Scenario: A global pandemic has forced all your employees to switch to working from home. Now, with so many employees working on their home networks, instead of the corporate network, you are concerned about data security. Additionally, the alerts you had previously configured, such as those for unusual login times, are firing constantly as people's work habits have changed. You need to realign your organization's security policies and practices with these new circumstances.
How Splunk software can help
You can use Splunk software to create new baselines, You can then use this data to establish new alerts, monitoring, and reporting that fit with a home-based workforce.
What you need
To succeed in implementing this use case, you need the following dependencies, resources, and information.
The best person to implement this use case is a CISO, director of security operations, or security analyst who is familiar with safeguarding an organization with a remote workforce. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.
Depending on the maturity of your organization's security posture and whether you previously had remote employees, establishing safeguards for an organization with a remote workforce can take between a few days and a few weeks.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
- Remote Work Insights - Executive Dashboard
How to use Splunk software for this use case
You can run many searches with Splunk software to safeguard an organization with a remote workforce. Depending on what information you have available, you might find it useful to develop some or all of the following:
- New baselines for logons
- New baselines for network traffic
- Updated phishing investigations
- Remote logons to hosts
As the habits of your organization's employees continue to evolve, the need to correlate events, rather than looking at them independently, will become more important because what was suspicious before might not be now.
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Determining whether to have split tunnel or full tunnel VPN
- Establishing two-factor authentication for your VPN
- Updating or enhancing password policies
- Establishing or improving monitoring of your cloud services
- New methods of team collaboration and communication
- Identification of experts for new types of log data
These additional Splunk resources might help you understand and implement this use case: