What was once the thing of spy movies and industrial espionage news headlines is now, sadly, a common occurrence for public organizations and private enterprises around the globe. Insiders… employees, consultants, partners… have emerged as one of the most immediate and serious threats facing IT and cyber security teams and practitioners today.
It is not however because every insider has turned malicious. To the contrary, employees are more in-tune with cyber security, privacy and information protection than ever before. The vast majority understand their role in protecting their organizations information and why it is important to their employer and for themselves to be vigilant and take an active role as a ‘human firewall.’
Unfortunately, what were positive gains has seen a regression in the last 18 months due in large part to the sudden shift to remote work, anxiety about job security and furloughs, and, more recently, a massive trend in career professionals proactively changing jobs in what has become an incredibly ‘hot’ job market termed the ‘Great Resignation’ Migration.
The decentralization of the modern enterprise — and the digital empowerment of the insider — have since expanded the attack surface, compounding the need for a zero trust strategy. As such it is important to adopt the premise that an attacker is already in your environment and may be a trusted insider. The way in which we need to approach security has changed dramatically and the actions and intent of the human must take center stage.
Splunk and DTEX Systems have partnered to offer an integrated solution that captures, analyzes and streams a single, noise-free endpoint data signal. This telemetry describes genuine user intent and delivers the contextual human activity intelligence and endpoint meta-data as ‘Indicators of Intent’ ignored by 'several' or 'many' NGAV, UEBA and DLP tools.
Splunk Enterprise Security (ES) takes DTEX InTERCEPT’s ‘Indicators of Intent’ and provides customers with forensic intelligence that answers the questions of who, what, when, where and for how long an insider interacts with data, applications, machines and other users. This real-time, user behavior lineage highlights deviations from baseline activity to identify emerging insider threats, compromised account events or data loss scenarios.
Early adopter customers are advancing three use-case scenarios and realizing immediate time to value including:
- Visibility and collection of hundreds of unique meta-data elements and user activities transformed into Splunk CIM format (no contextual losses) for a noise-free endpoint data signal.
- Accelerated response times and root cause analysis within the Splunk ES console using real-time, detailed inside risk analytics and risk-based notifications.
- Notable event enrichment with human-behavioral intent telemetry to support faster, more automated remediation.
What makes Splunk ES and DTEX InTERCEPT unique is a simple and clear view of endpoint telemetry complete with human activity. The graphic below on the left illustrates a short sequence of user activities representing high-risk behavior that creates several thousand windows events that can be very difficult to review and interpret. By contrast, DTEX InTERCEPT data is filtered at the source, and the context provided reduces the number of truly notable events from 2500 Windows Security Event Logs to less than 100.
In a similar construct with Splunk SOAR, DTEX InTERCEPT’s risk-score stacking and streaming behavioral analysis delivers a noise-free signal that expresses user activity to accurately inform automated response processes. The graphic below on the right is an example of a response orchestration utilizing DTEX InTERCEPT’s human intelligence telemetry.
Getting DTEX InTERCEPT telemetry into Splunk is fast and easy. The direct integration between DTEX InTERCEPT and Splunk Cloud makes endpoint telemetry and insider risk intelligence ingestion fast and simple. Data is streamed securely and reliably over HTTPS. With DTEX and Splunk, security teams can focus on security, not managing infrastructure. With this integration, actionable data is visible in a single console, reducing the need to pivot across disjointed point products during investigations.
Together, Splunk and DTEX are accelerating security response times and root cause analysis, driving faster event resolution with advanced analytics and reporting, and decreasing manual security and IT operations with DMAP+ telemetry that provides the full context regarding the data, machines, applications, and people involved in a notable event.
We’re very excited to partner with DTEX on this superior, cloud-to-cloud approach to security. We hope that you take advantage of this powerful integration to improve your zero trust maturity today.
To stay up to date on all things DTEX and Splunk, head over to our DTEX Global Strategic Partner Page. We’ll be updating this with all of the content that we create together.
This article was co-authored by Rajan Koo, Chief Customer Success Officer at DTEX Systems.