunk Enterprise]

Dec 23, 2019

We will share our journey, lessons, and observations from the past year of implementing compliance at the MITRE Corporation. We'll recap our path from initially learning about Defense Federal Acquisition Regulation Supplement (DFARS), also known as NIST 800-171, to complying with it. We'll share insights from the process that may help you in your compliance journey, but we'll also discuss how your journey might be different than ours, as one size never fits all with compliance.
Speaker(s): Bob Clasen, Computer Engineer, MITRE; Eugene Katz, Splunk Evangelist, MITRE
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1372.pdf?podcast=1577146216
Product: Splunk Enterprise
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Our Splunk Phantom Journey: Implementation, Lessons Learned, and Playbook Walkthroughs [Splunk Enterprise, Phantom]

Dec 23, 2019

Learn from our experience implementing Splunk Phantom so that you can speed up your automation journey. We'll examine key decisions we made with our implementation and the good and the bad that resulted. We'll also cover our automation efforts in event triage, incident response and everything in between, with walkthroughs of our top playbooks. Additionally, we'll present how we tackled Splunk alert ingestion and what Phantom could look like in a cloud-first deployment.
Speaker(s): John Murphy, Security Analyst, NAB; Chris Hanlen, Lead Cyber Security Specialist, NAB
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1506.pdf?podcast=1577146216
Product: Splunk Enterprise, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Post-Pwn3D: Using Splunk Enterprise and Splunk Enterprise Security for Incident Response and Forensic Analysis [Splunk Enterprise, Splunk Enterprise Security]

Dec 23, 2019

After breaches, incident response teams often end up with an overwhelming amount of forensic evidence data, including disk images, memory captures, PCAP, and more. We'll show you how one of our IR/forensics teams is ingesting this data into Splunk to answer the who, what, where, when and why of breaches. Our presentation will show you how to use Splunk Enterprise and Splunk Enterprise Security for Incident Response (IR) workflow tracking and reporting on multi-source forensic data captures.
Speaker(s): Josh Wilson, Consulting Engineer, August Schell; Dave Martin, Supervisory Special Agent, Federal Bureau of Investigation
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1796.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Protecting your Data: The 2020 Decennial Census and Data Security [Splunk Enterprise, Splunk Enterprise Security]

Dec 23, 2019

The Census is the nation’s largest peacetime mobilization effort and determines congressional representation. Census data is used by businesses, governments and civic organizations to inform decision-making, and this year the Census is going mobile and online for the first time. This means that security is a top priority in ensuring the success of the 2020 Decennial. This segment of the conference will explore security-related topics including vulnerabilities, scalability and performance, with a special focus on Data Privacy, Compliance and Reputational Threat Management. If all things data and IT Security excite you, then this session is for you. Census executives Atri Kalluri and Zack Schwartz will provide a behind-the-scenes overview of the systems supporting the 2020 Decennial, including Splunk, and real-world case studies on how the Census Bureau is adopting best practices across IT security and social media monitoring to ensure the security of respondent data.
Speaker(s): Atri Kalluri, Senior Advocate, Response Security and Data Integrity, U.S. Census Bureau; Zack Schwartz, IT Program Manager, U.S. Census Bureau
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2638.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Pull up your SOCs 2.0 [Splunk Enterprise, Splunk Enterprise Security, Phantom]

Dec 23, 2019

Last year, after our outrageously successful talk "Pull Up Your SOCs: A Splunk Primer on Building or Rebuilding your Security Operations", we wanted to revisit this topic to cover changes in Security Operations that have taken place over the last 12 months. Whether you’re starting from scratch or rebuilding your security program, the first twelve months of standing up your security operations is absolutely critical to success.
Speaker(s): Dimitri McKay, Staff Security Architect | Jedi Master, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2186.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Scaling Splunk Enterprise Security [Splunk Enterprise, Splunk Enterprise Security]

