Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

April 2023

Coffee Talk with SURGe: 2023-MAY-02 SolarWinds, US Marshals Service, OT Threat Sharing, Bluesky, RSA

Grab a cup of coffee and join Ryan Kovar, Mick Baccio, and Audra Streetman for another episode of Coffee Talk with SURGe. The team from Splunk will discuss the latest security news, including: Ryan and Mick competed in a charity challenge to discuss the impact of splintering social media platforms for keeping track of security news and opinions. The trio also recapped the highlights from RSA Conference.

The Security Analyst Role: Skills, Responsibilities & Salary in 2023

Security breaches and cyberattacks have become the norm. Companies need security experts to identify vulnerabilities and prevent cybercriminals from exploiting them. This is where security analysts come in. In this article, I’ll discuss the security analyst role, including their skills, responsibilities, salary, and more.

7 questions all CxOs should ask to increase cyber resilience before buying more software

Procuring cybersecurity or enterprise resilience software is a multifaceted consideration, typically owned or heavily influenced by technical stakeholders like the CSO, CIO or CTO. But paradoxically, some of the best insights as to whether a particular software or technology is the right choice for your organisation can be gleaned by considering non-technical factors.

Paws in the Pickle Jar: Risk & Vulnerability in the Model-sharing Ecosystem

Early 2023 has been characterized by an explosion of Artificial Intelligence (AI) breakthroughs. Image generators and large language models (LLMs) have captured global attention and fundamentally changed the Internet and the nature of modern work. But as AI / Machine Learning (ML) systems now support millions of daily users, has our understanding of the relevant security risks kept pace with this wild rate of adoption?

Security Monitoring Explained: How Security Monitoring is Your Foundation for Cybersecurity

Security Monitoring is the catch-all name for the process of detecting threats and managing security incidents. It’s generally broken into two phases: In this article, let's take a look at what security monitoring means and how it forms the foundation for your cybersecurity posture.

The Threat Hunting Guide: Everything To Know About Hunting Cyber Threats

Threat hunting has become an increasingly important aspect of cybersecurity, as organizations strive to identify and mitigate security incidents that automated systems may have missed. Yes, the definition of threat hunting can vary, and it generally involves a combination of manual and machine-assisted processes driven by human curiosity and pattern recognition.

Coffee Talk with SURGe: 2023-APR-25 The Interview Series live from RSA Conference

Grab a cup of coffee and join Mick Baccio and special guests Juan Andres Guerrero-Saade and Jon DiMaggio for another episode of Coffee Talk with SURGe, live from RSA Conference in San Francisco. Guerrero-Saade and DiMaggio are both contributing authors for Bluenomicon, a new book by SURGe that features stories and advice from security leaders and practitioners. You don't want to miss it!

SecOps In Seconds: Creating Response Templates in Splunk Mission Control

Streamline your workflows by improving SOC process adherence when you codify your operating procedures into pre-defined templates. Use Splunk Mission Control to speed up investigations with pre-built response templates that include embedded searches, actions, and playbooks to empower security analysts. Model your response plans based on pre-built templates that can be used for security use cases such as “Encoded PowerShell Response”, “Insider Threat” or “Ransomware”. Or build your own templates based on your established processes that are scattered across systems to finally achieve repeatable security operations. This allows you to close the gap between your Splunk ES detections and rapid incident response.

Threat Update: AwfulShred Script Wiper

The Splunk Threat Research Team (STRT) continues to analyze and produce content related to the ongoing geopolitical conflict in eastern Europe where new variances of destructive payloads are being released, targeting government and civilian infrastructure. The sole purpose of these destructive payloads is to decimate infrastructure; there is no ransom or alternative presented, and they need to be addressed as soon as they are detected.

Coffee Talk with SURGe: 2023-APR-18 NSO Group, LockBit macOS Encryptors, AI in CTI, MSFT Taxonomy

Grab a cup of coffee and join Ryan Kovar, Mick Baccio, and Audra Streetman for another episode of Coffee Talk with SURGe. The team from Splunk will discuss the latest security news, including: Mick and Ryan competed in a 60 second charity challenge about how generative artificial intelligence could be used in cyber threat intelligence, with proceeds benefiting the ACLU. The trio also discussed Microsoft's new threat actor naming taxonomy and the role of attribution in cyber threat intelligence.

