Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

Are you a manager or individual contributor of a SOC/CERT Team, or currently thinking about establishing one in your organization? If the answer is “yes” to either of those questions, then you should listen to this 40 minute webinar.

We recently co-presented a security briefing with Cisco’s CSIRT EMEA and APAC Manager, Imran Islam and ISC2’s EMEA Managing Director, Dr. Adrian Davies. The webinar showcases Cisco’s CSIRT reliance on Splunk as their Investigation and Response Platform, and after 10 years in infosec, this has become one of my favourite stories of effectively bridging  the gaps among business context, cost justification and cyber security. If you don’t quite have 40 minutes to spare right now, then here is a rundown of the three key lessons learnt:

Understand your data and environment

Imran explained that Cisco  has a very large number of tools that protect different parts of the organization’s digital infrastructure. With high volumes of event data, the  environment is constantly changing, and despite being Cisco - even they face a shortage of skilled staff and time. These challenges lead the Cisco team  to use Splunk because it’s easy to use, super fast and enables a better understanding of the data.. Cisco can now easily extract information from events never seen before, correlate everything with everything, create dashboards, alerts and add context through lookups.

Collaborate with your IT-Operations team

Like many organizations, the CSIRT team can not always identify if something is malicious or not. Items of concern within a Windows server environment might be things such as unscheduled restarts, local admin account password changes, authorization of new users to the admin group, or installation of new services. Where the security team might be looking at something malicious; the IT-operations team is the go to place to know if the activity was  intended or not. To tackle this, the CSIRT team has built specific views for the IT-operations team, giving them deeper insights into what’s going on within their systems. IT-operations  can now judge and escalate anomalies to the CSIRT Team for investigation - this takes a maximum of 5-10 minutes per day for the service owners of the IT-Ops team to ensure all noise is filtered out. Imran shared a Windows Auditing Guide with tips on what to look for, as well as why and how to respond. You can find it in the attachments tab of the brighttalk session.

Justify required security investments with playbooks

We got to see how Cisco justifies its  resources through playbooks. To date, the team has  deployed over a 100 plays, and each play is associated with a cost factor. They measure how often a specific play is triggered, how long an analyst takes to solve it, and record  the false positive rate. This process allows Cisco  to effectively manage and be transparent on resource spending. Examples of justifications can be;

• If a play triggers too often and has a low false positive rate, it can now be decided  if it makes sense to automate the response, or fix the root causeto optimize operations

• If a play has too many false positives, the team  can take the calculated risk and disable the trigger altogether

• If an individual wants to add a new service to monitor, they can also charge per play, like “Security Monitoring as a Service”.

These are just three lessons learnt, but there are  even more Security Operations tips and best practices to take away from Imran and his CSIRT team. You can find the full recording of the webinar here.

Do you want to perform a hands on security investigation with Splunk?  Try out one for free!

Stay safe!

Matthias