As Halloween Approaches, Splunk Uses Analytics To Make Cyber Attacks Less Scary

This year, Splunk will move to make Halloween less scary for enterprises worried about cyber attacks. On Oct 31, Splunk is set to ship technologies to help analysts better detect, diagnose and respond to security attacks. IDN learns more from Splunk’s chief security evangelist Monzy Merza.



This year, Splunk will move to make Halloween less scary for enterprises worried about cyber attacks. On Oct 31, Splunk is set to ship new technologies to help analysts detect, diagnose and respond to security attacks even more easily and quickly.


The offerings are Splunk Enterprise Security 4.0 (an upgrade to the formerly-called Splunk App for Enterprise Security) and Splunk User Behavior Analytics (based on Splunk’s recent acquisition of Caspida).


Together, Splunk’s latest offerings, which debuted at Splunk’s .conf2015 user conference, reflect a big leap in how machine logs and machine learning can be enlisted in the fight against cyberthreats through smarter and deeper data gathering, correlation, visualization and collaboration. Combined, they show Splunk’s continued push to bring insight and value to using analytics to drive enterprise-wide Security Information and Event Management (SIEM) solutions.


“We’ve learned by working with our customers, security is an ecosystem problem,” Splunk’s chief security evangelist Monzy Merza told IDN.  “So, we are delivering technology to let more [people] play together and work together, using all types of data. That is really the right approach.” 


Enterprise Security 4.0 sports features that let organizations better uncover the cause and effect of breaches, as well as track attackers’ steps via ad hoc analyses and event sequencing. The technology updates will also make it easier to detect advanced threats, and to apply the often-used ‘kill chain’ methodology across multiple analysts and stakeholders.


“For us, the big trajectory at Splunk has always been: How do we enable the analyst – through data, context and intelligence,” Merza said. “So, the goal [with ES 4.0] is to add all types of information and make it part of the chain.” This approach not only will help an individual analyst come to an insight, but will also allow teams to better collaborate on a security problem and maybe uncover something new and unexpected, he added.


Of special note, Enterprise Security 4.0 sports a new Investigator Timeline feature to modernize how analysts select, compile, visualize and share data related to cybersecurity analysis and forensics. This add-on feature should be of particular value in analyzing multi-stage attacks, Merza said.


“Analysts use a lot of outdated tools for such tasks. They take a lot of notes on paper or track on spreadsheets or open a whole bunch of tabs in their browser. That is time consuming and you can’t easily share information using that style,” Merza explained.  


In contrast, Investigator Timeline brings control and automation to this task.


Rather than a disconnected set of notes, URLs or tabs, Investigator Timeline lets analysts select data and events with a simple mouse click or clipboard action to add that noteworthy data or information to a timeline, Merza said. Beyond making it easy to assemble all relevant data into a single place, Investigator Timeline can also present the information in a chronological and visual way, he added. 


“By letting users view and correlate all the artifacts they collect, we give you a recipe of what was wrong or what was bad,” Merza said. “And, because you have this clean way of looking at these recipes, when in the future attacks come from the same IP [address] or show the same pattern, you’ll know because you have that in your threat intelligence framework.”


Quick Tour of Splunk’s Enterprise Security 4.0’s Investigator Timeline

IDN asked Merza to give us a tour of just how the Investigator Timeline capability in Enterprise Security 4.0 delivers this correlated and visual view.


“We have timestamps for all data or events you want to capture. You just click to say ‘add this to the timeline’ and it gets added, where it should be added in context,” Merza said. “So, now you can speed up your analysis or maybe come to an insight you may have overlooked. That’s because rather than raw data all over the place, you can see this picture of how things happened and when they happened.  Looking at data in that way, analysts can say, ‘Oh, this is what really happened.’” 


While Investigator Timeline may feel like a simple clipboard, it becomes much more by running atop Splunk’s platform intelligence, which is the engine that powers the deeper and faster insights. “With all our pieces, Splunk has the smarts to bring all these data and notes together,” Merza added.