Dec 23, 2019

As the types of devices and applications used in IT organizations increase exponentially, scaling the analytics-driven SOC becomes even more imperative. In this session Splunk Professional Services will help you learn from its past experiences architecting Splunk Enterprise Security environments for scale into the terabytes per day. We will share technical details on improvements to search technology and Data Model Acceleration in Splunk Enterprise that will help you increase performance and decrease total cost of ownership. We will also take a deep dive under the hood into the Splunk Enterprise Security frameworks for which you should make special considerations at high volume. Finally, we'll share important metrics on how to monitor the ongoing health of your Enterprise Security deployment, ensuring you stay on track over time, even in periods of rapid growth.
Speaker(s): Marquis Montgomery, Principal Security Architect, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2120.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Intermediate

Scary (Spooky?) Fast Intelligence-Based Hunting with Splunk Phantom [Splunk Enterprise Security, Phantom]

Dec 23, 2019

Organizations today struggle with quickly and consistently applying behavior-based threat intelligence across their security tools. The hours needed to stitch together this information manually leave analysts unprepared to quickly turn around questions from management about their vulnerability to threats that their management sees in the news. In this session we will demonstrate how to use Splunk Phantom to reduce that time lag by automating your threat hunts. Specifically, we will show you how to use Yet Another Recursive Algorithm (YARA) rules on endpoint and network security tools automatically and simultaneously. We will use a case study to show the benefits achieved from this playbook: better reporting, more robust procedures, faster time to detect malware variants, and generally more efficient and effective threat hunts.
Speaker(s): Robb Mayeski, Security Automation Magician, EY; Will Burger, Security Automation Consultant, EY; Haris Shawl, EY
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1280.pdf?podcast=1577146216
Product: Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Securing a Global Investment Fund Using Splunk Cloud and Splunk Enterprise Security [Splunk Cloud, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML]

Dec 23, 2019

Join this session to learn the do’s and don’ts of rolling out an effective cloud security visibility platform for a global organization. We will cover topics such as why we moved away from our previous SIEM provider, deploying and managing a cloud-based SIEM, and effectively using a third-party organization to provide tier 1 and 2 event and incident support.
Speaker(s): Simon O’Brien, Principal Sales Engineer, Splunk; Grant Slender, Chief Information Security Officer, QIC
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1205.pdf?podcast=1577146216
Product: Splunk Cloud, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML
Track: Security, Compliance and Fraud
Level: Intermediate

Securing the Intelligent Enterprise with SAP Enterprise Threat Detection and Splunk []

Dec 23, 2019

Looking to eliminate blind spots across your SAP environment and take proactive action to detect and mitigate attacks before mission-critical ERP applications are compromised? SAP recently teamed with Splunk to help a leading manufacturer build and validate a first-of-its-kind bi-directional integration between SAP Enterprise Threat Detection and Splunk. See a demo of how Enterprise Threat Detection’s open, extensible framework enables an exchange of alerts with Splunk to facilitate real-time attack investigations from either platform, plus the ability to rapidly take action within the SAP landscape or the broader heterogeneous infrastructure. SAP Enterprise Threat Detection is a powerful native SAP HANA application that quickly identifies suspicious patterns at the application server and database level. When a potential SAP software-specific threat is identified, Enterprise Threat Detection can send an alert to Splunk to correlate with other application and infrastructure data for deeper investigation or trigger immediate action. Conversely, InfoSec teams using Splunk to rapidly identify anomalies across the broader security infrastructure can send alerts to Enterprise Threat Detection for forensics or to trigger appropriate actions in the SAP environment. The combination of Enterprise Threat Detection and Splunk enables organizations to more effectively combat security issues across the enterprise, spanning applications and infrastructure.
Speaker(s): Claw Clawson, SplunkYoda, Splunk; Carl Yestrau, Director of Architecture for Partners, Splunk; Anne Marie Colombo, Cybersecurity Solution Advisor, SAP
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2856.pdf?podcast=1577146216
Product:
Track: Security, Compliance and Fraud
Level:

Security visibility through Windows endpoint analytics [Splunk Enterprise]

