Splunk Brings SOAR to SIEM Platform
Splunk this week at its .conf18 conference deliver on a promise to integrate the security orchestration and automation response (SOAR) technology gained through its acquisition of Phantom with the security information event management (SIEM) platform it developed on top of its core operational analytics platform.
Other new capabilities added to the SIEM platform include support for event sequencing to optimize threat detection and accelerate investigations and a new Use Case Library to discover events ranging from adversary tactics to best practices for cloud security.
At the conference, Splunk also unfurled a Splunk Adaptive Operations Framework (AOF), a replacement for the Splunk Adaptive Response Initiative that is based on the API-framework developed for Splunk Phantom.
Finally, Splunk unveiled version 4.2 of Splunk User Behavior Analytics software, which enhances anomaly model scoring to improve threat detection, improves data ingestion performance and adds single-sign-on authentication support.
At the .conf18 conference this week Splunk outlined a 2020 plan through which it envisions connecting its SOAR platform to a broad range of third-party security and IT platforms.
Oliver Friedrichs, vice president of security automation and orchestration at Spunk, said the company’s security offerings now generate half of all Splunk revenues. The goal now is to extend the SIEM platform to include a framework for automating responses to incident management.
In general, Friedrichs credits Splunk’s success in security to the fact that its approach to indexing data enables the company’s security platform to generate schemas on reads. Most other SIEMs are based on databases that require a lot more data management expertise to manage.
Friedrichs said the challenge now will be convincing security professionals to reduce reliance on home-grown scripts in favor of a commercial SOAR platform. Because of a chronic shortage of cybersecurity professionals, he said, there’s a lot of pressure to automate, especially given the massive number of alerts that multiple security products and technologies generate every day. Most security breaches occur because it was simply too difficult for cybersecurity teams to identify a real threat. The SOAR capability being added by Splunk is designed to not only prioritize those alerts, but also escalate them based on how lethal a specific threat might be to the IT environment, he said.
Splunk is pursuing two paths to security automation. One path is to provide a set of low-code tools through which cybersecurity professionals can create a runbook. But organizations that have embraced more advanced DevSecOps processes can invoke an application programming interface (API) that Splunk has exposed, Friedrichs noted, adding that for now, however, the number of organizations that have successfully embraced DevSecOps is limited.
Splunk also will work to integrate its security offerings with the IT incident management software the company gained in its acquisition of VictorOps. Cybersecurity and IT operations teams have much in common in terms of how they manage processes, but each camp has developed their own tools and terminology over the years, Friedrich said. IT operations teams have been playing a bigger role in implementing cybersecurity polices, but Friedrichs doesn’t see those two worlds converging anytime soon. However, machine learning algorithms will be playing a much larger role in advancing cybersecurity automation, he believes.
It’s clear that how cybersecurity is managed today needs to change. Reliance on manual processes only plays into the hands of cybercriminals that increasingly rely on automation to launch their attacks. The issue now isn’t deciding whether to automate, but rather how best to go about it.
