Speeding Incident Response Across the Security Ecosystem

Hey, Splunk fans! Can you believe it’s already time for RSA Conference 2018?

Our momentum with Adaptive Response continues to bloom, and today I’m delighted to announce that 55 technology partners have engaged with us to support Adaptive Response in the name of delivering greater value to security organizations. Newcomers include: Accenture, Awake Security, Cofense, Cybersponse, Datiphy, Graphistry, LogicHub, Netskope, Pinn, SANS, SentinelOne, Shodan, Syncurity, tCell, Tenable, Valimail, VMRay and Zscaler.

We established the Adaptive Response initiative two years ago with the goal of helping customers get a single, end-to-end view across their security technology stack—regardless of the tools and vendors they’ve selected—to more easily make informed decisions and respond. As organizations become more comfortable with automating and orchestrating certain parts of the security investigation and remediation cycle, Adaptive Response provides the ability to take specific actions in response to incident investigation or mitigation activities.

As you may know, Splunk recently acquired Phantom. Not only will this help customers work smarter and manage their organizational risks better by fully embracing an analytics-driven approach to security, but they’ll also be able to use Splunk and Phantom to help automate their SOC (Security Operations Center) for accelerated incident response. Together, we will help customers improve the efficiency of their security operations and address an industry-wide skill shortage for cybersecurity. Essentially, we’ll help SOCs run smarter and faster than ever before.

That said, we can only bring the nerve center to life when we have great partners with whom we can innovate to deliver this integration and these bi-directional capabilities, allowing our customers to take action and thereby getting closer to responding at machine speed. So if you’ve selected a different orchestration vendor, worry not—we’ll continue to support an open ecosystem of partners, all in the name of helping security practitioners speed response and mitigate risk.

Here’s how we think about these automation and orchestration capabilities:

  1. Orchestration is needed to automate manual tasks, on both the investigation and the response side
  2. Adaptive Response meets the need for security automation and is focused on single-step actions
  3. Security orchestration is the machine-based execution of interdependent security actions across multiple technologies and integrations
  4. Phantom AR Actions serve as a gateway to execute Phantom playbooks

There simply isn’t enough time or talent to tackle all of the security incidents in most organizations. As such, we will continue to support our broad ecosystem.

Announcing new actions is exciting for us as it gives our customers ideas on how to automate certain activities or actions across their multi-vendor environment. Here’s a sampling of a few of our partners whose actions showcase creative use of AR within their respective domains:

Cofense (formerly PhishMe) Intelligence AR action queries the Cofense Intelligence API for indicators of phishing and returns results on human-verified phishing domains, URLs, IPs and hashes.

Netskope’s AR actions enable the analyst to pivot from discovery in the Splunk Enterprise Security dashboard to customized policy enforcement in the Netskope Cloud Security platform.

Pinn AuthX’s AR integration provides IT admins with greater visibility into identity across their networks and the ability to audit suspicious authentication requests.

tCell’s AR action allows customers to incorporate threat intelligence and create flexible blocking rules for automatic blocking against attacks.

Valimail’s AR action can mitigate the threat posed by fraudsters and criminals impersonating your domains. By alerting on these primary vectors of cyberattack, Valimail’s Adaptive Response action provides an early risk indicator directly back into Splunk.

VMRay’s AR action allows end users to submit URLs from Splunk to VMRay Analyzer, which dynamically analyzes the file or website behind the URL.

Lastly, we at Splunk believe we are only as successful as our customers. Aflac used Adaptive Response to build custom threat incident responses to the rapidly increasing security threats targeting its network of 15,000 worldwide employees.

“Since implementing Splunk ES as the brain in our security nerve center, we have found Splunk to be the right solution to quickly and effectively create and implement security analytics across a wide array of data sources and security use cases.” – Senior Vice President, Chief Global Security Officer, Aflac

Aflac chose Splunk ES to be the analytics nerve center within its solution due to Splunk’s ability to consume large amounts of disparate threat data and turn it into action.

With that in mind, we are delighted to announce a brand new Adaptive Response Actions Showcase app for Splunk designed to enhance the customer experience. The app will be available on Splunkbase this week. Key features include:

  1. Catalogue of the latest Ecosystem AR Actions
  2. Easy search capabilities by Use Case and Security Domain
  3. Per-action documentation
  4. Links to artifacts on Splunkbase and other repositories
  5. Content auto-update

To learn more about Adaptive Response or other ways to get involved in our ecosystem, please visit us on the RSA show floor (#N3409), participate in our AR passport program or attend our in-booth speaking session (Wednesday, April 18 at 10:30am).

Thanks, as always, for your continued investment in Splunk and have a great show!