Introducing the PEAK Threat Hunting Framework

Cybersecurity is an ever-evolving game of cat and mouse. As security experts come up with new ways to protect valuable digital assets, cybercriminals develop craftier techniques to bypass these defenses. Enter threat hunting – the proactive practice of ferreting out those sneaky cyber-rodents.

Are you a good or great boxer? Real-world approaches of building cyber resilience in 2023

You must have been asleep not to have heard about Splunk’s new mission - ‘to build a safer and more resilient digital world’. Why have we chosen this? Well, not because it is a snappy little tagline, but because we know how important digital resilience is to all of our customers in our ever changing times.

Send Your SOAR Events to Splunk

During a recent Proof of Concept (PoC) for Splunk SOAR with an existing customer of Splunk Enterprise Security (ES), I was asked if it was possible to send events/containers available in Splunk SOAR to Splunk ES as a Notable Event. While the reverse process of sending ES Notable Events to Splunk SOAR is highly documented, I was surprised to find hardly any documentation about the use case my customer brought up during the PoC. Hence, my cue to write my first ever Splunk blog!

Splunk SOAR Playbooks - Dynamic Identifier Reputation Analysis (Part 1)

The Dynamic Identifier Reputation Analysis playbook is an essential tool for any security operations center (SOC) team looking for a comprehensive view of their environment’s threat landscape. By leveraging MITRE DEFEND's approach for dynamic identifier reputation analysis, SOC teams can quickly identify potential threats and vulnerabilities and take proactive steps towards mitigating risk before it causes damage.

Splunk SOAR Playbooks - Dynamic Identifier Reputation Analysis (Part 2)

The Dynamic Identifier Reputation Analysis playbook is an essential tool for any security operations center (SOC) team looking for a comprehensive view of their environment’s threat landscape. By leveraging MITRE DEFEND's approach for dynamic identifier reputation analysis, SOC teams can quickly identify potential threats and vulnerabilities and take proactive steps towards mitigating risk before it causes damage.

Endpoint Monitoring: The Ultimate Guide for Enterprise Security & Compliance

You keep your organization’s computers, devices and servers safe, but what about your employees’ devices? The security of their mobile phones, laptops, tablets and other devices is just as critical to your overall security posture. As company endpoints grow, so does their vulnerability. In fact, 66% of organizations are experiencing a growth in endpoint threats.

These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers

The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet.

Level Up Your Cybersecurity with Risk-Based Alerting

In our first blog in the Splunk RBA series, we introduced Risk-Based Alerting (RBA) and covered the basic principles of RBA. In the rest of this series, we explain how you can plan and then implement RBA within your organization. Are your security teams drowning in data and overwhelmed with alerts? Are you thinking that there must be a better way, some esoteric or forbidden knowledge, to produce higher-fidelity alerts and keep your team from burning out?

Coffee Talk with SURGe: The Interview Series featuring Michael Haag

Coffee Talk with SURGe: The Interview Series featuring Michael Haag Join Coffee Talk with SURGe for our bi-weekly interview series. This week, Audra Streetman interviews Michael Haag, Senior Threat Researcher at Splunk. They'll discuss his YouTube show, Atomics on a Friday, along with the Living off the Land Drivers project, which aims to consolidate vulnerable and malicious drivers into a centralized location.

Insights from Public Sector Leaders: Understanding the State of Security and Lessons learned

L et’s start with this: Global research shows over half of organisations have had a data breach, and 62% suffer from unplanned downtime on a monthly basis. The recent research figures are a stark reminder of the prevalence and current nature of security threats. It may not come as a surprise to those who follow the constant stream of media reports detailing mistakes and malicious attacks.

