Are you considering Splunk for your security platform? To help with your decision, we teamed up with Splunk to create an Essential Guide to Security that will help you understand it better. As it’s 31 pages, and we know you’re busy, we have summarised some of the key points below.

To stay ahead of attacks, you need to take a holistic approach

If you want to properly defend your organisation against the countless threats out there, you have to take a holistic approach to security. That means bringing together information from across your whole enterprise to begin making meaningful connections.

Splunk is a powerful tool for this, because it can gather data from almost anywhere. That means you can start using it as a ‘nerve centre’ to bring together security and non-security data, providing invaluable insights to help you fend off attacks.

Getting started with Splunk for security

Okay, so you want a platform that not only helps you run security operations day to day, but helps you catch potential breaches before anything bad can happen? With Splunk, that’s feasible, but there is groundwork to be done first.

You need to ask yourself the following questions:

  • What are we trying to protect? (The more specific, the better!)
  • How will we protect it?
  • What data do we need?
  • How will we respond to threats?

These are challenging questions and you might not know how to begin answering them, but they’re a vital step in creating an effective platform.

As Splunk experts, we can help you with this, but for now, let’s walk through the six stages that we’d follow together if you choose Splunk for security.

Six steps to a highly effective Security Platform


1: Collection

First, we’d collect ‘the basics’ into Splunk: information from security logs and machine data. This could include data from:

  • Network (e.g. Palo Alto Networks, Cisco, Check Point, Fortinet)
  • Endpoint (Windows Event Logs, Linux system logs, Linux auditd, macOS system logs)
  • Authentication (Active Directory, local authentication)
  • Web activity (Blue Coat, Websense).

This stage establishes the foundations on which to build insights. With data in one place, you’ll already have a new understanding of your security environment.

2: Normalisation

Next, we’ll start organising your data by extracting fields for common values such as the source IP address, port and username. We apply the Common Information Model (CIM) so that these fields carry the same names regardless of the device that created the event, and we link asset and user details to events in your security log platform.

This cross-source correlation will help you bring more meaning to your data and streamline investigations.
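As an added illustration of this normalisation step (example code, not from the guide or from Splunk), the snippet below maps two constructed events with vendor-specific field names onto CIM field names such as `src`, `dest`, `dest_port`, `user` and `action`, then runs a single cross-source query over both. The sample lines, the field maps and the `fortigate`/`windows` source names are assumptions for the example.

```python
import re

# Constructed sample events (simplified, not verbatim vendor output): a
# FortiGate-style key=value traffic log and a Windows logon event (EventCode 4624).
SAMPLE_EVENTS = [
    ("fortigate", 'srcip=10.1.2.3 srcport=51514 dstip=93.184.216.34 dstport=443 action=accept'),
    ("windows", 'EventCode=4624 Account_Name="alice" Source_Network_Address=10.1.2.3 Logon_Type=10'),
]

# Per-source mapping of vendor field names onto CIM field names
# (Network Traffic and Authentication data models). Assumed for the example.
FIELD_MAPS = {
    "fortigate": {"srcip": "src", "srcport": "src_port", "dstip": "dest",
                  "dstport": "dest_port", "action": "action"},
    "windows": {"Source_Network_Address": "src", "Account_Name": "user",
                "EventCode": "signature_id"},
}
# Vendor-specific action values mapped onto the CIM vocabulary
ACTION_MAPS = {"fortigate": {"accept": "allowed", "deny": "blocked"}}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(raw):
    """Split a key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}

def normalise(sourcetype, raw):
    """Return the event with CIM field names, keeping the raw vendor fields too."""
    fields = parse_kv(raw)
    event = {"sourcetype": sourcetype, "raw_fields": fields}
    for vendor_name, cim_name in FIELD_MAPS[sourcetype].items():
        if vendor_name in fields:
            event[cim_name] = fields[vendor_name]
    if "action" in event:
        event["action"] = ACTION_MAPS.get(sourcetype, {}).get(event["action"], event["action"])
    # Windows 4624 is a successful logon; a full mapping table would cover 4625 etc.
    if sourcetype == "windows" and event.get("signature_id") == "4624":
        event["action"] = "success"
    return event

def normalise_all(events):
    return [normalise(st, raw) for st, raw in events]

def events_for_src(events, src):
    """Cross-source correlation: every event from one source IP, whatever the device."""
    return [e for e in events if e.get("src") == src]
```

With both sources sharing the `src` name, one query finds the firewall session and the Windows logon from the same address.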

3: Expansion

This stage builds on what is now a good source of basic security data to become more advanced. We bring in high-fidelity data sources such as endpoint activity (from systems like Sysmon, osquery and Carbon Black Defense) and network metadata for advanced attack detection.

This is the data world-class threat hunters use to uncover and track adversaries in the network. This stage creates the foundation for advanced detections.

4: Enrichment

Next, we add intelligence source data to provide more context. Sources include threat-intelligence feeds, open-source intelligence, and internally sourced information. This helps build an understanding of the impact of an event.

This allows you to establish the urgency of the alert based on the criticality of the asset. The result is more effective, appropriate responses to alerts.

5: Automation and Orchestration

This is where we establish consistent and repeatable operations. We’ll work together to come up with a series of security playbooks that will help teams respond in a consistent, repeatable and measurable way.

In this stage, you really begin to see the team’s response times improve. It’s exciting to be able to catch issues earlier and standardise responses.

6: Advanced detection

The final stage is where sophisticated detection mechanisms come in. Here’s where you can use all you’ve learnt to apply machine learning and data analytics to identify security threats.

Use cases

The full article goes into a lot more detail, but here are some options for how you can use Splunk for security. It’s worth mentioning that even with only basic levels of Splunk knowledge you can implement some fairly advanced levels of detection. Use cases include:

  1. Detect when new or existing S3 buckets are set to public in AWS, which is a common way for breaches to occur
  2. Find hosts that have logged several different infections in a short period of time
  3. Detect users that browse to domains never seen before in your organisation
  4. Spot emailing activity from a domain name that’s similar to yours
  5. Flag newly created accounts elevated to local admins
  6. Detect compromised user accounts
  7. Identify a large data upload.
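Two of these use cases, the "several different infections in a short period" and the "domains never seen before" detections, are shown below as plain Python over constructed sample events (an added example, not the guide's own searches). The host names, signature names, thresholds and the baseline domain list are assumptions for the example; in Splunk the same logic would be a scheduled search over normalised fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed anti-virus events: (timestamp, host, infection signature)
AV_EVENTS = [
    ("2024-03-01T09:00:00", "host-17", "Trojan.GenericKD"),
    ("2024-03-01T09:04:00", "host-17", "Backdoor.Agent"),
    ("2024-03-01T09:07:00", "host-17", "Trojan.GenericKD"),
    ("2024-03-01T09:11:00", "host-17", "PUA.Downloader"),
    ("2024-03-01T10:00:00", "host-22", "Trojan.GenericKD"),
    ("2024-03-02T15:00:00", "host-22", "Adware.Toolbar"),
]

def multi_infection_hosts(events, min_distinct=3, window=timedelta(minutes=30)):
    """Use case 2: hosts with at least min_distinct different signatures inside `window`."""
    by_host = defaultdict(list)
    for ts, host, sig in events:
        by_host[host].append((datetime.fromisoformat(ts), sig))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Sliding window anchored on each event; repeats of one signature count once
            sigs = {s for t, s in evs[i:] if t - start <= window}
            if len(sigs) >= min_distinct:
                flagged[host] = sorted(sigs)
                break
    return flagged

# Constructed baseline of registered domains the organisation has visited before
WEB_BASELINE = {"example.com", "microsoft.com", "github.com"}
# Constructed proxy events: (user, requested host name)
WEB_EVENTS = [
    ("alice", "www.example.com"),
    ("bob", "cdn.github.com"),
    ("carol", "update-portal-secure.example.net"),
    ("dave", "login.example.com"),
]

def registered_domain(fqdn):
    """Naive: keep the last two labels. Production code should use a public-suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def never_seen_domains(events, baseline):
    """Use case 3: (user, domain) pairs where the registered domain is not in the baseline."""
    seen, hits = set(baseline), []
    for user, fqdn in events:
        dom = registered_domain(fqdn)
        if dom not in seen:
            hits.append((user, dom))
            seen.add(dom)  # report each new domain once, then treat it as known
    return hits
```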

Get in touch to create an all-seeing, all-knowing Security Platform

In conclusion, Splunk is a very powerful Security Platform. With it, you’ll speed up security threat response times, reduce attacks and improve the way your team works together.

However, like any system, the quality you get out of it depends on the quality you put into it. It relies on a certain amount of planning beforehand and continual evaluation throughout the process. In order for you to get as much as possible out of Splunk and elevate your security operations to the next level, it helps to work with a Splunk Partner like Converging Data.

If you’d like to read the full article, it’s here, or contact us for an informal chat about how you could use Splunk to improve the security of your organisation.

Photo by Miłosz Klinowski on Unsplash