Staff Picks for Splunk Security Reading October 2021

Hello everyone! Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, white papers, and customer case studies that we feel are worth a read.

This month we decided to switch things up and include some of our favorite .conf21 presentations. Check out our monthly staff security picks and our all-time best picks for security books and articles. We hope you enjoy.
Dave Herrald

Touring the Software Factory: Get Visibility Into Your Pipeline Analytics to Ship Better Software Faster With GitHub by Doug Erkkila and Jose Palafox 

“As Splunk continues its journey to provide solutions for DevSecOps practitioners, visibility to the CI/CD pipeline is a foundational capability. Splunk can now ingest audit logs from GitHub Enterprise Organizations. This talk details why Splunk and GitHub teamed up to build this integration, how to set it up, and some cool use cases. If you are interested in DevSecOps, software supply chain security, or application security, you will not want to miss this talk.”

Mick Baccio

Administrators Anonymous: Splunk Best Practices and Useful Tricks I Learned the Hard Way by Tom Kopchak

"Following up on a great session from .conf20, Tom Kopchak is back at .conf21 building on lessons learned as the Director of Technical Ops at Hurricane Labs. This is a fantastic session, filled with practical tips that can be implemented right away. No matter how long you’ve been administering your environment, I guarantee you will learn something new."

Tamara Chacon

DoH or DoH not, there is no try. Is machine learning the force you need to save your detections from the encryption empire? by Josh Cowling and Stefan Bogdanis

“This .conf21 talk was extremely insightful in breaking down DoH and some of the issues that come along with DoH. The SPL breakdown was very easy to understand and showed how to use Splunk Stream or Zeek to analyze these types of connections. It was also great to get a link to the data they used so I could play around with the data myself in Splunk.”

Matt Toth

.conf21 Threat Modeling: The Bare Necessities by Rebecca Blair 

“At our user conference, Splunk .conf21, there were a lot of great talks delivered by our customers and teammates. One that I particularly liked was given by Rebecca Blair, the SOC manager at Toast, on Threat Modeling. I came away with a fresh perspective on different Threat Models, how to choose different controls to look at based on use case or capability, and the impact Threat Modeling can have. It is really nice to see members of the information security community coming together at our event, and to be able to learn from each other.”

John Stoner

FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor by Ramin Nafisi

“This article is hot off the press, which makes it timely, but it is a continuation of the interest that APT29, or Nobelium as Microsoft refers to them, continues to have in gaining access to Active Directory Federation Servers (ADFS). The Sunburst backdoor that was associated with APT29 and the supply chain attack on SolarWinds Orion software isn’t far in the rear-view mirror, but here we have an in-depth analysis of a backdoor focused on exfiltrating the configuration database, decrypted token-signing certificates and token-decryption certificates of ADFS servers. Gaining access to these components could lead to abuse of the SAML token, which could be used to bypass ADFS to gain access to other systems. This has been referred to as a Golden SAML attack. Ramin goes into great detail around the components of what is referred to as FoggyWeb and ends with a list of IOCs and mitigations for administrators responsible for ADFS. The hybrid nature of environments with a foot in the cloud and a foot on premise and their Active Directory in between makes these kinds of attacks dangerous, so if you are someone either contemplating or in this architecture, I would highly recommend reading up on this.”

Damien Weiss

New Policy for Improving National Security by Fixing the Problem of Insider Spies by Dr. David L. Charney

“With Splunk's ongoing effort to integrate with different UAM providers, I once again went back to one of the best white papers on the psychology of insider threats. Yes, I realize that the doctor was researching and writing about spies, but the information contained is directly relevant to the broad insider threat space. If you're trying to find insiders, or even if you enjoy understanding why 'good people do bad things' and how to prevent it, take a read. It's well worth the time.”

Audra Streetman

Splunk .conf21 sessions led by SURGe

“It was too hard to pick just one .conf21 session as my favorite, so I decided to highlight the sessions led by Splunk SURGe members and contributors.

 Marcus LaFerrera and Ryan Kovar gave a presentation with an accompanying white paper on how to detect supply chain attacks using Splunk and JA3/s hashes to detect malicious activity in servers. The JA3/s data referenced in the paper was also used in the APT scenario of the 6th annual Boss of the SOC competition. More than 2,400 people registered for this year’s Boss of the SOC, with participants from 52 countries and 6 continents!

John Stoner used examples from Boss of the SOC data to illustrate how indicators can easily be integrated with the threat intel framework using Splunk Enterprise Security as well as how to customize the correlation of these indicators. The session included tips and techniques to quickly ingest indicators and operationalize threat intelligence. 

Drew Church showed us how an IT Specialist with the Department of the Navy is leveraging Splunk to help automate data collection, reporting and visualization to quickly identify and remediate compliance issues.

Megan Parsons and James Young broke down the key technical steps for asset discovery with Splunk. That means understanding all of your assets, which is a critical foundation for any risk-based security practice. 

Lilly Lee, James Young and Paul Pelletier compared SIEM, SOAR and XDR in order to demystify these technologies and explain how they actually complement one another within your organization. 

Tamara Chacon and Katie Brown guided participants through core Splunk and Enterprise Security using a prescriptive training roadmap so they can grow from a beginner to a champion in Splunk security. 

Dave Herrald and Chris Riley showed us how Splunk can be used for DevSecOps use cases along with attack detection using known TTPs from recent security incidents. Attendees can access data from the talk on BOSSng, Splunk’s new on-demand security workshop."
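
The JA3 and JA3S hashes mentioned in the supply chain talk above are easy to describe but rarely shown end to end. The block below is an added example written for this post; it is not code from the talk, the white paper or Splunk. It parses a raw TLS ClientHello record into the JA3 string (version, cipher suites, extensions, supported groups, point formats), a ServerHello into the JA3S string (version, chosen cipher, extensions), drops GREASE values so the fingerprint stays stable across connections, and takes the MD5 that sensors report. The two handshake messages it runs on are constructed inside the file (the server name, cipher lists and extension bodies are made-up values), not captured traffic.

```python
# Added example, not code from the referenced talk or paper: JA3 (ClientHello) and JA3S
# (ServerHello) fingerprints from raw TLS records. Sample handshakes are constructed below.
import hashlib
import struct

# GREASE values (RFC 8701) change per connection, so JA3 drops them from every list.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}

def _u16_list(data):
    return list(struct.unpack(f"!{len(data) // 2}H", data[:len(data) & ~1]))

def _join(values):
    return "-".join(str(v) for v in values)

def _extensions(data):
    """Split an extensions block into (type, body) pairs in wire order."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        out.append((ext_type, data[pos + 4:pos + 4 + ext_len]))
        pos += 4 + ext_len
    return out

def _handshake_body(record, expected_type):
    """Strip the TLS record and handshake headers, checking the handshake type."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs[0]}")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]

def ja3_string(client_hello):
    """JA3 = 'Version,Ciphers,Extensions,EllipticCurves,ECPointFormats' (decimal, '-' joined)."""
    body = _handshake_body(client_hello, 0x01)
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                               # client_version + random
    pos += 1 + body[pos]                       # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    ciphers = [c for c in _u16_list(body[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len
    pos += 1 + body[pos]                       # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    ext_types, curves, formats = [], [], []
    for ext_type, ext_body in _extensions(body[pos + 2:pos + 2 + ext_len]):
        if ext_type in GREASE:
            continue
        ext_types.append(ext_type)
        if ext_type == 0x000A:                 # supported_groups: u16 length, u16 list
            curves = [g for g in _u16_list(ext_body[2:]) if g not in GREASE]
        elif ext_type == 0x000B:               # ec_point_formats: u8 length, u8 list
            formats = list(ext_body[1:])
    return f"{version},{_join(ciphers)},{_join(ext_types)},{_join(curves)},{_join(formats)}"

def ja3s_string(server_hello):
    """JA3S = 'Version,Cipher,Extensions' from the ServerHello (one cipher, no curve lists)."""
    body = _handshake_body(server_hello, 0x02)
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32
    pos += 1 + body[pos]                       # session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                   # cipher_suite + compression_method
    ext_types = []
    if pos + 2 <= len(body):                   # the extensions block is optional here
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        ext_types = [t for t, _ in _extensions(body[pos + 2:pos + 2 + ext_len]) if t not in GREASE]
    return f"{version},{cipher},{_join(ext_types)}"

def fingerprint(ja3_text):
    """The value reported by JA3-aware sensors is the MD5 of the string form."""
    return hashlib.md5(ja3_text.encode()).hexdigest()

# --- constructed sample handshakes (assembled here, not captured traffic) ---
def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def _record(hs_type, body, exts):
    ext_block = b"".join(exts)
    body += struct.pack("!H", len(ext_block)) + ext_block
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sample_client_hello():
    ciphers = [0x1A1A, 0x1301, 0x1302, 0xC02B]            # first entry is GREASE
    exts = [_ext(0x2A2A, b""),                            # GREASE extension
            _ext(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),      # server_name (made up)
            _ext(0x000A, b"\x00\x06\x4a\x4a\x00\x1d\x00\x17"),     # GREASE, x25519, P-256
            _ext(0x000B, b"\x01\x00"),                    # uncompressed point format
            _ext(0x002B, b"\x04\x03\x04\x03\x03")]        # supported_versions
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    return _record(0x01, body + b"\x01\x00", exts)        # one compression method: null

def sample_server_hello():
    exts = [_ext(0x002B, b"\x03\x04"), _ext(0x0033, b"\x00\x1d\x00\x01\x00")]
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0x1301) + b"\x00"
    return _record(0x02, body, exts)
```

Calling ja3_string(sample_client_hello()) yields 771,4865-4866-49195,0-10-11-43,29-23,0 and ja3s_string(sample_server_hello()) yields 771,4865,43-51; fingerprint() turns either into the 32-character hash you would compare against a list of known-bad client or server fingerprints. Two things to keep in mind when using this for detection: the GREASE filtering is what keeps a browser's fingerprint constant between connections, and JA3S depends on what the client offered, so the same server can produce several JA3S values and the JA3/JA3S pair is a stronger signal than either hash alone.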
Splunk’s .conf21 was packed full of interesting talks and big announcements. Splunk executives joined leaders from McLaren, AWS, and Walmart to share their stories of how Splunk is turning data into doing and innovating to solve the challenges of tomorrow. If you missed any of the sessions mentioned above, you can watch them on demand at

Audra Streetman is a member of SURGe, Splunk's security research team. Before arriving at Splunk, Audra worked as a reporter, producer and anchor at local TV stations in Indiana, California, Kentucky and Colorado. As a journalist, she covered several major cybersecurity stories including SolarWinds and ransomware attacks targeting Colonial Pipeline, JBS and Kaseya. In her free time, she enjoys hiking and skiing in the Colorado Rockies.
