Splunk Live in RTP - March-2014-Jeff-Bollinger-Cisco

Mar 14, 2014Download as PPT, PDF2 likes711 views

This document discusses using Splunk as a security information and event management (SIEM) tool. It describes the author's role responding to security incidents at Cisco Systems, which has over 100,000 employees, 150,000 servers, and indexes almost 1 terabyte of log data daily. The document contrasts old approaches that relied on vendor-provided reports with new approaches like hunting for threats by building custom queries. It also discusses strategies for hunting versus gathering, with gathering meaning saving repeatable queries as reports or playbooks to enable automated detection of known threats.

Copyright © 2014 Splunk Inc.
Splunk the SIEM
Jeff Bollinger 0x506682C5
Technical Leader and Infosec Investigator: CSIRT
Cisco Systems, Inc.
https://blogs.cisco.com/author/jeffbollinger/
https://twitter.com/jeffbollinger

About Me...
– Cisco Computer Security Incident Response Team (CSIRT)
– CSIRT = Security Monitoring and Incident Response
– Architecture, Engineering, Research, and Investigations
– Enterprise global threat and 24x7 incident response

The Numb3rs
Cisco Systems Inc.:
–100 countries
–130,000 employees (with laptops and phones)
–150,000 servers of all types
–40,000 routers
–1,500 labs
–1 CSIRT analyst for every 7,000 employees

The Numb3rs
Cisco indexes almost 1Tb of log data per day

Incident Response Basics
•What am I trying to protect?
•What are the threats?
•> How do I detect them?
•How do we respond?

Out With The Old
• You don’t know what you don’t
know
• Buy and trust a SIEM to run canned
reports
• Wait for updates from the vendor
• Try to edit/create custom reports
• Build your own collection infrastructure
• Data-centric approach
• Build your own reports
• Research your own intelligence
• Operationalize and optimize!
The Old Way The New Way

playbook | plā bŏk|ˈ ˌ
(noun)
A prescriptive collection of repeatable
queries (reports) against security event data
sources that lead to incident detection and
response.
Analyze: SIEM

A Note on Strategy
Hunting vs. Gathering

Hunting: Build a Query – Find Bad Stuff
• Start with the obvious and simple:
index=wsa earliest=-24h x_wbrs_score=ns
English translation: Splunk, look at our web proxy
logs over the past 24 hours, and give me all the
web sites (objects) that had no known reputation
score.

Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns
Let me stop you right there…

Hunting: Build a Query – Find Bad Stuff
• Filter based on unique attributes:
index=wsa earliest=-24h x_wbrs_score=ns |where isnull(cs_referer)
English translation: Splunk, look at our web proxy
logs over the past 24 hours, and give me all the
web sites (objects) that had no known reputation
score, and there was no HTTP referrer.

Hunting: Build a Query – Find Bad Stuff
index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
Ok getting better, sort of…

Hunting: Build a Query – Find Bad Stuff
• Filter, refine, filter, refine:
index=wsa earliest=-24h application/x-dosexec ns GET 200
x_wbrs_score=ns cs_method=GET sc_http_status=200
cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR
cdn) | where isnull(cs_referer)
English translation: Splunk, query our web proxy logs over the past
24 hours, and give me all the web sites (objects) that had no known
reputation score, and there was no HTTP referrer, where either
Java or Internet Explorer successfully downloaded an executable
file from a site that didn’t have ‘mirror’ or ‘CDN’ in the URL.

Hunting: Build a Query – Find Bad Stuff
Here we go!
index=wsa earliest=-24h application/x-dosexec ns GET 200
x_wbrs_score=ns cs_method=GET sc_http_status=200
cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR
cdn) | where isnull(cs_referer)

Gathering: Build a Query – Find Bad Stuff
If you can find or create a re-usable pattern, you
can save a search, make a report, and
automate!
16

$Gathering: Build a Query – Find Bad Stuff For example: this query will detect the Tracur clickfraud trojan: index=wsa earliest=-6h@h m cs_url="*/m/*” MSIE (NOT (cs_referer="*")) | regex cs_url="^http://(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?). (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/m/[A-Za-z0-9/+] {50,1000}$" http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fTracur$

Do It Yourself
Once you have:
• Solid, repeatable, saved searches
• Research and intelligence gathering
• Consistent handling procedures
• Documentation and tuning
You have your own SIEM, running in Splunk, and completely custom to
your organization.

