Central Logging: The First Step to Improving Security Visibility

At Splunk, we’re fortunate to have a massive user base that lives and breathes the benefits of a sound data strategy. And when it comes to data strategy, we cannot overemphasize foundation—the stronger your foundation, the better you can adapt.

Cybersecurity requires adapting. Not just tools, threats, and skills, but the overall approach. If you’re already a Splunk user, you’re likely applying these concepts daily; but if you’re not, then pay extra close attention. Our users are onto something!

Defense in depth is still a best practice for building a security architecture. Each layer tells a key part of the story, based on:

  • Where deployed – e.g. to segment networks, protect server or database tiers, or keep track of endpoint activities (firewalls, EDR)
  • What they are optimized to look for – e.g. initial infection (anti-malware), reconnaissance or propagation (network scans/probes)
  • How they are used – e.g. to find evidence of data exfiltration, or command and control traffic, etc.

If anything, you probably continue to add more “layers” of point products to help protect assets, and each of these has its purpose; but ask yourself two key questions:

  1. What tools do we have in place today and what exactly are they protecting again?
  2. Will another point layer help, or hinder, our efforts to assess and improve security posture?

Today, more than ever, security analysts need to know the entire story

Why does cybersecurity require adapting? Attacks have gotten smarter and can exploit the complexity of an organization’s IT environment to better disguise themselves, evade detection, and accomplish mission objectives. Attacks often involve multiple systems, environments and events over a long period of time, and attackers are part of an economic system that motivates them more than ever before.

Therefore, it’s never been more important to “know the story behind what’s going on.”

But before you get to the story behind what’s going on, first you have to know what’s going on.

Let’s go back to the multi-layered defense. Each layer serves a purpose—protect against unauthorized traffic, infected files, control who and what gets in and out, etc. When certain conditions are met, you might get an alert.

Some of those alerts are informational, others are warnings or straight-up “critical.” Your systems are logging that activity and notifying you about it. Maybe you set it up that way, maybe you didn’t.

Bottom line: You’re getting plenty of alerts.

But are you getting insights with those alerts? Do you have enough context to make a good decision? For example, for a misconfiguration alert, is it an honest mistake or an insider at work? How do you know what’s actually happening?

Not having quick and easy answers leads to “alert fatigue,” and once you’re desensitized, you can end up making few good decisions—or worse—no decisions at all.

Gain insights into posture quickly and efficiently, with a single source of truth

At the core of the issue is the heterogeneous aspect of a multi-layered approach—different teams have different tools and perspectives, which means siloed tools and siloed opinions.

So how can you get everyone speaking the same language?

You can start with four easy examples of data that you probably already have today. The key is to get them into a single place first. This approach allows everyone to operate from a single source of truth—to see across the entire environment and verify alerts to determine whether there is an actual issue—and then, you’ll be able to relate pieces of information with each other quickly and easily.

Wait, what are we protecting again?

The primary objective here is being able to assess security posture; to establish an awareness of relevant activity, as related to the most critical assets you have—those assets that are most important to protect.

Once you know where things stand (e.g. which workstations are talking to which, what traffic is going out to sketchy websites, and which users log in most often to your organization's finance servers and databases), you can start making better security decisions.

How to quickly and easily assess posture with Splunk

The security tools you have allow you to do some limited aspects of posture assessment specific to that layer, but what if you could quickly and easily see across the entire environment beyond what a single layer can provide?

Splunk enables you to get a single view across multiple sources of security data and analyze all that data from a single place. Everyone can work off a single source of truth, to quickly assess and validate security posture without having to run back and forth between management consoles.

The beauty of this approach is that once you have all your data in one place, you can perform deeper investigations, draw advanced correlations, and establish evidence-based relationships between seemingly unconnected events.
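As an added illustration of what having the layers in one place buys you (example code written for this post, not Splunk's own), the following Python normalizes constructed firewall, authentication and endpoint records into a common schema, then pulls the cross-layer context around a configuration-change event by pivoting on shared host and user fields inside a time window. Every log line, host name, user and field name is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records from three layers (firewall, auth, endpoint agent).
FIREWALL_LOG = [
    "2024-05-01T10:02:11Z host=ws-17 action=allow dst=198.51.100.23:443 user=-",
    "2024-05-01T10:04:40Z host=ws-17 action=deny dst=203.0.113.9:8443 user=-",
]
AUTH_LOG = [
    "2024-05-01T10:01:05Z host=fin-db-01 event=login_success user=jdoe src=ws-17",
    "2024-05-01T10:03:30Z host=fin-db-01 event=config_change user=jdoe src=ws-17",
]
EDR_LOG = [
    "2024-05-01T10:03:50Z host=ws-17 event=process_start user=jdoe proc=setup.exe",
]
KV = re.compile(r"(\w+)=(\S+)")
PIVOT_FIELDS = ("host", "user", "src")  # fields that link events across layers


def normalize(line, source):
    """Parse one 'timestamp k=v k=v ...' record into a common schema tagged by source."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KV.findall(rest))
    return event


def ingest():
    """The 'single place': every layer's records in one time-ordered list."""
    events = [normalize(l, "firewall") for l in FIREWALL_LOG]
    events += [normalize(l, "auth") for l in AUTH_LOG]
    events += [normalize(l, "edr") for l in EDR_LOG]
    return sorted(events, key=lambda e: e["ts"])


def related(events, anchor, window=timedelta(minutes=5)):
    """Events from other layers that share a pivot value with anchor inside the window."""
    keys = {anchor.get(f) for f in PIVOT_FIELDS} - {None, "-"}
    return [e for e in events
            if e is not anchor and e["source"] != anchor["source"]
            and abs(e["ts"] - anchor["ts"]) <= window
            and keys & {e.get(f) for f in PIVOT_FIELDS}]


def alert_context(events, alert_event="config_change"):
    """For each alert of the given type, attach the cross-layer context and the layers seen."""
    return [(e, related(events, e), sorted({c["source"] for c in related(events, e)}))
            for e in events if e.get("event") == alert_event]


if __name__ == "__main__":
    for alert, ctx, layers in alert_context(ingest()):
        print(alert["event"], alert["host"], len(ctx), "related events from", layers)
```

The same question asked of the auth log alone yields nothing; with the three layers joined, the change on the finance database is immediately tied to the workstation's outbound traffic and process activity in the same few minutes, which is the context needed to decide between an honest mistake and something worth investigating.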

If you want to dive deeper into each of these areas, check out our free white paper entitled “Four Easy Ways Central Logging Improves Security Posture.” Or if you're the hands-on type, you can try our free Security Investigation Online Demo Experience - Network Events now.

Posted by Jae Lee