“Statistical analysis is the new weapon of the security warrior defending against threats that bypass traditional security detection systems. This is one of the reasons why more than 1,500 organizations around the world rely on Splunk for security,” said Mark Seward, senior director of security and compliance, Splunk.
“Companies now understand that hidden in the terabytes of user-generated machine data are abnormal patterns of activity that represent the presence of malware or the behavior of malicious insiders. The new Splunk App for Enterprise Security enables statistical analysis of HTTP traffic to help security professionals determine a baseline for what’s normal, quickly detect outliers and use those events as starting points for security analysis and investigation,” he added.
The common purpose of advanced threat malware is to communicate to external locations its health, facilitate command and control, and collect and send valuable data to the attacker. Essentially, attackers are turning employees into ‘data mules’ for advanced threat actors. Often, the attacker will then use web-based protocols for communication in the hopes of hiding their traffic in terabytes of web logs.
Traditional security approaches help find known threats, and statistical analysis is used to separate ordinary user activity from the anomalies that result from unknown threats. The Splunk App for Enterprise Security includes searches, dashboards and visualizations for Advanced Threat Detection that help to reveal what activity is abnormal and detect attack patterns.
This statistical analysis reveals attacks and threats including:
- Command and control (CNC) instructions embedded in URLs. The Splunk App for Enterprise Security automates the process to watch for outliers in the data.
- Hosts communicating with new malicious websites. Hosts that are talking to domains registered in the past 24-48 hours indicate a likely CNC site. Splunk users can correlate domain registrations and proxy data to monitor this in real time and historically.
- Significant increases in unknown communications. Monitoring proxy data for specific users with the Splunk App for Enterprise Security enables organizations to watch for spikes of unknown communications as an overall trend and by specific users.
- Unusual user agent strings in use. User agents automate the collection of data such as email, but during attacks user agents strings can also facilitate automated victim attacker communications. Splunk customers can monitor and be alerted about user agent anomalies in real time.
- Abnormal amounts of source/destination traffic. Track average amounts of traffic are tracked between source/destination pairs and calculated over user specified time frames. Statistical outliers are visualized in a scatter plot and can be used to start an investigation.