3 Steps to Improve Your AppSec Using ThreatX and Splunk Phantom

Splunk Integration Blog_7-15-2020 (1)

Modern AppSec and security teams face enormous challenges of scale when it comes to their daily workload. Organizations need to secure more applications and APIs than ever before, and those apps and APIs are under constant attack from increasingly sophisticated methods. Security staff has to parse and analyze an avalanche of alerts and data to stay ahead of bad actors and continuously improve the security posture of their organization. Collectively, this is a perfect storm that can put even the best security teams under intense strain.

That strain is starting to show! A recent survey found that 83% of cybersecurity works felt overworked, and 82% of their teams were understaffed. And with the shortfall in cybersecurity talent expected to hit 3.5 million in 2021, we as an industry aren’t going to solve this problem by throwing people at it.

The combination of ThreatX and leading Security Orchestration and Automation (SOAR) tools such as Splunk Phantom gives AppSec teams the force-multiplier they need to vastly improve their security posture while also reducing their operational workload.

We’ve teamed up with Splunk to break it down for you:

Step 1:
Better Security and Reduced Sprawl with ThreatX

As the security landscape has evolved, many organizations have acquired a wide variety of specialized security tools that require their own configuration and maintenance and generate their own alerts and logs. Even many supposedly integrated solutions rely on multiple independent modules that behave like separate products. This increases the management overhead on staff and creates the tedious problem of correlating and analyzing logs and alerts from multiple sources of truth, all to get a complete view of risk. 

ThreatX brings an Easy Button to this problem. Our WAAP++ platform is a truly unified approach to AppSec that covers all types of threats. Instead of separate solutions for WAF, behavioral analysis, anti-bot protection, DDoS mitigation, and API protection, ThreatX provides a single platform. Just as importantly, ThreatX brings together a wide variety of analytical and detection techniques to deliver a continuously updated view of risk. This means that application profiling, attacker profiling, fingerprinting, active interrogation, and deception techniques all work as a unified detection engine. We track suspicious and malicious activity in real-time and deliver a single verdict on a potential threat, resulting in fewer tools to manage. With ThreatX, the endless monotony of manually correlating alerts can finally become a lost art!

Step 2:
Enriched Intelligence with ThreatX and Splunk Phantom

Information within ThreatX can also be invaluable for use in investigation and response workflows. Through our integration with Splunk Phantom, security analysts and staff can automatically leverage the unique intelligence and context in the ThreatX platform.

For example, ThreatX discovers and maintains extensive information on each entity that interacts with a protected application, including a variety of low-level traits and behaviors that uniquely identify the entity. Using the Splunk integration, this entity profile can be shared with other systems to inform both defensive and forensic actions. The ThreatX/Splunk Phantom integration delivers a unified, up-to-date view of an entity’s total risk to the organization. And this can all be integrated into custom or pre-built investigation playbooks for malware, command-and-control, ransomware, and more.

Step 3:
Automatically Adapt and Defend with ThreatX and Splunk Phantom

In addition to investigations, security teams can use the combination of ThreatX and Splunk Phantom to take automated and proactive action when threats are detected. ThreatX provides the inherent ability to take action against hosts. The Splunk Phantom integration allows security teams to extend ThreatX enforcement decisions to other tools in their defense arsenal.

For example, the integration can allow any system such as a network firewall to block or unblock an IP address based on information from ThreatX. Likewise, specific hosts can be dynamically added to blacklists or whitelists. These designations can also be triggered to adapt based on ThreatX’s internal risk score. This means that as risk rises for a particular entity, it can be blocked, and it can likewise be automatically unblocked once the threat has passed. This saves staff the often-manual work of cleaning up after a blocking incident.

Two great products, three easy steps, one massively improved security posture!

What I covered above represents some of the most common examples of how security teams automate and integrate via ThreatX and Splunk Phantom. The advantage for organizations is two-fold:

  • a unified view of risk, and
  • an overall better security posture!

If you’d like to learn more about ThreatX and our integration with Splunk Phantom, schedule a ThreatX demo and let us know you how it works.

*** This is a Security Bloggers Network syndicated blog from ThreatX Blog authored by Tom Hickman. Read the original post at: