Overcoming Cybersecurity Resource Challenges in Government
At a hearing on cybersecurity and protecting taxpayer information held by the Senate Finance Committee last month, the IRS Commissioner, John Koskinen, testified that the agency faces the loss of key IT and data security personnel over the next year. He attributed this to pay discrepancies between the private and public sector as part of his appeal to renew a lapsed law that boosted the pay of top-notch personnel temporarily recruited from the private sector.
While it is important to ensure that talent is rewarded appropriately, the cybersecurity issue goes deeper than retention of highly trained personnel. For one, agencies are strewn with dozens of disparate security products procured over the years that are managed and operated in silos. …
Enriching threat feeds with WHOIS information
It has been almost 2 years since I spent a summer in Seattle interning with the Splunk Security Practice (SecPrax) Team. Damn, time flies! The Splunk Security community is growing every day, due to the unbelievable amount of flexibility, visibility and insight Splunk Enterprise offers for all data, and, as I have learned, all data is security-relevant. Now back at Splunk to work with the Security Research team, this is my first blog post and I would like to hear what you people have got to say about it, so please leave feedback or a comment.
What am I missing while doing threat intelligence?
While doing some research looking for threat intelligence data sets to ingest into Splunk, I realized there can be …
Lessons learned from the “SWIFT” Attack
Unfortunately, somewhere in the world a big party must be going on. In February hackers successfully compromised a bank connected to the SWIFT Network in Bangladesh, stealing $81 million, as reported by Reuters earlier this week. While the computer system in Bangladesh seems to have missed a number of IT security best practices, the incident shows that a connected system, even one designed to be closed, can be compromised through its weakest supplier, compromising the whole system.
It’s mind-blowing to see how much subject matter expertise the hackers must have had about the SWIFT System.
Have we seen this attack in our network, too?
The chances that …
.conf2015 Highlight Series: City of LA and Splunk Cloud as a SIEM for Award-Winning Cybersecurity Collaboration
Registration and call for papers is now open for Splunk .conf2016. We can’t wait to host you all at the Walt Disney World Swan and Dolphin Resorts in Orlando, Florida; September 26-29, 2016.
During last year’s Splunk .conf2015 we were lucky to have Timothy Lee, the CISO of the City of Los Angeles, share his case study on why his department chose Splunk Cloud as a SIEM for one of their cybersecurity initiatives and how it is used. Though we’re summarizing his key points in this post, you can get the complete picture by checking out a recording of Tim’s presentation, and access to his slides, at the bottom of this post.
Tim began …
Announcing Splunk Add-on for Microsoft Cloud Services
I am pleased to announce the availability of the Splunk Add-on for Microsoft Cloud Services. Released on April 1st 2016, this add-on, which is available on Splunkbase, gives Splunk admins the ability to collect events from various Microsoft Cloud Services APIs. This first release includes:
- Admin, user, system, and policy action events from a variety of Office 365 services such as SharePoint Online and Exchange Online, and other services supported by the Office 365 Management API.
- Audit logs for Azure Active Directory, supported by the Office 365 Management API.
- Current and historical service status, as well as planned maintenance updates for a variety of services supported by the Office 365 Service Communications API.
If you are wondering …
Developing Correlation Searches Using Guided Search
Guided Search was released in Splunk Enterprise Security 3.1, nearly two years ago, but is often an overlooked feature. In reality, it is an excellent tool for streamlining the development of correlation searches. The goal of this blog is to provide a better understanding of how this capability can be used to create correlation searches above and beyond those that ship with Enterprise Security, to meet your unique security requirements.
So what is Guided Search?
It’s a “wizard”-like process to gather the key attributes that make up a correlation search. Essentially, there are five elements to Guided Search:
- Identify the data set to search
- Apply a time boundary
- Filter the data set (optional)
- Apply statistics (optional)
- Establish thresholds (optional)
Along the way, …
Splunk and Moviri – driving Italian Operational Intelligence at UniCredit, Yoox/Net-A-Porter & Saipem
Last week we ran SplunkLive! Italy in Milan and Rome. I was lucky enough to be in Milan and spend some time with the Splunk team and also with one of our key partners, Moviri. We’ve been working with Moviri for many years and together we have delivered some outstanding examples of Operational Intelligence using machine data. Moviri is a leader in IT optimization in Italy, focusing on security, analytics, and monitoring operations. The customer speakers in Milan were UniCredit, Yoox/Net-A-Porter and Saipem. UniCredit presented their excellent story on delivering IT Operational Analytics, Yoox presented real-time security intelligence, and Saipem presented how they use the platform for multiple use cases in Oil and Gas. All three customers have gained significant …
Back from GISEC 2016 – The day the lights went out
I’m just back from GISEC 2016 in Dubai, a great show that brought information security professionals together from across the region. On the Splunk stand we gave out lots of T-shirts, but more importantly we had great conversations about how Splunk can help small and big organizations solve their big data and security problems. Examples in the region include Dubai Smart Government, Al Rajhi Bank (Saudi Arabia) and Saudi Arabian Airlines, which are all using Splunk to analyze their log data for different functions. These range from security to IT operations and IoT, which Splunk is a great fit for.
There were several keynotes with great messages that I wanted to share:
Nigel Gibbons, Global Advisory …
Splunk maintenance releases and patch to address the DROWN OpenSSL vulnerability
Today, we published a number of maintenance releases that include updates to the OpenSSL package in order to address the DROWN vulnerability.
Download Splunk Enterprise 5.0.15, 6.0.11, 6.1.10, or 6.2.9 from https://www.splunk.com/page/previous_releases
Download Splunk Light 6.2.9 from https://www.splunk.com/page/previous_releases/splunk_light
Download HUNK 6.2.9 from https://www.splunk.com/page/previous_releases/hunk
Patches available for users on 6.3.x
If you can upgrade to 6.4, you should absolutely do that. In addition to a bunch of great new features, the 6.4.0 release contains the updated OpenSSL package. However, if you’re not able to upgrade to 6.4, we’ve made patches available on the 6.3.x codeline to get you through until the upcoming 6.3.4 release (which will …
Building add-ons has never been easier
Speaking from personal experience, building add-ons has never been the easiest task for me. There are numerous steps required, and each step may come with its own challenges. Worse, I might spend time on a solution just to hear it wasn’t best practice.
Wouldn’t it be great if there was a way to make this process easier by equipping developers, consultants, and Splunk Admins with the right tool to build their own add-ons? To take it a step further, wouldn’t it be even better if this tool actually helps you build the add-on by following tried and true best practices?
Allow me to introduce you to the Splunk Add-on Builder that helps to address the challenges highlighted above. Splunk Add-on …