Overcoming Cybersecurity Resource Challenges in Government

At a hearing on cybersecurity and protecting taxpayer information held by the Senate Finance Committee last month, the IRS Commissioner, John Koskinen, testified that the agency faces the loss of key IT and data security personnel over the next year. He attributed this to pay discrepancies between the private and public sector as part of his appeal to renew a lapsed law that boosted the pay of top-notch personnel temporarily recruited from the private sector [1].

While it is important to ensure that talent is rewarded appropriately, the cybersecurity issue goes deeper than retention of highly trained personnel. For one, agencies are strewn with dozens of disparate security products procured over the years that are managed and operated in silos. …

» Continue reading

Enriching threat feeds with WHOIS information

It has been almost 2 years since I spent a summer in Seattle interning with the Splunk Security Practice (SecPrax) Team. Damn, time flies! The Splunk Security community is growing every day, thanks to the unbelievable amount of flexibility, visibility, and insight Splunk Enterprise offers for all data, and as I have learned, all data is security relevant. Now back at Splunk to work with the Security Research team, this is my first blog post, and I would like to hear what you have to say about it, so please leave feedback or a comment.

What am I missing while doing threat intelligence?

While I am doing some research looking for threat intelligence data sets to ingest into Splunk, I realized there can be …

» Continue reading

Lessons learned from the “SWIFT” Attack

Unfortunately, somewhere in the world a big party must be going on. In February hackers successfully compromised a bank connected to the SWIFT Network in Bangladesh, stealing $81 million, as reported by Reuters earlier this week. While the bank's computer systems in Bangladesh seem to have missed a number of IT security best practices, the incident shows that a connected system, even one designed to be closed, can be compromised through its weakest supplier, compromising the whole system.

It’s mind blowing to see how much subject matter expertise the hackers must have had about the SWIFT System.

Have we seen this attack in our network, too?

The chances that …

» Continue reading

.conf2015 Highlight Series: City of LA and Splunk Cloud as a SIEM for Award-Winning Cybersecurity Collaboration

Registration and call for papers is now open for Splunk .conf2016. We can’t wait to host you all at the Walt Disney World Swan and Dolphin Resorts in Orlando, Florida; September 26-29, 2016.
During last year's Splunk .conf2015 we were lucky to have Timothy Lee, the CISO of the City of Los Angeles, share his case study on why his department chose Splunk Cloud as a SIEM for one of their cybersecurity initiatives and how it is used. Though we're summarizing his key points in this post, you can get the complete picture by checking out a recording of Tim's presentation, and access to his slides, at the bottom of this post.


The Scenario

Tim began …

» Continue reading

Announcing Splunk Add-on for Microsoft Cloud Services

I am pleased to announce the availability of the Splunk Add-on for Microsoft Cloud Services. Released on April 1st 2016, this add-on, which is available on Splunkbase, provides Splunk admins the ability to collect events from various Microsoft Cloud Services APIs. In this first release, this includes:

  • Admin, user, system, and policy action events from a variety of Office 365 services such as SharePoint Online and Exchange Online, and other services supported by the Office 365 Management API.
  • Audit logs for Azure Active Directory, supported by the Office 365 Management API.
  • Current and historical service status, as well as planned maintenance updates for a variety of services supported by the Office 365 Service Communications API.

If you are wondering …

» Continue reading

Developing Correlation Searches Using Guided Search

Guided Search was released in Splunk Enterprise Security 3.1, nearly two years ago, but it is often an overlooked feature. In reality, it is an excellent tool for streamlining the development of correlation searches. The goal of this blog is to provide a better understanding of how this capability can be used to create correlation searches beyond those Enterprise Security ships with, to meet your unique security requirements.

So what is Guided Search?

It’s a “wizard”-like process to gather the key attributes that make up a correlation search. Essentially, there are five elements to Guided Search:

  • Identify the data set to search
  • Apply a time boundary
  • Filter the data set (optional)
  • Apply statistics (optional)
  • Establish thresholds (optional)

Along the way, …

» Continue reading

Splunk and Moviri – driving Italian Operational Intelligence at UniCredit, Yoox/Net-A-Porter & Saipem

Last week we ran SplunkLive! Italy in Milan and Rome. I was lucky enough to be in Milan and spend some time with the Splunk team and also one of our key partners, Moviri. We've been working with Moviri for many years, and together we have delivered some outstanding examples of Operational Intelligence using machine data. Moviri is a leader in IT optimization in Italy, focusing on security, analytics, and monitoring operations. The customer speakers in Milan were UniCredit, Yoox/Net-A-Porter and Saipem. UniCredit presented their excellent story on delivering IT Operational Analytics, Yoox presented real-time security intelligence, and Saipem presented on how they use the platform for multiple use cases in Oil and Gas. All three customers have gained significant …

» Continue reading

Back from GISEC 2016 – The day the lights went out

I'm just back from GISEC2016 in Dubai, a great show that brought information security professionals together from across the region. On the Splunk stand we gave out lots of T-shirts, but more importantly, we had great conversations about how Splunk can help organizations large and small solve their big data and security problems. Examples in the region include Dubai Smart Government, Al Rajhi Bank (Saudi Arabia) and Saudi Arabian Airlines, all of which use Splunk to analyze their log data for different functions. This ranged from security to IT operations and IoT, which Splunk is a great fit for.

There were several keynotes with great messages that I wanted to share:

Nigel Gibbons, Global Advisory

» Continue reading

Splunk maintenance releases and patch to address the DROWN OpenSSL vulnerability

Today, we published a number of maintenance releases that include updates to the OpenSSL package in order to address the DROWN vulnerability.

Download Splunk Enterprise 5.0.15, 6.0.11, 6.1.10, or 6.2.9 from https://www.splunk.com/page/previous_releases

Download Splunk Light 6.2.9 from https://www.splunk.com/page/previous_releases/splunk_light

Download HUNK 6.2.9 from https://www.splunk.com/page/previous_releases/hunk

For more information about the DROWN vulnerability, review the following security advisory posted on our security portal.

Patches available for users on 6.3.x

If you can upgrade to 6.4, you should absolutely do that. In addition to a bunch of great new features, the 6.4.0 release contains the updated OpenSSL package. However, if you’re not able to upgrade to 6.4, we’ve made patches available on the 6.3.x codeline to get you through until the upcoming 6.3.4 release (which will …

» Continue reading

Building add-ons has never been easier

Speaking from personal experience, building add-ons has never been the easiest task for me. There are numerous steps required, and each step may come with its own challenges. Worse, I might spend time on a solution only to hear that it wasn't best practice.

Wouldn’t it be great if there was a way to make this process easier by equipping developers, consultants, and Splunk Admins with the right tool to build their own add-ons? To take it a step further, wouldn’t it be even better if this tool actually helps you build the add-on by following tried and true best practices?

Allow me to introduce you to the Splunk Add-on Builder that helps to address the challenges highlighted above. Splunk Add-on …

» Continue reading