Squelching Attacks with Splunk

​MANY IT NETWORKS are subject to a continual barrage of attacks and threats. IT executives often need quick, accurate data on such threats to take immediate and ongoing preventive measures.

One relatively new product, Splunk, can monitor for patterns of potential threat activity. The product can be configured to monitor logs from numerous systems and applications throughout a network. It also includes instant threat alerting and a search engine that can identify and analyze historical data.

The automobile information site Edmunds.com had many security tools and outside services to help it protect its site, says John Martin, senior director of application operations at Edmunds. But staff had to spend a considerable amount of time searching through the different applications to analyze threats.

Splunk’s “search engine” capabilities were a top reason Edmunds was initially drawn to the product, says Martin. It’s like having “Google search” across log data.

Downloading and implementing Splunk was fairly straightforward, he says. Many features helped with security right “out of the box.” But an initial challenge was setting up and adjusting Splunk to generate automated threat alerts, helping Edmunds take faster action such as blocking ranges of Internet Protocol (IP) addresses. The company also wanted to correlate certain kinds of data from security devices and other systems.

Initially, Martin says the company was receiving more security alerts than necessary. One area he adjusted was requests from IP addresses that came through a proxy service. Many requests have turned out to be from legitimate individuals or organizations, he says. Martin says he took advantage of another way Splunk can identify Web requests using what’s called URI data, which provides more detailed information on this type of request’s path across the Web.

Splunk can be configured to help identify problems and produce charts on possible security issues on a daily or weekly basis. Specific types of data can be correlated to help identify security weaknesses in firewalls, routers, and other parts of the corporate network, according to Martin. Reports can also provide additional details on intrusion events, including which systems may have been affected.

Splunk can also be used to search across logs for historical analysis. Searches can be conducted based on criteria such as host, security solution, and time period.

As Edmunds has gained experience using Splunk, the tool has grown more helpful at blocking threats, says Martin. Weekly attacks have declined approximately 80 percent since the tool’s implementation. It has also freed up staff time.