Today's rapidly expanding digital landscape brings organizations new security challenges. So, security teams play whack-a-mole trying to protect the expanding attack surface bombarded by incessant cyberattacks and undermined by multiplying vulnerabilities. Prove it, you say? Here are some cold, hard stats. The global Splunk State of Security 2023 survey reported that 53% of respondents felt it was harder to keep up with security requirements than two years prior. Research by Check Point uncovered that companies faced 38% more attacks in 2022 than in 2021, with a whopping 1,168 weekly attacks per organization, on average, in Q4 of 2022. The NIST National Vulnerability Database had 2,061 critical vulnerabilities and exposures (CVE) listed for April 2022 and 2,363 for April 2023, a 14.7% increase year over year.
Even though the prevalence of cyberattacks and vulnerabilities is a reality that security teams must live with, they can control how they deal with it. Splunk has been on a mission to help security teams address threats more efficiently and rapidly by improving security operations and analytics.
To boost efficiency of security operations, Splunk delivered, earlier this year, a unified security operations solution that eliminates swivel-chair security management. Splunk Mission Control allows security teams to automate workflows with Splunk SOAR and effectively manage the security incident lifecycle from a single console. Splunk has also been collaborating with its strategic vulnerability management partner, Tenable, to incorporate exposure management into the Splunk unified security operations experience, so vulnerability data can be immediately accessible and actionable for security analysts within Splunk.
To improve security teams’ analytics prowess, Splunk brings all security-relevant data and powerful security analytics capabilities at the analysts’ fingertips. This approach has brought Splunk industry recognition, with leading analyst firms Gartner, Forrester and IDC designating Splunk a leader in SIEM. Vulnerability intelligence is critical to providing analysts with the additional context they need to triage alerts and take the right response action. So, Tenable and Splunk built an integration that combines security logs, behavioral data and threat intelligence from Splunk with cyber exposure insights—data on assets, vulnerabilities, misconfigurations and unpatched components—from Tenable.
The integration is enabled by the Tenable Add-on and the Tenable App for Splunk, both available on Splunkbase. The Tenable Add-on for Splunk facilitates data ingestion from multiple Tenable sources, including Tenable.io, Tenable.sc Vulnerability and Tenable.sc Mobile into Splunk. The Tenable App for Splunk provides ready-to-use essential dashboards, visualizations, and reports based on pre-built, customizable correlation searches covering vulnerability and Nessus Network Monitoring (NNM) data.
With all the Tenable information normalized and ready to search in Splunk, analysts can parse the vulnerability data using Splunk queries. For example, all it would take to search in Splunk for open critical vulnerabilities in an environment is running a simple SPL query: index=* sourcetype=”tenable:sc:vuln” severity=critical state=open.
Analysts can also cross-correlate exposure data with other security-relevant information to help contextualize and prioritize security events for incident investigation and remediation. For example, when investigating a suspicious security event detected by Splunk and involving a particular host, the analyst would want to get vulnerability scan data for that host to see if it has any unpatched high-severity vulnerabilities and, if it does, whether they have been targeted. If the host was not scanned recently, the analyst could request through Splunk Enterprise Security’s Adaptive Response Actions a Tenable scan directly from the Splunk investigation console.
If the security team wanted to take vulnerability insights into account when assessing the organization’s cyber risk, they could use asset or host exposure status derived from Tenable data as a factor contributing to the risk score (Risk Modifier) in Splunk Enterprise Security’s Risk-Based Alerting. This way, presence of an unpatched critical vulnerability in a host would substantially increase the overall risk score, and events and alerts involving the host would be prioritized higher.
The Splunk and Tenable integration delivers security teams the following benefits:
- Complete visibility and ability to respond faster. The integrated solution provides comprehensive visibility into assets, vulnerabilities and security events, so security teams can detect and prioritize threats accurately and respond swiftly.
- Broader security context. The integration enriches security context with IT and OT exposure data for accurate risk assessment and effective incident investigation.
- Predictive prioritization. With Splunk and Tenable, organizations can prioritize incident investigation and response based on business risk. Predictive prioritization enables security teams to focus their efforts on vulnerabilities most likely to be exploited, thereby optimizing SecOps resource utilization and increasing efficiency.
- Streamlined workflows. Seamless collaboration between Splunk and Tenable solutions allows security teams to leverage adaptive response actions, request vulnerability scans, and access vulnerability-related context directly within the Splunk investigation console.
- Faster time-to-value. The proven, ready-to-use integration between Splunk and Tenable helps security teams simplify the implementation process, minimize integration costs and accelerate time to value.
Faced with expanding digital footprints and a growing number of attacks and vulnerabilities to deal with, security teams must improve the effectiveness and efficiency of security operations. The integration between Splunk and Tenable broadens the scope of capabilities accessible to analysts as part of the Splunk unified security operations experience. It also allows organizations to reduce cyber risk by detecting and addressing most critical threats prioritized by business risk based on event, behavioral and threat intelligence data from Splunk enriched and correlated with vulnerability insights provided by Tenable.