Phishing – What does it look like in machine data?

Hello Security Ninjas,

In the last write-up I shared info on a phishing mail I received and what questions you want to ask once an attack is identified. In this one, I want to give you some technical insight into how it can look when performing an investigation. I’m sure you have analyzed some of those attacks in your own environment, so you know the departments that might be most targeted, e.g. your high-risk users – if you haven’t, I highly recommend you check your own environment by collecting data from the different sources and analyzing how infections start in your environment and where they occur most often.

In this case for tracking the process and generating the activity events …


Phishing hits a new level of quality

Hello community,

In recent weeks I’ve noticed that the quality of phishing e-mails I’m receiving (even to my personal account) has reached a new level. They are getting better and better every day, and even the latest spam filters let them through.

Why are they better?


Let’s look at one currently being sent out to many e-mail addresses that appears to be from DHL about tracking orders on the way to your house. For the German-speaking market the quality is very good. Previously, end users easily detected this kind of phishing attack because the mails contained spelling errors or bad translations from Google Translate. Today they no longer include spelling errors, and even the graphics and the branding of the e-mail look …


Master of Machines 2015 Part 1: Operational Intelligence helps conquer complexity


We’ve been very busy the last few months working on a piece of research with industry analyst Quocirca and I’m very pleased to announce 2015’s Masters of Machines report and a new Operational Intelligence benchmarking tool. We conducted this research last year and it gave the market some great insight into the value machine data can deliver and the maturity of Operational Intelligence in Europe, so we’ve repeated it for 2015 and the findings are fascinating. The research analysed around 400 senior business and IT decision makers from the UK, Germany, France, Sweden and the Netherlands to look again at the maturity of Operational Intelligence. The key findings from the research are that the fastest growing concerns for IT …


“Go Big Security”: Insights from MeriTalk Panel

It sounds simple – combat cyber threats by harnessing the power of your own data. But many government agencies are still not taking full advantage of big data analytics to detect, contain, and remediate cyber threats.

Last week, I participated in a webinar hosted by MeriTalk that focused on how government agencies can improve cybersecurity through a big data approach. The webinar discussion focused on the findings from a recent Splunk-sponsored MeriTalk survey of 300 federal, state, and local government IT leaders.

I was joined during the webinar by fellow panelists George Jakabcin, CIO for the Treasury Inspector General for Tax Administration, and Matt Smith, Chief Security Engineer at the Department of Homeland Security. We discussed what agencies are currently …


Cybersecurity Teams for State and Local Government

Cybersecurity is all the buzz across the public sector these days. While lots of attention is given to preventing breaches at the federal level, we actually see state and local government as a critical area for the development of cybersecurity policies and best practices. State and local IT leaders are recognizing how data analytics capabilities can support their security and risk management practices. The key is taking the right approach before diving in head first, and one of the first steps is putting together a cybersecurity team.

Splunk’s own John Zarour contributed an article this week to Government Technology that describes the important components for building an effective cyber team in state and local government. John notes the challenges state and …


Duqu 2.0 – The cyber war continues on a new level

Hello Security-Ninjas,

Recently I blogged about how important it is to apply today’s threat intelligence information to historical data. I gave the example of the Duqu malware, which contained a self-destruct capability to remain hidden. It seems the hiding strategy has evolved to a new level…

What has happened?

Today (10th June) Kaspersky Labs announced that they have been attacked by a new version of Duqu. At the time of writing it has been imaginatively named Duqu 2.0. It’s a very sophisticated piece of cyber-espionage malware, and speculation is that a nation-state was behind the attack, with an estimated cost to create the malware of around $50 million. The entire malware platform relies heavily on zero-day vulnerabilities to jump into systems and from …


Achieving Improved IT Operations with Splunk

Splunk has a strong reputation for supporting security in the public sector market. But more and more federal, state and local government organizations are realizing Splunk’s Operational Intelligence platform offers far more than security.

Last week, I led the latest “Do you know Splunk?” webcast hosted by Carasoft. This particular webcast focused on how Splunk’s capabilities can be used to simplify and improve IT Operations. Many government agencies are using their Splunk implementations to improve things like mean-time-to-investigate or to proactively monitor Key Performance Indicators (KPIs) for applications to identify and resolve problem areas. During the webcast, we explored a plethora of ways government agencies can and do use Splunk solutions to enhance IT Operations.

A few key …


Everything you always wanted to know about SPAN ports, Network Taps, Packet Mirrors, and the Splunk App for Stream (but were afraid to ask)

As this is my first Splunk blog post, I’ll keep this short.

This post has to do with moving raw packets around the network and analyzing their contents. To be precise, not IP packets at Layer 3, but Ethernet frames at Layer 2.

Occasionally, engineers have a need to capture and inspect raw packets. This is usually done when you don’t necessarily trust what’s going on with a given application (say a web server, or a DNS server) and you’d like to see what’s actually going over the wire, rather than what the application is telling you in its log. The use case could be fault isolation, troubleshooting, or an actual malicious event sourced by a human …


The M.O. of Insider Threats


Public concern for defending against cyber threats has grown exponentially over the past five years. However, perhaps the most recognizable U.S. government breach during that time was perpetrated by an insider, Edward Snowden. I recently participated in a webinar that explored how public and private sector organizations should be auditing their data for insider threats. During the conversation, I provided a high-level breakdown of insider threats to help organizations think ahead as they implement new processes and technology solutions to detect threats within their networks.

Who might be considered an insider threatening your system?
There are multiple attributes to consider when identifying potential insider threats. The individual could be a current or former employee, a contractor or business associate. The …


ESG Report: An Analytics-based Approach to Cybersecurity

In their report, “An Analytics-based Approach to Cybersecurity,” Enterprise Strategy Group explains why organizations continue to experience costly data breaches and how some lack the right cybersecurity strategies, skills, processes, and technologies needed to best tackle cyberattacks. The report highlights two key areas of weakness – incident response and the limitations of legacy SIEM solutions.

Incident response is a simple concept, yet many companies felt they were weak in capabilities such as performing root cause analysis, scoping an outbreak to contain and remediate the infection, and then determining how to prevent similar attacks in the future. This means that any attack that gets into the organization will have a good chance to persist within that organization, and once the …
