In October I had the absolute privilege of going to Las Vegas to attend my first Splunk .Conf conference with the rest of the 13Fields team. Not only my first conference but my first trip to America, and it definitely did not disappoint!
There was so much I could write about, but for this blog, .Conf, for me, can be split into three sections:
I want to focus on each of these points and break them down into what made my Conf19 experience so memorable.
Firstly, what is ‘Boss of the SOC’ or BOTS for short? Simply, it’s a capture-the-flag style event for blue teams to attempt to diagnose and identify security breaches of an imaginary company called Frothly. To complete a series of questions and challenges, we need to leverage Splunk, Enterprise Security, UBA, and Phantom, and then combine these with our own knowledge and experiences to deep-dive into the raw data and amass the most points as a team!
This capture-the-flag event has grown in popularity over the years to the point where over 300 teams were in attendance. Not only was this my first .Conf, it was my first BOTS; luckily, I was able to be on a team with two of my colleagues (Jamie and Paul) and a very talented ex-colleague and good friend of ours (Adam), who have all done BOTS events before. The event started on the Monday evening, a day before the full conference opened.
With over 1000 people seated in their groups and fed, we were ready for the 5-hour competition…
From the second the event started you could see the talent of the teams in the room; the questions appeared in the portal and we were away. There were four sets of questions all surrounding different but corresponding situations. Without giving the game away for everyone doing the event in the future, the questions surrounded the premise of an organised penetration test and the attempts to gain access. As usual, there was a fictional company where we were acting as the security team to try and identify different indicators of compromise.
The event seamlessly ties together the different Splunk technologies, giving everyone a way to see what can be done with the right data. Having trained and achieved the UBA and ES accreditations, it meant that I was able to navigate and use these to help. The Machine Learning Toolkit App (MLTK) was used effectively to show where outliers may be, and, for the first year, Phantom really shone through as well. However, the event was not explicitly for people who can use Splunk: the key really was to locate and find the IOCs, and although experience and understanding in Splunk were definitely beneficial and helped teams some distance, they were not enough alone.
After all of our hard work we pulled off a top 10 finish to place 7th; a proud achievement when we are going up against some of the most mature customers and Splunk partners in the world, and I cannot wait to do another one.
Firstly, I must say a huge well done to everyone that talked; there were a lot of people at the conference and delivering such amazing, quality talks and demos with all the distractions and people is no small feat!
I’m not going to dig into every talk, but instead discuss the ones that stick out in memory; we are going to release a number of further blog posts about specific groups of talks that really stood out to us in the next few weeks (stay tuned).
Now I can’t start a talk section any other way than the keynotes: there were three amazing keynotes, the first opening the event in an explosive and exciting way, with Doug Merritt coming out on stage to a full drum set; seriously!? Don’t believe me?
“Points for originality…” — Dion Hinchcliffe (@dhinchcliffe), October 22, 2019
The keynote on day one was an introduction of what was to come and a view of how far Splunk has come as a business over the 10 years since the first .conf09, with only 300 people in attendance, to almost 12,000 at .conf19.
Day two’s keynote focused on technical demos of everything from Splunk Enterprise 8.0, Enterprise Security, IT Service Intelligence, Phantom, and their newest security product, Mission Control. There was something there for everyone, no matter the sector or their current use of Splunk. Be sure to check out the website for the current releases.
In the main, my talks were more focused around security-related topics or insights from Splunkers, Partners and Customers alike, and there was a LOT on offer. For each talk we’ll link back to the amazing .Conf site where you can check out the slides and videos of each talk for yourself.
“Feed the Beast” by Max Moerles and Jay Novak from Booz Allen Hamilton looked at creating and utilizing endpoint-centric threat hunt use cases.
In today’s ever-growing security state, it is key to know what we can do with the logs we have. It is incredibly easy to be told to ingest more and more data. This isn’t feasible or available for everyone. Jay and Max work hands-on threat hunting for their clients. The talk highlighted the difference between hunting and detection: we need both to survive, and both for different reasons. They worked from the MITRE framework to give a few examples, like how you can detect privilege escalation, and broke them down into simple steps to hunt for what they needed.
“Hunting Threats with UBA” a talk by a Splunker, Richard Towle, and two Splunk users from LyondellBasell, Johnathan Guillotte and Christopher Schuler.
The first section of the talk was a brief introduction of what UBA is and why it can help a business develop its security maturity. Moving from that, Jonathan and Christopher went through their experience with UBA and what has made it successful.
The last talk I am going to discuss is “The SOC of the Future” by Brad Taylor, the CEO of Proficio.
The talk gave recommendations based on Proficio’s experience deploying successful SOCs. Brad went through the decision steps of what you need to be asking yourself and your teams, going from technology to people, and in his approach he really highlighted the need for an investment all round the organisation. After discussing deployment approaches, Brad then walked us through Proficio’s recommendations on how to carry out threat investigations. As an ex-SOC analyst myself, the entire talk was well-rounded and it was great to see the processes and thought that should go on in the background.
I recommend spending some time on the #splunkconf site to watch all of these talks and more right here: https://conf.splunk.com/watch/conf-online.html?search=&search.event=conf19#/
The conference always has been hyped up by a lot of previous attendees and I expected big things, not only with the event, but with the location. When you hear the words Las Vegas, you can’t help that. Las Vegas did not disappoint!
We had a few events planned, one being Cirque du Soleil. The event crosses music, gymnastics and acrobatics in a magical way that leaves everyone in awe of the talent in the room. Before the main conference we had time to explore Vegas and see the strip, and as someone who has never been to the USA it blew my mind: the size of the buildings can’t compare to anything. The big comparison is always which Eiffel Tower is bigger, Paris or Vegas, and this certainly triggered multiple conversations.
Moving on to the Splunk event itself, it is very fair to say that they did not hold back; the marketing and events team did a wonderful job. From the minute you entered the event you were taken down memory lane with the conf hoodies from the last 10 years, detailing the journey #splunkconf has been on.
Every corridor, room, and sign was tied together perfectly with Splunk’s new branding and colours.
Other than the keynotes which have been discussed, there was the Halloween search party in “SplunkVille”, the custom-built Splunk village just off the main strip, to entertain around 10,000 guests. There were two main sections: the inside ‘tent’ with a Splunk-themed (temporary) tattoo studio, store, houses to ‘trick or treat’, and a live band. The outdoor section had a live band with karaoke, a full arcade area with everything from 4-player foosball to VR, and finally a food truck area with so many options. Let’s just say it was one great party.
To wrap up, I’ve had first-hand experience of organising conferences before, working in the background to make it all happen, and I can only begin to imagine what doing an event of that size means. The entire event was planned brilliantly, and I cannot wait to see what next year at conf20 brings to up the game! You can already check out the details on splunkconf20 right here: https://conf.splunk.com/; it’s a no-brainer. See you there next year!