Security Baseline eLearning
Global Field Enablement - Copyright © 2013 Splunk, Inc.
Modules
1. Who do we sell to?
   • Market Trends • Market Opportunity • Buyer Personas
2. Why do they buy?
   • Current Challenges and Consequences • Future Vision and Business Outcomes
3. How does it work?
   • Splunk Positioning • Features
4. How do we compete and succeed?
   • Case Study Examples • Competition • Discovery Questions
5. How do you price?
   • Pricing SKUs • Examples
Module 1: Who do we sell to?
• Market Trends
• Market Opportunity
• Buyer Personas
Security is Making $$ at Splunk
• About 30% of Splunk bookings
• Customers are getting our “Big Data for security” and “more than a SIEM” messages
• Security continues to make headlines
Advanced Threats in the Headlines
• Cyber Criminals: “160 million credit cards later, cutting edge hacking ring cracked” – NBC News, July 2013
• Nation States: “Banks Seek U.S. Help on Iran Cyber attacks” – Wall Street Journal, Jan 2013
• Insider Threats: “Verizon: Most Intellectual Property Theft Involves Company Insiders” – Dark Reading, Oct 2012
Target Market
• Overall, SIEM is a $1B+ market
– We compete for SIEM dollars with a solution that is rapidly eclipsing SIEMs in importance!
– Overlap and cross selling opportunities that involve security
Slide graphic: IT management market map, grouped as “Build” (Application Mgmt., $6B+), “Run” (Infrastructure and Ops, $21B+) and “Risk” (Secure & Comply, $1B+). Segments shown: Application Mgmt $3.4B; Database Mgmt $2.3B; Web Analytics $1.0B; End User Experience Monitoring $240MM; Non SaaS Cloud Services $5.6B; Change & Config Mgmt $4.9B; Network Mgmt $3.4B; Server Virtualization Mgmt $2.4B; Service Desk $1.4B; Event Correlation & Analysis $1.4B; Desktop Mgmt $1.3B; Desktop Virtualization $0.49B; Server Mgmt $420MM; SIEM/log Mgmt $1.5B.
Meet Your Top Prospects
Target Buyers
• CISO
Influencers
• VP/Dir Information Security
• Security Analyst
• Physical Security Officer
Questions they ask
• How do we prevent attacks? How can I prevent data loss and revenue impact?
• How can I ensure Compliance as part of a broader Security message?
• Are my assets secure?
Key Learning Points – Module 1
Security Market
• Security is top of mind
• Require a Big Data Approach
Buyers
• It’s the CISO you want to talk to (the Chief Information Security Officer)
Influencers
• Security Analysts will sometimes get involved
• Overlap and cross selling opportunities that involve security
Module 2: Why do they buy?
• Current Challenges and Consequences
• Future Vision and Business Outcomes
Security Information & Event Management is comprised of…
Security Information Management (SIM)
• Long-term data storage
• Log / data analysis
• Compliance Reporting
• Use case: compliance
Security Event Management (SEM)
• Real-time monitoring, correlations, alerting
• Incident investigations and management
• Use case: threat management
Before Splunk State
Customer Challenges
• Traditional SIEMs have significant limitations and fail to deliver
• Advanced threats evade detection
• IT Security is outgunned by the adversaries
• IT Security is reactive, not proactive
• Data loss occurs frequently and often goes unnoticed
Business/IT Consequences
• Reduced revenue as data loss results in brand damage and customers leaving
• Higher costs from data loss related to regulatory fines, lawsuits, or intellectual property loss
• Higher costs from inefficient incident investigations, downtime, and threat clean up
• Weak security posture
• Board and executives are under pressure
After Splunk State
Future Vision
• Scalable solution that can index all data types and quickly search it
• Fast, efficient incident investigations and security reporting
• Ability to do real-time correlations, alerts, and advanced threat detection
• Single, enterprise-wide solution with all data used for many use cases
Business Outcomes
• All relevant data available for investigations and threat detection
• Reduced costs from faster and less manual work, as well as faster threat eradication
• Reduced costs and less lost revenue from data loss
• Improved ROI and departmental collaboration
Key Learning Points – Module 2
Customer Challenges
• Traditional SIEMs are being outsmarted
SIEM
• SIEM is comprised of two different products: Security Information Management and Security Event Management.
Splunk’s Benefit
• Single enterprise solution for all data and use cases.
• All data is security relevant
Module 3: How does it work?
• Splunk Positioning
• Features
Splunk Security Uses Over Time
Slide chart: security uses plotted from reactive (earlier) to proactive (later) over time.
• Find advanced, hidden threats (proactive) – often complement an existing SIEM
• Simple real-time correlations and alerts
• Security/risk Reporting; Security Event Investigation and Forensics (reactive) – often we are the SIEM
Case #1 – Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
Slide graphic: timeline of raw log events from January through April.
Case #2 – Security/Compliance Reporting
Many types of visualizations, easy to create in Splunk:
– Ad-hoc auditor reports
– New incident list
– Historical reports
– SOC/NOC dashboards
– Executive/auditor dashboards
Case 3 – Correlations and Alerts
Event 1 + Event 2 + Event 3 = Threat
Scenario 1
• Event 1: Data Loss Prevention tool identifies a server as containing confidential information
• Event 2: Active Directory identifies a brute force password-guessing attack on the server
• Event 3: Within X hours, a new Administrator role is created on the server
• Threat: Possible hacker on the server trying to steal the confidential data
Scenario 2
• Event 1: Firewall on an internal PC indicates the PC is being port scanned from an internal IP address
• Event 2: Network-based firewall indicates it is being port scanned from the same internal IP address
• Event 3: Within X hours, important key settings have been changed on the suspicious machine associated with the internal IP address
• Threat: The machine associated with the IP address may have been compromised by a threat which is doing internal reconnaissance
Scenario 3
• Event 1: Vulnerability scanner shows that an internal server has an unpatched OS
• Event 2: Intrusion Detection System sees an external attack on that specific server that exploits the vulnerability in the OS
• Threat: The server is likely to be successfully compromised
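The three multi-event correlations on this slide, as an added stand-alone Python model (not Splunk search language and not Splunk’s own code): each rule is an ordered chain of event predicates that must all fire for the same pivot field (the server, or the internal IP address) inside a time window; the event records, source names and the “X hours” window lengths are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events for the three slide scenarios (not real data).
# "t" is an ISO timestamp; "server" and "src_ip" are the pivot fields.
EVENTS = [
    # Scenario 1: confidential server, brute force, then a new admin role
    {"src": "dlp", "t": "2013-07-01T08:00", "server": "fin-db01", "event": "confidential_data"},
    {"src": "ad", "t": "2013-07-01T09:10", "server": "fin-db01", "event": "brute_force"},
    {"src": "ad", "t": "2013-07-01T10:45", "server": "fin-db01", "event": "admin_role_created"},
    # Same two AD events on hr-app, but DLP never flagged it: must not fire
    {"src": "ad", "t": "2013-07-01T09:20", "server": "hr-app", "event": "brute_force"},
    {"src": "ad", "t": "2013-07-01T09:50", "server": "hr-app", "event": "admin_role_created"},
    # Scenario 2: host firewall, network firewall, then a config change, same internal IP
    {"src": "hostfw", "t": "2013-07-01T11:00", "src_ip": "10.0.5.23", "event": "port_scan"},
    {"src": "netfw", "t": "2013-07-01T11:05", "src_ip": "10.0.5.23", "event": "port_scan"},
    {"src": "config", "t": "2013-07-01T12:30", "src_ip": "10.0.5.23", "event": "key_settings_changed"},
    # Scenario 3: unpatched OS reported, then the IDS sees the matching exploit
    {"src": "vulnscan", "t": "2013-07-01T07:00", "server": "web-02", "event": "unpatched_os"},
    {"src": "ids", "t": "2013-07-02T03:15", "server": "web-02", "event": "exploit_attempt"},
]

def step(src, event):
    """Predicate for 'an event of type `event` reported by source `src`'."""
    return lambda e: e["src"] == src and e["event"] == event

# The "X hours" windows on the slide are assumptions chosen for this example.
RULES = [
    {"name": "Possible hacker on the server trying to steal confidential data",
     "pivot": "server", "window_hours": 24,
     "steps": [step("dlp", "confidential_data"), step("ad", "brute_force"),
               step("ad", "admin_role_created")]},
    {"name": "Machine may be compromised and doing internal reconnaissance",
     "pivot": "src_ip", "window_hours": 24,
     "steps": [step("hostfw", "port_scan"), step("netfw", "port_scan"),
               step("config", "key_settings_changed")]},
    {"name": "Server is likely to be successfully compromised",
     "pivot": "server", "window_hours": 24 * 7,
     "steps": [step("vulnscan", "unpatched_os"), step("ids", "exploit_attempt")]},
]

def correlate(events, rule):
    """{pivot_value: matched chain} for every pivot value where all steps fire in
    order inside the window; each step takes the first qualifying later event."""
    pivot, steps = rule["pivot"], rule["steps"]
    by_pivot = {}
    for e in sorted(events, key=lambda e: e["t"]):
        if pivot in e:
            by_pivot.setdefault(e[pivot], []).append(e)
    window = timedelta(hours=rule["window_hours"])
    hits = {}
    for value, evs in by_pivot.items():
        chain = []
        for e in evs:
            if len(chain) < len(steps) and steps[len(chain)](e):
                chain.append(e)
        if len(chain) == len(steps):
            first, last = (datetime.fromisoformat(chain[i]["t"]) for i in (0, -1))
            if last - first <= window:
                hits[value] = chain
    return hits

def run_rules(events, rules=RULES):
    """Evaluate every rule; {rule name: {pivot: chain}} for the rules that fired."""
    results = {rule["name"]: correlate(events, rule) for rule in rules}
    return {name: hits for name, hits in results.items() if hits}
```

Note that hr-app never fires scenario 1 even though the two Active Directory events are present, because the DLP classification of the same server is a required step of the chain.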
Case 4 – Advanced Persistent Threat Patterns
‘Unknown’ threats – APT / malicious insider:
• Spear-phishing and social engineering
• Zero-day vulnerabilities
• Custom malware
• Actions hidden behind normal user credentialed activity
• Move slowly and quietly; evade detection
Attack stages:
– Infiltration: Phishing or web drive-by. Email has attached malware or link to malware
– Back Door: Malware installs remote access toolkit(s)
– Recon: Malware obtains credentials to key systems and identifies valuable data
– Data Gathering: Data is acquired and staged for exfiltration
– Exfiltration: Data is exfiltrated as encrypted files via HTTP or FTP
APT Step 1: Collect ALL The Data in One Location
Slide graphic: a SIEM covers only “Security Data”; the target is “All Relevant Data”.
• “Security” data, or alerts from point security products. “Known” threats.
• “Normal” user and machine generated data behind credentials. Includes “Unknown” threats.
APT Step 2: Identify Threat Activity
• What’s the modus operandi of the attacker?
• What/who are the most critical data assets and employees?
• What patterns/correlations of weak signals in ‘normal’ IT activities would represent ‘abnormal’ activity?
• What in my environment is different/new/changed?
• What is rarely seen or standard deviations off the norm?
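The last two questions (what is new or changed, what is standard deviations off the norm) as an added stand-alone Python example (not Splunk’s code): each user’s daily outbound volume is compared with that user’s own baseline as a z-score, and user/host pairs that never appeared in the baseline are flagged; the activity records, the 3-sigma threshold and the 1 MB standard-deviation floor are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed daily activity records (day, user, host, mb_out); not real data.
# Days 1-7 form each user's "normal" baseline; day 8 is the day under review.
RECORDS = (
    [(d, "alice", "fileshare-01", 40 + d % 3) for d in range(1, 8)]
    + [(d, "bob", "fileshare-01", 55 + d % 2) for d in range(1, 8)]
    + [
        (8, "alice", "fileshare-01", 41),   # in line with alice's baseline
        (8, "bob", "fileshare-01", 620),    # far above bob's baseline
        (8, "bob", "hr-db-02", 12),         # a host bob has never touched before
    ]
)

# Assumed floor for the standard deviation (in MB): a nearly constant baseline
# would otherwise turn every small fluctuation into a huge z-score.
MIN_STDEV_MB = 1.0

def daily_totals(records, day_filter):
    """Sum mb_out per user and per day for records whose day passes day_filter."""
    totals = {}
    for day, user, _host, mb in records:
        if day_filter(day):
            totals.setdefault(user, {})
            totals[user][day] = totals[user].get(day, 0) + mb
    return totals

def baseline(records, review_day):
    """Per-user (mean, stdev) of daily mb_out over the days before review_day."""
    hist = daily_totals(records, lambda d: d < review_day)
    return {u: (mean(v.values()), pstdev(v.values())) for u, v in hist.items()}

def volume_outliers(records, review_day, sigmas=3.0):
    """Users whose review-day total is more than `sigmas` standard deviations
    above their own baseline; returns {user: z_score}."""
    base = baseline(records, review_day)
    today = daily_totals(records, lambda d: d == review_day)
    flagged = {}
    for user, per_day in today.items():
        if user not in base:
            continue            # no history: every pair is new, see never_seen_before
        mu, sd = base[user]
        z = (per_day[review_day] - mu) / max(sd, MIN_STDEV_MB)
        if z > sigmas:
            flagged[user] = round(z, 1)
    return flagged

def never_seen_before(records, review_day):
    """(user, host) pairs active on the review day that never appear in the
    baseline period: the 'rarely seen' / 'new or changed' signal."""
    seen = {(u, h) for d, u, h, _ in records if d < review_day}
    today = {(u, h) for d, u, h, _ in records if d == review_day}
    return sorted(today - seen)
```

Running `volume_outliers(RECORDS, 8)` flags only bob, and `never_seen_before(RECORDS, 8)` returns the single new pair ("bob", "hr-db-02"); alice’s day is within her own norm and is not reported.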
Splunk: The Security Intelligence Platform
Many Security Use Cases on All Your Machine Data:
• Advanced Threat Detection
• Real-time correlations and alerts
• Security and risk reporting
• Incident Investigation/forensics
Traditional SIEM Limitations (Splunk vs. Traditional SIEM)
Traditional SIEM:
• Can be multiple products
• Often costly, physical appliances
• Difficult to deploy; long time to value
• Reliant on vendor’s collectors
• DB schema and normalization limits investigations and correlations
• Scalability issues due to DB
• Lack of search & reporting flexibility limits ability to find outliers/anomalies
• Specializes in ‘Known Threat’ detection
• Closed platform with no APIs, SDKs, Apps
• Only security/compliance use cases
Industry Accolades
• Best SIEM Solution
• Best Enterprise Security Solution
• Best Security Product
One Solution; Three Main Offerings
1. Splunk Enterprise (cost)
2. Splunk App for Enterprise Security (cost)
3. Other security Apps (free)
Majority of customers use 1 & 3 above
Splunk App for Enterprise Security
Pre-built searches, alerts, reports, dashboards, workflow
• Dashboards and Reports
• Incident Management View & Workflows
• Asset and Identity Aware
• Statistical Outliers
Key Learning Points – Module 3
Machine Data
• Machine data is one of the fastest growing, most complex and most valuable segments of big data.
• All Machine Data is security relevant
Common Uses of Splunk for Security
• Security Event Investigation and Forensics
• Security/risk Reporting
• Simple real-time correlations and alerts
• Find advanced, hidden threats
One Solution – 3 offerings
• Splunk Enterprise
• Splunk App for Enterprise Security
• Additional specialty Apps
Module 4: How do we compete and succeed?
• Case Study Examples
• Competition
• Discovery Questions
Replacing a SIEM @ Cedar Crestone
• Challenges: Inflexible SIEM
– Difficult to index non-security or custom app data without Prof Serv
– SIEM could not provide who/what/where context
– Inflexible parsing, visualizations, and reporting
– Limited correlations rules and ability to tailor them
• Enter Splunk: Flexible SIEM covering many use cases
– Easily index any data from any source. Saved $200k+ in Prof Serv & connector costs
– Flexible search and reporting, including anomaly detection and custom dashboards
– Helps customers be compliant, including for PCI and SOX
– Used by security and operation teams for strong ROI
“We replaced a SIEM that we had before with Splunk and the Splunk App for Enterprise Security. The other SIEM’s vision seemed right but it was extremely brittle and got more so over time.” – Dan Frye, VP Security
Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize, with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take less than a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team
SIEM Performance Comparison @ Cisco
Slide chart: Query Time vs. Indexed Data, plotting Avg Query Time (seconds) against Data Indexed (GB/day) for Splunk and “SIEM 1”.
$500k Security ROI @ Interac
• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations
Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services
Find In-depth Customer Stories (ROI)
From the Content tab, type in “Customer Story” (Internal)
Key Competitor Scorecard
Slide table with one row per competitor (competitor names are not given in the text) and columns Strengths, Weaknesses and Threat (rated 2 or 3).
Strengths
• SIEM leaders quadrant; Largest installed base; RT correlation, lots of rules; 100s of supported data sources
• SIEM leaders quadrant; 100s of supported data sources; SIEM portfolio includes network and app monitoring products; New Big Data offering including Hadoop and InfoSphere
• SIEM leaders quadrant; SIEM portfolio includes network, DB, and app monitoring products; Big push by McAfee since purchase
• SIEM leaders quadrant; Strong traction in compliance; Easy to use & deploy; Lots of out of the box content
• Security portfolio includes DLP and eGRC; Re-architected offering as “RSA Security Analytics” incl Hadoop and rest of portfolio; New offering demos well
Weaknesses
• Complex, long implementation cycles; SIEM is separate log and SIEM products; Data exploration nearly non-existent; Post-HP acquisition have lost much talent, show minimal innovation, losing market share
• Connectors are brittle and out of date; Limited scalability; Difficult to create custom content; SIEM is separate log and SIEM products
• New offering is an unproven, complex “FrankenSIEM” of multiple products; Poor track record of adapter support; Limited flexibility with reporting; Difficult to create custom content; SIEM is separate log and SIEM products
• SMB, not seen much in the enterprise; Difficult to create custom reports
• New offering is an unproven, complex “FrankenSIEM” of multiple products; Old version: cumbersome, difficult to deploy, scale issues, customers find little value in it
Discovery Questions
Objective: understand the customer’s use cases and problems so you can position the right solution.
1. Understand the customer use cases and problems. Common Splunk use cases include security investigation, forensics, correlations, advanced threat detection, fraud.
   Questions to ask:
   1. What is your security use case?
   2. What are you looking at Splunk to help you improve?
2. Understand what incumbent solutions they have and what their pain is. Identify the entry points. Examples: New to SIEM, Replacing a SIEM, Looking to augment a SIEM, Need a data investigation tool.
   Questions to ask:
   1. What kinds of security technologies do you have, including a SIEM, to evaluate security threats?
   2. What problems do you have that you can’t solve with your existing solution?
3. Understand the customer’s security model and business practice maturity. Use this to understand how they think about security. Are they a check-box customer or building a comprehensive security practice?
   Questions to ask:
   1. What data sources do you have that are used in security investigations?
   2. What is the SLA for response to a threat in your environment?
   3. How many people do you have within your security team and what functions do they have – security analysts, security operations?
4. Understand the importance the prospect places on out of the box capabilities versus flexibility.
   Questions to ask:
   1. What value do you place on out of the box reports and dashboards?
   2. What value do you place on ad hoc reporting flexibility?
   3. How important is out of the box alerting and threat intelligence versus flexibility to create your own alerts?
Problem / Solution Matrix
Slide table: solution to lead with per customer use case; the columns are Splunk, Enterprise Security and Other Apps. Customer use cases:
• Security forensics / investigations (highly capable customer)
• Security forensics / investigations (low capability customer)
• Security reporting / visualizations
• Event correlation and real-time alerting
• Pre-built reports, dashboard, correlation rules
• Incident workflow
• Fraud Detection
• Network Monitoring
• Technology specific monitoring
Selling Best Practices
Qualify/Discovery > First Meeting/Demo > Evaluation/PoC
– If using Splunk for other use cases, leverage this and internal champions
– Use discovery to uncover pain and determine offering(s) to sell
– Do not be afraid if they already have a SIEM; often they are not happy with it
– Broaden deal beyond just security
– Seed our points of differentiation and how we are more than a SIEM
– Avoid PoC by using demo, refs, internal champions
At minimum, limited deployment of Enterprise for investigations/reporting. But ideally also sell the App for Enterprise Security covering all data. With Splunk success, limited deal can be extended and existing SIEM displaced.
Key Learning Points – Module 4
Broaden the Scope
• All Machine Data is security relevant
• Look cross use case as well as within Security
We can replace a SIEM
• We can replace an existing SIEM
• Understand the Use Case
• Don’t be afraid to compete
One Solution – 3 offerings
• Understand when to position Splunk Enterprise alone or with the Splunk App for Enterprise Security Premium App
Module 5: How do you price?
• Pricing
• Examples
Splunk Enterprise: Annual or Perpetual
Splunk Enterprise Perpetual
Name: Splunk Enterprise Perpetual
Description: On-premise ENTERPRISE SPLUNK that the customer owns perpetually (forever)
Support:
• Enterprise Support ($) SKU: ES-GB-P, 20% of Net License
• Global Support ($$) SKU: GS-GB-P, 25% of Net License
• Annual Renewals: Support is renewed to access new releases.
How Licensing Is Done: Daily Volume. We license by amount of data indexed in a 24 hour period
Splunk Enterprise Annual
Name: Splunk Enterprise Annual (Term)
Description: On-premise ENTERPRISE SPLUNK that the customer owns for a year
Support: Enterprise Support ($) SKU: ES-GB-P, 20% of Net License
How Licensing Is Done: Daily Volume. We license by amount of data indexed in a 24 hour period
Splunk App for Enterprise Security: Premium App Pricing Module
Key Learning Points – Module 5
Security
• Security is the use case. Splunk Enterprise is the product you sell. You can also sell the Splunk App for Enterprise Security or the Splunk App for PCI.
Perpetual or Term
• Splunk Enterprise can be purchased as a Perpetual or Annual license.
Data Indexed per Day
• Splunk Enterprise is licensed by the amount of data indexed in a 24-hour period. Our unit of pricing measurement is GB per day.
Internal Enablement
• Global Field Enablement Portal – Security
• Partner Enablement Portal – Security
• Opportunity Playbook - Security
Customer Facing Materials
• Marketing Workspace | Content Search
• Splunk.com – Security Landing Page
Who Do I Contact?
Product Marketing
– Joe Goldberg, Senior Manager, all security/compliance
– Mark Seward, Senior Director, all security/compliance
Product Management
– Jack Coates, Product Manager
Security Strategists: highly qualified, strategic/large accounts
– Fred Wilmot (team manager)
Global Field Enablement | Internal Training Deliverables
– [email protected]
– School of Splunk: Field Onboarding (Sales, Technical)
– School of Splunk: Field New Hire Training (Sales, Technical)
– School of Splunk: Field Enablement Portal (Sales, Technical, Partner)
– School of Splunk: Weekly Virtual (VEC) and Technical (TEC) Enablement Calls
THANK YOU!