Adversaries continue to use a wide range of technologies, techniques and procedures to compromise and access sensitive data. In addition to preventative solutions, it is common to see security operations teams adopt advanced detection, incident response solutions, threat intelligence, orchestration and automation to scale investigations, accelerate response and remediate advanced threats.
Today, we are pleased to share that Aflac, a Fortune 500 company providing financial protection to more than 50 million people worldwide, has deployed Splunk Enterprise Security at the heart of its internal Threat Intelligence System (TIS). With Splunk® Enterprise Security (Splunk ES), augmented by Splunk User Behavior Analytics (Splunk UBA), Aflac has embraced the analytics-driven approach to security. It is always rewarding when the customer refers to value realized as "through the roof."
Automated Threat Hunting and Security Analytics
Like all enterprises, Aflac has been fighting the onslaught of targeted attacks, malware infections and spear phishing, and was looking to accelerate identification of malicious insiders and attacks. Splunk was chosen to help with automatic threat intelligence gathering and information sharing between toolsets. Splunk was initially used for operationalizing threat intelligence to implement an automated threat hunting and threat management platform.
Figure 1: Splunk Enterprise Security “Threat Activity” Dashboard
Aflac subscribes to several threat intelligence services, and this use case was a perfect fit for Splunk ES, with its built-in threat intelligence framework and its ability to automate and report on threat activity. Splunk quickly became Aflac’s core threat analytics platform and provided the ability to visualize and correlate threat data with critical endpoint security data. Splunk ES is used to automate and orchestrate more than 20 unique data sources within its Security Operations Center (SOC).
Identifying Insider Threats, Replacing Legacy SIEM and Anti-Fraud
Soon after automating threat hunting, Aflac realized the power of Splunk Enterprise Security as a security analytics platform and started using it for additional use cases such as incident response, anti-fraud and more.
Aflac’s existing legacy SIEM was replaced by Splunk Enterprise Security and is used to determine risk ranking for automated remediation.
Figure 2: Splunk Enterprise Security “UBA Anomalies” Dashboard
Aflac uses Splunk UBA to identify internal threats, and recently started using Splunk for fraud and compliance use cases.
Aflac initially started using Splunk UBA to find unknowns in a sea of data. Splunk UBA baselined the users and ranked each user based on that user’s activity. The insider risk and external risk scores calculated by Splunk UBA were used by Aflac for internal reporting.
By using charts and trends that include users’ login activity across servers, data movement by device/domain, event types, and IP addresses used, Aflac was able to accelerate investigations.
Zero to operational in weeks with value “Through the Roof”
Even though only two security staffers with no prior Splunk experience were involved with the project, it took them just a few weeks to ramp up and start implementing the solution. Aflac went from having zero visibility into threats to building a rich and sophisticated platform with the ability to automate threat hunting in weeks.
Within a six-month period in 2016, the Aflac security team blocked more than 2 million connections, with fewer than 12 false positives.
Within two months, Aflac went from manual editing of spreadsheets to automating 90% of security metrics, saving approximately 30 hours/month. Now that time is spent on strategic planning as opposed to mundane tasks and busy work. Aflac is now proactive about security defense and strategic planning, and continues to streamline global projects.
If you are not familiar with Splunk Enterprise Security, use the free 7-day Splunk Enterprise Security sandbox to get started.
Contact us to find out how customers are already reducing investigation and remediation times by automating decisions or by using human-assisted decisions.