Conducting an insider threat workshop in your organization
Conducting an insider threat workshop can empower your team to:
- proactively monitor and detect insider threats using the MITRE ATT&CK Engenuity Insider Threat TTP Knowledge Base
- map these techniques to security detections in the Splunk Security Essentials app, which strengthens an insider threat program in several ways:
  - Comprehensive coverage
  - Prioritization of detections
  - Contextual awareness
  - Benchmarking and maturity assessment
The workshop, as outlined in this guide, is focused on developing recommended insider threat use cases in Splunk Enterprise Security and on enhancing these use cases with risk-based alerting (RBA). The key objective is to help you detect, mitigate, and emulate insider actions on IT systems and stop them. The intended outcome is a solution design document (including RBA maturity documentation) with related recommendations that will be fulfilled during an implementation phase. Note that implementation is out of the scope of this guide.
This self-led workshop is appropriate for you if you:
- are in the early phases of the RBA maturity curve
- have staff available to work insider threat alerts
- have technical stakeholders who are familiar with your business processes, architecture, and system configurations, and who will be available for questions as necessary
- have ensured that role-based access control requirements have been thoroughly vetted
This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.
Prerequisites
System prerequisites
- Splunk platform implemented and configured (Splunk Enterprise or Splunk Cloud Platform) version 8.2+
- Splunk Enterprise Security (ES) 6.4+ implemented and configured
- ES search head or a dedicated stack with dual forwarding capabilities
- ES search head with latest version of the Splunk Security Essentials app installed (or ability to be installed)
- ES search head with latest version of the Splunk App for Lookup File Editing installed (or ability to be installed)
Environment prerequisites
- Data sources should be onboarded and CIM compliant
- RBA should not be implemented yet, or should be in its early phases
- ES assets and identities framework should be implemented
Phases
Discovery and design: Selecting insider threat use cases for your organization
In this phase you will conduct a kickoff to align on goals and objectives. You will identify requirements with your stakeholders by:
- Gathering information about your security operations center, workflows, and teams.
- Discussing short-term and long-term monitoring goals, pain points, and critical assets/users.
- Conducting guided conversations about other use cases and the monitoring goals of an insider threat program.
- Using multiple frameworks to map coverage progress and enrichment requirements to RBA rules that can be developed.
RBA planning: Analyzing your organization's adoption of risk-based alerting
In this phase you will build a plan for implementation of initial risk-based alerting (RBA) use cases in your Splunk Enterprise Security environment. You will create a plan with documented steps for recommended RBA enhancements, or an RBA implementation if you are not currently using RBA, by:
- Identifying your security monitoring requirements and mapping them to current risk rule coverage
- Assessing effectiveness of risk notables by reviewing current baselines and contributing risk rules
- Assessing completeness and effectiveness of assets and identities
- Reviewing applicable data sources to ensure they are onboarded and CIM compliant
- Reviewing and ensuring current risk rules are configured correctly
- Ensuring RBA-related dashboards and investigative workflows are populating correctly
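As an added example (not part of this guide or of Splunk Enterprise Security itself), the following SPL search supports the risk notable assessment step above. It assumes your risk rules write to the default risk index with the standard ES risk event fields (risk_object, risk_object_type, risk_score, search_name), and the thresholds of 100 total risk or 3 distinct contributing rules are illustrative values, not your environment's configured risk incident rule settings:

```spl
index=risk earliest=-7d
| stats sum(risk_score) as total_risk
        dc(search_name) as distinct_rules
        values(search_name) as contributing_rules
        count as risk_events
        by risk_object risk_object_type
| eval would_notable=if(total_risk>=100 OR distinct_rules>=3, "yes", "no")
| sort - total_risk
```

Risk objects that reach the threshold from a single noisy rule, or that accumulate score with no corroborating rules, point to risk scores or baselines that need tuning before the use cases are expanded.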
Current state: Assessing your organization's current state of insider threat awareness
In this phase you will run a discovery and planning session that applies the existing use case advisory methods for Splunk Enterprise Security. This includes:
- Reviewing your data sources
- Using the Splunk Security Essentials app to review use case coverage and data availability to support selected detections from the use case repository.
Documentation: Creating an action plan from an insider threat workshop
In this phase you will create advisory report documentation that you will then use to report on your workshop findings to key stakeholders. This includes:
- Reviewing your roadmap and enablement plan
- Developing and presenting your report, which includes expected outcomes and recommendations