Podcasts about track security

Splunk User Behavior Analytics (UBA) contains the largest library of unsupervised machine learning in the market. In this session we'll show how to analyze data from both cloud and on-premises data sources in both types of deployment (cloud/on-premises) to convey the unique benefits of Splunk UBA. We'll discuss real world examples that showcase the importance of using UBA and all other tools at your disposal for day-to-day threat hunting. Specifically, we'll show how to use Splunk Enterprise, Splunk Enterprise Security, and Splunk UBA together to hunt and detect anomalies that can reveal significant threats. We'll wrap up with best and worst practices from deployments seen throughout the world. Speaker(s) Tom Smit, Staff Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1248.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics, AI/ML Track: Security, Compliance and Fraud Level: Intermediate

Are your analysts spending too much time clearing through notable events? Ours were too, but today our analysts are living the dream: they have all the details they want right there on the Incident Review screen, all while our alerts fine-tune themselves (with workflow action human input). Come and see how we achieved Incident Review Screen 2.0. by using Splunk's Machine Learning Toolkit to transition to smarter correlation searches. Speaker(s) Lukasz Antoniak, Cyber Detection Crafting Chief, Viasat Ryan Rake, Viasat Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1673.pdf?podcast=1577146215 Product: Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Intermediate

Want to learn more about Splunk Phantom's platform architecture? Join us in this session for an in-depth technical review of all key processes, including ingestion, automation, action execution, health monitoring, the data store, and more. This session will give experienced users a much deeper understanding of the technology behind Splunk’s SOAR (Security Orchestration Automation & Response) platform. Speaker(s) Sourabh Sourabh, VP & Distinguished Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1709.pdf?podcast=1577146215 Product: Phantom Track: Security, Compliance and Fraud Level: Advanced

Going beyond basic perimeter defense, Threat Hunting cuts through the noise of endpoint telemetry and anti-virus data to find nation-state level Advanced Persistent Threats (APTs) that hide below the alert threshold. We will demonstrate, through 4 hunt analytic use cases, how to overcome the legacy challenge of relying on Packet Capture (PCAP) data to detect adversaries, highlighting the need to transform Hunt operations by combining Endpoint Detection and Response (EDR) telemetry data with knowledge of APT behavior to find hidden adversaries. This talk will provide a framework for planning and executing hunts, demonstrate why focusing on EDR telemetry data can add additional value over and beyond traditional network data, and how to strengthen hunting through a Purple Team approach. Speaker(s) Max Moerles, Cyber Threat Analyst , Booz Allen Hamilton Jay Novak, Threat Hunt Team Lead, Booz Allen Hamilton Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1250.pdf?podcast=1577146215 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Good for all skill levels

To secure the modern endpoint, you need sufficient data, the right visibility and analysis, and the technology necesary to stop an intrusion. We will leverage BOTSv4 data in this session to help you test and validate Splunk use cases related to hunting threats using endpoint data. We’ll cover several real world case studies as described in MITRE ATT&CK™, and we will simulate adversary groups by executing a single Atomic test and building an elaborate chain reaction. We will then show you in Splunk how to confirm your data quality and confirm you have what you need to detect and evict an adversary from your environment. We will demonstrate practical hunt techniques using BOTSv4 data and how to raise the flag when data is missing or is not required. Speaker(s) Michael Haag, Director of Advanced Threat Detection, Red Canary Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1952.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Cloud Track: Security, Compliance and Fraud Level: Good for all skill levels

