
Forward-Looking Statements

This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management's current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation.

For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include any such feature or functionality in a future release.

Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.
All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved.
© 2023 SPLUNK INC.

A Threat-Based Approach to Extracting the Measurable Value of Your Security Data Sources
SEC1729C

Sam Hague, Security Delivery Manager, Accenture Security
Stan Kaplunov, Security Delivery Associate Director, Accenture Security

Using Value to Drive Improvements

What results will you achieve

• Happier senior management
• Optimized utilization of your costs
• Increased platform performance
• Quantified measurement of monitoring coverage
• Optimized log ingestion

Using Value to Drive Improvements

What improvements you can implement

• Identify value and build reporting capabilities
• Improve the use of data models
• Fix issues with data quality
• Build advanced detection

Client Challenges and Objectives

What issues are you and your business facing?

CISOs UNDER PRESSURE
• Investors and regulators are increasing pressure on the board and CISOs to reduce the risk
• Incident response preparedness - what data do I need for SOC to support incident response in accordance with regulations?
• Pressures to monitor more for less. The pace of data growth outpaces the security budget increases.

SEC OPS TEAMS ASSOCIATED CHALLENGES
• CISOs are putting pressures on SOC teams to provide more coverage for less $$
• How do you define value from your security data sources?
• Want to optimise ingestion volume but don't know what to strip out of your logs.
• Where do you start and how do you prioritise the activities to deliver the most value?

(Diagram: Regulatory Requirements + Cyber Risk + License Cost + Utilisation Pressures + Quantify Value = Challenges)

STEP 1
Identify, define and quantify your threat scenarios

Identify and Define Your Threat Scenarios

Take a step back. What are you trying to detect and how can this be achieved?

• To identify the value of your security data sources, you must understand your threat landscape.
• Threat scenarios may be generic, tailored to your specific industry or even your business itself.
• Identification of threat scenarios should encompass identification of critical assets and critical identities.

Example Threat Scenarios
• Ransomware
• Exfiltration of Company IP
• Unauthorised Access to Industrial Control Systems
• DDoS of Critical Applications

Mapping Your Threat Scenarios to MITRE ATT&CK®

How do you track your threat coverage?

Overview
• The MITRE ATT&CK® framework is a collection of knowledge that allows you to categorise cyber attack tactics (objectives) and techniques (how to achieve the objective).
• Allows you to quantify and map your threats against data sources and detection content.

Mapping your Content
1. Identify which techniques should be detected/prevented before you reach SIEM.
2. Identify which of your data sources need to be used for each detection.

Ransomware Top 10 Techniques
1. T1486: Data Encrypted for Impact
2. T1490: Inhibit System Recovery
3. T1027: Obfuscated Files or Information
4. T1047: Windows Management Instrumentation
5. T1036: Masquerading
6. T1059: Command and Scripting Interpreter
7. T1562: Impair Defenses
8. T1112: Modify Registry
9. T1204: User Execution
10. T1055: Process Injection
Source: CTID 2023 - Top ATT&CK Techniques (mitre-engenuity.org)

STEP 2
Identify and define your value factors

Defining and Measuring Value-Driven KPIs

What does value mean to you and your detection and response team?

Value Factors and Identification of Factors

Total number of accurate correlation rules
• Identify the data source of your correlation rules using the Splunk API.
• Use data such as total number of alerts and closure status to determine accuracy and confidence.

MITRE ATT&CK® coverage of your data source
• Map your use cases to MITRE ATT&CK® and build a coverage map.

Data usage in investigations, hunts, enrichment and incident response
• Confirm with your SOC team what the most used data source is.
• Review past incidents to see which sources were vital during response.

Quality and completeness of data
• Use the Monitoring Console and internal logs to detect data quality issues with event breaking, timestamp recognition, field extractions etc.
• Use logging standards to confirm the correct data is ingested.

Total license usage
• Use the Monitoring Console and internal logs to identify license usage by data source.

Legal department requirements
• Talk with your compliance teams and review logging policies to understand which data sources are in scope.

Indicators of High Value & Low Value

What factors should you be considering?

High value
• High number of accurate correlation rules
• Data allows you to detect key threats
• Accurate, useful dashboards and reports
• Data used frequently for hunting and investigations
• Used to drive enrichment/automation
• Field extractions, timestamps and event breaking correct
• Low volume data source

Low value
• Low number/inaccurate correlation rules
• Data does not provide any coverage against threats
• Not mapped to the Common Information Model (CIM)
• Data not used for hunts and investigations
• Data presents low value from an IR investigation point of view
• Parsing, transforms and time stamp errors
• High volume data source

STEP 3
Start extracting and measuring value from your own data

Dependencies & Prerequisites

What do you need to be doing to get started?

1. Understand Your Digital Ecosystem: a basic knowledge of your enterprise IT, network architecture and digital business environments.
2. Minimum Viable Security Visibility: enough visibility to create accurate correlation rules and detection content to identify suspicious/malicious activity.
3. Logical Data Structure in Splunk: data is ingested using a logical data structure and mapped to the CIM model.
4. Sufficient Rule Hygiene: production correlation rules are easily identifiable from non-production correlation rules and have/can be mapped to MITRE ATT&CK®.

Example Deployment
Based on real world engagements and client challenges

Use Cases: 7 custom correlation rules, 64 out of the box correlation rules.
Visualizations: Security operations create, deploy and maintain all reports and dashboards.
License Usage: 500GB with 90% utilization across 7 indexes.
Legal / Regulatory: Several data sources are required for legal or regulatory matters.
Deployment: Splunk® Cloud with Enterprise Security.

Correlation Rules
What data source(s) do your rules use?

Retrieve data from the Splunk API. Use SPL to search your correlation rules and extract the relevant indexes, source types and data models used to power the rules. Visualize these in a dashboard.

MITRE ATT&CK® Coverage
What threats do your correlation rules detect?

Using the MITRE ATT&CK App for Splunk and Splunk Security Essentials, map your correlation rules to the MITRE ATT&CK® techniques they detect and view your coverage.

(Chart: Top 5 MITRE ATT&CK® Techniques, coverage vs no coverage)
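As an added example (not code from the presentation, Accenture or Splunk), the Python below carries out the two steps described on the Correlation Rules and MITRE ATT&CK Coverage slides in one pass: it extracts the indexes, sourcetypes and data models each rule's SPL reads from, reads technique IDs from the Enterprise Security annotations setting, and reports per data source how many rules depend on it and which of the slide's ransomware top-10 techniques it covers. The saved-search records and rule names are constructed; fetching them from the saved/searches REST endpoint is assumed rather than shown.

```python
import json
import re
from collections import defaultdict

# Constructed ES correlation searches in the shape the saved/searches REST endpoint
# returns: the rule SPL plus the ES annotations setting holding ATT&CK technique IDs.
SAVED_SEARCHES = [
    {"name": "Ransomware - Shadow Copies Deleted",
     "search": '| tstats count from datamodel=Endpoint.Processes where Processes.process="*vssadmin*delete*" by Processes.dest',
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1490"]}'},
    {"name": "WMI Remote Process Launch",
     "search": 'index=wineventlog sourcetype=XmlWinEventLog EventCode=4688 ParentImage="*WmiPrvSE.exe"',
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1047", "T1059"]}'},
    {"name": "Registry Run Key Modified",
     "search": 'index=wineventlog sourcetype=XmlWinEventLog:Sysmon EventCode=13',
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1112"]}'},
    {"name": "Firewall Beaconing",
     "search": 'index=firewall sourcetype="pan:traffic" | stats count by src_ip dest_ip',
     "action.correlationsearch.annotations": '{"mitre_attack": ["T1071"]}'},
]

# Ransomware top-10 techniques from the slide (CTID 2023), used as the priority list.
PRIORITY_TECHNIQUES = {"T1486", "T1490", "T1027", "T1047", "T1036", "T1059", "T1562", "T1112", "T1204", "T1055"}

# index=, sourcetype= and datamodel= references in SPL, quoted or bare.
SOURCE_RE = re.compile(r'\b(index|sourcetype|datamodel)\s*=\s*"?([\w.:\-*]+)"?', re.I)

def data_sources(spl):
    """Set of 'kind:value' data sources a rule's SPL reads from."""
    return {f"{kind.lower()}:{val}" for kind, val in SOURCE_RE.findall(spl)}

def techniques(search):
    """Technique IDs from the ES annotations JSON (empty set if unannotated)."""
    raw = search.get("action.correlationsearch.annotations") or "{}"
    return set(json.loads(raw).get("mitre_attack", []))

def assess(searches, priority=PRIORITY_TECHNIQUES):
    """Per data source: number of rules using it and the priority techniques it covers."""
    report = defaultdict(lambda: {"rules": 0, "priority_techniques": set()})
    for s in searches:
        hits = techniques(s) & priority
        for src in data_sources(s["search"]):
            report[src]["rules"] += 1
            report[src]["priority_techniques"] |= hits
    return dict(report)

def coverage_gaps(searches, priority=PRIORITY_TECHNIQUES):
    """Priority techniques that no correlation rule is annotated with."""
    covered = set().union(*(techniques(s) for s in searches))
    return sorted(priority - covered)
```

The gap list is the "No Coverage" half of the coverage chart, and the per-source counts feed the first columns of the assessment table.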

Data Quality
Are there any issues with your data sources?

Use the Splunk Monitoring Console to validate the quality of your data. This will allow you to detect issues with line breaking, timestamps, aggregations and metrics, narrowing down issues to a single host or source.

License Usage
How much license are your data sources using?

Use Splunk _internal and _metrics indexes to identify the license usage for each of your data sources, narrowed by index, sourcetype or host.
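As an added example (not from the presentation), this Python parses the type=Usage events that license_usage.log writes to the _internal index and totals indexed bytes by index, sourcetype or host, which is the License Usage column of the assessment table. The log lines, hostnames and the 500 GiB pool size are constructed samples.

```python
import re
from collections import defaultdict

# Constructed license_usage.log events as seen in _internal. For type=Usage events
# b is bytes indexed for that source (s), sourcetype (st), host (h) and index (idx).
SAMPLE_LOG = """\
03-16-2023 15:28:01.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="XmlWinEventLog" h="dc01" o="" idx="wineventlog" i="A1B2" pool="enterprise" b=1073741824 poolsz=536870912000
03-16-2023 15:28:01.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/pan/traffic.log" st="pan:traffic" h="fw01" o="" idx="firewall" i="A1B2" pool="enterprise" b=4294967296 poolsz=536870912000
03-16-2023 15:28:01.000 +0000 INFO  LicenseUsage - type=Usage s="dns.log" st="isc:bind:query" h="ns01" o="" idx="dns" i="A1B2" pool="enterprise" b=8589934592 poolsz=536870912000
03-16-2023 15:28:02.000 +0000 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="XmlWinEventLog" h="dc02" o="" idx="wineventlog" i="A1B2" pool="enterprise" b=1073741824 poolsz=536870912000
03-16-2023 15:28:02.000 +0000 INFO  LicenseUsage - type=RolloverSummary stacksz=536870912000
"""

# key=value pairs, with quoted values allowed to contain spaces and colons.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_usage(log_text):
    """Yield field dicts for type=Usage events; other event types are skipped."""
    for line in log_text.splitlines():
        if "LicenseUsage" not in line:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "Usage":
            yield fields

def usage_by(log_text, key="idx"):
    """Indexed GiB per index ('idx'), sourcetype ('st') or host ('h'), largest first,
    with each one's percentage share of everything indexed in the sample."""
    totals = defaultdict(int)
    for ev in parse_usage(log_text):
        totals[ev[key]] += int(ev["b"])
    grand = sum(totals.values()) or 1
    return {k: {"gb": round(v / 1024**3, 2), "pct": round(100 * v / grand, 1)}
            for k, v in sorted(totals.items(), key=lambda kv: -kv[1])}

def quota_pct(log_text):
    """Share of the daily pool quota (poolsz) consumed by the Usage events."""
    events = list(parse_usage(log_text))
    if not events:
        return 0.0
    return round(100 * sum(int(e["b"]) for e in events) / int(events[0]["poolsz"]), 2)
```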

Sample Data Source Assessment

Pulling your data together

Data Source | No. of Correlation Rules | Correlation Rule Quality | No. of MITRE Techniques | No. of Priority Techniques | Data Usage | Data Quality | License Usage | Legal / Regulatory | Total Score
Operating Systems | 7 | High | 75 | 6 | High | High | 10.00% | Yes | 10
Cloud Activity 01 | 2 | High | 25 | 5 | High | High | 1.00% | Yes | 9
Firewall | 4 | Low | 50 | 4 | High | Medium | 21.40% | Yes | 5
EDR | 2 | High | 150 | 10 | Low | High | 0.20% | No | 8
Database Security | 0 | N/A | 15 | 3 | Low | Medium | 6.60% | No | 4
DNS | 0 | N/A | 35 | 2 | Medium | Medium | 48.00% | No | 2
Cloud Activity 02 | 6 | Medium | 25 | 5 | Medium | High | 4.40% | Yes | 7

Results Achieved
Our real world successes

• Increased ROI of 25-50%
• Reduction in audit and compliance findings in scope for SIEM
• Identification of security coverage gaps
• Identification of suspicious and malicious activity
• Optimized creation and deployment of detection content
• Reductions in false positives and analyst fatigue

Who we've seen success with: EMEA Telecommunications, EMEA Financial Institutions, UK Public Services

Further Questions?
Q. What would you add to your own data source assessment?

Call to Action! What can you do next?

• Concerned about the coverage and visibility of your SIEM? Identify your key data sources!
• Is your job performance evaluated by the value you get from Splunk? Tell your CISO you've got an idea on how to increase this value!
• Will you get a bonus if you increase your ROI? Start optimizing your logs today!

See the full demo at our booth

Thank You
