FACT SHEET
Splunk® User Behavior Analytics
Detect Cyber Attacks and Insider Threats – Powered by Caspida

HIGHLIGHTS
• Improve detection of known, unknown and hidden cyber attacks and insider threats.
• Increase security analyst effectiveness by prioritizing threats and reducing false positives.
• Easy to use for SOC analysts and incident responders.

New Layer of Cyber Defense
Splunk User Behavior Analytics helps organizations find known, unknown and hidden threats using machine learning, behavior baselines, peer group analytics, and advanced correlation to find lurking APTs, malware infections, and insider threats. It addresses security analyst and hunter workflows, requires minimal administration, and integrates with existing infrastructure to locate hidden threats.

Behavior-Based Threat Detection
• Multi-entity behavior profiling and peer group analytics – users, devices, service accounts and applications
• Threat and anomaly detection with sophisticated kill-chain visualization
• Machine learning – no signatures, no human analysis

Key Use Cases
• Cyber Attack Detection
• Insider Threats
• On-line Account Takeovers

Data Sources
• Identity and Privileged User Activity: entity ID and authentication events (Active Directory, single sign-on, VPN, etc.), and privileged account management applications
• Activity: HTTP transactions, intra-network activities (firewall, web gateway, VMs, proxy, DLP, etc.)
• SIEM: existing SIEM and log management products (HP/ArcSight, LogRhythm, IBM/QRadar, etc.)
• Hadoop Ecosystem: existing Hadoop data repositories (Cloudera, HortonWorks, etc.)
• Malware Detection: existing sandbox or dynamic analysis products (FireEye, Palo Alto Wildfire, etc.)
• External Threat Feeds: external threat feeds (FS-ISAC, Google CIF, etc.)
• Cloud, Mobile: mobile device events, remote application logs, AWS CloudTrail, Box, etc.
• Endpoint: application and security logs from laptops, desktops and servers
• Custom Apps: live event streaming via JavaScript, Java, REST, Syslog
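The fact sheet describes behavior baselining and peer group analytics (under Behavior-Based Threat Detection) without showing the mechanics. The following Python script is an added illustration, not part of the Splunk fact sheet and not Splunk UBA code: it builds a per-user baseline and a peer-group baseline from constructed daily activity counts, scores each user's current day with a robust (median/MAD) z-score against both, and assigns a severity that depends on whether the behavior is unusual for the user only, for the peer group only, or for both. The sample data, the 3.0 threshold, the peer-group labels and the 1.0 floor on the MAD scale are all assumptions made for the example.

```python
"""Peer-group baselining over constructed daily activity counts.

Each record is (user, peer_group, day_index, files_downloaded). The history
and the "today" observations below are constructed for this example.
"""
from collections import defaultdict
from statistics import median

# Constructed history: 10 days for four users in two peer groups.
HISTORY = []
for day in range(10):
    HISTORY += [
        ("alice", "finance", day, 20 + (day % 3)),
        ("bob",   "finance", day, 18 + (day % 4)),
        ("carol", "eng",     day, 60 + (day % 5)),
        ("dave",  "eng",     day, 55 + (day % 2)),
    ]

# Constructed observations for the day being scored.
TODAY = [
    ("alice", "finance", 10, 21),   # normal for alice and for finance
    ("bob",   "finance", 10, 400),  # far above bob's baseline and the finance group
    ("carol", "eng",     10, 62),   # normal for carol and for eng
    ("dave",  "eng",     10, 65),   # above dave's own baseline, but routine for eng
]

# Assumed threshold: a robust z above this counts as anomalous.
THRESHOLD = 3.0


def mad_zscore(value, samples):
    """Robust z-score: (value - median) / (1.4826 * MAD).

    1.4826 rescales the MAD to a standard deviation for normal data. The
    scale is floored at 1.0 (an assumption for this example) so that a
    near-constant baseline cannot divide by zero or produce absurd scores.
    """
    med = median(samples)
    mad = median([abs(s - med) for s in samples])
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def score_entities(history, today, threshold=THRESHOLD):
    """Return {user: severity} for users whose current count is anomalous.

    Severity combines two baselines:
      high   - unusual for the user AND for the peer group
      medium - normal for the user's own history but far above the peer group
      low    - unusual for the user but within what peers routinely do
    Only excess activity (positive z) is flagged here.
    """
    own = defaultdict(list)
    peers = defaultdict(list)
    for user, group, _day, count in history:
        own[user].append(count)
        peers[group].append(count)

    findings = {}
    for user, group, _day, count in today:
        # A user with no history has no personal baseline yet; rely on peers.
        own_z = mad_zscore(count, own[user]) if own[user] else 0.0
        peer_z = mad_zscore(count, peers[group]) if peers[group] else 0.0
        if own_z > threshold and peer_z > threshold:
            findings[user] = "high"
        elif peer_z > threshold:
            findings[user] = "medium"
        elif own_z > threshold:
            findings[user] = "low"
    return findings


if __name__ == "__main__":
    for user, severity in score_entities(HISTORY, TODAY).items():
        print(f"{user}: {severity}")
```

The point of scoring against both baselines is the false-positive reduction the fact sheet claims for peer group analytics: dave's jump from the mid-50s to 65 is a large deviation from his own history, but it is ordinary for the eng group, so it is reported at low severity rather than alongside bob's 400.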
Sample Threats Prevented
• Suspicious login activity
• Privileged account abuse
• Data exfiltration
• Virtual machine and container breach
• Unusual SaaS and remote user behavior
• Rogue mobile device transmitting malware
• Privileged app infiltration, data theft
• AWS and cloud asset compromise
• Malware CnCs or bad IP addresses
• Systems infected with malware
Streamlined Threat Workflow
• Splunk User Behavior Analytics reduces billions of raw events to thousands of anomalies, which result in tens of threats that the security team can review and resolve quickly
• Powerful security-semantics-aware machine learning algorithms, dynamic statistical methods, and correlations identify hidden threats for review
• Context, location and container aware, so that security anomalies are detected and correlated into threats with a low rate of false positives

Architecture
Splunk User Behavior Analytics is built as a platform that includes the Hadoop ecosystem for scalable, cost-efficient and open data persistence. The platform is designed for real-time and large-scale event analysis, and includes time-series databases and graph databases for processing and representing security connections within the network. The platform provides RESTful APIs for integrating with third-party products to ingest data automatically, as well as to drive action for remediation and prevention. The product is proven to scale over hundreds of TBs and billions of events.
Kill Chain Detection and Attack Vector Discovery
• Automatic identification of abnormal APT/breach activity (CnC, lateral communication, etc.) and suspicious kill-chains, e.g. pass-the-hash attacks
• Detection of lateral (east-west) patterns of malware or malicious insider proliferation
• Real-time flagging of anomalous activity, e.g. suspicious URL activity or land-speed violations of logins
• Behavior-based detection of device or system irregularities, e.g., VM or AWS container threat activity
• Detection of botnet or Command-and-Control activity, e.g., Trojans or polymorphic malware

Threat Review and Exploration
• Threat path sequencing, highlighting abnormal/suspicious paths and frequencies
• Advanced correlations across models resulting in critical threat identification
• Self-learning and adaptive algorithms – machine learning and statistical
• Interactive threat exploration and supporting evidence presentation

Deployment Options
• On-premise VM or software
• AWS and vCloud Air public cloud

Why Behavioral Analytics from Splunk?
Machine learning, statistical profiling and other anomaly detection techniques need a foundation. A massively scalable and readily available data platform is required to support advanced analytics, one that provides users accessibility, quality and data coverage from a range of security and enterprise systems. The entire lifecycle of security operations, from prevention, detection, response and mitigation to the ongoing feedback loop, must be unified by continuous monitoring and advanced analytics to provide context-aware intelligence. The threat detection capabilities in Behavioral Analytics extend the search/pattern/expression (rule) based approaches currently in Splunk and Splunk Enterprise Security for detecting threats.

Splunk can provide the data platform as well as the security analytics capabilities needed to allow organizations to monitor, alert, analyze, investigate, respond, share, and detect known and unknown threats regardless of organizational size or skillset.

Learn more about Splunk User Behavior Analytics by contacting ubainfo@splunk.com.
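The Kill Chain Detection section lists "land-speed violations of logins" as an example of real-time anomaly flagging. The following Python script is an added illustration of that check, not part of the Splunk fact sheet and not Splunk UBA code: it parses constructed authentication log lines, geolocates source IPs through a small constructed lookup table, and flags a user whose consecutive successful logins would require travelling faster than a plausible ceiling. The log lines, the IP-to-city table, the 900 km/h ceiling and the 50 km jitter tolerance are assumptions made for the example; it also handles the edge cases a real detector must handle (unsorted events, unknown geolocation, and two logins at the same instant).

```python
"""Land-speed (impossible travel) login detection over constructed log lines."""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed geolocation table using documentation-range addresses;
# coordinates are approximate city centres.
GEO = {
    "203.0.113.10": ("San Francisco", 37.7749, -122.4194),
    "198.51.100.7": ("London", 51.5074, -0.1278),
    "192.0.2.44":   ("New York", 40.7128, -74.0060),
}

# Constructed authentication log lines: "<utc timestamp> <user> <source_ip> <result>".
LOG_LINES = """\
2015-06-01T09:00:00Z alice 203.0.113.10 success
2015-06-01T09:45:00Z alice 198.51.100.7 success
2015-06-01T08:00:00Z bob 203.0.113.10 success
2015-06-01T16:00:00Z bob 192.0.2.44 success
2015-06-01T10:05:00Z carol 203.0.113.10 success
2015-06-01T10:00:00Z carol 203.0.113.10 success
2015-06-01T12:00:00Z dave 203.0.113.10 success
2015-06-01T12:00:00Z dave 198.51.100.7 success
2015-06-01T13:00:00Z erin 10.9.8.7 success
2015-06-01T13:30:00Z erin 198.51.100.7 failure
"""

MAX_SPEED_KMH = 900.0   # assumed ceiling for plausible travel (airliner speed)
JITTER_KM = 50.0        # assumed tolerance for same-metro / geolocation noise


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_logins(text):
    """Return (timestamp, user, ip) for successful logins only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        if result != "success":
            continue   # a failed attempt does not place the user anywhere
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, ip))
    return events


def land_speed_violations(text, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins per user that imply an implausible travel speed."""
    by_user = defaultdict(list)
    for when, user, ip in parse_logins(text):
        geo = GEO.get(ip)
        if geo is None:
            continue   # no geolocation, so no distance can be reasoned about
        by_user[user].append((when, ip, geo))

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])   # log order is not guaranteed to be chronological
        for (t1, ip1, g1), (t2, ip2, g2) in zip(evs, evs[1:]):
            dist = haversine_km(g1[1], g1[2], g2[1], g2[2])
            if dist < JITTER_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two distant logins at the same instant are an infinite-speed violation.
            speed = math.inf if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": (g1[0], ip1, t1.isoformat()),
                    "to": (g2[0], ip2, t2.isoformat()),
                    "km": round(dist),
                    "kmh": speed,
                })
    return findings


if __name__ == "__main__":
    for f in land_speed_violations(LOG_LINES):
        print(f"{f['user']}: {f['from'][0]} -> {f['to'][0]} ({f['km']} km, {f['kmh']:.0f} km/h)")
```

With the constructed data, alice (San Francisco to London in 45 minutes) and dave (two cities at the same instant) are flagged; bob's San Francisco to New York in eight hours is below the ceiling and is left alone, which is the distinction that keeps this check from paging on ordinary travel.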
250 Brannan St., San Francisco, CA 94107 info@splunk.com | sales@splunk.com 866-438-7758 | 415-848-8400 splunkbase.splunk.com
www.splunk.com
© 2015 Splunk Inc. All rights reserved. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Hunk, Splunk Cloud, Splunk Light, SPL and Splunk MINT are trademarks
and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. Item # FS-Splunk-UBA-107