Selecting security use cases for the Splunk platform
A variety of effective security use cases that require only the core Splunk platform can be found in the Splunk Security Essentials app and in the use cases linked in this article.
Security monitoring
Security monitoring processes enable you to analyze a continuous stream of near-real-time data for threats and other potential security issues. Data sources for monitoring include network and endpoint systems, as well as cloud services, data center systems, and applications. The Splunk platform enables security teams to detect and prioritize threats found in the stream of data from these sources. Related use cases include:
- Managing firewall rules
- Monitoring badges for facilities access
- Monitoring for network traffic volume outliers
- Monitoring major cloud service providers
- Monitoring security events with Enterprise Security and Microsoft Copilot for Security
- Securing a work-from-home organization
- Securing medical devices from cyberattacks
- Using contentctl to speed up your SOC
- Validating endpoint privilege security with CyberArk EPM
Incident management
Security incidents can occur without warning and often go undetected long enough to pose a serious threat to an organization. By the time security teams become aware of an issue, there is a good chance the damage has already been done. Splunk software provides security teams with a "single source of truth" for all time-stamped machine data in a computing environment. This helps them drive better and faster security investigations, reducing the chance of a threat going undetected for extended periods.
Compliance
In nearly all environments there are regulatory requirements in one form or another, especially when dealing with GDPR, HIPAA, PCI, and SOX, and even common guidelines that aren't considered true compliance, such as the 20 CIS Critical Security Controls. Organizations need to stay ahead of ever-evolving regulations, policies, and business risks while reducing time, errors, and costs with an analytics-driven, proactive approach to compliance. The following use cases show ways of solving compliance challenges with Splunk solutions:
- Analyzing AWS service action errors
- Automating Know Your Customer requirements
- Complying with the HIPAA Security Rule for ePHI
- Complying with the Markets in Financial Instruments Directive II
- Defining and detecting Personally Identifiable Information (PII) in log data
- Detecting unencrypted web communications
- Identifying new Windows local admin accounts
- Knowing your financial services customer
- Monitoring consumer bank accounts to maintain compliance
- Monitoring NIST SP 800-53 rev5 control families
- Processing DMCA notices
- Recognizing improper use of system administration tools
- Running common General Data Protection Regulation compliance searches
Visualizations and reporting
A well-configured visualization or report should let you see which threats and incidents are trending up or down. You should be able to produce and present current results and trends in order to review incidents, assess your security posture, and make better decisions. Viewing trends through a single pane of glass is a powerful tool for both analysts and managers, helping to reduce dwell time and resolution time while providing real-time insights.
Anomaly detection
Tools that analyze behavior on your network and use machine learning to find anomalies in that behavior can notify you of potential threats. Where it could take a human days or weeks to find anomalies, machine learning algorithms can surface this behavior in near real time. Augmenting your SIEM with behavior analysis deepens your security capabilities by detecting and resolving threats such as lateral movement, unknown threats, and data exfiltration.
Threat hunting
Advanced and sophisticated threats can get past traditional and automated cybersecurity defenses, or can be overlooked by tier 1 and tier 2 analysts. Establishing a successful threat hunting program depends on the quality of your environment's data and on your ability to surface insights that day-to-day correlation activity generally does not reveal. Security teams need to conduct investigations and threat hunting across the entire attack surface from a single tool. Data that is easily collected, normalized, accessed, and analyzed provides valuable clues for your team's threat hunters to chase down threats.