Wisdom - Predicting Security Threats with Splunk: Getting to Know Splunk

You may have already heard of Big Data, but probably not in relation with IT Security: although Big Data is often associated with social media, actually it is much more than that; so lets recall some concepts regarding Big Data Analytics, before looking at their implementation in Splunk.

Conventionally, Big Data are characterized by the three Vs: Volumes,Velocity, and Variety.

• Volume of data (in terms of data storaging magnitude): the order of magnitude of data is usually considered starting from Petabytes to Zettabytes (and over). As more and more data are generated on a daily basis, Volume seems not to be a complete and appropriate criterion to tell Big Data apart from other normal data: as a matter of fact, as storage capabilities increase, along with their costs falling down, the Volume magnitude factor shifts constantly upwards;
• Velocity of data: is the speed at which data are generated or, on the other hand, the frequency at which data are delivered to organizations. As new hardware devices are put in place (sensors, cameras, rfid, even clickstream of web sites, etc), the stream of data at our disposal flows at higher rate then ever before, demanding for a real time approach in getting rid of informations hidden in data streams.
• Variety of data , has not only to do with different data sources, but also with their inherently unstructured format: it is controversial if data could be at all considered as unstructured as per their nature, or if it is instead the lacking of information about metadata that leads to unpredictable models.

Nevertheless, even when we try to analyze well known textual objects, such as emails (that are structured in compliance with RFC-2822, for example), we cannot be sure if they come in a predefined model or schema (for example, we cannot predict how long the email body field would be, or if a Subject field would be present or not, and so on).

The aforementioned characteristics may be summarized into a single concept: the need for scalability.

In fact, what really distinguish Big Data from Relational databases, for example, is that the latter dont scale very well when the magnitude of data increases exponentially, or when data streams produced by hardware appliances (over)flow in real time fashion, or data themself dont seem to comply with predefined and rigid schemas.

To work correctly, Relational databases need predefined data models with clearly defined fields in associated tables; in a very sense, Relational database conform to User driven data analytics, implying the so-called Early Structure Binding of data; in other words, the analyst needs to know in advance what kind of questions are to be answered by analyzing the data, so that the database design, including the schema and the structure of data, could be arranged in a predefined and appropriate format, in order for the questions to be answered correctly.

Instead, in a data driven context, such as Big Data Analytics, we let the data speak for themself: without imposing a predefined schema to data, we can freely rearrange their format at real time, reflecting the correlations (hidden insights) that may arise, letting the analyst focus the attention on appropriate variables, as their relevance becomes evident as the flow of data from different sources are merged together to form a whole new domain of research.

Chapter Three

Splunk Search

To start searching, you need to point your browser to Splunk Home, i.e. the interactive portal to apps and data accessible from the Splunk instance (please note that Splunk Web interface is at http://localhost:8000), as in Figure 2:

(Figure 2)

In the Apps panel, you will see workspaces for the apps that are installed on your Splunk server that you have permission to view. The workspace displays a menu of the views and objects in the app context. Select the App to open it or select a content page listed in the workspace to go directly to that view. (Please note also the Data panel, that you can use to add data to Splunk).