Crowdsourced Splunking for Security Exploits
with Guest Blogger Tim Mather, CISO Greater San Francisco Area
I’ve known Tim for a long time and respect him as one of the most savvy CISOs around. When we got together last week in Mountain View, Tim said that one of the most interesting things he’d done as a CISO recently was conduct a contest for who could develop the best correlation rules. He had previously spent over six figures on deploying Splunk, a leading enterprise search and SIEM solution. Yet it took a $250 contest to really get the most from it.
Tim asked his staff, peers and colleagues to come up with one or more original correlation rules for the contest. Each rule had to use at least two logs, or other data sources. One source had to be under the contestant’s group’s control, and the other had to be under another group’s control. Thus, if a contestant belonged to the account management group, he or she would have to create a rule correlating authentication or authorization events with something else, such as data from a firewall log or database.
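As an added example that is not from Tim’s contest or this post, here is the shape of a rule that satisfies the two-source, two-owner constraint, written in plain Python rather than Splunk’s search language: authentication events (the account management group’s data) correlated with firewall denies (the network group’s data), flagging a successful login whose source address was repeatedly denied by the firewall just beforehand. The log lines, field names, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the post). Source 1: authentication log
# owned by account management. Source 2: firewall log owned by the network group.
AUTH_LOG = """\
2024-03-04T09:58:12Z auth: user=alice result=success src=10.1.2.3
2024-03-04T10:02:40Z auth: user=bob result=failure src=203.0.113.9
2024-03-04T10:03:05Z auth: user=bob result=success src=203.0.113.9
2024-03-04T10:04:00Z auth: user=carol result=success src=198.51.100.7
"""
FW_LOG = """\
2024-03-04T09:55:00Z fw: action=deny src=203.0.113.9 dst=10.0.0.5 dport=22
2024-03-04T09:56:10Z fw: action=deny src=203.0.113.9 dst=10.0.0.5 dport=3389
2024-03-04T09:57:30Z fw: action=deny src=203.0.113.9 dst=10.0.0.6 dport=445
2024-03-04T09:59:00Z fw: action=allow src=10.1.2.3 dst=10.0.0.5 dport=443
2024-03-04T10:01:00Z fw: action=deny src=198.51.100.7 dst=10.0.0.5 dport=22
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn each 'timestamp source: k=v ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def correlate(auth_text, fw_text, window=timedelta(minutes=10), min_denies=3):
    """Alert on a successful login whose source IP the firewall denied at least
    min_denies times in the preceding window (probe-then-login pattern)."""
    denies = defaultdict(list)
    for ev in parse(fw_text):
        if ev.get("action") == "deny":
            denies[ev["src"]].append(ev["ts"])
    alerts = []
    for ev in parse(auth_text):
        if ev.get("result") != "success":
            continue
        recent = [t for t in denies.get(ev["src"], []) if ev["ts"] - window <= t < ev["ts"]]
        if len(recent) >= min_denies:
            alerts.append({"user": ev["user"], "src": ev["src"], "denies": len(recent)})
    return alerts

if __name__ == "__main__":
    for a in correlate(AUTH_LOG, FW_LOG):
        print(f"ALERT user={a['user']} src={a['src']} prior_denies={a['denies']}")
```

In a SIEM the same logic would run as a scheduled correlation search; the point of the contest constraint is that neither group could have written it from its own data alone.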
Also, contestants could submit more than one entry and make joint submissions together. “I picked the five best ones and then held a meeting, at which we crowdsourced choosing the winner,” Tim concluded.
I observed to Tim that his contest ingeniously tapped into the core human motivations – the intellectual challenge posed in a puzzle, the desire for recognition among peers and financial gain. I noted that for $250 a person could take the spouse out for a fine dinner.
Tim laughed and said, “For some of our Indian male employees, the wife gets their whole paycheck anyway and manages the finances. But when they get a bonus they keep it for themselves.”
After the exercise concluded, Tim noticed some lasting benefits. Staff are now much more tuned into security monitoring and continue to come up with ideas for correlations. Also, some of his peer management colleagues in IT are asking for security monitoring reports and dashboards.
If you ask me, Tim’s $250 was well-spent.