Outpost Security Solutions for the Public Sector

Splunk App RBA Zero-to-One: Outpost Zero-to-One w/ RBA, Splunk® App for Splunk ES, one year subscription

  • Splunk Add-on App, supported by Outpost Security
  • Pre-loaded with 7 use cases
  • Each use case specifies detections and data models
  • Rapid point & click use case deployment
  • Detections
    ◦ Over 50 pre-loaded RBA detections (Risk Rules)
    ◦ Complete with initial scoring values and risk messages
    ◦ Detections cover Authentication, Cloud, Email, Endpoint, Network and Web Data Models
    ◦ Framework Mapping – each detection is mapped to MITRE ATT&CK, CIS 20, NIST CSF & Cyber Kill Chain using the annotation framework

  • Rapid Deployment
    ◦ Initial use case can be enabled and tuned in less than two weeks
    ◦ Pre-loaded searches to populate Assets & Identities and Threat Intel feeds
    ◦ Implementation assistance is available from Outpost Security or your trusted Splunk Partner

  • Advanced GUI & Dashboards for IR & ES Configuration
    ◦ Risk Object Detail page w/ risk event messages and automatic enrichment
    ◦ One-click investigation drill-downs including related objects and raw event views
    ◦ RBA Overview dashboard to show detection performance and tuning opportunities
    ◦ Health Check Dashboard that tracks configuration of data sources, data models, Assets & Identities, Threat Intel matches, detections, and notables

Splunk App RBA Premium: Outpost RBA Premium App, Splunk® App for Splunk ES, one year subscription, per SVC, units of 50

  • Splunk Add-on App, supported by Outpost Security
  • Enhanced Assets & Identities Framework: macro driven and customizable with minimal maintenance
  • Risk Rule Library: preloaded with over 100 risk rules, with new rules added quarterly
  • Enhanced Risk Notable Rules
    ◦ Built-in logic that makes notables “self-aware” and aware of other notables
    ◦ Configure logic per your business rules to minimize repeat notables

  • Advanced IR GUI & Dashboards
    ◦ Risk Object Detail page w/ risk event messages and automatic enrichment
    ◦ One-click investigation drill-downs including related objects and raw event view

  • High Resolution Suppression
    ◦ Suppression engine that gives analysts the ability to suppress notables at the event field level
    ◦ Enterprise features such as auto age-out, event suppression history, bulk updating, and change tracking

  • RBA Health Review Dashboards
    ◦ Alert modeling tool for advanced detection development and tuning

  • Change Tracking
    ◦ Source code recording and change tracking for Outpost RBA SPL
    ◦ Coverage of Risk Rules, Risk Notable Rules, Suppressions, and Dashboards

  • Documentation Engine
    ◦ Risk Rule documentation feature built in Splunk (ADS Framework)
    ◦ Automatic population of key fields (configurations and variables) of risk rules, with additional user input fields
    ◦ Single click linking from Risk Object Detail page for quick analyst reference

PS for ES Sprint Data Models: PS for ES Sprint - Data Model Configuration for CIM Compliance

  • 2 week firm-fixed price Professional Services sprint
  • Review current state of data available
  • Review current state of data model configurations
  • Develop detailed list of recommendations to go from current state to ideal state
  • Recommendations per data model to include:
    ◦ Scoping accelerations
    ◦ Scoping data retention periods
    ◦ Setting indexes
    ◦ Ensuring correct tags & field values

  • Receive approval to implement recommendations, then implement changes per data model
  • Deliverables
    ◦ Data model configurations
    ◦ Summary report of previous state and changes implemented
    ◦ Data model summary dashboard embedded into Splunk

  • Data Models in Scope:
    ◦ Authentication
    ◦ Email
    ◦ Endpoint
    ◦ IDS
    ◦ Malware
    ◦ Network Resolution (DNS)*
    ◦ Network Sessions (DHCP/VPN)*
    ◦ Network Traffic
    ◦ Web

  * Depending on customer specifications / data present

PS for ES Sprint Risk Rule Detection Tuning: PS for ES Sprint - Risk Rule Detection Tuning, per risk rule, units of 10

  • Firm-fixed price Professional Services sprint, approx. two weeks per sprint
  • Review current detection set (risk rules)
  • Review detection outputs – risk index events and notables
  • Review data sources available/used for detection coverage
  • Develop detailed list of recommendations per detection
  • Recommendations to include:
    ◦ Potential filters for detections
    ◦ Risk scoring adjustments
    ◦ Dynamic improvements of risk messages

  • Receive approval to implement recommendations, then implement changes per detection
  • Monitor tuning and change results for effectiveness
  • Identify additional tuning opportunities

  • Deliverables
    ◦ Summary report of implemented recommendations, including performance metrics per risk rule
    ◦ Recommendations for additional detections to increase visibility and leverage potentially underutilized data sources

Training Splunk Data Model Configuration: Splunk® ES, 1 day, price per class, unlimited participants

Hands-on class / lab work using your environment and data to train your team to configure and maintain data models in Splunk.

Training Splunk RBA Risk Rule Detection Development in Splunk® ES, 1 day, price per class, unlimited participants

Hands-on class / lab work using your environment and data to train your team to develop, test, and deploy RBA detections / risk rules in Splunk ES.

Training Incident Response with RBA in Splunk® ES, 1 day, price per class, unlimited participants

Hands-on class / lab work using your environment and data to train your team to review RBA-style alerts / notables in Splunk ES.