Splunk wants you to monitor your employees' behaviour

Analytics firm says it can help you identify insider threats

Splunk has announced a new tool to identify insider threats and upgraded its security offering to keep security analysts one step ahead of hackers.

The first product is Splunk Enterprise Security 4.0, the latest version of its signature security software that used to be known as the Splunk App for Enterprise Security.

New with the tool are three features aimed at helping security analysts focus on responding to attacks and discovering threats.

Investigator Journal automatically tracks an analyst's investigation for compliance purposes, so analysts no longer have to interrupt their work to compile a log of what they are doing for HR.

Speaking to IT Pro at Splunk's .conf2015 event in Las Vegas yesterday, chief security evangelist Monzy Merza said: "It shows the analyst all of their activity, so any dashboard they went to, any foreign field they filled in, anything they did with enterprise security, it's there.

"It's really trying to enable the analyst to bring focus to the investigation rather than to all these other reporting requirements, because honestly most analysts hate that part of their job."

Investigator Timeline lets security professionals keep a separate timeline logging the actions of the hacker or the attack.

Merza said it puts an end to the messy notes kept by most analysts in the course of an investigation.

"There's notes on paper, Excel sheets copied and pasted and a browser open with 55 tabs. That makes it really difficult to maintain context, [to] move forward in an organised fashion," he said.

"The timeline allows you to quickly add any event you're looking at in your investigation to it, so you can keep marching on."

It also lets different security team members place events, actions and annotations into the timeline.

Lastly, the Enterprise Security Framework allows developers, customers and vendors to extend security with apps that utilise the framework's alert management, risk, threat intelligence, and the identity and asset features.

"Anyone can build additional content on top of enterprise security, whether customer, partner or someone building content," said Merza.

"They can just put it out there with any mechanism they want and it can be quickly incorporated into enterprise security."

Tracking the insider threat

Splunk's other security announcement concerns behavioural analytics firm Caspida, which it acquired in July and has folded into its product range as Splunk User Behavior Analytics (UBA), a tool designed to pick up on insider threats.

Merza explained: "You can profile users' behavioural activity. It's in real-time as well as doing it over long time periods - multiple days, multiple weeks, because we know people's activities aren't always smash and grab, sometimes they last over much longer periods of time."

It also lets you compare any user to his or her peers, looking for behaviour that is unusual for that job role.

"So if you and I are engineers in the same organisation, by and large our behaviour would be very similar, but we can analyse if something different's happening [and find] maybe your credentials are compromised," Merza said.

"Too many attempts to log in, logging in from different places, moving large files, all of those types of things. We could bundle that up and look at it as one problem and conclude maybe there's some data exfiltration going on."
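The peer comparison Merza describes, as an added example that is not Splunk's or Caspida's code: each user's failed logins, distinct login locations and bytes moved are measured against colleagues in the same job role, and only above-baseline deviations are bundled into a single score. The events, roles, feature set and the per-feature cap are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed one-day sample: (user, role, event, value). "login_fail" is one failed
# login, "login_from" a login location, "file_move" bytes moved. Dave is the planted outlier.
EVENTS = [
    ("alice", "engineer", "login_fail", 1), ("alice", "engineer", "login_from", "hq"),
    ("alice", "engineer", "file_move", 200),
    ("bob", "engineer", "login_from", "hq"), ("bob", "engineer", "file_move", 150),
    ("carol", "engineer", "login_fail", 1), ("carol", "engineer", "login_fail", 1),
    ("carol", "engineer", "login_from", "hq"), ("carol", "engineer", "file_move", 250),
    ("dave", "engineer", "login_from", "hq"), ("dave", "engineer", "login_from", "cafe"),
    ("dave", "engineer", "login_from", "vpn-exit-7"), ("dave", "engineer", "file_move", 5000),
    *[("dave", "engineer", "login_fail", 1)] * 9,
    ("erin", "finance", "login_fail", 1), ("erin", "finance", "file_move", 50),
]
FEATURES = ("login_fail", "locations", "bytes_moved")
Z_CAP = 10.0  # bound each feature's contribution so one huge outlier cannot swamp the rest

def user_features(events):
    """Roll raw events up into one feature vector per user, plus each user's role."""
    raw = defaultdict(lambda: {"login_fail": 0, "locations": set(), "bytes_moved": 0})
    roles = {}
    for user, role, kind, value in events:
        roles[user] = role
        f = raw[user]
        if kind == "login_fail":
            f["login_fail"] += 1
        elif kind == "login_from":
            f["locations"].add(value)
        elif kind == "file_move":
            f["bytes_moved"] += value
    return {u: {"login_fail": f["login_fail"], "locations": len(f["locations"]),
                "bytes_moved": f["bytes_moved"]} for u, f in raw.items()}, roles

def peer_scores(feats, roles, min_peers=2):
    """Score each user against same-role peers (leave-one-out); None when there is no baseline."""
    by_role = defaultdict(list)
    for user, role in roles.items():
        by_role[role].append(user)
    scores = {}
    for user, role in roles.items():
        peers = [p for p in by_role[role] if p != user]
        if len(peers) < min_peers:
            scores[user] = None
            continue
        total = 0.0
        for key in FEATURES:
            vals = [feats[p][key] for p in peers]
            z = (feats[user][key] - mean(vals)) / max(pstdev(vals), 1e-9)
            total += min(max(z, 0.0), Z_CAP)  # bundle the separate signals into one score
        scores[user] = round(total, 2)
    return scores
```

With real data the peer group should be large enough that one outlier does not distort the baseline, and the cap and feature set tuned per role.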