Dec 23, 2019

Security requires visibility. uberAgent ESA provides just that. Built on top of the existing uberAgent User Experience Monitoring product, uberAgent Endpoint Security Analytics tags risky processes, detects potential threats resulting from configuration changes and provides deep insights into application and even script activity.
Speaker(s): Helge Klein, Managing Director, vast limits GmbH
Slides PDF link: https://conf.splunk.com/files/2019/slides/SECS2534.pdf?podcast=1577146216
Product: Splunk Enterprise
Track: Security, Compliance and Fraud
Level: Intermediate

Solving Endpoint Security & Perimeter Blindness with Splunk – Lessons from Cisco’s Internal InfoSec Deployment [Splunk Cloud, Splunk Enterprise Security, Phantom]

Dec 23, 2019

Endpoint security is more than detecting malware. Most insider threats, however, don’t involve malware, but other security issues associated with the user and endpoint. Learn how Cisco’s own InfoSec team uses Cisco Endpoint Security Analytics Built on Splunk and Cisco NGFW integration to increase its endpoint security and threat visibility.
Speaker(s): Scott Pope, Cisco
Slides PDF link: https://conf.splunk.com/files/2019/slides/SECS2899.pdf?podcast=1577146216
Product: Splunk Cloud, Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Splunking the Endpoint V: Hands On with BOTSv4 Data [Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor]

Dec 23, 2019

Initial compromises happen on your endpoints, so why are you not Splunking them? In this edition of Splunking The Endpoint, we will tell you exactly what to configure in Splunk, and where, why, and how to do so in order to get unparalleled visibility into threats targeting your network. Not only will we revisit popular operating system and open-source endpoint data sources like Sysmon and Osquery, but we'll also talk about various popular commercial EDR products and give you best practices for collecting data from them. Lastly, we'll help you address any doubts about scale problems and licensing costs. Please bring your laptop! We will dive through the latest Boss of the SOC (BOTS) endpoint data and demonstrate the detection techniques needed to answer BOTS questions. Everything you learn will be something you can take home and put into production immediately.
Speaker(s): James Brodsky, Director, Global Security Kittens, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2007.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Business Flow, Splunk Data Fabric Search and Data Stream Processor
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Splunk Phantom Ignition: Getting Automation Off the Ground and Working for You [Phantom]

Dec 23, 2019

Did you get more staff for Heartbleed? How about Shellshock or the OPM breach? Neither did we. The threat landscape is growing faster than ever and we need to cover more bases without more people. Enter Splunk Phantom: automation and integration for the masses. This session will help you understand what you need to build an effective Phantom ecosystem. I will go over initial strategies, real-world examples, and use cases, and we will also take a glance at some more robust development projects that show the power of Phantom's extensibility.
Speaker(s): Mhike Funderburk, Senior Security Engineer, Stage 2 Security; Brandon Robinson, Senior Security Architect, Stage 2 Security; Luke Summers, Cyber Security Engineer, Stage 2 Security
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1949.pdf?podcast=1577146216
Product: Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Splunk Security Essentials 3.0: Driving the Content that Drives You [Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics]

Dec 23, 2019

Whether you have just SSE or all of Splunk's Premium Products, you can benefit from the ton of Security Content that Splunk produces. We'll start this session by setting a quick baseline on all of the fantastic detections that Security Essentials has had in the past, and then jump into the new prescriptive guides, MITRE ATT&CK™ integration, Auto-Dashboard-Magic, and all the related functionality that will help you plan your usage of any/all of Splunk's security products. We'll present all this information through the lens of helping you get the best possible detections deployed with the least amount of effort.
Speaker(s): David Veuve, Principal Security Strategist, Splunk; Johan Bjerke, Principal Sales Engineer, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2013.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Step Up Your Defenses with End-To-End Detection, Investigation, and Response [Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom]

