Today I attended VB-Trend 2018 Splunk conference organized by system integrator VolgaBlob.

Video fragments from the event:

Comparing to “Splunk Discovery Day“, the conference was much smaller (less than 100 people), focused on technical aspects, Information Security and informal communication. And I need to say that there really was a lot of talks with colleagues from different companies, not only about Splunk, but also about Vulnerability Management, Application Security and Container Security.

New features

The event started with the mention of new features in Splunk 7.2:

• Data storage in the Splunk Smart Store (“privacy leaves, the cloud comes”).
• Workload manager
• Log to Metrics
• Dark Theme

Some features were announced in Splunk Next and will be available as Apps or in Kernel:

• Data Stream Processor. It will be placed in front of the indexer and will drop unimportant data and keep the important data (including data obfuscation procedure). In the graphical interface, without scripts and crutches. It will make possible to work with a large stream of data and save money on license. Of course, “dropped” data can be saved somewhere.
• Data Fabric Search. Large Splunk installations use petabytes a day and hundreds of indexers. New dfsjob tool will increase the speed of searches on distributed infrastructure.
• Splunk Mobile. A new tool for building applications for smartphones and smartwatches. The only problem: data must pass through the Splunk Cloud Gateway. No one in the hall was ready to use such a scheme. But maybe it can be suitable for some BI data.
• VictorOps a chat for investigating incidents. Here again, it works through an external server.
• Splunk Business Flow. Diagrams that show data flows for business customers. The stages of the process are represented by the line thickness. Well, for me it was not really clear.
• Nice demo how you can scan NFC / QR / Barcode of a physical object and get the data for this object from Splunk.

Presentations

Guys from VolgaBlob told about their collection of applications Smart Monitor (something like Splunk Enterprise Security). Great apps! I especially liked their inventory module.

Then there was a presentation about Phantom SOAR orchestrator. Organizations, on average, have  30-50 security products, a lot of events, no centralized reaction, huge reaction lags and a great shortage of specialists. Phantom allows you to automate actions through playbooks. Although the same can be done with your own scripts through the API.

Quite an interesting presentation about Docker, Kubernetes (OpenShift, OKD and about  orchestration in general), and then about monitoring of such systems.

I am quite skeptical about the use of AI in information security (see “Post-SIEM black boxes“), but still I try to follow the topic. There was an interesting presentation how Yandex guys were detecting anomalies in access control system logs.

I liked the most the last presentation how Cronus Vulnerability Management solution was integrated into VlogaBlob Smart Monitor for Splunk. It was interesting to hear how they detect new assets and add descriptions for them. Also how they integrate the network map with the vulnerability scanner.

Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.