Heutzutage 
haben über 50 % der Unternehmen mit mehr als 2.500 Mitarbeitern IT-Sicherheitsteams eingerichtet. Ihr Ziel: Die Widerstandsfähigkeit gegen Cyberangriffe gewährleisten. Und das ist bei der stetig wachsenden Anzahl und Komplexität der Cyberattacken bitter nötig. So schützen diese Teams
- Wertvolle Assets ihrer Unternehmen
- Mitarbeiter
- Kunden
- Zulieferer
- und stellen oft sogar sicher, dass Cyberangriffe auf kritische Infrastrukturen und Dienste (z. B. Versorgungsunternehmen) nicht direkt ein ganzes Land lahmlegen.
Erst kürzlich haben wir ein Webinar gehalten, in dem wir erklärt haben, warum es für SOC-Manager wichtig ist, den Reifegrad und die Fähigkeiten innerhalb des IT-Sicherheitsbetriebs regelmäßig zu definieren und zu dokumentieren. Die Frage ist jedoch auch: Was kommt nach der Planung? Die Antwort ist einfach: die Ausführung. Und genau deshalb kann ich die .conf dieses Jahr kaum erwarten!
Das Spektrum an Themen und Referenten ist riesig - von Kunden aus der EMEA-Region bis hin zu Splunk-eignen Security-Experten. Sie alle teilen ihre Erfahrungen, innovative Ideen und einfallsreiche Best Practices. Was ihr davon habt? Einen einzigartigen Pool an kostenlosem Wissen, das jedes Security Operations Team happy macht. Und angewendet macht dieses Wissen eure Digitalisierungsprojekte ein großes Stück sicherer. Ansehen und ausprobieren lohnt sich also!
Hier meine Top-Empfehlungen der EMEA Security-Sessions (bitte beachtet, dass die .conf wie jedes Jahr in englischer Sprache stattfindet, deswegen sind die Session-Beschreibungen unten auch auf englisch):
Shell - Daniel Ferreira
SEC1075 - “Effective & Affordable Cyber-Security Vulnerability Management With Splunk Enterprise”
Daniel is a Lead Vulnerability Analyst at Royal Dutch Shell. He will showcase how Shell use Splunk in an effective and affordable way for Cyber-Security Vulnerability Management. The first task of any security team is to know what you have to look out for, which assets, users, systems, cloud accounts and services. His team works in a highly complex environment with hundreds of subsidiaries. He demonstrates how you can use the power of Splunk to quickly answer any security related question across any subsidiary.
CERT Energy Israel - Efi Kaufmann
SEC1395 - “Anomaly Mining in Windows Event Logs”
Efi is the CTO for Israel’s Ministry of Energy Cyber Security Center. He is responsible for the implementation of Splunk-based capabilities to evaluate the security posture and resilience of the Israel energy sector and to assist in their cyber defense effort. But how do you cope if you get log and activity data from hundreds of energy providers log? Efi and his team utilize the power of the Splunk Machine Learning Toolkit (MLTK). He will use Windows event log examples to showcase how any SOC can improve detection capabilities.
HSBC & Adarma - Hannah Cornford and Tom Wise
SEC1440 - “Risk-Based Response: Maturing your Security Operations With Risk Awareness and Splunk SOAR (Phantom)”
Hannah leads a global team responsible for delivering innovative automated solutions in HSBC’s global SOC. Her slogan is: “No API? Not interested”. She collaborated with Tom Wise, works at our Splunk Partner Adarma, has been a Splunk Trust member since 2019 and was the first Certified Splunk Phantom (now Splunk SOAR) Consultant in EMEA. Many Splunk Security Ninjas know the beauty of Risk Based Alerting in Splunk ES which focuses mostly on the detection side - Hannah and Tom have evolved this concept to SOAR with “Risk-Based Response”. Hannah and Tom will show you what exactly it is and how to “make speedier and more accurate decisions using dynamic risk-based decisions”.
Thales - Gabriel Vasseur
SEC1441 - “How We Maintain Our Correlations in Splunk Enterprise Security at Thales UK”
Gabriel is a Senior Cyber Security Analyst with Thales UK. After 9 years in the antispam and antivirus industry, he joined the team at Thales to help develop the CSOC platform. At Thales the team built and implemented over 150+ correlations in Splunk ES - all at various levels of maturity, complexity and consistency depending on how much they knew at the time of creation. So what is needed and how to effectively manage, audit and increase the quality? Gabriel showcases how he pimped Splunk ES through it’s Open Framework with a peer review functionality and more. Everything is prepared and ready to take home for the audience.
Splunk - Dr. Josh Cowling & Stefanos Bogdanis
SEC1495C - “DoH or DoH Not, There Is No Try. Is Machine Learning the Force You Need To Save Your Detections From the Encryption Empire?”
Josh is a Staff Solutions Architect at Splunk in the UK. Prior to Splunk he worked in engineering and data science with dangerous lasers and x-rays for industrial and medical applications. He presents together with Stefan, a consulting solutions engineer supporting the UK Team. Stefan is a PhD candidate and researches the explainability of ML/AI assisted intrusion detection systems. Fun fact: Stefan is also an avid breakdancer. The NSA warns against using DNS over HTTPS (DoH) - they will explain what DoH is, identify what impact it has on visibility for security teams and present their work on how security teams are able to tell if any DoH Traffic is used within their network. Using a data set from the Canadian Institute of Cyber Security, they will show how machine learning can be applied to differentiate between legit and benign DoH traffic.
Splunk - Johan Bjerke and Cynthia Li
SEC1643A - “Splunk Security Essentials: An Approach to Industry Threat Detection Engineering”
Johan is a Principal Security Strategist and Security SME at Splunk working from Sweden. He supports the largest customers in EMEA solving complex security challenges. He is the lead developer of the popular Security Essentials App as well as the Splunk App for Web Analytics. He’ll present together with Cynthia, the Sr. Product Manager for Splunk Security Essentials, InfoSec App as well as Security Content Service. In their session they will share best practices for prioritising security detections and which need to be implemented first, using an Industry sector approach.
Splunk - Erick Contreras and Rod Soto
SEC1153C - “Fighting Ransomware With Splunk Attack Range”
Erick is a Senior Threat Research Engineer at Splunk based in Munich and recently joined us from the Airbus SOC. He has a 12 year background on malware analysis/reverse engineering, digital forensics and detection development in blue teams. Together with Rod, a well known speaker in the infosec community, they will show how to tackle different ransomware campaigns. They will present real life examples run against Splunk Attack Range machines to analyze, discover, detect and they will use playbooks for defense. In addition they will talk about how to share guidance and detections with the community.
Happy Splunking & wir sehen uns auf der .conf21!
Allen Konversationen auf der #splunkconf21 folgen!
*Dieser Artikel wurde aus dem Englischen übersetzt und editiert. Den Originalblogpost findet ihr hier: No Time To Die In SecOps: (00)7 Must Watch .conf21 from EMEA.