This document discusses using Splunk as a security information and event management (SIEM) tool. It describes how Cisco's Computer Security Incident Response Team (CSIRT) uses Splunk to monitor over 1 terabyte of log data per day across Cisco's global operations. The document contrasts old approaches that relied on vendor-provided reports with new approaches like hunting for threats by building custom queries. It emphasizes an iterative process of filtering, refining queries to find bad traffic and saving reusable searches to automate threat detection.

Cisco and Splunk: Under the Hood of Cisco IT Breakout SessionSplunk

Cisco has a long-standing relationship with Splunk, using its software and services for IT operations, security analytics, and other purposes across its global data centers. Some key points: - Cisco has used Splunk for over 7 years to monitor over 70 applications and aggregate data from various systems. - Splunk helps Cisco improve IT operations by reducing issues by 50% and resolution times by 90%, and reducing operational costs by 80%. - Cisco's security team uses Splunk to conduct investigations, detecting up to 2-3 million security events per day from various sources. This allows for faster investigations and automated tasks. - Cisco designs and validates architectures for running Splunk on its Cisco UCS servers

Intermedia Customer PresentationSplunk

Ryan Barrett, VP of Security and Privacy at Intermedia, and Ninad Bhamburdekar, Security Engineer at Intermedia, presented on how Intermedia uses Splunk Cloud. Intermedia is a cloud-based business services company that provides services like email, file sharing, and identity management to over 70,000 customers. They needed a security information and event management solution to monitor their large and complex global IT environment with limited security personnel. Splunk Cloud enabled Intermedia to gain security capabilities like threat assessment, real-time monitoring, and security dashboards while also expanding to DevOps and business analytics use cases.

Splunk @ AdobeSplunk

Splunk is a software company headquartered in San Francisco with additional offices in London and Hong Kong. They have over 2,100 employees and annual revenue of $668.4 million, growing 49% year-over-year. Their products include Splunk Enterprise, Splunk Cloud, and other solutions for collecting, analyzing, and visualizing machine-generated data from websites, applications, sensors, and other sources. Splunk has over 11,000 customers across more than 110 countries, including 80 of the Fortune 100. Their largest customer indexes over 1 petabytes of data per day.

Splunk in the Cisco Unified Computing System (UCS) Splunk

Cisco has been a Splunk customer for 8 years, with a strong engineering partnership for 3+ years. Learn how several Cisco customers as well as Cisco IT have deployed, grown, and transformed our businesses using the advantages of Splunk Enterprise software together with Cisco UCS and Nexus hardware. We will also talk about scalability and performance considerations for all scales of data footprint and business growth.

Splunk for DevelopersSplunk

This document discusses Splunk for developers. It provides an overview of empowering developers with Splunk, building Splunk apps, and gaining application intelligence across the development lifecycle. Key points include instrumenting application logs for insights, integrating and extending Splunk, building unit testing and code integration, and gaining end-to-end visibility across development tools. The document also discusses resources for Splunk developers including tutorials, code samples, SDKs, and developer licenses.

Customer Presentation - Financial Services OrganizationSplunk

The document discusses the experience of migrating from an old SIEM to Splunk Enterprise Security (ES). Key points include: - The old SIEM was difficult to maintain, slow, and lacked community support. Splunk provided better performance and capabilities. - Logs were migrated to Splunk one source at a time after normalization. Analysts found Splunk easier to use. - A proof of concept with ES showed its advanced correlations, dashboards, and incident management capabilities beyond core Splunk. - ES provides templates for searches, alerts, and workflows that would have taken months to recreate. It is a more complete SIEM solution.

Getting Started with Splunk EnterpriseSplunk

1. The presentation provides an overview of Splunk and how it can be used to access, analyze, and gain insights from machine data. 2. It demonstrates Splunk's core capabilities like universal data ingestion, schema-on-the-fly indexing, and fast search capabilities. 3. The presentation concludes with a demo of Splunk's interface and basic functions like searching, field extraction, alerting, and reporting.

SplunkLive! Customer Presentation - Cardinal HealthSplunk

This document summarizes Patrick Farrell's role as the Sr. Software Engineer and Splunk administrator at Cardinal Health, a Fortune 500 healthcare company. It describes how Splunk has helped Cardinal Health improve root cause analysis, gather customer usage statistics, increase efficiencies, and provide more proactive customer support. Specifically, Splunk reduced the time to resolve issues from hours to seconds, improved systems uptime and performance, and increased customer satisfaction. The document provides recommendations on best practices for implementing Splunk and describes Cardinal Health's plans to expand Splunk usage.

