Improving Visibility in Security Operations with Search-Driven Lookups

Looking back on 2016, Splunk Enterprise Security added significant capabilities to its platform for security operations, including Adaptive Response, User & Entity Behavior Analytics (UEBA) integration and Glass Tables. Another capability that was added, but has received less attention, is a new type of search that Splunk calls Search-Driven Lookups. Because there has not been as much attention paid to this, I wanted to share a bit about this capability and how it can be used.

Search-Driven Lookups originated from a question that users of legacy SIEM providers often asked: how can Splunk dynamically create watchlists that can then be used to correlate new events against a watchlist? Enterprise Security has had the ability to correlate against a …


Detecting Vulnerable and Compromised Certificate Use/Abuse with Splunk Enterprise Security and Stream

Recently, we have received a number of questions about compromised SSL certificates. One of the challenges this problem presents for analysts is how to gain insight into what these compromised SSL certificates are transporting and with whom they are communicating.

If you were to encounter this situation, you might find yourself being asked the following questions:

  • How would you identify which assets in your organization are affected?
  • How could you arrive at a strategy to prioritize what to remediate first?
  • How do we start looking for these certificates being used in communication across our networks and systems?

Detecting and Remediating

For users of Splunk, many of you know that the Splunk App for Stream can capture wire data. Stream can …


Try Splunk Enterprise Security for Free

It’s no secret that the security landscape is continuously evolving and growing in complexity. Today’s attackers are highly skilled and employ a wide range of advanced techniques to evade legacy security. To succeed in this dynamic environment, security teams need scalable security intelligence for constant visibility across the organization.

Splunk Enterprise Security (ES) is a premium security solution that helps solve these complex security challenges. It employs analytics-driven security that connects people to the data and one another to help security teams to be faster, smarter, and more effective in their ability to detect and respond to modern day threats. But switching to a new security solution without trying it out first simply isn’t an option for most organizations.

That’s …


Information Exchange Boosts Threat Intelligence

The rash of recent government breaches and continued cyberthreats have accelerated the need for the exchange of information related to these and other known incidents. For many years, DHS has been working with industry and other federal agencies to provide more standardization of content so that security practitioners (and anyone else for that matter) are speaking the same language across multiple vendor platforms as it pertains to software, configurations and vulnerabilities, to name a few. An early example that pre-dates DHS was the Common Vulnerability Enumeration (CVE) that Mitre launched in 1999. These efforts can be challenging because gathering consensus and buy-in is never easy across a diverse set of organizations, and so finding entities that can shepherd these specifications …
