What was once the stuff of spy movies and industrial espionage headlines is now, sadly, a common occurrence for public organizations and private enterprises around the globe. Insiders (employees, consultants, partners) have emerged as one of the most immediate and serious threats facing IT and cyber security teams and practitioners today. That is not, however, because every insider has turned malicious.
The Splunk Threat Research Team recently evaluated ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging to assist enterprise defenders in finding malicious PowerShell scripts. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging.
Security analysts know this situation well: inundated by alerts, alternating between 10 different security tools, and feeling the pressure of responding to each and every threat. It’s typically around this point that SOC teams realize it’s humanly impossible to process the amount of data that needs to be processed, and they should start looking for a solution. Gretchen White, Chief Information Security Officer at Minnesota Judicial Courts, experienced this firsthand.
Cyber attacks come in many forms, but they almost always share one trait in common: they are carried out over the network. Although there are exceptions, the network is usually the entry point that attackers use to launch whichever exploits, data thefts, or other intrusions they aim to impose upon a business.
The Splunk Threat Research Team (STRT) most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging.
The Office of Management and Budget’s memo mandates a maturity model for event log management, sets agency implementation requirements, and establishes government-wide responsibilities. Fortunately, Splunk solutions can help agencies comply with the new mandates.
Does your Splunk app integrate with a third-party service or API? If so, that service might require your app’s users to authenticate using a secret. You can securely store and retrieve secrets in an app using the capabilities of the Splunk platform.