We recently delivered a presso that described how DotSec has used Splunk for a number of interesting projects. (In preparing the presso, I was a bit shocked to discover that we’ve actually been using Splunk now for over 12 years! Fun times!) Anyhow, our presentation was quite interactive, and it covered off four projects which pretty-well summarise work that we do at DotSec on a fairly regular basis:
- Splunk for compliance. Lots of our customers have compliance requirements, especially regarding PCI DSS, IRAP and ISO 27001. Other customers are keen to align their computing environment with accepted infosec best practice. Logging, monitoring, reporting and alerting is a big part of achieving compliance with almost any framework or best-practice guideline, and this part of the presso showed how easily DotSec has used Splunk to help in meeting our customers’ compliance goals.
- Splunk for due diligence. As shown in at least one news article almost every week, attackers are often successful in their goal of compromising and misusing any organisation’s information systems. When this worst-case event happens, directors and C-level officers need to be able to show that the compromise was not a result of negligence. O365 has been a key component in at least four recent incident-response jobs, so it’s clear that O365 security needs to be included in any due diligence planning. Furthermore, insurance underwriters are increasingly including questions in their coverage applications that seek to understand how effectively an organisation manages and secures its corporate computing environment. This part of the presso discusses Splunk in the context of insurance coverage and obligations.
- Splunk for incident prevention. Anyone remember an incident at Equifax? Of course we do, and we also remember that the attackers exfiltrated stolen information over a period of 76 days before they were detected. It’s imperative that organisations use automated tools to monitor all aspects of their computing environment, so that it’s possible to detect and respond quickly to anomalous and/or threatening activities. Without this kind of proactive approach, an organisation will only know that it’s been hosed once the damage has already been done. And of course, this part of the presso shows how DotSec has used Splunk to assist with this kind of incident prevention work.
- Splunk for incident response. Knowing that something bad is about to happen (or has just happened) is useful, but it’s obviously also important to contain a security event once such an event has been identified. The questions that are often asked are, “How many systems were hit; how much did we lose; are the attackers still in there?” This section of the presso describes how DotSec has used Splunk to analyse in-progress (or past) security incidents so that the most effective incident-response measures could be enacted.
All in all, it was a good presso, and we received lots of interesting questions. The slides from the presso are available here; please have a look through and let us know if you have any questions or comments.
Until next time!