Scenario: You work for a university at which students, and sometimes faculty, use the network to distribute content illegally. By law, you are required to pass on notification of infringement of the Digital Millennium Copyright Act (DMCA) to the end user in violation. If you don’t pass on the notices, the university might become liable for the copyright infringement and owe damages to the reporting party. However, identifying the end user can be a challenge due to network authentication and network address translation. You want to use Splunk software to speed up the processing of DMCA notices. When provided with the date, time, and public IP address of the violation, your investigators can use Splunk software to determine which network user committed the violation.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
How to use Splunk software for this use case
You can run many searches with Splunk software to determine who violated the DMCA and serve notice. Depending on what information you have available, you might find it useful to identify some or all of the following:
- Machine leasing an IP address at a particular point in time
- Device owner identified using a MAC address
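The correlation those searches perform, shown as an added Python example that is not code from the page or from Splunk: given the public IP, source port and UTC time from a notice, walk NAT translation records to the private IP, then DHCP leases to the MAC that held that IP at that moment, then a device-registration table to the user. The log formats, addresses and names are constructed for the example; the point-in-time lease lookup and the need for the notice's source port behind NAT are the parts a real search must get right.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not from the page). NAT records map a public IP:port to a
# private IP for a time window; DHCP ACKs map a private IP to a MAC for the lease
# period; MAC_OWNERS maps a MAC to the user who registered the device.
NAT_LOG = [
    "2024-03-05T14:00:00Z nat pub=203.0.113.7:40001 priv=10.20.30.40 end=2024-03-05T14:30:00Z",
    "2024-03-05T14:20:00Z nat pub=203.0.113.7:40002 priv=10.20.30.41 end=2024-03-05T15:00:00Z",
]
DHCP_LOG = [
    "2024-03-05T13:00:00Z dhcpd DHCPACK on 10.20.30.40 to aa:bb:cc:dd:ee:01 lease=7200",
    "2024-03-05T13:30:00Z dhcpd DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:02 lease=7200",
    "2024-03-05T15:10:00Z dhcpd DHCPACK on 10.20.30.40 to aa:bb:cc:dd:ee:03 lease=7200",
]
MAC_OWNERS = {"aa:bb:cc:dd:ee:01": "student1", "aa:bb:cc:dd:ee:02": "student2",
              "aa:bb:cc:dd:ee:03": "student3"}

def ts(s):
    """Parse an ISO-8601 UTC timestamp; notices arrive in the reporter's zone, so normalise first."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def private_ip_at(public_ip, port, when):
    """Private IP that held public_ip:port at `when`. Behind NAT the public IP alone is
    shared by many hosts, so the notice's source port is needed to pick one translation."""
    for line in NAT_LOG:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        if fields["pub"] == f"{public_ip}:{port}" and ts(parts[0]) <= when <= ts(fields["end"]):
            return fields["priv"]
    return None

def mac_at(private_ip, when):
    """MAC leasing private_ip at `when`: the latest DHCPACK at or before `when` whose lease
    still covered it. The same IP is handed to different devices over a day, so this is
    a point-in-time lookup, not a simple 'latest lease for this IP' join."""
    best = None
    for line in DHCP_LOG:
        parts = line.split()
        start, ip, mac = ts(parts[0]), parts[4], parts[6]
        lease = timedelta(seconds=int(parts[7].split("=")[1]))
        if ip == private_ip and start <= when <= start + lease and (best is None or start > best[0]):
            best = (start, mac)
    return best[1] if best else None

def identify_user(public_ip, port, when_str):
    """Chain NAT -> DHCP -> device owner for the public IP, port and time given in a notice."""
    when = ts(when_str)
    priv = private_ip_at(public_ip, port, when)
    mac = mac_at(priv, when) if priv else None
    return {"private_ip": priv, "mac": mac, "user": MAC_OWNERS.get(mac) if mac else None}
```

A notice whose time falls outside every NAT window, or outside every lease for the translated private IP, resolves to `None` rather than to the nearest guess, which is the behaviour you want before serving notice on someone.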
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to investigate request: The average time it takes an analyst to complete the investigation stage of the notification process
- Monthly requests processed: The total number of requests that were fully processed within a month
- Monthly monetary value of risk avoided: The number of requests processed per month multiplied by the average dollar value of risk avoided per notice
In addition, these two processes commonly affect success with this use case and should be reviewed for effectiveness:
- Communicating the notices to the investigator
- Notifying the violator after an identity has been established