Detect Insider and Third Party Security Threats with BlackRidge App for Splunk

By Doug Johnson, Senior Director of Solution Engineering

Every day you hear that perimeter defenses are not effective in stopping attacks, and we know that flat internal networks do not provide sufficient isolation and protection from insider threats. In a Harris poll cited in the Vormetric 2015 Insider Threat Report, 89% of respondents felt that their organization was now more at risk from an insider attack, and 34% felt very or extremely vulnerable. This makes it a top operational priority for CISOs to improve their security operations center (SOC) so it can identify compromised or rogue insiders and third party vendors. The SIEM and analytics tools SOC analysts use need to give the IT team sufficient and timely information to remediate intrusions, and also to demonstrate security controls to auditors and for regulatory compliance.

Assuming your CISO’s priorities are also the SOC team’s concerns, a good chunk of security operations time and spend is now based on the assumption that you are or will be breached, and that you will need to run a lot of analytics to detect and then remediate incidents. Lucky for you, BlackRidge is working with Splunk® to give you tools today that help you prepare for that. BlackRidge and Splunk are in the initial stages of a partnership in which we are working together to advance early detection of incidents with attribution of user identity. So let’s explore how BlackRidge provides identity attribution to Splunk.

Why the BlackRidge App for Splunk
A good side effect of having BlackRidge identity-based network security in place is that it detects unauthorized access attempts at the earliest possible time: on the first packet of a TCP connection request, before a session is established. This identity attribution data is available as raw syslog messages for Splunk to ingest. It then needs to be processed so your security analysts and IT operations teams can quickly identify compromised or rogue users, handle exceptions, and respond to potential breaches. That is where the Splunk app comes in.

What the BlackRidge App for Splunk does
The BlackRidge TAC Gateway App runs on top of a Splunk Enterprise instance. All you have to do is configure the BlackRidge TAC solution to send its syslog messages to an input on that instance. The app uses Splunk’s indexing and search capabilities to present the syslog data through a predefined set of dashboards with ready-made graphs for the most common syslog messages from the BlackRidge TAC Gateway.

Based on our deep knowledge of BlackRidge log data we have programmed the Splunk app to highlight the key identity attribution events to enable you to:

  • Prioritize the top real-time network security events from BlackRidge raw messages, including unauthorized access events.
  • View a predefined set of dashboards that visualize the top 10 identity attribution events for the past day, week and month.
  • Generate real-time alerts, with identity attribution, for unauthorized connection attempts to protected resources.
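As an added illustration of the aggregation behind those dashboards and alerts (example code written for this page, not BlackRidge’s or Splunk’s own, and using a constructed, hypothetical syslog line format rather than the real TAC Gateway message format), the following Python script parses a handful of constructed log lines, ranks identities by denied connection attempts, and fires an alert when one identity trips a threshold inside a sliding time window. In the app itself this is a Splunk search over the indexed events; the script shows the same logic in plain code, including what to do with a malformed line.

```python
"""Rank and alert on unauthorized-access syslog events by identity.

Added example, not BlackRidge's or Splunk's code.  The syslog line format
used here is hypothetical and chosen for the example only; the real
BlackRidge TAC Gateway messages differ.  The aggregation mirrors what a
Splunk dashboard ("top 10 identities") and a saved search alert would do.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format, not real gateway output).
# One vendor identity hammers three SSH hosts in quick succession, then
# comes back half an hour later; one line is deliberately malformed.
SAMPLE_SYSLOG = """\
<134>2015-11-02T10:00:01Z gw1 tac: action=deny identity=unknown src=10.0.5.17 dst=10.0.9.4:443 reason=no_token
<134>2015-11-02T10:00:02Z gw1 tac: action=allow identity=alice src=10.0.5.20 dst=10.0.9.4:443
<134>2015-11-02T10:00:03Z gw1 tac: action=deny identity=vendor-acme src=172.16.4.9 dst=10.0.9.10:22 reason=not_authorized
<134>2015-11-02T10:00:04Z gw1 tac: action=deny identity=vendor-acme src=172.16.4.9 dst=10.0.9.11:22 reason=not_authorized
<134>2015-11-02T10:00:05Z gw1 tac: action=deny identity=vendor-acme src=172.16.4.9 dst=10.0.9.12:22 reason=not_authorized
<134>2015-11-02T10:00:06Z gw1 tac: action=deny identity=bob src=10.0.5.33 dst=10.0.9.4:3389 reason=not_authorized
<134>2015-11-02T10:30:00Z gw1 tac: action=deny identity=vendor-acme src=172.16.4.9 dst=10.0.9.13:22 reason=not_authorized
<134>2015-11-02T10:00:07Z gw1 tac: this line is malformed and must be skipped
"""

# <PRI>TIMESTAMP HOST tac: key=value key=value ...
LINE_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) tac: (?P<kv>.*)$")


def parse_line(line):
    """Parse one syslog line into a dict; return None for anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None  # not key=value: reject the whole line rather than guess
        key, value = token.split("=", 1)
        fields[key] = value
    if "action" not in fields or "identity" not in fields:
        return None
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = m.group("host")
    return fields


def parse_syslog(text):
    """Parse all lines, silently dropping the ones that do not fit the format."""
    events = [parse_line(line) for line in text.splitlines()]
    return [ev for ev in events if ev is not None]


def top_denied_identities(events, limit=10):
    """Top-N identities by denied attempts: the 'top 10' dashboard view."""
    counts = Counter(ev["identity"] for ev in events if ev["action"] == "deny")
    return counts.most_common(limit)


def alert_on_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Fire one alert when an identity's denied attempts reach `threshold`
    inside a sliding `window`.  Firing on exactly `threshold` means a burst
    alerts once; a later burst alerts again after the old entries age out."""
    alerts = []
    recent = defaultdict(list)  # identity -> timestamps of recent denies
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "deny":
            continue
        times = recent[ev["identity"]]
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:  # never empties: current ts stays
            times.pop(0)
        if len(times) == threshold:
            alerts.append({
                "identity": ev["identity"],
                "at": ev["ts"],
                "attempts": len(times),
                "src": ev.get("src"),
                "last_dst": ev.get("dst"),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print("parsed", len(evs), "events")
    for identity, n in top_denied_identities(evs):
        print(f"{n:4d}  {identity}")
    for a in alert_on_bursts(evs):
        print("ALERT", a)
```

The window is keyed on the identity rather than the source address on purpose: the identity is the attribution the gateway adds, and it survives a vendor moving between hosts. In a Splunk deployment the equivalent is a scheduled search with a time window and a count threshold, with the identity field as the grouping key.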

How to sell your CISO on this
Assuming that you have Splunk Enterprise in place, you can tell your boss that you are not only identifying unauthorized access, which helps to spot compromised or rogue users, but also giving the IT team the information it needs to handle exceptions. If that is not enough, there is also the ability to support audits and regulatory requirements for security controls by providing user identity information for compliance and forensic analysis.

Per Gorka Sadowski, Director of Global Strategic Alliances, Security Markets at Splunk: “The BlackRidge App for Splunk extends the Splunk Enterprise platform helping enable end-to-end security context across the entire organization. This in turn helps SecOps and SOC analysts when hunting for and linking events to compromised systems or rogue insiders and third party vendors.”

Where to get the Splunk App
BlackRidge TAC Gateway App for Splunk is generally available to Splunk customers at no extra charge, and can be downloaded from Splunkbase at:

What if we don’t have BlackRidge in place?
Then please contact us to learn more about our identity-based network security, which stops cyber-attacks and protects against insider threats before network sessions are established, while also producing the identity attribution records described above. As a long term strategy, deploying this level of protection lets you regain the upper hand by adopting new cyber defense technologies.