Table of Contents
Introduction
Splunk in the Security Operations Center (SOC)
Understanding the Fundamentals
  Splunk’s Analytics-Driven Security Journey
  Splunk’s Security Suite
  The Security Use Cases
Embarking on Your Analytics-Driven Security Journey
  Stage 1: Collection
  Stage 2: Normalization
  Stage 3: Expansion
  Stage 4: Enrichment
  Stage 5: Automation and Orchestration
  Stage 6: Advanced Detection
Solve Common Security Challenges With the Splunk Security Operations Suite
  Incident Investigation and Forensics
    • Detect Lateral Movement With WMI
    • Identify Multiple Unauthorized Access Attempts
  Security Monitoring
    • Detect Public S3 Buckets in AWS
    • Find Multiple Infections on Host
  Advanced Threat Detection
    • Detect Connection to New Domain
    • Find Emails With Lookalike Domains
  SOC Automation
    • Automate Malware Investigations
    • Automate Phishing Investigations and Responses
  Incident Response
    • Detect New Data Exfil DLP Alerts for User
    • Identify Basic Dynamic DNS Detection
  Compliance
    • Detect New Data Exfil DLP Alerts for User
    • Find User Logged Into In-Scope System They Should Not Have
  Fraud Analytics and Detection
    • Detect Compromised User Accounts
    • Find Anomalous Healthcare Transactions
  Insider Threat Detection
    • Detect Large Web Upload
    • Detect Successful Login of Account for Former Employee
Introduction
What’s your plan for cybersecurity? Are you simply “planning for the worst, but hoping for the best”? With digital technology touching every part of our lives and new threats emerging daily, it’s imperative that your organization is precise, informed and prepared when it comes to defending your assets and hunting your adversaries. High-profile breaches, global ransomware attacks and the scourge of cryptomining are reason enough for your organization to collect, leverage and understand the right data. You’ll also need to implement the right processes and procedures, often alongside new technologies, methods and requirements, all while coping with an ever-increasing velocity and variety of machine data.

So how can you best defend your organization and hunt down new adversaries? Ultimately, by taking a holistic approach to your defense system across the enterprise. This is why Splunk believes every organization needs a security nerve center, implemented by following the six-stage security journey we describe below.