SplunkLive! Customer Presentation – athenahealthSplunk

The document summarizes Splunk adoption at athenahealth, a cloud-based healthcare services company. It discusses how Splunk has provided athenahealth's security teams visibility into various data sources to help prioritize threats and incidents. Specifically, Splunk Enterprise Security is used by the Security Incident Response Team. Over 10 power users consume 400GB of data per day from hundreds of forwarders. Splunk has improved efficiency, reduced alert fatigue, and allowed for better investigation and correlation of security information.

SplunkLive! Customer Presentation - Penn State Hershey Medical CenterSplunk

This document discusses Jeff Campbell's role as the Information Security Architect at Penn State Hershey Medical Center and their use of Splunk. It describes how Penn State Hershey Medical Center has over 9,000 employees and a combined $1.5 billion budget across its institutes and hospitals. It outlines some of the challenges they faced with decentralized logging prior to Splunk, and how Splunk provided a centralized log repository allowing for faster searching and correlation across systems. It provides examples of how Penn State Hershey is using Splunk for security use cases, operational improvements, and additional sources. It also discusses their Splunk architecture and future plans to expand Splunk usage.

Getting Started with Splunk EnterpriseSplunk

Splunk for DevelopersSplunk

Here are some key considerations for architecting a Splunk application: - Define a data model and taxonomy - Map data sources to common schemas and entities. This allows for unified search, reporting and alerts. - Partition data appropriately - Separate apps by function, team, data type or other logical boundaries. Consider security, scalability and maintenance. - Choose input methods based on data volume and type - Streaming for high volume, modular/scripted for custom parsing. Consider HTTP Event Collector, TCP or file monitors. - Design for scalability - Distribute data and workloads across multiple Splunk instances. Consider sharding, clustering, load balancing. - Implement modular and reusable components - Custom searches, lookups

Yodlee Customer PresentationSplunk

This document summarizes Yodlee's use of Splunk over the past 5 years. It discusses how Yodlee initially started with a small Splunk license in 2010 and has since expanded usage across multiple teams. Splunk is now used for troubleshooting, monitoring production servers and databases, and security monitoring. The document also outlines Yodlee's plans to further expand Splunk usage to additional data sources and servers.

Splunk at Weill Cornell Medical CollegeSplunk

Tom McMahon is the Security Engineering Manager at Weill Cornell Medical College. They have grown their security team from 2 to 12 people over 5 years. Splunk has become a central tool for their security operations and IT operations. It has improved security response times, increased visibility across their networks and systems, and allowed for better operational reporting and metrics. Splunk consolidates logs from many different systems and applications, providing a single pane of glass. It has replaced their legacy SIEM which was at capacity.

Getting Started with Splunk Enterprise Hands-On Breakout SessionSplunk

Getting Started with Splunk Enterprise Hands-OnSplunk

This document provides an overview and demonstration of Splunk software. It outlines an agenda to discuss why Splunk, how to install and use Splunk through a live demonstration, Splunk deployment architectures, and communities for help. The live demonstration shows importing sample data, performing searches, creating alerts and dashboards. It also discusses pivoting, field extraction, analytics, and scaling Splunk deployments.

AdvancedMD Customer PresentationSplunk

This document summarizes Tyler Germer's presentation on AdvancedMD's use of Splunk for log management and monitoring. Some key points: - AdvancedMD uses Splunk to gain visibility across its infrastructure including applications, networking, and other systems. This has helped reduce troubleshooting time. - Their Splunk deployment includes indexers, search heads, forwarders and syslog servers ingesting logs from over 600 systems. - Splunk has provided operational intelligence and helped identify issues quickly, such as spotting errors in a software release within 30 minutes. - AdvancedMD aims to expand Splunk usage to other teams and applications and upgrade their deployment.

DevSum - Top Azure security fails and how to avoid themKarl Ots

Group Health Cooperative Customer PresentationSplunk

Group Health Cooperative uses Splunk's software and CIRTA system to conduct incident response. It ingests logs from various systems using Splunk and analyzes the data to detect anomalies and security incidents. When incidents are found, CIRTA is used to track, investigate, and categorize each incident to measure the effectiveness of the response. Examples provided show how Splunk detected phishing attempts and vulnerable systems to help Group Health address security issues.

