
Splunk, the best SIEM solution? Adrien C. shares his experience


June 23, 2020

Adrien C., a cybersecurity consultant with Squad for the past year and a half, is currently on assignment with a well-known client in the Toulouse region. He is currently working in the client's SOC and shares his best practices with us. We review the basics and analyze his everyday work tool, Splunk.

https://youtu.be/UBgoKAhvyH4

SOC, the basics

The term SOC (Security Operations Center) refers to a department within a company whose primary function is to ensure IT security.

Among the many roles within a SOC is that of the SOC analyst, whose objective is to monitor, detect, and analyze security incidents, often under the direction of a security manager.

The SOC is therefore responsible for protecting IT systems against various threats and potential cyberattacks at every level of the information system (network, software, access rights, etc.). It monitors activity on the IT infrastructure (this is known as monitoring) by collecting various types of information, mainly the activity logs of the different assets, more commonly referred to as logs or machine data.

Analyzing these logs allows security breaches to be detected. As the nerve center of an IT system's security, the SOC generally relies on a SIEM (Security Information and Event Management) system, which is responsible for managing and collecting logs. It correlates these logs, i.e., links several events to a single cause.

In general, a SIEM operates as follows:

- Collection: the SIEM takes as input events collected from the information system, either passively or actively. Event logs come from a variety of sources (firewalls, routers, servers, databases), and various log formats are supported.

- Normalization: events are first saved in raw format, to preserve their evidentiary value, before being normalized into a more readable format. Normalization is what makes multi-criteria searches possible.

- Aggregation: filtering rules are then applied to retain the most relevant criteria before everything is sent to the correlation engine.

- Correlation: correlation rules make it possible to identify an event that caused several others to occur (for example, an attacker who successfully penetrated the network and subsequently interacted with a particular piece of equipment). They also allow alerts to be escalated in several ways, such as opening a ticket if the SIEM is interfaced with a ticket management tool.

- Reporting: this step creates and generates dashboards and reports, which give the various SOC stakeholders (CISO, L1/L2 team, L3, etc.) visibility into the IT system (number of attacks, number of alerts per day, etc.).

- Archiving: a SIEM may be used in a legal context, so archiving events is necessary to guarantee the integrity of the traces.

- Replay: events can be replayed after an incident in order to conduct in-depth analyses and study the behavior of the security equipment.

SIEM varieties

There is now a wide variety of SIEMs available: Intrinsec, LogPoint, QRadar, SolarWinds, etc.

Among these is Splunk Enterprise Security, a solution developed by the company of the same name that integrates a wide range of features to help businesses deal with external threats (and internal threats too, a danger that is often overlooked in favor of the former).

It provides a comprehensive overview of the data generated by security technologies covering networks, endpoints, access points, malware, system vulnerabilities, and identity information, and can be deployed in several ways: as software, as a cloud service, or in a private cloud.

In addition to the event management I mentioned earlier, Splunk also incorporates threat response mechanisms and allows automated response actions to be launched to speed up manual tasks.

In addition, it facilitates alert management by integrating intuitive visual elements via a risk scoring system and dashboards, and allows you to easily customize the type of view you want.

It is possible to interact with Splunk via the Search Processing Language (SPL), a language of its own that resembles SQL in terms of its capabilities, but with its own syntax in order to fully exploit the power of its indexing engine.

SPL allows events to be extracted at the user's discretion and refined according to certain fields and/or a given time period.

It is also possible to create reports to save searches and dynamically view changes in the data. Each report contains one and only one saved search.
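The collection, normalization, aggregation and correlation steps described above, together with the kind of field- and time-based refinement a search performs, as a constructed Python example added here (it is not Splunk code and not part of the original article): two raw log formats are normalized into a common schema, then a correlation rule flags a successful logon that was preceded by repeated failures from the same source within a time window. The log lines, host names, account names and addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): sshd syslog lines and Windows-style
# security events reach the SIEM in two different raw formats.
RAW_EVENTS = [
    "2020-06-23T09:00:01 fw01 sshd[1201]: Failed password for root from 203.0.113.7 port 4411 ssh2",
    "2020-06-23T09:00:03 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 4412 ssh2",
    "2020-06-23T09:00:05 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 4413 ssh2",
    "2020-06-23T09:00:09 fw01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 4414 ssh2",
    "2020-06-23T09:10:00 srv02 EventCode=4625 Account_Name=j.doe Source_Network_Address=198.51.100.9",
    "2020-06-23T09:40:00 srv02 EventCode=4624 Account_Name=j.doe Source_Network_Address=198.51.100.9",
]
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<action>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) Source_Network_Address=(?P<src>\S+)")
WIN_OUTCOME = {"4625": "failure", "4624": "success"}  # Windows logon failed / logon succeeded


def normalize(raw):
    """Normalization: map one raw line onto a common schema, keeping the raw line as evidence."""
    m = SSH_RE.match(raw)
    if m:
        outcome = "failure" if m["action"] == "Failed" else "success"
    else:
        m = WIN_RE.match(raw)
        if not m or m["code"] not in WIN_OUTCOME:
            return None  # unsupported format or event type: dropped, not guessed
        outcome = WIN_OUTCOME[m["code"]]
    return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": outcome, "raw": raw}


def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Aggregation + correlation: per source, flag a success preceded by >= min_failures failures in the window."""
    by_src = defaultdict(list)
    for e in sorted(filter(None, events), key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            prior = [p for p in evs[:i] if p["outcome"] == "failure" and e["time"] - p["time"] <= window]
            if len(prior) >= min_failures:
                alerts.append({"src": src, "user": e["user"], "host": e["host"],
                               "failures": len(prior), "success_at": e["time"].isoformat()})
    return alerts


def run(raw_lines=RAW_EVENTS, **rule):
    """Full pipeline: normalize every raw line, then apply the correlation rule."""
    return correlate([normalize(r) for r in raw_lines], **rule)
```

The second source in the sample (one failure thirty minutes before the success) falls outside both the failure threshold and the time window, so only the first source raises an alert.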

Is Splunk a good solution?

Splunk is therefore a software platform that allows users to search, analyze, and visualize data, particularly in a big data context. It is a solution that offers many advantages, including the ability to visualize activity in real time, but it also has some drawbacks.

In terms of advantages, we can mention its flexibility: Splunk ES is suitable for small organizations with low data volumes as well as for complex structures with large volumes of data to process.

It is also highly extensible thanks to the Splunk community, which provides numerous connectors and extensions. Finally, another positive point is the impressive power of its indexing engine.

The main drawback lies with SPL, which, although powerful and offering great possibilities in terms of searching, remains relatively complex to master.
