Published on November 21, 2019
1. © 2019 SPLUNK INC. Introduction to Incident Response with Splunk>Phantom
Splunk Live! Stockholm, 2019-11-13
Tibor Földesi | Security Analyst at Norlys a.m.b.a
Twitter: @Multi_Task_King
2. Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
3. About me
▶ Security Automation Analyst at Norlys a.m.b.a
▶ Main areas:
  ▶ Log analytics
  ▶ SIEM content engineering
  ▶ Incident response
  ▶ Automation & Orchestration
  ▶ Threat Intel
▶ Splunk ES + Phantom user since 2016
▶ Fan of everything in infosec, but bored of repetitive tasks
4. About Norlys a.m.b.a
▶ Ex-Sydenergi, -Stofa, -Eniig, -Boxer, -Evonet, -N1
▶ 709k owners
▶ 704 board members
▶ 2500 employees
▶ 1.5M customers
▶ 12 locations
▶ Biggest power utility and telecommunications concern in Denmark
5. What really is Splunk Phantom?
6. How We Got Started
▶ "Every battle is won or lost before it is fought." - Sun Tzu
▶ Our team had a clear vision:
  ▶ Gather a relatively small team of talents with a diverse knowledge pool
  ▶ Collect all the logs in Splunk
  ▶ Automate all the repetitive tasks
  ▶ Drink a lot of coffee tonic instead of working
7. Our Story
▶ Situation:
  ▶ We had to build log analytics and incident response capabilities from the ground up for a relatively big company in Denmark.
▶ Struggling with:
  ▶ Repetitive tasks, a myriad of tools, slow web UIs, creating and maintaining internal processes
▶ Wanted:
  ▶ A Mission Control for investigations with in-depth documentation and automation capabilities.
▶ Enter Phantom:
  ▶ With Phantom we are now able to automate the boring tasks and document every step, whether it is automated or manual.
8. Our 5 Step Journey with Splunk Phantom
1. Using Phantom for documentation and adding everything manually
2. Using applications in Phantom to semi-automate investigation processes
3. Chaining applications/actions together to create playbooks
4. Customizing the playbooks with some custom code, if needed
5. Connecting Splunk and Phantom for closer integration
▶ The most notable alerts from Splunk ES are now forwarded to Phantom – automated ticket creation
▶ Most of the tickets automatically initiate enrichment actions – automated ticket enrichment
▶ Advanced incident handling capabilities: Mission Control allows us to document and maintain our processes inside Phantom
9. Splunk>Phantom in real life
(Diagram: Servers, Endpoints, Network Devices, Apps / API)
10. Use Cases at Norlys (Part 1)
▶ Production server group containment with 4 eyes principle
▶ Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
▶ Grab browsing history from endpoint
11. Production server group containment with 4 eyes principle (2018)
▶ Same analyst can actually approve the contain action twice
▶ No 2 factor authentication
▶ Early, but working version of a great idea
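The two weaknesses listed for the 2018 version (one analyst approving the same contain action twice, and no second factor) are exactly what a four-eyes gate has to rule out. The following is an added example, not Norlys' playbook and not the Phantom API: the Approval record, the set of authorized approvers and the initiator parameter are assumptions standing in for whatever the approval prompt returns in a real playbook.

```python
from collections import namedtuple

# Constructed record shape (assumption, not the Phantom prompt-action result):
# who answered the approval prompt, what they answered, and whether the
# session they answered from was protected by a second factor.
Approval = namedtuple("Approval", "user decision mfa")


def check_four_eyes(approvals, authorized, initiator=None):
    """Decide whether a containment request may run.

    Returns (ok, reason). ok is True only when at least two *different*
    authorized users approved, each from an MFA-backed session, and none of
    them is the analyst who raised the request. Any explicit denial wins.
    """
    approvers = set()
    for a in approvals:
        if a.decision.strip().lower() != "approve":
            return False, "%s declined the containment" % a.user
        if a.user not in authorized:
            return False, "%s is not allowed to approve containment" % a.user
        if a.user == initiator:
            return False, "%s cannot approve their own request" % a.user
        if not a.mfa:
            return False, "%s approved without a second factor" % a.user
        approvers.add(a.user)  # a set: the same analyst is only counted once
    if len(approvers) < 2:
        return False, "need 2 distinct approvers, got %d" % len(approvers)
    return True, "approved by " + ", ".join(sorted(approvers))


if __name__ == "__main__":
    team = {"alice", "bob", "carol"}  # constructed list of authorized approvers
    # The 2018 weakness from the slide: one analyst answering the prompt twice.
    print(check_four_eyes([Approval("alice", "approve", True),
                           Approval("alice", "approve", True)], team))
    # What the gate should accept: two different analysts, both with MFA,
    # neither of them the analyst who raised the request.
    print(check_four_eyes([Approval("alice", "approve", True),
                           Approval("bob", "approve", True)], team,
                          initiator="carol"))
```

The playbook should only continue to the contain action when the first element of the returned tuple is True; the reason string is worth writing into the ticket either way.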
12. Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis
13. Production server group containment with 4 eyes principle (2019)
14. Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2018)
▶ This playbook required too many resources and used a lot of custom code
▶ Hard to maintain and to debug, but possible
▶ Is there a better and more automated way?
15. Grab quarantined file from an endpoint and upload it to the malware sandbox for analysis (2019)
16. Grab browsing history from endpoint (2018)
▶ Early version, a lot of custom code
▶ How can we improve it?
17. Grab browsing history from endpoint (2019)
18. Use Cases at Norlys (Part 2)
▶ Create HUD for AV alerts
▶ Chat tool notification if a ticket was created automatically
▶ Initiate memory capture remotely on an endpoint
20. Chat tool notification if an automated ticket was created
21. Initiate memory capture remotely on an endpoint
22. Initiate memory capture remotely on an endpoint
▶ No user interaction
▶ Relatively fast
▶ Auto check if finished with a scheduled playbook
23. Mission Control in Phantom on-premise
24. KPIs
▶ Our goal is not to work, just to drink coffee
▶ Mostly, we measure success if:
  ▶ We don't have to disturb the users - actual KPI
  ▶ We don't have to physically obtain the machines for forensics
  ▶ We can at least semi-automate investigation and documentation tasks (the more the better)
▶ Sneaker-net vs API speed - the real advantage
  ▶ Hours/days vs 30 seconds
25. Key Takeaways
1. Splunk offers professional services for Phantom – highly recommended
2. Have a separate development environment
3. If you hit walls, the custom code option is there
4. The Community Edition is FREE
5. Join the friendly and helpful phantom-community Slack channel
26. Links for getting started
▶ Phantom community webpage: https://my.phantom.us/
▶ Phantom community Slack: https://phantom-community.slack.com/
▶ Documentation: https://my.phantom.us/4.6/docs/
▶ Online trainings on Splunk Education: https://education.splunk.com/catalog?category=phantom-courses
27. News from Splunk .conf19
▶ Applications are now open-source
▶ Per-seat license model
▶ Python 3 migration work underway (currently only 2.7)
▶ Mission Control (for Splunk cloud environment)
▶ Mobile app is now available with Phantom 4.6
29. Thank You.