Wipro Customer PresentationSplunk

This document discusses Wipro's experience helping a customer transition from their existing SIEM platform to Splunk for security monitoring and analytics. It describes how Wipro guided the customer through a two-phase implementation: first standing up a hybrid on-premise/cloud Splunk deployment to address immediate needs, and now expanding that deployment to 500GB/day in Splunk Cloud and 200GB/day on-premise to accommodate growing data and use cases. The transition yielded significant improvements in search performance, data ingestion and parsing flexibility, and enhanced security visualization and analytics capabilities.

Security as Code owaspShannon Lietz

The document outlines the security configuration procedures for an organization. It details the DevSecOps approach taken with sections for security engineering, operations, compliance operations, and security science. It also outlines response times for certain security issues and the roles used within IAM. Diagrams show how tools, accounts, and data are integrated between security teams and AWS services.

Principles of Chaos Engineeringh_marvin

FAUG Jyväskylä 28.5.2019 - Azure MonitoringKarl Ots

This document discusses monitoring real-life Azure applications. It provides an overview of the Azure monitoring tools and services including Application Insights, Log Analytics, Azure Monitor, Activity Logs, and Azure Security Center. It explains how these tools can be used to monitor applications, hosts, infrastructure, and platforms. The document also discusses collecting and analyzing Azure logs and metrics across multiple subscriptions and accounts for security monitoring in an enterprise environment.

SplunkLive! Customer Presentation - Satcom DirectSplunk

Splunk is used by Satcom Direct for monitoring aviation systems, tracking aircraft in flight, and analyzing business data. Logs from networking devices, phone systems, satellite communications systems and aircraft position reports are fed to Splunk. This allows Satcom Direct to provide a single dashboard for support technicians to monitor systems, see customer information and receive alerts. Splunk is also used to visualize aircraft flight paths on maps and analyze business metrics like call volumes to different countries to improve contracts.

Splunking configfiles 20211208_daniel_wilsonBecky Burwell

Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseKarl Ots

In this session Karl will walk you through the fundamentals of building a comprehensive Azure Governance model, based on real-life experiences with working on multi-vendor hybrid IaaS / PaaS projects in the enterprise. When proper governance model is followed, you can ensure your teams are operating in a secure and compliant Azure environment during design, development and operations. After this session, you should have a better understanding of Azure governance best practices and in-house team roles & responsibilities. You should also have an overview of the technical implementation of governance controls. As presented in Antwerpen, Belgium at 22nd of May 2019.

SplunkLive! Austin Customer Presentation - BaylorSplunk

- Baylor University is a private Christian university in Waco, Texas with over 17,000 students. The CISO, Jon Allen, built the university's security program from the ground up over 17 years. - Before Splunk, it was difficult and inefficient for the security team to search logs and get the information they needed across different systems in a timely manner. - Splunk provided a single platform to integrate and search all their log data, allowing the security team to quickly gain visibility, troubleshoot issues, and meet compliance requirements. It also helped break down silos between different IT teams. - Splunk has improved operational efficiency by reducing the time to find information from hours to minutes. It also fosters

Gov & Education Day 2015 - Tim Lee, City of Los AngelesSplunk

Tim Lee, CISO, City of Los Angeles Learn how the City of Los Angeles, faced with tight budgets and limited security personnel, successfully implemented a data-focused approach to ensuring cybersecurity across departments. The CISO of the City, Timothy Lee, details how the City built an Integrated Security Operations Center, analyzing 14 million+ events per day, using Splunk Cloud and the Splunk App for Enterprise Security.

Using Big Data for CybersecuritySplunk

More Related Content

What's hot (20)

