Outpost Security
RBA FAQ
Executive knowledge base & frequently asked questions
What is Risk Based Alerting (RBA)?
How does Risk Based Alerting work in Splunk® ES?
So RBA is just a new feature in Splunk ES?
What does Outpost Security actually do?
What’s the difference between the RBA in Splunk ES and Outpost RBA in the Outpost Security Apps?
What are the first principles that Outpost RBA is built on?
When did Risk Based Alerting become a thing?
How long has Outpost Security been working with RBA?
Why would I use the Outpost RBA App instead of RBA in Splunk ES?
What Fortune 500s have you worked with?
Where do teams make mistakes in implementing RBA?
What about automation - won't that eliminate the need for RBA?
I'm getting less and less value from my MSSP - can I get rid of them with RBA?
What is Risk Based Alerting?
Risk Based Alerting (RBA) in Splunk® ES is a framework for threat detection and alerting. The key differentiators between RBA and traditional alerting are:
The evolution from one-to-one alerting to many-to-one alerting, related by object.
The evolution from alerting on events or IOCs to alerting on behaviors (a series of events & IOCs).
How does Risk Based Alerting work in Splunk ES?
In RBA, the searches (called "Risk Rules") detect anomalies and record the matching search results (log events) to the risk index inside Splunk ES. A risk score is calculated for each event and attached to the associated objects found in that event (e.g. a user or a system).
A separate set of searches, called "Risk Incident Rules" or "Risk Notable Rules", then mines the risk index of anomalous events and potential threat activity. When one of these searches finds an object with enough risk events, a notable is created in Splunk ES. The most common alerting threshold is aggregate risk score, but notables can also be generated for other conditions, such as the variety of MITRE ATT&CK® tactics observed.
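The two-stage flow described above, as an added illustration that is not code from Outpost Security or Splunk: a handful of constructed risk events are folded onto their risk object (the "many-to-one" step), and a simplified Risk Incident Rule raises a notable either on aggregate score or on the number of distinct ATT&CK tactics seen. Field names, rule names, scores and thresholds are all assumed for the example.

```python
from collections import defaultdict

# Constructed sample risk events (not taken from any real Splunk ES risk index),
# shaped like what a Risk Rule records: object, object type, risk score,
# the rule that fired, and the ATT&CK tactic the rule is annotated with.
RISK_EVENTS = [
    ("jdoe",   "user",   20, "Rare Process Execution",       "Execution"),
    ("jdoe",   "user",   30, "New Scheduled Task",           "Persistence"),
    ("jdoe",   "user",   25, "Suspicious Credential Access", "Credential Access"),
    ("jdoe",   "user",   15, "Unusual Login Time",           "Initial Access"),
    ("web-01", "system", 40, "Outbound to Rare Domain",      "Command and Control"),
    ("web-01", "system", 40, "Outbound to Rare Domain",      "Command and Control"),
    ("web-01", "system", 40, "Outbound to Rare Domain",      "Command and Control"),
    ("asmith", "user",   30, "New Scheduled Task",           "Persistence"),
]

def aggregate_risk(events):
    """Many-to-one: fold every risk event onto its object, keeping the
    aggregate score plus the distinct rules and tactics that contributed."""
    agg = defaultdict(lambda: {"risk_score": 0, "rules": set(),
                               "tactics": set(), "event_count": 0})
    for obj, obj_type, score, rule, tactic in events:
        a = agg[(obj_type, obj)]
        a["risk_score"] += score
        a["rules"].add(rule)
        a["tactics"].add(tactic)
        a["event_count"] += 1
    return dict(agg)

def find_notables(events, score_threshold=100, tactic_threshold=3):
    """Simplified Risk Incident Rule: raise a notable for an object when its
    aggregate score crosses the threshold, or when it shows enough distinct
    ATT&CK tactics even though the score alone would not alert."""
    notables = []
    for (obj_type, obj), a in sorted(aggregate_risk(events).items()):
        reasons = []
        if a["risk_score"] >= score_threshold:
            reasons.append("risk_score")
        if len(a["tactics"]) >= tactic_threshold:
            reasons.append("tactic_variety")
        if reasons:  # one notable per object, carrying the contributing context
            notables.append({"risk_object": obj, "risk_object_type": obj_type,
                             "risk_score": a["risk_score"],
                             "rules": sorted(a["rules"]),
                             "tactics": sorted(a["tactics"]),
                             "reasons": reasons, "event_count": a["event_count"]})
    return notables
```

In the sample, web-01 alerts because three low-value hits of the same rule accumulate past the score threshold, jdoe alerts on tactic variety while still under the score threshold, and asmith's single event produces no notable at all.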
So RBA is just a feature in Splunk ES?
Yes and no. Risk Based Alerting can be a fundamental shift in how you detect and alert on threats. It is first and foremost a framework that is built and scaled using first principles.
The framework provides a shared vocabulary that carries through the entire Identify, Protect, Detect, Respond, Recover lifecycle.
The shared vocabulary and transparency allow security teams to align objectives. With shared priorities, all of the security teams are able to work together more efficiently and effectively.
The end result is metrics and performance improvements of 10x or more.
What does Outpost Security actually do?
Outpost Security is an independent Splunk partner. We have three core offerings:
Distribute and support our premium Splunk Apps
Implementation and training services for our Splunk Apps
Provide professional services for Splunk and Splunk ES as experts in threat detection, security operations and Splunk. These services focus on enabling the advanced cybersecurity capabilities and processes made possible by successfully implementing a Risk Based Alerting framework in Splunk ES.
What's the difference between the RBA in Splunk ES and Outpost RBA in the Outpost Security Apps?
Splunk ES still requires a large amount of customization and programming to make it work for security operations; this is true for small companies and large enterprises alike. Splunk Apps developed by Outpost Security contain best practices developed and tested by us through years of RBA deployment and operation.
Included in this is our own version of Risk Based Alerting. We still use the core ES frameworks (Data Models, Assets, Identities, Threat Intel, etc.) but we’ve added our own Intellectual Property to make ES function as you need it for your security program.
Think of it as the missing link between RBA “theory” and RBA practice. We’ve figured out the hard parts so you don’t have to re-invent the wheel.
What are the first principles that Outpost RBA is built on?
Outpost RBA is built on three first principles:
Expand - look at more data with broader detections.
Relate - around objects - allowing you to realize a "many-to-one" efficiency at large scale.
Enrich - use the expanded data and relationships to automatically show depth of context to each alert - including related objects and their context.
When did Risk Based Alerting become a thing?
Splunk released their first embedded RBA features in Enterprise Security 6.5 in late 2020. Before that, a number of Splunk customers were using a publicly available Splunk App (SA_RBA) that was downloaded from GitHub.
How long has Outpost Security been working with RBA?
Our co-founder and CTO, Stuart McIntosh, gave the first RBA in Splunk ES talk at .conf 2018. In 2019, we founded Outpost Security to deliver RBA as a supported Splunk App.
Outpost Security made a significant contribution to programming the SA_RBA App. Since then we have released several proprietary Splunk Apps that extend the capabilities of Splunk ES. To date over 1,000,000 users are being alerted on daily in multiple companies, from public sector organizations to Fortune 500 environments.
Why would I use the Outpost Apps instead of RBA in Splunk ES?
While there are RBA fundamentals built into RBA in Splunk ES, there is still a lot of configuration and programming work to be done, in addition to deploying and tuning RBA detections. Large and complex environments will require advanced techniques and custom programming to implement Risk Based Alerting in your SOC.
Outpost ZERO to ONE (Splunkbase) is a Splunk App designed to implement RBA in less than two weeks.
Outpost RBA (Splunkbase) is a Splunk App that includes all of the advanced features and workflows that will make RBA effective in large environments (>2000 users, over 3 TB of daily ingest) or complex organizations (multiple operating companies), saving you months of programming and effort to deploy.
We pair our Apps with a proven implementation method, modifications per your specifications, and multiple trainings for your Splunk and security teams to make Risk Based Alerting the fully functioning foundation of your detection and alerting program.
Why Splunk ES?
Splunk ES offers core functionality that is either not found in other SIEMs or not easy to leverage there (i.e. it requires non-native programming or functionality):
Ability to combine data across sources.
Ability to normalize data to make the source technologies interchangeable.
Ability to incorporate foundational data (assets, identities, threat intel) using a common framework.
What customers have you worked with? Any Fortune 500s?
We don't publicly disclose that, but we are happy to connect you with our satisfied customers from those companies as well as RSMs and SEs at Splunk. The largest customer we’ve worked with has about 350,000 employees globally.
Where do teams make mistakes in implementing RBA?
Because RBA is such a foundational shift and contains many layers (when implemented fully), it's difficult to be successful without getting each part correct and in the right order. Common mistakes include:
Failing to properly normalize assets, identities, and log data.
Viewing RBA as just a technology or a "new detection method" only.
Attempting to "game the system" by putting too much or not enough weight on individual event risk scores.
We did a podcast episode on this topic, which is also the very reason we developed the Outpost Security ZERO-to-ONE Splunk App.
What about automation - won't that eliminate the need for RBA?
Security Automation has huge potential in solving a multitude of challenges facing security teams. RBA actually makes automation faster, easier, and more robust. The alerts RBA generates are highly structured, with rich context, allowing universal playbooks to run effectively - minimizing overhead and maintenance required from the automation engineers.
I have all of these legacy systems; do I need to worry about those before I can change my alerting methodology?
With Splunk and Outpost RBA, we can absorb the data from your legacy systems and give you the opportunity to cut over to new systems seamlessly, without security gaps or an overhaul of the SIEM and your existing detections.
I'm getting less and less value from my MSSP - can I get rid of them with RBA?
Yes - implementation of Outpost RBA allows you to become exponentially more self-reliant without adding staff. By eliminating L1 alerts, your MSSP won't have much left to do (except maybe cover nights & weekends).
In this podcast episode, Jimi Mills from Texas Instruments talks about how they went from handling 2,000 cases per year to over 12,000 per year without adding headcount.
Do Outpost Splunk Apps work on Splunk Cloud?
Yes. All versions of our Apps are validated by Splunk AppInspect, and we are happy to share the inspection report with you.
“We are realizing a cash savings of $500,000 per year with Outpost RBA.”
— Senior Manager of Security & Threat