Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, Splunk Enterprise, and Splunk Enterprise Security deployment and help strengthen an organization’s security program — whatever its current level of maturity. The app provides an extensive library of pre-built security content that aligns with the MITRE ATT&CK framework and the Cyber Kill Chain, making it easy to visualize your current security coverage and to find and implement new content that addresses your organization’s needs. It also offers a prescriptive security data maturity framework that helps you determine your current level of maturity and recommends additional data sources and security content to implement to reach the next level.
To help you mature your program even faster, we released version 3.8.0, which includes:
Let’s dive into each of these updates.
The SSE Security Data Journey previously had six stages. In SSE 3.8.0, we have moved from six “stages” to four “levels” based on the Splunk Security Maturity Methodology (S2M2) to provide prescriptive outcomes for your security operations in alignment with the Splunk digital resilience prescriptive value path (PVP).
Security use cases have evolved with the industry, and there is a need to move faster from one level of security data maturity to the next as data and detections become more closely aligned with each other. Our experts at Splunk have brought all of this together across four levels within the Security Data Journey. Technology and a fast-changing environment have made it easier to enhance security programs and mature them through a consolidation of tools, data and products. The four levels are:
Figure 1: Security Data Journey’s updated four levels to mature your security program
Level 1 - Foundational Data Insights
This level focuses on collecting machine data generated by the foundational components of your security infrastructure, including servers and security controls, and on gathering assets and identities reference data. This data, along with implementation of the Common Information Model (CIM), enables you to track systems and users on your network and to run detections for critical infrastructure. Even if you don’t plan to stand up a formal security operations center (SOC), normalized data will streamline investigations and improve analyst effectiveness.
Level 2 - Data Exploration and Automation
The data sources at this level unlock a rich set of detection capabilities and the automation of simple response actions. Endpoint, cloud, and Domain Name System (DNS) data, along with threat intelligence feeds, improve visibility and contextual understanding while enhancing early threat detection and incident response capabilities. World-class threat hunters rely on DNS and advanced endpoint data to uncover and track adversaries dwelling in your network. At this level, routine tasks such as password resets and lockouts or malicious IP blocking have been identified as automation candidates and implemented. The Splunk Common Information Model (CIM) is used to normalize data, which aids the scale and speed of security event correlation.
Level 3 - Enhanced Insights and Analytics
Integrating the data sources at this level can enhance threat detection through improved visibility into application-layer activity, behavioral analysis, and monitoring of a broader attack surface. It enables the detection of insider threats, supports incident response and investigation with additional detailed logs, and contributes to policy enforcement and compliance, especially in OT/ICS environments.
Level 4 - Unified TDIR
The data sources at this level, along with more advanced automation, minimize visibility gaps and enable unified, risk-based threat detection, investigation and response (TDIR) workflows within the SOC and across the software development life cycle.
Splunk Security products can help you enhance security monitoring and coverage at each of these levels. With the four levels of the Security Data Journey, you can move from foundational monitoring to more advanced monitoring with automation and broader data coverage, through to a comprehensive solution with premium products such as Splunk Enterprise Security, Splunk SOAR, and Splunk UBA. On the SSE Security Content page you can now filter by level to identify the content that helps you plan and execute your security program.
Figure 2: The Security Content page in SSE reflects the updated Security Data Journey and new Splunk app logs
Significant changes were made in SSE 3.7.0 to make the Security Content page faster. It previously took a few additional seconds to load all of the 1,800+ content items, as we kept adding more content in the Splunk ES Content Update (ESCU) app. The Security Content page is the heart of SSE and is also its most used page. With SSE 3.8.0, you can now load 1,800+ security detections and additional content in a couple of seconds. This gets you to the content faster and accelerates tasks like searching, filtering and bookmarking security content.
Here at Splunk SURGe HQ, one of our guiding principles is to release research that is highly practical and real-world oriented. We are not afraid to roll up our sleeves and dive into some not-so-glamorous, yet pervasive issues like ransomware.
Our end-of-the-year project took a deep dive into the sea of annual threat reports published by industry bigwigs like Mandiant, Red Canary, and CISA. These reports are a go-to resource for companies worldwide, providing the latest intel on trending threats and serving as a measuring stick for their own defenses. The SURGe team kicked it up a notch, conducting a meta-analysis of these reports to spot commonalities, variations, and how the threat landscape shifts with related ATT&CK techniques. The outcome? A curated list of the top 20 techniques most frequently seen across the annual lists — a handy tool to check how your defenses stack up against the most prevalent offensive techniques.
In SSE 3.8.0, we took this a step further. We introduced the MITRE ATT&CK Benchmarking dashboard in Splunk Security Essentials, drawing directly from our SURGe research and providing you with an instant snapshot of your standing against the top 20 techniques.
Figure 3: The Macro-ATT&CK Top 20 list inside SSE on the MITRE ATT&CK Benchmark dashboard
In the example above, the environment has one detection deployed that maps to the selected techniques, giving 5% coverage (1 of the 20 techniques). With the detections from the Splunk Threat Research Team, however, a theoretical coverage of 90% (18 of 20) is attainable.
Figure 4: Benchmarking against the Macro-ATT&CK shows active 5% coverage and up to 90% coverage theoretically attainable.
Another part of the SURGe research looked at techniques used together as part of an adversary attack flow. For this part, SURGe used a dataset of CISA Alerts from 2020-2022 to see whether there were clear statistical links between techniques as they appeared in the alerts. Such a link can point to attack flows, or attack tools, that launch a series of MITRE ATT&CK techniques in conjunction. This method of finding correlated techniques is implemented in the dashboard as well: with the correlation percentage factor set to 75%, 13 techniques are added to the original 20. In other words, the 20 techniques originally selected have 13 other techniques that appear with them in 75% or more of the CISA alerts, which makes them strong indicators for each other. Practically, this means that if a detection search triggers for one technique, it is worth looking for the correlated techniques, since they often occur together.
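The co-occurrence idea above, as an added worked example (this is not SURGe's or SSE's code). It assumes a simplified model of the analysis: each alert is reduced to the set of ATT&CK technique IDs it mentions, and technique B is treated as correlated with a seed technique A when B appears in at least 75% of the alerts that mention A. The seed set and the alerts are constructed sample data, not real CISA alerts; with only seven alerts, the percentages are illustrative rather than statistically meaningful.

```python
"""Technique co-occurrence across a set of alerts.

Added example, not SURGe or SSE code. It models the analysis in a
simplified form (an assumption): each alert is the set of ATT&CK
technique IDs it mentions, and technique B is taken as correlated with
seed technique A when B appears in at least THRESHOLD (75%) of the
alerts that mention A. All alerts below are constructed sample data,
not real CISA alerts.
"""
from collections import Counter

THRESHOLD = 0.75  # the dashboard's "correlation percentage factor"

# Constructed seed set standing in for the SURGe Top 20.
SEED_TECHNIQUES = {"T1059.001", "T1566.001", "T1505.003"}

# Constructed alerts: each is the set of technique IDs one alert mentions.
SAMPLE_ALERTS = [
    {"T1566.001", "T1204.002", "T1059.001", "T1105"},
    {"T1566.001", "T1204.002", "T1059.001", "T1027"},
    {"T1566.001", "T1204.002", "T1059.003"},
    {"T1566.001", "T1059.001", "T1105"},
    {"T1505.003", "T1190", "T1059.004"},
    {"T1505.003", "T1190", "T1059.001", "T1003.001"},
    {"T1190", "T1059.001", "T1105"},
]


def conditional_cooccurrence(alerts, seed):
    """For each seed technique A, return {B: fraction of A-alerts that also mention B}."""
    result = {}
    for a in seed:
        with_a = [alert for alert in alerts if a in alert]
        if not with_a:
            result[a] = {}  # seed technique never observed; nothing to correlate
            continue
        counts = Counter(t for alert in with_a for t in alert if t != a)
        result[a] = {t: n / len(with_a) for t, n in counts.items()}
    return result


def correlated_techniques(alerts, seed, threshold=THRESHOLD):
    """Techniques outside the seed set that co-occur with at least one seed
    technique in >= threshold of that seed technique's alerts.

    Returns {technique: set of seed techniques it is correlated with}.
    """
    found = {}
    for a, probs in conditional_cooccurrence(alerts, seed).items():
        for t, p in probs.items():
            if t not in seed and p >= threshold:
                found.setdefault(t, set()).add(a)
    return found


def expanded_watchlist(alerts, seed, threshold=THRESHOLD):
    """Seed techniques plus their correlated techniques, sorted for display."""
    return sorted(seed | set(correlated_techniques(alerts, seed, threshold)))


if __name__ == "__main__":
    for technique, seeds in sorted(correlated_techniques(SAMPLE_ALERTS, SEED_TECHNIQUES).items()):
        print(f"{technique} is correlated with {', '.join(sorted(seeds))}")
    print("expanded watchlist:", expanded_watchlist(SAMPLE_ALERTS, SEED_TECHNIQUES))
```

With the sample data, T1204.002 (User Execution: Malicious File) appears in three of the four alerts that mention T1566.001, exactly the 75% bar, and T1190 appears in both alerts that mention T1505.003, so those two techniques join the watchlist; T1105 appears with T1059.001 in only 60% of its alerts and is left out. Lowering the threshold pulls in more techniques, at the cost of weaker pairings.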
Figure 5: Table showing 13 additional related MITRE ATT&CK techniques that have been found by analyzing CISA alerts from 2020-2022.
Now that we have a set of techniques on our radar, what detections are available, and what data do we need to leverage them? Don't sweat. This information is readily accessible on the dashboard, which details each technique, the detections from the Splunk Threat Research Team's out-of-the-box content repository, and the requisite data sources. You can even see which data fields aid in detecting a particular technique.
Figure 6: Insight into Technique "T1505.003 Web Shell" with data source requirements from the Filesystem, Processes, and Web data models.
Here's a little extra — the dashboard displays the aggregate of MITRE ATT&CK data sources for the selected techniques. The data sources that cover most techniques are "Process: Process Creation," "Command: Command Execution," and "Network Traffic: Network Traffic Content." In simple terms, keep track of your processes, command line, and network. This isn’t a groundbreaking revelation, but an essential reminder.
Figure 7: Data Sources and Technique counts for the SURGe Macro-ATT&CK Top 20
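How the two coverage figures (Figures 3 and 4) and the data-source roll-up (Figure 7) can be computed from a content catalog, as an added example that is not SSE's code. It assumes a small watchlist standing in for the Top 20, a constructed detection catalog with a deployed flag per detection, and an illustrative technique-to-ATT&CK-data-source mapping; none of these are the dashboard's real data. Active coverage counts only deployed detections, theoretical coverage counts every detection in the catalog.

```python
"""Coverage and data-source roll-up for a technique watchlist.

Added example, not SSE's code. It models the two numbers shown on the
benchmark dashboard, active coverage (watchlist techniques with at least
one deployed detection) and theoretical coverage (techniques with at
least one available detection), plus the data-source roll-up. The
watchlist, detection catalog and technique-to-data-source mapping below
are constructed, illustrative sample data (an assumption), not the
dashboard's real catalog.
"""
from collections import Counter

# Constructed watchlist standing in for the SURGe Top 20.
WATCHLIST = ["T1059.001", "T1566.001", "T1505.003", "T1003.001", "T1190"]

# Constructed detection catalog: name, mapped techniques, deployment state.
DETECTIONS = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"], "deployed": True},
    {"name": "Office app spawns child process", "techniques": ["T1566.001", "T1059.001"], "deployed": False},
    {"name": "Web server process spawns shell", "techniques": ["T1505.003"], "deployed": False},
    {"name": "LSASS process access", "techniques": ["T1003.001"], "deployed": False},
]

# Assumed mapping of techniques to ATT&CK data sources (illustrative only).
TECHNIQUE_DATA_SOURCES = {
    "T1059.001": {"Process: Process Creation", "Command: Command Execution", "Script: Script Execution"},
    "T1566.001": {"Application Log: Application Log Content", "File: File Creation", "Network Traffic: Network Traffic Content"},
    "T1505.003": {"File: File Creation", "Process: Process Creation", "Network Traffic: Network Traffic Content"},
    "T1003.001": {"Process: OS API Execution", "Process: Process Access", "Command: Command Execution"},
    "T1190": {"Application Log: Application Log Content", "Network Traffic: Network Traffic Content"},
}


def covered_techniques(watchlist, detections, deployed_only):
    """Watchlist techniques that at least one (deployed) detection maps to."""
    covered = set()
    for det in detections:
        if deployed_only and not det["deployed"]:
            continue
        covered.update(t for t in det["techniques"] if t in watchlist)
    return covered


def coverage(watchlist, detections, deployed_only):
    """Fraction of the watchlist covered: deployed_only=True gives active
    coverage, False gives the theoretical coverage if every catalog
    detection were deployed."""
    return len(covered_techniques(watchlist, detections, deployed_only)) / len(watchlist)


def uncovered(watchlist, detections, deployed_only):
    """Watchlist techniques with no (deployed) detection, in watchlist order."""
    covered = covered_techniques(watchlist, detections, deployed_only)
    return [t for t in watchlist if t not in covered]


def data_source_counts(watchlist, mapping):
    """Number of watchlist techniques each data source supports, most useful first."""
    counts = Counter(src for t in watchlist for src in mapping.get(t, ()))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(f"active coverage:      {coverage(WATCHLIST, DETECTIONS, True):.0%}")
    print(f"theoretical coverage: {coverage(WATCHLIST, DETECTIONS, False):.0%}")
    print("not deployed yet:", uncovered(WATCHLIST, DETECTIONS, True))
    print("no content at all:", uncovered(WATCHLIST, DETECTIONS, False))
    for source, n in data_source_counts(WATCHLIST, TECHNIQUE_DATA_SOURCES):
        print(f"{n} technique(s) need {source}")
```

The gap between the two coverage numbers is the content you already have but have not turned on; the `uncovered(..., deployed_only=False)` list is what no available content addresses and needs either a new detection or a data source you are not yet collecting. The data-source counts are the same roll-up as Figure 7: the sources with the highest counts are where onboarding effort pays off across the most techniques.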
We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. If you are on SSE version 3.7.1 or lower, the last ESCU version that endpoint supports is ESCU 4.22.0. To get newer ESCU versions, upgrade SSE to version 3.8.0 first.
You've made it this far; now it's time to try things out! Splunk Security Essentials is up for grabs on Splunkbase, with version 3.8.0 fresh out of the oven.