Risk-based alerting is gaining traction in the SOC: by using multiple-lower fidelity searches to yield higher-fidelity investigations, it allows analysts to rapidly prioritize investigations, correlate “risk objects” between alerts, identify gaps in monitoring, and generally understand attack narratives. We'll discuss the first steps needed to transition from the traditional one-to-one ticket investigation model to this holistic approach, i.e. how risk-based alerting works, a description of prerequisites, and dashboard optimization. We will also discuss how to start building a comprehensive search inventory based on Splunk analytics, MITRE, and your own threat intelligence. Speaker(s) Bryan Turner, IT Security Analyst, Publix Super Markets Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1538.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Attackers are increasingly using a 'living off the land' approach, often using crypto mining malware, EternalBlue, timing, or other attacks that leverage the Windows Management Instrumentation Command Line. These attacks typically don't generate any events via conventional Sysmon and PowerShell, so even if you're pulling in those logs you likely won't see them. Join this session to learn how to detect and protect your organization from these advanced WMI-based attacks. Speaker(s) Ryan Becwar, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1550.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Want to scale Splunk Enterprise Security to 100TB/day? We've done it! In Splunk labs, we built workloads that closely simulate our customers' usage patterns, and we scaled beyond a 100TB per day ingest rate with search head clustering. In this session we'll share key aspects of our Splunk Enterprise Security workload design: diverse source types, major data models, search scenarios, data enrichment, and hardware choices for search head and indexer. We will also share how different configurations impact search performance and how to tune Splunk Enterprise Security effectively with parameters such as max_searches_per_cpu, acceleration.max_concurrent, allow_skew, and maxBundleSize to name a few. Come see how we scaled to large volumes while efficiently utilizing hardware capacity for maximum performance. Speaker(s) Devendra Badhani, Sr Engineering Manager, Splunk Jesse Chen, Principal Performance Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1554.pdf?podcast=1577146215 Product: Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

It's not easy to detect malicious patterns within encrypted network traffic. JA3, a method of fingerprinting Secure Sockets Layer (SSL) traffic developed by SalesForce, aims to address this by profiling client (JA3) and server (JA3s) SSL connections. Since these fingerprints are unique and persistent, they provide a way to discover applications, fingerprint Operating Systems, and even discover malware. This presentation showcases how to use Splunk to streamline JA3 event data gathered from Bro/Zeek, use that in combination with host-level visibility provided by Carbon Black, and ultimately correlate network signatures with endpoint telemetry. You will learn how to use this method to get a better understanding of what processes are causing benign or malicious SSL connections on your network and how to hunt for unknown threats. Speaker(s) Mike Sconzo, Staff Threat Intel Engineer, Box Jayson Weiss, Security Engineer III, Box Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2056.pdf?podcast=1577146215 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Advanced

You finally got Authority To Operate (ATO) in the Cloud, and you're feeling the budgetary and political pressure to transition your workloads to AWS. But how do you actually transition a workload securely? This session covers the essentials of using Splunk to quickly increase your security posture and awareness in the Cloud. Learn from our experiences and leave with more confidence that you're asking smart questions of your data, monitoring and alerting on the right things, assigning responsibilities to your team appropriately, and have an actionable security plan in place to protect your Cloud assets. Speaker(s) Patrick Shumate, Solutions Architect, Splunk Stephen Alexander, Sr. Solutions Architect , Amazon Web Services Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1518.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Beginner

How do you know if your alerting and response processes adequately cover the tactics and techniques that your adversaries will use against you? If you're not sure, then how do to you continuously improve to adapt to ever-evolving threats? This session will provide practical guidance on leveraging models like the diamond model, MITRE ATT&CK™, and OODA to deconstruct your monitoring and response program so that you can make strategic improvements and mature it on a strong foundation. Using these frameworks will help your team recognize its own bias in developing use cases, understand how its alerting and response coverage maps to adversary tactics/techniques, and develop and prioritize new use cases. The session will wrap up discussing practical tips for creating a continuous improvement program that helps you leverage Splunk Enterprise Security and Splunk Phantom to maintain a strong security posture. Speaker(s) Ed Svaleson, Accenture Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1545.pdf?podcast=1577146215 Product: Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

Are you a security analyst? Do you like bright and shiny new things? Attend this session to get the inside scoop on the latest and greatest coming out of our security product and engineering teams. Speaker(s) Rob Truesdell, Sr Director, Product Management, Splunk Chris Simmons, Director of Product Marketing, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2371.pdf?podcast=1577146215 Product: Track: Security, Compliance and Fraud Level: Good for all skill levels

Splunk's Incident Management Framework is used extensively in support of the notable event creation, and it serves as a bridge that associates the Risk, Asset & Identity, and Threat frameworks together. In this session we will discuss how incident management functions, what occurs behind the scenes to prepare events that are correlated, and how to present correlated events to analysts. Attendees will leave this talk with a greater understanding of the Incident Management Framework and methods to work more effectively with it within Splunk Enterprise Security. Speaker(s) John Stoner, Principal Security Strategist, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1544.pdf?podcast=1577146215 Product: Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Good for all skill levels

