Streamlining Vulnerability Management with Splunk Phantom

By Splunk

Vulnerabilities are weaknesses in the security infrastructure that bad actors can exploit to gain unauthorized access to a private network. It is nearly impossible for security analysts to patch 100% of the vulnerabilities identified on any given day, but an application vulnerability management plan can ensure that the highest risk vulnerabilities (those that are most likely to cause a data breach), will be addressed immediately. Any vulnerability alert has the potential to turn into a security incident —which can be extremely detrimental to the organization if it is not identified and patched. Organizations must have a plan in place to proactively identify, evaluate, and patch vulnerabilities to reduce cyber risks.

Five Common Phases of a Vulnerability Management Cycle

Garter recently shared an updated Vulnerability Management Guidance Framework, which sheds light on how most organizations are currently handling vulnerabilities in their IT security systems today.

Assess: A vulnerability scanner or endpoint agent is used to scan for vulnerabilities in a network.
Prioritize: An analyst will evaluate each alert to determine the risk level of the alert and how much time is required to patch the existing vulnerability.
Act: After the analyst determines that the vulnerability needs to be patched based on the analysis of available artifacts, they will notify the responsible team by creating a ticket with all the necessary information. The responsible team will review the details within the ticket and patch the vulnerability.
Reassess: After the responsible team has validated the fix, the ticket will need to be marked “closed”.
Improve: The team will evaluate the current process and look for ways to improve any inefficiencies.

Many security analysts currently go through each step within the entire vulnerability management (VM) cycle manually — and the entire lifecycle could take upwards of 38 days or more! You’re probably thinking, “So how can I beat the threat actor in this race and patch the vulnerability before it can be exploited?”

How Splunk Uses Automation to Manage Vulnerabilities

Gartner states that one of the characteristics of a successful VM program is that the program “leverages advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.”

Our internal security team at Splunk did just that. They leveraged Splunk Phantom, a security orchestration, automation, and response (SOAR) tool, to manage the entire vulnerability management lifecycle — from automating vulnerability prioritization to creating vulnerability remediation tickets and tracking the remediation process — without ever leaving the platform. A SOAR tool like Splunk Phantom can help security teams orchestrate actions across disparate tools from a single platform, and automate responses quickly so that your team can focus on mission critical tasks.

Upon implementing Splunk Phantom, the Splunk security team saw a 40% reduction in mean time to detect and mean time to respond. The automated workflows allowed the team to quickly add important enrichment context to the vulnerability data that is pulled from various sources, and then filter and categorize by label, plugin ID, severity, number of hosts affected, SLAs and more. These fields can be customized so that the analyst can easily view all the necessary information at a glance and clearly identify which vulnerabilities to prioritize. In addition, the team also used Phantom automated playbooks to effectively communicate with the remediation team by creating, updating, and closing tickets from a ticket software, such as Jira or ServiceNow, in seconds.

To learn more about how our internal Splunk security team uses Splunk Phantom to manage vulnerabilities, make sure to join us for the webinar, "Streamlining Vulnerability Management with Splunk Phantom" where our senior security engineer, Dominic Salas, walks us through an in-depth demo.

----------------------------------------------------
Thanks!
Kelly Huang

Detect Fraud Sooner with the Splunk App for Fraud Analytics

Leverage your data to detect, investigate and respond to fraud sooner with the Splunk App for Fraud Analytics.

Security 6 Min Read

ML Detection of Risky Command Exploit

Discover how to use machine learning algorithms to develop methods for detecting misuse or abuse of risky SPL commands to further pinpoint a true security threat.

Security 6 Min Read

Macro-ATT&CK 2024: A Five-Year Perspective

Splunk’s Ryan Fetterman and Tamara Chacon dive into attacker techniques, trends, and blue team tips for analyzing and visualizing data from the past year.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.