Staff Picks for Splunk Security Reading: January 2018

Ryan Kovar

“The pretty one”
@meansec

“Zero to 100 in 90 Days - Building Up Your Security Operations" by Kelcey Tietje and Lisa Tawfall

Let's go back oldschool. I first saw this presentation when I was a customer in 2013 and it really blew my mind how quickly Bechtel spun up a world class SOC in 90 days. I love how they outlined the challenges they overcame and where they finished. Although from 2013, I still think this is an incredibly relevant presentation that addresses issues security analytsts are still facing today.

James Brodsky

“#thanksbrodsky”
@james_brodsky

“Turning IOCs into Tangible Protection” by Katie Winslow and Mike Slavick, Kaiser Permanente

How do we link security to the business? How do we organize our SOC to better meet today’s security challenges? And how did we leverage Splunk to do it? This presentation from Kaiser is two, two, TWO presentations in one! First, Kaiser Security pro Katie Winslow discusses how and why threat data is important to the healthcare giant, and then details the key security indicators she presents to the business to prove that the security teams are actually protecting Kaiser AND saving them money. Her colleague Mike Slavick then details the specific threat data sources Kaiser uses, with details on how these technologies impact the business. I don’t know of an easier-to-digest presentation that explains how Splunk can make security data business relevant.

David Veuve

“King of SPL”
@davidveuve

“Finding Advanced Attacks and Malware With Only 6 Windows EventIDs” by Michael Gough, Malware Archaeology

This is almost a gimme—one of the most popular presentations that will help you see what’s essential in your Windows monitoring and why. Learn more from Malware Archaelogy’s Michael Gough on what’s the best bang for your Splunk license buck, and what is crazy to not monitor. This presentation includes 60+ slides of goodness and, equally important, a set of cheat sheets to help you implement monitoring easily in your environment.

Dave Herrald

“Dave or David”
@daveherrald

“Maturing Workday’s SOC With Splunk” by Jordan Perks and Ravi Shah

When we talk about the people, processes and technology that make up a security program, I find it’s most difficult to get concrete examples of solid processes. Many organizations don’t have any processes, some processes are too specific to one environment to be generally applicable, and sometimes organizations are simply unwilling to share. What makes this presentation so unique and valuable is that it shines a light on the specific metrics and techniques used by a real-world, high-performing SOC and their security engineering team to manage workflow and continually improve.

John Stoner

“Does not live in Colorado”
@stonerpsu

Pretty Good SOC: Effectively Enhancing our SOC with Sysmon & PowerShell Logging to detect and respond to today’s real-world threats

With every organization I speak with, I find myself wishing endpoint data got more love. The good news is that oftentimes Windows Event Logs are getting picked up, but there is always concern how much data it generates, let alone turning on high fidelity logging like sysmon and powershell due to data volumes. This talk, given at .conf2017, details how TransAlta was able to build and tune their endpoint configuration, collect these valuable sources, filter out noisy, low value events and keep their logging footprint to around 10MB per system per day!