Improving Visibility in Security Operations with Search-Driven Lookups
Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention is a new type of search that Splunk calls Search-Driven Lookups. Because there has not been as much attention put to this, I wanted to share a bit about this capability and how it can be used.
Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked; how can Splunk dynamically create watchlists that can then be used in correlating new events against a watchlist? Enterprise Security has had the ability to correlate against a …
Splunk for Risk Management Framework
The term Risk Management Framework (RMF) can mean many things to many people. As the paper ‘Beyond Compliance —Addressing the Political, Cultural and Technical Dimensions of Applying the Risk Management Framework’ from MITRE Corporation points out it could mean a replacement of DIACAP within the DoD, it could mean a replacement to the C&A process or it could be an evolution from compliance to a more risk based approach.
In 2014, the Department of Defense (DoD) introduced the Risk Management Framework (RMF) to help federal agencies better manage the many risks associated with operating an information system. It is clear that a compliance-only oriented approach is not enough for a robust security posture, especially in the face of …
Full-Scale Operational Intelligence Through CDM
In the face of high-profile breaches and increasingly sophisticated hackers, the Federal Government’s Continuous Diagnostics and Mitigation (CDM) program is one of the most important and widely discussed cybersecurity initiatives in recent history.
Did you know that Splunk Enterprise will be used at 25 of the largest civilian departments and agencies covering 97% of the federal civilian government workforce?
On Wednesday, May 11, I spoke at the Face-to-Face Cybersecurity CDM event hosted by FCW to discuss how Splunk’s solutions and government’s CDM program fit together. As Nick Murray noted in a recent blog post, the CDM program makes tools and services available to agencies via a government wide contract to help them identify cybersecurity risks on an ongoing basis, prioritize …
Developing Correlation Searches Using Guided Search
Guided Search was released in Splunk Enterprise Security 3.1, nearly two years ago, but is often an overlooked feature. In reality, it is an excellent tool for streamlining the development of correlation searches. The goal of this blog is to provide a better understanding of how this capability can be used to create correlation searches above and beyond what Enterprise Security has to meet your unique security requirements.
So what is Guided Search?
It’s a “wizard”-like process to gather the key attributes that make up a correlation search. Essentially, there are five elements to Guided Search:
- Identify the data set to search
- Apply a time boundary
- Filter the data set (optional)
- Apply statistics (optional)
- Establish thresholds (optional)
Along the way, …
Detecting Vulnerable and Compromised Certificate Use/Abuse with Splunk Enterprise Security and Stream
Recently, we have received a number of questions about compromised SSL certificates. One of the challenges this problem presents for analysts is how to gain insight into what these compromised SSL certificates are transporting and with whom are they communicating.
If you were to encounter this situation, you might find yourself being asked the following questions:
- How would you identify which assets in your organization are affected?
- How could you arrive at a strategy to prioritize what to remediate first?
- How do we start looking for these certificates being used in communication across our networks and systems?
Detecting and Remediating
For users of Splunk, many of you know that the Splunk App for Stream can capture wire data. Stream can …
Information Exchange Boosts Threat Intelligence
The rash of recent government breaches and continued cyberthreats have accelerated the need for the exchange of information related to these and other known incidents. For many years, DHS has been working with industry and other federal agencies to provide more standardization of content so that security practitioners (and anyone else for that matter) are speaking the same language across multiple vendor platforms as it pertains to software, configurations and vulnerabilities, to name a few. An early example that pre-dates DHS was the Common Vulnerability Enumeration (CVE) that Mitre launched in 1999. These efforts can be challenging because gathering consensus and buy-in is never easy across a diverse set of organizations and so finding entities that can shepherd these specifications …