By Splunk March 01, 2016
As we kick off this year’s RSA conference, we are very excited to announce the Adaptive Response Initiative, which brings together the best technologies across the security industry to help organizations combat advanced attacks. Splunk is proud to be leading this initiative, with other founding participants comprised of industry leaders from several security categories: Carbon Black, CyberArk, Fortinet, Palo Alto Networks, Phantom, Tanium, ThreatConnect and Ziften. All of these companies will be demonstrating their adaptive response bi-directional integration with Splunk at RSA.
The Initiative aligns best-of-breed vendors – across different security areas – who recognize the importance of helping customers get the most out of collective security intelligence.
“Designing an Adaptive Security Architecture for Protection from Advanced Attacks” Neil MacDonald and Peter Firstbrook, Gartner. Published 12 Feb 2014. Refreshed 28 Jan 2016
What is collective security intelligence?
Most modern security architectures have network controls, endpoint solutions, identity and access management, threat intelligence, and so on — all functionally different solutions for each security domain doing their role extremely well. They play a very specific role in a layered architecture; each generating machine data about what they are seeing – generating specific security intelligence. These individual layers often require people to “bridge” security domains and then get additional information/evidence/context and then bring everything together – to provide collective intelligence.
Defending against modern attacks requires end-to-end visibility and analysis of data – not just from security devices but machine data from anywhere and everywhere in the organization. Historically, traditional SIEM’s ability to meet this requirement was limited due to the underlying architecture, consisting of fixed schema data stores and other rigid aspects. So in that regard, traditional SIEMs fell short due to their lack of flexibility.
It turns out that the biggest problem – that is, the problem that takes up the most time and is most costly to SecOps teams, is making good decisions quickly, and taking effective actions quickly. This may sound generalized, so I’ll put it another way:
- “good decisions” only happen if you have “adequate verification based on enough information”
- “effective actions” mean you are making “the right adjustments in a timely manner”
When working across multiple security domains, verification and adjustments get complex. Verification means many steps – identification, scoping, and root cause analysis. Adjustments also means many steps – containment and mitigation, possibly observation and characterization of the threat, before implementing a more permanent policy change to adjust security posture. In any case, complexity is a killer when it comes to SOC efficiency:
It also happens that verification and adjustment are the most time-consuming, taking up between 72% of the overall time to respond to an incident.
Which brings us full circle.
Security teams are the ones with the “collective security intelligence” needed to disrupt attacks and substantially increase the cost to the threat actors attempting to breach organizations today.
Splunk’s success is centered around customer success and production deployments –Customers made it clear that Splunk was the ideal solution for solving the “all data is security relevant” problem by ingesting any and all machine data they could find into Splunk.
These same customers, are the same ones who are driving the Adaptive Response Initiative. These customers are utilizing logical extension of capabilities within Splunk security solutions to also include bi-directional communication back out to the security domains to gather more data, take a range of actions and share information. They are asking us to work with alliance partners to develop an open, extensible multi-vendor framework that anyone can take advantage of – these capabilities include actions such as retrieve detailed traffic analysis within a specific subnet when an incident requires deeper analysis; Or as a result of suspected endpoint infection, gather endpoint memory dump and if the infection is confirmed, take action such as terminate a process or if the infection is associated with a physical media like a USB device, the action could be to eject the USB device. The possibilities are endless; customers are already demonstrating through their demand for the Initiative’s collective effort and alliance partners are working with us to solve these incredible important customer problems.
We are honored to be leading the Initiative and proud to have our founding participants join us to fulfill this very important market need. Come visit us and our partners at RSA 2016 to see Splunk as a security nerve center come to life on the show floor.
Haiyan Song
SVP of Security Markets, Splunk
----------------------------------------------------
Thanks!
Haiyan Song