APAC Partners “Splunk Apps of the Year” Competition
Use Cases, Use Cases and more Use Cases. During the APAC Partner Kick Off, we recently crowned a few apps and named them the “Splunk Apps of the Year”. Before that, we had a Call for Submissions back in December 2011, and had invited all our APAC partners to participate in this competition. The response was overwhelming, and we received 15 best-of-breed apps that showcase just how Splunk can be used across industries.
Bounded by a set of Judging Criteria, we began the arduous task of scoring the apps. There weren’t any firm conclusions, as each and every one of the apps was stellar and we had to go through 23 rounds of debates and discussions…
Splunk and the Cybersecurity Act of 2012
“The United States confronts a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness.”[1]
I recently listened to the final set of hearings on The Cyber Security Act of 2012. The bill was developed “…in response to the ever-increasing number of cyber attacks on both private companies and the United States government.” The bill is really about critical infrastructure protection, as may be managed, owned or operated by either the government or the private sector. It’s a bipartisan bill and combines efforts from past sessions of the Senate Committees on Commerce, Homeland Security and Governmental Affairs, and Intelligence. The bill would empower the Department…
Three Splunk 4.3 features security pros should start using today
There is a lot to like in Splunk 4.3 for security use cases, but three items should be of particular interest to security professionals.
Sparklines – Adding Time to Tables for Reporting
I use tables of information in several of the security reports I create. Usually I’ll want to track a particular type of event and include the number of times it happens along with an average over a period of time. This allows me to benchmark a particular threshold and use that as the impetus for an investigation. For example:
I want to track the number of successful accesses against assets where critical data is stored over a twenty-four hour period by user. My table will contain the name…
Big-data for Security: A new strategy against hackers
The recent article, “China Hackers Hit U.S. Chamber,” in the Wednesday, December 21, 2011, online version of the Wall Street Journal highlights yet another in a growing list of cyber attacks against US companies.
According to the article, the attack apparently started with a spear phishing scheme and social engineering tactics targeting a single employee in 2009. The attack followed a typical path of spreading to other systems, hiding behind credentialed activity, creating backdoors for access, reporting back to the attacker weekly, and granting the attacker remote access to Chamber member information and business policy documentation. The bad guys even gained access to an HVAC system at a housing unit owned by the Chamber.
There are some notable takeaways…
The sale of Q1 Labs and Nitro Security: An inflection point for SIEM
Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.
Personally, I classify these two companies as very good at what they do—to watch for what I’d call ‘known threats’ as reported from other signature and rule based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, scalability, and new threats—namely Advanced Persistent Threat (APT) style malware deposited on systems using social engineering that can…
The effective security buyer
Sometimes I’m glad I keep around the mounds of free trade publications that tend to pile up on my desk. About once a month I start going through the stack, but I never quite finish. I got through placing 4 or 5 publications into the recycling bin before I read How to be an effective security buyer by Andreas M. Antonopoulos in the May 2011 online edition of Network World. This article (more than others I’ve read) takes a basic and practical approach to the hard buying decisions (and trade-offs) we all have to make. The buying decision criteria are crisp and fresh and discourage simply relying on vendors that would…
Monitoring the Effectiveness of a Security Awareness Program
I was at a CISO summit in Atlanta, and one of the CISOs gave a presentation on creating a security awareness program. He was able to get good support throughout the organization, enlisting the help of the marketing department, legal department and other groups. His team created videos about laptop theft and password sharing that featured a character called the Data Thief. Yet they were challenged on how to measure its effectiveness. They ended up creating a number of surveys that they used to get some sense of the effectiveness of the program. According to the survey, overall security awareness rose throughout the organization. In a conversation with him afterwards, I asked him if they’d thought about using log data…
Splunklive Charlotte: nTelos, UNC and Cisco Present
Last week the Splunklive program rolled into Charlotte, NC. Given the commercial importance of this city and the level of interest we saw today, this was probably overdue. And besides, it was a really good day—great customer presentations, serious audience interest, excellent southern food, and possibly the best weather in the U.S.
nTelos: Management Dashboards in Hours
John Lewis, Manager of IT Assurance for this provider of wireless and wireline services, had some choice quotes about Splunk. “Splunk was brought in for security and compliance, and is now a ‘knowledge sharing system’. Splunk is an eye-opener.” And “Splunk is a data warehouse for IT and business data.”
The IT Assurance Group is an internal oversight group responsible for Information Security,…
SIEM Event Management – It’s Time to Break the Rules
Recently Splunk published a document regarding Splunk and SIEM integrations that outlines the challenges faced by many federal and commercial customers. The challenges are well known and revolve around scalability as well as expanding beyond defined rules for true situational awareness. Splunk provides great value to SIEM customers because we can provide the true “common operational picture” by allowing analysts to look at all the data from one console, in real time. We do this with terabytes of data and continue to address scaling issues with customers worldwide.
The document provides details on how Splunk integrates and serves as the critical tool that not only integrates with SIEM, but with other key underlying technologies. This paper positions Splunk as…
Largest SplunkLive yet hits the Nation’s Capital featuring IT Gurus from The Washington Post and Federal Agencies
More than 200 people joined us last week in Washington, DC for our largest SplunkLive ever, doubling the number of attendees from the 2009 SplunkLive DC event! Representatives from great companies like BAE, Comcast, Lockheed Martin, McAfee, Qwest Communications and Verizon, and representatives from nearly every branch of the Federal government, were in attendance.
Splunk’s Co-Founders Erik Swan and Rob Das started the day detailing why they created Splunk. Everyone knew there was value in IT data, but the way to search and understand it was complex and troublesome. Google was great for easily and logically finding information on the World Wide Web. Why not apply the same thinking to our log files and IT data? And…