Skip to main content
Registration for .conf24 is open! Join us June 11-14 in Las Vegas.
 
 
 
Splunk Lantern

Identifying non-defensible networks with Splunk

 

Having a complete asset and identity network inventory is the first step in creating a defensible network. Knowing which identities are assigned or have access to a particular resource helps cyber defenders and assists incident responders when creating a list of who is supposed to be on the network. This article discusses how to maintain your current inventory and explores techniques to find rogue machines.

Taking inventory

There are several ways to find assets and identities in Splunk Enterprise Security. The most popular is by navigating to Security Domains > Identity and then either Asset Center or Identity Center, depending what is being investigated.

es_assets.png

Scanning for success

A common method for finding assets on a network is to scan it. There are many vendor tools that provide scanning capabilities and the more advanced tools provide a traffic analysis to give analysts deeper insights into data. In addition to vendor tools, there are several open source tools such as Network Mapper, also called Nmap, which is widely available across operating systems including Windows, Linux, and macOs. An equivalent tool with a graphical user interface called Zenmap is also available. After those scan results are ingested into Splunk Enterprise Security, IP addresses and, depending on the Nmap scan settings, host information can be processed. The image below shows a typical output of a discovery scan.

nmap-scan-results-splunk.png

Strategies for finding non-standard assets

Depending on your organization's policy for allowing personal hypervisors such as VMware Workstation, Microsoft Hyper-V, and Oracle VM VirtualBox, there may be hundreds, if not thousands, of these unsanctioned machines running at various times. Since every network adapter has a unique identifier known as a MAC address, you can employ advanced network scanning products to search for them. After you find them, you can add these machines to a report for further analysis. An investigator can correlate these results to certain network segments and possibly identify the location in a building or remote location of your organization.

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you require assistance.