It's Budget Time!
Your CFO points in your direction and smiles. He gives you carte blanche as far as spending goes because “we simply must not be put in the public eye the way that Target was in 2013”. This has got to be the happiest day of your career: full power and control over your company’s destiny as far as network and information security is concerned.
I couldn’t even begin to explain the thoughts that pour through my head with that scenario in place. Just to touch on it a bit: the great majority of attacks are aimed at the user, and with that in mind I’d make so many changes that would aggravate so many people. Every host, not just users, not just servers, every host, would sit on its own /30 network with a network/application firewall as its default gateway. Every host would be its own “trusted” entity as far as the network IDS is concerned, and would be tied into an incredibly well thought out, centrally managed OS security and control model, run by a team of people I could only describe as something Hollywood would portray: a group of 8-10 people working 24x7 to solve some unsolvable mystery.
I could go on about the resources I would put in place: cloud based web filtering, full disk encryption, multiple layers of protection for public facing assets, not to mention that I would probably take care of 5% of the nation’s unemployment rate just to make sure there was enough physical coverage to respond to every event that came up. You all know you could use more help, right? Security won’t work itself, right?
Pondering Cognitive Security
Just think about that idea for a moment: cognitive security. Not the product/company Cisco acquired (we all know how manual anything Cisco-related can be), but the real idea of information working to your advantage with minimal administrative interaction.
I’ve been doing it the hard way for customers as a security vendor for the past 5 years of my career: multiple products in place, ISA/TMG, Qualys, ModSecurity, Trend Micro, <insert firewall vendor name here>, Barracuda, Sourcefire, port security, etc. That’s a lot of disconnected pieces for administrators to work with, each requiring significant attention to function for the purpose it was intended. I’m not going to bash any one product; they all control what they were meant to control. It’s just that many companies/organizations don’t have the manpower or time to give these products the attention they require to stay as up to date as possible.
That’s why we moved to Splunk. It puts all of this information in one place. Don’t stop there, though. You still need to do something with that information that can effectively manage these products and their capabilities globally, for the benefit of each product and of your response and support teams.
That’s where we put Splunk to work. You can tell Splunk to act on your log data and security alerts based upon the information provided by your network and security infrastructure, the systems you already have in place, just by sending Splunk your log data.
Let's Look at Some Examples
A simple example would be automatically opening a help-desk ticket because Splunk was able to tell from your IDS alert data that a host at your Chicago office has tripped an alert. A less simple example would be opening that same ticket only if the alert fired a certain number of times within a specific time frame. A more complex example would be correlating that alert threshold with your Websense and firewall data to verify that the traffic actually passed, so that the ticket opened with your help-desk team is prioritized correctly and communicates how quickly action needs to be taken. A simple example for an outside threat would be parsing the IDS alert data against your internal Qualys scan results to determine whether the targeted host is actually running the affected software, and therefore whether it warrants an internal help-desk/security ticket, on top of running a script that kills the connection at the network or host-based firewall. It can even go as far as detecting a DDoS or reflection attack from your firewall logs and executing a script that drops the traffic for a set period without any human interaction at all. (The usual caveat with automated blocking applies: in a reflection attack the source addresses you see belong to the reflectors, and spoofed sources can be anything, so time-limit any automatic block and keep an allow-list of addresses it must never touch.)
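The escalating correlation chain above (alert threshold within a time window, then firewall confirmation that the traffic passed, then a check against the vulnerability scanner to see whether the target actually runs the affected software), written out as an added example. This is not code from the original post or from Hurricane Defense; in Splunk it would be a scheduled search with an alert action, and here the same logic is written in Python over constructed log lines so it runs offline. The hosts, signature IDs, vulnerability tags, and the signature-to-weakness mapping are all invented for illustration.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example; hosts, signature IDs and
# vulnerability tags are invented and do not describe any real environment.
IDS_LOG = """\
2014-03-10T09:00:05 site=chicago sid=1001 src=203.0.113.7 dst=10.20.1.15 dport=443 msg="Web app RCE attempt"
2014-03-10T09:00:40 site=chicago sid=1001 src=203.0.113.7 dst=10.20.1.15 dport=443 msg="Web app RCE attempt"
2014-03-10T09:01:15 site=chicago sid=1001 src=203.0.113.7 dst=10.20.1.15 dport=443 msg="Web app RCE attempt"
2014-03-10T09:02:30 site=chicago sid=1001 src=203.0.113.7 dst=10.20.1.15 dport=443 msg="Web app RCE attempt"
2014-03-10T09:03:00 site=chicago sid=1002 src=198.51.100.9 dst=10.20.1.22 dport=22 msg="SSH brute force"
2014-03-10T09:03:20 site=chicago sid=1002 src=198.51.100.9 dst=10.20.1.22 dport=22 msg="SSH brute force"
2014-03-10T09:03:40 site=chicago sid=1002 src=198.51.100.9 dst=10.20.1.22 dport=22 msg="SSH brute force"
2014-03-10T09:10:00 site=chicago sid=1001 src=203.0.113.8 dst=10.20.1.30 dport=443 msg="Web app RCE attempt"
"""
FW_LOG = """\
2014-03-10T09:00:05 action=allow src=203.0.113.7 dst=10.20.1.15 dport=443
2014-03-10T09:00:40 action=allow src=203.0.113.7 dst=10.20.1.15 dport=443
2014-03-10T09:03:00 action=deny src=198.51.100.9 dst=10.20.1.22 dport=22
2014-03-10T09:03:20 action=deny src=198.51.100.9 dst=10.20.1.22 dport=22
"""
# What the vulnerability scanner last reported per host (constructed).
SCAN_RESULTS = {"10.20.1.15": {"webapp-rce"}, "10.20.1.22": set(), "10.20.1.30": set()}
# Which weakness each IDS signature is trying to exploit (constructed mapping).
SIG_TARGETS = {"1001": "webapp-rce", "1002": "ssh-weak-auth"}


def parse_kv_log(text):
    """Parse 'timestamp key=value ...' lines (quoted values allowed) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = shlex.split(line)
        rec = dict(tok.split("=", 1) for tok in tokens[1:])
        rec["ts"] = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    return records


def alert_bursts(alerts, min_count, window):
    """Group alerts by (dst, sid, src) and keep the groups in which at least
    min_count alerts fall inside some span no longer than `window`."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["dst"], a["sid"], a["src"])].append(a)
    bursts = []
    for key, items in groups.items():
        items.sort(key=lambda a: a["ts"])
        for i in range(len(items) - min_count + 1):
            if items[i + min_count - 1]["ts"] - items[i]["ts"] <= window:
                bursts.append((key, items))
                break
    return bursts


def firewall_allowed(fw_records, burst, slack=timedelta(seconds=60)):
    """True if the firewall logged an 'allow' for the same flow during the burst."""
    (dst, _sid, src), items = burst
    start, end = items[0]["ts"] - slack, items[-1]["ts"] + slack
    dport = items[0]["dport"]
    return any(r["action"] == "allow" and r["src"] == src and r["dst"] == dst
               and r["dport"] == dport and start <= r["ts"] <= end
               for r in fw_records)


def triage(ids_log, fw_log, scan_results, sig_targets,
           min_count=3, window=timedelta(minutes=5)):
    """One ticket per qualifying burst, prioritised by whether the traffic
    got through the firewall and whether the target is known-vulnerable."""
    alerts = parse_kv_log(ids_log)
    fw = parse_kv_log(fw_log)
    tickets = []
    for burst in alert_bursts(alerts, min_count, window):
        (dst, sid, src), items = burst
        allowed = firewall_allowed(fw, burst)
        vulnerable = sig_targets.get(sid) in scan_results.get(dst, set())
        if not allowed:
            priority, action = "low", "confirm perimeter block, no host action"
        elif vulnerable:
            priority, action = "critical", "block %s at the firewall and patch %s" % (src, dst)
        else:
            priority, action = "medium", "investigate %s" % dst
        tickets.append({"host": dst, "site": items[0]["site"], "sid": sid, "src": src,
                        "count": len(items), "allowed": allowed,
                        "vulnerable": vulnerable, "priority": priority, "action": action})
    return tickets


if __name__ == "__main__":
    for t in triage(IDS_LOG, FW_LOG, SCAN_RESULTS, SIG_TARGETS):
        print("%(priority)-8s %(site)s %(host)s sid=%(sid)s x%(count)d from %(src)s -> %(action)s" % t)
```

Run as-is it produces a critical ticket for the Chicago web host (four alerts inside five minutes, firewall allowed the flow, scanner says the host carries the weakness the signature targets) and a low-priority ticket for the SSH host (burst seen, but the firewall denied it). The single alert against the third host never reaches the threshold and produces nothing, which is the point of the threshold step: one IDS hit is noise, a burst that the firewall let through against a vulnerable host is the ticket you want on top of the queue.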
Proactive Security Intelligence
Honestly, that’s as close to perfect as you can get in today’s security world. We call it HDSI, because we’re Hurricane Defense and it’s our Security Intelligence. I call it being as proactive as you possibly can with the information and infrastructure you already have. Sure, nothing is perfect and things change, but if you put in the effort to be as proactive as you can with what you have, you can say you are doing everything in your power. I’m not going to lie either: this has all been security-based Splunk use case discussion. You can easily sell Splunk to other departments and their budgets based upon its operational strength. You know, spread the wealth if you will.