Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Staff Picks for Splunk Security Reading July 2018
By
Ryan Kovar
|
Howdy, folks!
A new month, so a new list of security picks! Splunk security nerds (employees and customers) like to make things. They like to make LOTS of things. But sometimes...they get lost! So as we promised in January, we are bringing you some golden security nuggets you might not have seen before. These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk security world that WE think everyone should read. I hope you enjoy.
(Check out our monthly staff security picks and our all-time best picks for security books and articles!)
|
"I would go out tonight... |
Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations by Digital Shadows Ugh. I know. You are sick of this blog series waxing poetically about MITRE ATT&CK. Yes we have a total cybercrush. But here is the thing... this blog post exemplifies what the MITRE ATT&CK framework can be used for! One of the most significant recommendations that I give customers who want to learn about "hunting APTs" is to read APT reports from places like APT reports hosted by Threat Miner and learn from them. The MITRE ATT&CK can act as a cognitive thought model for you to frame the reports and easier identify where the victim—in this case the DCCC (Democratic Congressional Campaign Committee) and DNC (Democratic National Committee)—could build defenses or have detected the incursion. What I love about that this blog post is that it is short, sweet, and succinct. It gives an excellent computer network defense (CND) view of the supposed GRU actions against the DCCC and DNC and places to for other organizations to improve their security. Think about assigning homework to your analysts to read reports and return with similar-formatted threat models to see if it improves your network's safety! |
|
but I haven't got a stitch to wear. |
Defending Office 365 with Graph Analytics by Matt Swann I'm going back into the archive for one of my all-time favorite posts (inspired by a recent post from @jackcr), which talks about how the O365 security team uses graph analytics combined with multiple strengths of an indicator. While my data science fanaticism goes wild for the graph analytics, the piece I think everyone should take away from this article is the classification of analytics into Alerts, Behavioral, and Contextual. We have seen advanced Splunk customers apply similar concepts, and I love any opportunity to help facilitate the value of "risky" behavior or important notes to augment a traditional alert. |
|
This man said 'it's gruesome that... |
Give Your SOC a SOUL by Alissa Torres This week I had the pleasure of attending and participating in the annual SANS Security Operations Summit in New Orleans. Chris Crowley (@CCrowMontance) and the team once again assembled a fantastic lineup of speakers for this two-day event. One presentation that stood out to me was Give Your SOC a SOUL by Alissa Torres (@sibertor). Those of us who work in the blue-team toolset area of the security industry are quick to invoke the topic of analyst retention, but I'm not sure we fully appreciate the magnitude or the nuances of this challenge. In her talk, Alissa thoughtfully and rigorously examines the human aspect of the SOC with an emphasis on what leaders can do to motivate, empower, and retain analysts. |
|
someone so handsome should care'" |
As I was reviewing the articles that I had read throughout the month, this SANS paper by Dan Gunter really stood out. One of the challenges with hunting is determining what you have, but also identifying your gaps in coverage. This can help drive adding relevant data sources to your logging, so you have better coverage in the future. Dan lays out several concepts around how to calculate the rigor of your hunt and shows how you can map this to observable collected during your hunt, Lockheed Martin Kill Chain, MITRE ATT&CK as well as a way to characterize Threat Intel return on investment. While Dan is referencing ICS environments in his paper, there is no reason that many of the concepts he presents could not be used for any environment. He makes the following comment as well that resonates: "While Newton's third law does not apply to network or host phenomena, this research proposes a similar corollary relevant to network and host phenomena that states, "for every attacker action there is a manifestation of the attacker's action realized in network and host logs." Let's hope this is taking place... |
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
