What’s new in Splunk 7.0?.

Presentation on theme: "What’s new in Splunk 7.0?."— Presentation transcript:

1 What’s new in Splunk 7.0?

2 Splunk Enterprise 7.0
The easiest way to aggregate, analyze, and get answers from your machine data.

Monitor: Automate, collect, index, and visualize your machine data in real time.
Investigate: Discover insights from any machine data, structured or unstructured.
Build Intelligence: Analyze, predict, and act on outcomes from your machine data.
Additionally: improved visualisations, custom apps in Splunk Cloud.

Most of our customers begin their Splunk journey with our flagship product, Splunk Enterprise. We are continuing to invest in this platform, and we are continuing to identify ways to make this engine better. I am pleased to announce a significant milestone: the release of Splunk Enterprise 7.0! Splunk Enterprise 7.0 is the easiest way to aggregate, analyze, and get answers from your machine data. We categorize the product into three focus areas:

MONITOR: Splunk Enterprise 7.0 lets you get home early by automating the collection, indexing, alerting, and visualization of the real-time machine data that is critical to your organization’s operations and performance. These are the things that happen in the background, and happen all the time.

INVESTIGATE: Splunk Enterprise 7.0 is the ideal solution for the investigator in your organization. You can discover insights from any machine data, structured or unstructured, and you can do this without problems even as the volume and complexity of your data increases.

BUILD INTELLIGENCE: Splunk Enterprise 7.0 is machine learning for the masses. This is our aspiration; this is the direction that we’re heading in. It is the leading platform for analyzing, acting on, and predicting future outcomes from machine data. Let’s take a closer look….

3 Splunk Enterprise 7.0 The easiest way to aggregate, analyze, and get answers from your machine data Automate, collect, index, and visualize your machine data in real time. Monitor Discover insights from any machine data–structured or unstructured. Investigate Analyze, predict, and act on outcomes from your machine data. Build Intelligence

4 Monitor: Metrics and Events
Two distinct machine data sources that have been hard to integrate…until now.

Metrics: numbers describing a particular process or activity, measured over intervals of time, i.e., time series data. Common metrics sources: system metrics (CPU, memory, disk); infrastructure metrics (AWS CloudWatch); web tracking scripts (Google Analytics); application agents (APM, error tracking).

Events: immutable record of discrete events that happen over time. They come in three forms: plain text, structured, binary. Common event sources: system and server logs (syslog, journald); firewall and intrusion detection system logs; social media feeds (Twitter…); application, platform and server logs (log4j, log4net, Apache, MySQL, AWS).

Sample log (as extracted): [29/Aug/ :47:05:316503] "POST /cart.do?uid=84e8d742-a31d69&action=remove&&product_id=BS-2&JSESSIONID=SD6SAL4FF1ADFF9 HTTP 1.1" " product_id=BS-2" "Mozilla/5.0 (Intel Mac OS X 10_12_2) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36" 98

Sample metric, equivalent to one metric value: Timestamp; Metric Name (os.cpu.user); Value; Dimensions (hq:us-west-1).

With Splunk Enterprise 7.0 and the latest Splunk solutions, it will be much easier to work with metrics, which are sets of numerical, time series data used to track a particular process or activity. You might think, “Splunk has always dealt with metrics.” We’re all familiar with graphs and charts in Splunk. Let me explain how this is different with Splunk Enterprise 7.0.

5 Taking the meh out of metrics
Monitor: Splunk Metrics, taking the meh out of metrics.

Metrics car telemetry dashboard: an example of high-volume data with a large number of searches in one dashboard.

20x and beyond performance improvement for monitoring and alerting using metrics data. Sample use cases: CPU utilization, temperature fluctuations in devices, app downloads. All Splunk Platform benefits apply: visualizations and alerting; role-based access controls; data onboarding; clustering, scaling, alerting. Leverage open source for existing sourcetypes (statsd, collectd). Supports SaaS apps + legacy/on-premises systems.

Splunk was initially designed for people who are trying to find something in a mess of unstructured data (the needle in a haystack). What about the scenario when you know what you’re looking for and where to look, like temperature fluctuations in a car, or CPU utilization over time (or the weight of all the straws in a haystack), and you simply need to find this information quickly? We’ve rebuilt the Splunk engine to enable you to achieve this velocity. With Splunk Enterprise 7.0, metrics are now supported as first-class data. Use of the new metrics index boosts the speed of monitoring and alerting by at least 20X versus previous releases. This new support for metrics in Splunk Enterprise 7 enables faster, easier machine data analytics. Let’s take a look….

6 Splunk Enterprise 7.0 The easiest way to aggregate, analyze, and get answers from your machine data Automate, collect, index, and visualize your machine data in real time. Monitor Discover insights from any machine data–structured or unstructured. Investigate Analyze, predict, and act on outcomes from your machine data. Build Intelligence

7 Splunk Event Annotation
Investigate: Splunk Event Annotation, surfacing more visual insights from your data.

Metrics with Event Annotation: adds context to any time chart (e.g., line, column, area); correlates logs and metrics in a single view; enables you to pull markers and labels from many sources (e.g., log data, lookup files, or external sources).

With Splunk, you can pretty much graph or chart anything. Splunk Enterprise 7.0 takes this further. Event Annotation unifies and correlates log events, annotations, and metrics, often from disparate sources, into a single view so you can understand these events with more clarity (e.g., what might have resulted in this particular event, such as a spike or drop in data, and what additional events might have driven this change). One example of the ever-improving ways to help you visualize your data and help you get to the answers faster.

Feature details:
Event annotations can only be applied to time-series charts (line, column, area).
Driven by a secondary search, event annotations expect the following fields as part of the search result:
  _time [required]: time is a required field in order to render events on the chart.
  annotation_label: optional, but recommended, in order to provide a description of the specific event.
  annotation_category: optional, and only useful if you want to include multiple event types, such as service starts versus stops.
Custom visualizations must be updated to explicitly support this new behavior.
In this release, event annotations can only be configured using SimpleXML.
In this release, PDFs are not supported for event annotations.
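As an added example that is not part of the deck, the following SimpleXML panel ties the metrics slide and the annotation slide together: the primary search charts a metric from the new metrics index, and a secondary search of type "annotation" overlays splunkd errors as markers using the three fields listed above. The metrics index name `metrics` and the metric name `os.cpu.user` are assumed; `index=_internal` and `sourcetype=splunkd` are Splunk's own internal logs.

```xml
<dashboard>
  <label>CPU with splunkd error annotations (added example)</label>
  <row>
    <panel>
      <chart>
        <title>os.cpu.user (1-minute average) with splunkd errors marked</title>
        <!-- Primary search: a 7.0 metrics-index query. Assumes a metrics
             index named "metrics" that receives the os.cpu.user metric. -->
        <search>
          <query>| mstats avg(_value) WHERE index=metrics AND metric_name="os.cpu.user" span=1m</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <!-- Secondary annotation search. _time is required to place the
             marker; annotation_label describes it; annotation_category
             lets the chart distinguish more than one event type. -->
        <search type="annotation">
          <query>index=_internal sourcetype=splunkd log_level=ERROR
            | eval annotation_label = "splunkd error in " . component
            | eval annotation_category = "splunkd error"
            | table _time annotation_label annotation_category</query>
          <earliest>-4h</earliest>
          <latest>now</latest>
        </search>
        <!-- Annotations render only on line, column or area charts -->
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Both searches share the same time window so that markers line up with the metric series; a second `<search type="annotation">` with a different annotation_category would add a second marker type to the same chart.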

8 Splunk Enterprise 7.0 The easiest way to aggregate, analyze, and get answers from your machine data Automate, collect, index, and visualize your machine data in real time. Monitor Discover insights from any machine data–structured or unstructured. Investigate Analyze, predict, and act on outcomes from your machine data. Build Intelligence

9 Splunk Machine Learning
Leading platform for analyzing, predicting, and acting on outcomes from your machine data: SPLUNK SEARCH, PREMIUM SOLUTIONS, MACHINE LEARNING TOOLKIT. Platform for Operational Intelligence; platform for turning machine data into answers.

Splunk incorporates Machine Learning across our portfolio: in our Search Language (SPL); packaged ML in Premium Solutions including ITSI (anomaly detection in time series data, configured by the user by clicking On/Off); and custom ML for the platform via our Machine Learning Toolkit, a free Splunkbase download.

10 Splunk Machine Learning Toolkit
Build Intelligence: Splunk Machine Learning Toolkit. Guided and easy-to-use interface, modeling assistance and ready-to-use examples.

Showcases: interactive examples for common IT, security, business and IoT use cases. Assistants: guided model building, testing and deployment. Models: includes 25+ standard algorithms. Commands: SPL commands to fit, test and operationalize models. Free: Machine Learning Toolkit available via the Splunkbase™ app ecosystem.

MLTK is a free app / download from the Splunkbase ecosystem.

11 Splunk Machine Learning Toolkit 3.0
Build Intelligence: Splunk Machine Learning Toolkit 3.0. Guided and easy-to-use interface, modeling assistance and ready-to-use examples.

Model management fully integrated with Splunk's role-based access controls. Out-of-the-box algorithms and parameter tuning added for forecasting time series data. Re-factored API makes it easier to import custom algorithms, and export as Splunkbase™ apps. MLTK + Spark integration for large-scale model training (beta).

Assistants shown: Predict Numeric Fields; Detect Numeric Outliers; Forecast Time Series; Cluster Numeric Events.

12 Splunk Security Portfolio

13 Splunk: Security Nerve Center
Data sources shown: Network, Web Proxy, Threat Intel, Workflow App, Identity, Internal Network Security, Endpoints.

We touched earlier on this concept of going from "passive notifier" to a "nerve center" or "command center". The other key function of a nerve center is its ability to signal and orchestrate. Customers need a full security stack to protect their enterprise; regardless of the vendor, the form factor, or the deployment architecture, we are the machine data brain that helps bring the security tech stack together and make them all smarter and work in tandem.

Maybe add animation? First Firewall, server… then add other sources. What sort of sources would you need to inform security intelligence, and what other data sources? Ask “Which one of your vendors does this?” Search Splunkbase to demo. Effectively leverage security infrastructure to gain a holistic view.

14 Adaptive Response Initiative
Mission: bring together the best security technologies to help combat advanced attacks.
Challenge: gather, analyze, share, and act based on end-to-end context, across security domains.
Approach: connect intelligence across best-of-breed to improve security posture quickly, validate threats systematically, and disrupt the kill chain.

Data sources shown: Firewall, Network, Web Proxy, Threat Intelligence, App workflow, Internal Network Security, Endpoints, Identity.

Note the two-way communication (did you spot that on the previous slide?): using Adaptive Response, Splunk can, for example, tell a Palo Alto firewall to quarantine a host based on data in Splunk.

15 Security Portfolio Apps and Ecosystem Splunk Enterprise
Splunk Enterprise Security Content Updates Splunk Insights for Ransomware Splunk Security Essentials for Ransomware

16 Security Ecosystem Threat Intel Network Endpoints Identity & Context
This is probably one of the most exciting things for me, being the SE that gets to work with such a wide range of solutions. We have also been able to now see new categories of solutions emerge that we are actively pursuing partnerships with. As we’ve likely said a few times, we really appreciate the time you all are investing into the Splunk ecosystem. Splunk Security Ecosystem as of

17 Splunk Enterprise Security
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds: Alerts & Dashboards & Reports; Incident Investigations & Management; Statistical Outliers & Risk Scoring & User Activity.

All of this rich capability is delivered through pre-built searches, dashboards, reports and workflows. Your analysts are enabled to investigate alerts, maintain a continuous monitoring posture and hunt for unusual activity. Manage and investigate incidents by correlating event data and contextual information from any data source. Pre-built statistical capabilities identify unusual activity and reduce false positives. Automated Threat Intel Integration ensures that new information is rapidly integrated into alerts and investigations.

Enterprise Security delivers pre-built reports, dashboards, and workflows across all security domains, including wire data, endpoints, network, access and identity management. This is how you’d implement a SIEM on top of the Splunk Platform: Enterprise Security. Over 45 pre-built searches, 37 predefined dashboards, 160 reports supporting common security metrics, and Threat Intel & Asset & Identity Integration.

18 Splunk Enterprise Guidelines
When the customer just wants to monitor some of their environment for security (account lockouts, AD changes…). When the customer has a low level of knowledge about security. When the customer does not have enough relevant data sources to populate the dashboards in ES. When other existing apps might be enough to satisfy their security requirements.

19 Splunk Enterprise Security
Guidelines: when replacing an existing SIEM. When the customer knows about security and what a SIEM actually is. When the customer specifically has been asked to get a SIEM. In certain cases, when the customer wants a tool to help them become compliant with external compliance frameworks. When the customer has enough data sources to power the dashboards in ES.

20 Splunk Positioned as a Leader
Gartner 2017 Magic Quadrant for Security Information and Event Management*: Five Years in a Row as a Leader. Splunk is a market leader for SIEM solutions, and Splunk analytics-driven security has become widely adopted in the industry. Splunk’s vision and leadership in analytics-driven security continues to drive the market requirements for advanced analytics and incident response capabilities.

*Gartner, Inc., 2017 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

21 Enterprise Security Content Updates
A subscription service delivering pre-packaged security content for use with Splunk Enterprise Security. Regular updates help security practitioners more quickly address ongoing and time-sensitive customer problems and threats. Regular updates address evolving security threats in the form of searches and dashboards.

22 Splunk Insights for Ransomware
The first release of the “Splunk Insights” concept, targeted at smaller IT / security shops: a use case-specific version of Splunk Enterprise software. Data can only be used to combat ransomware. Competitively priced with ransomware solutions. Additional layer of security augments point solutions. Use case-restricted licensing, not based on volume-per-day licensing: a 1-year term, restricted-use license of Splunk Enterprise.

Benefits of the solution: central visibility and analysis of ransomware; use relevant data (endpoint, network, etc.) to identify and assess potential ransomware activity; faster, streamlined investigation of ransomware activity; investigative capabilities pull together multiple technologies across security and IT; hunt for ransomware and make proactive decisions; leverage IR best practices to hunt down issues that look likely to be related to ransomware.

For organizations who need to be prepared for the next ransomware attack. Easy to buy, competitive pricing with ransomware solutions. Splunk Insights for Ransomware provides an additional layer of security visibility, centered on the importance of posture, investigation, and response. This additional layer of security will augment point solutions; it does not replace “prevent” mechanisms or other malware or hygiene tools.

Pricing tiers by monitored accounts, starting at 1-100 monitored accounts.

23 Splunk Security Essentials for Ransomware
A free app on Splunkbase A template for a ransomware solution/dashboard

24 Splunk Certification

25 Certification Update
Note that (at time of writing!) there are no plans to update 6.x certifications. SE1 is required for Oxygen access (crucial!). SE3 is required for new Subject Matter Expert content.

26 Customer Path - Customers

27 Certification Path – Sales Engineer

28 e.g. Splunk Sales Engineer II

29 Thank You

