How To Use Office 365 Salesforce and Box With Splunk Enterprise and Splunk Enterprise Security


How To Gain Visibility into Office 365, Box using Splunk Enterprise Security

Girish Bhat, Director, Security Product Marketing


Chinmay Kulkarni, Senior Software Engineer, Splunk ES

September 26, 2017 | Washington, DC


Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.

Agenda

▶ Outlook - Hybrid World with Clouds


▶ Splunk Enterprise and Splunk Enterprise Security
▶ Why Common Information Model (CIM)?
▶ Mapping to CIM
▶ Enterprise Security ♥ CIM
▶ Demo
▶ Q&A
Who is Girish?

▶ Security Product Marketing @Splunk


• Enterprise Security, Security Portfolio
• Splunk CISO customer advisory board program
• Security customer use case program
▶ Prior work involved authentication, IAM, compliance, VPN, DLP, IDS/IPS, mobile, SaaS, IaaS,
virtualization and network monitoring solutions
▶ Used to be a Product manager, Software Engineer and Hardware Engineer
Who is Chinmay?

▶ Chinmay Kulkarni
• Engineering @ Splunk
• @chinmaymk
▶ I mostly write bugs features.
POLL
SaaS Adoption Trends

▶ Office 365, Salesforce.com, Box, AWS are the top SaaS apps used by
Enterprises (Source: Okta)
▶ SaaS tools - limited visibility into user activity
▶ By 2018, the 60% of enterprises that implement cloud visibility and control tools
will experience one-third fewer security failures (Source: Gartner)
▶ By 2018, 40% of Office 365 deployments will rely on 3rd party tools to fill in gaps
in security and compliance (Source: Gartner)

Secure both Cloud and On-Premises Apps

[Chart: on-premises vs. cloud apps use. Source: Computer World Tech Forecast 2017]


Splunk Enterprise vs Splunk Enterprise Security

Capability                            Splunk Enterprise   Splunk Enterprise Security
Monitor and Report                    ✓                   ✓
Detect and Alert                      ✓                   ✓
Analyze and Investigate               ✓                   ✓
Respond and Collaborate               DIY                 ✓
Correlation Search                    DIY                 ✓
Asset/Workflow                        DIY                 ✓
Context for all workflow and tasks    DIY                 ✓
Action/remediation                    DIY                 ✓
Threat Intelligence                   DIY                 ✓

DIY – Do It Yourself
Splunk ES v4.7: Insight from SaaS Services

▶ Get context from popular Enterprise SaaS apps, correlate across SaaS and/or on-premises sources to improve investigation and incident response
▶ Determine scope of user activity, network activity, endpoint activity, access activity & abnormal activity from Cloud services
▶ Discover, Monitor and Report on Cloud service activity within your environment
Mapping to Splunk Enterprise Security

▶ TA: O365
▶ CIM data models: Change Analysis, Authentication
▶ Correlation Searches:
• Abnormally High Number of Endpoint Changes By User
• Account Deleted
• Anomalous Audit Trail Activity Detected
• Brute Force Access Behavior Detected
• Brute Force Access Behavior Detected Over One Day
• Concurrent Login Attempts Detected
• Default Account Activity Detected
• Excessive Failed Logins
• Geographically Improbable Access Detected
• High or Critical Priority Individual Logging into Infected Machine
• Insecure Or Cleartext Authentication Detected
• Network Change Detected
• Network Device Rebooted
• Same Error On Many Servers Detected
• Short-lived Account Detected
▶ Dashboards: access_anomalies, access_center, access_search, access_tracker, account_management, default_accounts, endpoint_changes, network_changes, user_activity
Mapping to Splunk Enterprise Security

▶ Service: Box
▶ CIM data models: Change Analysis, Inventory, Authentication
▶ Correlation Searches:
• Account Deleted
• Brute Force Access Behavior Detected
• Brute Force Access Behavior Detected Over One Day
• Cleartext Password At Rest Detected
• Concurrent Login Attempts Detected
• Default Account Activity Detected
• Default Account At Rest Detected
• Excessive Failed Logins
• Geographically Improbable Access Detected
• High or Critical Priority Individual Logging into Infected Machine
• Insecure Or Cleartext Authentication Detected
• Short-lived Account Detected
• Anomalous Audit Trail Activity Detected
• Abnormally High Number of Endpoint Changes By User
• Network Device Rebooted
• Network Change Detected
• Same Error On Many Servers Detected
▶ Dashboards: access_anomalies, access_center, access_search, access_tracker, account_management, default_accounts, endpoint_changes, network_changes, system_center, user_activity
Scenario – Meta slide

▶ Take a hypothetical company – Home Mailbox Office
▶ They want to use SharePoint
▶ Security Engineer writes correlation searches for the SharePoint data source
▶ CTO announces they are moving to Box
▶ Security Engineer rips his hair out
▶ Comes to accept the situation
▶ Segue into data models/CIM
▶ How Enterprise Security uses CIM
▶ Demo for use case with O365
Life in Security
Home Mailbox Office

SharePoint is
the future.
No Problemo
So SharePoint
Correlation Searches

file_size > 100MB
filename = *.mp4 OR filename = *.mov OR filename = *.avi OR filename = *.wmv
src_location != "United States"
file_name NOT IN (malware)
file_size > normal_upload_size

**disclaimer** not real rules.


Life in Security
Home Mailbox Office

Yeah.. We're moving to Box.
Acceptance
Abstraction!
Data Models!
Common Information Model
▶ Collection of data models
▶ Normalization layer, speed benefits
▶ Batteries included:
• Network
• Authentication
• Change
• Create your own!
How To Map To CIM
▶ props.conf
▶ tags.conf
docs.splunk.com/Documentation/CIM/latest/User/Overview
Enterprise Security ♥ CIM
▶ Powers all correlation searches
▶ Dashboards use data model drilldowns
▶ Batteries included:
• Network
• Authentication
• Change
• Create your own!
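The two slides above (How To Map To CIM, and Enterprise Security using CIM for every correlation search) are what makes the SharePoint-to-Box move survivable, so here is an added worked example of both halves; it is not from the deck or from Splunk's own add-ons. The sourcetype acme:cloudapp:audit and its raw fields (event, outcome, login_name, client_ip, service) are constructed for illustration, the failure threshold is arbitrary, and ES-specific notable-event settings are left out; the stanza keys themselves are standard Splunk props.conf, eventtypes.conf, tags.conf and savedsearches.conf settings.

```ini
# props.conf -- normalize the raw (constructed) fields of the hypothetical
# sourcetype acme:cloudapp:audit onto CIM Authentication field names.
[acme:cloudapp:audit]
# CIM expects action=success|failure; the raw source logs outcome=OK|DENIED
EVAL-action = if(outcome=="OK", "success", "failure")
# Field aliases keep the original field and add the CIM name alongside it
FIELDALIAS-cim_user = login_name AS user
FIELDALIAS-cim_src  = client_ip AS src
FIELDALIAS-cim_app  = service AS app
# The SaaS app itself is the thing being authenticated to
EVAL-dest = "cloudapp"

# eventtypes.conf -- select only the login/logout records for the model
[acme_cloudapp_authentication]
search = sourcetype=acme:cloudapp:audit (event=login OR event=logout)

# tags.conf -- the Authentication data model is built on tag=authentication,
# so tagging the eventtype is what puts these events into the model; no
# downstream search needs to know the sourcetype any more.
[eventtype=acme_cloudapp_authentication]
authentication = enabled

# savedsearches.conf -- a correlation-style search written against the data
# model instead of raw fields. Swapping the SaaS provider only requires a new
# CIM-compliant TA; this search stays as it is.
[Excessive Failed Cloud Logins (example)]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = | tstats summariesonly=true count as failures \
    from datamodel=Authentication.Authentication \
    where Authentication.action="failure" \
    by Authentication.user, Authentication.src \
  | rename Authentication.* as * \
  | where failures > 20
```

summariesonly=true makes the search read only the accelerated data model summary, which is the speed benefit the CIM slide refers to; drop it while validating the mapping so unaccelerated events are also returned.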

Splunk Demo

Data Exfiltration
O365
▶ User logged in in the middle of the night
▶ User logged in from outside of the US
▶ Downloaded a file
▶ Uploaded that file to a personal app

Unauthorized access
Box
▶ User accessed a file in Box outside his department
▶ It triggered notable events
▶ We also noticed a few other notables triggered
▶ It seems the account may have been compromised or we have an insider threat (in-house hacker)!

Key Takeaways

1. Gain insight from Hybrid, Cloud and On-Premises Services (Apps)
2. CIM makes your life easier
3. Office 365, Box and other cloud services can be used with ES now

Thank You
Don't forget to rate this session in the
.conf2017 mobile app
Join the Pony Poll

ponypoll.com/***