Dec 23, 2019

Maturing and scaling your security operations rests on your ability to process and analyze huge volumes of often unrelated data in real time. But today's tools notoriously overwhelm SOC analysts with the sheer number of alerts and high percent of false positives, resulting in confusion about what tools to use for investigation and response. In this session, members of Splunk's Security Research Team will discuss the next generation of Enterprise Security Content Updates that they developed, which integrate the entire Splunk for Security product suite to create a robust end-to-end defense—detection, investigation, and response. We will go over how to use these security guides, which will leverage Splunk Enterprise Security, Splunk Phantom, and Splunk User Behavior Analytics. We'll also highlight the Run Story feature we built to operationalize ESCU Analytics stories and share tools and techniques customers can use to write and test their own use cases.
Speaker(s): Bhavin Patel, Security Software Engineer, Splunk; Jose Hernandez, Security Researcher, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1775.pdf?podcast=1577146216
Product: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Supercharge Your Security Operations Center with Splunk and MITRE [Splunk Enterprise, Splunk Business Flow]

Dec 23, 2019

DATEV provides information services to ~2.5 million payrolling, accounting, and tax clients. Given the sensitivity of the personal and financial data that our clients process, DATEV decided to establish a SOC to secure our clients' information, and we put Splunk at the core of its operations. In this session we will discuss four key elements relevant to building a successful SOC with Splunk. We'll first discuss how we formed our SOC and orchestrated its activities internally. We'll then discuss how we use MITRE's ATT&CK™ framework to prioritize activities, how we spread our SOC's security knowledge to all relevant groups at DATEV, and how we use Splunk to create real-time situational awareness for different SOC customers, for stakeholders, and for management.
Speaker(s): Sebastian Schmerl, Head of Cyber Defense, Computacenter; Christian Heger, SOC Architect / Technical Head of SOC & Analyst, DATEV eG
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1411.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Business Flow
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Survival of the Fastest: The 1-10-60 Rule [Splunk Enterprise, Splunk Enterprise Security, Phantom]

Dec 23, 2019

Winston Churchill once said, “Success is not final, failure is not fatal: it is the courage to continue that counts." Then again, Churchill wasn’t in cybersecurity... While our successes are certainly never final, our failures can absolutely be fatal—to a company and our continued employment. What's a good way to actually measure success and failure, though, outside of not appearing on the front page of the paper? Well, as CrowdStrike notes, you have on average one minute to detect an attack in progress, ten minutes to understand it, and sixty minutes to contain it. We will show how to use this 1-10-60 Rule as a measuring metric and leverage the data and capabilities within Splunk and its ecosystem to ensure that we win the survival of the fastest.
Speaker(s): Wissam Ali-Ahmad, Lead Solutions Architect, Splunk; Tim Sullivan, Global Senior Strategic Solutions Architect, CrowdStrike
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1573.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Intermediate

Tackle AWS Security Automatically with Splunk Phantom [Phantom]

Dec 23, 2019

This session will give you a comprehensive look into automating the investigation and remediation of AWS security events using Splunk Phantom. The session will start with an overview and then progress to a live technical walkthrough of setting up Phantom to remediate an AWS security event.
Speaker(s): Matt Tichenor, Product Manager, Splunk
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2187.pdf?podcast=1577146216
Product: Phantom
Track: Security, Compliance and Fraud
Level: Intermediate

Tales From a Threat Team: Lessons and Strategies for Succeeding with a Risk-Based Approach [Splunk Enterprise Security]

Dec 23, 2019

We've run a risk-based approach with our security alerts for over a year, and we're excited to review our progress with you. We'll discuss how we increased the number of behavioral indicators by 300% while reducing our alerts by 50%. We'll also discuss how we expanded our risk approach to handle on-premises and cloud environments within the same framework, which yielded a single alerting mechanism that leverages all of our data enrichment. We'll also share the roadmap for our risk-based approach, which incorporates risk rules that utilize algorithms to identify risks not discovered by traditional detection approaches.
Speaker(s): Stuart McIntosh, Threat Intelligence, Outpost Security
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1908.pdf?podcast=1577146216
Product: Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Advanced

