Using Splunk for Big Data and DDoS Analytics


In the event of a distributed denial of service (DDoS) attack or other cyberattack, it is important to have attack analysis, both during and after an attack. Unfortunately, despite the fact that many organizations have made significant investments in analytics tools and expert cybersecurity staff, they often have only minimal visibility into security events. In those situations, security analysts can only react to the threats after the damage has been done, and must sift through reams of unintelligible log data.

However, some technology and support solutions offer just the right kind of comprehensive analysis of DDoS attacks and other security incidents that enterprises, hosting and service providers need. Corero SecureWatch® Analytics is an example of such technology. It’s included with the purchase of SmartWall® TDS hardware, and it seamlessly integrates with a variety of Security Information and Event Management (SIEM) and Operational Intelligence solutions, such as Splunk. Corero’s DDoS Analytics App for Splunk Enterprise leverages Splunk software for big data analytics and visualization capabilities that transform security event data into sophisticated dashboards.

The advanced security data and dashboards are accessible via Corero SecureWatch® Analytics portal. Organizations can utilize this portal as a window into DDoS attacks and cyber threats targeting their Internet-facing services. For those who use Splunk, check out this blog post to learn how to use the stats command in Splunk to bend data at your will.

The Benefits of Real-Time Attack Analysis

During a DDoS attack it’s extremely useful to have granular security event data so that, in the event of an anomalous attack, network security managers can quickly adapt their DDoS mitigation efforts. DDoS hackers have become sophisticated in their attack strategies: they now typically use multi-vector attacks, and they automate their attacks, changing vectors on the fly. Often, volumetric attacks are used as a smoke screen to hide low-and-slow application layer attacks. Furthermore, cybercriminals sometimes leverage the power of one botnet to launch pulse-wave (also known as burst) attacks that alternate between two or more targets. In these situations, visibility into the attack in real time helps a Security Operations Center (SOC) counter it effectively with custom mitigations. Granular detection of traffic anomalies can guide configuration changes.

The Importance of Post-Attack Analysis

Comprehensive visibility into an organization’s network activity is essential not only to quickly combat DDoS threats, but also to enable compliance reporting and to archive security event data for security audits and forensic analysis of past threats. Organizations can learn from past attacks to uncover hidden patterns and identify emerging vulnerabilities within the massive streams of security event data. Without this level of visibility, it is impossible to determine how effectively an attack was mitigated, or whether any false positives caused collateral damage that would substantiate a service level agreement (SLA) claim.

When evaluating a DDoS mitigation solution, look for one that provides real-time and historical dashboard views that summarize network and security activity in the datacenter, including traffic anomalies, link utilization, packets per second rate, number of active flows, and flow setup rates. Users should be able to view these dashboards at a site-by-site level, or in an aggregate view that provides a consolidated “single-pane” security picture.
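As an added illustration of the two sections above (this is example code, not Corero's, Splunk's or the post's own), the Python below computes from constructed flow records the per-site metrics just listed (packets per second, link utilization, active flows, flow setup rate) and then shows why the site-by-site view matters: an aggregate single-pane total stays flat while a pulse-wave burst alternates between two sites. The site names, 1 Gbit/s link speed and burst threshold are assumptions.

```python
from collections import defaultdict
LINK_BPS = 1_000_000_000   # assumed 1 Gbit/s link per site
BURST_PPS = 50_000         # assumed per-site anomaly threshold

def constructed_records():
    """Constructed sample flows (second, site, flow_id, packets, bytes): steady
    baseline traffic at two sites plus a burst that alternates sites each second."""
    recs = []
    for sec in range(4):
        for site in ("dc-east", "dc-west"):
            for f in range(2):             # long-lived baseline flows
                recs.append((sec, site, f"{site}-base{f}", 100, 60_000))
        hot = "dc-east" if sec % 2 == 0 else "dc-west"
        for f in range(60):                # fresh, short-lived flow ids each second
            recs.append((sec, hot, f"{hot}-burst{sec}-{f}", 1_000, 64_000))
    return recs

def summarize(records, link_bps=LINK_BPS):
    """Per (site, second): pps, link utilisation, active flows, setup rate (first-seen flows)."""
    seen = defaultdict(set)
    buckets = defaultdict(lambda: {"pkts": 0, "bits": 0, "flows": set(), "new": 0})
    for sec, site, flow, pkts, nbytes in sorted(records):   # chronological order
        b = buckets[(site, sec)]
        b["pkts"] += pkts
        b["bits"] += nbytes * 8
        b["flows"].add(flow)
        if flow not in seen[site]:
            seen[site].add(flow)
            b["new"] += 1
    return {k: {"pps": b["pkts"], "util": b["bits"] / link_bps,
                "active_flows": len(b["flows"]), "setup_rate": b["new"]}
            for k, b in buckets.items()}

def aggregate_pps(summary):
    """Consolidated single-pane view: total packets per second across all sites."""
    total = defaultdict(int)
    for (_, sec), m in summary.items():
        total[sec] += m["pps"]
    return dict(total)

def hot_sites(summary, burst_pps=BURST_PPS):
    """For each second in order, the sites whose pps exceed the threshold."""
    secs = sorted({sec for _, sec in summary})
    return [tuple(sorted(site for (site, sec), m in summary.items()
                         if sec == s and m["pps"] > burst_pps)) for s in secs]

def is_pulse_wave(hot):
    """A burst is present every second, but the targeted site set keeps changing."""
    return all(hot) and any(a != b for a, b in zip(hot, hot[1:]))
```

On the constructed data `aggregate_pps` reports the same 60,400 pps every second, while `hot_sites` shows the burst hopping between dc-east and dc-west, which is what a site-level dashboard exposes and an aggregate one hides.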

For over a decade, Corero has been providing state-of-the-art, highly effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premises, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.