Big Data and Insider Threats: Industry Conversations

B_GSiiLXIAAU1ws On any given day, you will hear numerous buzzwords within the government IT marketplace. Recent conversations surrounding big data, cybersecurity and insider threats are top of mind for government organizations. These discussions are imperative for exploring the challenges, needs and viable solutions that are necessary to achieve a stable security infrastructure. However, it is essential that these conversations involve both sides of the table – government agencies and technology providers.

At Splunk, we work to achieve greater Operational Intelligence through collaboration with our industry peers. Just last week we participated in an Insider Threat Detection and Mitigation conference where Adam Cohn, the director of Government Affairs & Public Policy at Splunk, discussed how agencies can manage insider threat risks in …

» Continue reading

.conf2014 Highlight Series: Operationalizing Advanced Threat Defense

As we get closer to .conf2015: The 6th Annual Splunk Worldwide Users’ Conference in Las Vegas in September, we’re excited to continue our series of .conf2014 #TBT highlights. This week we revisit Monzy Merza’s in-depth presentation focused on how to get the most out of the Splunk App for Enterprise Security.

Skill Level:
Intermediate
Solution Area:
Security
Splunk:
Splunk App for Enterprise Security

Presentation overview:
Splunk’s Minister of Defense and security guru, Monzy Merza, shows how to use the Splunk App for Enterprise Security to detect, respond to and mitigate advanced malware through various phases of the threat’s lifecycle chain.

For the full recording, check out Operationalizing Advanced Threat Defense.

We look forward to sharing more of these …

» Continue reading

Contextualize your data with threat intelligence information from Project Honey Pot

Greetings Splunk Ninjas,

this is my first blog post. I’m a Splunk EMEA specialist and work in the IT industry nearly 10 years. 7 of them with Software Vendors in the IT-Security space. I worked already with many large companies to improve their environments in many ways.

Some time ago I posted on Splunk Apps the IP Reputation App. I was inspired by the trend of various security vendors establishing reputation databases and including them in their products (next generation firewalls, AV’s etc). There is great value in having this information included in the Splunk platform to put machine data in context.

After two years on apps.splunk.com the app has had over 4,000 downloads so there is a lot of demand. The app performs lookups …

» Continue reading

Deploying Splunk Securely with Ansible Config Management – Part 2

automate all the things

In part one we covered generic deployment of Ansible with a static inventory list. This time, we are going to raise the complexity bar a bit and show you how you can use Ansible to deploy the Splunk environment with a dynamic inventory. Keep in mind that not only can you use this for Splunk, but for other deployable server types in your organization.

Dynamic Inventory

What is a dynamic Inventory and When do I use it?

Dynamic inventory, in our case, is when you have a list of servers and server types that are being destroyed and created very fast. A scenario where this might be needed would be in an auto scalable environment like AWS EC2 where you …

» Continue reading

Top 10 Splunk and Cisco Highlights in 2014

Over the past 7 years Cisco and Splunk have built a broad and multi-faceted relationship.

Internally Cisco IT, security, engineering and other teams use Splunk software every day for operational intelligence and security analytics. Cisco shared details at Splunk’s 2014 user conference in a session titled How Cisco IT Moved from Reactive to Proactive and Even Predictive with Splunk” and Cisco’s CSIRT team commented a blog post on Security Logging in an Enterprise … [W]e moved to Splunk from a traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases.”

Splunk & Cisco have partnered across security, networking, application management, IoT, Big Data and other areas to help our joint customers realize the same …

» Continue reading

Splunk App for Salesforce

Do you manage a Salesforce environment and would like to analyze who is accessing what? Would you like to find out who is exporting sensitive data? Would you like to detect any Salesforce related suspicious activities or any slow running reports, dashboards, SOQL queries?

If the answer to the above is yes, you should check out the Splunk App for Salesforce which has been recently released as a service on Splunk Cloud. This App relies on the Salesforce Event Log File that exposes Salesforce access logs. In addition to that, you can also leverage this app to collect and index any data from the standard Salesforce objects. In other words, you can use this app to index structured and unstructured salesforce data.
For …

» Continue reading

Preparing users for phishing attacks with Splunk

Why waste time and energy trying to crack passwords or hack through some obscure and complex vulnerability when there is a much easier way to breach a computer network?

Want a break in? Just ask for an invitation.

Phishing is probably the simplest way to get reliable, authentic access to a target network. By baiting users into visiting a website or downloading code, hackers can persuade them to hand over valuable access to vital data stored in even the most secure environments.

One Splunk customer in the healthcare industry found an ingenious way to fight back. Techniques they developed with Splunk have helped them harden their network against social engineering attacks and better protect patient data. The tactic has been …

» Continue reading

Mitigating the POODLE Attack in Splunk

By now you are probably tired of seeing poodle memes. Fear not! Instead, I will share mitigation techniques on how to protect Splunk against this attack and leave out the memes.

Let me preface the different techniques by adding some context to the exploitability of POODLE: This attack requires that an attacker have MITM (Man In The Middle) access to your communication between the client and Splunk. This is a important point to keep in mind when considering different mitigation techniques and their aggressiveness. I mention this because many of you do not have your Splunk deployment exposed to the internet architecturally, or require VPN access to your corporate network before a client can access Splunk. This reduces the risk …

» Continue reading

Look at all the pretty colors!

Well, it’s Sunday here in Las Vegas, and  .conf2014 is about to go down. I’m sitting in one of our Splunk University classes at the MGM, with many of our fine customers.

The class is our Power User Bootcamp, and we just finished talking about Splunk’s tagging, event types, and lookup functionalities. One of our more security-minded customers asked “hey – that ability to assign a color to event types in the Splunk search GUI is pretty cool – I’d like to use that to prioritize the events I’m looking at based on the risk profile assigned to a user. From a lookup. Can I do that?”

A second customer said “I like that idea.”

So, since this …

» Continue reading

Finding shellshock (CVE-2014-6271, 7169, 7186, 7187) with Splunk forwarders

UPDATE 9/24/14 (evening): I changed the script a little bit to include platform information in the output by using the uname command and bash version information in the output with –version. This should work on Linux and OSX.

UPDATE 9/25/14: The first script below is specific to find the original shellshock: CVE-2014-6271. The second shellshock vulnerability, CVE-2014-7169, requires a different test. See the script later in the post to cover this.

UPDATE 9/26/14: A whole bunch of useful comments have been added to this post. I have added information at the end of the post in response. I have further updated the scripts. Also, I should point out – if you are looking for information about how Splunk products are

» Continue reading