The CISO’s Guide to Shutting Down Attacks Using the Dark Web + Live Dark Web Tour [Splunk Enterprise, Splunk Enterprise Security, Phantom]

Dec 23, 2019

Nick Hayes, VP of Strategy at IntSights, will take you on a tour of the dark web and explain how CISOs can successfully implement a dark web intelligence strategy to neutralize threats outside the wire and at the earliest stages of the cyber kill chain. Now equipped with IntSights External Threat Intelligence, learn how you can take advantage of it through seamless integrations with your Splunk SIEM and Phantom toolsets. Enrich your threat data with internal network security observables, expedite incident reviews and prioritization, and automate your threat prevention and response with SOAR and integrated playbooks.
Speaker(s): Nick Hayes, IntSights
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2887.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security, Phantom
Track: Security, Compliance and Fraud
Level: Good for all skill levels

The Duck Test: Leverage Machine Learning to Remediate Fraud in Huge Datasets [Splunk Enterprise, Splunk Machine Learning Toolkit, AI/ML]

Dec 23, 2019

Aflac measures risk to provide financial protection to more than 50 million people worldwide. Join this session to learn how Aflac mitigates fraud by using Splunk's Machine Learning Toolkit (MLTK) to find outliers and cluster events. Using Splunk and the MLTK reduced the time needed to conduct necessary analyses (e.g. link analysis) from weeks and months to just minutes—we will share with you how we use Splunk's MLTK to iterate quickly, develop new anomaly detection techniques, and improve our overall fraud mitigation performance.
Speaker(s): Matthew Harper, Director, Cyber Crime Prevention, Aflac
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1904.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Machine Learning Toolkit, AI/ML
Track: Security, Compliance and Fraud
Level: Advanced

The House Always Wins: Using Splunk Enterprise to Fight Data Exfiltration From Insider Threats [Splunk Enterprise]

Dec 23, 2019

What happens when the call is coming from inside the house? Data exfiltration by insiders is a dangerous threat, but one that often doesn't get the same level of attention as the sexier external ones. We'll start this session with a brief overview of why and how users exfiltrate information, and we'll progress to tactics, such as effective SPL searches, for operationalizing insider threat detection. You'll leave this session better able to catch insider threats in the act of exfiltration instead of days, weeks, or months later.
Speaker(s): David Doyle, Splunk Puncher, Bechtel; Eric Secules, Forensic Investigator, Bechtel
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC1179.pdf?podcast=1577146216
Product: Splunk Enterprise
Track: Security, Compliance and Fraud
Level: Good for all skill levels

The SOC of the Future [Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics]

Dec 23, 2019

This presentation will discuss how Security Operation Centers (SOCs) will need to change to meet the cybersecurity challenges of the 2020s. The speaker will draw on his experience as a founder of the first SOC-as-a-Service company that delivers managed security services using Splunk. Most industry analysts envision that the next generation of SOCs will leverage AI, Big Data, and the Cloud, but how far can automation take us, and is the concept of an autonomous SOC really practical? How will the SOC of the Future address the global shortage of cyber professionals? How will the role of security analysts need to change? Will the SOC of the Future still need to be housed in dedicated physical facilities? The speaker will provide a blueprint of Proficio’s vision of the SOC of the Future using Splunk and provide a playbook for IT leaders and aspiring IT leaders on how to drive continuous improvement in productivity and measurable outcomes.
Speaker(s): Brad Taylor, Proficio
Slides PDF link: https://conf.splunk.com/files/2019/slides/SECS2839.pdf?podcast=1577146216
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Transforming Intel’s Security Posture with Innovations in Data Intelligence [Splunk Enterprise Security]

