Goodbye, October. Hello, June! .conf22 is coming to you earlier this year, and it’s going to be our best .conf yet! I know, we say that every year. But after two years away, we’re excited to be back in Las Vegas — live and in living color. And for those that can’t attend in person, we're also offering a virtual .conf experience. It’s the best of both worlds! You can join us in Las Vegas, June 13-16 or virtually, June 14-15.
For this year’s .conf, we’ve assembled an awesome lineup of security sessions across multiple categories. Splunk security experts, customers and technology partners are excited to share the latest innovations in security technologies across security analytics, security automation, threat intelligence, threat detection and response, fraud prevention, and more. Join us and attend sessions about how to address supply chain attacks, insider threats, OT security, zero trust — the list goes on.
There will be more than 50 security sessions on tap to choose from, but here are some of our favorites.
Boss of the SOC (BOTS)
BOTS is back, live at .conf22! You don’t want to miss our capture-the-flag-style activity, where participants use Splunk technology to answer a variety of questions about real-world scenarios that security analysts face daily. Sign up now, form your team, and join us in Las Vegas on Monday, June 13th at 6:00 PM Pacific Daylight Time (PDT)!
SEC1481C - Detecting Server Side Request Forgeries in AWS With Splunk® Enterprise, ES and Stream
In 2019 an attack against a high-profile financial institution resulted in the loss of personal data of over 100 million customers. The attackers had carried out a server-side request forgery (SSRF), which allowed the group to gain access. We'll cover high-level SSRF fundamentals, AWS and Splunk integration, and finally, how to use Stream, Splunk® Enterprise Security, and Splunk® Enterprise to detect the signs of such an attack as they're occurring.
SEC1459A - Splunk® Security Essentials - Gain Situational Awareness by Managing All Your Security Content
Organizations today are likely to have multiple disparate security tools, each providing detection coverage for a different technology stack and together enabling defense in depth. A drawback of this approach is the difficulty of gaining timely and accurate situational awareness of total defensive coverage across these disparate tools. This session is for content creators, SOC managers, and CISOs who want to see how Splunk® Security Essentials can help you gain situational awareness by managing all your security content.
SEC1258C - Log4j Matchmaking: An Introduction To Generating Adversarial Logs
Still recovering from the Log4j blues? Let's not rehash the ruined holidays or sleepless nights. Instead, let's explore two separate open-source tools that may help us get more sleep next holiday season. Both tools, Splunk Attack Range and Synthetic Adversarial Log Objects (SALO), were developed by Splunk threat researchers. With these tools, we’ll show you how to automatically build infrastructure to test and generate adversarial logs targeting our fictitious network with a Log4j vulnerability. We will then use the information we gather to leverage SALO to generate synthetic logs mimicking this adversarial behavior without the need to build any infrastructure or execute any exploits.
SEC1189C - Home on the Range: Detection Engineering With Splunk Attack Range
To most people, developing, testing and tuning security threat detections would appear to be a daunting task. Where do you start, how do you make it consistent and repeatable, and how could something like this ever be fun? With Splunk Attack Range, all the hard work is done. Now you can get into the details of simulating attacks with Atomic Red Team and developing and testing your security threat detections with Splunk® Enterprise Security in a consistent, flexible and repeatable manner. With Splunk Attack Range you can also learn how risk-based alerting (RBA) works and how you can use it for better threat detection.
Security Orchestration, Automation and Response
SEC1304C - A Beginner’s Guide to SOAR: Automate 5 Basic Security Processes in Under 30 Minutes
Let’s face it, manually operating repetitive security processes every day is boring — creating fatigue and burnout for you and your team. Enriching URLs. IP reputation checks. Blocking domains and file hashes. These are critical tasks that can now be offloaded to machines to automate the basics. Join us to learn how to simply build five Splunk® SOAR playbooks to respond to today’s most common security alerts automatically. Prepare to launch and get ready to SOAR!
SEC1676B - Splunk® SOAR + SIEM - An Automation Powerhouse for Cyber Incident Response
With attacks becoming more sophisticated, time is a key factor when managing incidents in a big enterprise where different security controls generate thousands of alerts. This has led to a challenge where detection needs to happen in under a minute and containment within 60 minutes, which is nearly impossible with SIEM only. Here, a combination of Splunk® SOAR + SIEM helps create a framework by streamlining security incident response with accelerated response capabilities. This approach using automation reduced our threat detection time by 87%, response time by 94%, and remediation time by 70%. Join this session to see how we did it, and how you can leverage automation in your organization.
SEC1647C - Fusing Intelligence Into Splunk® SOAR
Attend this session to learn how Splunk® Intelligence Management ingests, normalizes and prioritizes intelligence from over 70 sources to simplify Splunk® SOAR automation playbooks. We will review how you can manage intelligence upstream to enhance phishing triage flows, enrich investigations, and improve priority scoring for more targeted automated responses.
SEC1507C - Accelerate Investigations With Intelligence Management
SOC teams are integrating multiple intelligence sources into the tools they work with daily, but data from each source comes in different structures and formats. Teams have to rely on the tedious, time-consuming collection, data cleaning, and manual curation techniques of their intelligence sources to ensure that their tools aren’t generating unnecessary alerts from that data. This session highlights how Splunk Intelligence Management (formerly TruSTAR) aggregates intelligence from multiple sources to be enriched, normalized and prioritized using Intelligence Flows. That normalized, prioritized data is leveraged directly in Splunk® Enterprise Security to accelerate investigations and improve alert prioritization.
Prevent, Detect, Investigate, and Respond
SEC1609C - Purple Teaming - Build, Attack, and Defend Your Organization
Have you wanted to know whether your current detections are working, or whether you have detection coverage for a particular attack technique? Have you tried to break down the silos between your red and blue teams? Have you wondered what it takes to build a purple team? Purple teaming is threat intelligence-driven, combining the efforts of red and blue teams to mimic adversarial attacks and identify gaps in your organization’s security posture. Find out how to build a purple team program and how it can benefit your team in detecting badness faster. Learn how to simulate adversary behaviors, test your current threat detection and response process, and hunt through your data with Splunk and open source tools!
SEC1509C - Building Cyber Resiliency Through Better Detection, Investigation, and Remediation
In the event of an attack, security teams need a security operations platform with advanced analytics, integrated intelligence and automation solutions to piece together what happened quickly, the impact it had on the organization, and how to respond. This session will walk attendees through a security event to show how the Splunk security operations solutions work together to deliver better detection, investigation, and response.
Splunk Partner Ecosystem and Integrations
SEC1456B - Splunk in P&U: Empowering OT and the Grid
As the nation's critical infrastructure becomes more interconnected with IT, the collection and aggregation of event data for operations and security has become increasingly valuable. Splunk is being implemented as a new-age historian for energy companies with an ever-increasing need for full visibility. While operators monitor voltage, SOC analysts must learn to monitor for security and operational threats in an environment that must maintain a stable grid, all in the wake of geopolitical tension, extreme climate and national electrification. In this talk, participants learn how Splunk can be implemented in critical infrastructure, from the data center to the substation, to maintain the core tenets of safety, reliability, and availability.
SEC1514B - Understanding the Latest Ransomware Threats To Protect Your Organization
Ransomware groups are constantly evolving their tactics to gain leverage and monetize breaches. High-impact, headline-making incidents continue to grow in volume and scope. Discover and learn how to build an effective defense based on advanced threat protection, zero trust, and analytics. Join threat researchers from Zscaler and Splunk as they discuss their research on the latest ransomware developments and trending attack techniques.
.conf22 will blow your SOCs off! See you there.
Follow all the conversations coming out of #splunkconf22!