The M.O. of Insider Threats


Public concern for defending against cyber threats has grown exponentially over the past five years. However, perhaps the most recognizable U.S. government breach during that time was perpetrated by an insider, Edward Snowden. I recently participated in a webinar that explored how public and private sector organizations should be auditing their data for insider threats. During the conversation, I provided a high-level breakdown of insider threats to help organizations think ahead as they implement new processes and technology solutions to detect threats within their networks.

Who might be considered an insider threatening your system?
There are multiple attributes to consider when identifying potential insider threats. The individual could be a current or former employee, a contractor or business associate. The …

» Continue reading

Getting Started with Splunk MINT


Mobile apps are changing the way we experience IT. According to a March 2015 report from 451 Research, over 80% of enterprises in the US plan to deliver custom-built mobile apps in the next two years.  The challenge? Mobile apps don’t operate like traditional browser-based web apps. Mobile apps actively run on your mobile device and when they fail, there’s little evidence of it. Mobile apps also engage a lot more APIs, each of which could be a source of app failure.

That’s where Splunk MINT comes in. Splunk MINT gives mobile developers the ability to get real-time insight on crashes, mobile app performance, user sessions, transactions, and much more. Application Management teams get better insight on where problems …

» Continue reading

ESG Report: An Analytics-based Approach to Cybersecurity

In their report, “An Analytics-based Approach to Cybersecurity,” Enterprise Strategy Group explains why organizations continue to experience costly data breaches and how some lack the right cybersecurity strategies, skills, processes, and technologies needed to best tackle cyberattacks. The report highlights two key areas of weakness – incident response and limitations of legacy SIEM solutions.

Incident response is a simple concept, yet many companies felt they were weak in capabilities such as performing root cause analysis, scoping an outbreak to contain and remediate the infection, and then determining how to prevent similar attacks in the future. This means that any attack that gets into the organization will have a good chance to persist within that organization, and once the …

» Continue reading

Hunk – Delivering Value to Your Business

Regardless of your title, if your job involves preparing data stored mainly in HDFS among other stores, so that your end-users can query and visualize it, Hunk is probably right for you.  Two common themes among data officers are:
1.  We are building a data lake.
2.  It takes too long to prepare the data.

So, you’ve built your data lake, now what?

If you’re using one of the many point solution tools, in order to gain insights from your data, you must first go through an ETL process. This requires expertise in a programming language, imposing structure on the data, loading it in Hive or a relational database, and using your favorite visualization tool. As the data …

» Continue reading

.conf2014 Highlight Series: Lesser Known Commands in Splunk Search Processing Language (SPL)


As we get closer to .conf2015: The 6th Annual Splunk Worldwide Users’ Conference in Las Vegas this September, we’re excited to continue our series of .conf2014 retrospectives. This week we revisit Kyle Smith’s presentation covering less popular but powerful commands in Splunk Search Processing Language (SPL).

Skill Level:
Good for All Skill Levels

Solution Area:
Search Language

Splunk Enterprise

Presentation Overview:
From one of the most active contributors to Splunk Answers and the IRC channel, this session covers those less popular but still super powerful commands, such as “map”, “xyseries”, “contingency” and others. This session also showcases tricks such as “eval host_{host} = Value” to dynamically create fields based on other field values, and …

» Continue reading

Raw Threat Intel Docs in Enterprise Security 3.3

For those who would like to see a raw version of the STIX/OpenIOC docs being consumed by the Threat Intel Framework in Enterprise Security 3.3, I thought I’d post a bit of an unofficial workaround that could potentially be used to do this. It occurred to me that if a user wanted Splunk to index the raw STIX/OpenIOC documents, all they would need to do is have Splunk monitor the Threat Intelligence Manager directory that Enterprise Security is using to consume the OpenIOC/STIX documents. As an example, I will show how this can be done using the “da_ess_threat_default” entry, which is the Threat Intelligence Manager for the STIX documents that Enterprise Security 3.3 ships with out of the box.…

» Continue reading

Smart AnSwerS #22

Hey there community and welcome back to Smart AnSwerS, the 22nd installment of its kind.

I just got back to the office from a two week vacation to find my desk surrounded by a jungle of plants, my chair wedged horizontally on the side of my desk, an inflatable giraffe with a St. Patrick’s Day hat, and a cardboard cutout of a snooty waiter. Somehow, I wasn’t surprised with the number of pranksters surrounding me, so it was expected haha. I also came back to 800+ posts that have gone live on Answers since my departure! I’m glad the community is as lively as ever, though, it will take me some time to sift through all that content, …

» Continue reading

SplunkLive! Chicago: A Great Day for Splunkers and Blackhawks Fans

What brings IT leaders back to SplunkLive! events year after year is hearing from our talented customers about ways that they drive value within their organizations using Splunk. This month’s SplunkLive! Chicago was no exception as over 400 Splunk experts and newbies descended on the Windy City to learn, teach and share their own success stories.

Highlights included:


  • Martin Lavoie, online technology group deputy director with Ubisoft, explained how Splunk enables his group to identify and fix issues in their API quickly, helping developers to deliver a better gaming experience.
  • Joseph Barnes from the University of Illinois at Urbana-Champaign described how his team delivered a single, scalable solution to monitor and analyze multiple uncontrolled logging environments.
  • Dan Schreiber and Ed
» Continue reading

Top Five Insights about Splunk Cloud


One of the things I really like about attending industry events and conferences around the world is the opportunity to speak with certain members of the press face to face in small group settings.  We get to share some really good information and I get valuable insight into their world.  Recently, I met with a few reporters just prior to the international launch of Splunk Cloud and to share a bit more about what we are doing to help accelerate the adoption of cloud-based solutions and how Splunk is tapping into the growing market need. Here’s an inside look at what many reporters and analysts were interested in learning:


  1. Splunk Cloud recently launched internationally through its partnership with Amazon
» Continue reading

Splunk at Surescripts: Finding the cure for fraud

I had a root canal last month, and it was not fun – at all. Fortunately, the endodontist prescribed some industrial-grade pain medications to help. When I picked up my medicine at Walgreens, that prescription had already gone through some serious hoops – getting verified and validated by the provider, the benefits manager, the payer (aka, insurance) and the pharmacy. That’s where Surescripts comes in – they provide the platform that connects all of the relevant parties together so my prescription can be authorized and I can stop half my face from throbbing.

This process is ripe for abuse – to the tune of billions of dollars each year. As the largest health information network in the United States, …

» Continue reading