Are you a security analyst? Do you like bright and shiny new things? Attend this session to get the inside scoop on the latest and greatest coming out of our security product and engineering teams. Speaker(s) Rob Truesdell, Sr Director, Product Management, Splunk Chris Simmons, Director of Product Marketing, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2295.pdf?podcast=1577146215 Product: Track: Security, Compliance and Fraud Level: Good for all skill levels

“You should be looking at Indicators of Compromise!” exclaims your CISO, regulator, vendor, and mom. No problem, right? You have the most expensive security intelligence vendor and all you have to do is correlate in your expensive SIEM. If you've tried this, then you are laughing with me. Come hear my exploration into implementing IOCs at a major US insurance company and a major US bank. I’ll address the differences between Indicators of Compromise vs Indicators of Attack, and I will show you how not to use the MITRE ATT&CK™ framework, plus some tips on how it use it well. My goal is to save you from falling into the same pitfalls when dealing with Indicators of Crap. Speaker(s) Xavier Ashe, VP, Security Engineering, SunTrust Banks Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1111.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Detecting abnormal behavior is an important objective in security monitoring, but is extremely challenging as we mostly are expected to detect "unknown unknowns." We can, however, use an entity's past behavior to measure how much of what we observe today deviates from normal behavior. In this way we can detect unknown, hidden and insider threats early on to stay ahead of advanced threats. This talk presents a unified, scalable framework for anomaly detection that is built on the frequent itemset mining technique. The premise is that if we can align an event with more frequent patterns observed in history, then the event is unlikely to be an anomaly. By mining through an extensive set of features and feature co-occurrences, the model can accurately capture the normal behaviors. Any new behaviors can then be scored. At which point, any new rare co-occurrences of events can be detected and sent to analysts and SOC teams for rapid investigation. Speaker(s) Nancy Jin, Data Scientist, Splunk Ping Jiang, Sr. Software Engineer in Test, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1230.pdf?podcast=1577146215 Product: Splunk User Behavior Analytics Track: Security, Compliance and Fraud Level: Intermediate

Splunk's Security Research Team collects attack data in the wild from across the globe and analyzes new and unusual techniques, tactics, and procedures employed by threat actors. We use this data to help customers build tailored defenses—defenses that automatically detect, investigate, and respond to suspicious activities in real time. In this session we will discuss how Splunk security researchers created our own honeypot and data collection framework in response to research demonstrating that honeypots were twice as effective as open-source intelligence feeds at detecting new threats (http://tinyurl.com/y335po8d). We will provide an introduction to honeypots and explain how we architected and built KLAPP-Back, a high-interaction SSH honeypot. We will also discuss how KLAPP-Back helped us build better detection analytics and seed Splunk Enterprise Security, Splunk Phantom, and Splunk User Behavior Analytics use cases with attacker data. Speaker(s) Bhavin Patel, Security Software Engineer, Splunk Jose Hernandez, Security Researcher, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1357.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Intermediate

Threat hunting is hard, and threat hunting in an enterprise network with thousands of endpoints is even harder. We will demonstrate how we leveraged Splunk Enterprise to build an Advanced Threat Hunting platform designed for large scale threat hunting of 100,000 or more endpoints. Using Splunk Enterprise allows us to combine analytics, data enrichment, and custom workflows to display in one platform the most important data to analysts. Our threat hunting platform addresses the challenges of data retention and collection, high false positive rates, and analyst fatigue, all while lowering the time to detection of malicious incidents and improving the efficiency of enterprise SOC operations. Speaker(s) Dan Rossell, Analyst, Booz Allen Hamilton Ashleigh Moriarty, Lead Technologist, Booz Allen Hamilton Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1071.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit Track: Security, Compliance and Fraud Level: Intermediate

We will share experiences and best practices for implementing notable events, the various Splunk Enterprise Security frameworks, and adaptive response actions, and we'll share our approach for building a program to consistently develop, measure, and iterate on correlation searches. We will discuss how to integrate lessons learned from incidents, red team engagements, threat intelligence, threat hunting, and requirements from business units into the program. Example tactics we'll cover include leveraging low-fidelity detections to develop higher-fidelity and higher-value ones, managing detection content simply and easily through macros, and building a formula to assess the efficacy of your detection content. Speaker(s) Chris Ogden, Principal Threat Detection Engineer, Sony Corporation of America Drew Guarino, Senior Threat Detection Engineer, Sony Corporation of America Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1674.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, AI/ML Track: Security, Compliance and Fraud Level: Good for all skill levels

Splunk User Behavioral Analytics (UBA) is a machine learning driven solution that helps organizations find hidden threats and anomalous behavior across users, devices, and applications. In this session we'll answer questions that came up during our large-scale deployment such as, once you've got UBA installed, how do you know if it is working well in your environment? And how long after installation does it take for the system to be operational and produce results? We'll also share best practices for validating outputs and tuning the system. This session will help you jumpstart your understanding of UBA and help you get your UBA deployment into production and detecting threats faster. Speaker(s) Teresa Chila, Data Scientist, Chevron Maria Sanchez, Technical Support Engineer, User Behavioral Analytics (UBA), Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1490.pdf?podcast=1577146215 Product: Splunk User Behavior Analytics, AI/ML Track: Security, Compliance and Fraud Level: Good for all skill levels

This session will give you the tools to tackle compliance with Splunk Enterprise Security. The session will showcase why you might want to grant different compliance views to your teams based on the compliance standard they are responsible for adhering to, and how to do so. We'll also cover how to present the compliance standards that a notable event relates to and how to grant your compliance officers visibility into only the notable events that are relevant to them. Speaker(s) Jason Timlin, Professional Services, Splunk Darren Dance, Staff PS Consultant, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1852.pdf?podcast=1577146215 Product: Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Good for all skill levels

Security architectures typically involve many layers of tools and products that are not designed to work together, leaving gaps in how security teams bridge multiple domains to coordinate defense. The Splunk Adaptive Operations Framework (AOF) addresses these gaps by connecting security products and technologies from our partners with Splunk security solutions including Splunk Enterprise Security (ES) and Splunk Phantom. Join this session to learn how the Splunk AOF benefits both users and security technology providers by enabling rich context for all security decisions, collaborative decision-making, and orchestrated actions across diverse security technologies. Speaker(s) Alexa Araneta, Product Marketing Manager, Splunk John Dominguez, Product Marketing Director, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2372.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

To tame an event queue that's ballooning out of control, you need to know first which rules and data sources are generating a disproportionate number of alerts, and second the security value you're getting from those rules and data sources. Any changes made to rules or telemetry analyzed without that knowledge risk making your organization more vulnerable. In this session we'll discuss how Splunk empowers us to perform advanced analytics on everything from alert conversion rates to human time expenditure on alerts so that we can optimize all processes related to alerting. As long as we know what to measure and where to look, Splunk can help us tune our security operations centers to reduce monotony and false positives without diminishing our ability to detect actual threats. Speaker(s) Keshia LeVan, Detection Engineer, Red Canary Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2105.pdf?podcast=1577146215 Product: Splunk Cloud, Splunk Machine Learning Toolkit Track: Security, Compliance and Fraud Level: Advanced

20+ million subscribers, 290PB network traffic daily, and tens of millions of IoT, IPTV and ICT devices—a bigger network means more attacks from all over the world. Learn how SK Broadband, the biggest telco/ISP provider in South Korea, leverages Splunk Enterprise Security (ES) to protect their subscribers from countless DDoS and malware attacks. We will cover detailed use cases for analyzing a high volume of data—500 million security events over 7 billion logs per day—as well as how we met a high bar of operational efficiency by customizing our ES deployment. Speaker(s) Daesoo Choi, Senior Sales Engineer, Splunk Kyoung Geun Lee, SoC Senior Manager, SK Broadband Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2274.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit Track: Security, Compliance and Fraud Level: Intermediate

Failure to log everything needed for maximum visibility in your environment can leave huge gaps in your ability to remediate threats. But running an enterprise-level logging program can be difficult: how do you know if you're logging everything necessary to detect threats? Are all of your technologies configured to send the right logs? Are they all logging to Splunk? In this session we will help you answer these and other critical questions of your logging program, which will ultimately help you remediate issues and better use log analysis to mitigate threats. Speaker(s) Kevin Kaminski, Threat Management R&D Lead, ReliaQuest Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2179.pdf?podcast=1577146215 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Good for all skill levels

This session covers how an actual phishing attack from APT29 came together. We will discuss how incident responders can learn more about the attack and build out a timeline of key events. We will also explain how DNS based security plays an important role in proactively blocking threats and how integrations with Splunk can help you with effective threat hunting. Speaker(s) Mark Stanford, Cisco Systems Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC3014.pdf?podcast=1577146214 Product: Track: Security, Compliance and Fraud Level:

The boss saw Ironman and wanted to create a JARVIS-like assistant for our SOC...so we built him one using Splunk. In this session we will share how we developed a Splunk virtual assistant to improve SOC efficiency and support the SOC 2.0 model of continual improvement. SOC JARVIS solves problems such as: How does a SOC manage its attack detection ideas and knowledge? How does an analyst understand the impact of their search changes on alert volumes? How does the SOC manage feedback between analysts and search authors? Learn how to use Splunk in a novel way to address these problems so that you can make your SOC workflows more efficient and let analysts spend more time threat hunting and improving how they detect attacks. Speaker(s) Jono Pagett, Head of Cyber Defence Centre, Bank of England Peter Littler, Cyber Security Analyst, Bank of England Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1597.pdf?podcast=1577146214 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Intermediate

Would you be able to detect a sophisticated adversary targeting your Kubernetes clusters and workloads tonight? How do busy teams with stacked backlogs find time to learn how to attack Kubernetes clusters, detect those attacks, and build defenses to reduce the attack surface? We will demonstrate an effective purple team methodology that "uses every part of the buffalo" by 1) executing attacks on Kubernetes using the open source tool Peirates, 2) tracking the attack artifacts from the adversary simulation in Splunk, 3) teaching the defenders how the attack was performed and where to look for forensic artifacts, and 4) working together in the purple-est way possible to improve detection and response capabilities using Splunk Enterprise Security, Splunk Phantom, and Peirates. Speaker(s) Brian Genz, Senior Manager, Threat & Vulnerability Mgmt., Splunk Jay Beale, CTO, InGuardians Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2286.pdf?podcast=1577146214 Product: Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Advanced

In this session we will discuss using Splunk to detect a range of Linux-based adversary techniques from MITRE’s ATT&CK™ framework. We will also demonstrate how event sequencing can be used to map a path through the ATT&CK™ matrix and improve overall detection fidelity. We will provide auditd configuration suggestions for Linux endpoints to support greater coverage. Speaker(s) Doug Brown, Senior Information Security Analyst, Red Hat Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1156.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Advanced

Do you love the idea of the MITRE ATT&CK™ framework, but you’re not sure how to use it in your Splunk-centric security program? This talk will teach you practical ways to use the framework in your own organization and the Splunk security tools that will help you do so. We'll start the talk by identifying an adversary and some of their known techniques, and then we'll show how to choose an appropriate set of detections and how to test whether those detections are working as expected. You'll leave the talk better able to take advantage of threat intelligence, cover the right set of ATT&CK™ tactics and adversary groups, and eliminate organizational blind spots. Speaker(s) BOTSFATHER Kovar, Principal Security Strategist, Splunk John Stoner, Principal Security Strategist, Splunk Dave Herrald, Principal Security Strategist, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1927.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Beginner

Do you want to use machine learning to enhance your datacenter security monitoring, but you don’t know where to start? Then this is the talk for you. Come learn how high secure datacenter operations benefit from operationalizing machine learning. With the help of the Splunk's Machine Learning Toolkit, your security analysts can take different approaches to use case creation and gain new insight into what's going on in your environment. We'll detail the challenges, benefits and use cases of using machine learning for datacenter security monitoring, and we'll answer questions such as: Where does it make sense to apply machine learning, and where should we stick with classic searches? Can we detect meaningful anomalies in system behavior? Is it possible to cluster our account activities and find unusual patterns? This is a practical session of security monitoring use cases, deep diving into the ideas, concepts and the SPL behind them. Speaker(s) Oliver Kollenberg, Security Consultant, Siemens Philipp Drieger, Staff Machine Learning Architect , Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1374.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Advanced

