18 Questions about Splunk and Digital Guardian



Here are 18 great questions about our integration with Splunk (and other SIEMs), answered by Tony Themelis, VP of Product Strategy here at Digital Guardian. This Q&A was taken from our webinar, “How Splunk + Digital Guardian Protect Data from Advanced Threats.”

1. If a customer does not have Splunk, by just having Digital Guardian ATP, would it be possible to detect and manage within the DG console?

The answer is yes, it would be. The reason why many of our customers use Splunk is obviously so that they can take advantage of the richness of the infrastructure of the ability to interact with the data, the ability to consolidate data from many other platforms into things like the Enterprise Security App.

Follow-on question: What versions of Digital Guardian are required to use this Splunk App?

There is no real limitation. Essentially anything from a 6.2 Management console and upwards will export to Splunk.

2. What if you have a SIEM with Digital Guardian, will Digital Guardian provide the same information in invisible format as Splunk? And can this be integrated with other SIEM tools?

It can be integrated with other SIEM tools. We do have exports that go to QRadar, ArcSight, Nitro, other such SIEM tools. We are actually in the process of upgrading our own backend infrastructure. I would say right now that for customers that do use Splunk, it's a lot more flexible and a lot easier to use and more interactive to use. We actually spent a lot of time working on our Splunk App, just because we had a ton of customer demand for it. So we think it's Best in Class right now in terms of ability to analyze Digital Guardian Data.

3. Can other SIEMS like Sumo Logic be used in a similar manner to Splunk?

A syslog export, as long as that is supported by the SIEM, it's gonna be fine.

4. When you mentioned the tag in classification, how is it done? How does that work?

Let’s say, for example, you’re subject to PCI regulation. Then you'll write a policy that says, "If any file has greater than ten matches, for example, of a person name, a credit card number and a Social Security number, then tag that file." The system will scan all the files in your environment, and any file that matches those criteria will receive a tag on the file. So on Windows, and MAC and Linux, they're slightly differently implemented, but essentially it's the tag on Windows sits in the Ultimate Data Screen. On Linux and MAC, it's a shadow directory that holds all of the tags. Those tags move with the file. It's a very scalable and efficient mechanism, because once you've scanned a file once, that's it. You've tagged it. It's identified. You don't need to scan it over and over again unless the file changes. And the tag moves with the file wherever it goes, therefore, you can follow, tag files, wherever they move inside of your environment.

5. Is there ability to filter out how much data is sent to Splunk? Is the data being sent directly from the agent?

The data is sent from the agent via an aggregator, if you like. And the aggregator is our Management Console. At the aggregator level, we have an out of the box recommended set of information that goes to Splunk. Many of our customers may be cost-conscious and won’t want to just send everything. What you can do is you can filter it out, and there's no limit to the amount and dimensions of filtering that you can do to limit the amount of data that goes to Splunk. It's completely up to you.

6. Can you quarantine/isolate compromised hosts directly from Splunk?

Not as of today. You cannot do that.

7. Is there a list of pre-canned rules you provide with the app? How often do they get updated?

If you purchase Digital Guardian, you'll get the list of pre-canned rules that come with whatever product of the three that I was describing earlier you're buying. And then the Splunk is designed to receive the data that comes from your environment and the alerts and policy violations that are generated from those pre-canned rules. It's all an integrated system that you can either get out of the box and use, and at some point in time, if you want, you can tweak and modify.

8. Is Digital Guardian using any OCR technology to scan the content of image files, such as JPEG to determine if there's any sensitive information?

We do have a text extraction mechanism. Sometimes JPEG files actually have headers and footers and other bits of content, where the text can be extracted and it can be inspected. OCR, in and of itself we do not have. However, we do have some partners that can do OCR, if it's important.

9. How is Digital Guardian APT different from other ATP appliances or software products?

There are a few things that are different. The first thing is that we have an ability not only to detect based on a signature, so for example, a list of MP5 hashes, a list of known Command and Control IP addresses. We also have the capability to detect based on heuristics. For example, that PowerShell attack sequence, or the phishing attack. Or a new version of CryptoLocker that you see all of those file writes to executables. Those are all zero day type things. They're behaviors, and we have out of the box with our ATP policy offering, a long list of those that we continuously track and monitor. We also have a team that continuously updates that. So that's the first thing. The first thing is we can do both signature-based and heuristic detection. The second very, very important thing is that we can tell how many machines were compromised. We can also tell what data leakage there was on those compromised machines. So therefore, we allow our customers to be able to answer the question, "Okay, I was attacked. What is the risk? What is my exposure? Was it big? Was it small? Was it one machine? Was it one thousand machines?" The third thing that we can do is control. In other words, with the press of a button you can say, "Quarantine all infected machines. Prevent any sensitive data egress." So those are the three real important ones. And I think it's the core underlying technology, the root of which covers both DLP and ATP that allows us to differentiate ourselves.

10. How does Digital Guardian APT detect threats as a signature base or other method, and is it done by a virtualization kind of sandboxing?

It is not done by a virtualization sandboxing. But like I said we do integrate with those types of customers. In that example, a guy clicked on a Word document, downloaded it from Outlook, and launched that executable called peer.exe. As soon as you see that potential entry vector attack, we have a bi-directional link to sandbox company. You can actually send that indicator, if it isn't already in a known list to your sandbox for evaluation. It can then return a potential positive or negative that then can be consumed by our system. So in essence, you’re leveraging both. But in and of itself, we do not do sandboxing. We do signature and heuristics.

11. Regarding DLP, do you make detection via content, or the tag given to the content?

We make detection via content. For example, you're looking for HIPAA data. So you're looking for a dictionary of Procedure Codes and Diagnosis Codes or whatever it is, together with person names and addresses. We detect the information inside of a file, based on a pattern match that invokes the policy, we will write a tag on the file. That will from then on identify that file as being sensitive. And once that file is identified, as long as it’s not edited, we don't re-inspect the file, we just apply the policy based on the existing tag, based on an inspection that could have been done some time ago.

12. Does host isolation always require manual intervention or can it be automated via rules?

That's one of the big advantages that we have. It can be automated via rules. It does not require manual intervention.

13. Any direct alerting ability, for example, emails or SMS messages, or does it need to be done via Splunk?

No, there is direct alerting capability, for example, via email.

14. In most cases, we struggle with basic setup of a demo or trial. Can you guys or Splunk help with such setups?

Yes, we do help with such setups. We have a whole team dedicated to doing that. In fact, we make it really easy for you, because we can host all of the infrastructure in our managed services environment. Essentially we can spin up an infrastructure within a day or two, have you install our software and try it out for yourself.

15. How does the kernel agent work?

Essentially we load a kernel level driver on Windows, Linux and MAC machines. The kernel driver looks at what is called the Operating System Table. The system table shows all transactions that happen in the operating system. We can see all of those transactions, and we have the ability to prevent any from happening. If it's deemed by policy that they're against what should be allowed by the company.

16. Can Digital Guardian detect bots on firmware or systems that come with backdoors?

We have recently made an acquisition. The acquisition is an application whitelisting company. The name of the company is Savant, but it's now called Digital Guardian Application Whitelisting. And it is specifically purposed to answer exactly that question.

17. Can the kernel level driver be implemented through ETO?

The kernel level driver can be implemented through a distribution mechanism. There are many different distribution mechanisms that are available to do that.

18. When you mentioned the tag in classification, how is it done? How does that work?

Let’s say, for example, you’re subject to PCI regulation. Then you'll write a policy that says, "If any file has greater than ten matches, for example, of a person name, a credit card number and a Social Security number, then tag that file." The system will scan all the files in your environment, and any file that matches those criteria will receive a tag on the file. So on Windows, and MAC and Linux, they're slightly differently implemented, but essentially it's the tag on Windows sits in the Ultimate Data Screen. On Linux and MAC, it's a shadow directory that holds all of the tags. Those tags move with the file. It's a very scalable and efficient mechanism, because once you've scanned a file once, that's it. You've tagged it. It's identified. You don't need to scan it over and over again unless the file changes. And the tag moves with the file wherever it goes, therefore, you can follow, tag files, wherever they move inside of your environment.

Pete Tyrrell is the VP of Product Strategy here at Digital Guardian

Jean-Paul

Please post your comments here

Advanced Threat Protection - Building a Kill Chain Defense

Detect and stop targeted attacks with a data-centric approach that protects sensitive data regardless of the source of attack.

Download now

Related Articles
The Data Breach (Amazon) Bucket List

The leak of data on U.S. veterans this week is just the latest to be tied back to insecure cloud-based storage. What’s going on? Let’s take a look.

What Is Cloud Encryption?

Learn more about encryption’s role in cloud data protection.

Cloud Computing Security Benefits: Infosec Pros Reveal the Top Benefits of the Cloud

22 cloud security experts reveal top benefits cloud computing brings to information security teams today.