When you take a close look at the Continuous Diagnostics and Mitigation (CDM) function at the heart of a successful cybersecurity program, you quickly realize that it all depends on integration. It isn’t that the individual components of the program aren’t absolutely essential. But with cyber-attacks gaining in number and sophistication, the true power of CDM is in the ability to overlay multiple datasets to create a single lens for tracking, assessing, and responding to threats.

As Denmark’s largest power, utility and telecommunications company servicing 1.5 million customers, Norlys understands the need for fast response to security alerts. When the company first started, the Norlys security team built their own log analytics and incident response capabilities from the ground up. This homegrown approach presented challenges, including manual workflows, too many repetitive tasks and difficult-to-maintain processes.

What is the benefit of combining the power of Data Stream Processor (DSP) and Splunk Phantom? I will give you a hint - the answer involves speed and extensibility. In today's security landscape, speed to detect and mitigate security attacks or outages is of the utmost importance. A slow response to a security incident can have a detrimental impact to your organization's bottom line.

I used to have a cat who loved ice cream. I think I may have given her some as a kitten, and from then on, anytime that she saw someone eating ice cream she would do her best to try and steal some from them. And even if she didn’t really seem to enjoy a particular flavor, she still seemed driven to try and steal that person’s ice cream. Like my cat stealing ice cream, bad guys are constantly trying to target organizations and their data for nefarious purposes.

A few weeks ago, researching another topic, I posed a question - Which domain within the security ecosystem has struggled to move the needle over the past few years? After trawling through a multitude of annual breach analysts reports (Verizon Breach Report, M-Trends, et al., I concluded that “identities accessing cloud infrastructure” was an irritatingly tough nut to crack.

With cloud computing growing at a phenomenal rate across the world, shifts in consumer behavior towards digital services are resulting in evolutionary changes for the banking, financial services and insurance industry. Cloud-based banking, for example, is regarded as a catalyst for business transformation and a turning point in financial services. Cyber safety, however, has become a key concern holding back cloud adoption in many organizations.

Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called “Ransomware Activity Targeting the Healthcare and Public Health Sector.” This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies.

Several weeks ago, my good friend Katie Nickels (Director of Intelligence at Red Canary extraordinaire) and I were chatting about Ransomware. She was super interested and passionate about some new uses of a ransomware variant named “Ryuk” (first detected in 2018 and named after a manga/anime character) [1]. I was, to be honest, much less interested. It turns out, as usual, Katie was right; this was a big deal (although as you will see, I’m right too… still dull stuff!).

Here at Splunk, when we discuss Splunk Phantom with customers we end up talking about phishing pretty frequently because it’s something like Olivia outlined in a recent blog post, "Between Two Alerts: Phishing Emails — Don’t Get Reeled In!", customers both encounter and talk to us about all the time. It makes a lot of sense — phishing is a super common issue that almost everyone deals with ad nauseum and it’s annoying to investigate.

In a recent post by the Splunk Threat Research team, we addressed permanent and temporary token/credential abuse in AWS and how to mitigate credential exposure. With 94% of Enterprises using a cloud service, and some using at least five different cloud platforms, it’s imperative to stay ahead of threats across multicloud environments. Let’s now turn our attention to Google Cloud Platform (GCP) and how to detect and mitigate OAuth Token Abuse.