Staff Picks for Splunk Security Reading January 2021

Howdy, folks! A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in early 2018, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series! I hope you enjoy.


Ryan Kovar


Consider all outcomes before taking a step, and spend your life on one leg.

Advanced Painting with Data: Choropleth SVG by Splunk's Ryan O'Connor

This is a little bit of a different security pick for me. Years and years ago, when I was still a Splunk customer, I was desperate to get D3 visualizations going in Splunk. At the time, Splunk legend Nate McKervey was my PS consultant, and we hounded him for years on the subject! Eventually, a now deprecated feature called escape hatch was developed, which gave me the flexibility that I needed to do D3 OUTSIDE of Splunk, but I still yearned for sexy SVG viz inside of Splunk. The recent work done by the UI/UX team at Splunk shows how this is possible! This excellent blog by Ryan O'Connor at Splunk gives some great examples of the new SVG capabilities and links back to the Splunk Dashboard Example app. If you haven't dusted off your Stephen Few and Edward Tufte books for a couple of years, I recommend you do so and start making Security visualizations! I'm now itching to make an org tree image and having the "gauge" fill up the business units to show their patching levels! Imagine walking into a SOC and seeing that!

Matt Toth


Expect the worst, it's the least you can do.

Not your grandparent's watering hole... by Dan Goodin

When discussing hacks and attacks, we often think of the malware, the vulnerability or the aftermath. One aspect that often gets overlooked is the reconnaissance an adversary does to make sure they hit their intended target. The recent hacking operation detailed by Google Project Zero utilized a watering-hole attack and four zero-day exploits to hit their targets. A watering-hole attack is when an adversary compromises a website that they believe their target will visit, with the objective of infecting the target when it does visit the site. The exploit chains used in this specific attack are impressive, and the research team does a good job of detailing the exploits. Be aware that an adversary will do their research to determine how to attack you (what sites you visit, who you are connected to on LinkedIn, what OSes you use, etc.), and that limiting the data available to them makes you a harder target.

Damien Weiss


People are noticing you! Try wearing pants more often.

The Mac Malware of 2020 by Patrick Wardle

The fact that we can have an article titled "Mac Malware of 2020" and it be readable in twenty minutes means two things. First, Macs have held up well under the assault of malware writers, and second, Macs are not invulnerable to malware. If you've been voluntold to start monitoring Macs at your workplace, there is a dearth of material available. Luckily, Patrick Wardle has stepped in and done an amazing job of documenting the threats to the platform and how to find and defend against them.

John Stoner


You are 192,239th in line for COVID Vaccine

CrowdStrike Services Cyber Front Lines Report by CrowdStrike

This year-end report snuck out at the end of December 2020, but with the Solorigate efforts, holidays and the like, it may have gotten overlooked, and I couldn't let that happen, so my pick for January is the CrowdStrike Services Cyber Front Lines Report. I will preface that CrowdStrike will prompt you for an email address to gain access to the report, but I found the report to be interesting and useful. Basically, this report takes outcomes and findings from their previous year's incident response engagements, discusses those findings thematically and then looks ahead to the coming year. A couple of key stats that I found interesting: adversary dwell time is down to 79 days, with some organizations getting down to a week but others going longer than six months! Another interesting data point is that 68% of organizations encountered another sophisticated intrusion attempt in the next year. CrowdStrike rolls these findings into six themes to think about in the coming year, with some thoughts about how to take action to counter these challenges. Like any report, you might read a section and say, "yeah, I knew that," but in terms of looking at a broader set of incident response engagements and looking for themes and ideas of where to improve your security posture, this one is a good one to check out!

Posted by

Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.
