Introducing the Cisco Security Suite for Splunk 6
I know. I normally blog about Microsoft stuff. Recently, however, I’ve been helping out on another project – updating the Cisco Security Suite to be compatible with Splunk 6. The Cisco Security Suite is the most downloaded app on Splunkbase behind the *Nix and Windows apps, and it exposes Cisco-specific information about your Cisco security devices.
We had many aims for this project, aside from just upgrading everything to work with Splunk 6. We wanted it to use the Technology Add-ons that you may already have from a deployment of Enterprise Security. If you were considering an upgrade to Enterprise Security in the future (and you should – it’s awesome), then we wanted the data you have already …
Splunk and The Top 10 CIO Priorities for State and Local Government
On November 5, 2013, the National Association of State Chief Information Officers (NASCIO) released a member service document representing the top 10 state CIO priorities for 2014. The list presents no surprises as state CIOs try to do more with less, extracting the most value out of every dollar, providing constituent services, protecting customer data and preventing data breaches. The list is almost a mirror image of the benefits our customers are seeing with Splunk. I won’t go through the whole list, but let’s look at the top three.
Security is the number one priority for state CIOs in 2014:
“Security: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security …
As a CIO in a high tech company, it’s always great to get the chance to either speak on behalf of the company or hear from customers who are excited about your products. Last week I had both experiences at SplunkLive Orlando. Best of all was hearing three customers, Satcom Direct, Century Link, and PSCU. Between these, we had a database architect, security architect and VP Technology & Development all share how much of a difference Splunk had made in solving problems they could not have addressed in the past.
Favorite quotes: David from PSCU noted that for security use cases they were able to laser focus on what interested them and eliminate background noise. Khalid from Century Link noted …
Tuning Enterprise Security correlation searches
Here’s a nifty ES tuning tip that you might enjoy. We’ll be using some handy macros that are documented at Working_with_Notable_Events_from_Search, if you’d like to read up on the background.
What’s the most expensive, valuable, and constrained resource in a security team?
How many security analysts are there?
| `notable_owners` | stats count | eval sec_analysts=(count-1)
How long does it take them to forensically analyze an incident? We can get some hints by looking at the amount of review activity… Audit > Incident Review Audit and Audit > Suppression Audit are of course useful, but you can also do this sort of thing:
| `incident_review` | search status_default=false | timechart span=1day count by reviewer usenull=f
“Forensically analyze” …
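As an added example (not part of the original post and not Enterprise Security code), the following Python reproduces the two searches above on constructed data and takes the reasoning one step further: it compares each correlation search's daily notable volume with the review throughput the team actually achieves, which is the comparison that tells you which searches to tune first. Field names mirror the SPL (reviewer, status_default, rule_name); the rows, the owner list, the rule names and the assumption that `notable_owners` returns one placeholder entry alongside the real analysts (the reason for the count-1 above) are all assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample data for this example; the rows are made up, but the
# field names mirror the SPL on the page (reviewer, status_default, rule_name).
# ASSUMPTION: `notable_owners` returns one placeholder entry ("unassigned")
# alongside the real analysts, which is why the page does count-1.
OWNERS = ["unassigned", "alice", "bob", "carol"]

# One row per reviewer action, as Incident Review Audit shows them.
INCIDENT_REVIEW = [
    {"_time": "2013-11-04T09:12:00", "reviewer": "alice", "status_default": "false"},
    {"_time": "2013-11-04T10:40:00", "reviewer": "alice", "status_default": "false"},
    {"_time": "2013-11-04T14:05:00", "reviewer": "bob",   "status_default": "false"},
    {"_time": "2013-11-05T08:30:00", "reviewer": "alice", "status_default": "false"},
    {"_time": "2013-11-05T11:15:00", "reviewer": "carol", "status_default": "false"},
    {"_time": "2013-11-05T16:50:00", "reviewer": "carol", "status_default": "false"},
    # status_default=true: the notable still sits at its default status, so
    # nobody has really worked it; the page's `search status_default=false`
    # drops rows like this one.
    {"_time": "2013-11-05T17:00:00", "reviewer": "bob",   "status_default": "true"},
]

# Notables per correlation search per day, pre-aggregated the way a
# `... | stats count by rule_name, day` would return them (constructed).
NOTABLES = [
    {"day": "2013-11-04", "rule_name": "Brute Force Access Behavior Detected", "count": 22},
    {"day": "2013-11-05", "rule_name": "Brute Force Access Behavior Detected", "count": 18},
    {"day": "2013-11-04", "rule_name": "Excessive Failed Logins", "count": 1},
    {"day": "2013-11-05", "rule_name": "Excessive Failed Logins", "count": 3},
    {"day": "2013-11-04", "rule_name": "Host With Multiple Infections", "count": 2},
]


def count_analysts(owners, placeholder="unassigned"):
    """Same result as `notable_owners | stats count | eval sec_analysts=(count-1)`."""
    return sum(1 for o in owners if o != placeholder)


def reviews_by_day_and_reviewer(rows):
    """Same shape as `incident_review | search status_default=false
    | timechart span=1day count by reviewer usenull=f`: {day: Counter(reviewer)}."""
    out = defaultdict(Counter)
    for r in rows:
        if r["status_default"] != "false":
            continue
        out[r["_time"][:10]][r["reviewer"]] += 1
    return out


def daily_review_capacity(rows, analysts):
    """Observed reviews per analyst per day, scaled up to the whole team.
    A crude capacity figure, but it is the number notable volume competes with."""
    by_day = reviews_by_day_and_reviewer(rows)
    total = sum(sum(c.values()) for c in by_day.values())
    per_analyst_day = total / (analysts * len(by_day))
    return per_analyst_day * analysts


def rules_exceeding_capacity(notables, capacity):
    """Correlation searches whose average daily notable volume is above what
    the team can review, highest first: the first candidates for tuning."""
    per_rule = Counter()
    days = set()
    for n in notables:
        per_rule[n["rule_name"]] += n["count"]
        days.add(n["day"])
    avg = {rule: total / len(days) for rule, total in per_rule.items()}
    flagged = [(rule, v) for rule, v in avg.items() if v > capacity]
    return sorted(flagged, key=lambda rv: rv[1], reverse=True)


if __name__ == "__main__":
    analysts = count_analysts(OWNERS)
    capacity = daily_review_capacity(INCIDENT_REVIEW, analysts)
    print(f"analysts={analysts} capacity={capacity:.1f} reviews/day")
    for rule, volume in rules_exceeding_capacity(NOTABLES, capacity):
        print(f"tune: {rule} averages {volume:.1f} notables/day")
```

On the constructed data three analysts close about one notable each per day, so any search averaging more than three notables a day is generating work nobody will ever look at; that is the search to throttle, whitelist or raise the threshold on first.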
BoxWorks and Cloud Security
Will be at BoxWorks next week speaking during the afternoon keynote about Splunk’s use of Box as our document management platform. Part of the discussion will focus on what we are doing in terms of securing our cloud assets, and it will be no surprise that we use Splunk to track access, failed login attempts, and other metrics to monitor use of our information. This will be enhanced in the coming weeks as we complete a Splunk App for Box which will set up the real time feed from the Box platform into our internal environment. A sample of the type of dashboards we can produce is shown herein (top logins into Box over the last 30 days) but some …
SplunkLive! DC: Helping Government Make Sense of Machine Data
There are a select number of U.S. cities dominated by certain industries that ultimately help to define those cities. Detroit for cars, Nashville for country music, Pittsburgh for the Steelers and Primanti Brothers – and Washington, DC for government.
Considering there isn’t a single organization or entity in the world with more data than the U.S. government, Washington, DC has been home to annual SplunkLive! events for the past five years. Yesterday, we hosted our largest yet with nearly 750 attendees.
Our Chairman and CEO Godfrey Sullivan kicked off the event with an overview of Splunk’s capabilities in private and public sectors, touching on key points like the importance of machine data for verifying accuracy and how continuous monitoring is imperative …
Last year, I created an app template to detect whether your users went to a phishing web site where you would supply the app the sourcetype name of your proxy logs and the URL destination field where they went. You can still download this Phishing app template from Splunkbase. In the same manner, I have created an app template called SQL Injection Search that you can download from Splunkbase.
Install the app and provide either of the two form search dashboards the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in the sourcetype that represents the URI query string (e.g., uri_query). One form search uses patterns to detect if possible SQL …
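As an added example, and not the app's own code, here is the kind of check the pattern-based form search performs, done in Python over a few constructed access_combined lines: parse the line, extract uri_query, URL-decode it and test it against a small set of SQL injection patterns. The log lines, the pattern set and the function names are all constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access_combined lines for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2013:10:15:01 +0000] "GET /products.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2013:10:15:07 +0000] "GET /products.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2013:10:15:12 +0000] "GET /login.php?user=admin%27--&pass=x HTTP/1.1" 302 0 "-" "sqlmap/1.0"
10.0.0.12 - - [12/Nov/2013:10:16:00 +0000] "GET /search.php?q=union+select+username%2Cpassword+from+users HTTP/1.1" 200 4411 "-" "curl/7.30"
10.0.0.7 - - [12/Nov/2013:10:16:30 +0000] "GET /search.php?q=red+union+suit HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Nov/2013:10:17:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Field layout of the access_combined sourcetype.
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

# A small, illustrative pattern set, applied to the *decoded* query string.
# Each entry names the injection idiom it targets.
SQLI_PATTERNS = [
    ("quote_tautology", re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=\s*'?\d*", re.I)),  # 42' OR '1'='1
    ("comment_terminator", re.compile(r"'\s*(--|#|/\*)")),                       # admin'--
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),         # union select ...
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),  # ; drop table
]


def parse_access_combined(line):
    """Return the line's fields as a dict plus uri_query, or None if it does not parse."""
    m = ACCESS_COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["uri_query"] = urlsplit(rec["uri"]).query
    return rec


def sqli_matches(uri_query):
    """Names of the patterns the query string hits. Decoding twice catches the
    double-encoded payloads scanners use to slip past a single decode."""
    decoded = unquote_plus(unquote_plus(uri_query))
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log(text):
    """(clientip, uri, matched pattern names) for every request that trips a pattern."""
    hits = []
    for line in text.splitlines():
        rec = parse_access_combined(line)
        if rec is None or not rec["uri_query"]:
            continue
        names = sqli_matches(rec["uri_query"])
        if names:
            hits.append((rec["clientip"], rec["uri"], names))
    return hits


if __name__ == "__main__":
    for clientip, uri, names in scan_log(SAMPLE_LOG):
        print(f"{clientip} {uri} -> {', '.join(names)}")
```

Two things worth carrying over into whatever search you build on this: match against the decoded query string, never the raw one, or every percent-encoded payload sails past; and expect false positives from any keyword list (the "red union suit" search above is harmless because the pattern insists on both keywords, but looser patterns will page you for product names and free text), so treat these hits as a queue to review rather than an alert on their own.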
Splunk Joins Public-Private Partnership to Improve Cybersecurity
Last week Splunk joined several other companies at U.S. NIST’s signing ceremony symbolizing our participation and partnership in the National Cybersecurity Center of Excellence (NCCoE).
There’s no doubt that there is a critical need to protect private-sector intellectual property and other valuable business data from a growing number of cyber threats. This partnership illustrates our commitment to the spirit of collaboration while providing real-world cybersecurity capabilities that address business needs.
The NCCoE has three key goals:
- Provide practical cybersecurity – Help people secure their data and digital infrastructure by equipping them with practical ways to implement cost-effective, repeatable and scalable cybersecurity solutions.
- Increase rate of adoption – Enable companies to rapidly adopt commercially available cybersecurity technologies by reducing their total cost
More Breaches and More Accusations Against the Chinese
This past week several very prominent American news organizations publicly admitted having their computer systems hacked into, and explicitly blamed the Chinese government:
“Chinese hackers suspected in attack on The Post’s computers” – The Washington Post
“A Cyberattack From China” – The New York Times
“Chinese Hackers Hit U.S. Media” – The Wall Street Journal
There are several aspects of these events that seem to herald a change in this now familiar story of computer breaches reportedly being conducted by the Chinese. First is the public acknowledgement of the targeting of an apparent industry / sector – by that sector itself. (Obviously, the oil and financial services sectors have been explicitly targeted previously, but …
Another Wireless Security Problem
For years now, information security professionals have worried about the security of wireless connectivity to our organizational networks. “Wireless” has typically been defined, informally at least, as Wi-Fi. We have tended to discount security concerns about Bluetooth because of its supposedly short range – officially stated as approximately 1 to 100 meters, depending upon the class of the device. That is in spite of the known threat of so-called Bluesniping. (See, for example, “‘Rifle’ Sniffs Out Vulnerability in Bluetooth Devices”.)
Because most Wi-Fi WAPs (wireless access points) have very limited processing and storage capabilities, authentication to WAPs is generally handled as a shared secret by the WAP itself, or through the external interface of a firewall connecting to an …