DomainTools has integrated its cybersecurity threat investigation tools with the security information and event management (SIEM) platform from Splunk.
Corin Imai, senior security advisor for DomainTools, said that as more organizations employ Splunk as both a SIEM and an IT operations analytics platform they want to be able to launch the DomainTools App for Splunk that correlates threats against domain names, the individuals who control them and the infrastructure that supports them.
The goal is to reduce the time required to identify the severity of a potential threat based on either sources of malware that have been previously identified or domains that are in proximity to those domains, said Imai.
The DomainTools App for Splunk leverages the DomainTools Iris Enrich application programming interface (API) and a PhishEye API for Splunk to enable cybersecurity teams to apply tags to domains, attach risk scores to domains using machine learning algorithms before they become weaponized, and track Whois, IP, active DNS, website and secure sockets layer (SSL) data to surface evidence of malicious activity.
DomainTools App for Splunk, Imai said, will make it easier for IT operations teams investigating an incident to launch high-volume queries against the log records captured by Splunk against known domain sources of malware.
Imai said cybersecurity teams can also monitor and tag newly registered domains, which are often the source of phishing attacks.
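The correlation workflow described above, as an added illustration that is not DomainTools' or Splunk's code: constructed DNS query log lines are parsed, each queried domain is looked up in a stand-in enrichment table (hypothetical risk scores and creation dates standing in for what an enrichment API would return), and domains are tagged as high risk or newly registered so they rise to the top of an analyst's queue. The log layout, the enrichment table, the analysis date and the thresholds are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed stand-in for domain enrichment (hypothetical values, not
# DomainTools data): registrable domain -> (risk score 0-100, creation date).
ENRICHMENT = {
    "example-bank-login.test": (92, date(2024, 5, 1)),
    "example.com": (5, date(2010, 3, 15)),
    "example.org": (12, date(2015, 8, 2)),
}
# Constructed DNS query log lines in a Splunk-style key=value layout.
SAMPLE_LOGS = """\
2024-05-03T10:01:12Z src=10.0.0.5 query=www.example-bank-login.test qtype=A
2024-05-03T10:01:15Z src=10.0.0.5 query=cdn.example.com qtype=A
2024-05-03T10:02:40Z src=10.0.0.9 query=updates.example.org qtype=AAAA
2024-05-03T10:03:01Z src=10.0.0.9 query=mail.unknown-host.test qtype=MX
"""
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<query>\S+)")
TODAY = date(2024, 5, 3)  # constructed analysis date used for domain age

def registrable_domain(fqdn):
    """Reduce a hostname to its last two labels (assumes no multi-label TLDs)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def enrich(domain, today, risk_threshold=70, new_domain_days=30):
    """Tag a domain from its enrichment record: high risk, newly registered, or unknown."""
    info = ENRICHMENT.get(domain)
    if info is None:
        return {"domain": domain, "risk": None, "age_days": None, "tags": ["no_enrichment"]}
    risk, created = info
    age = (today - created).days
    tags = []
    if risk >= risk_threshold:
        tags.append("high_risk")
    if age < new_domain_days:
        tags.append("newly_registered")
    return {"domain": domain, "risk": risk, "age_days": age, "tags": tags}

def triage(log_text, today, **thresholds):
    """Parse the log, enrich each queried domain once, and rank findings by risk."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not DNS query records
        dom = registrable_domain(m.group("query"))
        if dom not in seen:
            seen[dom] = {**enrich(dom, today, **thresholds), "sources": set()}
        seen[dom]["sources"].add(m.group("src"))
    return sorted(seen.values(), key=lambda f: (f["risk"] is not None, f["risk"] or 0), reverse=True)
```

Domains without an enrichment record are kept and tagged `no_enrichment` rather than dropped, since a lookup miss is itself worth an analyst's attention.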
The goal is to reduce the amount of time it takes for cybersecurity teams to investigate an incident, said Imai. As the volume and sophistication of attacks continues to increase, cybersecurity teams that are chronically understaffed need to be able to identify and block the sources of threat as quickly as possible. More challenging still, the rate at which cybercriminals can switch domains to launch attacks appears to be accelerating as they employ a wider range of deception techniques to acquire credentials from unsuspecting end users. In effect, cybersecurity teams are now playing a game of spy versus spy to not only investigate attacks, but also anticipate from where the next one might be launched.
It’s not clear to what degree tools from DomainTools and Splunk will be able to mitigate attacks before they are launched. However, if the alternative is to wait for attacks to be launched before trying to mitigate them, the amount of damage likely to be inflicted will only increase. Cybersecurity teams need tools that help mitigate threats at their source instead of after malware has been deposited on their system. Of course, there’s no such thing as perfect security, so the next priority becomes hunting for malware on systems before it becomes activated. Between those two activities, it then becomes feasible to reduce the number of attacks to a somewhat manageable number.
Given the chronic shortage of cybersecurity expertise, it’s unlikely organizations will be able to throw bodies at threat mitigation activities anytime soon. The only alternative is to arm cybersecurity teams with a combination of tools that enables each one of them to do a whole lot more without them burning out.