Analysis of machine-generated data can play an important role in a sophisticated layered defense for your data and systems, but getting there can be challenging even with advanced intelligence platforms.
Splunk, provider of an engine that collects, indexes and analyzes massive volumes of machine-generated data, is out to change that with today's release of version 2.4 of the Splunk App for Enterprise Security, which makes statistical analysis tools, dashboards and visualizations available out of the box.
"Statistical analysis is the new weapon of the security warrior defending against threats that bypass traditional security detection systems," says Mark Seward, senior director of security and compliance at Splunk.
"Companies now understand that hidden in the terabytes of user-generated machine data are abnormal patterns of activity that represent the presence of malware or the behavior of malicious insiders," Seward adds. "The new Splunk App for Enterprise Security enables statistical analysis of HTTP traffic to help security professionals determine a baseline for what's normal, quickly detect outliers and use those events as starting points for security analysis and investigation."
Today's advanced-threat malware is essentially a spy that uses the machines of unwitting employees as 'data mules' to move information to external locations, according to Splunk. Its purpose is to report its health, facilitate command and control, and collect and send valuable data to the attacker, generally over web-based protocols such as HTTP.
Using statistical analysis of the data in your logs, Seward says, Splunk can reveal attacks and threats including the following:
- Command-and-control (CNC) instructions embedded in URLs
- Hosts communicating with new malicious web sites: a host talking to a domain registered within the past 24 to 48 hours is often a key indicator of a CNC site
- Significant increases in communications to unknown destinations
- Unusual user-agent strings in use
- Abnormal amounts of traffic between a source and a destination
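The indicators above, as an added example that is not Splunk's code and not part of the original article: a short Python script that runs four of those checks (encoded data in URLs, newly registered domains, rare user-agent strings and outbound-volume outliers) over a handful of constructed proxy log lines. The log format, the domain-registration table, the reference time `NOW` and every threshold are assumptions chosen for illustration.

```python
"""Baseline-and-outlier checks over web proxy logs (added example, not Splunk's code).

Every input here is constructed: the PROXY_LOG lines, the DOMAIN_REGISTERED
table (in practice this comes from WHOIS or passive DNS) and NOW.
"""
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlparse

# Constructed proxy log lines (assumed format):
# time source method URL "user-agent" bytes_sent bytes_received
PROXY_LOG = """\
2013-05-14T09:00:01 ws-101 GET http://news.example.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 420 51234
2013-05-14T09:00:07 ws-102 GET http://news.example.com/sports "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 398 44210
2013-05-14T09:01:12 ws-103 GET http://mail.example.com/inbox "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 511 23990
2013-05-14T09:02:30 ws-104 GET http://news.example.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 401 50877
2013-05-14T09:03:44 ws-102 POST http://cdn.example.net/upload "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 2048 310
2013-05-14T09:05:02 ws-117 GET http://qz7x-update.test/gate.php?id=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGJlYWNvbg "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 350 120
2013-05-14T09:05:33 ws-117 POST http://qz7x-update.test/gate.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 812000 95
2013-05-14T09:06:10 ws-101 GET http://mail.example.com/inbox "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0" 502 24011
"""

# Constructed registration dates keyed by registrable domain (assumption).
DOMAIN_REGISTERED = {
    "example.com": datetime(2004, 3, 2),
    "example.net": datetime(2009, 8, 19),
    "qz7x-update.test": datetime(2013, 5, 13),
}
NOW = datetime(2013, 5, 14, 10, 0, 0)  # assumed analysis time

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+) (\d+)$')


def parse(line):
    """Turn one proxy log line into a dict; raise on lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable proxy line: {line!r}")
    ts, src, method, url, ua, out, inn = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "url": url, "host": urlparse(url).hostname, "ua": ua,
            "bytes_out": int(out), "bytes_in": int(inn)}


EVENTS = [parse(line) for line in PROXY_LOG.splitlines()]


def registrable(host):
    """Crude eTLD+1 (last two labels); real code should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def new_domain_contacts(events, window=timedelta(hours=48)):
    """(source, host) pairs where the domain was registered within `window` of NOW."""
    hits = set()
    for e in events:
        reg = DOMAIN_REGISTERED.get(registrable(e["host"]))
        if reg is not None and NOW - reg <= window:
            hits.add((e["src"], e["host"]))
    return sorted(hits)


def rare_user_agents(events, max_hosts=1):
    """User-agent strings seen from no more than `max_hosts` distinct sources."""
    hosts_by_ua = defaultdict(set)
    for e in events:
        hosts_by_ua[e["ua"]].add(e["src"])
    return {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) <= max_hosts}


def bytes_out_outliers(events, k=5.0):
    """Sources whose total outbound bytes exceed the median by more than k MADs.

    Median absolute deviation is used instead of mean/stdev so one huge
    upload does not drag the baseline up and hide itself.
    """
    totals = Counter()
    for e in events:
        totals[e["src"]] += e["bytes_out"]
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return {src: t for src, t in totals.items() if (t - med) / mad > k}


def shannon_entropy(s):
    """Bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_url_params(events, min_len=20, min_entropy=4.0):
    """(source, host, param) for long, high-entropy query values (encoded CNC data)."""
    hits = []
    for e in events:
        for key, val in parse_qsl(urlparse(e["url"]).query):
            if len(val) >= min_len and shannon_entropy(val) >= min_entropy:
                hits.append((e["src"], e["host"], key))
    return hits


if __name__ == "__main__":
    print("new domains :", new_domain_contacts(EVENTS))
    print("rare agents :", rare_user_agents(EVENTS))
    print("volume      :", bytes_out_outliers(EVENTS))
    print("url params  :", suspicious_url_params(EVENTS))
```

On the constructed data every check converges on the same workstation, which is the point of the approach the article describes: no single line is a signature match, but a host that talks to a day-old domain, with a user agent nobody else on the network uses, sending a long base64-looking value in a URL and then an outbound volume hundreds of MADs above the fleet median is the starting point for an investigation. On real proxy volumes the baselines (median, MAD, per-UA host counts) would be computed over a longer window than the events being scored.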
The new version of Splunk App for Enterprise Security automates monitoring and correlation of these outliers and anomalies in real time and presents the resulting analysis via dashboards and alerts.
"In the new version, all of this is automatic," Seward says. "As long as you're capturing proxy data, for example, all of that data will automatically go into the Splunk App for Enterprise Security and all of those statistical outliers will be there and available to you."
"Finding advanced threats is hard," adds Jim Krev, Sr., security manager of Fieldglass, a provider of vendor management system (VMS) technology that two years ago replaced its legacy Security Information and Event Management (SIEM) tool with Splunk Enterprise and the Splunk App for Enterprise Security.
"Finding advanced threats is hard. What Splunk has done with the Enterprise Security 2.4 release is make it easier to find and visualize unusual characteristics of data using statistics," Krev says. "This can help to detect a malicious payload left on a host and its outbound communication. The visualizations also make it easier for me to assure management that our AV software is working sufficiently and we have had no payload problems."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.