Crowdsourced Splunking for Security Exploits

Crowdsourced correlation search development in security information and event management (SIEM) tools such as Splunk is a best practice for security monitoring and user awareness. For some SIEM systems such as Splunk, IT power users or administrators can develop searches. If, like me, you’re a fan of “little data” that can be analyzed without high-priced hadoops and data scientists, you’ll love this idea of spreading security knowledge and awareness to get more out of the real brains of the enterprise: the staff on the payroll and actually using the systems.

Do you have holes in your firewall for remote access by road warriors, vendors or third-party suppliers? Be honest, you know you do. It can be a business necessity to provide this access; unfortunately, it also leads to many breaches. Even if you use two-factor authentication, compartmentalize the access, and regularly recertify credentials, you had better be monitoring who’s logging in successfully, who’s generating failures, to what, and when. The figure above shows example Splunk searches that can be combined with other variables to filter through a haystack of failed authentication events in the logs to find the needles – malicious access through the secure shell (SSH).

I won’t go into the technical details of the searches, but you can read more about them in this Splunk community wiki article.

The Correlation Contest

with Guest Blogger Tim Mather, CISO Greater San Francisco Area

I’ve known Tim for a long time and respect him as one of the most savvy CISOs around. When we got together last week in Mountain View, Tim said that one of the most interesting things he’d done as a CISO recently was conduct a contest for who could develop the best correlation rules. He had previously spent over six figures deploying Splunk, a leading enterprise search and SIEM solution. Yet it took a $250 contest to really get the most from it.

Tim asked his staff, peers and colleagues to come up with one or more original correlation rules for the contest. Each rule had to use at least two logs or other data sources. One source had to be under the contestant’s group’s control, and the other had to be under another group’s control. Thus, if a contestant belonged to the account management group, he or she would have to create a rule correlating authentication or authorization events with something else, such as data from a firewall log or a database.

Also, contestants could submit more than one entry and make joint submissions together. “I picked the five best ones and then held a meeting, at which we crowdsourced choosing the winner,” Tim concluded.
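As an added illustration (not from this post, nor one of the contest entries), here is the kind of two-source rule the contest asked for, applied to the SSH haystack described earlier: the perimeter firewall log is the network team’s source, the sshd auth log is the server team’s source, and a remote address is flagged only if the firewall admitted it on port 22 and it then failed repeatedly before logging in successfully. It is written in Python over constructed log lines rather than as a Splunk search, and the log formats, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth log (server team's source); not real data
SSHD_LOG = """\
Mar  3 09:12:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:12:04 bastion sshd[2201]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 09:12:09 bastion sshd[2203]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 09:12:15 bastion sshd[2205]: Accepted password for root from 203.0.113.45 port 51025 ssh2
Mar  3 09:20:40 bastion sshd[2310]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 09:20:45 bastion sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
Mar  3 09:31:02 bastion sshd[2402]: Accepted publickey for bob from 10.0.5.12 port 33004 ssh2
"""
# Constructed perimeter firewall log (network team's source); not real data
FW_LOG = """\
2024-03-03T09:11:58Z fw1 action=ACCEPT src=203.0.113.45 dst=10.0.1.10 dport=22 proto=tcp
2024-03-03T09:20:38Z fw1 action=ACCEPT src=198.51.100.7 dst=10.0.1.10 dport=22 proto=tcp
2024-03-03T09:25:10Z fw1 action=DROP src=192.0.2.99 dst=10.0.1.10 dport=22 proto=tcp
"""
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"action=(\w+) src=(\S+) dst=\S+ dport=(\d+)")

def external_ssh_sources(fw_log):
    """Source addresses the firewall let through to port 22: the remote-access hole."""
    allowed = set()
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(1) == "ACCEPT" and m.group(3) == "22":
            allowed.add(m.group(2))
    return allowed

def correlate(sshd_log, fw_log, threshold=3):
    """Return (ip, user, failures) for firewall-admitted sources that failed at
    least `threshold` times and then logged in: the needles in the haystack."""
    allowed = external_ssh_sources(fw_log)
    failures = defaultdict(int)
    findings = []
    for line in sshd_log.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if ip not in allowed:
            continue  # internal source or never admitted: out of scope for this rule
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            findings.append((ip, user, failures[ip]))
    return findings
```

Because each source is owned by a different group, neither team could have built this rule alone, which is exactly what the contest’s two-source requirement was designed to force.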

I observed to Tim that his contest ingeniously tapped into the core human motivations – the intellectual challenge posed in a puzzle, the desire for recognition among peers and financial gain. I noted that for $250 a person could take the spouse out for a fine dinner.

Tim laughed and said, “For some of our Indian male employees, the wife gets their whole paycheck anyway and manages the finances. But when they get a bonus they keep it for themselves.”

After the exercise concluded, Tim noticed some lasting benefits. Staff are now much more tuned into security monitoring and continue to come up with ideas for correlations. Also, some of his peer management colleagues in IT are asking for security monitoring reports and dashboards.

If you ask me, Tim’s $250 was well-spent.
