Security - Baseline eLearning (PDF) - Oct 2013.pdf

June 25, 2016 | Author: Marcus Panasan | Category: N/A

Security Baseline eLearning

Global Field Enablement - Copyright © 2013 Splunk, Inc.

Modules
1. Who do we sell to? • Market Trends • Market Opportunity • Buyer Personas
2. Why do they buy? • Current Challenges and Consequences • Future Vision and Business Outcomes
3. How does it work? • Splunk Positioning • Features
4. How do we compete and succeed? • Case Study Examples • Competition • Discovery Questions
5. How do you price? • Pricing SKUs • Examples

Module 1 – Who do we sell to?
• Market Trends • Market Opportunity • Buyer Personas

Security is Making $$ at Splunk
• About 30% of Splunk bookings
• Customers are getting our “Big Data for security” and “more than a SIEM” messages
• Security continues to make headlines:

Advanced Threats in the Headlines
• Cyber Criminals: “160 million credit cards later, cutting edge hacking ring cracked” – NBC News, July 2013
• Nation States: “Banks Seek U.S. Help on Iran Cyber attacks” – Wall Street Journal, Jan 2013
• Insider Threats: “Verizon: Most Intellectual Property Theft Involves Company Insiders” – Dark Reading, Oct 2012

Target Market
Overall, SIEM is a $1B+ market
– We compete for SIEM dollars with a solution that is rapidly eclipsing SIEMs in importance!
– Overlap and cross selling opportunities that involve security

Market segments shown on the slide (market size):
• SIEM / log Mgmt $1.5B
• Event Correlation & Analysis $1.4B
• Service Desk $1.4B
• Desktop Mgmt $1.3B
• Non SaaS Cloud Services $5.6B
• Change & Config Mgmt $4.9B
• Network Mgmt $3.4B
• Application Mgmt $3.4B
• Database Mgmt $2.3B
• Server Virtualization Mgmt $2.4B
• Web Analytics $1.0B
• Desktop Virtualization $0.49B
• Server Mgmt $420MM
• End User Experience Monitoring $240MM

Umbrella categories:
• “Build” – Application Mgmt. $6B+
• “Risk” – Secure & Comply $1B+
• “Run” – Infrastructure and Ops $21B+

Meet Your Top Prospects
Target Buyers
• CISO
Influencers
• VP/Dir Information Security
• Security Analyst
• Physical Security Officer
Questions these buyers and influencers ask:
– How do we prevent attacks?
– How can I prevent data loss and revenue impact?
– How can I ensure Compliance as part of a broader Security message?
– Are my assets secure?

Key Learning Points – Module 1
Security Market
• Security is top of mind
• Require a Big Data Approach
Buyers
• It’s the CISO you want to talk to (the Chief Information Security Officer)
Influencers
• Security Analysts will sometimes get involved
• Overlap and cross selling opportunities that involve security

Module 2 – Why do they buy?
• Current Challenges and Consequences • Future Vision and Business Outcomes

Security Information & Event Management is comprised of…
Security Information Management (SIM)
• Long-term data storage
• Log / data analysis
• Compliance Reporting
• Use case: compliance
Security Event Management (SEM)
• Real-time monitoring, correlations, alerting
• Incident investigations and management
• Use case: threat management

Before Splunk State
Customer Challenges
• Traditional SIEMs have significant limitations and fail to deliver
• Advanced threats evade detection
• IT Security is outgunned by the adversaries
• IT Security is reactive, not proactive
• Data loss occurs frequently and often goes unnoticed
Business/IT Consequences
• Reduced revenue as data loss results in brand damage and customers leaving
• Higher costs from data loss related to regulatory fines, lawsuits, or intellectual property loss
• Higher costs from inefficient incident investigations, downtime, and threat clean up
• Weak security posture
• Board and executives are under pressure

After Splunk State
Future Vision
• Scalable solution that can index all data types and quickly search it
• Fast, efficient incident investigations and security reporting
• Ability to do real-time correlations, alerts, and advanced threat detection
• Single, enterprise-wide solution with all data used for many use cases
Business Outcomes
• All relevant data available for investigations and threat detection
• Reduced costs from faster and less manual work, as well as faster threat eradication
• Reduced costs and less lost revenue from data loss
• Improved ROI and departmental collaboration

Key Learning Points – Module 2
Customer Challenges
SIEM
• SIEM is comprised of two different products: Security Information Management and Security Event Management.
• Traditional SIEMs are being outsmarted
Splunk’s Benefit
• Single enterprise solution for all data and use cases.
• All data is security relevant

Module 3 – How does it work?
• Splunk Positioning • Features

Splunk Security Uses Over Time (from Reactive to Proactive)
• Security Event Investigation and Forensics
• Security/risk Reporting
• Simple real-time correlations and alerts
• Find advanced, hidden threats
Often we are the SIEM; often we complement an existing SIEM.

Case #1 – Incident Investigation/Forensics
• Often initiated by alert in another product
• May be a “cold case” investigation requiring machine data going back months
• Need all the original data in one place and a fast way to search it to answer:
– What happened and was it a false positive?
– How did the threat get in, where have they gone, and did they steal any data?
– Has this occurred elsewhere in the past?
• Take results and turn them into a real-time search/alert if needed
[Figure: timeline January – April drawn over excerpts of raw log data]

Case #2 – Security/Compliance Reporting
• Many types of visualizations
• Easy to create in Splunk
– Ad-hoc auditor reports
– New incident list
– Historical reports
– SOC/NOC dashboards
– Executive/auditor dashboards

Case 3 – Correlations and Alerts (Event 1 + Event 2 + Event 3 = Threat)

Chain A
• Event 1: Data Loss Prevention tool identifies a server as containing confidential information
• Event 2: Active Directory identifies a brute force password-guessing attack on the server
• Event 3: Within X hours, a new Administrator role is created on the server
• Threat: Possible hacker on the server trying to steal the confidential data

Chain B
• Event 1: Firewall on an internal PC indicates the PC is being port scanned from an internal IP address
• Event 2: Network-based firewall indicates it is being port scanned from the same internal IP address
• Event 3: Within X hours, important key settings have been changed on the suspicious machine associated with the internal IP address
• Threat: The machine associated with the IP address may have been compromised by a threat which is doing internal reconnaissance

Chain C
• Event 1: Vulnerability scanner shows that an internal server has an unpatched OS
• Event 2: Intrusion Detection System sees an external attack on that specific server that exploits the vulnerability in the OS
• Threat: The server is likely to be successfully compromised
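The three event chains above as working detection logic. This is an added example and not Splunk code or Splunk search language: a small Python correlator that fires a rule when every step of a chain is seen for the same entity (host or IP), in the stated order, inside a time window. The events are constructed, the product names (dlp, ad, hostfw, netfw, endpoint, vulnscan, ids) and event kinds are assumed normalised names, and the windows of 6 and 24 hours stand in for the “X hours” the slide leaves open.

```python
"""Multi-source correlation of the kind sketched in Case 3 (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime   # time the source product reported it
    source: str    # assumed product names: dlp, ad, hostfw, netfw, endpoint, vulnscan, ids
    kind: str      # assumed normalised event type
    entity: str    # host or IP the rule pivots on


@dataclass(frozen=True)
class Rule:
    name: str
    steps: tuple[tuple[str, str], ...]  # (source, kind) pairs in the order they must occur
    window: timedelta                   # "within X hours"; X is an assumed value here
    verdict: str


RULES = (
    Rule("confidential-server-takeover",
         (("dlp", "confidential_data"), ("ad", "brute_force"), ("ad", "admin_role_created")),
         timedelta(hours=6),
         "Possible hacker on the server trying to steal the confidential data"),
    Rule("internal-recon-then-tampering",
         (("hostfw", "port_scan"), ("netfw", "port_scan"), ("endpoint", "key_settings_changed")),
         timedelta(hours=6),
         "Machine may be compromised by a threat doing internal reconnaissance"),
    Rule("unpatched-server-attacked",
         (("vulnscan", "unpatched_os"), ("ids", "exploit_attempt")),
         timedelta(hours=24),
         "Server is likely to be successfully compromised"),
)


def _match_from(evs: list[Event], start: int, rule: Rule) -> bool:
    """True if rule.steps[1:] occur in order after evs[start], all inside the window."""
    first_ts = evs[start].ts
    want = 1
    for ev in evs[start + 1:]:
        if ev.ts - first_ts > rule.window:
            return False            # window exhausted before the chain completed
        if (ev.source, ev.kind) == rule.steps[want]:
            want += 1
            if want == len(rule.steps):
                return True
    return False


def correlate(events, rules=RULES):
    """Return sorted (rule name, entity, verdict) tuples for every completed chain."""
    by_entity: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_entity.setdefault(ev.entity, []).append(ev)
    hits = set()
    for rule in rules:
        for entity, evs in by_entity.items():
            for i, ev in enumerate(evs):
                if (ev.source, ev.kind) == rule.steps[0] and _match_from(evs, i, rule):
                    hits.add((rule.name, entity, rule.verdict))
                    break
    return sorted(hits)


def demo_events():
    """Constructed sample events: two chains complete in time, two do not."""
    def t(h, m=0, d=1):
        return datetime(2013, 10, d, h, m)
    return [
        # fileserver-01: all three steps within 3 hours -> fires
        Event(t(9), "dlp", "confidential_data", "fileserver-01"),
        Event(t(10, 30), "ad", "brute_force", "fileserver-01"),
        Event(t(12), "ad", "admin_role_created", "fileserver-01"),
        # 10.0.0.42: scan seen by host and network firewalls, then tampering -> fires
        Event(t(1), "hostfw", "port_scan", "10.0.0.42"),
        Event(t(1, 20), "netfw", "port_scan", "10.0.0.42"),
        Event(t(3), "endpoint", "key_settings_changed", "10.0.0.42"),
        # fileserver-02: admin role created 11 hours after the DLP hit -> outside window
        Event(t(9), "dlp", "confidential_data", "fileserver-02"),
        Event(t(10), "ad", "brute_force", "fileserver-02"),
        Event(t(20), "ad", "admin_role_created", "fileserver-02"),
        # web-07: attack seen two days after the scan result -> outside 24 h window
        Event(t(8), "vulnscan", "unpatched_os", "web-07"),
        Event(t(8, d=3), "ids", "exploit_attempt", "web-07"),
    ]


if __name__ == "__main__":
    for name, entity, verdict in correlate(demo_events()):
        print(f"{name}: {entity} -> {verdict}")
```

Run stand-alone, the block reports only the two completed chains; the two chains whose last step falls outside the window are silently dropped, which is the behaviour a “within X hours” rule is meant to have.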

Case 4 – Advanced Persistent Threat Patterns
‘Unknown’ threats – APT / malicious insider
• Spear-phishing and social engineering
• Zero-day vulnerabilities
• Custom malware
• Actions hidden behind normal user credentialed activity
• Move slowly and quietly; evade detection
Threat stages:
1. Infiltration – Phishing or web drive-by. Email has attached malware or link to malware
2. Back Door – Malware installs remote access toolkit(s)
3. Recon – Malware obtains credentials to key systems and identifies valuable data
4. Data Gathering – Data is acquired and staged for exfiltration
5. Exfiltration – Data is exfiltrated as encrypted files via HTTP or FTP

APT Step 1: Collect ALL The Data in One Location
• “Security” data (what a SIEM collects): alerts from point security products. “Known” threats.
• All security relevant data: “Normal” user and machine generated data behind credentials. Includes “Unknown” threats.

APT Step 2: Identify Threat Activity
• What’s the modus operandi of the attacker?
• What/who are the most critical data assets and employees?
• What patterns/correlations of weak-signals in ‘normal’ IT activities would represent ‘abnormal’ activity?
• What in my environment is different/new/changed?
• What is rarely seen or standard deviations off the norm?
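Two of the questions above turned into checks over “normal” activity data: what is rarely seen (a user/country combination observed only once) and what is standard deviations off the norm (a user’s outbound volume scored against that user’s own baseline). This is an added example, not Splunk code; the daily summary records (day, user, source country, bytes out) are constructed, and the 3-sigma threshold and 14-day baseline are assumed settings.

```python
"""Rarity and z-score checks for APT Step 2 (added example, constructed data)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: 14 days of per-user outbound volume, then day 15 to score.
BASELINE = (
    [(d, "alice", "US", b) for d, b in enumerate(
        [10000, 11000, 12000, 10500, 13000, 9500, 11500,
         12500, 10000, 11000, 12000, 10500, 13000, 9500], 1)]
    + [(d, "bob", "US", b) for d, b in enumerate(
        [8000, 9000, 8500, 9500, 10000, 8000, 9000,
         8500, 9500, 10000, 8000, 9000, 8500, 9500], 1)]
)
TODAY = [
    (15, "alice", "US", 480000),   # roughly 40x her usual volume
    (15, "bob", "RO", 9200),       # normal volume, never-before-seen country
]


def rare_pairs(records, field_a, field_b, max_count=1):
    """(field_a, field_b) combinations seen at most max_count times.
    Field indexes refer to the (day, user, country, bytes_out) tuples."""
    seen = Counter((r[field_a], r[field_b]) for r in records)
    return sorted(pair for pair, n in seen.items() if n <= max_count)


def zscore(value, baseline_values):
    """How many standard deviations `value` sits from the baseline mean."""
    mu = mean(baseline_values)
    sd = pstdev(baseline_values)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def volume_outliers(baseline, today, threshold=3.0):
    """Per user, flag today's bytes_out when it sits more than `threshold`
    standard deviations from that user's own baseline. Returns
    (user, bytes_out, z) tuples."""
    per_user = {}
    for _, user, _, b in baseline:
        per_user.setdefault(user, []).append(b)
    flagged = []
    for _, user, _, b in today:
        if user not in per_user:
            continue                      # no baseline: nothing to compare against
        z = zscore(b, per_user[user])
        if abs(z) > threshold:
            flagged.append((user, b, round(z, 1)))
    return flagged


def new_user_country_pairs(baseline, today):
    """(user, country) pairs that occur exactly once across baseline and today,
    i.e. combinations first seen today."""
    return rare_pairs(baseline + today, 1, 2)


if __name__ == "__main__":
    print("volume outliers:", volume_outliers(BASELINE, TODAY))
    print("rare user/country pairs:", new_user_country_pairs(BASELINE, TODAY))
```

Scoring each user against their own history matters: bob’s 9200 bytes would be an outlier against alice’s baseline but is ordinary for him, and only his new source country stands out. Neither signal is an alert on its own; they are the weak signals the slide suggests correlating.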

Splunk: The Security Intelligence Platform
All Your Machine Data feeds Many Security Use Cases:
• Advanced Threat Detection
• Real-time correlations and alerts
• Security and risk reporting
• Incident Investigation/forensics

Traditional SIEM Limitations (as contrasted with Splunk)
• Can be multiple products
• Often costly, physical appliances
• Difficult to deploy; long time to value
• Reliant on vendor’s collectors
• DB schema and normalization limits investigations and correlations
• Scalability issues due to DB
• Lack of search & reporting flexibility limits ability to find outliers/anomalies
• Specializes in ‘Known Threat’ detection
• Closed platform with no APIs, SDKs, Apps
• Only security/compliance use cases

Industry Accolades
• Best SIEM Solution
• Best Enterprise Security Solution
• Best Security Product

One Solution; Three Main Offerings
1. Splunk Enterprise (cost)
2. Splunk App for Enterprise Security (cost)
3. Other security Apps (free)
Majority of customers use 1 & 3.

Splunk App for Enterprise Security
Pre-built searches, alerts, reports, dashboards, workflow
• Dashboards and Reports
• Incident Management View & Workflows
• Asset and Identity Aware
• Statistical Outliers

Key Learning Points – Module 3
Common Uses of Splunk for Security
• Security Event Investigation and Forensics
• Security/risk Reporting
• Simple real-time correlations and alerts
• Find advanced, hidden threats
Machine Data
• Machine data is one of the fastest growing, most complex and most valuable segments of big data.
• All Machine Data is security relevant
One Solution – 3 offerings
• Splunk Enterprise
• Splunk App for Enterprise Security
• Additional specialty Apps

Module 4 – How do we compete and succeed?
• Case Study Examples • Competition • Discovery Questions

Replacing a SIEM @ Cedar Crestone
• Challenges: Inflexible SIEM
– Difficult to index non-security or custom app data without Prof Serv
– SIEM could not provide who/what/where context
– Inflexible parsing, visualizations, and reporting
– Limited correlation rules and ability to tailor them
• Enter Splunk: Flexible SIEM covering many use cases
– Easily index any data from any source. Saved $200k+ in Prof Serv & connector costs
– Flexible search and reporting, including anomaly detection and custom dashboards
– Helps customers be compliant, including for PCI and SOX
– Used by security and operation teams for strong ROI
“We replaced a SIEM that we had before with Splunk and the Splunk App for Enterprise Security. The other SIEM’s vision seemed right but it was extremely brittle and got more so over time.” – Dan Frye, VP Security

Replacing a SIEM @ Cisco
• Challenges: SIEM could not meet security needs
– Very difficult to index non-security or custom app log data
– Serious scale and speed issues. 10GB/day and searches took > 6 minutes
– Difficult to customize with reliance on pre-built rules which generated false positives
• Enter Splunk: Flexible SIEM and empowered team
– Easy to index any type of machine data from any source
– Over 60 users doing investigations, RT correlations, reporting, advanced threat detection
– All the data + flexible searches and reporting = empowered team
– 900 GB/day and searches take < a minute. 7 global data centers with 350TB stored data
– Estimate Splunk is 25% the cost of a traditional SIEM
“We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” – Gavin Reid, Leader, Cisco Computer Security Incident Response Team

SIEM Performance Comparison @ Cisco
[Chart: Query Time vs. Indexed Data, Splunk versus SIEM 1; y-axis Avg Query Time (seconds), 0–400; x-axis Data Indexed (GB/day)]

$500k Security ROI @ Interac
• Challenges: Manual, costly processes
– Significant people and days/weeks required for incident investigations. $10k+ per week.
– No single repository or UI. Used multiple UIs, grep’d log files, reported in Excel
– Traditional SIEMs evaluated were too bloated, too much dev time, too expensive
• Enter Splunk: Fast investigations and stronger security
– Feed 15+ data sources into Splunk for incident investigations, reports, real-time alerts
– Splunk reduced investigation time to hours. Reports can be created in minutes.
– Real-time correlations and alerting enables fast response to known and unknown threats
– ROI quantified at $500k a year. Splunk TCO is less than 10% of this.
“Splunk is a product that provides a looking glass into our environment for things we previously couldn’t see or would otherwise have taken days to see.” – Josh Diakun, Security Specialist, Information Security Operations

Security and Compliance @ Barclays
• Challenges: Unable to meet demands of auditors
– Scale issues, hard to get data in, and impossible to get data out beyond summaries
– Not optimized for unplanned questions or historical searches
– Struggled to comply with global internal and external mandates, and to detect APTs
– Other SIEMs evaluated were poor at complex correlations, data enrichment, reporting
• Enter Splunk: Stronger security and compliance posture
– Fines avoided as searches easily turned into visualizations for compliance reporting
– Faster investigations, threat alerting, better risk measurement, enrichment of old data
– Scale and speed: Over 1 TB/day, 44 B events per min, 460 data sources, 12 data centers
– Other teams using Splunk for non-security use cases improves ROI
“We hit our ROI targets immediately. Our regulators are very aggressive, so if they say we need to demonstrate or prove the effectiveness of a certain control, the only way we can do these things is with Splunk.” – Stephen Gailey, Head of Security Services

Find In-depth Customer Stories (ROI) From the Content tab, type in “Customer Story” (Internal)


Key Competitor Scorecard (five competitors, each rated on Strengths, Weaknesses and Threat)

Strengths noted:
• SIEM leaders quadrant; 100s of supported data sources; SIEM portfolio includes network and app monitoring products; New Big Data offering including Hadoop and InfoSphere
• SIEM leaders quadrant; SIEM portfolio includes network, DB, and app monitoring products; Big push by McAfee since purchase
• Security portfolio includes DLP and eGRC; Re-architected offering as “RSA Security Analytics” incl Hadoop and rest of portfolio; New offering demos well
• SIEM leaders quadrant; Largest installed base; RT correlation, lots of rules; 100s of supported data sources
• SIEM leaders quadrant; Strong traction in compliance; Easy to use & deploy; Lots of out of the box content

Weaknesses noted:
• Complex, long implementation cycles; SIEM is separate log and SIEM products; Data exploration nearly non-existent; Post-HP acquisition have lost much talent, show minimal innovation, losing market share
• Connectors are brittle and out of date; Limited scalability; Difficult to create custom content; SIEM is separate log and SIEM products
• New offering is an unproven, complex “FrankenSIEM” of multiple products; Poor track record of adapter support; Limited flexibility with reporting; Difficult to create custom content; SIEM is separate log and SIEM products
• SMB, not seen much in the enterprise; Difficult to create custom reports
• New offering is an unproven, complex “FrankenSIEM” of multiple products; Old version – Cumbersome, difficult to deploy, scale issues, customers find little value in it

Threat ratings shown: 2, 3, 3, 2, 3

Discovery Questions
Objective
• Understand the customer use cases and problems so you can position the right solution. Common Splunk use cases include security investigation, forensics, correlations, advanced threat detection, fraud.
• Understand what incumbent solutions they have and what their pain is. Identify the entry points. Examples: New to SIEM, Replacing a SIEM, Looking to augment a SIEM, Need a data investigation tool.
• Understand the customer’s security model and business practice maturity. Use this to understand how they think about security. Are they a check box customer or building a comprehensive security practice?
• Understand the importance the prospect places on out of the box capabilities versus flexibility.

Questions to Ask
Use cases
1. What is your security use case?
2. What are you looking at Splunk to help you improve?
Incumbent solutions
1. What kinds of security technologies do you have, including a SIEM, to evaluate security threats?
2. What problems do you have that you can’t solve with your existing solution?
Security practice maturity
1. What data sources do you have that are used in security investigations?
2. What is the SLA for response to a threat in your environment?
3. How many people do you have within your security team and what functions do they have – security analysts, security operations?
Out of the box versus flexibility
1. What value do you place on out of the box reports and dashboards?
2. What value do you place on ad hoc reporting flexibility?
3. How important is out of the box alerting and threat intelligence versus flexibility to create your own alerts?

Problem / Solution Matrix
Solution to lead with: Splunk | Enterprise Security | Other Apps
Customer use cases:
• Security forensics / investigations (highly capable customer)
• Security forensics / investigations (low capability customer)
• Security reporting / visualizations
• Event correlation and real-time alerting
• Pre-built reports, dashboard, correlation rules
• Incident workflow
• Fraud Detection
• Network Monitoring
• Technology specific monitoring

Selling Best Practices
Qualify/Discovery > First Meeting/Demo > Evaluation/PoC
– If using Splunk for other use cases, leverage this and internal champions
– Use discovery to uncover pain and determine offering(s) to sell
– Do not be afraid if they already have a SIEM; often they are not happy with it
– Broaden deal beyond just security
– Seed our points of differentiation and how we are more than a SIEM
– Avoid PoC by using demo, refs, internal champions
• At minimum, limited deployment of Enterprise for investigations/reporting
• But ideally also sell the App for Enterprise Security covering all data
• With Splunk success, limited deal can be extended and existing SIEM displaced

Key Learning Points – Module 4
Broaden the Scope
• All Machine Data is security relevant
• Look cross use case as well as within Security
We can replace a SIEM
• We can replace an existing SIEM
• Understand the Use Case
• Don’t be afraid to compete
One Solution – 3 offerings
• Understand when to position Splunk Enterprise alone or with the Splunk App for Enterprise Security Premium App

Module 5 – How do you price?
• Pricing • Examples

Splunk Enterprise – Annual or Perpetual

Splunk Enterprise Perpetual
Name: Splunk Enterprise Perpetual
Description: On-premise ENTERPRISE SPLUNK that the customer owns perpetually (forever)
Support:
• Enterprise Support ($) SKU: ES-GB-P 20% of Net License
• Global Support ($$) SKU: GS-GB-P 25% of Net License
• Annual Renewals: Support is renewed to access new releases.
How Licensing Is Done: Daily Volume – We license by amount of data indexed in a 24 hour period

Splunk Enterprise Annual
Name: Splunk Enterprise Annual (Term)
Description: On-premise ENTERPRISE SPLUNK that the customer owns for a year
Support: Enterprise Support ($) SKU: ES-GB-P 20% of Net License
How Licensing Is Done: Daily Volume – We license by amount of data indexed in a 24 hour period

Splunk App for Enterprise Security – Premium App Pricing Module

Key Learning Points – Module 5
Security
• Security is the use case. Splunk Enterprise is the product you sell. You can also sell the Splunk App for Enterprise Security or the Splunk App for PCI.
Perpetual or Term
• Splunk Enterprise can be purchased as a Perpetual or Annual license.
Data Indexed per Day
• Splunk Enterprise is licensed by the amount of data indexed in a 24-hour period. Our unit of pricing measurement is GB per day.

Internal Enablement
• Global Field Enablement Portal – Security
• Partner Enablement Portal – Security
• Opportunity Playbook – Security
Customer Facing Materials
• Marketing Workspace | Content Search
• Splunk.com – Security Landing Page

Who Do I Contact?
Product Marketing
– Joe Goldberg, Senior Manager, all security/compliance
– Mark Seward, Senior Director, all security/compliance
Product Management
– Jack Coates, Product Manager
Security Strategists: highly qualified, strategic/large accounts
– Fred Wilmot (team manager)
Global Field Enablement | Internal Training Deliverables
– [email protected]
– School of Splunk: Field Onboarding (Sales, Technical)
– School of Splunk: Field New Hire Training (Sales, Technical)
– School of Splunk: Field Enablement Portal (Sales, Technical, Partner)
– School of Splunk: Weekly Virtual (VEC) and Technical (TEC) Enablement Calls

THANK YOU!
