Raw Threat Intel Docs in Enterprise Security 3.3
For those who would like to see a raw version of the STIX/OpenIOC docs being consumed by the Threat Intel Framework in Enterprise Security 3.3, I thought I’d post a bit of an unofficial workaround that could potentially be used to do this. It occurred to me that if a user wanted Splunk to index the raw STIX/OpenIOC documents, all they would need to do is have Splunk monitor the Threat Intelligence Manager directory that Enterprise Security is using to consume the OpenIOC/STIX documents. As an example, I will show how this can be done using the “da_ess_threat_default” entry, which is the Threat Intelligence Manager for the STIX documents that Enterprise Security 3.3 ships with out of the box.…
Monitoring and alerting for activities of expired user accounts
When it comes to insider threats and user activity monitoring, I see a very common use case that works extremely well across multiple industries. I want to share it with you in this blog post.
Your company can have a lot of different user accounts – not just internally employed workers. There might be more focus on external contractors who move in and out more often, or even B2B portals with intellectual property exchange.
If you need to monitor expired accounts, it comes down to the following:
You need to have the username, the expiry date and the user activity data. Getting the expiry date information takes some homework.
Here are two pieces of advice:
Get the expiry
Secure Cloud Data Processing
Companies outsourcing data storage and management to cloud services are being confronted with a new concern: how can data be stored and accessed in a way such that individuals’ and businesses’ privacy is maintained?
Traditional cryptographic encryption applications are limited to the transmission of data to and from the cloud and occasionally with data at rest in some sort of cloud storage.
But most companies aren’t content to simply store data in the cloud – they want to analyze it! And performing almost any analysis requires that the data first be decrypted. Therefore, persistent attackers will still have an opportunity to compromise sensitive data.
In 1978, Rivest, Adleman and Dertouzos asked,
“Can one compute on encrypted data, while keeping it …
Survey Results: Big Opportunity for Big Data in Cybersecurity
Last week, MeriTalk, a public-private partnership focused on improving the outcomes of government IT, released a survey in collaboration with Splunk to explore how big data analytics play a key role in preventing cyber threats on government networks. With high-profile breaches garnering more public attention, we decided to do a deeper dive on how government cybersecurity professionals are currently monitoring threats on their network and areas in which they can improve. We surveyed 302 Federal, State and Local IT leaders to reveal current cybersecurity strategies and next steps organizations can take to improve security. The outcome? Government agencies understand there is value in using big data to support security, but very few agencies are taking full advantage of this …
Virtual Gov Day: What Did You Miss?
Last Wednesday marked our first Virtual Gov Day webinar, hosted by Carahsoft, where Splunk experts and customers showed attendees how valuable machine data can be in addressing daily IT challenges. Together, we learned how hundreds of government agencies use Splunk software to mitigate cybersecurity risk, optimize service delivery, maintain uptime of critical applications and reduce costs. For those who were unable to participate, I thought a brief summary of the discussion would be helpful.
Drive Disruption, Drive Change
Alan Webber, Research Director for IDC Government Insights, kicked off the web event highlighting how government agencies can use Splunk to reestablish their foundation and cultivate innovation. From Alan’s perspective, “there is a new focus in government agencies, and …
Threat Activity in Enterprise Security 3.3
In this blog post I will be showing how the Threat Activity dashboard can be leveraged to help manage threat intelligence objects to remove false positive matches. To start, let’s suppose a hosting service’s IP was placed into threat intel for monitoring purposes. As a result, we have a high number of notable events representing intel matches against the hosting service address. You don’t want analysts to spend time investigating matches against this IP because you don’t have enough information yet to deem communication to and from this address as malicious. What we need is a method of capturing and maintaining threat content, while providing a whitelist or filter to prevent false positive matches that add to the workload of …
Threat Artifacts in Enterprise Security 3.3
In this blog post I will be going over a simple use case for the Threat Artifacts dashboard that was introduced in Enterprise Security 3.3. To start, the Threat Artifacts dashboard was built to assist analysts in the investigation of events, as well as research into malicious entities, and is meant to serve as a window into the threat intelligence that is stored in the Splunk App for Enterprise Security. I kind of like to think of it as a Threat Intelligence Library.
The dashboard contains a “Threat Artifact” ToggleInputView that allows a user to select the type of form inputs they wish to use to search through their intel. These are as follows:
- Threat ID
Threat Intelligence Collections in Enterprise Security 3.3
For all those security enthusiasts out there that write their own, or wish to write their own, OpenIOC and STIX documents, this is a mapping of the Threat Intelligence KV Collections in Enterprise Security 3.3 to their respective OpenIOC/STIX objects. Hopefully this helps provide a little insight into which objects will be extracted into this release of the Threat Intelligence Framework, and which will not be. In addition, the table will also tell you which KVStore fields ES uses for matching against the threat data you’re ingesting in Splunk.
Note that if a cell contains a hyphen (-), it is likely because there was not an associated field in that particular intel document type (OpenIOC/STIX) for representing that specific type …
How Government Healthcare Agencies Should Approach Their Vulnerabilities
The pressures government healthcare agencies have felt for years are surfacing aggressively. This is due, in part, to recent data hacks and the need to protect sensitive information, but the increasing pressure to operate efficiently with smaller budgets plays a significant role as well. Providing valuable care to patients and adhering to compliance and security requirements are added challenges agencies must tackle despite their limited resources.
Exposing government healthcare agencies’ data leads to vulnerabilities that affect the security of public safety, as well as the safety of the U.S. government as a whole. To combat attacks and meet the various security needs, agencies need greater visibility into their data. Accessibility is also key. It is imperative to have the capability …
Splunk Enterprise Selected Best Fraud Prevention Solution in 2015 SC Awards
It has been an exciting week for all of us at Splunk who were fortunate enough to attend this year’s RSA Conference, focused on cybersecurity. From the wonderful Splunk stories by customers visiting our booth, to the engaging presentations from our partners and customers, RSA is always guaranteed to be a highlight on the Splunk Security calendar. (Our unique t-shirts never fail to build some buzz either!)
During the week we were also honored at the SC Magazine 2015 U.S. awards by winning the Best Fraud Prevention solution. A cross-section of SC Magazine readers selected the finalists and winners in the Reader Trust Award categories, and we are honored that this also marked the third consecutive year that …