Security Incident handling with Splunk – Preview to our new Cyences App to be published on Splunkbase
For the past year, customers have asked us to simplify Splunk so that they are able to identify nefarious activities quickly. In addition, they wanted to be able to forensically investigate any event without having to be experts in Splunk Processing Language (SPL).
During our initial meetings, we started to realize that the issue is not as simple as creating alerts and dashboards, but more of building a security engineer’s application for Splunk. Most security engineers understand what bad traffic and orchestration looks like, but they can’t navigate Splunk to get to the bottom of things, so we started developing the Cyences App which this blog previews.
The Cyences App was developed to achieve the following initial objectives with more to come on monthly basis.
- Community-based development starting with our existing clients and branching out to others soon afterwards
- Unified panes of glass that within one or two screens can provide a wholistic viewpoint of what’s important to be observed (if a certain correlation report doesn’t have an alert associated with it, it’s not necessary to be in the nefarious activity pane)
- Activity monitoring should include workstations and users (pre-COVID, this was not necessary, but offices and office firewalls currently play a small part in securing user activity)
- Global view: Collecting and correlating logs throughout a single organization is no longer sufficient because the activity becomes more of a reactive response vs. proactive. We decided that Cyences will collect Global Activity that is deemed nefarious and correlate all incoming and outgoing packets to decide with more accuracy whether something is wrong
- Drill down forensics: We found many existing dashboards and apps to be lacking because of the inherent inability for the security engineer to dig down quickly to ascertain an alarm. All dashboards to be built will have built-in forensics capabilities to reduce response time
There are many more to come but we decided to start off with the six above and publish the App as 1.0.0 at the end of this month because the value is already there.
If you’re interested in downloading or joining our community, please email me directly or reach out on LinkedIn and I will get you access to our Cyences forum. Below are some screenshots and use cases.
This dashboard is based on the MITRE framework
Fake Windows Processes
Some ransomware creates its executable file name as some default Windows process name to go undetected by the users. We can detect these processes because they will be installed outside the Windows default location.
Cyences App is showing attacker and compromised system information in the “Details” dashboard for easy access.