Splunk – A one field game changer
At rSolutions, we often get asked by clients and people we meet about the power of Splunk and why we’re so invested in the technology. It’s a great question for a number of reasons. In IT, and really in technology in general, we’ve become a little used to the notion of a new technology coming out and, in no time, losing its lustre. Additionally, when the occasional truly interesting idea comes up, everybody and their dog soon has a similar technology built on the same principle. Remember sandboxing? It was “disruptive” when it came out, and in time other companies found ways to plant their own technology in the same mental real estate, making it a commonplace feature rather than a technological disruption. The disruptive turned commonplace. It’s almost becoming a foundational law of technology: something new and shiny comes out, it’s disruptive for a time, then it’s not, then something else comes along.
The Splunk Difference
So what makes Splunk different? We think it’s the rate of advancement in the Big Data analysis space that will keep it ahead of the pack for the foreseeable future. But instead of boring you with advantages that sound more like a sales pitch, we want to tell you a story about how it helped a client. The proof is in the pudding (whatever that means…long story short, we’ll prove it)!
Because we’re a security company, naming names is not something we do, but we can tell you about a scenario where a client changed their business with visibility into just one field.
Web proxy logs contain a number of interesting data points, not least of which is the user agent field. The user agent is a string the client sends with each request to identify itself: for a browser it names the browser and gives some tidbits about the operating system it runs on. This allows a web site to customize content for the capabilities of a particular device, but it also means that every piece of software talking through the proxy leaves a record of what it is and what it runs on, which may raise security issues of its own.
Welcome to the Splunk Dashboard
We created a Splunk dashboard for our client on this one unremarkable field (one of many), and with it the business was instantly afforded three major insights. The first was antivirus (AV).
Using the dashboard, the Security Administrator had instant visibility into who had unauthorized AV running in the environment, identified by the calls it was making out. He saw that those calls were using improper ports and that, because some of these AV products were unsupported, they also weren’t being updated.
With this new visibility the Admin was able to hand the team specific, targeted actions: bring the supported AV that had fallen out of date back up to date, get rid of the unsupported AV, and patch the holes created by competing AV products operating in the environment, holes caused by these less-than-helpful but well-intentioned removals and additions.
The next insight was visibility into the operating systems running in the environment. Once again, this single but useful dashboard showed there were a few systems still running…wait for it…Windows XP. Yep, XP. An altogether unsupported OS still clunking away because (let’s call him “Tyler”) Tyler from the Communications branch doesn’t like change. He hid from the upgrade years ago and has been secretly indulging in the comfort of XP’s unchanging features. What Tyler didn’t know (or care about) was that XP hasn’t had a security patch since April 8th, 2014, over two years before our work with the client.
The next day our security admin was able to get the security team zeroed in on replacing those relics, allowing more of his organization to enjoy computing in the modern era. And with Solitaire, Spider Solitaire and Minesweeper now fully disengaged, the organization is getting better yield from Tyler. Win-win!
The Insight of Data Visualization
The last insight was probably the largest and most useful. By looking at the data visualizations afforded by Splunk, our security admin was able to see the callouts made by web-enabled apps. By filtering the view down to the callouts from these apps that went unanswered, the team was able to quickly identify missing patches, security vulnerabilities, outdated apps and more. Once again, data insights allowed the security admin to instantly see vulnerabilities and make plans to remediate them quickly.
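As an added example (not from the original post, and not the dashboard built for the client it describes), the script below shows the kind of single-field analysis all three insights rest on, run over constructed proxy log lines in a simplified, assumed layout: it maps user agent strings to operating systems, lists hosts whose agents report an unsupported OS, surfaces non-browser agents (software calling out) together with the ports they use, and counts callouts that failed or went unanswered. Every product name, host and address in it is made up. In Splunk the same groupings are a `stats count by` over the extracted user agent field; the Python here makes the logic explicit and runnable offline.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (made up for this example, not from any real
# environment). Assumed layout, one request per line:
#   <client_ip> <method> <url> <http_status> "<user_agent>"
# A status of 0 marks a request that never received a response.
SAMPLE_LOG = """\
10.0.0.12 GET http://news.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
10.0.0.37 GET http://intranet.example.com/ 200 "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
10.0.0.37 GET http://update.example-av.test:8089/defs/latest 0 "ExampleAV-Updater/3.2"
10.0.0.51 POST http://telemetry.example-widget.test/ping 503 "WidgetApp/1.4 (Windows NT 6.1)"
10.0.0.51 POST http://telemetry.example-widget.test/ping 503 "WidgetApp/1.4 (Windows NT 6.1)"
10.0.0.64 GET http://update.example-av.test/defs/latest 200 "ExampleAV-Updater/3.2"
10.0.0.64 GET http://www.example.org/ 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17"
10.0.0.80 GET http://apt.example.net/dists/ 200 "Debian APT-HTTP/1.3 (1.2.12)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Windows identifies itself by NT version in the user agent; these mappings are fixed.
WINDOWS_VERSIONS = {
    "Windows NT 5.1": "Windows XP",
    "Windows NT 6.1": "Windows 7",
    "Windows NT 10.0": "Windows 10",
}
# XP has had no security patches since April 8th, 2014.
UNSUPPORTED_OS = {"Windows XP"}


def parse_log(text):
    """Parse log text into records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, url, status, ua = m.groups()
            records.append({"client_ip": ip, "method": method, "url": url,
                            "status": int(status), "user_agent": ua})
    return records


def os_from_user_agent(ua):
    """Best-effort operating system from the platform tokens in a user agent."""
    for token, name in WINDOWS_VERSIONS.items():
        if token in ua:
            return name
    if "Mac OS X" in ua:
        return "macOS"
    if "Linux" in ua or "Debian" in ua:
        return "Linux"
    return "unknown"


def hosts_by_os(records):
    """Map each detected OS to the set of client IPs that reported it."""
    out = defaultdict(set)
    for r in records:
        out[os_from_user_agent(r["user_agent"])].add(r["client_ip"])
    return out


def unsupported_os_hosts(records):
    """Hosts whose user agents report an OS on the unsupported list (the 'Tyler' check)."""
    return {name: sorted(ips) for name, ips in hosts_by_os(records).items()
            if name in UNSUPPORTED_OS}


def software_agents(records):
    """Non-browser user agents (software calling out) with the destination port used."""
    counts = Counter()
    for r in records:
        if r["user_agent"].startswith("Mozilla/"):
            continue  # browsers; we want the apps and updaters
        parts = urlsplit(r["url"])
        port = parts.port or (443 if parts.scheme == "https" else 80)
        counts[(r["user_agent"], port)] += 1
    return counts


def nonstandard_port_agents(records):
    """Software agents calling out on something other than 80/443 (the 'improper ports')."""
    return sorted(key for key in software_agents(records) if key[1] not in (80, 443))


def failed_callouts(records):
    """Per agent, how many callouts got no answer (status 0) or a server error."""
    counts = Counter()
    for r in records:
        if r["status"] == 0 or r["status"] >= 500:
            counts[r["user_agent"]] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hosts by OS:", {k: sorted(v) for k, v in hosts_by_os(recs).items()})
    print("unsupported OS:", unsupported_os_hosts(recs))
    print("software calling out:", dict(software_agents(recs)))
    print("non-standard ports:", nonstandard_port_agents(recs))
    print("failed/unanswered callouts:", dict(failed_callouts(recs)))
```

The three views correspond to the three insights: `unsupported_os_hosts` is the XP finding, `software_agents` and `nonstandard_port_agents` are the unauthorized AV and its odd ports, and `failed_callouts` is the filter to unanswered callouts that exposed the outdated apps. The OS mapping is deliberately a fixed table rather than a full user agent parser, so a new platform shows up as "unknown" and gets looked at instead of being silently misfiled.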
Just one dashboard. One dashboard allowed them to identify potential weaknesses, head off challenges that had the potential to be incredibly time-consuming, and be proactive in addressing issues instead of reactive, and it all came from insights easily shown in Splunk.
This, for us, is one of the best Splunk stories, because it’s an incredibly common one. We see every day how businesses become more efficient in ways they never dreamed possible, how organizations improve their security posture because all data is now security-relevant, and how visibility can help you better predict outcomes based on the data you already have.