Oct.25

Sep.27

Splunk’s Major Announcements at .conf 2016

This year’s .conf event is currently being hosted by Splunk at Disney in the US. So far there have been some awesome announcements, and below are the highlights with links to the Splunk Blogs, which go into them in more detail.

  • Introducing Splunk Enterprise 6.5 – Machine Learning and Simplified Data Analysis Open New Vistas
    • Splunk Enterprise has long offered a strong array of ML commands like anomaly detection, outlier, predict and cluster that use fixed algorithms to do their work – no ML expertise required. Today, we formally introduced the Splunk ML Toolkit (v2.0 actually) – a guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.
    • Next up is Tables, a new feature that lets you create and analyze tabular data views without using SPL. Tables will make it easier for anyone to work with Splunk – even Splunk specialists – and will let you leverage your data into whole new uses and users.
    • Hadoop Data Roll gives you another way to reduce historical data storage costs while keeping full search capability. It’s now a free option of Splunk Enterprise that lets you save up to 80% storage capacity by leveraging your data lake for storing seldom-accessed data.
  • What’s new in Splunk IT Service Intelligence
    • ITSI is focused on improving the signal-to-noise ratio in IT monitoring, reducing the effort wasted sifting through vast volumes of event data by filtering, tagging and sorting events based on priority. You can quickly tag, index, enrich and add context to events in ITSI to make event management more informative and more actionable.
    • Splunk ITSI Modules include built-in data access and pre-packaged dashboards, to deliver deep, service-oriented insights into individual technology domains like application servers, databases, load balancers, operating systems, virtualization, web servers, storage, cloud services and mobile end user experience.
  • Enterprise Security 4.5 – Use Analytics-Driven Decision Making and Automation to Improve Threat Detection and Operational Efficiency
    • It provides the ability to register and configure automated or assisted response actions, enabling you to effectively leverage your existing security products (Firewall, IDS/IPS, Endpoint, Threat Intelligence, Incident Response, Identity) with Splunk ES as your central security intelligence platform.
    • You can use UI wizards and dashboards for specifying the nature of actions, categorizing actions, and receiving feedback on the status and results of actions across a wide range of entities.
    • Glass Tables includes a visual analytics framework that uses key security metrics to create custom visualizations. Glass Tables has two modes, viz., Edit mode and View mode. The Glass Tables Edit mode provides an intuitive visual editor, where you can create and modify visualizations, including security metrics searches based on data models and correlation searches. The Glass Tables View mode lets you see any visualization, which includes search results for security metrics based on data models and ad hoc searches.
  • Introducing Splunk UBA 3.0
    • Splunk UBA’s primary focus is to continue broadening its detection coverage and the latest release supports over forty machine learning models. The models are categorized as either streaming or batch. Streaming models analyze data in real-time, whereas batch models process data or compute aggregates at a scheduled interval; an example of a batch model would be as follows: identify any outliers on Active Directory data with Peer Group in consideration (Active Directory Markov-Chain Correlation Model).
    • Splunk UBA 2.3 (released at RSA) delivered the ability to write custom threats, but with Splunk UBA 3.0, custom threat detection capabilities were elevated to the next level. Not only are new threat scenarios delivered via content subscription, our threat research team delivers blueprints of new use-cases that can be customized to address customers’ needs. All-in-all, twelve to over twenty out-of-the-box threat scenarios are now available at a customer’s fingertips. These new threat scenarios range from detecting low-and-slow attacks to detecting aggressive attacks such as Remote Account Take Over with Data Exfiltration.

Those are the big ones from this year’s .conf! I encourage you to check social media and/or their blog if you would like to see what other news is coming this week from Splunk!

News

Sep.20

Splunk User Group – Edinburgh

So in partnership with Splunk and ECS I’ve started an official Splunk User Group based in Edinburgh.

It’s the only UK based user group not based in London, so we’re hoping to get a good following and hopefully build a great community of enthusiastic Splunkers!

The events are free and a ‘no sales’ space. They are very much designed for technical users of Splunk, but newbies are welcome too!

Join / Event (RSVP)

We’ll also be looking for guest speakers and people who would like to lead group discussions.

Hope to see you there!

News

Sep.05

CloudFlare, SSL & Unhealthy Security Absolutism (Troy Hunt)

Really interesting (and, in my opinion, great) article by Troy Hunt on why CloudFlare’s [free] SSL offerings are awesome!

“First and foremost, if your choices are to either run entirely unencrypted or to protect against the 95% (or thereabouts) of transport layer threats that exist between your visitors and your origin, do the sensible thing. Nobody in their right mind is going to advocate for remaining totally unencrypted rather than using CloudFlare purely to encrypt between their edge nodes and your users. There are people not in their right mind that will argue to the contrary and that’s precisely what the title of this post suggests – it’s unhealthy security absolutism.”

Source: Troy Hunt: CloudFlare, SSL and unhealthy security absolutism

Security

Jul.18

Reverse engineering DUBNIUM (Microsoft Malware Protection Center)

“In most cases, the daily operation of the DUBNIUM APT depends on social engineering through spear-phishing. They are observed to mainly rely on an .LNK file that has an icon that looks like a Microsoft Word file. If the victim clicks the file thinking it’s a Microsoft Office Word file, it downloads a simple dropper that will download and execute the next-stage binary – which in this case, has the file name of kernelol21.exe.”

Source: Reverse engineering DUBNIUM – Stage 2 payload analysis – Microsoft Malware Protection Center
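The delivery trick in the quote (a shortcut wearing a Word icon that actually launches something else) is cheap to spot on disk, because a .LNK file declares both its icon source and what it runs. Below is an added example of mine, not code from the MMPC analysis and not a DUBNIUM sample: a minimal parser for the fixed parts of the MS-SHLLINK format (header and StringData) plus a heuristic that flags shortcuts borrowing a Word/document icon while their target or arguments invoke an interpreter. The launcher list, the heuristic, the cp1252 fallback for non-Unicode strings and the two sample shortcuts built at the bottom are all my own assumptions; the actual contents of the DUBNIUM .LNK are not on this page.

```python
"""Minimal MS-SHLLINK (.LNK) parser plus a document-lure heuristic.

Added example for this post; not code from the MMPC write-up.  It reads only
the ShellLinkHeader and StringData sections, which is enough to see what a
shortcut launches and which icon it borrows.  The sample shortcuts at the
bottom are constructed here and are not DUBNIUM samples.
"""
import struct
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags (MS-SHLLINK 2.1.1), low byte only
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Interpreters a document shortcut has no business invoking (my list, not MMPC's)
LAUNCHERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta",
             "rundll32", "regsvr32", "certutil", "bitsadmin")


def parse_lnk(data: bytes) -> dict:
    """Return header flags, icon index and the StringData strings of a .LNK."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags, "icon_index": icon_index}
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            result[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                    # ANSI strings use the system code page; cp1252 assumed
            result[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return result


def looks_like_doc_lure(lnk: dict) -> bool:
    """Icon borrowed from Word or a document, but the link runs an interpreter."""
    icon = lnk.get("icon_location", "").lower()
    borrows_doc_icon = "winword" in icon or icon.endswith((".doc", ".docx"))
    launched = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
    return borrows_doc_icon and any(tool in launched for tool in LAUNCHERS)


def build_lnk(relative_path: str, arguments: str, icon_location: str, icon_index: int = 0) -> bytes:
    """Construct a small Unicode .LNK carrying only RelativePath, Arguments and IconLocation."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)

    def counted(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + counted(relative_path) + counted(arguments) + counted(icon_location)


# Constructed samples: a lure in the shape the quote describes, and an ordinary document shortcut
SAMPLE_LURE = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                        r"/c powershell -w hidden -nop -f %TEMP%\stage1.ps1",   # placeholder, not a real payload
                        r"%ProgramFiles%\Microsoft Office\Office15\WINWORD.EXE", 1)
SAMPLE_BENIGN = build_lnk(r"..\Reports\Q3.docx", "",
                          r"%ProgramFiles%\Microsoft Office\Office15\WINWORD.EXE", 1)

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        info = parse_lnk(blob)
        print(label, "->", "SUSPICIOUS" if looks_like_doc_lure(info) else "ok", info)
```

The benign shortcut also points its icon at WINWORD.EXE, so the icon alone is not the signal; the heuristic only fires when the icon claim and the launched command disagree. Real samples usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their declared sizes rather than interpreting, so a full-fidelity tool would still want to decode the IDList target as well.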

Security