Dec 23, 2019

Intel is transforming its approach to security by deploying a new Cyber Intelligence Platform (CIP) based on Splunk, Kafka, and other leading-edge technologies. Our new platform ingests data from hundreds of data sources and security tools, providing context-rich visibility and a common work surface, and improving the efficiency of our entire information security organization. This session will address how we partnered with Splunk architects to deploy and realize benefits from this solution in just five weeks. We will detail how our solution uses real-time data, stream processing, machine learning tools and consistent data models to decrease time to detect and respond to sophisticated threats. This session will cover everything from our platform's business value to its solution architecture.
Speaker(s): Jac Noel, Security Solutions Architect, Intel; Aubrey Sharwarko, Data Scientist, Intel; Jerome Swanson, Security Data Scientist, Intel
Slides PDF link: https://conf.splunk.com/files/2019/slides/SEC2253.pdf?podcast=1577146216
Product: Splunk Enterprise Security
Track: Security, Compliance and Fraud
Level: Good for all skill levels

Use Deception, Automated Response and Threat Emulation to Make Your Defense Proactive [Splunk Enterprise Security, Splunk Machine Learning Toolkit, Phantom, AI/ML]

Play Episode Listen Later Dec 23, 2019


Deception, automation, and real-time data exploitation help security organizations go on offense vs attackers. In this session we will discuss how to use a variety of deception techniques to gather threat intelligence, how to create an automated response, and how to test response playbooks to validate that responses work as expected. Speaker(s) Vincent Urias, Researcher, Sandia National Laboratories Will Stout, Researcher, Sandia National Laboratories Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2203.pdf?podcast=1577146216 Product: Splunk Enterprise Security, Splunk Machine Learning Toolkit, Phantom, AI/ML Track: Security, Compliance and Fraud Level: Intermediate

Use Red Team Exercises to Build Alerts, Train Staff, and Drive Policies [Splunk Enterprise, Splunk Enterprise Security]

Play Episode Listen Later Dec 23, 2019


Most of us have had (or still have) nightmares about an alert that someone's exfiltrating data from our organization. We've lived that nightmare at Harris, and we've learned from it. In this session, we'll discuss how we used red and purple teaming to improve our security posture post-breach. Learn from our experience so that you can strengthen your team's alerting, staff competency, and policies, and reduce the risk of a breach at your company. Speaker(s) Nate Piquette, Sr. Detection & Response Engineer, L3Harris Technologies Adam Parsons, Sr. Detection & Response Engineer, L3Harris Technologies Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1375.pdf?podcast=1577146216 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Good for all skill levels

Use Splunk SIEMulator to Generate Data for Automated Detection, Investigation, and Response [Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom]

Play Episode Listen Later Dec 23, 2019


Obtaining data to develop defenses against threats is a constant challenge for security analysts. To that end, Splunk's Security Research team developed the Splunk SIEMulator, a framework modeled after Chris Long's DetectionLab that allows a defender to replay attack scenarios using AttackIQ in a simulated environment. SIEMulator’s Attack Range environments are all configured with Splunk forwarders and the apps necessary to create and store data in CIM data models. We'll show you how to use the SIEMulator to produce shareable data that can help security analysts replicate scenarios and effectively detect, investigate, and respond to threats. Speaker(s) Phil Royer, Research Engineer, Splunk Rod Soto, Principal Security Research Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1671.pdf?podcast=1577146216 Product: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom Track: Security, Compliance and Fraud Level: Advanced

Using Machine Learning to Unlock the Potential of Your Security Data [Splunk Enterprise, Splunk Cloud]

Play Episode Listen Later Dec 23, 2019


Vectra customers and security researchers respond to some of the world’s most consequential threats. And they tell us that there’s a consistent set of questions they must answer when investigating any attack scenario. Yet security data today is broken and unable to effectively answer those questions. It is either incomplete or storage- and performance-intensive. Most teams don’t have the information necessary to properly answer the questions required to support their use cases, whether it be for threat hunting, investigations or supporting custom tools and models. In this session, hear about real-world use cases where security teams use machine learning engines to derive unique security attributes and how these are embedded into security workflows. Speaker(s) Kevin Sheu, Vectra Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2589.pdf?podcast=1577146216 Product: Splunk Enterprise, Splunk Cloud Track: Security, Compliance and Fraud Level: Good for all skill levels

Using Splunk and DNS to detect that your domains are being abused for phishing [Splunk Enterprise, Splunk Enterprise Security]

Play Episode Listen Later Dec 23, 2019


As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals every day with criminals claiming to be representatives of the organization and contacting the public with phishing e-mails. By using Splunk and RFCs such as RFC 7208 (Sender Policy Framework (SPF) for Authorizing Use of Domains in Email), we have developed a technique to identify phishing attacks that are carried out under the disguise of the Dutch Tax and Customs Administration. This technique is universally applicable. A precondition is access to the DNS logging. By means of this technique, insight can be obtained into where the phishing e-mails are sent from and to whom they are sent. In this talk we will start by explaining which standards are available to increase e-mail security and how we have built an app in Splunk, including a dashboard and a wizard to create the necessary DNS records, to gain insight into the abuse of our domains. Speaker(s) Karl Lovink, Lead Security Operations Center, Dutch Tax and Customs Administration Arnold Holzel, Senior Security Consultant, SMT Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1106.pdf?podcast=1577146216 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Advanced

Using Splunk to Catch Theft Rings [Splunk Enterprise, Splunk Enterprise Security]

Play Episode Listen Later Dec 23, 2019


We helped our client use Splunk to disrupt theft rings plaguing its retail stores. We'll present how we took in public wifi data, tracked MAC addresses that appeared in multiple stores, and ultimately created a system in Splunk that alerted in-store loss prevention teams when individuals likely to be involved in theft rings entered the store. We'll go over the steps taken to operationalize our theft deterrence program so that you can adopt it in your organization or modify it to fit your needs. Speaker(s) Nic Haag, Splunk Professional Services Consultant, Aditum Partners Logan Foshee, Threat Analyst, Lowe's Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1336.pdf?podcast=1577146216 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Advanced

Walking the Talk for Diversity and Inclusion in Cybersecurity [Splunk Enterprise]

Play Episode Listen Later Dec 23, 2019


We believe that to best defend against global security threats, an organization needs defenders who represent the diverse world that we live in. Every business will benefit greatly by bringing more people to the table with varying skills, backgrounds, leadership and views to combat the diverse adversaries out there. Here at Splunk, we have created initiatives like the "Developing Superwomen in Cybersecurity" program that works to diversify and equalize the cybersecurity workforce to women and other underrepresented groups. Come hear how we are taking action by making cybersecurity accessible to all with this program and some practical advice on how you can do the same when you go back to your organization! You'll receive tips on how to make information security inclusive to all with ways of engaging your staff at various levels and receive a blueprint for running your own gamified security experiences, allowing you to up-level staff while embracing their unique talents and backgrounds. Speaker(s) Kelly Kitagawa, Customer Success Manager, Splunk Lily Lee, Staff Security Specialist, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SECD2004.pdf?podcast=1577146216 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Good for all skill levels

Catch exfiltration from cloud file stores early! [Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics]

Play Episode Listen Later Dec 23, 2019


In this session, we tackle data breaches and information exfiltration from cloud file stores. Beyond the attacks that make headlines and result in millions of stolen personal records, we will also focus on the far less publicized risks related to exposure of intellectual property, infrastructure details or finances. We will share our experience in building a defensive strategy that now detects highly covert exfiltration attempts. To this end, we first shed a lot of light on how companies use general-purpose file stores, such as Box, Office365 or Google Drive. We cover the types of files that commonly get stored in the cloud, file sharing practices, access properties, as well as uses of cloud stores by various departments. There are a lot of unexpected insights which eventually invalidate common security assumptions. As the boundary between good and bad gets blurred, we will provide you with a peek into how to design an effective data-driven defense. This approach helped us hone our detection to just tens of validly suspicious exfiltration files in a massive cloud store. Speaker(s) Stanislav Miskovic, Security Data Science, Splunk Ignacio Bermudez Corrales, Senior Data Scientist, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2083.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics Track: Security, Compliance and Fraud Level: Advanced

