Splunking Your VoIP Gaining visibility into VoIP Phone Logs for U.S. Embassies
Bringing A Central View of Your Entire Environment into Focus
You have automated routine builds - new servers and desktops are deployed in minutes through cloud services, VDI, and build servers. Software is updated and deployed nightly or even hourly. Security updates, OS patches, etc., are centralized, managed, and deployed routinely, reliably, and nearly invisibly. Network device configs are kept current.
But what view of your whole environment do you have? Do you know where every single one of your servers and services reside - are they onsite? Sitting in AWS? Azure? GCP? All the above? Somewhere else? Hosted as a SaaS? Do you have real-time and historical analysis of your customer's activities? How about attacks and exploits that may be coming to different regions of your infrastructure, through both known and new, unknown means? Are you correlating events across your technical estate to see known users attempting (or apparently attempting) to access content and devices they shouldn't? Are you seeing patterns emerging of attacks against your edge devices looking for holes into your most core data and systems?
If you are not seeing this, why aren't you? Is it because you're really not being targeted by both anonymous and directed attacks? (If so, props to you!)
If you're seeing any or all of this, what are you doing about it? What policies are you updating and implementing to mitigate the risks that have inevitably come to your organization? What about those risks that you haven’t thought about yet?
This is where Splunk will illuminate your day-to-day work in ways you haven't even thought of.
Sure, you're using Splunk to look at log files. Sure, you're searching sales, technical, networking, and device data.
But there is so much more about your environment you know should be viewable. You know you should be able to correlate Active Directory authentication data against resources users should be accessing - and when (and from where) they should be accessing them.
You know you should be able to view attacks coming against your routers and firewalls and see where they are originating, what they're trying to access, and when they're trying to attack you. More importantly, you know you should be able to view what is changing in incoming attacks based on what is learned by both failed and successful (or partially successful) attempts to access your infrastructure.
Combining additional products atop and alongside your existing Splunk Enterprise deployment, you can leverage Splunk's powerful new Machine Learning technologies to do all the above - and more.
Splunk Enterprise Security (ES), the industry standard for Analytics-Driven Enterprise SIEM (Security Information and Event Management), ships with a host of pre-built, out-of-the-box correlation searches, dashboards, reports, and alerting mechanisms. See attacks on your load balancers and firewalls in correlated coincidence with drops in network performance. See if - and which - internal devices and services have been compromised to either rapidly shift them off the production network (because you're automating your IT infrastructure), or deny those outbound packets and port accesses to quickly isolate problems.
Perfect for parallel deployment to Splunk ES is Splunk IT Service Intelligence (ITSI). ITSI offers KPI alerts based on expansive modeling of your environment, with reporting options ranging from "traditional" dashboards to glass tables where you can overlay reports atop your own custom diagrams of your environment. By tying together views of varied applications into a gestalt services view, you can see not merely that a DDoS is underway against your e-Commerce frontend, but also what middleware systems are being adversely affected that are shared between eCommerce and other services that drive your organization. Know within minutes of an attack or other service degradation beginning that not only is your storefront experiencing poor load times, but also precisely which component(s) are seeing the worst performance.
From this data, you can make the most relevant and important business decisions concerning not only first-order decisions like "stop this IP block at the firewall", but also to see if new horizontally-scalable components of your services need to be deployed (ideally handing-off both of those tasks to your infrastructure orchestration and automation tools, of course). See if too much load is being placed on shared middleware resources that justify dedicating new hardware, instances, etc., to support different aspects of your business. Splunk knows your business is NOT "managing technical infrastructure" - it's providing vital services and products to your customers. ITSI offers a single-pane-of-glass, rollup view of your whole environment (with Splunk’s ubiquitous drill-down functionality) to get you back to providing the stellar service your customers expect - reducing issue response time and improving your IT service reliability.
Most recently, Splunk released User Behavior Analytics (UBA) as something of a pre-holiday treat at the end of 2017. Coming alongside to buttress both ES and ITSI, UBA offers exclusive Machine Learning based analysis of the data you have already been collecting to rapidly identify aberrant user behavior that may be insider threats - whether knowingly or unknowingly.
Insider threats, which can arise from malware, phishing attacks, social engineering, and disgruntled employees, are the single biggest threat to any organization, as reported by both the IAPP (International Association of Privacy Professionals), American Express, and DigiCert. Ranging from carelessness to active hostility, employees - and other trusted users - cause the most worry among security professionals. It is employees who are granted, to greater or lesser degrees, the literal "keys to the kingdom" of your organization: they are trusted to send emails on behalf of the organization; they are trusted to deal with customers, vendors, financial data, and on and on.
UBA helps identify suspect behavior in your environment, assigning various levels of risk based on patterns it finds. Should Victoria be VPN'ing from Vietnam? Should Francois be fiddling with financial systems? Maybe. Maybe not. As the Russian proverb says: "trust, but verify".
And this is the beauty of UBA - as it sifts-through user-authentication data, it builds correlations to alert your security team about behavior it thinks may be risky. Employing a combination of human-guided and self-guided ML techniques, UBA will get better at identifying and alerting on unusual and risky behavior the longer you use it.
Want to explore more of Splunk’s machine learning capabilities? August Schell has the right engineers who know how to design, deploy, and manage Splunk solutions for your IT environment. Reach out to us now or call us at (301) 838-9470 to learn more.