Top 5 Use Cases for Splunk Enterprise Security
It's not easy to detect and respond to security events quickly. A security analyst can spend minutes (sometimes hours) on a single alert. Multiply that by the hundreds of alerts a team has to deal with every day, and they're left with too many tickets and too few analysts. Starting to see the problem?

We need to help security teams speed up their response times while reducing the number of alerts they get. We can start by improving visibility into their environment, so they can detect and respond to threats faster. Better yet, automating alert triage can turn minutes into seconds and hours into minutes, and who wouldn't want that?

This gives hard-to-detect, insidious threats like malware fewer places to hide and propagate, and limits the damage they can cause, meaning stressed-out security analysts become happier.

But even if a happy analyst sounds nice, life in the fast-paced world of security isn't always so easy, and security teams still have to figure out where to start. And, as we've established, knowing that any part of their organization is susceptible to intrusion, and that they have to identify security gaps well ahead of time, can be an overwhelming task for even the best analysts.

Lucky for them, and for security analysts everywhere, we've been working with Splunk customers for years on how to deal with this very issue. We've helped them answer their toughest security questions by unlocking the answers hidden inside their data.

We've bundled those conversations into this quick guide on high-level security use cases and how to get started. These are the security issues we're asked about most often, along with best practices for content and ideas that will help security teams hit the ground running as they deploy or refine Splunk Enterprise Security (ES).
01 Compromised credentials

What are compromised user credentials?

Credentials are compromised when an attacker obtains an employee's credentials through tried-and-true methods such as phishing or business email compromise. Once the attackers have entered the environment with valid credentials, they start looking for weaknesses they can use to achieve their objective (and ruin a security analyst's day). Worst of all, because the threat actor logged in with valid credentials, they look like a legitimate user, which makes this a difficult threat to detect.

How does Splunk address compromised user credentials?

Splunk ES can identify instances where user credentials have been compromised and are being used by someone other than the authorized person or application. ES also provides coverage for shared and generic account usage. Splunk User Behavior Analytics (UBA) builds a behavioral model for each user and notifies analysts when a user's activity deviates from that established baseline. Detection also covers unusual or malicious Active Directory (AD) activity, such as operations a user performs on their own account, activity by terminated users or disabled accounts, and account recovery.

Top 5 Use Cases for Splunk Enterprise Security | 3


Splunk
02 Privileged user compromise

What is privileged user compromise?

Privileged user compromise is when an attacker gains access to a privileged user account, typically through social engineering or by exploiting a vulnerability (sometimes a zero-day). These attacks target high-value users: those with administrative access to sensitive assets, or with executive-level authority. That is why it's important for security analysts to identify immediately when a privileged account has been compromised. The technique usually involves getting past traditional security tools, such as firewalls or legacy security information and event management (SIEM) solutions, that are built to defend against known threats. Once in, the attacker starts looking for ways to gain more access by gathering other sensitive information, such as passwords or SSH keys.
Figure: Splunk UBA helps score the severity of risk, using a baseline of normal behavior.

How does Splunk address privileged user compromise?
Splunk ES uses risk-based alerting (RBA) to detect sophisticated threats by attributing risk to users and entities, and it triggers an alert only when behavioral thresholds are exceeded and certain MITRE ATT&CK tactics are observed. Individual detections contribute risk scores rather than raising their own alerts, so the analyst sees one notable event per entity instead of one per detection. Combining that comprehensive collection of risk attributions with the per-account behavioral baseline that Splunk UBA builds makes it easy to identify irregularities relative to the user's normal behavior. Such irregularities usually indicate excessive usage, rare access, potential sabotage, or someone trying to cover their tracks. As user behavior continues to diverge from known normal behavior, UBA's confidence grows, increasing the assessed likelihood and severity of risk. Example detections include service accounts used for VPN or interactive logins, data snooping, deleting audit logs, and accessing confidential information.
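The two-stage shape of risk-based alerting described above, written out as an added Python example (this is illustrative code, not Splunk's implementation, which runs as risk rules and risk incident rules in SPL over the risk index). The sample events, the baseline of "normal" shares per user, the `svc_` naming convention for service accounts, the per-rule scores and the 100-point / two-tactic gate are all assumptions made for the example; in ES you would tune each of them:

```python
"""Risk-based alerting, re-implemented in plain Python for illustration.

Stage 1: risk rules scan events and emit risk observations
         (entity, score, ATT&CK tactic) instead of paging anyone.
Stage 2: a risk incident rule aggregates observations per entity over a
         time window and fires only when the score threshold AND a minimum
         number of distinct tactics are both met.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    ts: datetime
    entity: str
    score: int
    tactic: str   # MITRE ATT&CK tactic the detection maps to
    rule: str     # name of the risk rule that produced it


# Constructed sample telemetry, already parsed into dicts. Not real logs.
RAW_EVENTS = [
    {"ts": "2022-06-01T08:02:00", "user": "svc_backup", "kind": "logon",
     "logon_type": "interactive", "src": "10.1.5.23"},
    {"ts": "2022-06-01T08:05:00", "user": "svc_backup", "kind": "audit_log_cleared",
     "host": "fs01"},
    {"ts": "2022-06-01T08:30:00", "user": "dave", "kind": "logon",
     "logon_type": "interactive", "src": "10.1.7.8"},
    {"ts": "2022-05-28T17:00:00", "user": "dave", "kind": "audit_log_cleared",
     "host": "lab03"},                                   # outside the 24h window
    {"ts": "2022-06-01T09:10:00", "user": "bob", "kind": "share_access", "share": r"\\fs01\finance"},
    {"ts": "2022-06-01T09:12:00", "user": "bob", "kind": "share_access", "share": r"\\fs01\legal"},
    {"ts": "2022-06-01T09:15:00", "user": "bob", "kind": "share_access", "share": r"\\fs01\hr"},
    {"ts": "2022-06-01T09:20:00", "user": "bob", "kind": "share_access", "share": r"\\fs01\exec"},
    {"ts": "2022-06-01T09:18:00", "user": "carol", "kind": "share_access", "share": r"\\fs01\hr"},
    {"ts": "2022-06-01T09:19:00", "user": "carol", "kind": "share_access", "share": r"\\fs01\finance"},
]

# UBA-style baseline of which shares each user normally touches (constructed).
BASELINE_SHARES = {
    "bob": {r"\\fs01\eng"},
    "carol": {r"\\fs01\hr"},
}

SERVICE_ACCOUNT_PREFIX = "svc_"            # assumed naming convention
INTERACTIVE_LOGON_TYPES = {"interactive", "remote_interactive", "vpn"}


def risk_rules(ev):
    """Apply every risk rule to one event; each match adds score + tactic."""
    ts = datetime.fromisoformat(ev["ts"])
    user = ev["user"]
    out = []
    # Service account used for an interactive/VPN logon (Valid Accounts).
    if (ev["kind"] == "logon" and user.startswith(SERVICE_ACCOUNT_PREFIX)
            and ev["logon_type"] in INTERACTIVE_LOGON_TYPES):
        out.append(RiskEvent(ts, user, 40, "Persistence", "service_account_interactive_logon"))
    # Audit log deletion: covering tracks (Indicator Removal).
    if ev["kind"] == "audit_log_cleared":
        out.append(RiskEvent(ts, user, 60, "Defense Evasion", "audit_log_cleared"))
    # Access to a share outside the user's baseline: rare access / snooping.
    if ev["kind"] == "share_access" and ev["share"] not in BASELINE_SHARES.get(user, set()):
        out.append(RiskEvent(ts, user, 30, "Collection", "rare_share_access"))
    return out


def aggregate_risk(risk_events, window=timedelta(hours=24), now=None):
    """Sum risk per entity over the window; keep the distinct tactics seen."""
    if now is None:                      # batch mode: evaluate as of the newest event
        now = max(e.ts for e in risk_events)
    per_entity = defaultdict(lambda: {"score": 0, "tactics": set(), "rules": []})
    for e in risk_events:
        if timedelta(0) <= now - e.ts <= window:
            agg = per_entity[e.entity]
            agg["score"] += e.score
            agg["tactics"].add(e.tactic)
            agg["rules"].append(e.rule)
    return dict(per_entity)


def risk_incidents(per_entity, score_threshold=100, min_tactics=2):
    """Fire only when BOTH the score and the tactic-diversity gates are met."""
    return sorted(entity for entity, agg in per_entity.items()
                  if agg["score"] >= score_threshold and len(agg["tactics"]) >= min_tactics)


def evaluate(raw_events=RAW_EVENTS):
    risk = [r for ev in raw_events for r in risk_rules(ev)]
    per_entity = aggregate_risk(risk)
    return per_entity, risk_incidents(per_entity)


if __name__ == "__main__":
    per_entity, fired = evaluate()
    for entity, agg in sorted(per_entity.items()):
        print(f"{entity:<12} score={agg['score']:<4} tactics={sorted(agg['tactics'])}")
    print("risk incidents:", fired)
```

Note what the tactic gate buys you: bob trips the rare-share rule four times and ends up with more points than the service account, but a single noisy detection never pages anyone on its own, while the service account's interactive logon plus an audit-log wipe (two tactics, one entity) does.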

03 Insider threat

Figure: An example of a Splunk dashboard to help identify insider threats.

What is an insider threat?

An insider threat is an employee or contractor with access to privileged information who purposely, or accidentally, misuses that access to harm the company they work for. It's such a common issue that insider threats account for two-thirds of attacks or data loss. Compromised user credentials, privileged user compromise and insider threat all share the same underlying behavior: valid credentials are used for nefarious purposes, so the activity looks authorized.

How does Splunk address insider threats?

Splunk ES and UBA capture the attacker's footprint as they move across enterprise, cloud and mobile environments. Their activity is analyzed by machine learning algorithms that create a baseline, detect deviations and surface anomalies in near real time. The totality of the attacker's actions within the environment is stitched into a sequence, using pattern detection and correlation to reveal the kill chain, so security teams can act immediately.

04 Ransomware
What is ransomware?

Ransomware is a type of malware that is, sadly, rising in popularity; the threat has even caught the attention of President Joe Biden. A typical attack starts with phishing (or another initial-access vector such as stolen credentials or an exposed remote service) that gives the attacker a foothold, often with privileged access. The malware then springs into action, encrypting some or all of the files it can reach, frequently including network shares. The attackers demand a ransom, hence the name, of tens of thousands or sometimes millions of dollars, paid in cryptocurrency, in return for the decryption key.

How does Splunk address ransomware?

Splunk ES receives updates from the Splunk ES Content Update (ESCU), which gives security analysts pre-packaged security content for fighting ongoing, time-sensitive threats, attack methods and other security issues. At the time of writing there are 35 ransomware use cases in ESCU, and as new threats are spotted, the Splunk Threat Research Team reverse engineers them and pushes updates through ESCU so that detections stay current.
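The encryption phase described above is what most behavioural ransomware detections key on: one process has to rewrite a lot of files, in a lot of directories, in a short time. The following is an added Python example of that heuristic over endpoint file-rename events; it is not Splunk or ESCU content. The event stream is constructed, the `.locked` extension and `update.exe` process name are made up for the example, and the thresholds (20 files, 3 directories, 80% of renames to one new extension, within 2 minutes) are assumptions to be tuned per environment:

```python
"""Mass-encryption heuristic over endpoint file-activity events (illustrative).

Ransomware has to touch many files fast, so a single process renaming many
files across many directories to one new extension within a short window
stands out from normal user and application behaviour.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


def _constructed_events():
    """Build a small, constructed event stream. Not real telemetry."""
    base = datetime(2022, 6, 1, 14, 0, 0)
    events = []
    # 30 renames by one process across 4 directories in about 90 seconds.
    dirs = [r"C:\Users\jdoe\Documents", r"C:\Users\jdoe\Desktop",
            r"C:\Users\jdoe\Pictures", r"\\fs01\finance\2022"]
    for i in range(30):
        path = f"{dirs[i % 4]}\\file{i}.xlsx"
        events.append({"ts": base + timedelta(seconds=3 * i), "host": "ws042",
                       "process": "update.exe", "pid": 4120, "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    # Benign noise: Word replacing temp files in one directory, slowly.
    for i in range(5):
        path = rf"C:\Users\jdoe\Documents\~WRD{i}.tmp"
        events.append({"ts": base + timedelta(minutes=i), "host": "ws042",
                       "process": "winword.exe", "pid": 2210, "op": "rename",
                       "path": path, "new_path": rf"C:\Users\jdoe\Documents\report{i}.docx"})
    return events


FILE_EVENTS = _constructed_events()


def ransomware_candidates(events, window=timedelta(minutes=2),
                          min_files=20, min_dirs=3, ext_ratio=0.8):
    """Return (host, process, pid) groups whose renames look like mass encryption.

    Thresholds are assumptions for this example. Tune them per environment:
    backup agents, compilers and sync clients also produce rename bursts.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if ev["op"] == "rename":
            by_proc[(ev["host"], ev["process"], ev["pid"])].append(ev)

    hits = []
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()                    # sliding window of this process's renames
        flagged = None
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            files = {e["path"] for e in recent}
            dirs = {str(PureWindowsPath(e["path"]).parent) for e in recent}
            exts = Counter(PureWindowsPath(e["new_path"]).suffix for e in recent)
            top_ext, top_n = exts.most_common(1)[0]
            if (len(files) >= min_files and len(dirs) >= min_dirs
                    and top_n / len(recent) >= ext_ratio):
                flagged = {"host": key[0], "process": key[1], "pid": key[2],
                           "files": len(files), "dirs": len(dirs), "ext": top_ext,
                           "first_seen": recent[0]["ts"]}
                break                       # one verdict per process is enough
        if flagged:
            hits.append(flagged)
    return hits


if __name__ == "__main__":
    for hit in ransomware_candidates(FILE_EVENTS):
        print(hit)
```

The verdict fires on the 20th rename, roughly a minute into the burst, which is the point of a streaming window: you want the alert (and ideally an automated host isolation) before the share is fully encrypted, not after a nightly batch job.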

05 Cloud security

What is cloud security?

Cloud security starts from the principle that cybersecurity has to move away from the perimeter and retire the network-centric approach that many traditional security solutions still rely on. For that, you can thank COVID and our collective large-scale migration to the cloud as we moved to working from home.

Because of the rise of cloud computing, and because more companies are migrating critical parts of their business to one of the public clouds, such as Google Cloud Platform (GCP), Amazon Web Services (AWS) or Microsoft Azure, organizations need to analyze their cloud data in real time to gain the visibility required to stay one step ahead of attackers.

How does Splunk bolster cloud security coverage?

Splunk ES makes it easy to onboard asset and identity (A&I) information from GCP, AWS and Azure so that it populates the A&I tables within Splunk. Splunk ES also provides out-of-the-box detections for the big three cloud providers across authentication, network traffic and configuration changes. By mapping the cloud providers' data formats onto Splunk's Common Information Model (CIM), a company's existing detection and investigation workflows gain cloud data coverage without being rewritten per provider.
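What "mapping onto the Common Information Model" buys you is easiest to see with one cross-provider detection. The following is an added Python example, not Splunk's add-ons or ES content: it normalizes AWS CloudTrail console logins, Azure AD sign-in logs and Google Workspace login audit records to the CIM Authentication field names (`action`, `app`, `src`, `user`, `signature`, `vendor_product`) and then runs a single failed-then-successful-login check over all of them. The records are constructed, modelled on each provider's documented log shape (the `_identity` helper is a stand-in for the ES asset and identity lookup, and the 3-failures-in-30-minutes threshold is an assumption):

```python
"""Normalizing cloud sign-in logs to CIM Authentication fields (illustrative).

Once AWS, Azure AD and Google Workspace events share the same field names,
one detection can run across all three providers at once.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like each provider's sign-in log format.
# Not real logs.
AWS_CLOUDTRAIL = [
    {"eventTime": "2022-06-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2022-06-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2022-06-01T10:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "192.0.2.4", "responseElements": {"ConsoleLogin": "Failure"}},
]
AZURE_SIGNINS = [
    {"createdDateTime": "2022-06-01T10:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50126}},          # invalid username or password
    {"createdDateTime": "2022-06-01T10:03:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}},              # success
]
GOOGLE_WORKSPACE_LOGIN = [
    {"id": {"time": "2022-06-01T10:05:00Z", "applicationName": "login"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "198.51.100.9",
     "events": [{"name": "login_success"}]},
]


def _identity(raw_user):
    """Stand-in for the ES asset & identity lookup: collapse UPN/email to the account name."""
    return raw_user.split("@")[0].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_aws(rec):
    return {"_time": _ts(rec["eventTime"]), "vendor_product": "AWS CloudTrail",
            "app": rec["eventSource"], "signature": rec["eventName"],
            "user": _identity(rec["userIdentity"]["userName"]), "src": rec["sourceIPAddress"],
            "action": "success" if rec["responseElements"]["ConsoleLogin"] == "Success" else "failure"}


def normalize_azure(rec):
    code = rec["status"]["errorCode"]
    return {"_time": _ts(rec["createdDateTime"]), "vendor_product": "Azure AD",
            "app": rec["appDisplayName"], "signature": str(code),
            "user": _identity(rec["userPrincipalName"]), "src": rec["ipAddress"],
            "action": "success" if code == 0 else "failure"}


def normalize_google(rec):
    name = rec["events"][0]["name"]
    return {"_time": _ts(rec["id"]["time"]), "vendor_product": "Google Workspace",
            "app": rec["id"]["applicationName"], "signature": name,
            "user": _identity(rec["actor"]["email"]), "src": rec["ipAddress"],
            "action": "success" if name == "login_success" else "failure"}


def normalize_all():
    """Every provider ends up with the same CIM field names, sorted by time."""
    events = ([normalize_aws(r) for r in AWS_CLOUDTRAIL]
              + [normalize_azure(r) for r in AZURE_SIGNINS]
              + [normalize_google(r) for r in GOOGLE_WORKSPACE_LOGIN])
    return sorted(events, key=lambda e: e["_time"])


def failures_then_success(events, min_failures=3, window=timedelta(minutes=30)):
    """Flag (user, src) pairs with >= min_failures failures followed by a success
    inside the window, counting across providers."""
    by_pair = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_pair[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_pair.items():
        for i, e in enumerate(evs):
            if e["action"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if p["action"] == "failure" and e["_time"] - p["_time"] <= window]
            if len(prior) >= min_failures:
                hits.append({"user": user, "src": src, "failures": len(prior),
                             "providers": sorted({p["vendor_product"] for p in prior}
                                                 | {e["vendor_product"]})})
                break
    return hits


if __name__ == "__main__":
    for hit in failures_then_success(normalize_all()):
        print(hit)
```

In the sample, neither provider alone sees three failures from 203.0.113.7 (AWS sees two, Azure sees one and then a success), so a per-provider rule stays silent; only the normalized, joined view shows the pattern.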

Ready to supercharge your security operations
with a cloud-based data-driven SIEM solution?
Learn how to get started with Splunk.


Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the
United States and other countries. All other brand names, product names or trademarks belong to their
respective owners. © 2022 Splunk Inc. All rights reserved.

22-20968-Splunk-Top 5 Use Cases for Splunk Enterprise Security-LS-105