Alerts in cloud environments require your team to quickly and precisely gather evidence and isolate affected environments. The GE Digital Predix Incident Response (IR) team found an abundance of content for analyzing forensic evidence from Windows environments, but they noticed a gap in content built for performing investigations on Linux-based hosts. The Predix IR team will discuss the tools they have built to contain a compromised Linux-based hosts, gather evidence, and analyze that evidence in Splunk. Utilizing splunk searches, lookups, and visualization components to look both narrowly into the data set as well as broadly across the rest of the environmental data in splunk to identify known bad or potentially suspicious activities that may warrant further investigation by an analyst.  Speaker(s) David Rutstein, Principal Analyst, GE Alina Dejeu, Incident Responder, GE Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1479.pdf?podcast=1577146214 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Intermediate

We developed an automation framework that classifies and mitigates emails reported to the SOC. The framework acts as an engine that consumes multiple data sources, including a supervised machine learning model and a risk scoring algorithm to assess with high confidence if an email is phishing, spam, or benign. We will discuss the benefits of our approach to phishing mitigation, such as enhancing our SOC's ability to automatically identify, prioritize, and mitigate malicious phishing attempts against employees before any damage is done. The session will outline the overall design of the framework, detail the primary components that are used within Splunk Phantom and Splunk Enterprise Security, and will outline the supervised machine learning model that we trained to aide the automation engine. Speaker(s) Mackenzie Kyle, Manager - Cybersecurity Operations Center, JPMorgan Chase Benji Arnold, Sr. Security Analyst , JPMorgan Chase Dennis Rhodes, Sr. Security Analyst, JPMorgan Chase Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1128.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Advanced

Prevention and detection solutions are vital to maintain a healthy network but not sufficient.When a security incident occurs, the ability to investigate rapidly and recover is crucial but is manually intensive, especially when dealing with networks spanning on premise, public, and private cloud environments.Once an incident is detected, then what?Learn how RedSeal integrates within Splunk Enterprise Security and Phantom framework to provide you with immediate answers to burning questions. Speaker(s) Noam Syrkin, Sr. Technical Marketing Engineer, RedSeal Slides PDF link - https://conf.splunk.com/files/2019/slides/SECS2841.pdf?podcast=1577146214 Product: Splunk Enterprise, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

You've probably heard examples of Splunk Phantom automating 90% of Tier 1 processes, but did you know that Phantom improves human-lead processes too? Come learn about the hidden value of validation and utility playbooks from Penn State University’s Enterprise Security Manager and Splunk’s Lead Technologist for Higher Education. Validation playbooks are automated tests run to validate a human judgement or request. Utility playbooks are short easy-to-create playbooks in Phantom that an analyst  runs during an investigation.  We’ll cover when to use validation and utility playbooks, how to get started creating them, and ideas for other playbooks you can use to improve your daily operations. Speaker(s) Craig Vincent, Lead Technologist,SLED, Splunk Chris Decker, Enterprise Security Manager, Penn State University Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2205.pdf?podcast=1577146214 Product: Splunk Enterprise, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

We use Splunk data to help previously siloed groups at Qualcomm work better together. We will discuss specific high value, multipurpose data sources that we ingest, and how we use them to foster collaboration across teams. You will leave this session with a better sense of data sources that you analyze for security that can also help you work better with everyone from developers, to help desk staff, to executive management. Speaker(s) Ben Marcus, Sr. Staff IT Engineer, Qualcomm Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2280.pdf?podcast=1577146214 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Beginner

As organizations shift away from legacy Governance, Risk, and Compliance (GRC) approaches towards an integrated risk management (IRM) strategy, cyber risk management paradigms must also shift. This presentation will address why firms are shifting to IRM and how the shift to IRM will affect security organizations globally. We will showcase strategies used by forward-leaning peers and thought leaders to operationalize integrated risk management programs in their organizations. Speaker(s) Matt Coose, Qmulos Anthony Perez, Director of Field Technology - Public Sector, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1930.pdf?podcast=1577146214 Product: Splunk Enterprise Track: Security, Compliance and Fraud Level: Good for all skill levels

Incident response (IR) analysts are required to make multiple decisions on every alert and incident. Whether the decision is to escalate, respond, or to discard the alert, each one of those decisions is critical to protecting their environment. With the integration of SOAR platforms like Splunk Phantom into IR teams, many of those decisions can now be automated for analysts. These decisions can save hours of work for analysts and allow for focus on more critical alerts. However, there are still questions to answer before implementing these decisions. What data is needed to make confident decisions? Where in the process should these decisions be made? How can existing decisions be improved? How should new decisions be integrated? The General Electric IR team has worked to answer these questions by using Splunk Enterprise and Splunk Phantom. In this session, we will show how our team approached these questions, implemented solutions, and integrated decisions for our analysts to save time and focus their efforts. Speaker(s) Mark Cooke, Staff Incident Responder, GE Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1446.pdf?podcast=1577146214 Product: Splunk Enterprise, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

