Essential Guide to Security
How to Get Started Using Splunk for Security to Solve Your Everyday Challenges
Table of Contents

Introduction
    Splunk in the Security Operations Center (SOC)

Understanding the Fundamentals
    Splunk's Analytics-Driven Security Journey
    Splunk's Security Suite
    The Security Use Cases

Embarking on Your Analytics-Driven Security Journey
    Stage 1: Collection
    Stage 2: Normalization
    Stage 3: Expansion
    Stage 4: Enrichment
    Stage 5: Automation and Orchestration
    Stage 6: Advanced Detection

Solve Common Security Challenges With the Splunk Security Operations Suite
    Incident Investigation and Forensics
        • Detect Lateral Movement With WMI
        • Identify Multiple Unauthorized Access Attempts
    Security Monitoring
        • Detect Public S3 Buckets in AWS
        • Find Multiple Infections on Host
    Advanced Threat Detection
        • Detect Connection to New Domain
        • Find Emails With Lookalike Domains
    SOC Automation
        • Automate Malware Investigations
        • Automate Phishing Investigations and Responses
    Incident Response
        • Detect New Data Exfil DLP Alerts for User
        • Identify Basic Dynamic DNS Detection
    Compliance
        • Detect New Data Exfil DLP Alerts for User
        • Find User Logged Into In-Scope System They Should Not Have
    Fraud Analytics and Detection
        • Detect Compromised User Accounts
        • Find Anomalous Healthcare Transactions
    Insider Threat Detection
        • Detect Large Web Upload
        • Detect Successful Login of Account for Former Employee
Introduction

What's your plan for cybersecurity? Are you simply "planning for the worst, but hoping for the best?" With digital technology touching every part of our lives and new threats appearing daily, it is imperative that your organization is precise, informed and prepared when it comes to defending your assets and hunting your adversaries. High-profile breaches, global ransomware attacks and the scourge of cryptomining are reason enough for your organization to collect, leverage and understand the right data. You will also need to implement the right processes and procedures, often alongside new technologies, methods and requirements, all while the velocity and variety of machine data keep increasing.

So how can you best defend your organization and hunt down new adversaries? Ultimately, by taking a holistic approach to your defense system across the enterprise. This is why Splunk believes every organization needs a security nerve center, implemented by following the six-stage security journey described in this guide.

Let's break down what that means.
Splunk in the Security Operations Center (SOC)

Data-driven businesses take advantage of the investigate, monitor, analyze and act (IMAA) model to advance their security by optimizing their people, processes and technology. The model uses all the data from the security technology stack, which can help you investigate, detect and take rapid, coordinated action against threats in a manual, semi-automated or fully automated fashion. When security teams invest in their security infrastructure, their security ecosystem and skills become stronger, making it possible to expand security practices into new areas and deal with threats proactively.

The Splunk Data-to-Everything Platform and Splunk's security portfolio bring together multiple cybersecurity areas, as well as areas outside of security, to foster collaboration and implement best practices for interacting with your data. Security teams can use Splunk solutions to drive statistical, visual, behavioral and exploratory analytics that inform decisions and actions. From there, the platform allows for a modern workflow, from collecting data all the way to invoking actions to address cyberthreats and challenges.

Sound good? Great. So how do I make all of this happen in the real world, you ask?

To get you started, we put together this short guide to introduce you to the top security use cases organizations face and to show you how Splunk's analytics-driven platform can help you solve your security challenges. This guide is divided into three sections:

1. Understanding the Fundamentals. Here you will find an introduction to the security journey and a quick primer on security use cases, with each use case mapped to relevant Splunk solutions.

2. Embarking on Your Analytics-Driven Security Journey. Here we explain the six stages of the data-driven security journey, and what you should be able to do, and how well, at each stage.

3. Solving Common Security Challenges With Splunk. Here we walk through examples of how to solve common security challenges associated with:
    • Incident investigation and forensics
    • Security monitoring
    • Advanced threat detection
    • SOC automation
    • Incident response
    • Compliance
    • Fraud analytics and detection
    • Insider threat

Ready to create a kick-ass security practice? We thought so.

[Figure 1: diagram with Splunk Adaptive Response at the center, connected to the security domains it can act on: Network (Web Proxy, Firewall, WAF & App Security), Threat Intelligence, Orchestration, Internet, Network Security, Endpoints, and Identity and Access.]

Figure 1: Splunk Enterprise Security includes a common framework for interacting with data and invoking actions. The Adaptive Operations Framework enables security teams to quickly and confidently apply changes to the environment. Splunk Enterprise Security can automate the response as well, enabling the security infrastructure to adapt to the attacker using a range of actions appropriate to each domain.