Staff Picks for Splunk Security Reading: April 2018

Howdy, folks!

A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised in January, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature our favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk security world that WE think everyone should read. I hope you enjoy!

(Check out our monthly staff security picks and our all-time best picks for security books and articles.)

Ryan Kovar

“Crap, it's end of April?”

The Art of Detection Using Splunk Enterprise Security by Doug Brown

I think most Enterprise Security administrators are a little scared of customizing ES to fit their SOC. Doug Brown is not that administrator. One of the things I love about this presentation is that it shows how ES can be molded to work better with "your" workflow rather than just what we at Splunk think a workflow should be. To be fair, there are dragons when you modify ES, and you should be careful to make sure you don't change things that will be overwritten in an upgrade, but it IS possible. In this presentation, Doug walks step-by-step through some ideas he has for modifying ES to make his (and his users') life more manageable.

James Brodsky

“Can I do mine in May?”

Endpoint Isolation with the Windows Firewall by Dane Stuckey

I’m busy researching material for upcoming endpoint presentations and hands-on experiences that we hope to offer at Splunk’s .conf18. One of the things we will focus on is a back-to-basics approach—what can you do with “standard, native event sources” when you ingest them in Splunk? Well, don’t forget about how powerful the built-in Windows firewall can be when configured correctly to block common indicators of malicious behavior. Dane Stuckey from Palantir has done just that in this post, where he goes through in quite a lot of detail how Palantir has configured their firewalls, centrally via GPO, to effectively reduce or eliminate lateral movement across Windows endpoints. It’s built in! Why wouldn’t you use it? Combine an effective endpoint firewall policy like Dane presents with comprehensive reporting about firewall activity in Splunk (via the Universal Forwarder and the Windows Security log) and you’ve got a solid defensive solution...without having to install YARA. (Yet Another Remote Agent—what did you think I meant?)
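As an added illustration of the two halves Dane's post pairs together (a restrictive inbound policy plus Security-log visibility), here is a small PowerShell script in the same spirit. It is not code from the original post or from Palantir's write-up; it applies the policy locally with the NetSecurity cmdlets rather than through a GPO, and the management subnet `10.0.100.0/24` is a constructed placeholder you would replace with your own jump or administration hosts.

```powershell
# Added example, not from the original post or from Palantir's write-up.
# Run in an elevated PowerShell on Windows 10 / Server 2016 or later, or
# translate the same settings into a GPO for central deployment.

# Constructed placeholder: the only network allowed to reach workstation
# management ports.
$MgmtSubnet = '10.0.100.0/24'

# 1. Default posture on every profile: block inbound, allow outbound, and
#    ignore locally created rules so a host cannot quietly widen the policy.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False

# 2. Services commonly used to hop from one workstation to another.
#    Because inbound traffic is blocked by default, a narrow allow rule per
#    service is all that is needed; no explicit block rules are added, since
#    Windows evaluates block rules before allow rules and an unrestricted
#    block would also cut off the management hosts.
$LateralPorts = @{
    'SMB'   = '445'
    'RPC'   = '135'
    'RDP'   = '3389'
    'WinRM' = '5985-5986'
}

foreach ($name in $LateralPorts.Keys) {
    New-NetFirewallRule `
        -DisplayName "Isolation - Allow $name from management only" `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPort $LateralPorts[$name] `
        -RemoteAddress $MgmtSubnet `
        -Profile Any
}

# 3. Surface what the firewall drops. Failure auditing for "Filtering Platform
#    Connection" writes event 5157 ("The Windows Filtering Platform has blocked
#    a connection") to the Security log, which the Universal Forwarder can
#    forward to Splunk with its normal WinEventLog:Security input.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# Quick local check of what was created.
Get-NetFirewallRule -DisplayName 'Isolation - *' |
    Select-Object DisplayName, Direction, Action, Enabled
```

Two practical caveats. The isolation only holds if pre-existing broad inbound allow rules (the built-in File and Printer Sharing or Remote Desktop rule groups, for example) are disabled or scoped the same way, which is where central management with local rule merging turned off earns its keep. And enable only failure auditing for the Filtering Platform Connection subcategory: success auditing logs every permitted connection as event 5156 and will swamp both the endpoint and your Splunk license.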

Michael Weinberger

Phantom New Guy!

Malware: Linux, Mac, Windows, Oh My! by

Many customers have endpoint technologies that maintain the security of their Windows and Mac endpoints. Once in a while, you get a particular type of user who wants to use Linux as their primary operating system. While there are a few choices for common security tools that you can use to protect your Linux endpoints, there are also a series of hunting exercises you can perform to manually determine if anything fishy is going on with your endpoints. Some good examples can be found in this great TrustedSec article, and not only can you run these commands on your endpoints, but you can use Phantom to automate these actions as well! So what does this mean? This blog post gives you a collection of one-off actions to help protect your environment. You might not want a dedicated tool for this, but using the Phantom platform, you can leverage the tools and technologies you already have to cover that gap with automated processes. This will make sure those Linux endpoints get the tender touch that they need to keep your network secure.

Dave Herrald

“Bro, where's my car?”

Sysmon - DFIR by Michael Haag

This month I recommend "Sysmon – DFIR", a newly published list of Microsoft Sysmon related tools and resources curated on GitHub by Michael Haag (@M_haggis on Twitter). Endpoint telemetry is critical to any team who is serious about detecting and responding to today’s advanced threats, and Sysmon is a powerful free tool for gaining this type of detailed visibility into your Microsoft Windows-based systems. Whether you are brand new to Sysmon or an experienced blue-teamer, you're sure to find something interesting in Mike's repository.

John Stoner

“Tagalong Johnny”

This week, I was fortunate enough to attend the SANS Blue Team Summit in Louisville (special thanks to Ryan and Dave!). One of my favorite talks from the conference was Pack Hunting by Kristina and Andrew. There has not been a lot written about threat hunting (in comparison to other aspects of cyber), and there is even less available on how to operationalize a team of threat hunters. As I listened to Kristina and Andrew, I was pleased that they were able to come and share their experiences on how they organize, plan and document their hunts, as well as demonstrate value to their leadership. Their tips are invaluable to anyone looking to establish a hunt capability, and while this is not a paper but a presentation, I highly recommend checking it out!

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.