Improve Your Ability to Detect, Scope and Respond to Advanced Attacks with Splunk ES 4.0

For as long as I’ve been in security, vendors have talked about the “emerging threat landscape” and warned organizations not to be passive or to settle for “good enough” security. Never in my career have those words been truer than they are today. In fact, today’s threats are so different from those of the past that security professionals are now required to approach investigations in a radically different way.

Today’s threats are dynamic in nature, often comprising a series of activities spread over a long period of time. This makes them difficult to investigate, requiring the analyst to be equally dynamic in his or her activities to fully scope the infection. It’s also rare these days that a threat is assigned to only one analyst; more typically, the investigation is a team activity. This, of course, completely changes the dynamic of the investigation – but if done right, it will dramatically improve the effort, and therefore the organization’s security posture.

Recognizing these needs, today Splunk announced Splunk Enterprise Security (ES) 4.0 to help streamline the investigation of advanced threats. It helps analysts focus their efforts on the steps the attacker took, and helps them better understand, visualize, and communicate attack details. This is all done through two separate yet complementary features – the investigator journal and the investigation timeline. The investigator journal keeps track of the activities you take throughout the investigation, so you can focus on tracking the attacker’s activities. You can review your history at any time and add any relevant activities to the investigation timeline, along with raw events and even your own notes. The investigation timeline provides a visual display of all of these items, so you can clearly see the relative time relationship between the various events to determine root cause and next steps.

But this is the point at which an infomercial would exclaim, “but wait, there’s more!” As I mentioned earlier, most investigations require multiple analysts. Today, if your manager assigns you to an in-process investigation, you have to duplicate a lot of effort to figure out what’s going on. But ES 4.0 enables new analysts to be assigned at any time, and that analyst gains read/write access to the investigation timeline. As a result, you can click through the entire record to get the original analyst’s perspective, and place your own events, actions, and annotations onto the same timeline to share your perspective of the scenario. Simply stated, by working together, you leverage one another’s expertise to speed the analysis and investigation.

And, of course, your manager will love it too, because at the end of the investigation you have a comprehensive report that can be used as a training tool for new or junior analysts, to teach them how to effectively handle similar attacks in the future.

So to recap: ES 4.0 helps you better understand and visualize advanced threats while streamlining your investigation; helps you and your colleagues collaborate for faster resolution; and helps new analysts come up to speed more quickly. So you all get smarter, faster. You can’t lose!

Jeff Aboud
Solutions Marketing – Security Markets
Splunk Inc.