http://blogs.gartner.com/anton-chuvakin/2015/12/02/starting-a-siem-project-from-vendor-use-case-content-win-or-fail/
You might think: I just want to install a solution that gives me out-of-the-box content. Such solutions exist, and Splunk offers one too. But keep in mind the experience of the leaders in this industry. Anton Chuvakin, a Research VP at Gartner and well known in the SIEM industry, put it this way: "The most mature SIEM users report their most valuable use cases were site-specific, custom or at least heavily customized."
Privileged user monitoring is included in nearly every compliance regulation, it is mentioned in nearly every security book, and controlled use of administrative privileges is one of the SANS Top 20 Critical Security Controls. You want to know where and how your service accounts are used. Does someone use default accounts? Do privileged users do their day-to-day work under their admin account? If they do and they click on a wrong hyperlink, malware can spread through your environment quickly with admin rights. The same happens when privileged users log on to end-user workstations, where malware may sleep and simply wait for an admin to log on before it activates. These are all "keys to the kingdom". To answer these questions you need data from key sources such as Active Directory, RADIUS, and identity and privileged access management systems such as CyberArk.
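To make the three questions above concrete, here is an added example (not code from the page or from Splunk) that applies them to Windows logon events. The key=value lines use the field names Splunk's Windows add-on assigns to event 4624 (EventCode, Account_Name, Logon_Type, ComputerName), but the sample events, the account lists standing in for an Active Directory group export and the workstation list standing in for an asset inventory are all constructed for the demo:

```python
"""Privileged-account logon checks over Windows Security 4624 events.

Added example; not code from the page or from Splunk.  The key=value
log format mirrors Windows event fields as Splunk's Windows add-on
names them (EventCode, Account_Name, Logon_Type, ComputerName), but the
events, account lists and hostnames are all constructed for this demo.
"""
import re
from dataclasses import dataclass

# Logon types from the Windows 4624 event definition.
INTERACTIVE = {2, 10, 11}   # console, RemoteInteractive (RDP), CachedInteractive
DEFAULT_ACCOUNTS = {"administrator", "guest"}

# Reference data a SIEM would pull from AD, IAM/PAM and the asset inventory
# (constructed here).
PRIVILEGED = {"alice_adm", "bob_adm"}         # e.g. Domain Admins membership
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}  # e.g. svc_* naming convention
WORKSTATIONS = {"WS-0173", "WS-0422"}         # end-user endpoints

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'EventCode=4624 Account_Name=x ...' into a dict; None if not a logon."""
    ev = dict(_KV.findall(line))
    if ev.get("EventCode") != "4624":
        return None
    return {"account": ev["Account_Name"].lower(),
            "host": ev["ComputerName"].upper(),
            "logon_type": int(ev["Logon_Type"])}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    host: str
    logon_type: int


def check_logon(ev):
    """Apply the three privileged-user questions from the text to one logon."""
    acct, host, lt = ev["account"], ev["host"], ev["logon_type"]
    out = []
    if acct in DEFAULT_ACCOUNTS:
        out.append(Finding("default_account_used", acct, host, lt))
    if acct in SERVICE_ACCOUNTS and lt in INTERACTIVE:
        # service accounts are expected to produce service/batch/network logons only
        out.append(Finding("service_account_interactive", acct, host, lt))
    if acct in PRIVILEGED and host in WORKSTATIONS:
        # admin credential exposed on an endpoint where malware may be waiting
        out.append(Finding("privileged_logon_to_workstation", acct, host, lt))
    return out


def run(lines):
    """Parse every line and collect findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend(check_logon(ev))
    return findings


SAMPLE_LOG = [  # constructed sample events
    "EventCode=4624 Account_Name=svc_backup Logon_Type=4 ComputerName=SRV-BKP01",
    "EventCode=4624 Account_Name=svc_sql Logon_Type=10 ComputerName=WS-0173",
    "EventCode=4624 Account_Name=alice_adm Logon_Type=2 ComputerName=WS-0422",
    "EventCode=4624 Account_Name=Administrator Logon_Type=3 ComputerName=DC01",
    "EventCode=4624 Account_Name=carol Logon_Type=2 ComputerName=WS-0173",
    "EventCode=4634 Account_Name=alice_adm Logon_Type=2 ComputerName=WS-0422",
]

if __name__ == "__main__":
    for f in run(SAMPLE_LOG):
        print(f)
```

In a SIEM the same logic is a scheduled search whose reference sets come from lookups maintained out of AD, the PAM system and the asset inventory. Logon types 2, 10 and 11 are the interactive ones where the credential lands on the endpoint; a batch logon (type 4) by a service account on a backup server, as in the first sample line, is the expected pattern and produces no finding.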
Across the entire journey, you need fresh content:
• To keep your teams trained
• To keep them aware of the latest threats
• To leverage the collective intelligence of the community
• To deliver the playbooks that guide people on next steps
• To deliver the automation to combat threats faster and to get back to sleep at night
That's what we're delivering with ES Content Updates: our analytics stories are the connective tissue of the nerve center.
Splunk ES Content Updates provide guidance on how to detect threats, where to investigate and how to navigate the decision-making process to take better follow-on actions.
It includes a library of analytics stories that provide the full context of a situation for continuous education, investigation and response.
These analytics stories are "threat detection packages": data sources, searches, relevant threat intel, recommended next steps and adaptive response actions, all mapped to phases of the kill chain and to the critical controls.
Adaptive response here means not only automating next steps, but asking an initial question and then having all of the logical follow-up questions asked and answered while the related contextual details are pulled in.
These aren't just single searches or dashboards; they give you the ability to detect, scope and remediate with confidence.
There is a feedback center component so we can engage with you: tell us what works and what doesn't, let us know which analytic story you would like addressed, or customize and create your own analytics stories as appropriate for your organization.
We are delivering 26 analytics stories today, covering use cases such as Apache Struts vulnerabilities, suspicious DNS traffic and detecting lateral movement, and we will continue to add to this library frequently.
This is another mechanism for delivering fresh, relevant content to you as research teams, Splunk or third-party led, develop it. We think of this content as the connective tissue for the various nerve center capabilities, unifying the product strategy we're delivering for you.
This will help you be more aware and more responsive.
• Enhance security through visibility into all activity in your AWS account
• Help ensure adherence to security and compliance standards with a full audit trail
• Leverage machine learning for proactive insights, recommendations and anomaly detection
• Effectively manage AWS costs with an in-depth view of used/unused resources, cost by account and cost by service
Key for ATPs.
Threat intelligence management is a key topic area for many organizations. Their maturity ranges from basic (using free IP blacklists to correlate against), through generating or packaging their own threat intelligence, up to big data and adversary fusion cells.
Challenges:
• Hard
• Management of threat intelligence
• Threat sharing
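As an added example (not from the page or from Splunk) of what moves an organization past correlating against a single free blacklist, the following Python merges two IP feeds, expires indicators that have not been seen recently, and attributes every match back to the feeds that reported it. The feed names, confidence scores, the key=value firewall line format with a dst field, and all indicator and log data are constructed for the demo:

```python
"""Correlate firewall logs against merged IP threat-intelligence feeds.

Added example; not code from the page or from Splunk.  Assumed (constructed)
inputs: two feeds of 'indicator,confidence,last_seen' lines and key=value
firewall log lines carrying a 'dst' field.  Feed names, field names and
scores are hypothetical.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Indicator:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    confidence: int          # 0-100, highest score seen across feeds
    last_seen: date          # most recent sighting across feeds
    sources: set = field(default_factory=set)


def parse_feed(text, source):
    """Parse one feed; bare IPs become /32 networks so lookups are uniform."""
    out = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ind, conf, seen = (p.strip() for p in line.split(","))
        net = ipaddress.ip_network(ind, strict=False)
        out.append(Indicator(net, int(conf), date.fromisoformat(seen), {source}))
    return out


def merge_feeds(*feeds):
    """Deduplicate across feeds: same network -> union of sources,
    highest confidence, latest last_seen."""
    merged = {}
    for ind in (i for f in feeds for i in f):
        cur = merged.get(ind.network)
        if cur is None:
            merged[ind.network] = Indicator(ind.network, ind.confidence,
                                            ind.last_seen, set(ind.sources))
        else:
            cur.confidence = max(cur.confidence, ind.confidence)
            cur.last_seen = max(cur.last_seen, ind.last_seen)
            cur.sources |= ind.sources
    return list(merged.values())


def prune_stale(indicators, today, max_age_days=30):
    """Expire indicators not seen recently; stale blacklists mostly produce noise."""
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in indicators if i.last_seen >= cutoff]


@dataclass(frozen=True)
class Hit:
    line: str
    dst: str
    indicator: str
    confidence: int
    sources: frozenset


_DST = re.compile(r"\bdst=(\S+)")


def correlate(log_lines, indicators, min_confidence=50):
    """Return a Hit for each log line whose dst falls inside a sufficiently
    confident indicator network (longest prefix wins when several overlap)."""
    hits = []
    for line in log_lines:
        m = _DST.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        matches = [i for i in indicators
                   if i.confidence >= min_confidence and addr in i.network]
        if matches:
            best = max(matches, key=lambda i: i.network.prefixlen)
            hits.append(Hit(line, str(addr), str(best.network),
                            best.confidence, frozenset(best.sources)))
    return hits


FEED_A = """\
# constructed sample feed A: indicator,confidence,last_seen
198.51.100.7,80,2017-10-01
203.0.113.0/24,60,2017-09-30
192.0.2.9,40,2017-08-01
"""
FEED_B = """\
198.51.100.7,50,2017-10-02
192.0.2.55,90,2017-10-02
"""
SAMPLE_LOGS = [  # constructed firewall lines
    "src=10.1.1.5 dst=198.51.100.7 dport=443 action=allowed",
    "src=10.1.1.7 dst=203.0.113.42 dport=80 action=allowed",
    "src=10.1.1.8 dst=192.0.2.9 dport=80 action=allowed",      # stale indicator
    "src=10.1.1.9 dst=8.8.8.8 dport=53 action=allowed",
    "src=10.1.1.10 dst=192.0.2.55 dport=4444 action=denied",
]


def run_example(today=date(2017, 10, 3)):
    """Merge, prune and correlate the constructed data as of `today`."""
    intel = prune_stale(merge_feeds(parse_feed(FEED_A, "feedA"),
                                    parse_feed(FEED_B, "feedB")), today)
    return correlate(SAMPLE_LOGS, intel)


if __name__ == "__main__":
    for h in run_example():
        print(h.dst, h.indicator, h.confidence, sorted(h.sources))
```

The third log line hits an indicator that is more than 30 days old and is deliberately not reported; the first hit is attributed to both feeds with the higher of their two scores. Keeping source and last-seen alongside each indicator is what makes the later steps on the page, packaging your own intelligence and sharing it, possible at all.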