SOC 1, 2, 3 Compliance: The 2023 Guide to Understanding & Achieving SOC Compliance

Imparting your data to an organization, whether you are a private individual or another organization yourself, requires an incredible amount of trust. How can you be sure that they will handle your sensitive information properly? For specific industries, stringent standards and regulations are in place to ensure cybersecurity. For example, HIPAA for healthcare and PCI DSS for payment card processing companies reassure customers and companies that data is protected.

CISO Matters: How to Win Security Allies and Influence the Business

The rumors are true: it can get lonely at the top. As a CISO, I have many teams below me, a board of directors to keep happy and an organization to protect. This is nothing new, and at this stage of my career, I’ve become familiar with the many challenges — and even greater rewards — that go hand in hand with leading. Of course, it helps that I’ve been managing from the jump.

Vulnerability Types: 5 Types of Vulnerabilities You Need To Know

A vulnerability is any flaw or weakness within the technology system that cybercriminals can exploit to gain unauthorized access to a network, information assets and software applications. For any organization today, there are plenty of vulnerabilities. Knowing where and how vulnerabilities can exist, you can start to get ahead of them. So, let’s look at the 5 most important types of vulnerabilities.

The ISO/IEC 27001 Standard for InfoSec: Meaning, Importance & Requirements

ISO/IEC 27001 is the international standard on information security. It was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to stipulate the framework for implementing Information Security Management Systems (ISMS) in an organized and risk-effective way. For this article, we’ll mostly refer to ISO 27001, but know that we’re referring to both ISO/IEC 27001. Got it? Let’s begin!

FedRAMP Compliance: What It Is, Why It Matters & Tips for Achieving It

Data security is a major concern for almost everyone. From organizations to individuals, most of us who use or supply cloud-based services want to ensure that our information stays confidential and accessible. However, these concerns are amplified to national security when government data is the subject. That’s why the U.S.government has a stringent set of security requirements known as FedRAMP®. All cloud vendors that provide services to federal agencies must comply with these standards.

The Credential Stuffing Guide: How To See & Stop Credential Stuffing Attacks

What do cybercriminals do with the information they obtain during a data breach? Most of the time, it results in credential stuffing. Credential stuffing is a cyberattack where criminals systematically use stolen data to test usernames and passwords across multiple online platforms. Bad actors gain access to these accounts for financial gain, identity theft and other malicious purposes.

The Shared Responsibility Model for Security in The Cloud (IaaS, PaaS & SaaS)

Cloud security incidents are skyrocketing. In fact, nearly half (45%) of all security incidents target cloud-based services. Another angle: 80% of business organizations experienced at least one cloud security breach incident last year. (Arguably the worst part here is that, when a system is breached, the average dwell time is 9 weeks.) Still, over 72% of businesses plan to continue investing in the cloud. So how do you make cloud computing a secure environment for sensitive business information?

Coffee Talk with SURGe: 2023-APR-04 3CX Supply Chain Compromise, Medical Device SBOMs, ChatGPT

Grab a cup of coffee and join Ryan Kovar, Mick Baccio, and Audra Streetman for another episode of Coffee Talk with SURGe. The team from Splunk will discuss the latest security news, including: Audra and Mick competed in a 60 second charity challenge on whether or not they see artificial intelligence reaching singularity, with proceeds benefiting DataEthics4All. The trio wrapped up with a deep dive into the RESTRICT ACT and proposed TikTok ban in the United States.

The State of Security 2023: Collaboration Is Essential For Building Resilience

Security is, and always has been, a tough job. Security teams continue to face escalating cyberattacks while being bombarded by false positives and clocking more hours due to staffing shortages. However, security leaders and practitioners alike also understand that these crises are inevitable — and are increasingly focusing their efforts on recovering as quickly and efficiently as possible when disaster strikes.

Using Workflow Actions & OSINT for Threat Hunting in Splunk

Picture yourself, a threat hunter using Splunk, and the words "workflow action" are uttered by your helpful security Splunker... Workflow actions make you a faster and more effective security analyst. They allow you to skip the laborious steps of logging into various websites to do your job and just get straight to business.