
SPLK-5001 Defenses, Data Sources, and SIEM Best Practices

Defenses, Data Sources, and SIEM Best Practices Detailed Explanation

1. Defenses (Security Controls)

Security defenses are the strategies, tools, and actions taken to protect information systems from attacks and other security risks.
They are organized into several types, based on their role in the security process.

Let’s explain each type clearly:

Preventive Controls

Preventive controls aim to stop security incidents before they happen.
They create barriers that make it hard for attackers to succeed.

Examples include:

  • Firewalls: Block unauthorized network traffic.

  • Antivirus Software: Detects and blocks malicious software before it can cause harm.

  • Strong Authentication: Requires strong passwords or multi-factor authentication (MFA) to prevent unauthorized access.

  • Network Segmentation: Divides the network into separate sections to limit the spread of an attack.

Summary:
Preventive controls are your first line of defense to avoid problems.

Detective Controls

Detective controls identify and alert when a security incident occurs or is attempted.
They do not stop the attack, but they help you notice it quickly.

Examples include:

  • Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activity.

  • Security Monitoring: Real-time monitoring of logs and network activities.

  • Log Analysis: Reviewing system logs to find signs of attacks.

Summary:
Detective controls are like alarm systems that tell you when something is wrong.

Corrective Controls

Corrective controls are actions taken after an incident to fix the problem and restore normal operations.

Examples include:

  • Restoring Backups: Recovering lost or corrupted data from backup copies.

  • Patching Vulnerabilities: Fixing security flaws after they are discovered.

  • Reimaging Infected Machines: Wiping and reinstalling systems to remove malware completely.

Summary:
Corrective controls repair the damage and help you recover after an attack.

Physical Controls

Physical controls protect the physical parts of information systems, such as computers, servers, and network devices.

Examples include:

  • Biometric Locks: Require fingerprints or retina scans for access.

  • Security Guards: Prevent unauthorized physical access to sensitive areas.

  • Surveillance Cameras: Monitor and record who accesses critical infrastructure.

Summary:
Physical controls stop people from physically touching or tampering with your systems.

Administrative Controls

Administrative controls are policies, procedures, and training that guide human behavior and organizational security practices.

Examples include:

  • Acceptable Use Policies: Rules about how employees should use company technology.

  • Security Awareness Training: Educating staff on how to recognize phishing emails and follow security practices.

  • Incident Response Plans: Detailed steps to follow when responding to a security incident.

Summary:
Administrative controls make sure people behave securely and respond correctly to threats.

2. Data Sources

In cybersecurity, especially when using a Security Information and Event Management (SIEM) system like Splunk, understanding your data sources is critical.

Different sources provide different types of visibility into potential threats.

Here are key data sources explained:

Firewall Logs

Firewall logs record information about network traffic that is allowed or denied by a firewall.

Why they are important:

  • Show attempts to connect from suspicious IP addresses.

  • Reveal blocked and allowed connections.

  • Help identify unauthorized access attempts.

Example:
Seeing many denied connection attempts from a foreign IP could signal a scanning attack.

Intrusion Detection/Prevention Systems (IDS/IPS)

These systems monitor network traffic and generate alerts when they detect:

  • Known attack patterns (signatures)

  • Unusual or suspicious activities (anomalies)

An IDS alerts when something suspicious is seen.
An IPS can additionally block the attack automatically.

Example:
An IDS detects repeated login failures and raises an alert for a possible brute-force attack.

Endpoint Logs

Endpoints are devices like laptops, desktops, and servers.

Endpoint logs record activities such as:

  • Login attempts

  • Application behavior

  • System errors

  • Malware detections

Why they are important:

  • Provide insight into user activities and system behavior.

  • Help detect compromised devices.

Example:
A server's logs show an unknown application running, indicating potential malware.

Authentication Logs

Authentication logs record successful and failed login attempts.

They are especially critical because:

  • Brute force attacks often involve many failed logins.

  • Account takeovers often follow strange login patterns.

Example:
Ten failed login attempts followed by a successful login from a strange location could mean a compromised account.

Web Server Logs

Web server logs capture details about HTTP requests and responses.

They help identify:

  • Web application attacks such as SQL Injection or Cross-Site Scripting (XSS).

  • Unexpected requests that could signal scanning or probing.

Example:
Seeing many requests with strange parameters might indicate an attempt to find vulnerabilities.

VPN and Remote Access Logs

These logs show who is connecting to the network remotely, when, and from where.

Why they are important:

  • Detect unauthorized or suspicious remote access.

  • Monitor access outside of normal hours or from unusual locations.

Example:
An employee account connecting from a country they are not traveling to could signal credential theft.

Cloud Platform Logs

These logs record activities inside cloud environments like:

  • AWS (Amazon Web Services) CloudTrail

  • Microsoft Azure Monitor

Cloud logs help monitor:

  • User activity

  • System changes

  • Data access

Example:
Logs show a new virtual machine being spun up without authorization, which could indicate an attacker creating a foothold.

Threat Intelligence Feeds

Threat intelligence feeds provide external information about known threats, including:

  • Malicious IP addresses

  • Blacklisted domains

  • Malware file hashes

Using this information, organizations can block or monitor known threats more effectively.

Example:
A threat feed alerts you that a known malicious IP tried to connect to your network.

3. SIEM Best Practices

SIEM (Security Information and Event Management) platforms like Splunk collect, normalize, analyze, and visualize data for security operations.
To use SIEM tools effectively, best practices should be followed.

Here are the key best practices explained:

Data Normalization

Different devices and applications produce logs in different formats.

Normalization means:

  • Converting all logs into a common format.

  • Allowing for easier searching, correlation, and analysis.

Example:
Standardizing fields like "source IP" or "destination IP" across logs from firewalls, servers, and cloud platforms.

Use Case Development

Use cases are specific security scenarios you want to detect.

Good use case development means:

  • Defining what you want to detect.

  • Creating specific detection rules.

Example:
Creating a rule to alert if an administrator account logs in outside normal business hours.

Prioritize High-Value Data Sources

Instead of collecting everything, focus first on data that provides the most security value.

High-value sources include:

  • Authentication logs

  • Firewall logs

  • IDS/IPS alerts

Prioritizing avoids wasting resources and helps catch important incidents faster.

Fine-Tuning Alerts

Not every alert matters equally.

Fine-tuning alerts means:

  • Reducing false positives (alerts raised on benign activity that does not need attention).

  • Adjusting thresholds and filters to catch real threats.

Example:
Instead of alerting on every failed login, only alert after ten failed attempts in five minutes.
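The following is an added example, not part of the original study material, showing how the two ideas above fit together: the Authentication Logs example (ten failures followed by a success from a strange location) and the Fine-Tuning Alerts example (alert only after ten failures in five minutes). It runs a sliding-window threshold over constructed sshd-style lines; the line format, the sample events and the per-user baseline of usual source addresses (KNOWN_SOURCES) are assumptions of the example, and in Splunk the same logic would be expressed as a correlation search rather than Python.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The syslog-like line format and
# the baseline of "usual" source addresses are assumptions of this example.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:05Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:11Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:18Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:24Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:31Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:37Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:44Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:50Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:00:57Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:01:03Z sshd: Failed password for alice from 203.0.113.10
2024-05-01T09:01:40Z sshd: Accepted password for alice from 203.0.113.10
2024-05-01T09:30:00Z sshd: Failed password for bob from 198.51.100.7
2024-05-01T09:45:00Z sshd: Accepted password for bob from 192.0.2.44
"""
# Constructed baseline: the source addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"192.0.2.44"}, "bob": {"192.0.2.44"}}

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Turn one raw line into a normalized event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "action": "failure" if outcome == "Failed" else "success",
        "user": user,
        "src": src,
    }


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Run two detections over the events in order and return the alerts raised.

    failed_login_burst: `threshold` failures for one user inside `window`.
    success_after_burst: a successful login from an unfamiliar source that
    follows such a burst (the "ten failures, then a success from a strange
    location" pattern).
    """
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, now = ev["user"], ev["time"]
        q = recent_failures[user]
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()
        if ev["action"] == "failure":
            q.append(now)
            if len(q) == threshold:  # alert once, when the threshold is first reached
                alerts.append({"rule": "failed_login_burst", "user": user,
                               "src": ev["src"], "time": now})
        else:
            if len(q) >= threshold and ev["src"] not in KNOWN_SOURCES.get(user, set()):
                alerts.append({"rule": "success_after_burst", "user": user,
                               "src": ev["src"], "time": now})
            q.clear()  # a successful login closes the failure streak


    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

With the default threshold the sample raises exactly two alerts, both for alice; bob's single failure stays below the threshold and his later success comes from a known source. Raising the threshold to eleven silences both, which is the tuning trade-off the section describes: a higher threshold removes noise but also removes the follow-on detection that depends on it.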

Security Content Management

Attack techniques evolve.

Keeping your SIEM content updated involves:

  • Adding new detection rules for new attack methods.

  • Retiring outdated rules.

  • Improving existing detection content based on lessons learned.

Retention and Compliance

Regulations may require storing logs for a specific amount of time.

Best practice:

  • Understand requirements like PCI DSS, HIPAA, GDPR.

  • Configure SIEM to retain logs accordingly.

Example:
PCI DSS requires storing logs for at least one year, with three months available immediately.

Automation

Automation helps respond faster to incidents.

Examples of SIEM automation:

  • Automatically isolating a machine showing signs of infection.

  • Blocking IP addresses linked to threats.

  • Notifying incident response teams instantly.

Automation reduces the time between detection and action.

Performance Optimization

To keep SIEM fast and efficient:

  • Index only important fields.

  • Avoid indexing unnecessary raw data.

  • Use summary indexing for repeated, high-volume reports.

Summary indexing saves time and resources by summarizing detailed logs into smaller, faster-to-search summaries.

Defenses, Data Sources, and SIEM Best Practices (Additional Content)

1. Deterrent Controls (Defenses)

Deterrent Controls are security measures intended not to prevent or detect attacks directly, but to discourage potential attackers from attempting malicious actions.

Key Characteristics:

  • Focus on influencing the behavior of would-be attackers by highlighting the risks or consequences of their actions.

  • Work primarily through psychological effects, increasing the perceived cost or difficulty of attacking.

  • Often rely on visible warnings or communications rather than technical enforcement.

Common Examples:

  • Legal warning banners displayed on login screens.

  • Publicly posted security policies indicating strict enforcement and penalties.

  • Notifications about monitoring and surveillance activities.

  • “Authorized personnel only” signage in restricted physical areas.

Purpose:

  • To create doubt or fear of detection, prosecution, or severe consequences among potential attackers.

Summary:
Deterrent Controls serve as visible reminders that security is actively enforced and that malicious activities will have serious consequences, thereby discouraging attacks before they happen.

2. Database Logs (Data Sources)

Database Logs are a critical but sometimes overlooked data source for cybersecurity monitoring and incident investigation.

Key Characteristics:

  • Capture detailed records of database activity, including:

    • Successful and failed login attempts.

    • SQL queries and commands executed.

    • Changes to database structures (such as new tables or modified permissions).

    • Data extraction activities (such as large-volume reads).

Why Database Logs Matter:

  • They help detect attempts to exploit database vulnerabilities, such as SQL Injection attacks.

  • They reveal unauthorized queries that could signal data theft or internal misuse.

  • They assist in reconstructing the scope of a data breach involving sensitive records.

Examples of Events to Monitor:

  • Unexpected queries accessing sensitive data.

  • High-volume data exfiltration activities.

  • Privilege escalation attempts inside the database.

Summary:
Database Logs provide critical visibility into database operations and are essential for detecting and investigating insider threats, injection attacks, and unauthorized data access.

3. Asset Context Enrichment (SIEM Best Practices)

Asset Context Enrichment refers to the practice of enhancing security event data with additional information about the assets involved.

Key Characteristics:

  • Goes beyond the raw technical details (such as IP addresses or hostnames) included in standard log events.

  • Associates critical business-related attributes with each asset, such as:

    • Department ownership.

    • Business criticality (e.g., finance server vs. development workstation).

    • Sensitivity level of the hosted data.

    • Asset location (geographical or network segment).

Benefits:

  • Helps analysts quickly assess the true impact and urgency of an alert.

  • Supports better alert prioritization by highlighting attacks on high-value or mission-critical systems.

  • Improves incident response efficiency by directing resources where they are needed most.

Common Implementation Techniques:

  • Integration with Configuration Management Databases (CMDB).

  • Use of asset management systems or lookup tables in the SIEM platform.

  • Automation of asset-tagging processes during log ingestion.

Example:

  • An alert involving unauthorized login attempts is treated more urgently if it targets a critical database server hosting sensitive customer data rather than a low-risk development machine.

Summary:
Asset Context Enrichment transforms raw security alerts into actionable intelligence by providing business context, enabling smarter prioritization and faster response.

Frequently Asked Questions

Why are authentication logs considered one of the most important data sources in SIEM environments?

Answer:

Because authentication events reveal access attempts and account activity across systems.

Explanation:

Authentication logs capture successful and failed login attempts, account lockouts, privilege escalations, and abnormal login locations. These events provide visibility into credential misuse, brute-force attacks, and compromised accounts. In Splunk Enterprise Security, many correlation searches depend on authentication data to detect suspicious behavior such as impossible travel, excessive failed logins, or privileged account abuse. Without authentication logs, analysts lose critical context needed to trace attacker movement and validate access anomalies during investigations.

Demand Score: 87

Exam Relevance Score: 86

What is the primary purpose of the Common Information Model (CIM) in Splunk?

Answer:

CIM standardizes field names and data structures across different data sources.

Explanation:

Security environments ingest logs from many technologies such as firewalls, operating systems, and endpoint tools. Each system uses different field formats and naming conventions. The Common Information Model provides normalized schemas that map these fields into consistent categories. This normalization enables correlation searches and dashboards to operate across diverse data sources without requiring custom logic for each log type. For example, multiple authentication sources can be mapped to a common “Authentication” data model with standardized fields such as user, src, and action.

Demand Score: 85

Exam Relevance Score: 88

Why are data models often accelerated in Splunk Enterprise Security?

Answer:

To improve query performance for large datasets.

Explanation:

Data model acceleration creates summarized data structures that allow Splunk to retrieve results faster than scanning raw logs. This is especially important for security analytics that require frequent searches across massive volumes of data. Accelerated models support commands such as tstats, which can query summary data efficiently. Without acceleration, correlation searches and dashboards may run slowly or consume excessive system resources. Acceleration therefore enables near-real-time detection capabilities while maintaining acceptable system performance.

Demand Score: 83

Exam Relevance Score: 86
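As an added example (not Splunk's implementation and not part of the original page), the block below models what both the Performance Optimization section's summary indexing and the data model acceleration answer above rely on: pre-aggregating raw events into a much smaller summary that answers the common question without rescanning every event. The events are constructed synthetic firewall-style records, the five-minute bucket size is an assumption, and the code also shows the caveat a practitioner cares about: a summary can only answer questions aligned to its bucket boundaries.

```python
from collections import Counter
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)  # summary granularity (assumption of this example)


def make_sample_events(n=120, start=datetime(2024, 5, 1, 10, 0, 0)):
    """Constructed firewall-style events, one every 10 seconds (not real data)."""
    sources = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]
    return [{"time": start + timedelta(seconds=10 * i),
             "src": sources[i % 3],
             "action": "blocked" if i % 4 == 0 else "allowed"}
            for i in range(n)]


def bucket_start(t):
    """Floor a timestamp to the start of the bucket that contains it."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = (t - midnight).total_seconds()
    return midnight + timedelta(seconds=secs - secs % BUCKET.total_seconds())


def build_summary(events):
    """The 'summary index': one row per (bucket, src, action) holding a count."""
    return Counter((bucket_start(e["time"]), e["src"], e["action"]) for e in events)


def count_raw(events, src, action, start, end):
    """Answer the question by scanning every raw event (the slow path)."""
    return sum(1 for e in events
               if e["src"] == src and e["action"] == action and start <= e["time"] < end)


def count_summary(summary, src, action, start, end):
    """Answer the same question from the summary rows (the fast path).

    Raises ValueError when the requested range does not line up with the
    bucket boundaries, because the summary cannot split a bucket.
    """
    if bucket_start(start) != start or bucket_start(end) != end:
        raise ValueError("range must be aligned to summary buckets")
    return sum(count for (bucket, s, a), count in summary.items()
               if s == src and a == action and start <= bucket < end)


if __name__ == "__main__":
    events = make_sample_events()
    summary = build_summary(events)
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    print(len(events), "raw events ->", len(summary), "summary rows")
    print(count_raw(events, "203.0.113.10", "blocked", t0, t0 + timedelta(minutes=10)),
          count_summary(summary, "203.0.113.10", "blocked", t0, t0 + timedelta(minutes=10)))
```

The 120 raw events collapse to 24 summary rows and both paths return the same count for a bucket-aligned window; the misaligned case raising an error is the reason summaries are built for recurring, well-defined reports rather than ad hoc questions.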

What role does the Asset and Identity framework play in Splunk Enterprise Security?

Answer:

It provides contextual information about users and devices involved in events.

Explanation:

The Asset and Identity framework enriches security events with metadata such as device criticality, system ownership, user roles, and department associations. When a correlation search triggers an alert, this context helps analysts determine the importance of the affected system or account. For example, activity involving a privileged administrator account or a critical server may require immediate investigation. By adding contextual intelligence, the framework improves prioritization and reduces investigation time.

Demand Score: 80

Exam Relevance Score: 83
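The following added example (not the Splunk Asset and Identity framework's own code and not from the original page) illustrates both the Asset Context Enrichment section and the answer above: the same alert type is scored differently depending on the criticality of the target asset and the role of the user involved. The inventory, identity table, weights and the multiplicative scoring formula are assumptions made for the example; the one design choice worth noting is that an asset missing from the inventory is scored at medium criticality and flagged, rather than silently treated as unimportant.

```python
# Constructed asset inventory and identity table, the kind of data a CMDB or
# SIEM lookup table would hold (not real systems or people).
ASSETS = {
    "db-prod-01": {"owner": "Finance", "criticality": "critical",
                   "sensitivity": "confidential", "segment": "datacenter"},
    "dev-ws-17":  {"owner": "Engineering", "criticality": "low",
                   "sensitivity": "internal", "segment": "office"},
}
IDENTITIES = {"alice": {"role": "domain_admin"}, "bob": {"role": "developer"}}

# Weights and the set of privileged roles are assumptions of this example.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PRIVILEGED_ROLES = {"domain_admin", "dba"}


def score(enriched):
    """Priority = rule severity x asset criticality x privilege factor."""
    sev = SEVERITY_WEIGHT[enriched["severity"]]
    # Unknown assets default to medium so a gap in the inventory cannot hide an alert.
    crit = CRITICALITY_WEIGHT[enriched.get("asset_criticality", "medium")]
    priv = 2 if enriched["user_role"] in PRIVILEGED_ROLES else 1
    return sev * crit * priv


def enrich(alert):
    """Attach asset and identity context to a raw alert and compute its priority."""
    asset = ASSETS.get(alert["dest"])
    identity = IDENTITIES.get(alert["user"])
    out = dict(alert)
    out["asset_known"] = asset is not None
    out.update({f"asset_{k}": v for k, v in (asset or {}).items()})
    out["user_role"] = identity["role"] if identity else "unknown"
    out["priority"] = score(out)
    return out


def triage(alerts):
    """Return the alerts enriched and ordered from most to least urgent."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["priority"], reverse=True)


# Constructed alerts: the same rule fired three times against different targets.
SAMPLE_ALERTS = [
    {"rule": "failed_login_burst", "severity": "medium", "user": "bob", "dest": "dev-ws-17"},
    {"rule": "failed_login_burst", "severity": "medium", "user": "alice", "dest": "db-prod-01"},
    {"rule": "failed_login_burst", "severity": "medium", "user": "bob", "dest": "unknown-host"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(e["priority"], e["dest"], e["user_role"], e.get("asset_owner", "?"))
```

Run on the sample, the burst against the finance database server handled by a domain admin comes out first, the alert against an inventory gap second, and the developer workstation last, which is the ordering the section's own example calls for.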

Why is normalization of log data considered a SIEM best practice?

Answer:

Because normalized data enables consistent analytics and cross-source correlation.

Explanation:

When logs follow standardized field formats, analysts can apply detection logic across multiple technologies without rewriting queries for each source. Normalization also simplifies dashboards, reporting, and automated investigations. In Splunk environments, normalization is commonly achieved through CIM mappings and field extractions. Without this process, SIEM rules may fail to recognize related events across systems, reducing detection coverage and increasing investigation complexity.

Demand Score: 82

Exam Relevance Score: 85
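The following added example (not Splunk's CIM add-on and not part of the original page) shows what the Data Normalization section, the CIM answer and the normalization answer above all describe: three sources in three formats are mapped onto one set of common field names (src, dest, user, action, mirroring the names the CIM answer cites), after which one question can be asked across all of them. The three raw records are constructed; the firewall key=value layout, the sshd line format and the CloudTrail-like shape of the cloud record are assumptions of the example, as are the action values, which loosely follow the allowed/blocked and success/failure conventions used for network and authentication data.

```python
import json
import re
from collections import Counter

# Constructed raw events from three sources, each in its native format (not real logs).
RAW_EVENTS = [
    ("firewall", "time=2024-05-01T10:00:00Z action=deny src=203.0.113.10 dst=10.0.0.5 dport=22"),
    ("linux_auth", "2024-05-01T10:00:02Z sshd: Failed password for alice from 203.0.113.10"),
    ("cloud_audit", json.dumps({"eventTime": "2024-05-01T10:00:04Z",
                                "eventName": "ConsoleLogin",
                                "sourceIPAddress": "203.0.113.10",
                                "userIdentity": {"userName": "alice"},
                                "responseElements": {"ConsoleLogin": "Failure"}})),
    ("firewall", "time=2024-05-01T10:00:06Z action=allow src=192.0.2.44 dst=10.0.0.5 dport=443"),
]

FW_KV_RE = re.compile(r"(\w+)=(\S+)")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def normalize_firewall(raw):
    """key=value firewall line -> common fields; deny/allow become blocked/allowed."""
    kv = dict(FW_KV_RE.findall(raw))
    return {"time": kv["time"], "src": kv["src"], "dest": kv["dst"], "user": None,
            "action": "blocked" if kv["action"] == "deny" else "allowed"}


def normalize_linux_auth(raw):
    """sshd text line -> common fields; returns None for lines that do not match."""
    m = AUTH_RE.match(raw.strip())
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"time": ts, "src": src, "dest": None, "user": user,
            "action": "failure" if outcome == "Failed" else "success"}


def normalize_cloud_audit(raw):
    """JSON cloud audit record (CloudTrail-like shape, assumed) -> common fields."""
    rec = json.loads(raw)
    outcome = rec.get("responseElements", {}).get("ConsoleLogin")
    return {"time": rec["eventTime"], "src": rec["sourceIPAddress"], "dest": None,
            "user": rec.get("userIdentity", {}).get("userName"),
            "action": "success" if outcome == "Success" else "failure"}


NORMALIZERS = {
    "firewall": normalize_firewall,
    "linux_auth": normalize_linux_auth,
    "cloud_audit": normalize_cloud_audit,
}


def normalize(raw_events):
    """Apply the per-source mapping and keep the sourcetype for provenance."""
    out = []
    for sourcetype, raw in raw_events:
        ev = NORMALIZERS[sourcetype](raw)
        if ev is not None:
            ev["sourcetype"] = sourcetype
            out.append(ev)
    return out


NEGATIVE_ACTIONS = {"blocked", "failure"}


def negative_events_by_src(events):
    """One cross-source question: which sources are being blocked or failing anywhere?"""
    return Counter(ev["src"] for ev in events if ev["action"] in NEGATIVE_ACTIONS)


if __name__ == "__main__":
    normalized = normalize(RAW_EVENTS)
    for ev in normalized:
        print(ev["sourcetype"], ev["src"], ev["user"], ev["action"])
    print(negative_events_by_src(normalized))
```

The payoff is the last function: one query written against src and action counts a firewall deny, a failed SSH login and a failed console login from the same address as three related events, with no per-source logic in the query itself.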
