In the world of security, it’s an ongoing process of adding and replacing tools, up-leveling our people and up-leveling our processes. The above slide illustrates the maturity levels that a corporate security program can work toward. But start with the basics.
In this presentation, we’ll talk about how to get started with Splunk for security. We’ll start with the platform. We’ll discuss the top data sources and the top use cases to get you started. And we’ll talk about where to go from there in your Splunk journey.
But you’re probably wondering, how do I get started? Excellent question.
Most programs start here. It’s a purely reactive program. When an event takes place, there’s a scurry of activity, but it’s all knee jerk reactions.
The challenge here is that there is very little visibility because they haven’t centralized their data, so they have to jump around, wasting time, searching silo to silo trying to piece together answers to their questions. Investigations, in these programs, are a massive time suck.
Stage two: instead of waiting for awful news to arrive, the team begins monitoring the network to be more proactive. Data is still only partially centralized, and real-time monitoring is done only for specific use cases and specific sourcetypes, but the goal here is to increase maturity and move toward a more proactive stance.
And this is where customers begin to see the value of Splunk. Basic alerting and monitoring are configured for the highest-priority items; however, in many cases the focus is on IT risk, not business risk.
Stage three is where things get interesting. This is where Security teams have become situationally aware.
At this point in the security journey, these teams have centralized all of their data into Splunk, they are monitoring threats in real time, they are using correlation in their alerts to reduce noise, they’ve focused on automation as a way of enriching data, and they’ve begun to use threat data from commercial sources, community feeds or government agencies.
But here, stage four, at the top of the maturity stack, is when organizations are in full proactive mode.
Here, they’re focusing their time and effort on the most important assets and identities based on their risk score. They’ve used automation to greatly reduce the number of alerts that trigger per day, opting instead for an orchestration strategy that blocks users from reaching known bad sites, automatically moves an endpoint to a segregated VLAN when suspicious activity is detected, and/or automatically resets the user’s password when suspicious behavior is detected. At this point, the security program can focus on the most important items and can thwart breaches in real time to avoid the exfil altogether.
We’ll start with the top five most popular data sources. Each of the following sources has a TA (technology add-on), which is essentially a parser that extracts fields such as Source IP, Hostname, User, etc. and preps the data for the apps that we will also install; the apps offer reports, alerts and searches out of the box.
Windows is number one. We can ingest data from Windows a number of ways, from Sysmon to WMI to third-party forwarders like Snare. But the best way is to use a Splunk Universal Forwarder. It’s a very lightweight collector that compresses and forwards the data, and it is very flexible in the data it can collect from each source.
Universal Forwarder: https://www.splunk.com/en_us/download/universal-forwarder.html
Windows TA https://splunkbase.splunk.com/app/742/
Active Directory TA https://splunkbase.splunk.com/app/3207/
Windows App for Infrastructure https://splunkbase.splunk.com/app/1680/
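As an added example (not from this deck and not the Windows TA’s own configuration), here are the inputs.conf and outputs.conf stanzas a Universal Forwarder on a Windows host would use to collect the event logs the Windows TA parses and ship them to an indexer. The index name and the indexer hostname are assumptions.

```ini
# Added example: Universal Forwarder configuration on a Windows host.
# The index "wineventlog" and the indexer "indexer.example.com" are
# assumptions; create the index on the indexers before enabling these inputs.

# --- inputs.conf (e.g. in a deployment app's local/ directory) ---
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Collect existing events on first start, then tail new ones.
start_from = oldest
current_only = 0
# Resolve SIDs/GUIDs to account names so the TA's user fields are readable.
evt_resolve_ad_obj = 1
# Persist the read position every 5 seconds so a restart does not re-send data.
checkpointInterval = 5
# Keep renderXml consistent with what your Windows TA version expects:
# false yields sourcetype WinEventLog:Security, true yields XmlWinEventLog:Security.
renderXml = false

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

# --- outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Indexer receiving port (9997 is the conventional Splunk receiving port).
server = indexer.example.com:9997
# Compress the stream on the wire, as the deck's "compresses and forwards" describes.
compressed = true
```

Restart the forwarder service after placing the files; the Windows TA must also be installed on the forwarder and on the search head for the field extractions to apply.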
And once that data is ingested, here are some examples of use cases you can satisfy using the Splunk App for Windows Infrastructure.
Next up? Linux. Linux can be ingested as syslog or, even better, you can use a Splunk Universal Forwarder here also. It’ll capture the local data and send it to your Splunk instance, which indexes it and makes it available for the Unix app.
Universal Forwarder https://www.splunk.com/en_us/download/universal-forwarder.html
Add-on for Unix/Linux https://splunkbase.splunk.com/app/833/
Splunk app for Unix/Linux https://splunkbase.splunk.com/app/273/
And here are a number of use cases that the Linux TA and the *NIX app can offer.
The two most popular firewalls that our customers use are Palo Alto and Cisco. Both vendors created their own apps and TAs for Splunk, which highlight their specific features and capabilities.
Palo Alto:
TA for Palo Alto https://splunkbase.splunk.com/app/2757/
Splunk app for Palo Alto https://splunkbase.splunk.com/app/491/
Cisco: (docs for the following) https://splunkbase.splunk.com/app/525/#/details
Cisco Security Suite https://splunkbase.splunk.com/app/525/
TA for Cisco ASA https://splunkbase.splunk.com/app/1620/
TA for Cisco WSA https://splunkbase.splunk.com/app/1747/
TA for Cisco ESA https://splunkbase.splunk.com/app/1761/
TA for Cisco ISE https://splunkbase.splunk.com/app/3064/
TA for Cisco FireSight https://splunkbase.splunk.com/app/1808/
And here are some examples of use cases that can be satisfied by that firewall data (or next-gen firewall data, such as Palo Alto’s) out of the box, using the vendor apps.
We’re seeing more and more adoption of cloud in the security space. AWS is our fourth most popular data source. The AWS apps are used to monitor AWS instances for compliance, for security, and even for billing and performance.
AWS TA: https://splunkbase.splunk.com/app/1876/
Splunk App for AWS: https://splunkbase.splunk.com/app/1274/
App for AWS Billing: https://splunkbase.splunk.com/app/1577/
AWS Compliance and Security Analyzer: https://splunkbase.splunk.com/app/3395/
Here are some examples of use cases satisfied out of the box with the AWS apps.
Lastly, anti-virus. The top two antivirus suites used by our customers are Symantec and McAfee. We have TAs for both.
Symantec:
Splunk App for Symantec: https://splunkbase.splunk.com/app/1365/
Symantec Endpoint Protection TA https://splunkbase.splunk.com/app/2772/
Symantec Endpoint Protection TA for Syslog: https://splunkbase.splunk.com/app/3121/
McAfee:
McAfee TA https://splunkbase.splunk.com/app/1819/
And here are the use cases that you can satisfy by capturing your antivirus data.
So, with those five data sources, you’re able to knock out the top six SIEM use cases according to the Infosec Institute.
But you’re not limited to specific data-source apps. There are a number of additional apps that can up-level your security program by leveraging industry controls and recommendations from organizations such as SANS and MITRE.
CIS20 | Critical Controls: https://splunkbase.splunk.com/app/3064/
Splunk Security Essentials: https://splunkbase.splunk.com/app/3435/
Splunk Security Essentials for Ransomware: https://splunkbase.splunk.com/app/3593/
The CIS Controls app for Splunk was designed to provide a consolidated, easily-extensible framework for baseline security “best-practices” based on the Top 20 Critical Security Controls v6.1 published by the Center for Internet Security.
https://github.com/swannman/ircapabilities
https://creativecommons.org/licenses/by/4.0/
In summary, we introduced you to Splunk for Security, introduced you to the top five data sources and the associated use cases that will get you started in your Splunk Security journey. Lastly, we talked about how to mature that security program over time to protect your corporate network.