Find Malicious Insiders Before You Become a Headline

The media is filled with reports of Russia’s possible influence over the U.S. presidential elections. While American security agencies are investigating the Kremlin’s possible involvement in a hack of the Democratic National Committee, a U.S. Intelligence Service unclassified report suggests the Russians’ motive, at least in part, may have been retaliation for the U.S. working with a malicious insider to leak news of a Soviet Olympic athlete doping scandal.

Regardless of whether the report is true, it reveals a growing concern over insider threats for governments everywhere. Countries such as Canada are heavily investing to protect their citizens against insider and foreign attacks, while the U.S. Department of Defense Inspector General found in a recent audit that the U.S. …

» Continue reading

How Splunk Can Help You Prevent Ransomware From Holding Your Business Hostage

A group of hackers recently cost Madison County, Indiana $200,000 and another group demanded $73,000 from the San Francisco Municipal Transport Agency (SFMTA) over the Thanksgiving holiday to decrypt frozen data. What was the common factor connecting the two attacks? A popular form of malware known as ransomware.

Why You Should Care About Ransomware

Ransomware is often used to extort funds directly from victims. Ransomware literally takes systems hostage, requiring a “ransom” to free those systems back to a usable state. This can be a very lucrative business for cyber criminals.

Ransomware, like other malware, gets into your network via bad actors who figure out a way to deliver it into your environment without “sounding an alarm” – for example, …

» Continue reading

SC16 Conference: Home of the World’s Fastest Network

You don’t think of High Performance Computing (HPC) every day, but its use in a diverse set of applications such as climate prediction, nuclear labs, oil and gas discovery, defense and aerospace work, financial forecasting and other computationally intensive activities touches us in our daily lives. And from November 13 – 18, 2016, Salt Lake City became the home for HPC enthusiasts at the SC16 conference.

What makes this conference different from any other? It happens to be the home of the world’s fastest network, SCinet. It is a high-performance, experimental network that is built specifically for the conference and connects it to the broader internet. To give you a sense of its capacity, it provides more than 5 Tbps(!) of internal …

» Continue reading

Stop Security Threats With Real-Time Data Monitoring

Imagine having a vast library of books but not being able to see what words live on the page that you are reading or want to read. That would be like being able to ingest security relevant data from a diverse array of data sources but not being able to use that information to monitor your security posture in near real time.

Library of Congress

Real-time data monitoring is essential to securing an enterprise because it gives security practitioners the ability to monitor and manage the consumption and use of machine data across complex IT and security systems, with visual insights into that data. The data can come from sources ranging from web logs and application usage to digital transactions. Why …

» Continue reading

Make Security Incidents Less Scary By Organizing Your Response

The Federal Emergency Management Agency (FEMA) created the National Response Framework in 2008 to organize how the national government responds to natural disasters, terrorist attacks and other catastrophic events. Unfortunately, government resources alone can’t properly respond to disasters. That’s why the framework exists. It helps organize FEMA’s limited resources to respond to threats in the most efficient manner possible.

The six-step planning process from FEMA’s National Response Framework

Similarly, incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to best organize alerts and resources within a security information and event management (SIEM) system to handle the situation in a way that limits damage and reduces recovery time and …

» Continue reading

SF Muni Hacked. Learn How to Detect Ransomware in Your Environment

Join security expert James Brodsky for our How-to Webinar: Detection of Ransomware and Prevention Strategies on December 13.

SF Muni was hit with a Ransomware attack last week, just as the prime holiday shopping season was kicking off. For many, the free fares for the weekend while Muni assessed the damage probably seemed like a holiday gift or customer service bonus.

But the lost revenues and potential $73K ransom they were asked to pay was no bonus for the IT and security teams.

News of ransomware attacks is becoming much more common these days, with a reported $209M paid to ransomware criminals in Q1 2016 and the FBI anticipating ransomware to be a $1B source of income for cybercriminals this year.

Ransomware attacks are on the rise.

» Continue reading

Let’s Get Critical: The Capabilities You Need for an Analytics-Driven SIEM

New Webinar — register now:
Let’s Get Critical: The Capabilities You Need for an Analytics-Driven SIEM

In the Gartner 2016 Critical Capabilities for Security Information and Event Management (SIEM) report, Splunk scored the highest in all three use cases*: Basic Security Monitoring, Advanced Threat Detection, and Forensics and Incident Response.

In this report, each capability is then weighted in terms of its relative importance for specific product/service use cases.

SIEM technologies provide a set of common core capabilities that are needed for all basic security monitoring use cases. Other SIEM capabilities are more critical for the advanced threat detection or incident response and management use cases.

The eight critical capabilities used in the 2016 report to determine scores …

» Continue reading

Best Practices for using Splunk Enterprise for compliance

In September at .conf2016, the Splunk worldwide users conference, I co-presented a session titled “How to Use Splunk for Automated Regulatory Compliance.” It included a discussion of regulatory compliance and standard/framework 101 and how Splunk could be used for compliance, including some case studies and product demos of the Splunk App for PCI Compliance, the CIS Critical Security Controls App for Splunk, Splunk Enterprise Security, and Splunk User Behavior Analytics.

For the technical ninjas attending the session, the most interesting part was probably the closing section covering best practices for using Splunk Enterprise for compliance, which is the focus of this blog post. I have listed these best practices below in …

» Continue reading

Creating McAfee ePO Alert and ARF Actions with Add-On Builder

One of the best things about Splunk is the passionate user community. As a group, the community writes amazing Splunk searches, crafts beautiful dashboards, answers thousands of questions, and shares apps and add-ons with the world.

Building high quality add-ons is perhaps one of the more daunting ways to contribute. Since the recently-updated Splunk Add-On Builder 2.0 was released, however, it’s never been easier to build, test, validate and package add-ons for sharing on SplunkBase.

Technical Add-Ons, aka TAs, are specialized Splunk apps that make it easy for Splunk to ingest data, extract and calculate field values, and normalize field names against the Common Information Model (CIM). Since the release of version 6.3, Splunk Enterprise also supports TAs for …

» Continue reading

Adaptive Response: Beyond Analytics-Driven Security

Now that .conf2016 is in full swing, I’m excited to discuss one of my favorite topics – the Splunk-led Adaptive Response Initiative, which we first announced at the RSA Conference earlier this year. We made a big splash with a strong group of 8 founding participants representing key security technologies like Network Firewall, Endpoint Detection and Response, Privileged User Management, Threat Intelligence, and Incident Response. We are thrilled by the support from Splunk customers and strategic partners as we continue to enable organizations to operate multi-vendor adaptive security architectures and bring life to our vision for a security nerve center.

So here we are in Orlando, and I’m happy to share our latest Adaptive Response milestones:

  1. We have extended Adaptive Response controls into Splunk Enterprise Security 4.5 (ES)
  2. Vendor
» Continue reading