101 things the mainstream media doesn’t want you to know about PowerShell logging*

powershell_recipe

At .conf2016 Steve Brant and I presented on how to detect PowerShell maliciousness using Splunk [2]. The only problem is, if you didn’t attend the conference and only read the PowerPoint slides you might say something like “Your presentation is just big photos and SPL”. Which is true. Frankly, we like big fonts and we cannot lie. You other presenters may deny. That when a deck goes up with a big sans-serif font and a bright image in your eyes you get… distracted by where I am going with this paragraph. As such, we are going to create blog postings of our presentation for those of you who didn’t attend our talk in person. In this missive …

» Continue reading

Important information for customers using Splunk Enterprise 6.2 or earlier

Do you use SSL to secure Splunk Enterprise? Are you still using Splunk Enterprise version 6.2 or earlier? If you answered yes to both of these questions, please read on.

Securing communication with your Splunk instance can be essential in today’s digital environment, especially if it is collecting sensitive information. If communication to/from your Splunk instance can be easily intercepted (e.g. public access to SplunkWeb, Forwarders outside firewall) then this communication should be encrypted using SSL. Additionally, security functionality is constantly being enhanced to combat the evolving threat landscape so you should stay on as current a version of Splunk as possible.

You may have heard that the OpenSSL Software Foundation will cease support for OpenSSL version 1.0.1 as …

» Continue reading

Analyzing the Mirai Botnet with Splunk

On September 20th, the largest Distributed Denial of Service attack ever recorded targeted security researcher Brian Krebs. This attack was made up of Internet of Things (IoT) devices such as cameras, wireless controllers and internet enabled devices peaking at 400,000 total. Now dubbed the “Mirai botnet”, these devices scanned the internet for devices running telnet and SSH with default credentials, infecting them and further propagating. The source code for the botnet has since leaked to GitHub, where further analysis is underway by security researchers.

During the infection time period, I happened to be running a honeypot and captured some infection attempts on my own system. Using Suricata and /var/log/secure.log I can correlate invalid login attempts associated with Mirai with malicious …

» Continue reading

Secure Splunk Web in Five Minutes Using Let’s Encrypt

Configuring SSL for your public facing Splunk instance is time-consuming, expensive and essential in today’s digital environment. Whether you choose to go with a cloud provider or self-hosting; RTFM-ing how to generate the keys correctly and configuring how Splunk should use them can be quite confusing. Last year, a new certificate authority Let’s Encrypt was born in an effort to streamline the CA process and make SSL encryption more widely available to users (The service is FREE). In this short tutorial, we will cover how to make use of this new CA to secure your Splunk instance and stop using self-signed certs.  Using SSL will help you to secure your Splunk instance against MITM attacks. Let’s Encrypt utilizes all of …

» Continue reading

Adapting Your Security Strategy in the Ever-Changing Threatscape

event-logo-us16
The modern threat landscape is constantly changing. How can an organization maintain mission and business focus in the presence of an evolving adversary? If we take a business centric approach, technology leaders will tell you that the organizations security posture and capability should evolve to maintain parity with mission and business priorities.

Balancing the demands of the changing threat with demands of the changing business can sometimes appear incompatible. Of course one can’t simply overhaul the security infrastructure every time there is a new class of threats. Ransomware is getting quite a few headlines these days, but that doesn’t mean some of the traditional problems of rogue devices gaining access to your network are going away.

To combat the ever …

» Continue reading

Collaboration is the Key to Government Innovation

I recently participated in a panel while attending the Bloomberg RE/BOOT event in Washington, D.C. The focus of the panel was how to improve partnerships between government and industry. We started by discussing how industry can better partner with government agencies to strengthen cybersecurity in the United States. At Splunk, we solve problems by viewing the overall security solution from an ecosystem lens. Splunk technologies are just one part of that ecosystem. To address challenges in a government environment, we see our operational intelligence platform as the foundation that serves as the nerve center of the security operations ecosystem. No single solution or technology can solve every government problem, but together, industry technology leaders can partner with agencies to tackle …

» Continue reading

2016 Scalar Security Study – The Cybersecurity Readiness of Canadian Organizations

This is a guest post contributed by Aoife Mc Monagle, Director, Marketing & Communications at Scalar Decisions
scalar-NoTagline_4CAs Canada’s #1 IT security company, Scalar spends a lot of time advising clients on how to manage cybersecurity risk. We also spend time researching the market to better understand the needs of Canadian clients and how they are dealing with cybersecurity today. In February 2016, we published our second annual security study: The Cyber Security Readiness of Canadian Organizations.

Our objective was to examine changes in the cyber threat landscape, and what strategies, tactics, and technologies respondents were finding most useful in combatting these threats.

2016-scalar-security-study-the-cyber-security-readiness-of-canadian-organizations-1-638

The findings showed that the landscape was generally getting worse year-over-year: more attacks, more breaches, …

» Continue reading

.conf2015 Highlight Series: City of LA and Splunk Cloud as a SIEM for Award-Winning Cybersecurity Collaboration

Updated June 23, 2016:

Screen Shot 2016-06-23 at 1.29.51 PMWe are pleased to announce the City of Los Angeles was recently presented with the City on a Cloud award at the AWS Public Sector Summit in Washington, DC. The City on a Cloud Innovation Challenge recognizes and celebrates local and regional governments in three categories: Best Practices, Partners in Innovation and Dream Big. The City of Los Angeles was selected as the Best Practices winner for its use of innovative, world-class cybersecurity to protect digital assets and deployment of a unique, cloud-based security information and event management (SIEM) solution for the Integrated Security Operations Center (ISOC), to help consolidate, maintain, and analyze security data across the city’s departments.

All of the below was first published

» Continue reading

Full-Scale Operational Intelligence Through CDM

SplunkGov LogoIn the face of high-profile breaches and increasingly sophisticated hackers, the Federal Government’s Continuous Diagnostics and Mitigation (CDM) program is one of the most important and widely discussed cybersecurity initiatives in recent history.

Did you know that Splunk Enterprise will be used at 25 of the largest civilian departments and agencies covering 97% of the federal civilian government workforce?

On Wednesday, May 11, I spoke at the Face-to-Face Cybersecurity CDM event hosted by FCW to discuss how Splunk’s solutions and government’s CDM program fit together. As Nick Murray noted in a recent blog post, the CDM program makes tools and services available to agencies via a government wide contract to help them identify cybersecurity risks on an ongoing basis, prioritize …

» Continue reading

What’s North of the Wall? Why cybersecurity is like Game of Thrones.

Cybersecurity winter is coming

Firstly, I was late to Game of Thrones but I’m now hooked. Here in the UK it is on TV on a Monday night so I spend most of Monday avoiding spoilers after it has shown the night before in the US. Secondly, this post tries to frame the modern cyber security landscape through a Game of Thrones lens and I have to warn you it might get a bit geeky.

If you haven’t ever seen Game of Thrones (GoT) it is the story of politics, war, power, dragons and a growing threat from an army of undead (called the White Walkers) north of a massive wall (according to the GoT wiki it is 300 miles long, 700 feet …

» Continue reading