Splunk wants you to monitor your employees' behaviour
Analytics firm says it can help you identify insider threats
Splunk has announced a new tool to identify insider threats and upgraded its security offering to keep security analysts one step ahead of hackers.
The first product is Splunk Enterprise Security 4.0, the latest version of its signature security software that used to be known as the Splunk App for Enterprise Security.
New with the tool are three features aimed at helping security analysts focus on responding to attacks and discovering threats.
Investigator Journal automatically tracks an analyst's investigation for compliance reasons, rather than forcing them to interrupt the investigation to compile a log of what they are doing for HR.
Speaking to IT Pro at Splunk's .conf2015 event in Las Vegas yesterday, chief security evangelist Monzy Merza said: "It shows the analyst all of their activity, so any dashboard they went to, any foreign field they filled in, anything they did with enterprise security, it's there.
"It's really trying to enable the analyst to bring focus to the investigation rather than to all these other reporting requirements, because honestly most analysts hate that part of their job."
Investigator Timeline lets security professionals keep a separate timeline logging the actions of the hacker or the attack.
Merza said it puts an end to the messy notes kept by most analysts in the course of an investigation.
"There's notes on paper, Excel sheets copied and pasted and a browser open with 55 tabs. That makes it really difficult to maintain context, [to] move forward in an organised fashion," he said.
"The timeline allows you to quickly add any event you're looking at in your investigation to it, so you can keep marching on."
It also lets different security team members place events, actions and annotations into the timeline.
Lastly, the Enterprise Security Framework allows developers, customers and vendors to extend security with apps that utilise the framework's alert management, risk, threat intelligence, and the identity and asset features.
"Anyone can build additional content on top of enterprise security, whether customer, partner or someone building content," said Merza.
"They can just put it out there with any mechanism they want and it can be quickly incorporated into enterprise security."
Tracking the insider threat
Splunk's other security announcement concerns its acquisition of behavioural analytics firm Caspida in July, folding it into its product range as Splunk User Behavior Analytics (UBA), and it is designed to pick up on insider threats.
Merza explained: "You can profile users' behavioural activity. It's in real-time as well as doing it over long time periods - multiple days, multiple weeks, because we know people's activities aren't always smash and grab, sometimes they last over much longer periods of time."
The other thing it allows you to do is compare any user to his or her peers, to look for unusual behaviour for that job role.
"So if you and I are engineers in the same organisation, by and large our behaviour would be very similar, but we can analyse if something different's happening [and find] maybe your credentials are compromised," Merza said.
"Too many attempts to log in, logging in from different places, moving large files, all of those types of things. We could bundle that up and look at it as one problem and conclude maybe there's some data exfiltration going on."