Recently, we hosted a webinar titled “How to Identify and Solve Top Security Challenges.” During the webinar, Jon Papp, Aditum’s Professional Services Manager, presented insights into how to address your organization’s security needs using Splunk Security Essentials. The webinar included a live demonstration of the latest version of the Security Essentials app, which is a free app that can be deployed on top of Splunk Enterprise.
Understand Your End Goal
When Splunk is up and running, it can be used to detect events, inform preventive controls, and in some cases, it can even remediate incidents automatically. For most organizations, success with Splunk means that security efforts are moving from a reactive, problem-solving mode to a more proactive posture. This movement is typically accomplished in phases and progress is fueled by the type of data that is ingested into the tool.
Initially, it’s important to understand exactly which data sources will have the most impact on moving increasing your organization’s maturity. The next step is performing the right analytics, which can at times be challenging to design and create. Fortunately, Splunk provides tools to help with both of these steps within the latest version of its Security Essentials app.
Splunk Security Essentials: Combining Tool and Technique
Splunk Security Essentials is a free app available on Splunkbase. It includes 340+ examples of security use cases that you can tailor to your own environment, whether you’re working in a small or large organization. This includes use cases for Advanced Threat Detection, Security Monitoring, Insider Threats, Compliance, Application Security, and more. Details on each type of use case are provided when you initially download and install the app.
Perhaps most valuable, Security Essentials provides a prescriptive path to help your organization navigate the journey from Day 1 installation to gain increased value from the use cases within the app. This includes not only the maturity stages defined in the chart to the right, but also the use cases and data sources that need to be identified and ingested at each stage. If you’re unsure of where to begin on your security data journey, Splunk Security Essentials will show you where to start.
Tips and Tricks for Using the Splunk Security Essentials App
During the webinar, we provided a demonstration of the Splunk Security Essentials app. Splunk provides an introduction and detailed instruction within the app, and here are some additional tips presented during the webinar that will help you get started.
- There are over 340 use case examples within Splunk Security Essentials. They are displayed by journey stage, but you can further filter them by category, data source, or additional custom filters to simplify the process of finding the item you’d like to work with.
- Each use case example provides a detailed description including the security impact of the use case, expected alert volume, SPL difficulty level, required data sources, and instructions on how to implement the use case.
- Each use case shows the SPL that performs the search as well as comments on the SPL. Pro tip – reviewing this pre-written code is a great way to improve your SPL skills. Having the SPL also enables you to more easily tailor a use case to your organization’s needs.
- All use cases contain demo data. This allows you to see examples of the use case in action before deploying it with production data.
- Splunk Security Essentials provides a bookmark feature, so you can save the use cases that are most relevant to you. They’ll automatically be saved to a separate tab where you can track your implementation progress for each use case.
- Splunk Security Essentials provides a Data Source Check by use case, so you’ll know exactly what data you have and what you still need in order to run each search.
Start Your Security Data Journey with Splunk Security Essentials
Splunk Security Essentials is an excellent way to kickstart your security data journey. Get your journey off on the right foot by starting with the most critical data sources and ensuring that they’re complete. Then, enable the use cases that are useful to your organization. You can continue to phase in additional data sources and use cases as needed to improve your security posture one step at a time.
Additional Resources
- .conf 2017 – David Veuve – Quickly Advance Your Security Posture with Splunk Security Essentials
- Splunk’s Essential Guide to Security
- Splunk Security Essentials app
- Splunk Security Essentials for Ransomware app
- Splunk Security Essentials for Fraud Detection app
- Phantom
Security Best Practices at Your Fingertips
SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.