This is one of multiple sessions in a series at .conf this year focused on getting valuable intel and insights from your Azure and Office 365 environments. Throw on your hoodie and join Ryan as we Splunk our way through all things Azure, Office365, security, compliance, and visibility in the Microsoft-as-a-Service world. Speaker(s) Ry Lait, Senior Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1432.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Cloud, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Good for all skill levels

So you have a SIEM with security data, e.g. firewalls, proxy, endpoint data, etc. Now what? How do you effectively operationalize your investment? This session provides recipes, principles, patterns, and strategies for using Splunk and data-driven analytics to move your security monitoring and compliance effectiveness up the maturity curve. This session will cover how to identify key mixes of data sources, core OOTB content to use, and how to layer capabilities aligned with your maturity. We will help you go beyond the endless alerts and investigations and start creating value by reducing the impact of potential security events. We're excited to show you that there's no need for a PhD in security assurance and operations—just Splunk and a solid plan. Speaker(s) Paul Davilar, Security Consultant, Splunk Paul Pelletier, Sr. Security Consultant, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1391.pdf?podcast=1577146214 Product: Splunk Enterprise Security, Splunk Machine Learning Toolkit, Phantom Track: Security, Compliance and Fraud Level: Intermediate

Advanced attackers that live off your land add insult to what can be very serious injury. In this session we'll show you how to use behavioral analysis to identify advanced attackers that evade traditional signature-based detection methods. We do so in our organization by using Splunk to combine insights from traditional data sources to detect activity across multiple phases of the MITRE ATT&CK™ framework. We'll focus on how to build queries  tune them for your environment, and start catching these threat actors with behavioral detections as soon as you get back from .conf. Speaker(s) Haylee Mills, Security Engineer, Charles Schwab Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1556.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Intermediate

Where did you come up with the idea for your last use case? Traditional approaches to use case ideation focus on identifying new use cases based on the data already available to the security operations center. However, the threat landscape is constantly changing, and attackers are constantly getting more sophisticated. To detect these advanced threats, our use cases must be based on both business and threat context. In this session, we will share our approach to building innovative use cases based on real-world threats. Starting with industry-specific threat intelligence, we identify the threat actors and their specific tactics, techniques, and procedures. With these insights, we identify use cases relevant to the business, map them to both existing and new data sources, and prioritize implementation based on the specific threats. Speaker(s) John Rubey, Accenture Slides PDF link - https://conf.splunk.com/files/2019/slides/SECS2797.pdf?podcast=1577146214 Product: Splunk Enterprise, Splunk Enterprise Security Track: Security, Compliance and Fraud Level: Good for all skill levels

In this session, we tackle data breaches and information exfiltration from cloud file stores. Beyond the attacks that make headlines and result in millions of stolen personal records, we will also focus on the far less publicized risks related to exposure of intellectual property, infrastructure details or finances. We will share our experience in building a defensive strategy that now detects highly-covert exfiltration attempts.To this end, we first shed a lot of light on how companies use general-purpose file stores, such as Box, Office365 or Google Drive. We cover the types of files that commonly get stored in the cloud, file sharing practices, access properties, as well as uses of cloud stores by various departments. There are a lot of unexpected insights which eventually invalidate common security assumptions.As the boundary between good and bad gets blurred, we will provide you with a peek into how to design an effective data-driven defense. This approach helped us hone our detection to just tens of validly suspicious exfiltration files in a massive cloud store. Speaker(s) Stanislav Miskovic, Security Data Science, Splunk Ignacio Bermudez Corrales, Senior Data Scientist, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2083.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk User Behavior Analytics Track: Security, Compliance and Fraud Level: Advanced

