Would you be able to detect a sophisticated adversary targeting your Kubernetes clusters and workloads tonight? How do busy teams with stacked backlogs find time to learn how to attack Kubernetes clusters, detect those attacks, and build defenses to reduce the attack surface? We will demonstrate an effective purple team methodology that "uses every part of the buffalo" by 1) executing attacks on Kubernetes using the open source tool Peirates, 2) tracking the attack artifacts from the adversary simulation in Splunk, 3) teaching the defenders how the attack was performed and where to look for forensic artifacts, and 4) working together in the purple-est way possible to improve detection and response capabilities using Splunk Enterprise Security, Splunk Phantom, and Peirates.

Speaker(s)
Brian Genz, Senior Manager, Threat & Vulnerability Mgmt., Splunk
Jay Beale, CTO, InGuardians

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2286.pdf?podcast=1577146233

In this session we will discuss using Splunk to detect a range of Linux-based adversary techniques from MITRE’s ATT&CK™ framework. We will also demonstrate how event sequencing can be used to map a path through the ATT&CK™ matrix and improve overall detection fidelity. We will provide auditd configuration suggestions for Linux endpoints to support greater coverage.

Speaker(s)
Doug Brown, Senior Information Security Analyst, Red Hat

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1156.pdf?podcast=1577146233

Do you love the idea of the MITRE ATT&CK™ framework, but you’re not sure how to use it in your Splunk-centric security program? This talk will teach you practical ways to use the framework in your own organization and the Splunk security tools that will help you do so. We'll start the talk by identifying an adversary and some of their known techniques, and then we'll show how to choose an appropriate set of detections and how to test whether those detections are working as expected. You'll leave the talk better able to take advantage of threat intelligence, cover the right set of ATT&CK™ tactics and adversary groups, and eliminate organizational blind spots.

Speaker(s)
BOTSFATHER Kovar, Principal Security Strategist, Splunk
John Stoner, Principal Security Strategist, Splunk
Dave Herrald, Principal Security Strategist, Splunk

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1927.pdf?podcast=1577146233

We developed an automation framework that classifies and mitigates emails reported to the SOC. The framework acts as an engine that consumes multiple data sources, including a supervised machine learning model and a risk scoring algorithm to assess with high confidence if an email is phishing, spam, or benign. We will discuss the benefits of our approach to phishing mitigation, such as enhancing our SOC's ability to automatically identify, prioritize, and mitigate malicious phishing attempts against employees before any damage is done. The session will outline the overall design of the framework, detail the primary components that are used within Splunk Phantom and Splunk Enterprise Security, and will outline the supervised machine learning model that we trained to aide the automation engine.

Speaker(s)
Mackenzie Kyle, Manager - Cybersecurity Operations Center, JPMorgan Chase
Benji Arnold, Sr. Security Analyst , JPMorgan Chase
Dennis Rhodes, Sr. Security Analyst, JPMorgan Chase

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1128.pdf?podcast=1577146233

So you have a SIEM with security data, e.g. firewalls, proxy, endpoint data, etc. Now what? How do you effectively operationalize your investment? This session provides recipes, principles, patterns, and strategies for using Splunk and data-driven analytics to move your security monitoring and compliance effectiveness up the maturity curve. This session will cover how to identify key mixes of data sources, core OOTB content to use, and how to layer capabilities aligned with your maturity. We will help you go beyond the endless alerts and investigations and start creating value by reducing the impact of potential security events. We're excited to show you that there's no need for a PhD in security assurance and operations—just Splunk and a solid plan.

Speaker(s)
Paul Davilar, Security Consultant, Splunk
Paul Pelletier, Sr. Security Consultant, Splunk

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1391.pdf?podcast=1577146233

Splunk’s new, cloud native architecture SmartStore simplifies Indexer maintenance by 10X by disaggregating compute from storage. Learn how SmartStore with Pure Storage FlashBlade delivers dynamic scaling, storage efficiency and high performance to accelerate operational intelligence and security management. This session will cover new capabilities enabled by SmartStore, performance considerations and deployment best practices.

Speaker(s)
Vaughn Stewart, Pure Storage

Slides PDF link - https://conf.splunk.com/files/2019/slides/FN2529.pdf?podcast=1577146233

Advanced attackers that live off your land add insult to what can be very serious injury. In this session we'll show you how to use behavioral analysis to identify advanced attackers that evade traditional signature-based detection methods. We do so in our organization by using Splunk to combine insights from traditional data sources to detect activity across multiple phases of the MITRE ATT&CK™ framework. We'll focus on how to build queries  tune them for your environment, and start catching these threat actors with behavioral detections as soon as you get back from .conf.

Speaker(s)
Haylee Mills, Security Engineer, Charles Schwab

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC1556.pdf?podcast=1577146233

Where did you come up with the idea for your last use case? Traditional approaches to use case ideation focus on identifying new use cases based on the data already available to the security operations center. However, the threat landscape is constantly changing, and attackers are constantly getting more sophisticated. To detect these advanced threats, our use cases must be based on both business and threat context. In this session, we will share our approach to building innovative use cases based on real-world threats. Starting with industry-specific threat intelligence, we identify the threat actors and their specific tactics, techniques, and procedures. With these insights, we identify use cases relevant to the business, map them to both existing and new data sources, and prioritize implementation based on the specific threats.

Speaker(s)
John Rubey, Accenture

Slides PDF link - https://conf.splunk.com/files/2019/slides/SECS2797.pdf?podcast=1577146233

In this session, we tackle data breaches and information exfiltration from cloud file stores. Beyond the attacks that make headlines and result in millions of stolen personal records, we will also focus on the far less publicized risks related to exposure of intellectual property, infrastructure details or finances. We will share our experience in building a defensive strategy that now detects highly-covert exfiltration attempts.To this end, we first shed a lot of light on how companies use general-purpose file stores, such as Box, Office365 or Google Drive. We cover the types of files that commonly get stored in the cloud, file sharing practices, access properties, as well as uses of cloud stores by various departments. There are a lot of unexpected insights which eventually invalidate common security assumptions.As the boundary between good and bad gets blurred, we will provide you with a peek into how to design an effective data-driven defense. This approach helped us hone our detection to just tens of validly suspicious exfiltration files in a massive cloud store.

Speaker(s)
Stanislav Miskovic, Security Data Science, Splunk
Ignacio Bermudez Corrales, Senior Data Scientist, Splunk

Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2083.pdf?podcast=1577146233

Do you have complex or obscure data? Do users, without the necessary domain knowledge, struggle to work with this data? Perhaps a Data Model can help bridge the knowledge gap. This session will use valuable (but complex…and even scary) mainframe metrics as a working example of how to get users up and running fast by leveraging the power of a data model. But, these principles are not just for mainframe. They can equally apply to other data types and scenarios. Not all users are well-versed in complex data structures and fields, but some are…so combine Subject Matter Expert (SME) knowledge with this great Splunk facility to make everyone’s life simpler. Deliver real results in a very short time with little overhead or burden on users.

Speaker(s)
Ian Hartley, Technology Architect, Syncsort

Slides PDF link - https://conf.splunk.com/files/2019/slides/IT2579.pdf?podcast=1577146233