
Fast Historical Threat Research with Splunk

From Wikipedia, the free encyclopedia

Splunk is an American multinational corporation based in San Francisco, California, that produces software for searching, monitoring, and analyzing machine-generated big data, via a Web-style interface.

Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Splunk's mission is to make machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems, and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and Web analytics. As of early 2016, Splunk has over 10,000 customers worldwide.

Splunk is based in San Francisco, with regional operations across Europe, the Middle East, Africa, Asia, and Australia.

Download our FREE guide now

Speed up cyber response, incident investigations, audits and compliance checks by centralising your penetration testing and vulnerability scanning results.

Learn how you can use Splunk to:

1. Index your penetration testing and vulnerability scanning results.

2. Create dashboards in Splunk for an instant view of threats and weaknesses.

3. Search a host's entire past weaknesses.

4. Reduce cyber response delays.


Date : January 2018

File Type : PDF


No registration required

Overview of Fast Historical Threat Research

What is Fast Historical Threat Research?

It's a term we came up with for a research activity: very quickly obtaining historical security weakness data for a host, network or service that could pose a threat.

What's the benefit of having this capability in a cyber response situation?

According to IBM's Global Cost of Data Breach Study 2017, it takes on average 66 days to identify where (or how) a breach occurred before you can even begin plugging the gap. Clearly this is too long, and it does not include the several months it takes on average to find out that you have been breached at all. Knowing what your weaknesses were historically could cut the time needed to pinpoint the issues that led to the breach, because you can focus on events and data at or around the timeframes where weaknesses were recorded.

How long should it take me to research and identify weaknesses in suspected or suspicious hosts in my environment?

15 minutes or less if you are already a Splunk user and have weakness-related events indexed.


If I get penetration testing and scanning results into Splunk, will that give me a clear picture of all my vulnerabilities and weaknesses?

No. Absolutely not. For a complete picture you will need all the events from a vulnerability management programme: patch management, configuration compliance checking (against a secure build), integrity checking, anti-malware, SIEM events and so on, even security defects in in-house solutions. Scanners will miss things, and penetration testers only have limited time to check; neither method guarantees that weaknesses or patch levels will be identified. That said, you cannot rely on patch management alone either: you can have a clean bill of health and still have weaknesses, which is why a vulnerability management programme is needed. Equifax, for example, ran a scan for the Apache Struts vulnerability; it came back clean, so the announced vulnerability was dismissed as a non-issue. This is the clearest example of why scanners cannot be relied on as a replacement for patch management and, more importantly, for a vulnerability management programme.

If the penetration testing and scanning results are indexed, can other processes and procedures benefit?

Audit, compliance checks and incident management can all benefit. Once the data is in, it can be researched for any purpose and used for assurance reporting to executives and senior management.


Do you have scripts to convert penetration testing results?

No. A good penetration testing service will provide the findings in CSV or Excel format as part of the report deliverable; just ask them for it. That should make getting it into Splunk for indexing a simple cut-and-paste task. Penetration testing is normally a manual activity, so fully automating it is difficult.


Do you have scripts to convert output from hacking and scanning tools into a CSV file that I can use?

Not at this time. We are looking into whether scripts for the most popular tools are worth creating and sharing. There are literally hundreds of tools, all with different kinds of output, and many organisations with differing requirements for the tools they use.


What is the best scripting language to use to convert outputs from hacking and scanning tools?

We like Python. As a scripting language it is really the weapon of choice, with lots of great resources, books, articles and online help. It's also easy to learn.
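As an added example (not part of the guide or of any script the page offers), here is the kind of Python converter the answer above has in mind: it flattens Nmap's XML output (assumed as the scanner format; the sample below is constructed) into a CSV with one event per open port and the scan's own timestamp, so Splunk indexes each finding at the time it was observed rather than at upload time.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of Nmap -oX output (trimmed): one host, two open ports, one closed.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" start="1515369600"><host>
  <address addr="10.0.0.5" addrtype="ipv4"/>
  <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
    <port protocol="tcp" portid="443"><state state="closed"/></port>
  </ports></host></nmaprun>"""

# One flat schema for every scan source, so searches by host and port work across tools.
FIELDS = ["_time", "host", "ip", "proto", "port", "service", "product", "version", "source"]


def nmap_xml_to_rows(xml_text):
    """Return one row per open port; _time is the scan start time (ISO 8601, UTC)."""
    root = ET.fromstring(xml_text)
    scan_time = datetime.fromtimestamp(int(root.get("start", "0")), tz=timezone.utc)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else ""
        name = host.find("hostnames/hostname")
        hostname = name.get("name") if name is not None else ip
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure, so no event
            svc = port.find("service")
            svc_attrs = svc.attrib if svc is not None else {}  # service may be unidentified
            rows.append({
                "_time": scan_time.isoformat(), "host": hostname, "ip": ip,
                "proto": port.get("protocol", ""), "port": port.get("portid", ""),
                "service": svc_attrs.get("name", ""), "product": svc_attrs.get("product", ""),
                "version": svc_attrs.get("version", ""), "source": "nmap",
            })
    return rows


def rows_to_csv(rows):
    """Serialise rows as CSV with a header row, which Splunk can index directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Index the CSV with `_time` recognised as the event timestamp, so that a search scoped to a host and a time range returns that host's recorded weaknesses in the order they were found.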


What else can we index in Splunk?

Almost anything you like. If you have a risk, threat or concern, and data that could help you monitor it or report on it, simply get that information into Splunk in a format that suits; the world is your oyster.

January 2018
