Implementing security use cases in the Splunk platform
Implementation guide
The following image shows the security data journey in the Splunk Security Essentials application. Stages 1 to 4 use the core Splunk platform to build foundational search and investigation capabilities. Stages 5 and 6 rely on additional Splunk products, such as Splunk SOAR, Splunk Enterprise Security and Splunk User Behavior Analytics, on top of the platform.
1. Collection
This stage focuses on foundational functionality of the Splunk platform: collecting the data, metrics, or events generated by key components of your security infrastructure. A defensible security posture, or regulatory compliance, requires moving critical activity logs to a separate system where an attacker who compromises the source host cannot easily tamper with them. This also gives a security analyst the data necessary to perform basic investigations. At this early stage in security adoption, the best practice is to capture data in four primary categories:
- Network. Visibility into network traffic is critical for any security team. At this early stage, the priority is to see what types of traffic are entering and exiting your network. It’s critical to see permitted traffic as well as communication attempts that have been blocked.
- Endpoint. Endpoint logs complement network visibility to give insight into malicious activities such as malware execution, an insider performing an unauthorized activity, or an attacker dwelling in your network. It’s important to capture this data from both servers and workstations, and from all operating systems (Windows, Linux, macOS, etc.).
- Authentication. Authentication logs can tell you when users are accessing your systems and applications, and from where. Since most successful attacks eventually include the use of valid credentials, this data is critical in helping to tell the difference between a valid login and an account takeover.
- Web Activity. Many attacks start with a user visiting a malicious website or end with valuable data being exfiltrated to a site that the attacker controls. Visibility into who is accessing what sites and when is critical for investigation.
2. Normalization
In this stage you'll begin implementing a Security Operations Center (SOC) to track systems and users on your network, and to consume a larger selection of detection mechanisms from vendors and the community. Even if you don’t plan to stand up a formal SOC, normalized data will streamline investigations and improve the effectiveness of an analyst.
At this stage, you map your data properly to the Common Information Model (CIM). This ensures that fields representing common values such as source IP address, port, or username have consistent naming conventions, regardless of the device that created the event. This allows you to start consuming detection mechanisms from many sources and to begin to scale the capabilities of your security team.
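To make the normalization point concrete, the following added example (written for this page, not code from Splunk or Splunk Security Essentials) does in Python what CIM field aliases and extractions in props.conf do inside the platform: it takes a constructed Windows Security event and a constructed Linux sshd line, maps both to the CIM Authentication field names (action, user, src, dest, app), checks that no required field is empty, and then runs one detection over the normalized events. The sample log lines, sourcetype names, and the normalizer selection table are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample events (not real logs): the same failed login for the same
# user and source as reported by two different systems, plus one success.
RAW_EVENTS = [
    ("WinEventLog:Security",
     "EventCode=4625 Account_Name=jdoe Source_Network_Address=10.0.0.5 "
     "ComputerName=WS01 Logon_Type=10"),
    ("linux_secure",
     "Jan 12 10:14:03 srv01 sshd[2201]: Failed password for jdoe "
     "from 10.0.0.5 port 51422 ssh2"),
    ("linux_secure",
     "Jan 12 10:15:40 srv01 sshd[2210]: Accepted publickey for alice "
     "from 10.0.0.9 port 51430 ssh2"),
]

# Field names from the CIM Authentication data model that every normalized
# event must carry, whatever produced it.
CIM_AUTH_FIELDS = ("action", "user", "src", "dest", "app")


def normalize_windows_security(raw):
    """Map a key=value style Windows Security event to CIM field names."""
    kv = dict(re.findall(r"(\w+)=(\S+)", raw))
    outcome = {"4624": "success", "4625": "failure"}
    return {
        "action": outcome.get(kv.get("EventCode"), "unknown"),
        "user": kv.get("Account_Name"),
        "src": kv.get("Source_Network_Address"),
        "dest": kv.get("ComputerName"),
        "app": "win:security",
    }


SSHD_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def normalize_sshd(raw):
    """Map a syslog-style sshd line to the same CIM field names."""
    m = SSHD_RE.match(raw)
    if m is None:
        return None  # not an authentication outcome line
    return {
        "action": "success" if m["result"] == "Accepted" else "failure",
        "user": m["user"],
        "src": m["src"],
        "dest": m["host"],
        "app": "sshd",
    }


# Stand-in for per-sourcetype props.conf stanzas (assumed sourcetype names):
# the normalizer is chosen by sourcetype, so detections never see raw layouts.
NORMALIZERS = {
    "WinEventLog:Security": normalize_windows_security,
    "linux_secure": normalize_sshd,
}


def normalize_all(raw_events):
    events = []
    for sourcetype, raw in raw_events:
        event = NORMALIZERS[sourcetype](raw)
        if event is not None:
            event["sourcetype"] = sourcetype
            events.append(event)
    return events


def cim_gaps(events):
    """Return (sourcetype, missing_field) pairs: a CIM-compliance check to run
    before trusting any detection that depends on those fields."""
    return sorted(
        {(e["sourcetype"], f) for e in events for f in CIM_AUTH_FIELDS if not e.get(f)}
    )


def failed_logins(events):
    """A detection written once against CIM fields: failures per (user, src),
    regardless of which system reported them."""
    return Counter((e["user"], e["src"]) for e in events if e["action"] == "failure")


if __name__ == "__main__":
    normalized = normalize_all(RAW_EVENTS)
    print("CIM gaps:", cim_gaps(normalized))
    for (user, src), n in failed_logins(normalized).items():
        print(f"{n} failed logins for {user} from {src}")
```

The detection sees two failures for the same user and source even though one came from a Windows workstation and the other from a Linux server; without normalization it would have to know both raw layouts. The cim_gaps check is the part practitioners most often skip: a new sourcetype that leaves user or src empty silently drops out of every detection that filters on those fields.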
3. Expansion
Moving beyond foundational data sources, ingesting additional types of data into your Splunk environment unlocks a rich set of detection capabilities.
- Network. Experienced threat hunters rely on DNS query logs, alongside the richer endpoint data described next, to uncover and track adversaries dwelling in your network.
- Endpoint. Rich endpoint telemetry that captures process creation, file changes, registry modifications, network connections, and more provides a clear history of critical events occurring on an endpoint.
4. Enrichment
Machine data is important, but high performing security teams enrich their data with other internal and external sources. A wealth of contextual and investigative knowledge including threat intelligence feeds, open source intelligence (OSINT) sources, and internally sourced information allows your security personnel to extract more value from the data you are collecting to detect security events and incidents sooner.
Splunk platform native enrichment
- IP Geolocation (Maxmind etc.)
- Lookup tables
- DNS
- Asset management
- HR system
- Authentication Data
Splunk Enterprise Security / Splunk SOAR enrichment
- Threat Intelligence Management (TruStar, VirusTotal etc.)
- Attack Analyzer (Twinwave etc.)
- IP Geolocation (Maxmind etc.)
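The following added example (written for this page, not code from Splunk) shows the platform-native enrichment pattern in Python: lookup tables in the CSV form Splunk lookup files take, joined to already-normalized CIM Authentication events, which in the platform would be done with the lookup command or LOOKUP- stanzas in props.conf. The asset inventory, identity (HR) table, threat intelligence indicator list, and the events themselves are constructed for the example; the detection rules at the end are illustrative, not Splunk's.

```python
import csv
import io

# Constructed lookup tables (not real data), in CSV form as Splunk lookup files.
ASSETS_CSV = """ip,nt_host,owner,priority,category
10.0.0.5,WS01,jdoe,low,workstation
10.0.0.20,DC01,it-ops,critical,domain_controller
"""

# Internally sourced identity data, e.g. exported from an HR system.
IDENTITIES_CSV = """identity,department,employment_status
jdoe,finance,active
mallory,contractor,terminated
"""

# Indicator list as it might arrive from a threat intelligence feed.
THREAT_INTEL_CSV = """ip,source,description
203.0.113.7,osint-feed,known scanner
"""

# Already-normalized CIM Authentication events (constructed).
EVENTS = [
    {"action": "success", "user": "jdoe", "src": "10.0.0.5", "dest": "DC01"},
    {"action": "success", "user": "mallory", "src": "203.0.113.7", "dest": "DC01"},
]


def load_lookup(csv_text, key):
    """Load a CSV lookup into a dict keyed on one column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}


ASSETS_BY_IP = load_lookup(ASSETS_CSV, "ip")
ASSETS_BY_HOST = load_lookup(ASSETS_CSV, "nt_host")
IDENTITIES = load_lookup(IDENTITIES_CSV, "identity")
THREAT_IPS = load_lookup(THREAT_INTEL_CSV, "ip")


def enrich(event):
    """Attach asset, identity and threat context without altering the original
    fields; missing context is marked "unknown" rather than dropped."""
    out = dict(event)
    asset = ASSETS_BY_HOST.get(event.get("dest"), {})
    out["dest_priority"] = asset.get("priority", "unknown")
    out["dest_category"] = asset.get("category", "unknown")
    src_asset = ASSETS_BY_IP.get(event.get("src"), {})
    out["src_owner"] = src_asset.get("owner", "unknown")
    ident = IDENTITIES.get(event.get("user"), {})
    out["user_status"] = ident.get("employment_status", "unknown")
    out["user_department"] = ident.get("department", "unknown")
    intel = THREAT_IPS.get(event.get("src"))
    out["threat_match"] = intel["description"] if intel else None
    return out


def findings(events):
    """Detections that only become possible once context is attached.
    Returns (user, src, reasons) for each event that matches at least one."""
    hits = []
    for e in map(enrich, events):
        reasons = []
        if e["action"] == "success" and e["user_status"] == "terminated":
            reasons.append("terminated account logged in")
        if e["threat_match"]:
            reasons.append(f"source matches threat intel: {e['threat_match']}")
        if e["dest_priority"] == "critical" and e["src_owner"] == "unknown":
            reasons.append("login to critical asset from unknown source")
        if reasons:
            hits.append((e["user"], e["src"], reasons))
    return hits


if __name__ == "__main__":
    for user, src, reasons in findings(EVENTS):
        print(f"{user} from {src}: " + "; ".join(reasons))
```

Neither raw event is suspicious on its own: both are successful logins to a domain controller. Only the joined context (employment status, asset priority, indicator match) separates the routine one from the one an analyst needs to see, which is why enrichment belongs in the pipeline rather than in the analyst's head.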
5. Automation and orchestration
Mature organizations continuously monitor their environment for alerts, and triage and respond to threats in a consistent, repeatable, and measurable way. Stage 5 maturity provides the ability to track incidents, measure analyst effectiveness, and take action according to prescribed playbooks. You can automate simple response actions and combine them into more sophisticated orchestration.
6. Advanced detection
Find anomalous behavior and unknown threats by applying machine learning, data science, and advanced statistics to analyze the users, endpoint devices, and applications in your environment.
- Splunk Enterprise Security / Splunk Mission Control
- Splunk User Behavior Analytics
- Risk-based alerting (RBA)
- Splunk native machine learning (MLTK, etc.)
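Risk-based alerting is the least self-explanatory item in that list, so the following added example (written for this page, not Splunk's own RBA implementation) shows the mechanism in Python: detections write low-value risk events against an entity instead of alerting individually, and one notable is raised when an entity's aggregated risk over a window crosses a score threshold or spans several distinct techniques. The risk events, the 24-hour window, the threshold of 80 and the three-technique rule are constructed assumptions. It also handles one failure mode a first RBA deployment usually hits: a single noisy rule firing repeatedly for the same entity, which this version counts once per window so that repetition alone cannot trigger a notable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed risk events (not real data): what individual risk rules would
# write to a risk index instead of raising an alert each time they fire.
RISK_EVENTS = [
    {"time": "2024-01-12T09:00:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 20, "rule": "Multiple failed logins", "mitre": "T1110"},
    {"time": "2024-01-12T09:40:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 30, "rule": "Login from new country", "mitre": "T1078"},
    {"time": "2024-01-12T11:05:00", "risk_object": "jdoe", "risk_object_type": "user",
     "risk_score": 40, "rule": "Suspicious PowerShell", "mitre": "T1059.001"},
    # One noisy rule firing four times for alice: a naive sum would reach 80.
    *[{"time": f"2024-01-12T10:{m:02d}:00", "risk_object": "alice", "risk_object_type": "user",
       "risk_score": 20, "rule": "Multiple failed logins", "mitre": "T1110"}
      for m in (0, 5, 10, 15)],
    # Older high-scoring event for alice that falls outside the window.
    {"time": "2024-01-10T08:00:00", "risk_object": "alice", "risk_object_type": "user",
     "risk_score": 60, "rule": "Suspicious PowerShell", "mitre": "T1059.001"},
]

NOW = datetime(2024, 1, 12, 12, 0, 0)  # assumed evaluation time for the sample
WINDOW = timedelta(hours=24)
RISK_THRESHOLD = 80       # summed risk that raises a notable (assumed)
MIN_DISTINCT_TTPS = 3     # or this many distinct techniques, whatever the sum


def entity_risk(events, now, window=WINDOW):
    """Sum risk per entity over the window, counting each rule once (its
    highest score) so one noisy rule cannot cross the threshold by itself.
    raw_score keeps the naive sum for comparison."""
    cutoff = now - window
    per_entity = defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if cutoff <= t <= now:
            per_entity[(e["risk_object_type"], e["risk_object"])].append(e)
    summary = {}
    for key, evs in per_entity.items():
        best_per_rule = {}
        for e in evs:
            best_per_rule[e["rule"]] = max(best_per_rule.get(e["rule"], 0), e["risk_score"])
        summary[key] = {
            "risk_score": sum(best_per_rule.values()),
            "raw_score": sum(e["risk_score"] for e in evs),
            "rules": sorted(best_per_rule),
            "ttps": sorted({e["mitre"] for e in evs}),
        }
    return summary


def risk_notables(events, now, threshold=RISK_THRESHOLD, min_ttps=MIN_DISTINCT_TTPS):
    """Raise one notable per entity whose aggregated risk is high enough,
    carrying the contributing rules and techniques for the analyst."""
    notables = []
    for (otype, obj), s in sorted(entity_risk(events, now).items()):
        if s["risk_score"] >= threshold or len(s["ttps"]) >= min_ttps:
            notables.append({"risk_object_type": otype, "risk_object": obj, **s})
    return notables


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS, NOW):
        print(f"{n['risk_object_type']} {n['risk_object']}: score {n['risk_score']} "
              f"(raw {n['raw_score']}), rules {n['rules']}, TTPs {n['ttps']}")
```

With these inputs jdoe produces a single notable backed by three different rules and techniques, which is the behaviour RBA is meant to surface, while alice, whose raw sum of 80 comes entirely from one rule repeating, stays below the threshold. Tuning the per-rule scores, the window and the threshold against your own alert volume is the real work of an RBA rollout; the aggregation itself is this small.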
Success measurement
When implementing the guidance in this adoption guide, you should see improvements in the following:
- Customer Experience
- Mean Time To Detect (MTTD)
- Mean Time to Respond (MTTR)
- Service Level Objectives (SLO)
- Service Level Agreements (SLA)