Creating an action plan from an insider threat workshop
In this part of the Insider Threat Workshop you document the workshop findings and present them to key stakeholders, including the outcomes and recommendations for the selected insider threat use cases. Discuss next steps, remaining gaps, and potential areas for improvement.
This Insider Threat Workshop is available as a 5-day engagement with Splunk Professional Services. If you do not feel comfortable completing this workshop on your own, or would like hands-on training with any of the concepts and processes included in this offering, contact our Professional Services experts.
Roadmap and enablement
Review the use cases you have selected, as well as your team's ability to administer, maintain, and upgrade the systems and data sources needed to run those use cases. Ensure that your team knows how to administer Splunk Enterprise Security and the risk rules you want to set up.
Final presentation, expected outcomes, and recommendations
Use the following report template to put together your Insider Threat Workshop solution.
Insider Threat Workshop Solution Design Document Template
After delivering this report, review the identified insider threat use cases, grouped by the data sources and enrichment they require, together with the recommendations for your Enterprise Security risk-based alerting (RBA) deployment, and prioritize use case implementation based on the data sources already onboarded. Implementing each insider threat use case follows the development process summarized below and can be resourced with a combination of internal staff and consulting resources.
1. Using existing data sources, validate the theory of the use case in your environment as a Splunk search.
2. Revise and repeat until you reach an acceptable signal-to-noise ratio: one the SOC can manage within the SLA for an event of the stated urgency.
3. Examine the fields and verify that the information presented is informative and requires minimal additional searching by the analyst.
4. Implement the search in Splunk Enterprise Security with a default status of ‘Closed’.
5. Identify false positives or legitimate activity in the results of the correlation search; return to step 1 to improve the signal-to-noise ratio.
6. Develop a response plan or knowledge article that tells the analyst how to triage and respond, and add these steps to the ‘next steps’ field in the ES correlation search editor.
7. Evaluate the number of events over a seven-day period to baseline activity.
8. Update the search to a default status of ‘New’ and operationalize the response within the SOC.
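The following Python is an added example, not part of the workshop or of Splunk's tooling: it models the tuning, baselining and promotion gate of the process above offline. The sample rows, the hypothetical "bulk file copy to removable media" search they represent, the `files_copied` field, the allowlisted `backup_svc` account and the SOC capacity figure are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

BASELINE_START = date(2024, 1, 1)  # constructed start of the seven-day window

def day_n(offset):
    """Day N of the baseline window."""
    return BASELINE_START + timedelta(days=offset)

@dataclass(frozen=True)
class Hit:
    day: date          # day the candidate search returned this row
    user: str
    files_copied: int  # hypothetical field from the data source

# Constructed sample rows from the candidate search, before any tuning.
SAMPLE_HITS = [
    Hit(day_n(0), "alice", 420), Hit(day_n(0), "backup_svc", 9000),
    Hit(day_n(1), "bob", 35), Hit(day_n(1), "backup_svc", 9100),
    Hit(day_n(2), "backup_svc", 8900),
    Hit(day_n(3), "carol", 1200), Hit(day_n(3), "backup_svc", 9050),
    Hit(day_n(4), "backup_svc", 9000),
    Hit(day_n(5), "dave", 250), Hit(day_n(5), "backup_svc", 9000),
    Hit(day_n(6), "alice", 610), Hit(day_n(6), "backup_svc", 9000),
]

# Step 5: legitimate activity confirmed during review (assumed service account).
ALLOWLIST = {"backup_svc"}

def tune(hits, allowlist, min_files):
    """Steps 1, 2 and 5: exclude known-legitimate accounts and raise the threshold."""
    return [h for h in hits if h.user not in allowlist and h.files_copied >= min_files]

def daily_counts(hits, start=BASELINE_START, days=7):
    """Step 7: events per day across the baseline window, keeping zero days."""
    window = [start + timedelta(days=i) for i in range(days)]
    counts = Counter(h.day for h in hits if h.day in window)
    return {d: counts.get(d, 0) for d in window}

def ready_for_new(baseline, soc_events_per_day):
    """Step 8 gate: promote to 'New' only if the busiest day fits SOC capacity."""
    return max(baseline.values()) <= soc_events_per_day

if __name__ == "__main__":
    tuned = daily_counts(tune(SAMPLE_HITS, ALLOWLIST, min_files=100))
    print(tuned, "ready for 'New':", ready_for_new(tuned, soc_events_per_day=1))
```

Running it untuned (no allowlist, threshold 0) shows the same search failing the capacity gate, which is the signal the loop in step 5 is meant to surface before the rule reaches analysts.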
Congratulations, you have completed the Insider Threat Workshop! Remember that you can return to this workshop, or parts of it, at any time if your organizational needs, systems, or data sources change.