IT Security

Reaching for Security Intelligence

Security Intelligence is the process of collecting information and applying the knowledge, creativity, and skill of the security team and deriving business value. Most organizations now have to be concerned about two types of threats. 'Known threats' - the ones reported to us by signature and rule based systems such as anti-virus, IDS/IPS, firewalls, and security information and event management systems (SIEM). The other kind of threat is called the 'unknown threat.'

Monitoring Unknown Threats

Unknown threats comprise abnormal patterns in 'normal' IT data. Normal IT data is generated by the user of enabler services that humans use every day. This data is the reflection of human-to-machine and machine-to-machine interactions and activities. Our normal activities include badging into the building, surfing the web, getting an IP address from a DHCP server, using DNS, using a VPN, using email, and accessing enterprise applications and company information. It is in these normal activities where attackers want to hide their activities.

Patterns of human activity seen in this data follow business patterns and happen within parameters of time and location. Splunk can be set to monitor for thresholds and outliers in this data that can reveal stealthy malware activities. Splunk's analytics language supports threat scenario based thinking that allows the security professional to ask any question of the data -- ultimately searching for 'unknown threats.' Employing this strategy monitoring the enterprise's most critical data assets is a risk based approach aligned with business goals and objectives.

Supporting the Security Intelligence Analyst

Security Intelligence Solutions move beyond traditional SIEM use cases of providing canned reports, dashboards, and monitoring for known threats to support a Security Intelligence analyst's needs for data exploration to find abnormal activity patterns in massive amounts of normal data. Splunk supports the newest role in security -- the Security Intelligence Analyst

This approach supports the newest versions of regulatory requirements and frameworks such as FFIEC, HIPAA, and FISMA, that emphasize data protection and privacy. The SEC's recent guidance that public companies discuss their cyber security risks in their 10-K statements specifically mentions, "Risks related to cyber incidents that may remain undetected for an extended period" as a risk to be discussed. Adopting a Security Intelligence approach when looking for unknown threats in 'normal' IT data is a mitigation strategy that can be mentioned in the 10-K.

Splunk Benefits

Security Using Splunk

Index all the data you need to monitor and investigate any type of threat - OS, IDS, firewall, network device, DNS, DHCP, remote access and AAA logs, proxy, web, custom application logs and more.

Security analysts and incident response teams will initially adopt Splunk to investigate IDS and SIEM alerts, investigate activity for flagged users and investigate access to sensitive data.

As they go, they'll enrich the raw data by tagging events they encounter as significant; normalizing heterogeneous data formats on-the-fly by extracting and naming fields such as usernames and identifying and naming events such as successful logins.

Automatically monitor for known bad events, and use sophisticated correlation via search, to find known risk patterns such brute force attacks, data leakage and even application-level fraud.

Security managers will take advantage of Splunk's reporting to get a birds-eye view of security-relevant events such as firewall reporting, IDS rule violations and login activity. Use Splunk proactively to search for attack footprints in response to reports of new zero-day attacks, review trends in logins and other activity to uncover suspicious patterns and anomalies to find previously undetected attacks.