Defense Against the Dark Arts: Splunk Edition [Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML]

Play Episode Listen Later Dec 23, 2019


Malware infection, lateral movement, data exfiltration, oh my! If you’ve spent any time around the wizarding world of security, you know how much effort goes into preventing dark magic from happening. What if you could use machine learning to stay one step ahead of the adversary? Fasten your seatbelts, because in this talk we will show you how Splunk can utilize machine learning models to take your security detections to the next level. We’ll demonstrate how Splunk's Machine Learning Toolkit can be used to train, validate, and then deploy models to identify anomalies and discover clusters of bad behavior via user-friendly guided workflows—all this while training your models with more data than you’ve ever been able to before. Prepare to leave Las Vegas equipped to incorporate machine learning in your organization’s security detections and jump from reactive to proactive. Mischief managed! Speaker(s) Melisa Napoles, Sales Engineer, Splunk Erika Strano, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2129.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Good for all skill levels

Deploying Splunk Enterprise Security and Splunk Phantom At Scale [Splunk Enterprise, Splunk Enterprise Security, Phantom]

Play Episode Listen Later Dec 23, 2019


Ever wondered how to integrate or scale Splunk Enterprise Security (ES) and Splunk Phantom? Join us as we explore best practices involved in setting up clustered environments for ES and Phantom that yield a highly available and scalable security platform. You will leave this session better able to create scalable ES and Phantom deployments, tools, commands, cheat sheets, and troubleshooting methods at your own organizations. Speaker(s) Mayur Pipaliya, Forward Deployed Software Engineer, Splunk Ankit Bhagat, Forward Deployed Software Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2233.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Advanced

Detect and Mitigate Insider Threats Using Splunk's Machine Learning Toolkit and Splunk Enterprise Security [Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML]

Play Episode Listen Later Dec 23, 2019


When is a 20MB email to an external Gmail account dangerous? It all depends on context. Understanding what normal behavior is will reveal whether specific behavior is malicious or ordinary. We’ll walk you through how using Splunk’s Machine Learning Toolkit and Splunk Enterprise Security together provides actionable insight for analysts to improve security. We'll also detail how we caught insider threats in our environment with these tools. Speaker(s) Karthik Subramanian, Principal Senior Cybersecurity Engineer, SAIC Tyler Williams, Cybersecurity Data Analyst, SAIC Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1305.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Advanced

Differentiating Evil from Benign in the Normally Abnormal World [Splunk Enterprise Security, Splunk IT Service Intelligence, Phantom]

Play Episode Listen Later Dec 23, 2019


Have you ever been positive you had found evil, only to realize it was normal after hours of triage and work? We have all heard and love “KNOW NORMAL, FIND EVIL,” but how hard is it to actually know normal? The MITRE ATT&CK Framework gives defenders a better map to “find evil,” but how can this framework be used to “know normal”? Rick will discuss how knowing normal in a world of abnormal is harder than one thinks, and how addressing the actual root cause of evil can improve the technology industry as a whole. Speaker(s) Rick McElroy, Principal Security Strategist, Carbon Black Slides PDF link - https://conf.splunk.com/files/2019/slides/SECS2917.pdf?podcast=1577146215 Product: Splunk Enterprise Security, Splunk IT Service Intelligence, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

Diving into Splunk Phantom's Overlooked Features [Phantom]

Play Episode Listen Later Dec 23, 2019


Whether you're a new or experienced Splunk Phantom user, you'll learn from the high-value, often overlooked features we discuss in this session. We'll showcase some of Phantom's most overlooked valuable features, as well as experienced users' top-ranked features. Join us to learn more about how you can optimize your use of Splunk’s SOAR (Security Orchestration, Automation & Response) platform. Speaker(s) Phil Royer, Research Engineer, Splunk Kavita Varadarajan, Product Manager - Phantom, Splunk Sam Hays, Sr. Technical Community Manager, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1705.pdf?podcast=1577146215 Product: Phantom Track: Security, Compliance and Fraud Level: Intermediate
