Splunk Enterprise Security

Universal Forwarder on workstations for Enterprise Security

aelliott
Motivator

Should I install a universal forwarder on everyone's workstation in order to track possible malware attacks through correlation searches? Is this best practice?

0 Karma
1 Solution

jcoates_splunk
Splunk Employee

Hi,

I would not. Typically malware information can be easily gathered from a database (whether the EPP product's own, or a config management tool).

0 Karma

aelliott
Motivator

I'm leaning towards yes on this question.
ES is good at telling you that there are anomalies in flows of data.
You've still got to apply the subject matter expertise to know if that's malware behavior or something else (through the use of a security analyst).
Malware is more likely to occur on a user's machine, which could lead to an outbreak.
Catching anomalies early can prevent an outbreak.

0 Karma

aelliott
Motivator

Since you did technically answer my question correctly 🙂 I did not phrase it correctly. I meant to view Windows security events that could possibly be malware, not specifically malware events. Thanks!

0 Karma

aelliott
Motivator

Correct, and those anomalies are what our security analyst would look at to determine the root cause and determine whether or not it is possibly intrusive activity. You'd be able to correlate with several other users' machines to determine what is an anomaly and what is normal activity.

0 Karma
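As an added illustration of the cross-machine baselining described in the post above (not code from this thread or from Splunk; the hostnames, paths and event counts are constructed), this Python sketch does what a correlation search over forwarded Windows Security events would do: flag a process that only one workstation runs, and a workstation whose failed-logon volume is far above the fleet median. It reports "this is weird", not "this is malware"; the analyst still decides.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of Windows Security events as a universal forwarder on each
# workstation would ship them (fields trimmed to what the baseline needs;
# hostnames, user names and paths are made up for this example).
def ev(host, code, proc=None):
    return {"host": host, "EventCode": code, "NewProcessName": proc}

FLEET = ("ws01", "ws02", "ws03", "ws04")
EVENTS = [
    # 4688 process creation: system processes that run on every workstation
    *[ev(h, 4688, r"C:\Windows\System32\svchost.exe") for h in FLEET],
    *[ev(h, 4688, r"C:\Windows\explorer.exe") for h in FLEET],
    # a developer tool on two machines: uncommon, but not unique
    ev("ws01", 4688, r"C:\Program Files\Git\cmd\git.exe"),
    ev("ws02", 4688, r"C:\Program Files\Git\cmd\git.exe"),
    # a binary launched from a temp directory on a single machine
    ev("ws03", 4688, r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    # 4625 failed logons: one machine has far more than the rest
    ev("ws01", 4625), ev("ws02", 4625), ev("ws02", 4625),
    *[ev("ws04", 4625) for _ in range(12)],
]

def fleet_hosts(events):
    return {e["host"] for e in events}

def rare_processes(events, max_hosts=1):
    """Processes seen on at most max_hosts distinct workstations.
    What every machine runs is normal by definition; what a single machine
    runs is what an analyst should look at, even if the EPP stays silent."""
    hosts_by_proc = defaultdict(set)
    for e in events:
        if e["EventCode"] == 4688 and e["NewProcessName"]:
            hosts_by_proc[e["NewProcessName"].lower()].add(e["host"])
    return {p: sorted(h) for p, h in hosts_by_proc.items() if len(h) <= max_hosts}

def volume_outliers(events, event_code, factor=3.0):
    """Hosts whose count of event_code exceeds factor x the fleet median.
    Hosts with zero occurrences stay in the baseline so that one noisy
    machine cannot drag the median up and hide itself."""
    counts = {h: 0 for h in fleet_hosts(events)}
    for e in events:
        if e["EventCode"] == event_code:
            counts[e["host"]] += 1
    threshold = factor * median(counts.values())
    return {h: c for h, c in counts.items() if c > threshold}

if __name__ == "__main__":
    print("rare processes:", rare_processes(EVENTS))
    print("failed-logon outliers:", volume_outliers(EVENTS, 4625))
```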

jcoates_splunk
Splunk Employee

As a Splunker, I suppose that I ought to suggest that you log all events from all software products and use full packet capture too 🙂 However, there's still a question about what you'll do with that data. ES is good at telling you that there are anomalies in flows of data, but you've still got to apply the subject matter expertise to know if that's malware behavior or something else. It won't tell you "this thing is malware that your EPP vendor doesn't know about", it will tell you "this is weird".

aelliott
Motivator

What about malware events that do not get detected by anti-malware software? I think that is the benefit of Enterprise Security, the ability to track down these threats before they become "known" malware.

0 Karma