Find Malicious Insiders Before You Become a Headline

Screen Shot 2017-02-14 at 10.13.21 AMThe media is filled with reports of Russia’s possible influence over the U.S. presidential elections. While American security agencies are investigating the Kremlin’s possible involvement in a hack of the Democratic National Committee, a U.S. Intelligence Service unclassified report suggests the Russians motive, at least in part, may have been retaliation for the U.S. working with a malicious insider to leak news of a Soviet Olympic athlete doping scandal.

Regardless of whether the report is true, it reveals a growing concern over insider threats for foreign governments everywhere. Countries such as Canada are heavily investing to protect its citizens against insider and foreign attacks, while the U.S. Department of Defense Inspector General found in a recent audit that the U.S. …

» Continue reading

Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables.  Another capability that was added, but has received less attention is a new type of search that Splunk calls Search-Driven Lookups.  Because there has not been as much attention put to this, I wanted to share a bit about this capability and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked; how can Splunk dynamically create watchlists that can then be used in correlating new events against a watchlist?  Enterprise Security has had the ability to correlate against a …

» Continue reading

Stop Security Threats With Real-Time Data Monitoring

Imagine having a vast library of books but not being able to see what words live on the page that you are reading or want to read. That would be like being able to ingest security relevant data from a diverse array of data sources but not being able to use that information to monitor your security posture in near real time.

Library of Congress

Library of Congress

Real-time data monitoring is essential to secure an enterprise because it gives security practitioners the ability to monitor and manage the consumption and use of machine data across complex IT and security systems with visual insights into that data. The data can come from sources such as web logs, application usage to digital transactions. Why …

» Continue reading

Make Security Incidents Less Scary By Organizing Your Response

The Federal Emergency Management Agency (FEMA) created the National Response Framework in 2008 to organize how the national government responds to natural disasters, terrorist attacks and other catastrophic events. Unfortunately, government resources alone can’t properly respond to disasters. That’s why the framework exists. It helps organize FEMA’s limited resources to respond to threats in the most efficient manner possible.

The six-step planning process from FEMA’s National Response Framework

The six-step planning process from FEMA’s National Response Framework

Similarly, incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to best organize alerts and resources within a security information and event management (SIEM) system to handle the situation in a way that limits damage and reduces recovery time and …

» Continue reading

Three Ways Machine Data Makes Your SIEM Better at Security

All data is security relevant is a mantra that security practitioners should get used to saying. But knowing what sources you need to tap into to improve your security posture can seem like a daunting task. It doesn’t need to be.

Data sources are a way companies solve the security issues causing them pain or issues that may cause harm. So what exactly is a data source? It can be almost anything from the machine data being generated by your existing firewall to online web logs. Just what data sources you tap into depends on your security use case.

There are already companies that have found unique ways to leverage machine data to work for their specific needs – whether …

» Continue reading

Let’s Get Critical: The Capabilities You Need for an Analytics-Driven SIEM

New Webinar — register now:
Let’s Get Critical: The Capabilities You Need for an Analytics-Driven SIEM

In the Gartner 2016 Critical Capabilities for Security Information and Event Management (SIEM) report, Splunk scored the highest in all three use cases*: Basic Security Monitoring, Advanced Threat Detection and Forensics and Incident Response

In this report, each capability is then weighted in terms of its relative importance for specific product/service use cases.

SIEMPIC1
 
SIEMPIC2
 
SIEMPIC3

SIEM technologies provide a set of common core capabilities that are needed for all basic security monitoring use cases. Other SIEM capabilities are more critical for the advanced threat detection or incident response and management use cases.

The eight critical capabilities used in the 2016 report to determine scores …

» Continue reading

Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

» Continue reading

Splunk Named a Leader in Gartner SIEM Magic Quadrant for the Fourth Straight Year

Gartner has published the 2016 Magic Quadrant for Security Information and Event Management and Splunk was named a leader for the fourth straight year.

In the report, Gartner placed Splunk in the Leaders quadrant and positioned Splunk furthest overall for completeness of vision.

MQ SIEM FINAL

Our security portfolio, including Splunk® Enterprise and the Splunk Enterprise Security solves basic, advanced and emerging SIEM use cases to dramatically accelerate the detection, investigation of advanced threats and attacks and to rapidly respond and remediate them by providing security intelligence from all security relevant data that is collected across IT, the business, and the cloud.

A growing number of organizations are using Splunk Enterprise Security to augment, replace and go beyond their legacy SIEM deployments.…

» Continue reading

SIEM success patterns – How to get it right!

Hello all,

One of the things I love about machine data is that it can be used in so many ways. Interestingly enough over the years I have observed a common pattern in organizations that have been successful with SIEM. The implementation of a cyber defence center should serve to increase security maturity, strengthen cyber security skills and security intelligence, enabling organisations to successfully stop complex attacks (not just malware!) and better protect customer data and the overall business. Yet in the past I have been called in to meet with prospects regarding failed SIEM deployments and it doesn’t matter which traditional vendor it is there are always similar patterns.

 

What are the patterns of a failed SIEM deployment?

trip_hurdles_800_clr_5680The …

» Continue reading

2016 Scalar Security Study – The Cybersecurity Readiness of Canadian Organizations

This is a guest post contributed by Aoife Mc Monagle, Director, Marketing & Communications at Scalar Decisions
scalar-NoTagline_4CAs Canada’s #1 IT security company, Scalar spends a lot of time advising clients on how to manage cybersecurity risk. We also spend time researching the market to better understand the needs of Canadian clients and how they are dealing with cybersecurity today. In February 2016, we published our second annual security study: The Cyber Security Readiness of Canadian Organizations.

Our objective was to examine changes in the cyber threat landscape, and what strategies, tactics, and technologies respondents were finding most useful in combatting these threats.

2016-scalar-security-study-the-cyber-security-readiness-of-canadian-organizations-1-638

The findings showed that the landscape was generally getting worse year-over-year: more attacks, more breaches, …

» Continue reading