
Splunk Going Up Against the Growing Threat of Ransomware

How to Increase Your Security Defenses With Machine Data and Risk Analysis

The Changed Mindset of Today’s Hacker: Ransomware Takes Over

Fifteen to twenty years ago, viruses on machines were already a problem. A user might insert a disc or a USB stick, or visit a website and click on something malicious, and run an infected file that would spread and wreak havoc on a system, not terribly different from the scenario we all face today. But here is the difference: today, attackers already know they have the capacity to cause chaos and frustration, so why do it for free? Now that the thinking has changed, an infection may not destroy files, but there is a good chance it will encrypt them. When the infected user wants to work on their system, it is locked, there is no access to files, and a threatening message demands a certain amount of money to decrypt the data. This is the era in which ransomware was born.

Splunk for Ransomware

Fortunately, Splunk offers numerous capabilities that assist organizations in defending against the ongoing onslaught of ransomware attacks.

From the outset, deploying Splunk in an environment lets the security team collect logs from every source: Windows and Linux hosts, applications, and network devices. Analysts can then correlate that information across a router, a desktop, and a second desktop to reconstruct what happened and how the malware got in. Based on what is discovered, alerts can be set up so that analysts can act early. Instead of reacting after an entire office has already been taken down, the security team is notified on the first instance and can take containment measures so the ransomware does not spread across the organization.

Splunk Security Essentials

Splunk Security Essentials runs on Splunk Enterprise and uses the Search Processing Language (SPL) to provide over 55 examples of anomaly detection based on user and entity behavior analytics (UEBA). Each example includes sample data and actionable searches that can be put to use immediately within the environment.

The use cases apply analytics that let security analysts detect unusual activity, such as a user printing far more pages than is typical for them (spike detection), a user logging onto a server they have never used before (first-seen behavior), adversaries renaming files to evade detection, and more. Each use case includes:

  • Expected alert volume
  • Explanation of how the search works
  • Description of security impact
  • Ability to save searches directly from the app in order to initiate alert actions

Splunk Security Essentials for Ransomware

Splunk Security Essentials for Ransomware is an app designed to help Splunk users manage the risk of, and response to, WannaCry and similar ransomware families. The app provides a starting point that can be customized for a specific environment, and includes over twelve use cases that let analysts measure how effectively the risk of ransomware is being reduced. It also provides searches that help detect the effects of ransomware within the enterprise. Like Splunk Security Essentials, it runs on Splunk Enterprise and uses SPL to deliver working detection examples and best practices for preventing infections.

Taking Levels of Risk and the Power of Data Into Account

Even Splunk Security Essentials on its own gives security teams built-in logic for evaluating users’ behavioral patterns, from which a report can be generated with a numeric risk level attached to each user or host. When a security analyst reviews a report covering several thousand machines, the top five offenders are highlighted based on their unusual behaviors and the risk associated with them. Run-of-the-mill intrusion detection and prevention tools do not rank entities this way, and the capability gives organizations considerable power to manage and mitigate risk before it becomes a problem.
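To make the analytics named above concrete (first-seen behavior and spike detection) and to show how their hits roll up into the kind of ranked risk report just described, here is an added example in plain Python. It is not Splunk code, not part of Splunk Security Essentials, and not from the original post: it reproduces the logic of those use cases over a handful of constructed log events, with made-up users, hosts, page counts, thresholds and risk weights. In Splunk the same logic would be expressed as SPL searches over indexed events; the point here is the analytic itself.

```python
"""Entity-behavior analytics with per-user risk scoring (added example, not Splunk code).

Implements the two analytics described in the text, first-seen behavior and spike
detection, then aggregates their hits into a per-user risk score to produce a ranked
"top offenders" report. Users, hosts, page counts, thresholds and weights are all
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev


def _ev(day, user, action, **fields):
    """Build one normalised log event (constructed sample data)."""
    return {"day": date(2024, 3, day), "user": user, "action": action, **fields}


# Constructed events: five baseline days (1-5) of normal activity, then day 8 under review.
EVENTS = []
for d in range(1, 6):
    EVENTS += [
        _ev(d, "alice", "logon", dest="fileserver01"),
        _ev(d, "alice", "print", pages=10),
        _ev(d, "bob", "logon", dest="fileserver01"),
        _ev(d, "bob", "print", pages=[5, 6, 5, 6, 5][d - 1]),
        _ev(d, "carol", "logon", dest="hr-app"),
    ]
EVENTS += [
    _ev(8, "alice", "logon", dest="fileserver01"),
    _ev(8, "alice", "logon", dest="dc01"),  # alice has never logged on to this host before
    _ev(8, "bob", "logon", dest="fileserver01"),
    _ev(8, "bob", "print", pages=60),  # roughly ten times bob's usual daily volume
    _ev(8, "carol", "logon", dest="hr-app"),
]
BASELINE_END = date(2024, 3, 5)

# Assumed risk weights per detection type; a real deployment tunes these per use case.
RISK_WEIGHTS = {"first_seen_logon": 20, "print_spike": 30}


def first_seen(events, baseline_end, key=("user", "dest")):
    """First-seen behavior: (user, dest) pairs after the baseline never observed during it."""
    has_key = lambda e: all(k in e for k in key)
    seen = {tuple(e[k] for k in key) for e in events if has_key(e) and e["day"] <= baseline_end}
    hits = []
    for e in sorted(events, key=lambda e: e["day"]):
        if e["day"] <= baseline_end or not has_key(e):
            continue
        pair = tuple(e[k] for k in key)
        if pair not in seen:
            hits.append(e)
            seen.add(pair)  # report each new pair once, then treat it as known
    return hits


def spike_detection(events, baseline_end, field="pages", group="user", sigma=3.0, min_ratio=1.5):
    """Spike detection: daily totals of `field` above the user's baseline mean + sigma*stdev.

    A constant baseline has stdev 0, so `min_ratio` stops a one-page increase from alerting.
    """
    daily = defaultdict(float)
    for e in events:
        if field in e:
            daily[(e[group], e["day"])] += e[field]
    hits = []
    for entity in sorted({g for g, _ in daily}):
        base = [v for (g, d), v in daily.items() if g == entity and d <= baseline_end]
        if len(base) < 3:
            continue  # too little history to baseline on; skip rather than guess
        mu = mean(base)
        threshold = max(mu + sigma * pstdev(base), min_ratio * mu)
        for (g, d), v in sorted(daily.items()):
            if g == entity and d > baseline_end and v > threshold:
                hits.append({"user": entity, "day": d, field: v, "threshold": round(threshold, 1)})
    return hits


def risk_scores(events, baseline_end):
    """Aggregate detection hits into a per-user score plus human-readable reasons."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for h in first_seen(events, baseline_end):
        scores[h["user"]] += RISK_WEIGHTS["first_seen_logon"]
        reasons[h["user"]].append(f"{h['day']}: first logon to {h['dest']}")
    for h in spike_detection(events, baseline_end):
        scores[h["user"]] += RISK_WEIGHTS["print_spike"]
        reasons[h["user"]].append(f"{h['day']}: printed {h['pages']:.0f} pages (threshold {h['threshold']})")
    return dict(scores), dict(reasons)


def top_offenders(events, baseline_end, n=5):
    """Rank users by risk score, highest first; ties broken by name for a stable report."""
    scores, reasons = risk_scores(events, baseline_end)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(user, score, reasons[user]) for user, score in ranked]


if __name__ == "__main__":
    for user, score, why in top_offenders(EVENTS, BASELINE_END):
        print(f"{user:<8} risk={score:<4} " + "; ".join(why))
```

Run stand-alone, the report ranks bob first (a print spike) and alice second (a first logon to a host outside her baseline), while carol, whose behavior did not change, does not appear at all. Two caveats carry over to any real deployment: a first-seen alert only says the pair is new relative to the baseline you chose, so a short or unrepresentative baseline produces noise rather than signal, and a standard-deviation threshold degenerates on constant baselines, which is why the floor ratio is there.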

“In today’s world, data is important. So, every successful organization is making data-driven decisions, and we have a lot of data in digital workspaces—cell phones, PCs, tablets, it’s all generating data, so why not look at it and based upon it, make decisions for your organization? Splunk lets you do that much better than anything else on the market.”

-Arsalan Malik, Splunk Consultant & Engineer at August Schell

Have you taken action to better protect your agency from ransomware? With each passing day, new strains are being developed and hardened, and there is no better time to be proactive. Don’t let a mass ransomware infection become your reason to act. Reach out to an August Schell cybersecurity expert, or call us at (301) 838-9470 today.