October 31st is looming (like a 9 foot xenomorph) and as the sequel to perhaps the definitive Halloween film (titled…Halloween) is being released, it felt wholly appropriate to write a sequel to my previous Halloween blog posts – Hostbusters and Splunk-o-ween. Scary cybersecurity stories are never far from the news. You’ve all heard the spooky tales where things aren’t what they “SIEM” and threats leap out where you least expect them (usually brandishing some form of very large, very sharp DDoS attack). Trying to stop the spooky hacker clown who plagues your “IT” isn’t easy. However, help is at hand. There’s no need to be haunted by security incidents. You’ve got a (Splunk) Phantom on your side.
Firstly, let’s establish which horror movie plot your security team is dealing with, by matching some well-known blockbusters with the types of threats they may be facing. This is a new game I call “Cybersecurity Movie Fright Night”, see if you can match the movie poster to the security threat - bonus points for those you can guess my reasons why (answers at the bottom of the post):
In most good horror films, the fate of the characters depends on the actions they decide to take. It isn’t going to go well if the cast walks into a creepy looking house carrying a candle. Likewise, when the villain attacks, survival hinges on the protagonists’ next move being made fast and smart. Running into a morgue is usually a bad move; picking up a huge axe or something that shoots fire (or troubleshoots firewalls) is probably a good one.
So how do you survive? Your security team are your (G)hostbusters, but they need the right tools. They also need to cross the (data) streams if things get really bad. Knowing what to do in any situation, and being able to do it under pressure, is the key to responding to a cybersecurity incident, however bad it is. Being able to orchestrate and automate the steps you’re going to take helps you react effectively to the incident/monster/zombie/alien/ghost/tornado of killer sharks.
That’s where Splunk Phantom comes in. Phantom is a SOAR (Security Orchestration, Automation and Response) platform that allows you to run a series of playbooks when a hacker attacks.
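To make the “series of playbooks” idea concrete, here is a small, self-contained playbook runner in Python. It is an added illustration written for this post, not Phantom’s own playbook API and not code from Splunk: the alert fields, action names, the `KNOWN_BAD_HASHES` set and the “malware” playbook are all constructed for the example. It shows the pattern a SOAR platform automates: enrich the alert, branch on the result, contain only when the evidence justifies it, and keep an audit trail of every step that ran or was skipped.

```python
"""Minimal SOAR-style playbook runner (illustrative, not Phantom's API)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    """A normalised alert, as a SIEM might hand it to the SOAR platform."""
    host: str
    user: str
    file_hash: str
    severity: str = "medium"


@dataclass
class Step:
    """One playbook step: an action name plus an optional guard that
    inspects the results of earlier steps and decides whether to run."""
    action: str
    when: Optional[Callable[[Dict[str, dict]], bool]] = None


# Constructed threat-intel set standing in for a reputation lookup service.
KNOWN_BAD_HASHES = {"aaaa1111bbbb2222cccc3333dddd4444"}


# --- Actions: each takes the alert and returns a result dict. In a real
# deployment these would call EDR, identity and ticketing APIs; here they
# only record what *would* have been done, so the example runs offline. ---
def lookup_hash(alert: Alert) -> dict:
    return {"malicious": alert.file_hash in KNOWN_BAD_HASHES}


def isolate_host(alert: Alert) -> dict:
    return {"isolated": True, "host": alert.host}


def disable_user(alert: Alert) -> dict:
    return {"disabled": True, "user": alert.user}


def open_ticket(alert: Alert) -> dict:
    return {"ticket": f"INC-{alert.host}", "severity": alert.severity}


ACTIONS: Dict[str, Callable[[Alert], dict]] = {
    "lookup_hash": lookup_hash,
    "isolate_host": isolate_host,
    "disable_user": disable_user,
    "open_ticket": open_ticket,
}


def run_playbook(alert: Alert, steps: List[Step]) -> Dict[str, dict]:
    """Run steps in order; guarded steps that fail their condition are
    recorded as skipped so the audit trail shows every decision made."""
    results: Dict[str, dict] = {}
    for step in steps:
        if step.action not in ACTIONS:
            raise KeyError(f"unknown playbook action: {step.action}")
        if step.when is not None and not step.when(results):
            results[step.action] = {"skipped": True}
            continue
        results[step.action] = ACTIONS[step.action](alert)
    return results


def is_malicious(results: Dict[str, dict]) -> bool:
    return bool(results.get("lookup_hash", {}).get("malicious"))


# Constructed playbook: enrich first, contain only on a confirmed hit,
# escalate user lockout only for high-severity hits, always open a ticket.
MALWARE_PLAYBOOK: List[Step] = [
    Step("lookup_hash"),
    Step("isolate_host", when=is_malicious),
    Step("disable_user", when=lambda r: is_malicious(r)
         and r["isolate_host"].get("isolated", False)),
    Step("open_ticket"),
]


if __name__ == "__main__":
    bad = Alert("ws-042", "alice", "aaaa1111bbbb2222cccc3333dddd4444", "high")
    clean = Alert("ws-043", "bob", "0000000000000000ffffffffffffffff")
    for a in (bad, clean):
        for name, outcome in run_playbook(a, MALWARE_PLAYBOOK).items():
            print(f"{a.host}: {name} -> {outcome}")
```

The guard on `isolate_host` is the point worth copying: automated containment should depend on an enrichment result, not fire on every alert, and the skipped entries in the returned dict give an analyst the record of why a host was or was not isolated.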
If you want to find out more, there’s a Phantom community that allows you to pick up playbooks that people have already used to exorcise their malware ghosts, fight off demonic DDOS pets, battle the zombie phishing apocalypse, and rid their organisation of any other types of security attacks.
So, if you’re having a Nightmare on ELK street (couldn’t resist), if your systems have been slimed, or Freddy Krueger is hunting your credentials while you sleep – you can try Phantom here.
As always, thanks for reading, have a great Halloween (make sure you wear your Splunk “I see dead servers” t-shirt) and try and avoid any graveyards at midnight.
Insider threat = Alien (just for “that” scene)
Cloud attacks = The Mist - dangerous things in the cloud you can’t see
Malware = zombie infection as seen in the Day (zero vulnerability) Of The Dead
Botnet = a form of possession, not unlike The Exorcist
Advanced Persistent Threats = Poltergeist, invisible unless you know the signs
DDoS attack = Sharknado (just because I’ve always wanted to get Sharknado into a blog post...)
IoT attack = Ghostbusters, where your (connected) fridge starts doing weird things