I always get a thrill when people come up to me after attending Ninjutsu events to share successes and lessons learned, but I feel bad, because I'm the only one who gets to hear those stories. So this year, we're going FULL lessons learned. We're going to hit on the best parts of the Ninjutsu Series (fear not if you're brand new) and tell you exactly what you need to know, from the folks who've deployed their learnings successfully. It's like the sports highlight reel for a lifetime of building security detections. That sounds like a party right? As always, attendance of prior Ninjutsus not required, though they are available below.
Security Ninjutsu turns five! Last year, we told you every advanced SPL technique that we knew about, with a 23,000-word PDF chock full of detail. This year, we swing to the other side, and tell you about every advanced SPL search that we've ever seen customers love. This isn't bytes_out>35000, this is bytes_out>whoa that's cool! Of course, we will have sample data with every search, and every search will be present in Splunk Security Essentials. Come learn about all the latest and greatest, and be prepared to blow the SOCs off your team. And no, I am *not* sorry for the pun.
My favorite part of any spy movie is the gadgets. You see a spy in normal attire, without knowing that the jacket is bulletproof and the watch shoots amnesia darts. That spy is prepared for anything. Writing security searches in SPL is much the same—so you can call me Q. In past Security Ninjutsu sessions, we’ve covered many foundational elements common among security searches. This year, we are bringing the ninja, and it’s going to be epic. We’ll spend 60 minutes covering all the awesome search techniques used by Splunk Security Ninjas from around the world. There will be a massive PDF. Attendance of prior Ninjutsu sessions not required, though available at dvsplunk.com.
Throughout the Security Ninjutsu series, we used real world searches created by Splunk technical resources working with their customers. Now we will discuss the reverse: actual correlation searches built by customers on their own (easy, medium, hard). For each, we will explain what caused them to create the use case, how they built the query, tweaked and filtered and what action they took as a result. What happens when attackers stop being nice, and start being real? Come find out. (Optional: View prior Security Ninjustu series talks here: https://dvsplunk.com/ninjustsu)
At .conf2014 in Security Ninjutsu, we covered four real customer scenarios that allowed security users to leverage advanced correlation and anomaly detection, moving beyond basic incident response. You needn't have attended last year's session because this year we will cover four totally new use cases! We will be diving into analytics (basic through advanced) and threat discovery, easy apps for hunting, new bidirectional threat intel integrations and more! Through each of the examples, we will review the data sources, discuss how to analyze them, and see what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.
Splunk's analytical capabilities allow security users to leverage advanced correlation and anomaly detection moving beyond basic incident response. Splunk can also take action, ranging from integration with ticketing systems to automatic blocking and beyond. This session will walk the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain. Through each of the examples, we will review the data, how to analyze it, and what actions could be taken, providing reusable examples for how to level up your security capabilities with Splunk software.
Whether you have just SSE or all of Splunk's Premium Products, you can benefit from the ton of Security Content that Splunk produces. We'll start this session by setting a quick baseline on all of the fantastic detections that Security Essentials has had in the past, and then jump into the new prescriptive guides, MITRE ATT&CK™ integration, Auto-Dashboard-Magic, and all the related functionality that will help you plan your usage of any/all of Splunk's security products. We'll present all this information through the lens of helping you get the best possible detections deployed with the least amount of effort.
Splunk Security Essentials helps everyone be successful with everything — from basic security monitoring, to insider threats, to advanced threat detection. And it's constantly advancing! Let's walk through the latest and greatest capabilities for Security Essentials, and how you can go back to your environment and be more successful.
Whether you're looking to reduce breaches, set up monitoring to anticipate attacks, or build more predictive capabilities, you will learn to apply the power of Splunk’s search processing language (SPL) via the Splunk Security Essentials
App. We'll also present how to tighten your security with actionable searches that you can use immediately. All of the examples will have demo data, but you will see how you can apply custom data in your own environment. In this
session, you will learn how to:
– Optimize and make Splunk search work for you, so you can quickly gain insights into your data to identify and describe security impacts and potential threats
– Detect unusual and potentially malicious activity using Splunk Enterprise statistical and behavioral analysis capabilities
– Find unusual activities
You know the use cases, you understand stats. You might strut through the halls of .conf events as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk with upwards of a 1000x performance improvement: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to a ludicrously fast speed. This talk will explain how and when to leverage acceleration, and improving user experience, value and TCO for all kinds of use cases.
You know the use cases. You understand stats. You might strut through the halls of .conf2016 as an advanced SPLer. But you’ve heard a whisper on the wind, a next-level approach to building queries in Splunk software with upwards of 1000x performance improvements: tstats. tstats is the most powerful tool for taking your Splunk queries (of all kinds) to ludicrous speed, but there’s a learning curve. This talk will explain how and when to leverage acceleration for all kinds of use cases in a simple way, taking it from the highest echelons of SPL Ninjutsu and bringing it to everyone.
There is a feature that many customers could deploy to simplify their deployments, ease user adoption and enhance their level of security, but few customers actually use it. That feature is Single Sign-on, and it can be deployed via the free Active Directory Federation Service (ADFS) available to almost everyone. This session will walk attendees through the basics of SSO, with an explanation and live demonstration of how ADFS works with Splunk, so that they can go back to their companies and enhance their Splunk experience.