SplunkLive! Customer Presentation - Cardinal HealthSplunk

SplunkLive! Customer Presentation – athenahealthSplunk

SplunkLive! Customer Presentation - Penn State Hershey Medical CenterSplunk

Getting Started with Splunk EnterpriseSplunk

Splunk for DevelopersSplunk

Yodlee Customer PresentationSplunk

Splunk at Weill Cornell Medical CollegeSplunk

Getting Started with Splunk Enterprise Hands-On Breakout SessionSplunk

Getting Started with Splunk Enterprise Hands-OnSplunk

AdvancedMD Customer PresentationSplunk

DevSum - Top Azure security fails and how to avoid themKarl Ots

Group Health Cooperative Customer PresentationSplunk

Wipro Customer PresentationSplunk

Security as Code owaspShannon Lietz

Principles of Chaos Engineeringh_marvin

FAUG Jyväskylä 28.5.2019 - Azure MonitoringKarl Ots

SplunkLive! Customer Presentation - Satcom DirectSplunk

Splunking configfiles 20211208_daniel_wilsonBecky Burwell

Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseKarl Ots

SplunkLive! Austin Customer Presentation - BaylorSplunk

SplunkLive! Customer Presentation - Cardinal HealthSplunk

SplunkLive! Customer Presentation – athenahealthSplunk

SplunkLive! Customer Presentation - Penn State Hershey Medical CenterSplunk

Getting Started with Splunk EnterpriseSplunk

Splunk for DevelopersSplunk

Yodlee Customer PresentationSplunk

Splunk at Weill Cornell Medical CollegeSplunk

Getting Started with Splunk Enterprise Hands-On Breakout SessionSplunk

Getting Started with Splunk Enterprise Hands-OnSplunk

AdvancedMD Customer PresentationSplunk

DevSum - Top Azure security fails and how to avoid themKarl Ots

Group Health Cooperative Customer PresentationSplunk

Wipro Customer PresentationSplunk

Security as Code owaspShannon Lietz

Principles of Chaos Engineeringh_marvin

FAUG Jyväskylä 28.5.2019 - Azure MonitoringKarl Ots

SplunkLive! Customer Presentation - Satcom DirectSplunk

Splunking configfiles 20211208_daniel_wilsonBecky Burwell

Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseKarl Ots

SplunkLive! Austin Customer Presentation - BaylorSplunk

Viewers also liked (9)

Gov & Education Day 2015 - Tim Lee, City of Los AngelesSplunk

Using Big Data for CybersecuritySplunk

SplunkLive! Nutanix Session - Turnkey and scalable infrastructure for Splunk ...Splunk

Nutanix provides a turnkey and scalable infrastructure for Splunk in 3 sentences: 1) The Nutanix solution uses SSD and a scale-out datacenter appliance to address Splunk's IO intensity and provide faster time to value. 2) It employs a scale-out cluster to eliminate server sprawl and simplify adding more data sources. 3) The converged and software-defined Nutanix platform virtualizes Splunk for enterprise features while improving performance, capacity, and manageability over direct deployment.

Splunk Webinar: Splunk App for Palo Alto NetworksGeorg Knon

This document contains an agenda and presentation materials for a webinar on integrating Splunk and Palo Alto Networks. The agenda includes overviews of Splunk and Palo Alto Networks, a live demo of their integration, and a Q&A section. The presentation materials provide more details on how each company's products work, examples of how they can be used together for security monitoring, investigation and reporting, and next steps for engaging with Splunk and Palo Alto Networks.

SplunkLive! Splunk for SecuritySplunk

This document provides an overview of Splunk software for security applications. It begins with an agenda for a Splunk security presentation, then discusses challenges facing security teams like advanced threats and limitations of existing security information and event management (SIEM) systems. The document demonstrates how Splunk can collect all types of machine data, perform fast searches and analytics, and be deployed more easily than traditional SIEMs. Use cases shown include incident investigations, compliance reporting, and real-time monitoring of known and unknown threats. The document highlights Splunk's customer base, performance in industry evaluations, and integrations with security vendors. It concludes by inviting the reader to learn more about Splunk on their website or contact sales.

Splunk for DevOps - Faster Insights - Better CodePhilipp Drieger

Splunk is a platform that allows users to search, monitor, and analyze machine-generated data. It collects data from various sources like servers, applications, sensors, and mobile devices. This document discusses how Splunk can be used for application delivery and DevOps. It provides end-to-end visibility across development pipelines and helps accelerate software development cycles. Splunk also allows monitoring of key performance indicators and troubleshooting of issues in production. Customer case studies demonstrate how Splunk reduced error rates and improved continuous integration.

Splunk for Enterprise Security and User Behavior AnalyticsSplunk

This session will review Splunk’s two premium solutions for information security organizations: Splunk for Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). Splunk ES is Splunk's award-winning security intelligence solution that brings immediate value for continuous monitoring across SOC and incident response environments – allowing you to quickly detect and respond to external and internal attacks, simplifying threat management while decreasing risk. Splunk UBA is a new technology that applies unsupervised machine learning and data science to solving one of the biggest problems in information security today: insider threat. You’ll learn how Splunk UBA works in tandem with ES, or third-party data sources, to bring significant automated analytical power to your SOC and Incident Response teams. We’ll discuss each solution and see them integrated and in action through detailed demos.

