Scenario: You work for a university at which students, and sometimes faculty, use the network to distribute content illegally. By law, you are required to pass on notification of infringement of the Digital Millennium Copyright Act (DMCA) to the end user in violation. If you don’t pass on the notices, the university might become liable for the copyright infringement and owe damages to the reporting party. However, identifying the end user can be a challenge due to network authentication and network address translation.
How Splunk software can help
You can use Splunk software to speed up the processing of DMCA notices. When provided with the date, time, and public IP address of the violation, an investigator can use Splunk software to determine which network user committed the violation.
What you need
The following technologies, data, and integrations are useful in successfully implementing this use case.
The best person to implement this use case is a security analyst who is familiar with network data sources. If you also have a security tools engineer who is familiar with setting up Splunk dashboards and input panels, you can speed up the process further. These people might come from your team, a Splunk partner, or Splunk onDemand Services.
Processing a DMCA notice using Splunk software can last from 1 to 5 minutes.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
- DHCP data
- Network authentication data
How to use Splunk software for this use case
You can run many searches with Splunk software to determine who violated the DMCA and serve notice. Depending on what information you have available, you might find it useful to identify some or all of the following:
- A machine that leased an IP address at a particular time
- The owner of a device that used a certain MAC address
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. Two processes commonly impact success with this use case:
- Communicating the notices to the investigator
- Notifying the violator after an identity has been established
How to assess your results
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to investigate request: The average time it takes an analyst to complete the investigation stage of the notification process
- Monthly requests processed: The total number of requests that were fully processed within a month
- Monthly monetary value of risk avoided: The number of requests processed per month x average $$ of risk for notice