splunk

Splunk vs Loglogic: Battle of the logs

Dave Farquhar security , ,

If you need a centralized logging solution for your business, you’ll need to consider Splunk vs Loglogic. I have experience with both in corporate environments.

I guess you can say I spent a lot of time configuring and waiting on Loglogic. I spent a little time configuring Splunk and a lot of time turning the data inside it into knowledge.

Read more

Using Splunk to find bad guys in your network

Dave Farquhar security , , ,

I’ve covered event logging before, but the excellent site Malware Archaelogy has some cheat sheets that include Splunk queries you can use to find incidents or malware operating in your network, or even use to create dashboards so you can keep an eye on things. Malware Archaelogy’s list of events to log is a bit different from what I covered before, but there’s a considerable amount of overlap. You probably want what they recommend and what anyone else is recommending.

The key to corporate computer security is situational awareness, and I don’t think anyone sells a blinky box that provides enough of that. But you can build it with Splunk.

And, for what it’s worth, I do recommend Splunk. I’ve used Log Logic in the past, and its searches often take days to finish, which means Log Logic is so slow that by the time you find anything in it, it’s likely to be too late. Splunk isn’t quite real-time, but you can find stuff in a few minutes.

The difference between a vulnerability scanner and a SIEM

Dave Farquhar security , , , ,

I heard an interesting question the other day: What’s the difference between a vulnerability scanner and a SIEM? Qualys and Nessus are examples of vulnerability scanners. Arcsight and Splunk are examples of SIEMs.

To a security practitioner, the tools couldn’t be much more different, but not everyone is a security practitioner.

On a basic, fundamental level, a vulnerability scanner deals in what’s missing in the environment and what could happen as a result of those things that are missing. A SIEM deals in what actually has happened and is happening.

Read more

The workstation events you want to be logging in Splunk

Dave Farquhar security , , , , ,

Every once in a while the NSA or another government agency releases a whitepaper with a lot of really good security advice. This paper on spotting adversaries with Windows event logs is a fantastic example. It’s vendor-neutral, just talking about Windows logs and how to set up event forwarding, so you can use the advice with any log aggregation system or SEIM. I just happen to use and recommend Splunk. But whatever you use, these are the workstation events you want to be logging.

I want to call your attention to a couple of items in the paper. Most breaches begin on workstations, and this paper has the cure.

Read more

Security flaws in security tools are all too common

Dave Farquhar security , , , , ,

Fireeye runs a bunch of its processes as root, a practice that’s been a no-no since the late 1990s, and they’re more interested in litigation than they are in working with the guy who discovered it.

The attitude is all too common.

Read more

The most valuable IT skill you can learn in 2015: Splunk

Dave Farquhar security

Whether you want to move to security or just get a lot of job security and raise potential while staying in infrastructure, probably the best thing you can do for your career is to learn Splunk.

What’s Splunk, you ask? Well, my t-shirt says “Weapon of a security warrior,” but it really does a lot more than that.

I think of it as a centralized logging and alerting system, but really, because it can log and alert and draw graphs, it can replace almost any piece of management infrastructure. I asked, only ten-percent joking, why a Splunk shop needs to run anything else to manage itself.

Stand up Splunk, let it collect your logs and your performance data, and when something goes wrong, you have one place to look for the data you need to figure out what happened.

Fortunately, unlike many enterprise tools, you can run Splunk at home for free. Splunk offers a well-written 200-page book for free in all of the common e-book formats that provides a good introduction and a set of data to play with, and you can download the software itself from Splunk’s front page. You can then pull your logs from all of your desktops, and if you run DD-WRT, you can pull those logs as well, then practice learning what you can from that data beyond what’s in the book.

You will undoubtedly find some things when you start poking around, so even if you’re not able to get going with Splunk in your current role, you’ll end up with the war stories you need to get a Splunk-related role for your next job. Even if all you do is catch HD Moore and Robert Graham scanning you, your interviewer will be interested in hearing how you saw it and managed to figure out it was them.