vuln_exec_summary EDITEDA common motivational phrase “If you’re not moving forward, you’re falling behind” embraces the idea that simply trying to maintain the status quo isn’t really just being stagnant, but also means you’re being overrun by the world.  This idea applies to many different things in life such as professional sports, IT, and yard work. Okay. That last one is my own personal challenge to keep up with. In sports, if you’re not innovating new plays and adding new talent, while your competition is doing both, catching up and staying on top is impossible.  In IT, the pace of change often indicates just how far you fall behind by not moving forward.  New technology isn’t just neat and cool, over time it becomes a necessity.

Cybersecurity is closer to the professional sports analogy than regular IT.  But your competitors aren’t just trying to win the same trophy as you, they are bad actors trying to delete or steal confidential and proprietary information.  For the Federal government, this reality has played out vividly and publicly. Embarrassing and costly breaches have been in the headlines seemingly non-stop.  CIOs and CISOs have been working hard to improve and move forward, investing in new technology and cybersecurity talent that can make a difference.

Sometimes attention to areas that were invested in originally, fall by the wayside, as new shiny objects appear that solve immediate threat vectors.  It’s a tough challenge to keep up with all the new threats, vulnerabilities, and technologies to mitigate them.  One area GuidePoint Security is focused on is making sure that past investments continue to show value through small investments that move them forward.  A prime example is Splunk.

Splunk is a fantastic big data platform that offers nearly unlimited analytic possibilities and ways to ferret out bad guys in an environment before they can do harm.  It’s also a highly customizable platform that offers opportunity to orchestrate labor intensive tasks that are repeated often. These tasks cost organizations hours of valuable analysts’ time that could be spent proactively hunting or evaluating new alerts and threats.  GuidePoint has enjoyed great success deploying Splunk into environments for customers showing significant value and ROI.  However, we have even greater success showing customers that continued investments in Splunk produce even larger gains.

Fine tuning Spunk on a routine schedule can mean the difference between powerful results or a slow depreciation in value.  Here are just three possible initiatives to improve an existing Splunk implementation for your environment:

  1.  Integration of products purchased or implemented since the last services engagement.

One of the most common use cases for Splunk security implementations is funneling security alerts and information into the platform for analytics and dashboards. Over time, two things happen.  First, new tools and solutions are added and are either not integrated or not integrated fully into Splunk.  Second, tools that were originally fed into Splunk need updating as their functionality and Splunk’s functionality may not be fully realized.  Splunk is a highly customizable, fully programmable platform. Splunk can not only ingest and compare threat feeds and data from security tools, but can also integrate to centralize consoles and controls of many different products. An example that GuidePoint has already implemented for customers is allowing SOC operators to stay in the Splunk interface and make changes to Palo Alto products in response to Splunk analytics, without having to switch consoles. This type of integration can be done with many security products.

  1. Orchestration of routine labor intensive manual processes.

Many SOC teams have scripts to “automate” recurring labor-intensive tasks.  I put the term automate in quotes because, in reality, it’s an orchestration that requires human interaction to initiate.  It typically is not automated in the true sense of the word because fully automated responses can be dangerous.  Orchestration is a better description. These are usually created out of necessity, under time crunch by a high level security analyst.  While this typically fills the immediate need of the SOC and is usually shared with the team, there are two problems with this scenario.  First, the only person that knows how the script really works is the original programmer.  Others have to rely on that person’s knowledge and availability to make improvements or fixes.  If the individual ever leaves, knowing what that script does and how it can be adjusted, could become a problem.  Second, the decision on what to automate may be made without full knowledge of management and the end result could positively or negatively impact the SOC or IT infrastructure.

Having an outside firm such as GuidePoint Security come in and sit down with the SOC team to discuss recurring, labor intensive processes that could be orchestrated, elevates the conversation to a more visible decision process.  Secondly, it allows the programming in Splunk to be well documented in a deliverable method that is more easily maintained inside of Splunk’s language. The script is no longer written in a personal preference language that may not be known or maintainable by the rest of the team.

  1.  Improving dashboard functionality and efficiency.

It has already been mentioned that over time new products might need to be added to the Splunk dashboards since the original configuration and coding was done.  However, there are more improvements and efficiencies that can be addressed on the dashboards for a SOC.  Often GuidePoint Security finds that fine tuning what is being displayed can only be done after some usage.  SOC front line folks will have a good idea of efficiencies and improvements that can help them get their jobs done faster.  Non-traditional metrics may have become obvious that could be added to the dashboards to significantly improve the SOC team’s knowledge of their security posture.

Lastly, continued refinement of one-click reports for SOC and top line leadership, in particular, can significantly assist security teams in meeting their own and management’s needs, reducing time-to-discovery and security posture reporting to management in real-time.

GuidePoint Security performs professional services implementing these kinds of improvements for customers with Splunk every day.  We can augment your environment for short engagements and significantly improve the value and efficiency of your security investments.  So consider these and other initiatives and make sure your Splunk implementation doesn’t stagnate or move backwards because it’s not moving forward.


About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: