Splunk for Enterprise Security
Splunk Enterprise and the Splunk App for Enterprise Security:
A new type of security intelligence
Today's attackers have the time, expertise and resources to create threats that bypass detection by security point products and downstream security information and event management (SIEM) systems. They hide their actions within the terabytes of data generated through normal user activities. These attackers have realized that many security teams simply can't see these threats buried within operations data, due to organizational data silos, data collection issues, scalability challenges or a lack of analytics capabilities. Monitoring for both known threats, as reported by traditional security systems, and unknown threats has now become part of the revised security charter.
Detecting today's advanced threats requires a new approach that can only be enabled by a scalable security intelligence platform. A security intelligence platform has the flexibility to make any data security relevant, scale to handle tens of terabytes of data per day and provide comprehensive analysis capabilities. This enables the security analyst to use normative statistical analytics on any data to help find unknown threats, while continuing to monitor for known threats detected by traditional security products.
Unpacking the Splunk App for Enterprise Security
Security Posture Dashboard
The security posture dashboard provides a SOC-style view supporting situational awareness and continuous monitoring of risk broken out by security domain. All graphics support drill-down into the Incident Review dashboard.
Incident Review
The Incident Review section provides the analysis workflows required to understand the priority of the incident, incident context, its type and what hosts were involved. One click and you're exploring the raw data or viewing a journal of incident activities. Pivot on any piece of data known about the host to find out additional information or see related events.
HTTP Proxy Data Category Analysis
While it's normal for a web proxy system to be unable to categorize all HTTP traffic, an abnormal amount of such uncategorized traffic can be an indicator of an unknown threat.
New Domain HTTP Traffic and Activity
Attackers often register domains for the sole purpose of malware command and control (CnC). Splunk collects domains registered in the last 24-48 hours and compares them to web traffic data to determine whether hosts inside the network are talking to these domains.
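The correlation described above, as an added Python example that is not Splunk's or the app's own code: a feed of recently registered domains is matched against the destination of each proxy request, and hits are grouped by the internal host that made them. The domain feed and proxy log lines are constructed for the example, and `registered_domain` assumes a two-label registrable domain (a real deployment would consult the Public Suffix List).

```python
"""Match web proxy traffic against newly registered domains.

Added example (not Splunk's own code). All data below is constructed.
"""
from __future__ import annotations
from collections import defaultdict
from urllib.parse import urlparse

# Constructed feed of domains registered in the last 24-48 hours (placeholder values).
NEW_DOMAINS = {"fresh-update-cdn.example", "acct-verify-login.test"}

# Constructed proxy log lines: timestamp, source IP, method, URL, status, bytes.
PROXY_LOG = """\
2014-03-01T10:00:01Z 10.1.1.5 GET http://www.bigvendor.example/index.html 200 5120
2014-03-01T10:00:07Z 10.1.1.5 GET http://cdn1.fresh-update-cdn.example/u.php?id=7 200 310
2014-03-01T10:00:09Z 10.1.1.9 POST https://acct-verify-login.test/api/beacon 200 98
2014-03-01T10:00:12Z 10.1.1.7 GET http://mail.bigvendor.example/inbox 200 2200
"""


def registered_domain(hostname: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'cdn1.foo.example' -> 'foo.example'.

    Assumption: two-label registrable domains only. Real deployments should use
    the Public Suffix List so that names such as 'foo.co.uk' are handled correctly.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def parse_line(line: str) -> dict:
    """Split one constructed proxy log line into its fields."""
    ts, src, method, url, status, size = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "status": int(status), "bytes": int(size)}


def find_new_domain_traffic(log_text: str, new_domains: set) -> dict:
    """Map each internal source IP to the newly registered domains it contacted."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        domain = registered_domain(event["host"])
        # Compare the registrable domain, so subdomains of a new domain also match.
        if domain in new_domains and domain not in hits[event["src"]]:
            hits[event["src"]].append(domain)
    return dict(hits)


if __name__ == "__main__":
    for src, domains in find_new_domain_traffic(PROXY_LOG, NEW_DOMAINS).items():
        print(f"{src} -> {', '.join(domains)}")
```

Matching on the registrable domain rather than the full hostname is the deliberate choice here: a freshly registered domain is usually fronted by arbitrary subdomains, so an exact-hostname comparison would miss most of the traffic the feed is meant to catch.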
Traffic Size Analysis
Splunk automatically baselines traffic between source and destination. Once a baseline is set, Splunk will watch for statistical outliers in the traffic between each source and destination.
HTTP URL Length Analysis
URL length can be an indicator of embedded CnC. Splunk allows the user to select standard deviations and use outliers as starting points for investigation.
User Agent String Analysis
As with URL length analysis, user agent strings can have specific qualities that can be measured using statistical analysis. Statistical outliers can be the first indicator of victim/attacker communications.
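The three outlier analyses above (traffic size per source/destination pair, URL length per host, and user agent string per host) all rest on the same baseline-and-deviation idea, so one added Python example serves all of them. It is not Splunk's or the app's own code: it computes a per-group mean and population standard deviation, flags values more than `k` standard deviations away, and skips groups that are too small to carry a baseline. The proxy events, hostnames and the `k`/`min_samples` defaults are constructed assumptions for the example.

```python
"""Statistical outlier detection over web proxy events.

Added example, not Splunk's own code. Builds a per-key baseline (mean and
population standard deviation) and flags values more than k standard deviations
from the mean, for traffic size, URL length and user agent string length.
All events below are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from statistics import mean, pstdev

NORMAL_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36")


def ev(src, dest, size, url, ua=NORMAL_UA):
    return {"src": src, "dest": dest, "bytes": size, "url": url, "ua": ua}


# Constructed baseline: eleven ordinary requests from one host to one server.
EVENTS = [
    ev("10.1.1.5", "198.51.100.10", size,
       f"http://www.bigvendor.example/news/2014/03/item{i}.html")
    for i, size in enumerate([1100, 1200, 1200, 1250, 1300, 1150, 1200, 1250, 1300, 1200, 1200])
]
EVENTS += [
    # Constructed: one transfer far larger than this pair's baseline.
    ev("10.1.1.5", "198.51.100.10", 48000,
       "http://www.bigvendor.example/news/2014/03/item1.html"),
    # Constructed: an unusually long URL carrying an opaque encoded blob.
    ev("10.1.1.5", "198.51.100.10", 1200,
       "http://www.bigvendor.example/img/" + "Q29uc3RydWN0ZWQ=" * 12),
    # Constructed: a script-style user agent instead of the host's usual browser.
    ev("10.1.1.5", "198.51.100.10", 1200,
       "http://www.bigvendor.example/news/2014/03/item2.html", ua="Python-urllib/2.7"),
    # Constructed: a second host with too few events to form a baseline.
    ev("10.1.1.7", "203.0.113.20", 500, "http://mail.bigvendor.example/inbox"),
    ev("10.1.1.7", "203.0.113.20", 520, "http://mail.bigvendor.example/inbox?page=2"),
    ev("10.1.1.7", "203.0.113.20", 510, "http://mail.bigvendor.example/sent"),
]


def zscore_outliers(values: list, k: float, min_samples: int = 5) -> list:
    """Return indices of values more than k population standard deviations from the mean.

    Groups with fewer than min_samples points have no meaningful baseline and are
    skipped, as is a group whose values are all identical (standard deviation zero).
    """
    if len(values) < min_samples:
        return []
    mu, sd = mean(values), pstdev(values)
    if sd == 0:
        return []
    return [i for i, v in enumerate(values) if abs(v - mu) > k * sd]


def group_outliers(events, key_fn, value_fn, k=2.0):
    """Baseline value_fn within each key_fn group and return the outlying events."""
    groups = defaultdict(list)
    for e in events:
        groups[key_fn(e)].append(e)
    flagged = []
    for evs in groups.values():
        vals = [value_fn(e) for e in evs]
        flagged.extend(evs[i] for i in zscore_outliers(vals, k))
    return flagged


def traffic_size_outliers(events, k=2.0):
    """Bytes transferred, baselined per (source, destination) pair."""
    return [(e["src"], e["dest"], e["bytes"]) for e in
            group_outliers(events, lambda e: (e["src"], e["dest"]), lambda e: e["bytes"], k)]


def url_length_outliers(events, k=2.0):
    """URL length, baselined per source host."""
    return [e["url"] for e in
            group_outliers(events, lambda e: e["src"], lambda e: len(e["url"]), k)]


def user_agent_outliers(events, k=2.0):
    """User agent string length, baselined per source host."""
    return [(e["src"], e["ua"]) for e in
            group_outliers(events, lambda e: e["src"], lambda e: len(e["ua"]), k)]


if __name__ == "__main__":
    print("traffic size:", traffic_size_outliers(EVENTS))
    print("url length:", url_length_outliers(EVENTS))
    print("user agent:", user_agent_outliers(EVENTS))
```

Two practical points are built into the helper: `k` is the analyst-selected number of standard deviations mentioned in the URL length section (lower it to widen the net, raise it to cut noise), and `min_samples` keeps a host with three requests from generating outliers out of ordinary variation. With a single extreme value among n points the largest achievable z-score is about the square root of n, so small groups cannot produce a large deviation even when one value really is unusual; that is a second reason to require a minimum baseline size.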
