Tag Archives: Splunk

Highlights: Splunk Presentation with U.S. Steel’s James Wolfe

Leave a reply

This event was held October 26th, and in case you missed it, here are some of the highlights to be taken away from the presentation.  So, if you were in class and regretted now skipping class for this, we have got you covered!

Main Points:

  • Searches – he discussed how when you use the search bar, it is important to understand its format:
    • [general code] | [less general] | [continually more specific search]
    • as you can tell, the idea is that there are commands that you use that are processed from left to write, and each command is separate by the |(pipe).
  • Save searches! – with there being so many different ways to slice all of the network traffic that Splunk is managing, having different frequented searches saved is very convenient to insure more time searching network traffic, and not google for Splunk commands.
  • Statistics – in order for anomaly detection to work, there needs to be an idea of what is normal.  One person’s smile could be another person’s bad-day face.  It is important to judge off of what is normal for the network traffic, much like judging someone’s behavior off of what is normal for that person.  The statistics generated are what determines what falls within normal behavior for their network.
  •  Real-time Graphs & Charts – generating graphs and charts that will actually change and adjust in real time are super important.  It allows an easy way to understand what is going on in the network – instantaneously.  Wolfe stressed that bosses will love something so clean, visually appealing, and content-specific.

Splunk application:

This presentation was about Splunk, the security event manager/log aggregation software.  If you have had Paullet’s class and suffered through the wonderfully challenging Enron emails assignment, then you have had a small taste of this software’s capabilities.  Splunk can be used for a wide variety of applications because of its ability to organize/index large sums of information with ease into databases, or indexes.  James Wolfe focused on Splunk’s network security applications.  James Wolfe is a security administrator for U.S. Steel, so his job requires him to focus on network traffic such as IPs, users, or anything that could potentially indicate a point of failure for their network.  Wolfe explained that the beauty of Splunk is that you can start looking without needing to know exactly what it is that you are looking for – exactly how I described my use of Splunk when trying to find incriminating Enron emails.  Because security is the importance of the job, he discussed the commands that would be useful for security.  These things included:

  • dedup – removes duplicates in your search.
    • EX: dedup user, src_ip
  • wineventlog
    • 4625 – this code indicates a failure to log in

A very basic example shown to us to show how the data was being used to detect anomalies was through the ratio or successful to unsuccessful log ins for users.  By creating a baseline formula for the rate of successful logins for each user, the computer can flag any time there is a change in this rate that goes within 1-2 standard deviations.  The data is all producing algorithms and equations based on what you – the user of the Splunk software – deems important.

  • table_raw – views the raw informaiton that splunk pulled the information from for the databases/indexes

This raw information was very education in seeing how convenient the software is, because the raw version was pretty jumbled, messy, and difficult to understand.

Career Advice:

  • Deskside/IT support is a good career start – you learn to troubleshoot
  • Ask as many questions as you can – be willing to do projects; this will make you valuable.
  • CERTIFICATIONS: N+* – basic fundamentals of networking.
  • Government – certifications are legally required
  • CCNA – CISCO; mid-level
  • Maintain a strong work ethic
  • Log into a firewall – download free for home*
  • 2 year schools like ITT tech allows hands on experience
  • 4 year degree preferable, but less hands on – it proves that you are hardworking and willing to put in the time necessary; this ties in greatly with having a strong work ethic.
  • Microsoft imagine account; dream spark; 2016 data center OS worth $3,000 [we get it for free at RMU, so utilize it!]
    • Spin up a DHCE from home
  • All acronyms – know.
  • Splunk: just saying that you have worked with Splunk automatically gives you an edge against the competition for any job in security.
  • Google: useful; know that it really is alright to google what you do not understand when doing anything on the computer.  There is so much to know, and as long as you accept that you will be learning throughout your entire career, you will be able to stay in demand with employers.

Fun Facts:

  • Companies have filters on their employee’s computers preventing them from going on certain sites.  Because you cannot access these through google, users will use Bing as their loophole to sites that they are not supposed to access.
  • U.S. Steel, much like other companies, uses firewall redundancy to prevent any debilitating security errors.
  • Splunk is free to download; free for developers license. All software is free all you need is to buy your own server with 16 gigs – plenty for an at home – of ram.  Buy second NIC. Spin up VMs. Download licenses.