I think it's safe to say at this point everyone and their dog's dog has heard in some form or another about the Mandiant report released entitled "APT1: Exposing One of China's Cyber Espionage Units". Regardless of what you think of the report - Jeffrey Carr has a good rebuttal - the one thing it does give us is a LARGE amount of indicators which can be made into actionable intelligence and I HIGHLY commend Mandiant on sharing this intelligence!
Continuing on with my goal for 2013 of writing more blog posts I figured I'd go back and look at a neat use I found for Splunk and two kinds of data I was able to ingest in to it.
As Splunk has grown in popularity over the last year I started see more and more blog posts, twitter comments, etc regarding various uses for Splunk and most of the time I look over at my own dashboards and see items I've had in place for a long time being described.
There was a Case Study published by Andrew Valentine over at the Verizon Business Security Blog titled "Pro-active Log Review Might Be A Good Idea" which details an incident where an employee working for a "U.S. critical infrastructure company" was found to have outsourced his own job to a Chinese consulting firm. Here's a quick snippet from the Case Study:
"As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day."
Decided to finally make public the slide deck I created as a "customer presentation" for a Splunk & Herjavec Group sponsored event here in Toronto on Dec 14, 2012. It was my 6th time being a customer presenter for a Splunk event and as always enjoyed the opportunity to speak, share ideas and meet new faces. So..... Thoughts? Annoyances? Public lashing? I welcome all :) Slides can be found here:
As I talk to different Splunk users, watch twitter, read blog entries and have the great opportunity to speak and participate in Splunk events I always find it so interesting the various use cases people have for Splunk. True that most organizations have brought it in primarily for Security tasks but time and time again it's so easy to find other great uses for it. Through these discussions I've been able to find many new uses for Splunk, ones which I had not initially thought of or was unsure of how to approach. From this I thought it would be great to have a central point of reference to break down these use cases into the reports/searches built for them so people could gain from others successes.