If you've read some of my previous posts you would know by now that something I started splunking for security, and even environmental, purposes a long while back was badge data from badge entry devices. The use of this data can provide many different use cases for security analysts and intellignece programs, here is one specific use case I outlined at the start of this year that addressed an issue that made national headlines:


And then here's a post where I detailed a environmental use case:



I think it's safe to say at this point everyone and their dog's dog has heard in some form or another about the Mandiant report released entitled "APT1: Exposing One of China's Cyber Espionage Units". Regardless of what you think of the report - Jeffrey Carr has a good rebuttal - the one thing it does give us is a LARGE amount of indicators which can be made into actionable intelligence and I HIGHLY commend Mandiant on sharing this intelligence!


Continuing on with my goal for 2013 of writing more blog posts I figured I'd go back and look at a neat use I found for Splunk and two kinds of data I was able to ingest in to it.

As Splunk has grown in popularity over the last year I started see more and more blog posts, twitter comments, etc regarding various uses for Splunk and most of the time I look over at my own dashboards and see items I've had in place for a long time being described.


There was a Case Study published by Andrew Valentine over at the Verizon Business Security Blog titled "Pro-active Log Review Might Be A Good Idea" which details an incident where an employee working for a "U.S. critical infrastructure company" was found to have outsourced his own job to a Chinese consulting firm. Here's a quick snippet from the Case Study:

"As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day."


Decided to finally make public the slide deck I created as a "customer presentation" for a Splunk & Herjavec Group sponsored event here in Toronto on Dec 14, 2012. It was my 6th time being a customer presenter for a Splunk event and as always enjoyed the opportunity to speak, share ideas and meet new faces. So..... Thoughts? Annoyances? Public lashing? I welcome all :) Slides can be found here: