Splunk wants you to monitor your employees' behaviour

Analytics firm says it can help you identify insider threats

Splunk has announced a new tool to identify insider threats and upgraded its security offering to keep security analysts one step ahead of hackers.

The first product is Splunk Enterprise Security 4.0, the latest version of its signature security software that used to be known as the Splunk App for Enterprise Security.

New with the tool are three features aimed at helping security analysts focus on responding to attacks and discovering threats.

Investigator Journal records an analyst's investigation automatically for compliance purposes, so they need not interrupt it to compile a log of what they did for HR.

Speaking to IT Pro at Splunk's .conf2015 event in Las Vegas yesterday, chief security evangelist Monzy Merza said: "It shows the analyst all of their activity, so any dashboard they went to, any foreign field they filled in, anything they did with enterprise security, it's there.

"It's really trying to enable the analyst to bring focus to the investigation rather than to all these other reporting requirements, because honestly most analysts hate that part of their job."

Investigator Timeline lets security professionals keep a separate timeline logging the actions of the hacker or the attack.

Merza said it puts an end to the messy notes kept by most analysts in the course of an investigation.

"There's notes on paper, Excel sheets copied and pasted and a browser open with 55 tabs. That makes it really difficult to maintain context, [to] move forward in an organised fashion," he said.

"The timeline allows you to quickly add any event you're looking at in your investigation to it, so you can keep marching on."

It also lets different security team members place events, actions and annotations into the timeline.

Lastly, the Enterprise Security Framework allows developers, customers and vendors to extend security with apps that utilise the framework's alert management, risk, threat intelligence, and the identity and asset features.

"Anyone can build additional content on top of enterprise security, whether customer, partner or someone building content," said Merza.

"They can just put it out there with any mechanism they want and it can be quickly incorporated into enterprise security."

Tracking the insider threat

Splunk's other security announcement concerns Caspida, the behavioural analytics firm it acquired in July and has now folded into its product range as Splunk User Behavior Analytics (UBA), a tool designed to pick up on insider threats.

Merza explained: "You can profile users' behavioural activity. It's in real-time as well as doing it over long time periods - multiple days, multiple weeks, because we know people's activities aren't always smash and grab, sometimes they last over much longer periods of time."

It also lets analysts compare any user with his or her peers, flagging behaviour that is unusual for that job role.

"So if you and I are engineers in the same organisation, by and large our behaviour would be very similar, but we can analyse if something different's happening [and find] maybe your credentials are compromised," Merza said.

"Too many attempts to log in, logging in from different places, moving large files, all of those types of things. We could bundle that up and look at it as one problem and conclude maybe there's some data exfiltration going on."
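The peer-group comparison Merza describes, as an added worked example: this is illustrative code written for this article, not Splunk UBA's implementation. It profiles each user from constructed login and transfer events, measures how far each user's failed logins, distinct login locations and outbound bytes sit above those of peers in the same job role, and bundles the deviations into one risk score. The event format, feature set, z-score cap and alert threshold are assumptions made for the example.

```python
"""Peer-group behavioural scoring over constructed login/transfer events.

Added example, not Splunk UBA code: it shows the approach the article
describes (profile each user, compare the profile with peers in the same job
role, bundle the deviations into one risk score). The event format, feature
set, z-score cap and alert threshold are assumptions made for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, role, kind, value).
#   login_fail -> value unused, login_ok -> value is source country,
#   transfer   -> value is bytes sent out of the estate.
SAMPLE_EVENTS = [
    ("alice", "engineer", "login_fail", None),
    ("alice", "engineer", "login_ok", "GB"),
    ("alice", "engineer", "transfer", 20_000_000),
    ("bob", "engineer", "login_ok", "GB"),
    ("bob", "engineer", "transfer", 30_000_000),
    ("carol", "engineer", "login_fail", None),
    ("carol", "engineer", "login_fail", None),
    ("carol", "engineer", "login_ok", "GB"),
    ("carol", "engineer", "login_ok", "DE"),
    ("carol", "engineer", "transfer", 25_000_000),
    # dave: nine failed logins, logins from three countries, 2 GB moved out
    *([("dave", "engineer", "login_fail", None)] * 9),
    ("dave", "engineer", "login_ok", "GB"),
    ("dave", "engineer", "login_ok", "RU"),
    ("dave", "engineer", "login_ok", "BR"),
    ("dave", "engineer", "transfer", 2_000_000_000),
    ("erin", "finance", "login_ok", "GB"),
    ("erin", "finance", "transfer", 5_000_000),
    ("frank", "finance", "login_fail", None),
    ("frank", "finance", "login_ok", "GB"),
    ("frank", "finance", "transfer", 6_000_000),
    ("grace", "finance", "login_fail", None),
    ("grace", "finance", "login_ok", "GB"),
    ("grace", "finance", "transfer", 6_000_000),
]

FEATURES = ("login_fail", "distinct_locations", "bytes_out")
Z_CAP = 10.0            # assumption: stop one runaway feature dominating the score
ALERT_THRESHOLD = 8.0   # assumption: tune against your own baseline period


def build_profiles(events):
    """Collapse raw events into one feature vector per user."""
    acc = defaultdict(lambda: {"role": None, "login_fail": 0,
                               "locations": set(), "bytes_out": 0})
    for user, role, kind, value in events:
        p = acc[user]
        p["role"] = role
        if kind == "login_fail":
            p["login_fail"] += 1
        elif kind == "login_ok":
            p["locations"].add(value)
        elif kind == "transfer":
            p["bytes_out"] += value
    return {
        u: {"role": p["role"], "login_fail": p["login_fail"],
            "distinct_locations": len(p["locations"]), "bytes_out": p["bytes_out"]}
        for u, p in acc.items()
    }


def excess_z(value, peer_values):
    """How many peer standard deviations *above* the peer mean a value sits.
    Below-mean values score 0: for these features only excess is suspicious."""
    if len(peer_values) < 2:        # too few peers to estimate a spread
        return 0.0
    mu, sd = mean(peer_values), pstdev(peer_values)
    if sd == 0.0:                   # uniform peers: any excess is maximal
        return Z_CAP if value > mu else 0.0
    return max(0.0, min((value - mu) / sd, Z_CAP))


def score_users(profiles):
    """Compare every user against peers with the same role and bundle the
    per-feature deviations into one risk score plus an alert flag."""
    by_role = defaultdict(list)
    for user, p in profiles.items():
        by_role[p["role"]].append(user)
    results = {}
    for user, p in profiles.items():
        peers = [u for u in by_role[p["role"]] if u != user]
        z = {f: excess_z(p[f], [profiles[u][f] for u in peers]) for f in FEATURES}
        risk = sum(z.values())
        results[user] = {"z": z, "risk": risk, "alert": risk >= ALERT_THRESHOLD}
    return results


def flagged_users(events=SAMPLE_EVENTS):
    """Users whose bundled deviation from their peer group crosses the threshold."""
    results = score_users(build_profiles(events))
    return sorted(u for u, r in results.items() if r["alert"])


if __name__ == "__main__":
    for user, r in score_users(build_profiles(SAMPLE_EVENTS)).items():
        zs = {k: round(v, 2) for k, v in r["z"].items()}
        print(f"{user:6} risk={r['risk']:6.2f} alert={r['alert']} z={zs}")
```

Only dave crosses the threshold: each of his three signals is unremarkable on its own in a busy SOC, but bundled against his engineering peers they add up. Two caveats a practitioner would want: mean and standard deviation over a handful of peers are noisy (the finance users here score 2.0 on pure noise, and a single outlier like dave also inflates his own peers' baseline, masking smaller deviations), so in production use a longer baseline window and robust statistics such as median and MAD; and the peer group is only as good as the role attribute feeding it, so the identity and asset data that drives it needs to be accurate.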