Malware infection, lateral movement, data exfiltration, oh my! If you’ve spent any time around the wizarding world of security, you know how much effort goes into preventing dark magic from happening. What if you could use machine learning to stay one step ahead of the adversary? Fasten your seatbelts, because in this talk we will show you how Splunk can utilize machine learning models to take your security detections to the next level. We’ll demonstrate how Splunk's Machine Learning Toolkit can be used to train, validate, and then deploy models to identify anomalies and discover clusters of bad behavior via user-friendly guided workflows—all this while training your models with more data then you’ve ever been able to before. Prepare to leave Las Vegas equipped to incorporate machine learning in your organization’s security detections and jump from reactive to proactive. Mischief managed! Speaker(s) Melisa Napoles, Sales Engineer, Splunk Erika Strano, Sales Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2129.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Good for all skill levels

Ever wondered how to integrate or scale Splunk Enterprise Security (ES) and Splunk Phantom? Join us as we explore best practices involved in setting up clustered environments for ES and Phantom that yield a highly available and scalable security platform. You will leave this session better able to create scalable ES and Phantom deployments, tools, commands, cheat sheets, and troubleshooting methods at your own organizations. Speaker(s) Mayur Pipaliya, Forward Deployed Software Engineer, Splunk Ankit Bhagat, Forward Deployed Software Engineer, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2233.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Phantom Track: Security, Compliance and Fraud Level: Advanced

When is a 20MB email to an external Gmail account dangerous? It all depends on context. Understanding what normal behavior is will reveal whether specific behavior is malicious or ordinary. We’ll walk you through how using Splunk’s Machine Learning Toolkit and Splunk Enterprise Security together provides actionable insight for analysts to improve security. We'll also detail how we caught insider threats in our environment with these tools. Speaker(s) Karthik Subramanian, Principal Senior Cybersecurity Engineer, SAIC Tyler Williams, Cybersecurity Data Analyst, SAIC Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1305.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Machine Learning Toolkit, AI/ML Track: Security, Compliance and Fraud Level: Advanced

Have you ever been positive you had found evil, only to realize it was normal after hours of triage and work? We have all heard and love “KNOW NORMAL FIND EVIL,” but how hard is it to actually know normal? The MITRE ATT&CK Framework gives defenders a better map to “find evil,” but how can this framework be used to “know normal”?Rick will discuss how knowing normal in a world of abnormal is harder than one thinks, and how addressing the actual root cause of evil can improve the technology industry as a whole. Speaker(s) Rick McElroy, Principal Security Strategist , Carbon Black Slides PDF link - https://conf.splunk.com/files/2019/slides/SECS2917.pdf?podcast=1577146215 Product: Splunk Enterprise Security, Splunk IT Service Intelligence, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

Whether you're a new or experienced Splunk Phantom user, you'll learn from the high-value, often overlooked features we discuss in this session. We'll showcase some of Phantom's most overlooked valuable features, as well as experienced users' top ranked features. Join us to learn more about how you can optimize your use of Splunk’s SOAR (Security Orchestration Automation & Response) platform. Speaker(s) Phil Royer, Research Engineer, Splunk Kavita Varadarajan, Product Manager - Phantom, Splunk Sam Hays, Sr. Technical Community Manager , Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1705.pdf?podcast=1577146215 Product: Phantom Track: Security, Compliance and Fraud Level: Intermediate

Manual sorting through spreadsheets, disparate applications, and scattered data sources to conduct link analysis for a fraud investigation is both painful and ineffective. There must be a better way, right? In this session we'll use Splunk Enterprise and Splunk Phantom to automate repeatable fraud investigation tasks, which will save your team time and better protect your assets from the bad guys. Speaker(s) Matthew Joseff, Director of Specialists - North Asia and Japan, Splunk Abhishek Dujari, Security Specialist, APAC, Splunk Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1104.pdf?podcast=1577146215 Product: Splunk Enterprise, Splunk Cloud, Phantom Track: Security, Compliance and Fraud Level: Good for all skill levels

Join us to see the latest developments with Splunk’s Security Operations Suite. We’ll share background on the underlying architecture as well as a showcase of new features. Learn how your security use cases are solved with scale and performance. Speaker(s) Rob Truesdell, Sr Director, Product Management, Splunk Atom Coffman, Starbucks Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1706.pdf?podcast=1577146216 Product: Splunk Enterprise Security, Splunk User Behavior Analytics, Phantom Track: Security, Compliance and Fraud Level: Beginner