How Splunk Can Help You Prevent Ransomware From Holding Your Business Hostage

A group of hackers recently cost Madison County, Indiana, $200,000, and another group demanded $73,000 from the San Francisco Municipal Transport Agency (SFMTA) over the Thanksgiving holiday to decrypt frozen data. What was the common factor connecting the two attacks? A popular form of malware known as ransomware.

Why You Should Care About Ransomware

Ransomware is often used to extort funds directly from victims. Ransomware literally takes systems hostage, requiring a “ransom” to free those systems back to a usable state. This can be a very lucrative business for cyber criminals.

Ransomware, like other malware, gets into your network via bad actors who figure out a way to deliver it into your environment without “sounding an alarm” – for example, …


Data Integrity is back, baby!

I’m sitting in my living room near Boulder, and watching the Republican Presidential Debate happening right down the road at the University of Colorado. Each candidate is doing their best to portray themselves as a candidate with integrity that’s ready to lead our country into the future. But this far into the debate, the responses are getting pretty repetitive…

So it’s a perfect time to check out something with some real integrity – the new Data Integrity feature added to Splunk 6.3, now generally available from Splunk. This allows you to prove that your indexed data has not been tampered with after indexing. Some historical background…we used to have two features that were similar, one called Block Signing


Look at all the pretty colors!

Well, it’s Sunday here in Las Vegas, and .conf2014 is about to go down. I’m sitting in one of our Splunk University classes at the MGM, with many of our fine customers.

The class is our Power User Bootcamp, and we just finished talking about Splunk’s tagging, event types, and lookup functionalities. One of our more security-minded customers asked “hey – that ability to assign a color to event types in the Splunk search GUI is pretty cool – I’d like to use that to prioritize the events I’m looking at based on the risk profile assigned to a user. From a lookup. Can I do that?”

A second customer said “I like that idea.”

So, since this …


Finding shellshock (CVE-2014-6271, 7169, 7186, 7187) with Splunk forwarders

UPDATE 9/24/14 (evening): I changed the script a little bit to include platform information in the output by using the uname command and bash version information in the output with --version. This should work on Linux and OSX.

UPDATE 9/25/14: The first script below is specific to finding the original shellshock: CVE-2014-6271. The second shellshock vulnerability, CVE-2014-7169, requires a different test. See the script later in the post to cover this.

UPDATE 9/26/14: A whole bunch of useful comments have been added to this post. I have added information at the end of the post in response. I have further updated the scripts. Also, I should point out – if you are looking for information about how Splunk products are


Dude! Did you see that YouTube video?

NOTE: Rather than read this post, you can come see this use case presented live at our upcoming Worldwide User Conference in Las Vegas. My colleague Andrew Gerber from Wipro will be reviewing this and a few other recent use cases we have worked on together.

For the past 14 years (yes, I am old) I have worked out of a home office. This means that during my workdays, I can freely receive YouTube cat video links from my high-school ex-girlfriends, grab some carrot sticks and hummus from the kitchen, and watch as many of them as I care to using my trusty copy of Internet Explorer 6. The reason I can do this? No pesky corporate web proxy monitoring …


Custom Icons in Splunk 6 Tables

“Daddy. DADDY! We’re out of Sriracha. Does Costco sell Sriracha? Can you go get some before you start working today?”

That was my five-year-old son at breakfast this morning, after he turned the Sriracha bottle upside down and banged the heck out of the bottom of the rooster-adorned bottle with his tiny fist, trying to get the last bits of the dark-red chili sauce deposited onto his scrambled eggs.

While I’m certain we will solve the 2014 Sriracha Crisis at the Brodsky household, the whole episode reminded me of a question (stick with me, you’ll see why) that a Splunk customer asked me a few months ago, which went something like this:

“When creating a dashboard in Splunk 6,


Search Command> diff

What’s the grooviest Splunk search command goin’ round? It’s diff man, can you dig it?

That’s right, diff. What other command is based on a *nix file comparison utility that’s been around since the early 70’s?

Splunk’s diff operates just like good ol’ diff does on a *nix platform – it compares two inputs and tells you what the differences are, in a very distinct format. But where *nix diff normally compares two files, Splunk’s diff compares the content of two events.

We can use diff to compare one field in an event to that same field in another event, or we can go for broke and have diff compare “_raw” – or the content of the entire event …
