Ep07 - Eliminating Points of Failure with Zero-to-One

Successful implementation of Risk Based Alerting (RBA) in Splunk can be very challenging. Implementing any SIEM is challenging for that matter. We’ve seen a lot of teams struggle and distilled the problems we’ve observed into three key areas:

  • Getting data normalized across all feeds
  • Trying to build exhaustive detection programs before releasing them
  • Struggling to get a full picture of an alert event in order to make informed decisions

In this episode we discuss why teams get stuck here and introduce our newly launched RBA Zero-to-One app for Splunk(TM) ES, designed specifically to overcome these problems, generate additional benefits for your team dynamics, and lay a foundation for tackling a broader range of issues specific to your environment.

Technology – Critical Path: Scope -> Configure -> Enable

• Time and money to develop Splunk customizations
• Scoping of detection deployment and tuning cycles

Process – Critical Path: Detect/Alert/Investigate Loops: Decide -> Tune -> Show & Tell

• Over-engineering to solve problems created by inexperience with RBA
• Adoption of RBA-style alerts by the SOC/IR teams

People – Critical Path: See their data -> Execute Loops -> Feel Confidence

• Difficulty incorporating business context into alerting
