Staff Picks for Splunk Security Reading: February 2018

Howdy, folks!

A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes... they get lost! So as we promised last month, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk security world that WE think everyone should read. I hope you enjoy!

(Check out our monthly staff security picks and our all-time best picks for security books and articles.)


Ryan Kovar

“Why are we not talking about BOTS”


Hunting for Chains by Jack Crook

I’m a huge fanboy of pretty much everything that Jack Crook writes. I love how this blog post talks about finding “chains” of activity and mapping it with Splunk. He gives some example SPL but I think the most important thing is to learn HOW “chaining” or linked behavior can be detected using clusters of events. I’ll add that @jackcr created a great set of Mindmaps that he posted to twitter as well. Check out the collection that @avkashk posted here!

James Brodsky



Blastin & Castin by Security Storm

A week doesn’t go by where we aren’t asked “hey, how can we realistically do something to combat phishing with our Splunk deployment?” Well, the guys over at Security Storm, who are very innovative Splunk customers that also run Splunk Enterprise Security, have written a detailed, four-part series on what they did. They use proxy logs, email metadata logs (which contain sender, recipient, and attachment details) and a series of searches that institute clever logic (mail from IP addresses instead of domains, mail from never before seen sender with an attachment) as well as lookups and summary indexes to find phishing attempts with a reasonable amount of fidelity. Then, they go one step further, showing how to take action from Splunk by removing the offensive email directly from their Exchange system before an intended victim can even open it. Many thanks to @JimApger for calling this series to our attention!
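As an added illustration of the two pieces of detection logic the series describes (mail whose sender host is a bare IP address, and a never-before-seen sender arriving with an attachment), here is a small Python implementation run over a constructed email-metadata log. It is not Security Storm's searches or Splunk code: the log format, the field names (`msgid`, `sender`, `recipient`, `attachment`), the `attachment=none` convention and the `KNOWN_SENDERS` lookup are all assumptions standing in for their lookups and summary index.

```python
"""Phishing triage over email metadata logs (added example, not the series' SPL)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log: one email-metadata event per line, key=value fields.
SAMPLE_LOG = """\
2018-02-03T09:12:44Z msgid=m001 sender=alice@example.org recipient=bob@corp.example attachment=none
2018-02-03T09:13:02Z msgid=m002 sender=billing@198.51.100.23 recipient=bob@corp.example attachment=invoice.pdf
2018-02-03T09:14:10Z msgid=m003 sender=newvendor@vendor-example.net recipient=carol@corp.example attachment=quote.docm
2018-02-03T09:15:31Z msgid=m004 sender=alice@example.org recipient=carol@corp.example attachment=notes.pdf
2018-02-03T09:16:05Z msgid=m005 sender=newvendor@vendor-example.net recipient=dave@corp.example attachment=quote2.docm
2018-02-03T09:17:40Z msgid=m006 sender=noreply@[2001:db8::7] recipient=bob@corp.example attachment=none
"""

# Constructed lookup standing in for a "previously seen senders" summary index.
KNOWN_SENDERS = {"alice@example.org", "helpdesk@corp.example"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    msgid: str
    sender: str
    recipient: str
    reason: str


def parse_event(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = ts
    return fields


def sender_host(sender):
    """Return the host part of an address; IPv6 literals arrive as [addr]."""
    host = sender.rsplit("@", 1)[-1]
    return host.strip("[]")


def is_ip_literal(host):
    """True when the sender host is a raw IPv4/IPv6 address rather than a domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, known_senders):
    """Apply the two rules to every event, in time order.

    The seen-senders set is updated as events stream past, so a sender is
    "never before seen" only on its first appearance (the role the summary
    index plays in the original write-up).
    """
    seen = set(known_senders)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        sender = ev.get("sender", "")
        has_attachment = ev.get("attachment", "none") != "none"

        # Rule 1: legitimate mail is sent from domains, not bare IP addresses.
        if is_ip_literal(sender_host(sender)):
            findings.append(Finding(ev["msgid"], sender, ev["recipient"],
                                    "sender host is an IP literal"))

        # Rule 2: a sender we have never seen before, arriving with an attachment.
        if sender not in seen and has_attachment:
            findings.append(Finding(ev["msgid"], sender, ev["recipient"],
                                    "first-seen sender with attachment"))

        seen.add(sender)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_SENDERS):
        print(f"{f.msgid} {f.sender} -> {f.recipient}: {f.reason}")
```

Note how `m005` is not flagged even though it carries an attachment: the same sender was already observed in `m003`, so the first-seen rule fires once per sender, which is what keeps the fidelity reasonable. The response step the series describes (pulling the message from Exchange) is deliberately not part of this example.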

David Veuve


Outside the Closed World: On Using Machine Learning For Network Intrusion Detection by Robin Sommer and Vern Paxson

I wanted to go a little different this month. Rather than picking a great blog post, or prescient new thought, I’m going old school. This ten-page research paper was published close to eight years ago, and walks through the innate challenges and areas of success with leveraging Machine Learning effectively for Network Intrusion Detection. I discovered it thanks to @davidjbianco, and was fascinated with the parallels and differences we see applying Machine Learning to the world of SIEM. It’s a different world, but one where we can be most effective if we are informed by the lessons from the past – I certainly would have saved myself some time had I known about this 7 years ago!

Dave Herrald


Adversarial Simulation - Chris Nickerson and Chris Gates at the Wild West Hacking Fest Oct

This month I chose a fantastic presentation from industry leaders Chris Nickerson and Chris Gates on the topic of adversary simulation. At Splunk we’ve noticed a significant uptick in interest in this topic from our more mature blue-team customers, and for good reason. Quite simply, defenders need real-world, repeatable, and measurable tests for their detection mechanisms. It only makes sense that the searches and alerts that we invest in so heavily, and that we rely on so critically, should be measured for efficacy and for coverage across models like the MITRE ATT&CK Framework. This presentation from Chris and Chris articulates the need, explains the history of how we got here, and provides some real solutions in the form of an interesting new open source project called Metta. The presentation also includes many references to related projects and includes an inspirational call to action for the community. Check out the video!

John Stoner

“One trick Buttercup”

Creating a Threat-Based Cyber Team – Anthony Talamantes and Todd Kight, JHU-APL

At .conf2017, Anthony and Todd discussed their experiences defending against threat actors and their shift from signature-based monitoring to behavioral and data-centric monitoring to increase their visibility. This shift was not just a technology shift, but also a personnel and process shift. They share how they constructed their cyber threat team to adapt to their changing threat environment. Their story is a great example of how security operations must evolve from an alert- and prevention-based environment to a more dynamic detection-based organization to meet the threats unique to their environment. The creation of automation to streamline their work, establishing hunt teams and improving on their processing of threat intelligence beyond just processing indicators are additional examples of methods to improve visibility.

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.