Webinar: Splunk Enterprise Security Deep Dive: AnalyticsSplunk

Splunk Enterprise Security (ES) ist ein Analytics-getriebenes SIEM, das Security Operations Teams erfolgreich bei der Gefahrenbekämpfung unterstützt. Aber wussten Sie auch schon, dass es aus einem Framework aufgebaut ist, das ganz individuell genutzt werden kann, um spezifische Sicherheitsanforderungen angehen zu können? In unserem Webinar zeigen wir Ihnen die technischen Details hinter dem ES-Framework: - Asset- und Identitäts-Korrelationen - beachtenswerte Events - Threat intelligence - Risikoanalyse - Investigation und Adaptive Response Wir werden Alltags-Beispiele besprechen und Ihnen anhand einer Demo die Schlüssel-Frameworks zeigen, die Ihnen dabei helfen werden, Securityprobleme zu lösen.

QRadar, ArcSight and Splunk M sharifi

The document provides a review and comparison of the QRadar, ArcSight, and Splunk SIEM platforms. It summarizes their key capabilities and components. For each solution, it outlines strengths such as integrated monitoring, analytics features, and scalability. It also notes weaknesses such as complexity, customization limitations, and high data volume licensing costs. The comparison finds QRadar well-suited for smaller deployments, ArcSight for medium-large organizations, and notes Splunk's log collection strengths but limited out-of-the-box correlations compared to competitors. Gartner assessments for each platform cover visibility trends, deployment challenges, and roadmap monitoring advice.

Gov & Education Day 2015 - Tim Lee, City of Los AngelesSplunk

Using Big Data for CybersecuritySplunk

SplunkLive! Nutanix Session - Turnkey and scalable infrastructure for Splunk ...Splunk

Splunk Webinar: Splunk App for Palo Alto NetworksGeorg Knon

SplunkLive! Splunk for SecuritySplunk

Splunk for DevOps - Faster Insights - Better CodePhilipp Drieger

Splunk for Enterprise Security and User Behavior AnalyticsSplunk

Webinar: Splunk Enterprise Security Deep Dive: AnalyticsSplunk

QRadar, ArcSight and Splunk M sharifi

Similar to Splunk Live in RTP - March-2014-Jeff-Bollinger-Cisco (20)

Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty

The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments. In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company. Visualization. Data science. No machine learning. But pretty pictures. Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence: http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?

RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash

The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform. Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security. For more signup(it's free): www.cisoplatform.com

My tryst with sourcecode reviewAnant Shrivastava

- The author discusses their journey doing source code reviews to find bugs in WordPress plugins and themes. They started with just two people manually reviewing code but then automated the process and expanded their team. - Through their Phase 1 efforts analyzing over 250 plugins, they found over 250 issues. They are now focusing on authenticated vulnerabilities in Phase 2 like SQL injection, XSS, and CSRF. - They have created some open source tools to help with the process and are seeking volunteers to help make open source software more secure by joining their Codevigilant platform.

Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk

This document provides an agenda and overview of a Splunk Enterprise security workshop focusing on web attacks, lateral movement, and DNS exfiltration. The agenda includes introductions, demonstrations of SQL injection detection using regular expressions, detecting lateral movement through abnormal network traffic patterns, and using Shannon entropy and subdomain length to identify DNS exfiltration. Hands-on exercises are provided to allow attendees to search pre-loaded machine data and gain experience detecting these common security incidents.

Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk

The document provides information about detecting various types of cyber attacks using Splunk, including web attacks, lateral movement, and DNS exfiltration. It includes examples of search queries and apps that can be used in Splunk to detect SQL injection, pass-the-hash attacks, and DNS tunneling used for data exfiltration. The document demonstrates how machine data from different sources can be analyzed in Splunk to gain visibility into attack behaviors and detect security incidents.

Splunk September 2023 User Group PDX.pdfAmanda Richardson

Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk

This document provides information about detecting various web attacks and lateral movement in a Splunk environment. It includes examples of searches to detect SQL injection and pass the hash attacks in event data, as well as how to identify lateral movement by analyzing changes in network traffic patterns. DNS exfiltration techniques are also discussed, along with using Shannon entropy and subdomain length to identify potential data exfiltration in DNS query logs.

Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin

Splunk Enterpise for Information Security Hands-OnSplunk

Splunk is the ultimate tool for the InfoSec hunter. In this unique session, we’ll dive straight into the Splunk search interface, and interact with wire data harvested from various interesting and hostile environments, as well as some web access logs. We’ll show how you can use Splunk Enterprise with a few free Splunk applications to hunt for attack patterns representing SQL injection, data exfiltration, and C2 communication. We’ll show how to find evidence of RATs, brute force attempts, and directory traversal. Finally, we'll also demonstrate some ways to add context to your data in order to reduce false positives and more quickly respond to information. Bring your laptop – you’ll need a web browser to access our demo systems.

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates

The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor

Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.

Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl

Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA

This document discusses advanced threat hunting and identifying zero-day attacks infiltrating organizations. It begins with background on the speaker and an overview of the evolving threat landscape, including nation-states, criminal enterprises, and hacktivists. It then discusses how advanced threats may not be as sophisticated as assumed and how threats often "live off the land" by using existing tools to blend in. The document emphasizes that advanced threat hunting requires knowing what to look for, as threats can enter opportunistically but cause damage over time. It provides examples of living off the land techniques like using PowerShell and internal sites for command and control. The conclusion stresses the importance of understanding one's environment and capabilities when conducting threat hunting.

Incorporating Threat Intelligence into Your Enterprise Communications Systems...EC-Council

It is well known that computer exploitation will continue to increase in prevalence and sophistication. Computer network attacks and data exfiltrations are most successful when the methods of exploitation traverse the entry and egress vectors that are least expected and least defended in your network. Most of the time, no matter how well your perimeter is guarded, the user still represents the weakest avenue into that network. A clear need exists to better protect data transmitted and received by the user. But what are we to do when signature-based detection has long been defeated and anomaly/heuristic-based detection is not yet where we need it to be? The solution lies in enhancing the defense paradigm via the incorporation of intelligence-based security (Threat Intelligence) in the analysis of threats and discovery of malicious activity affecting your network, data, and your protected clients.

BSides_Charm2015_Info sec hunters_gathersAndrew McNicol

This document discusses techniques for going beyond automated tools and scans to hunt for vulnerabilities and gather intelligence as an information security professional. It provides defensive use cases like analyzing pcap files with tcpdump and Dshell to profile network activity. Offensive techniques discussed include pushing past roadblocks during pentests, abusing features like contact forms, and testing remediation. It emphasizes the value of learning scripting languages like Python to build your own tools for tasks like vulnerability scanning and demonstrating proof of concepts. The overall message is that security professionals should adopt a hunter/gatherer mindset to find issues missed by automated tools alone.

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl

Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.

Using Splunk for Information SecurityShannon Cuthbertson

This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.

Using Splunk for Information SecuritySplunk

Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty

RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash

My tryst with sourcecode reviewAnant Shrivastava

Splunk Enterprise for InfoSec Hands-On Breakout SessionSplunk

Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk

Splunk September 2023 User Group PDX.pdfAmanda Richardson

Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk

Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin

Splunk Enterpise for Information Security Hands-OnSplunk

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates

The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor

Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.

Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl

Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA

Incorporating Threat Intelligence into Your Enterprise Communications Systems...EC-Council

BSides_Charm2015_Info sec hunters_gathersAndrew McNicol

Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016grecsl

Using Splunk for Information SecurityShannon Cuthbertson

Using Splunk for Information SecuritySplunk

Recently uploaded (20)

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Impelsys Inc.

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Want to learn practical tips for designing systems that can scale efficiently without compromising speed? Join us for a workshop where we’ll address these challenges head-on and explore how to architect low-latency systems using Rust. During this free interactive workshop oriented for developers, engineers, and architects, we’ll cover how Rust’s unique language features and the Tokio async runtime enable high-performance application development. As you explore key principles of designing low-latency systems with Rust, you will learn how to: - Create and compile a real-world app with Rust - Connect the application to ScyllaDB (NoSQL data store) - Negotiate tradeoffs related to data modeling and querying - Manage and monitor the database for consistently low latencies

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix

Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025 https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/ Is AI just another technology, or does it fundamentally change the way we live and think? Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater. At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts. At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.

AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB

I started my online journey with several hosting services before stumbling upon Ai EngineHost. At first, the idea of paying one fee and getting lifetime access seemed too good to pass up. The platform is built on reliable US-based servers, ensuring your projects run at high speeds and remain safe. Let me take you step by step through its benefits and features as I explain why this hosting solution is a perfect fit for digital entrepreneurs.

