SEC1729C
Forward-Looking Statements
This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management's current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described, in beta or in preview (used interchangeably), or to include any such feature
or functionality in a future release.
Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.
All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved.
© 2023 SPLUNK INC.
A Threat-Based Approach to Extracting the Measurable Value of Your Security Data Sources
SEC1729C
Sam Hague
Security Delivery Manager | Accenture
Stan Kaplunov
Security Delivery Associate Director | Accenture
• Optimized utilization of your costs
• Increased platform performance
• Quantified measurement of monitoring coverage
• Optimized log ingestion
• Identify value and build reporting capabilities
• Improve the use of data models
• Fix issues with data quality
• Build advanced detection
STEP 1
Identify, define and quantify your threat scenarios
• To identify the value of your security data sources, you must understand your threat landscape.
• Threat scenarios may be generic, tailored to your specific industry or even your business itself.
• Identification of threat scenarios should encompass identification of critical assets and critical identities.
• Ransomware
• Exfiltration of Company IP
• Unauthorised Access to Industrial Control Systems
• DDoS of Critical Applications
2. Identify which of your data sources need to be used for each detection.
10. T1055: Process Injection
CTID 2023 - Top ATT&CK Techniques (mitre-engenuity.org)
STEP 2
Identify and define your value factors
MITRE ATT&CK® coverage of your data source
• Map your use cases to MITRE ATT&CK® and build a coverage map.
Data usage in investigations, hunts, enrichment and incident response
• Confirm with your SOC team which data sources are used most.
• Review past incidents to see which sources were vital during response.
Quality and completeness of data
• Use the Monitoring Console and internal logs to detect data quality issues with event breaking, timestamp recognition, field extractions etc.
• Use logging standards to confirm the correct data is ingested.
Total license usage
• Use the Monitoring Console and internal logs to identify license usage by data source.
Legal department requirements
• Talk with your compliance teams and review logging policies to understand which data sources are in scope.
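Two of these factors, license usage and data quality, can be measured directly from Splunk's internal logs before any scoring is done. The following is an added example and not the presenters' code: it totals license bytes per sourcetype from constructed license_usage.log lines and counts timestamp and event-breaking warnings per sourcetype from constructed splunkd.log lines. The line layouts mirror those two logs as commonly seen but are assumptions to verify against your own instance (in production the same records are searched from index=_internal).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of license_usage.log (layout mirrors Splunk's type="Usage" records; verify on your instance)
LICENSE_LOG = """\
09-27-2023 15:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" idx="wineventlog" pool="auto_generated_pool_enterprise" b=734003200 poolsz=10737418240
09-27-2023 15:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="aws:cloudtrail" st="aws:cloudtrail" h="aws" idx="cloud" pool="auto_generated_pool_enterprise" b=73400320 poolsz=10737418240
09-27-2023 15:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" b=0 poolsz=10737418240
"""
# Constructed sample of splunkd.log data-quality warnings (timestamp recognition, event breaking)
SPLUNKD_LOG = """\
09-27-2023 15:01:02.000 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event. Context: source=/opt/db/audit.log|host=db01|sourcetype=db:audit|1024
09-27-2023 15:01:03.000 +0000 WARN  AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded - data_source="/opt/db/audit.log", data_host="db01", data_sourcetype="db:audit"
09-27-2023 15:01:04.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.3
"""

USAGE_RE = re.compile(r'type="Usage".*?\bst="([^"]*)".*?\bb=(\d+)')
QUALITY_RE = re.compile(
    r'WARN\s+(DateParserVerbose|AggregatorMiningProcessor|LineBreakingProcessor)\b'
    r'.*?(?:data_)?sourcetype="?([^|"\s]+)')


def license_bytes_by_sourcetype(log: str) -> dict:
    """Sum the b= bytes of every type="Usage" record per sourcetype (st=)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        m = USAGE_RE.search(line)
        if m:
            totals[m.group(1)] += int(m.group(2))
    return dict(totals)


def license_share(log: str) -> dict:
    """Each sourcetype's share (percent) of all Usage bytes seen in the sample."""
    totals = license_bytes_by_sourcetype(log)
    grand = sum(totals.values()) or 1
    return {st: round(100 * b / grand, 2) for st, b in totals.items()}


def quality_warnings_by_sourcetype(log: str) -> dict:
    """Count timestamp and event-breaking warnings per sourcetype; these are the
    data-quality issues the Monitoring Console surfaces from the same log."""
    counts = defaultdict(Counter)
    for line in log.splitlines():
        m = QUALITY_RE.search(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1
    return {st: dict(c) for st, c in counts.items()}
```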
STEP 3
Start extracting and measuring value from your own data
Example Deployment
Based on real world engagements and client challenges
Correlation Rules: What data source(s) do your rules use?
MITRE ATT&CK® Coverage: What threats do your correlation rules detect?
Top 5 MITRE ATT&CK® Techniques: Coverage / No Coverage
Data Quality: Are there any issues with your data sources?
License Usage: How much license are your data sources using?
Data source | Values as extracted from the slide (column headings not recoverable)
Operating Systems | 7, High, 75, 6, High, High, 10.00%, Yes, 10
Cloud Activity 01 | 2, High, 25, 5, High, High, 1.00%, Yes, 9
Database Security | 0, N/A, 15, 3, Low, Medium, 6.60%, No, 4
Cloud Activity 02 | 6, Medium, 25, 5, Medium, High, 4.40%, Yes, 7
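A scoring model that turns the five value factors into one number per data source, added here as an example rather than the presenters' own model. The point weights, the 60-point "retain" threshold and the input values are assumptions chosen to illustrate the approach, loosely modelled on the example deployment rows.

```python
from dataclasses import dataclass

# Points per qualitative level; these weights are assumptions for this example, not the presenters' model
LEVEL_POINTS = {"High": 20, "Medium": 12, "Low": 6, "N/A": 0}
QUALITY_POINTS = {"High": 15, "Medium": 9, "Low": 3}


@dataclass
class DataSource:
    name: str
    correlation_rules: int        # rules that consume this source
    attack_coverage: str          # MITRE ATT&CK coverage: High / Medium / Low / N/A
    top5_techniques_covered: int  # 0..5 of the CTID top techniques detectable with it
    data_quality: str             # High / Medium / Low from Monitoring Console checks
    license_pct: float            # share of daily license volume
    legal_required: bool          # in scope of a logging policy or regulation


def score(src: DataSource) -> int:
    """Value score 0..100: detection value plus a small credit for low license cost."""
    pts = min(src.correlation_rules, 10) * 2                # max 20
    pts += LEVEL_POINTS[src.attack_coverage]                # max 20
    pts += max(0, min(src.top5_techniques_covered, 5)) * 4  # max 20
    pts += QUALITY_POINTS[src.data_quality]                 # max 15
    pts += max(0, 10 - int(src.license_pct // 2))           # max 10, cheaper is better
    pts += 15 if src.legal_required else 0                  # max 15
    return pts


def recommendation(src: DataSource) -> str:
    s = score(src)
    if s >= 60:
        return "retain"
    if src.legal_required:
        return "retain for compliance; build detections to raise its value"
    return "review: low detection value for its license cost"


def scorecard(sources: list) -> list:
    """Rank sources by score, highest first, with the suggested action."""
    rows = [(src.name, score(src), recommendation(src)) for src in sources]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inputs, loosely modelled on the example deployment slide
EXAMPLE_SOURCES = [
    DataSource("Operating Systems", 7, "High", 5, "High", 10.0, True),
    DataSource("Cloud Activity 01", 2, "High", 4, "High", 1.0, True),
    DataSource("Database Security", 0, "N/A", 3, "Low", 6.6, False),
    DataSource("Cloud Activity 02", 6, "Medium", 5, "Medium", 4.4, True),
]
```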
Results Achieved
Our real world successes
UK Public Services
Further Questions?
Q. What would you add to your own data source assessment?
Thank You