Adrian Mole, Wimpy Kid are your new security mentors
Share your secret diary to improve security, says Splunk
Splunk has hurled the fourth edition of its Enterprise Security product out the door, and feels that the most important new feature is its diary, or as Splunk likes to call it the “Investigator's journal”.
The result of usability studies, the journal offers a means to record all the actions taken when security teams spot something suspicious. Some entries are automated, others manual, but the firm hopes security types will use the journal to create a detailed log of responses to an event that makes it possible for their colleagues to understand past efforts to repel boarders. By collating all such efforts in one place and placing them on a timeline, Splunk thinks it becomes easier for folks starting a new shift or joining a team to get up to speed with defence efforts, and therefore to frame more effective responses.
“People have ten browser tabs open or refer to a notebook,” said Haiyan Song, Splunk's senior veep for the security market. “We're trying to make one big canvas.”
Splunk has also refined its User Behavior Analytics (UBA) tool, which is designed to spot anomalous activity wherever it occurs, with particular attention to users whose behaviour departs from their established pattern. Song says most recent high-profile breaches start with the compromise of a single account, and that better detection of unexpected actions can provide leading indicators of a breach.
Asked by your correspondent if occasional frenzies of tracert and ping, deployed in the name of research for a story, might mark me as a malfeasant, Song said policies could use such actions as a trigger. More likely indicators, she said, are activity at unexpected times, changes in daily upload volumes, or uploads to new destinations. Any such departure from a user's usual pattern is worth investigating.
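To make the three indicators above concrete, here is an added example (not Splunk's code, and not how its UBA product is implemented) that baselines each user's upload habits from historical records and then flags off-hours activity, a jump in daily upload volume, and a never-before-seen destination in a batch of new records. The log format, the users, the destinations and the thresholds (three standard deviations with a 1.5× floor, a one-hour tolerance around previously seen hours) are all assumptions chosen for illustration, and the log lines are constructed, not captured from any real system.

```python
"""Toy UBA-style detector: per-user baselines over constructed upload logs.
Illustrative code only; not Splunk's UBA logic. Format and thresholds assumed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real data):
# "ISO-8601 timestamp,user,upload destination,bytes uploaded"
BASELINE_LOGS = """\
2015-09-21T09:12:00,alice,share.corp.example,120000
2015-09-21T14:40:00,alice,share.corp.example,95000
2015-09-22T10:05:00,alice,share.corp.example,110000
2015-09-22T16:30:00,alice,crm.corp.example,130000
2015-09-23T11:20:00,alice,share.corp.example,100000
2015-09-23T15:00:00,alice,share.corp.example,125000
2015-09-21T22:10:00,bob,backup.corp.example,5000000
2015-09-22T22:15:00,bob,backup.corp.example,5200000
2015-09-23T22:05:00,bob,backup.corp.example,4900000
"""

# Constructed "today" records to score against the baseline.
NEW_LOGS = """\
2015-09-24T10:00:00,alice,share.corp.example,115000
2015-09-24T03:15:00,alice,share.corp.example,118000
2015-09-24T11:00:00,alice,paste.example.net,2400000
2015-09-24T22:12:00,bob,backup.corp.example,5100000
2015-09-24T22:30:00,bob,backup.corp.example,41000000
"""


@dataclass
class Event:
    when: datetime
    user: str
    dest: str
    nbytes: int


@dataclass
class Baseline:
    hours: set = field(default_factory=set)            # hours of day seen for this user
    destinations: set = field(default_factory=set)     # destinations seen for this user
    daily_totals: list = field(default_factory=list)   # bytes uploaded per active day


@dataclass
class Finding:
    user: str
    kind: str
    detail: str


def parse(text):
    """Parse the assumed CSV-ish format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return events


def build_baseline(events):
    """Summarise historical events per user: hours, destinations, daily volume."""
    per_day = defaultdict(int)
    baselines = defaultdict(Baseline)
    for ev in events:
        b = baselines[ev.user]
        b.hours.add(ev.when.hour)
        b.destinations.add(ev.dest)
        per_day[(ev.user, ev.when.date())] += ev.nbytes
    for (user, _day), total in per_day.items():
        baselines[user].daily_totals.append(total)
    return dict(baselines)   # plain dict so unknown users return None, not a fresh baseline


def volume_threshold(totals, sigma=3.0, floor_ratio=1.5):
    """Mean + sigma*stddev of historical daily totals, with a floor so a baseline
    of one or two near-identical days (stddev ~ 0) does not alert on any change."""
    avg = mean(totals)
    return max(avg + sigma * pstdev(totals), avg * floor_ratio)


def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(baselines, events, hour_slack=1):
    """Score new events against the baselines; returns a list of Findings."""
    findings = []
    new_per_day = defaultdict(int)
    for ev in events:
        b = baselines.get(ev.user)
        if b is None:
            # Edge case: a user with no history cannot be baselined; surface it rather than skip silently.
            findings.append(Finding(ev.user, "no_baseline", "no history to compare against"))
            continue
        if not any(hour_distance(ev.when.hour, h) <= hour_slack for h in b.hours):
            findings.append(Finding(ev.user, "unusual_hour", ev.when.isoformat()))
        if ev.dest not in b.destinations:
            findings.append(Finding(ev.user, "new_destination", ev.dest))
        new_per_day[(ev.user, ev.when.date())] += ev.nbytes
    for (user, day), total in new_per_day.items():
        limit = volume_threshold(baselines[user].daily_totals)
        if total > limit:
            findings.append(Finding(user, "volume_spike", f"{day}: {total} bytes vs limit {int(limit)}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    for f in detect(base, parse(NEW_LOGS)):
        print(f"{f.user}: {f.kind} ({f.detail})")
```

Run as-is, the script reports four findings: alice's 03:15 upload (unusual hour), her upload to paste.example.net (new destination), her daily total of 2.6 MB against a baseline of roughly 230 kB (volume spike), and bob's 46 MB day against a baseline near 5 MB (volume spike); bob's usual 22:00 backup traffic produces nothing. The baseline here is a flat set of hours and destinations plus a mean/stddev on daily totals; a real UBA product would use longer windows, peer-group comparison and per-user scoring, but the three signals Song describes reduce to exactly these comparisons.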
Splunk's also cranked out version 3.0 of its PCI DSS tool, this time with all the new goodness of PCI DSS 3.1 taken into account. There's also a new API to enable consumption of the tool's output, the better to communicate compliance efforts. ®