AI and Data Privacy in 2025: Global TrendsInData Labs

In this infographic, we explore how businesses can implement effective governance frameworks to address AI data privacy. Understanding it is crucial for developing effective strategies that ensure compliance, safeguard customer trust, and leverage AI responsibly. Equip yourself with insights that can drive informed decision-making and position your organization for success in the future of data privacy. This infographic contains: -AI and data privacy: Key findings -Statistics on AI data privacy in the today’s world -Tips on how to overcome data privacy challenges -Benefits of AI data security investments. Keep up-to-date on how AI is reshaping privacy standards and what this entails for both individuals and organizations.

How analogue intelligence complements AIPaul Rowe

Artificial Intelligence is providing benefits in many areas of work within the heritage sector, from image analysis, to ideas generation, and new research tools. However, it is more critical than ever for people, with analogue intelligence, to ensure the integrity and ethical use of AI. Including real people can improve the use of AI by identifying potential biases, cross-checking results, refining workflows, and providing contextual relevance to AI-driven results. News about the impact of AI often paints a rosy picture. In practice, there are many potential pitfalls. This presentation discusses these issues and looks at the role of analogue intelligence and analogue interfaces in providing the best results to our audiences. How do we deal with factually incorrect results? How do we get content generated that better reflects the diversity of our communities? What roles are there for physical, in-person experiences in the digital world?

Procurement Insights Cost To Value Guide.pptxJon Hansen

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

Artificial intelligence is changing how businesses operate. Companies are using AI agents to automate tasks, reduce time spent on repetitive work, and focus more on high-value activities. Noah Loul, an AI strategist and entrepreneur, has helped dozens of companies streamline their operations using smart automation. He believes AI agents aren't just tools—they're workers that take on repeatable tasks so your human team can focus on what matters. If you want to reduce time waste and increase output, AI agents are the next move.

Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

Complete Guide to Advanced Logistics Management Software in Riyadh.pdfSoftware Company

Explore the benefits and features of advanced logistics management software for businesses in Riyadh. This guide delves into the latest technologies, from real-time tracking and route optimization to warehouse management and inventory control, helping businesses streamline their logistics operations and reduce costs. Learn how implementing the right software solution can enhance efficiency, improve customer satisfaction, and provide a competitive edge in the growing logistics sector of Riyadh.

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Toradex brings robust Linux support to SMARC (Smart Mobility Architecture), ensuring high performance and long-term reliability for embedded applications. Here’s how: • Optimized Torizon OS & Yocto Support – Toradex provides Torizon OS, a Debian-based easy-to-use platform, and Yocto BSPs for customized Linux images on SMARC modules. • Seamless Integration with i.MX 8M Plus and i.MX 95 – Toradex SMARC solutions leverage NXP’s i.MX 8 M Plus and i.MX 95 SoCs, delivering power efficiency and AI-ready performance. • Secure and Reliable – With Secure Boot, over-the-air (OTA) updates, and LTS kernel support, Toradex ensures industrial-grade security and longevity. • Containerized Workflows for AI & IoT – Support for Docker, ROS, and real-time Linux enables scalable AI, ML, and IoT applications. • Strong Ecosystem & Developer Support – Toradex offers comprehensive documentation, developer tools, and dedicated support, accelerating time-to-market. With Toradex’s Linux support for SMARC, developers get a scalable, secure, and high-performance solution for industrial, medical, and AI-driven applications. Do you have a specific project or application in mind where you're considering SMARC? We can help with Free Compatibility Check and help you with quick time-to-market For more information: https://www.toradex.com/computer-on-modules/smarc-arm-family

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55

Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies

SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfPrecisely

Mobile App Development Company in Saudi ArabiaSteve Jonas

EmizenTech is a globally recognized software development company, proudly serving businesses since 2013. With over 11+ years of industry experience and a team of 200+ skilled professionals, we have successfully delivered 1200+ projects across various sectors. As a leading Mobile App Development Company In Saudi Arabia we offer end-to-end solutions for iOS, Android, and cross-platform applications. Our apps are known for their user-friendly interfaces, scalability, high performance, and strong security features. We tailor each mobile application to meet the unique needs of different industries, ensuring a seamless user experience. EmizenTech is committed to turning your vision into a powerful digital product that drives growth, innovation, and long-term success in the competitive mobile landscape of Saudi Arabia.

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxAnoop Ashok