Adrian Mole, Wimpy Kid are your new security mentors

Share your secret diary to improve security, says Splunk


Splunk has hurled the fourth edition of its Enterprise Security product out the door, and feels that the most important new feature is its diary, or as Splunk likes to call it the “Investigator's journal”.

The result of usability studies, the journal offers a means to record all the actions taken when security teams spot something suspicious. Some entries are automated, others manual, but the firm hopes security types will use the journal to create a detailed log of responses to an event that makes it possible for their colleagues to understand past efforts to repel boarders. By collating all such efforts in one place and placing them on a timeline, Splunk thinks it becomes easier for folks starting a new shift or joining a team to get up to speed with defence efforts, and therefore to frame more effective responses.

“People have ten browser tabs open or refer to a notebook,”, said Haiyan Song, Splunk's senior veep for the security market. “We're trying to make one big canvas.”

The firm's also improved the subtleties of its User Behavior Analytics (UBA) tool. This one's designed to spot odd behaviour wherever it may take place, but especially when users start to display abnormal behaviour. Song says most recent high-profile breaches start with compromise of a single account and that better detection of unexpected actions can provide leading indicators of a breach.

Asked by your correspondent if occasional frenzies of tracert and ping deployed in the name of research for a story might mark me as a malfeasant, Song said policies could use such actions as a trigger. More likely tests, she said, are activities at unexpected times, changes in daily upload volumes or new destinations for uploads. Such actions that indicate a user is not carrying on as usual are worthy of investigation.

Splunk's also cranked out version 3.0 of its PCI DSS tool, this time with all the new goodness of PCI DSS 3.1 taken into account. There's also a new API to enable consumption of the tool's output, the better to communicate compliance efforts. ®

Similar topics


Other stories you might like

  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022