Splunk Adds Statistical Analysis to Enterprise Security App

Analysis of machine-generated data can play an important role in a sophisticated layered defense for your data and systems, but getting there can be challenging even with advanced intelligence platforms.

Splunk, provider of an engine that collects, indexes and analyzes massive volumes of machine-generated data, is out to change that with today's release of version 2.4 of the Splunk App for Enterprise Security, which makes the statistical analysis tools, dashboards and visualizations available out of the box.

"Statistical analysis is the new weapon of the security warrior defending against threats that bypass traditional security detection systems," says Mark Seward, senior director of security and compliance at Splunk.

"Companies now understand that hidden in the terabytes of user-generated machine data are abnormal patterns of activity that represent the presence of malware or the behavior of malicious insiders," Seward adds. "The new Splunk App for Enterprise Security enables statistical analysis of HTTP traffic to help security professionals determine a baseline for what's normal, quickly detect outliers and use those events as starting points for security analysis and investigation."

Today's advanced threat malware is essentially a spy that uses your unwitting employees as 'data mules' to external locations, according to Splunk. Its purpose is to communicate its health, facilitate command and control and collect and send valuable data to the attacker, generally via web-based protocols.

Using statistical analysis of the data in your logs, Seward says, Splunk can reveal attacks and threats including the following:

  • Command and control (CNC) instructions embedded in URLs

  • Hosts communicating with new malicious web sites; hosts talking to domains registered within the past 24 to 48 hours are often a key indicator of CNC sites

  • Significant increases in unknown communications

  • Unusual user agent strings in use

  • Abnormal amounts of source/destination traffic

The new version of Splunk App for Enterprise Security automates monitoring and correlation of these outliers and anomalies in real time and presents the resulting analysis via dashboards and alerts.
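As an added illustration of the baseline-and-outlier idea described above (example code written for this page, not Splunk's SPL or the app's own logic), the Python below parses constructed proxy records and flags three of the listed signals: user agent strings seen from only one host, destinations absent from a known-domain baseline (a stand-in for the registration-age check, which needs WHOIS data), and hosts whose outbound byte volume is a robust statistical outlier. The log format, host names and domains are all assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample proxy records (hypothetical format): src_host dest_domain bytes_out "user_agent"
PROXY_LOGS = """\
ws01 portal.example.com 1200 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws02 portal.example.com 980 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws03 cdn.example.com 1500 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws04 portal.example.com 1100 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws05 cdn.example.com 1300 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws06 portal.example.com 1000 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws07 cdn.example.com 1250 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws03 update.example.net 48000 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws03 update.example.net 52000 "Mozilla/5.0 (Windows NT 10.0) Chrome/58"
ws05 svc.example.org 300 "xpc-agent/0.1"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) "([^"]*)"$')

def parse(text):
    """Yield (host, domain, bytes_out, user_agent); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def rare_user_agents(records, max_hosts=1):
    """User agent strings seen from at most max_hosts distinct hosts (unusual UA check)."""
    hosts_by_ua = defaultdict(set)
    for host, _, _, ua in records:
        hosts_by_ua[ua].add(host)
    return {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) <= max_hosts}

def new_domains(records, baseline_domains):
    """Destinations absent from the historical baseline, with the hosts that contacted them."""
    hosts_by_domain = defaultdict(set)
    for host, domain, _, _ in records:
        if domain not in baseline_domains:
            hosts_by_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items()}

def volume_outliers(records, k=3.0):
    """Hosts whose total bytes_out lies more than k MADs above the median (robust outlier score)."""
    total = Counter()
    for host, _, nbytes, _ in records:
        total[host] += nbytes
    vals = list(total.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0  # guard against all-equal volumes
    return {h: v for h, v in total.items() if (v - med) / mad > k}
```

The median/MAD score is used instead of mean/standard deviation so that one very large transfer does not inflate the baseline it is being compared against.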

"In the new version, all of this is automatic," Seward says. "As long as you're capturing proxy data, for example, all of that data will automatically go into the Splunk App for Enterprise Security and all of those statistical outliers will be there and available to you."

"Finding advanced threats is hard," adds Jim Krev, Sr. security manager of Fieldglass, a provider of vendor management system (VMS) technology that two years ago replaced its legacy Security Information and Event Management (SIEM) tool with Splunk Enterprise and the Splunk App for Enterprise Security.

"Finding advanced threats is hard. What Splunk has done with the Enterprise Security 2.4 release is make it easier to find and visualize unusual characteristics of data using statistics," Krev says. "This can help to detect a malicious payload left on a host and its outbound communication. The visualizations also make it easier for me to assure management that our AV software is working sufficiently and we have had no payload problems."


Stories by Thor Olavsrud
