Splunk and The Top 10 CIO Priorities for State and Local Government

On November 5, 2013, the National Association of State Chief Information Officers (NASCIO) released a member service document representing the top 10 state CIO priorities for 2014. The list presents no surprises as state CIOs try to do more with less, extracting the most value out of every dollar, providing constituent services, protecting customer data and preventing data breaches. The list is almost a mirror image of the benefits our customers are seeing with Splunk. I won’t go through the whole list, but let’s look at the top three.

Security is the number one priority for state CIOs in 2014:

“Security: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security


SplunkLive! DC: Helping Government Make Sense of Machine Data

There are a select number of U.S. cities dominated by certain industries that ultimately help to define those cities. Detroit for cars, Nashville for country music, Pittsburgh for the Steelers and Primanti Brothers – and Washington, DC for government.

Considering there isn’t a single organization or entity in the world with more data than the U.S. government, Washington, DC has been home to annual SplunkLive! events for the past five years. Yesterday, we hosted our largest yet with nearly 750 attendees.

Our Chairman and CEO Godfrey Sullivan kicked off the event with an overview of Splunk’s capabilities in private and public sectors, touching on key points like the importance of machine data for verifying accuracy and how continuous monitoring is imperative …


A Way of Thinking about Big Data and Security

I often get asked questions like, “I like Splunk, but how much data should I be collecting for security purposes? Is there such a thing as too much data? How do I know what matters in my data?”

These are good questions, but unfortunately the answer really can be, “it depends.” I still believe there’s no such thing as too much data for security purposes if you are using Splunk. For me there are only two types of data: the data you are using for security and the data you’ll need later that you didn’t think you needed at the time. There will come a time when security folks will be looking at the fidelity of the data as an …


Cognitive Splunking

Hi! Like Rob Reed I get a little excited when things go meta, and I’ve been spending a lot of time being excited at Splunk. One of the things that makes Splunk such a powerful tool is the fact that you can change your meta-cognition filters around on the fly via the magic of late-binding schemas. Index now, understand later is a pretty awesome trick, because it enables Splunk users to continue learning and leverage new understanding instead of getting stuck in whatever was sensible at the time of indexing. Since I spend my days on security and compliance problems this is an obviously useful mechanism, but I’d like to take a little time to write about why it’s interesting …

Big data, Creativity and What I Learned On My Summer Vacation…

Vacations are good for you. You get a chance to decompress, experience new things and sometimes look at things in a new way or make a connection between things that at first glance may not seem connected at all. When I go on vacation I try to let my mind wander. Usually, I get rewarded with an epiphany or two that I take back to work when the vacation is done.

This vacation I read Imagine: How Creativity Works, by Jonah Lehrer, 2011, published by Canongate, London. At 253 pages, it wasn’t a very long read, but as a former security practitioner it got me thinking a lot about the role of imagination and creativity in a security practice. Science …


APAC Partners “Splunk Apps of the Year” Competition

Use Cases, Use Cases and more Use Cases. During the APAC Partner Kick Off, we recently crowned a few apps and named them the “Splunk Apps of the Year”. Before that, we had issued a Call for Submissions back in December 2011 and invited all our APAC partners to participate in this competition. The response was overwhelming: we received 15 best-of-breed apps that showcase just how Splunk can be used across industries.

Bounded by a set of Judging Criteria, we began the arduous task of scoring the apps. There weren’t any quick conclusions, as each and every one of the apps was stellar and we had to go through 23 rounds of debates and discussions …


Splunk and the Cybersecurity Act of 2012

“The United States confronts a dangerous combination of known and unknown vulnerabilities in the cyber domain, strong and rapidly expanding adversary capabilities, and limited threat and vulnerability awareness.”[1]

I recently listened to the final set of hearings on the Cybersecurity Act of 2012. The bill was developed, “…in response to the ever-increasing number of cyber attacks on both private companies and the United States government.” The bill is really about protection of critical infrastructure, whether it is managed, owned or operated by the government or by the private sector. It’s a bipartisan bill and combines efforts from past sessions of the Senate Commerce, Homeland Security and Governmental Affairs, and Intelligence Committees. The bill would empower the Department …


Three Splunk 4.3 features security pros should start using today

There is a lot to like in Splunk 4.3 for security use cases, but three items should be of particular interest to security professionals.

Sparklines – Adding Time to Tables for Reporting

I use tables of information in several of the security reports I create. Usually I’ll want to track a particular type of event and include the number of times it happens, along with an average over a period of time. This allows me to benchmark a particular threshold and use it as the impetus for an investigation. For example:

I want to track the number of successful accesses against assets where critical data is stored over a twenty-four hour period by user. My table will contain the name …
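The following search is an added example of the kind of report described above, written here in Splunk's search language; it is not from the original post. The index name `access_logs`, the sourcetype `app_access`, the fields `action`, `host` and `user`, and the lookup `critical_assets` (which maps a host to a `data_class` field) are all assumptions for the example and will differ in any real environment. It counts each user's successful accesses to critical-data assets over the last 24 hours, compares that count against the same user's daily average over the preceding seven days, keeps only users who exceed twice their own baseline, and renders the trend as a sparkline in the table:

```spl
index=access_logs sourcetype=app_access action=success earliest=-8d latest=now
| lookup critical_assets host OUTPUT data_class
| search data_class=critical
| eval period=if(_time >= relative_time(now(), "-24h"), "last24h", "baseline")
| stats count(eval(period="last24h")) AS accesses_24h,
        count(eval(period="baseline")) AS baseline_total,
        sparkline(count, 4h) AS trend
        BY user
| eval baseline_daily_avg=round(baseline_total / 7, 1)
| eval threshold=baseline_daily_avg * 2
| where accesses_24h > threshold
| table user, accesses_24h, baseline_daily_avg, threshold, trend
| sort - accesses_24h
```

The `sparkline(count, 4h)` stats function, new in 4.3, adds the time dimension to the table: each row carries a small chart of that user's access counts in four-hour buckets across the whole eight-day window, so a reviewer can see at a glance whether a spike is a one-off or a sustained change. Two caveats worth knowing before relying on a report like this: a user with no activity in the baseline week gets a threshold of zero and will appear on the first access, which is usually what you want for a critical asset but should be a conscious choice; and the sparkline column only renders as a graph in the Splunk UI, so exported CSV output will show the underlying numbers instead.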


Big-data for Security: A new strategy against hackers

The recent article, “China Hackers Hit U.S. Chamber,” in the Wednesday, December 21, 2011, online version of the Wall Street Journal highlights yet another in a growing list of cyber attacks against US companies.

According to the article, the attack apparently started with a spear phishing scheme and social engineering tactics targeting a single employee in 2009. The attack followed a typical path of spreading to other systems, hiding behind credentialed activity, creating backdoors for access, reporting back to the attacker weekly, and granting the attacker remote access to Chamber member information and business policy documentation.  The bad guys even gained access to an HVAC system at a housing unit owned by the Chamber.

There are some notable …


The sale of Q1 Labs and Nitro Security: An inflection point for SIEM

Several people have asked for my feelings about the sale of Q1 Labs to IBM and Nitro Security to Intel/McAfee. In general, I can understand why Nitro and Q1 may have concluded that this is a good time to sell their businesses.

Personally, I classify these two companies as very good at what they do: watching for what I’d call ‘known threats’ as reported from other signature- and rule-based systems. At the same time, traditional SIEM vendors such as Q1 and Nitro face many stresses. I believe that both Nitro and Q1 are challenged by ongoing support for specific data types, scalability, and new threats, namely Advanced Persistent Threat (APT) style malware deposited on systems using social engineering that can …
