Setting up Splunk SIEM

11/9/2020

“It is simply unrealistic to expect human teams to catch potential cybersecurity events reliably.”

“Automation is not just a technical buzzword or a passing fad” Automation is everything and easily within the grasp of both companies large and small… Many online services already use a great deal of automation to provide the best user experiences for their customers. In regards to Cybersecurity automation is an absolute must. On any given day a network can transfer an absolutely insane amount of data so to simplify we will state an average server sends 100MB of data. In this example we will look at the common role of packet sniffing and break down the number of packets a single 100MB transfer produces. A single MB produces 685 packets as each packet can only be 1460bytes.. Each packet consists of at least 4 layers and each layer has several options and pieces of data associated with it. Rather than detailing out each layer lets simply multiply 685 * 4 to produce 2,740 pieces of information that could be analyzed by a single MB transfer. Now to extrapolate our 1MB to 100MB we get 274,000 pieces of potentially dangerous information being transferred. With the shear mass of data transfer happening every second of every day It is simply unrealistic to expect human teams to catch potential cybersecurity events reliably.

Enter Splunk

Splunk is an intelligent data modeling threat analysis toolchain. The application consumes and monitors data across an organization and can have several Machine Learning brains used to detect and flag anomalies and raise attention to threats based on network and data traffic patterns. A SOC team is only as good or effective as the tools they have at their disposal.