The under-the-covers Splunk Enterprise Security Framework lets users quickly access, extend and even create new security-related functionality for alert management, risk, threat intelligence, and the identity and asset frameworks, Merza added.


In addition, thanks to the visual nature of the timeline, users can see context – and discover where a piece of data might be missing or even suggest the path they think the attacker may have used, he added. 


For all the automation, correlation and visualization, the Investigator Timeline by itself doesn’t do the discovery, Merza emphasized.


“This is not an analysis analyzer. We can collect all the data and have all the context and enrich whatever you want to enrich it with. So, we want to give analysts all they need to exercise their own intelligence and intuition. We don’t want to be in the analyst’s way.”


Splunk User Behavior Analytics (UBA) is specially designed to detect hacker activities.


It combines Splunk’s analytics capabilities for security insights with Caspida’s broad range of data science-driven Behavioral Analytics capabilities. These include: machine learning, semantic classification, kill chain detection, graph/link analysis and threat scoring. 


“Splunk security customers will benefit from Caspida’s ability to use these data science techniques to detect known, hidden, unknown and advanced threats from external and internal attackers,” Merza noted in a recent blog post.


He also described how the Splunk / Caspida technologies bring together machine learning and advanced analytics to detect cyberattacks and insider threats:

“With Splunk’s emerging role as the nerve center for security, this new [Splunk / Caspida] combination increases the insights organizations gain as well as their capacity to detect threats and orchestrate and automate responses. . . Customers can significantly shorten their detect-to-respond time and effort as well as add the new insights and intelligence from anomaly detection into their ongoing monitoring program. . . 

With the Caspida Behavioral Analytics solution, Splunk security customers gain these capabilities out-of-box. As more and more organizations utilize Splunk to build out their Security Command Center, this addition dramatically boosts the[ir] ability to detect and respond to modern threats. Customers can now get a prioritized list of threats using the context of the kill chain along with the supporting evidence to make investigations more insightful and actionable. This is further strengthened by Caspida’s multi-domain (user, device and traffic applications) approach to anomaly detection.”

At least one analyst has reported favorably on Splunk’s latest ways of bringing analytics and machine learning to security missions.


“Splunk continues to address analytics-driven security through product developments and strategic acquisitions,” said Scott Crawford, research director, 451 Research, in a statement. “Splunk Enterprise Security is designed to help practitioners conduct more efficient investigations and provides a new open framework that further supports a growing ecosystem of partners. Splunk User Behavior Analytics extends threat detection for customers through data science and machine learning.”


Beyond security, Splunk .conf2015 also rolled out other new offerings:

Splunk Enterprise 6.3: This update to Splunk’s core platform offering delivers better performance, more advanced analytics and visualizations, and high-volume event collection for DevOps and Internet of Things (IoT) devices. Further, it is optimized for lower-cost operations: the company has benchmarked the hardware cost of a Splunk Enterprise deployment at as much as 50% less than with the earlier Splunk Enterprise 6.0.


Splunk IT Service Intelligence (ITSI): ITSI is a new IT monitoring and analytics solution that builds upon Splunk’s deep product expertise and recognized customer value in IT Operations to provide new levels of visibility into the health and key performance indicators of IT services. Splunk ITSI can be deployed on-premises and as a cloud service.

Hunk 6.3: The latest update to Splunk’s integrated analytics platform to interactively explore, analyze and visualize big data in Hadoop and Amazon S3. A key new feature is Unified Search, which lets users search archived data in virtual archive indexes. It also works with live data in the Splunk Enterprise indexes that feed those archives. Bottom line: users can use the same UI and search commands to search real-time and historical data.


Splunk Light: Designed for smaller IT shops, it will ship as a cloud service. Splunk MINT, analytics for mobile apps, now runs as an application on top of Splunk Enterprise and Splunk Cloud.