Security Analysts' Splunk Guide

This document discusses the top 5 use cases for Splunk Enterprise Security: compromised credentials, privileged user compromise, insider threat, ransomware, and malware. It provides descriptions and examples of each use case and discusses how Splunk can help address them through features like user behavior analytics, risk-based alerting, and advanced machine learning.


Top 5 Use Cases for Splunk Enterprise Security
It’s not easy to detect and respond to security events quickly. A security analyst can spend minutes (sometimes hours) on an alert. Now, multiply that by the hundreds of security alerts they have to deal with every day, and they’re left with too many tickets and too few analysts. Starting to see the problem?

We need to help security teams speed up their response times while reducing the number of alerts they get. We can start by improving visibility into their environment, so they can detect and respond to threats faster. Better yet, an automated response to alert triage can turn minutes into seconds and hours into minutes — and who wouldn’t want that?

This gives hard-to-detect, insidious threats like malware fewer places to hide and propagate, and reduces the amount of damage they can cause — meaning stressed out security analysts become happier.

But even if a happy analyst sounds nice, life in the fast-paced world of security isn’t always so easy, and security teams still have to figure out where to start their security journey. And, as we’ve established, knowing that any part of their organization is susceptible to intrusion — and that they have to identify security gaps well ahead of time — can be an overwhelming and difficult task for even the best of analysts.

Lucky for them — and security analysts everywhere — we’ve been working with Splunk customers for years on how to deal with this very issue. We’ve helped them with their toughest security questions by unlocking the answers hidden inside their data.

We’ve bundled those conversations into this quick guide on high-level security use cases and how to get started. These are the security issues we frequently get asked about, along with best practices for content, and ideas that will help security teams hit the ground running as they deploy or refine Splunk Enterprise Security (ES).

Top 5 Use Cases for Splunk Enterprise Security | Splunk 2


01 Compromised credentials

What are compromised user credentials?
Compromised user credentials are credentials that an attacker has obtained from an employee through tried and true methods, like a phishing attack or business email compromise. Once the bad guys (and gals) have entered an environment with valid user credentials, they start looking for vulnerabilities to achieve their objective (and ruin a security analyst’s day). Worst of all, since the threat actor managed to log in with valid credentials, they appear to be a totally legitimate user — making this a difficult threat to detect.

How does Splunk address compromised user credentials?
Splunk ES can identify instances where user credentials have been compromised and are being used by someone other than the authorized person or application. ES can also provide coverage for shared and generic account usage. Splunk User Behavior Analytics (UBA) uses behavioral modeling to notify analysts when a user’s activity deviates from what has been established as normal behavior. Detection encompasses identifying unusual or malicious Active Directory (AD) activity, such as operations on self, terminated user, disabled accounts and account recovery.



02 Privileged user compromise

What is privileged user compromise?
Privileged user compromise is when a hacker gains access to a privileged user account through social engineering techniques or zero-day exploits. In these attacks, hackers usually target high-priority users who have administrative access to sensitive assets, or executive-level authority. This is why it’s important for security analysts to immediately identify when a privileged account has been compromised. The actual technique usually involves the hacker getting around traditional security tools — like firewalls or legacy security information and event management (SIEM) solutions — that are built to defend against known threats. Once the hacker is in, they start looking for ways to get more access by gathering other sensitive information, like passwords or SSH keys.

How does Splunk address privileged user compromise?
Splunk ES utilizes risk-based alerting (RBA) to detect sophisticated threats by attributing risk to users and entities, and only triggers an alert when behavioral thresholds are exceeded and certain MITRE ATT&CK tactics are observed. By building a comprehensive collection of risk attributions with RBA, and with Splunk UBA creating a baseline of each account’s behavior, it becomes easy to identify irregularities compared to the user’s baseline behavior. Such irregularities usually indicate excessive usage, rare access, potential sabotage or someone trying to cover their tracks. As user behavior continues to differ from known normal behavior, UBA’s confidence grows, increasing the likelihood and severity of risk. Examples of detections include using service accounts for VPN or interactive logins, data snooping, deleting audit logs and accessing confidential information.

Splunk UBA helps score the severity of risk, using a baseline of normal behavior.
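The RBA idea described above, reduced to its core logic as an added example (this is illustrative code, not Splunk’s implementation, and the event field names `risk_object`, `risk_score`, `tactic` and `rule` are assumptions): risk observations accumulate per user inside a time window, and a notable fires only when both the accumulated score and the number of distinct ATT&CK tactics cross their thresholds.

```python
from collections import defaultdict

# Constructed sample risk events (not real Splunk data). Each one is what a
# risk rule would contribute: a score and an ATT&CK tactic against a user.
RISK_EVENTS = [
    {"time": 100, "risk_object": "svc_backup", "risk_score": 30, "tactic": "TA0001",
     "rule": "Service account interactive login"},
    {"time": 200, "risk_object": "svc_backup", "risk_score": 40, "tactic": "TA0007",
     "rule": "Rare file share access (data snooping)"},
    {"time": 300, "risk_object": "svc_backup", "risk_score": 50, "tactic": "TA0005",
     "rule": "Windows audit log cleared"},
    # Same total score, but one tactic repeating: noisy behaviour, not an attack chain.
    {"time": 150, "risk_object": "jdoe", "risk_score": 40, "tactic": "TA0007",
     "rule": "Rare file share access"},
    {"time": 250, "risk_object": "jdoe", "risk_score": 40, "tactic": "TA0007",
     "rule": "Excessive downloads"},
    {"time": 350, "risk_object": "jdoe", "risk_score": 40, "tactic": "TA0007",
     "rule": "Rare file share access"},
    # High score but outside the aggregation window: stale evidence is ignored.
    {"time": -90000, "risk_object": "svc_backup", "risk_score": 500, "tactic": "TA0040",
     "rule": "Mass file encryption"},
]

def aggregate_risk(events, window_end, window_seconds):
    """Sum risk per risk_object inside (window_end - window_seconds, window_end]
    and collect the distinct tactics and contributing rules."""
    window_start = window_end - window_seconds
    agg = defaultdict(lambda: {"risk_score": 0, "tactics": set(), "rules": []})
    for ev in events:
        if window_start < ev["time"] <= window_end:
            bucket = agg[ev["risk_object"]]
            bucket["risk_score"] += ev["risk_score"]
            bucket["tactics"].add(ev["tactic"])
            bucket["rules"].append(ev["rule"])
    return agg

def risk_notables(events, window_end, window_seconds=86400,
                  score_threshold=100, min_distinct_tactics=3):
    """Return risk objects crossing BOTH thresholds: enough accumulated risk
    and enough distinct tactics to look like a chain rather than one noisy rule."""
    notables = {}
    for obj, b in aggregate_risk(events, window_end, window_seconds).items():
        if b["risk_score"] >= score_threshold and len(b["tactics"]) >= min_distinct_tactics:
            notables[obj] = {"risk_score": b["risk_score"],
                             "tactics": sorted(b["tactics"]), "rules": b["rules"]}
    return notables

if __name__ == "__main__":
    for obj, d in risk_notables(RISK_EVENTS, window_end=400).items():
        print(f"NOTABLE {obj}: score={d['risk_score']} tactics={d['tactics']}")
```

With the sample data only `svc_backup` becomes a notable; `jdoe` reaches the same score from a single repeated tactic and stays below the tactic-diversity bar, which is the noise reduction the text describes.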



03 Insider Threat

What is an insider threat?
Insider threat is when an employee or contractor with access to privileged information purposely — or accidentally — misuses their access to hurt the company they’re working for. It’s such a common issue that insider threats account for two-thirds of attacks or data loss. Compromised user credentials, privileged user compromise and insider threat are all related to the same general behavior, where valid credentials are exploited for nefarious reasons.

How does Splunk address insider threats?
Splunk ES and UBA capture the attacker’s footprint as they move across enterprise, cloud and mobile environments. Their activity is analyzed by advanced machine learning algorithms to create a baseline, detect deviations and find anomalies in near real time. The totality of the hacker’s actions within an environment is stitched into an illustrative sequence that uses pattern detection and advanced correlation to reveal the kill chain so security teams can take action immediately.

An example of a Splunk dashboard to help identify insider threats.



04 Ransomware

What is ransomware?
Ransomware is a type of malware that is sadly rising in popularity. This threat has even caught President Joe Biden’s attention. This attack happens when hackers employ phishing attacks to force unsuspecting users into giving away their privileged access. Then the malware springs into action, encrypting some (or all) of the user’s files. The bad guys then demand a ransom — thus the name — of tens of thousands (or sometimes millions) of dollars through cryptocurrency, in return for unlocking the files.

How does Splunk address ransomware?
Splunk ES receives updates from the Splunk ES Content Update (ESCU), which gives security analysts pre-packaged security content that helps them fight ongoing time-sensitive threats, attack methods and other security issues. There are currently 35 ransomware use cases provided in the ESCU, and as new threats are spotted, the Splunk Threat Research Team reverse engineers them to push out automatic updates via ESCU to ensure detections remain up to date.



05 Cloud security

What is cloud security?
Cloud security is founded on the principle that cybersecurity should move away from the perimeter, and retire its network-centric approach (which many traditional security solutions still subscribe to). For that, you can thank COVID, and our collective large-scale migration to the cloud as we moved to WFH.

Because of the rise of cloud computing — and because more companies are migrating critical parts of their business to one of the public clouds, like Google Cloud Platform (GCP), Amazon Web Services (AWS) or Microsoft Azure — it’s important that organizations easily analyze their data in real time, to better obtain the visibility required to stay one step ahead of hackers.

How does Splunk bolster cloud security coverage?
Splunk ES makes it easy to onboard GCP, AWS and Azure assets and identities (A&I) information so it can seamlessly populate A&I tables within Splunk. Splunk ES also provides out-of-the-box detections for the big three cloud providers across authentication, network traffic and configuration changes. By mapping these cloud providers’ data models to Splunk’s Common Information Model, a company’s existing detection and investigation workflows are infused with vital cloud data coverage.



Ready to supercharge your security operations with a cloud-based data-driven SIEM solution? Learn how to get started with Splunk.

Learn More

Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and
other countries. All other brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc.
All rights reserved.

22-20968-Splunk-Top 5 Use Cases for Splunk Enterprise Security-LS-105
