From API to easy street within minutes

30? 20? …15? It all depends on how well you know your third-party API. The point is that polling data from third-party APIs is easier than ever, and CIM mapping is now a fun experience.

Want to find out more about what I mean? Read the rest of this blog and explore what’s new in Add-on Builder 2.1.0.

REST Connect… and with checkpointing

Interestingly, this blog happens to address a problem I faced back on my very first project at Splunk. When I first started at Splunk as a Sales Engineer, I worked on building a prototype of the ServiceNow Add-on. Writing Python, scripted inputs vs. modular inputs, conf files, setup.xml, packaging, best practices, password encryption, proxy and even checkpointing… the list goes …


SSL Proxy: Splunk & NGINX

Who is this guide for?

It is a best practice to install Splunk as a non-root user or service account as part of a defense-in-depth strategy. This installation choice comes with the consequence of preventing the Splunk user from binding to privileged ports (anything below 1024). Some of the solutions to this problem found on Splunk Answers require iptables rules or other methods. In my experience, the iptables method is not that reliable, and many newer Linux distributions are abandoning iptables in favor of firewalld as the default host firewall. In this guide, I will show you how to use Nginx and Let’s Encrypt to secure your Splunk Search Head while serving SSL traffic on port 443.


Prerequisites


Adaptive Response: A Level Deeper for Continued Customer Success

Over the past three or four years, we’ve been hearing more and more about analytics-driven security at RSA. Years ago, when Splunk first introduced the concept to the marketplace, we were living in a world where security practitioners were still focusing on prevention rather than detection. Since then, advanced cyber adversaries have forced security analysts to change the way they think about posture. Security analysts no longer buy into the idea that there is a silver bullet for security, and vendors acknowledge that security is a team sport. With this shift in mindset comes a change in strategy, where end-to-end context and cross-vendor analytics are emphasized to better detect and respond to threats in real time. Detection is now king.…


Find Malicious Insiders Before You Become a Headline

The media is filled with reports of Russia’s possible influence over the U.S. presidential elections. While American security agencies are investigating the Kremlin’s possible involvement in a hack of the Democratic National Committee, a U.S. Intelligence Service unclassified report suggests the Russians’ motive, at least in part, may have been retaliation for the U.S. working with a malicious insider to leak news of a Soviet Olympic athlete doping scandal.

Regardless of whether the report is true, it reveals a growing concern over insider threats for governments everywhere. Countries such as Canada are heavily investing to protect their citizens against insider and foreign attacks, while the U.S. Department of Defense Inspector General found in a recent audit that the U.S. …


Splunk and Cisco Umbrella: See what you’ve been missing…

The following is a guest post by Rachel Ackerly, product marketing manager, Cisco Umbrella.


Do you have eyes in the back of your head? (Unless you’re my mother, there is a good chance you don’t.) Many security products claim to provide visibility into what’s happening on your network, but how many actually deliver on that promise?

So how do you see what’s happening on the internet, beyond your perimeter? Isn’t that the question security professionals have been struggling with as the world becomes more mobile? Your employees connect to the internet from many different locations and devices. A VPN is no longer necessary to get work done; they use Software-as-a-Service (SaaS) apps. But that leaves users more vulnerable to threats, …


Analyzing BotNets with Suricata & Machine Learning

Since the official rollout of the Machine Learning Toolkit (MLTK) at this year’s .conf, Splunkers have been pursuing some interesting use cases ranging across IT operations, planning, security and business analytics. Those use cases barely scratch the surface of what is possible with machine learning and Splunk. As an example, I will use the Machine Learning Toolkit and data collected from Suricata to analyze botnet populations. This population analysis will be used to create a model for predicting the Mirai botnet based on network features.

Suricata

Suricata is an open source threat detection engine that can be run in passive mode for intrusion detection or inline for intrusion prevention. My lab environment is configured for intrusion detection, meaning Suricata will not …


Day in the Life of a Security Analyst (Part 1)

Over the next three months, the Splunk Security team will be looking at the emerging role and hero of the Security Operations Center (SOC): the security analyst. This role has changed drastically over the past 10 years, and we will observe how a changing threat landscape and advancing technology have redefined what it means to be a security analyst.

We’re publishing our first post to coincide with Data Privacy Day, an annual, international effort aimed at creating awareness about the importance of privacy and protecting personal information. In this post, I speak with Splunk Security Analyst and Researcher Kathy Wang to discuss life as a security analyst in the early 2000s.

Take me back 10 years. How did you


Visual link analysis with Splunk and Gephi

As cyber-security risks and attacks have surged in recent years, identity fraud has become all too familiar to the common, unsuspecting user. You might wonder, “Why don’t we have the capabilities to eliminate these incidents of fraud completely?” The reality is that fraud is difficult to characterize: it often requires a great deal of contextual information about what was occurring before, during and after the event of concern in order to determine whether any fraudulent behavior occurred at all. Cyber-security analysts therefore require a host of tools to monitor and investigate fraudulent behavior, tools capable of dealing with large amounts of disparate data sets. It would be great for these security analysts to have a platform to be able to …


Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups. Because there has not been as much attention paid to this, I wanted to share a bit about this capability and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked: how can Splunk dynamically create watchlists that can then be used to correlate new events against a watchlist? Enterprise Security has had the ability to correlate against a …


Gaze into Splunk’s Crystal Ball for What’s to Come in 2017

Last year, a team of Splunkers came up with several predictions for what 2016 would bring in the fields of IT, security and big data. This year we’ve done it again, looking into our crystal ball (or industry experience) to share our prophecies for 2017.

But first, let’s look back at some of the hits and misses of what we predicted for 2016.

Behavioral analysis will shift from an emphasis on user credentials to machine-to-machine credentials.

Haiyan Song, our SVP of security markets, predicted that “anomaly detection will become less about analyzing users or entities and more about leveraging machine learning and data science.” While there’s still a way to go, this has begun to come true: As
