To facilitate team member collaboration, your organization uses cloud-based code collaboration and version control for sharing computer program source code and associated documentation. This system allows for sharing but also introduces the potential of intellectual property loss via data exfiltration through a systems breach or insider threat. You need some fundamental procedures for detecting behavior that could be indicative of data exfiltration or any other security risk to your source code.
How to use Splunk software for this use case
You can use Splunk software to monitor who accesses specific GitHub repositories, what actions they take in those repositories, and how their activities compare to those of their peers. You can identify first-time access to repos and compare what is accessed with the role and responsibilities of the identity making the access. Finally, you can use Splunk software for statistical analyses like frequency, patterns of access, and time of day information.
To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.
Some of the detections that can help you with this use case include:
To maximize their benefit, the searches above likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Identity management with roles, responsibilities, teams, and current project assignments to aid in identifying anomalous access from inside.
Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Access counts by user to detect anomalous patterns
- Count of downloads to detect anomalous increases
Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.