The Splunk App for Stream – Tracking Open Ports for Security and Compliance – Part 2

In Part 1 of this post we looked at using the Splunk App for Stream to look for open ports on your networked systems. (Hint: Follow the ACK packets.) This post looks at how to keep track of those open ports, and how to detect when a NEW port starts listening.


Of course, Splunk is an extensible tool that gives you the ability to solve problems like this in a number of different ways. The method I’ve chosen to use for this case is the Splunk Key Value Store. This is a new feature in Splunk 6.2 that lets you read and write data within a Splunk app, allowing you to maintain state in that application. Think of storing …

.conf2014 Highlight Series: Splunk Ninjutsu by David Veuve

In our ongoing series of .conf2014 #TBT highlights, we revisit David Veuve’s “Security Ninjutsu” presentation focused on using Splunk for Advanced Correlation, Anomaly Detection and Response Automation.
Skill Level: Advanced
Solution Area: IT Operations, Security
Splunk: Splunk Enterprise

Presentation overview:
Splunk’s analytical capabilities allow security users to leverage advanced correlation and anomaly detection moving beyond basic incident response. Splunk can also take action, ranging from integration with ticketing systems to automatic blocking and beyond. This session walks the audience through automated threat intelligence response, behavioral profiling, anomaly detection, and tracking an attack against the kill chain. Through each of the examples, David reviews the data, how to analyze it, and what actions could be taken, providing reusable examples for how …


Splunk App for Stream: How Can You Use Ephemeral Streams?

Did you know that Splunk App for Stream supports ephemeral streams in addition to permanent ones? Ephemeral stream capture enables you to grab wire data on the fly for a specified period and analyze it in Splunk software. You can start using ephemeral (temporary) streams in a variety of situations: security analysis (see below), improving your application’s performance, or observing network latency during increased traffic conditions (for example, Cyber Monday or another seasonal event).

We have integrated wire data and ephemeral streams in our popular Splunk App for Enterprise Security. From within the app, you can trigger on-the-fly wire data capture based on your search results, events or alerts. With ephemeral streams you can choose to monitor just …


Deploying Splunk Securely with Ansible Config Management – Part 2


In part one we covered generic deployment of Ansible with a static inventory list. This time, we are going to raise the complexity bar a bit and show you how you can use Ansible to deploy the Splunk environment with a dynamic inventory. Keep in mind that you can use this not only for Splunk, but for other deployable server types in your organization.

Dynamic Inventory

What is a dynamic inventory and when do I use it?

Dynamic inventory, in our case, is when you have a list of servers and server types that are being destroyed and created very rapidly. A scenario where this might be needed would be an auto-scaling environment like AWS EC2 where you …


Top 10 Splunk and Cisco Highlights in 2014

Over the past 7 years Cisco and Splunk have built a broad and multi-faceted relationship.

Internally, Cisco IT, security, engineering and other teams use Splunk software every day for operational intelligence and security analytics. Cisco shared details at Splunk’s 2014 user conference in a session titled “How Cisco IT Moved from Reactive to Proactive and Even Predictive with Splunk”, and Cisco’s CSIRT team commented in a blog post on Security Logging in an Enterprise: “… [W]e moved to Splunk from a traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases.”

Splunk & Cisco have partnered across security, networking, application management, IoT, Big Data and other areas to help our joint customers realize the same …


Monitoring Network Traffic with Sysmon and Splunk

Every IT guy has a set of tools that they use every day. One of mine is Sysinternals. It’s a set of Windows utilities made available by Microsoft that do a whole slew of things. You can install them with Chocolatey (another in my toolset) or download and unpack them from the Microsoft website. If you use Windows and this toolset isn’t in your arsenal, maybe it’s time.

Back in August, I got a request from one of our engineers asking me if we had any plans to support the collection of Sysmon data. Sysmon is a Windows system service (yes, another agent) that logs system activity to the Windows Event Log. However, it places all the important stuff in the …


From South Africa to Oslo & shipping to life insurance to sensor data. SplunkLive EMEA customer round up.

It has been a busy few weeks for Splunk EMEA with eight SplunkLive events in Cape Town, Johannesburg, Frankfurt, Vienna, Oslo, Copenhagen, Stockholm and Amsterdam. There have been close to a thousand people hearing some great customer stories about how organisations use Splunk to get operational intelligence across a huge range of different industries. I was lucky enough to be at six of them and thought it would be worth sharing some of the stories from across the region.

It has been a bit of a flying visit to each country with the usual plane-airport-taxi-hotel-presentation-taxi-airport-plane but the range of use cases for Splunk, the many different industries and the different kinds of value the organisations are getting from …


Splunk, Big Data and Healthcare Analytics in the Federal Government – Part 3 DHMSM

Welcome to part three of my three-part blog on the ascending role of big data for healthcare analytics in the federal government. In this final part of the series we look at DHMSM, a very large project to find efficiency and insight in near real time. Part one and part two can be found here and here.

DHMSM and the problem to be addressed

The Department of Defense Healthcare Management System Modernization (DHMSM) Program is administering an RFP for a potential $11B effort which calls for the modernization of the Department of Defense healthcare system by uniting multiple legacy healthcare systems and data stores developed over decades. I’ve reviewed most of the RFP, consisting of over 20 attachments, which also calls for …


The Role of Big Data in Improving the Quality and Efficiency of Healthcare – Part 2 RMADA

In part two of the healthcare analytics topic we take a look at the RMADA RFP.

It is only through measurement that the quality of healthcare delivered can be improved and its delivery made more efficient. The Federal government needs to facilitate the highest quality at the lowest cost. Medicare, Medicaid and the Children’s Health Insurance Program (CHIP) all involve the use of Federal dollars, and the Center for Medicare Services (CMS) has access to a massive amount of data that could be used for planning, analysis, implementation, and rapid-cycle evaluation of innovation, and for determining program effectiveness.

The purpose of the RMADA RFP (contract awarded July 2014) is to solicit bids to “…develop a Research, Measurement, Assessment, …


Splunk, Big Data and Healthcare Analytics in the Federal Government – Part 1 The Veterans Administration

There have been three interesting events that have occurred recently in the area of healthcare analytics that deserve our attention:

  • The passage through the US House and Senate of the Veterans Access to Care through Choice, Accountability, and Transparency Act;
  • The development of a government IDIQ (indefinite delivery/indefinite quantity) contract to develop a Research, Measurement, Assessment, Design, and Analysis (RMADA) capability that will provide analytic support and technical assistance for models and demonstration programs that are derived under the Patient Protection and Affordable Care Act (ACA); and
  • Department of Defense Healthcare Management System Modernization (DHMSM) Program procurement task orders.

These three activities all highlight the need for a big data solution in healthcare that can provide accountability, …
