Use Splunk to detect and defeat fraud, theft, and abuse
In case you haven’t heard, an emerging and fast-growing use case for Splunk is using Splunk for anti-fraud, theft, and abuse (which I will just call “fraud”). Many Splunk customers across a wide range of industries Splunk their machine data and log files for a wide range of anti-fraud use cases, including fraud investigations, detection, and analytics/reporting. They also put the event data from other point anti-fraud tools into Splunk and use Splunk to: (1) break down the siloed nature of these point tools to present a more unified view on fraud, and (2) correlate fraud events with other data sources. Splunk’s flexibility enables it to be an anti-fraud solution and/or enhance existing fraud tools.
A few weeks ago, Splunk …
Battling APTs with the Kill Chain Method
Recently I had the privilege of presenting to a monthly meeting of the Raleigh, NC chapter of the ISSA. My presentation focused on educating the audience of security professionals on advanced persistent threats (APTs) and how they can use the kill chain method to battle them. I’d like to share some of the key points and highlights here in an effort to help readers better defend themselves against motivated attackers.
There are 3 main points about APTs that must be established before we dive into the kill chain method itself, namely:
1) Unlike automated, technology-driven attacks of years past, APTs are driven by a combination of people, processes, and technology. APTs are therefore goal-oriented (financial, political, etc.), human-directed, coordinated, …
Risk Analysis With Enterprise Security 3.1
The Risk Analysis Framework was introduced as a new feature in Splunk App for Enterprise Security 3.1, and provides users with the ability to utilize a risk scoring system for assigning varying levels of risk to a multitude of different assets and identities.
In the context of the Risk Analysis Framework- assets, identities, and anything else you would consider assigning a risk score to, is referred to as a Risk Object. Risk Objects are categorized under different Risk Object Types. For example, if ‘brians_laptop’ was our Risk Object it would be categorized under the ‘system’ Risk Object Type. Out of the box, Enterprise Security 3.1 comes configured with 3 different risk object types: ‘system’ for assigning risk …
Updated Keyword App
Last year I created a simple app called Keyword that consists of a series of form search dashboards that perform Splunk searches in the background without having to know the Splunk search language. You can read about the original app here and see how it easy it is to use. This year, I added some dashboards for the Rare Command, but I didn’t think it was newsworthy to blog about it.
Then, Joe Welsh wrote a blog entry about using the cluster command in Splunk, which allows you to find anomalies using a log reduction approach. Joe’s example using Nagios is easy to follow and gives the novice a useful approach to get rare events. So, using this approach, I …
Deploying Splunk Securely with Ansible Config Management – Part 1
More times than not I have seen corporations struggle with config management and it is key for concise mitigation and remediation plan. Interfacing with a variety of Splunk customers the corporations whom do implement a config management system usually have a different tactic on how to manage Splunk while doing it in a secure fashion. In this series of blog posts which will hopefully walk you through a simple deployment of Ansible all the way to the most complex use-cases I have seen. I will first be covering how Ansible can be leverage to manage a simple Splunk deployment on your own hosts. Part 2 we will cover how this can be done in a larger scale with EC2 …
Splunk Named a Leader in Gartner Magic Quadrant for SIEM…again!
This week Splunk was named a leader in Gartner’s 2014 Magic Quadrant for Security Information and Event Management (SIEM) for the second year in a row. For the MQ, Gartner evaluated Splunk® Enterprise and the Splunk App for Enterprise Security and also spoke to multiple Splunk customers as part of the process. To read the Gartner report, please register here.
We are very proud of this award, as it reflects the success that you, the security and compliance customers of Splunk, have had with our product. We now have thousands of security and compliance customers across the world using Splunk for a wide range of use cases including log management, incident investigations, forensics, real-time correlations and alerting, advanced …
Splunk and the latest OpenSSL vulnerabilities
Hi Splunk users,
Last Monday, we became aware of a new set of vulnerabilities announced in OpenSSL. We have reviewed the issues, and have determined that we must update the version of OpenSSL we currently ship to address these issues.
Note: Not all the listed issues are of concern for Splunk. For example, we do not use DTLS. However, “SSL/TLS MITM vulnerability (CVE-2014-0224)” is relevant to Splunk and should be addressed.
We have now posted the following releases containing the fixed version of OpenSSL:
Generating Elliptical Curve Certs for Splunk
Very often we get questions about generating stronger Cert/Keys for Splunk. Specifically from users who run a vulnerability scanner against their Splunk instance. By default, Splunk ships with a 1024 bit strength RSA Cert. This is the same certificate authority cert across all Splunk binaries. Splunk recommends customers use their own CA and cert/key pair in the securing Splunk documentation. It is good practice to sign certs by your own CA.
I recommend an EC (Elliptical Curve) key/pair. For more about EC have a look here. Here are a few pros and cons of using EC certs:
- Perfect Forwarding Secrecy (PFS) support
- Shorter Keys which are as Strong as RSA key but are easier on the
Splunk for Healthcare – Splunk attains 2014 ONC-HIT Certification
In my tenure as Healthcare Domain Expert at Splunk, I have seen many Healthcare customers using Splunk for EHR and HIPAA audit reporting. New regulations require you to use Certified technology or “field certify” your solution. So, Splunk felt that the best way to serve our Healthcare Provider customers was to get Splunk software certified.
The specific module certification is 170.314 (d)(3) Audit Reporting. This is the same certification that other industry solutions have, like FairWarning, IATRIC Security Manager, and P2Sentinel.
What does this mean to you? Healthcare providers can now use the leading technology platform for machine data, log management and operational intelligence without having to get “field certification”. Our customers have found Splunk to be a fraction of …
Cisco Security Suite 3.0.3 now includes Cisco Sourcefire
The Cisco Security Suite app continues to get updated for Splunk 6.x. The latest addition is support for Cisco Sourcefire. Information from your eStreamer server (e.g. Defense Center) is visualized including:
- Intrusion events
- Sensor information
- Policy information
- Flow summaries
- File / Malware events
- Correlation events
So now, the Cisco Security Suite supports:
- Cisco ASA and PIX firewall appliances, the FWSM firewall services module
- WSA web security appliance
- Cisco IronPort Email Security Appliance (ESA)
- Cisco Identity Services Engine (ISE)
- Cisco Sourcefire
Also, with each release, we incorporate more feedback about documentation. Documentation can be found within the Cisco Security Suite app itself and on the Documentation tab on http://apps.splunk.com/app/525/.
Be sure to check out Splunk Answers as well for community …