Security orchestration, automation and response (SOAR) tools are most commonly known for automating manual security operations processes in order to expedite security investigations or cyber response. For instance, Splunk’s SOAR technology, Splunk Phantom, is most commonly used to automate alert triage, phishing investigation and response, threat hunting and vulnerability management.
But in reality, a robust SOAR technology like Splunk Phantom is not a “SOC-only” technology. It should allow you to automate any process using any tool, as long as that third-party tool exposes an API. Through that API, Splunk Phantom can instruct the tool to perform actions automatically in response to any stimulus. You can bring any meaningful data from any tool into the platform, whether it’s security-related data, such as “notables” from Splunk Enterprise Security (ES) and newly detected vulnerabilities, or non-security-related data, such as ticket status or email content from an inbox. Ultimately, you can leverage Splunk Phantom’s capabilities in a variety of ways to execute processes automatically at machine speed.
Automation for IT, Security and Beyond
Booz Allen Hamilton, a consulting firm, helps U.S. government entities build solutions that adhere to the requirements laid out by the Department of Homeland Security (DHS) and the Continuous Diagnostics and Mitigation (CDM) Program. They help government entities reduce cyber risk and provide security visibility across various federal agencies, including safeguarding sensitive data that is distributed across government networks and restricting access to unauthorized users.
To deliver on this promise, Booz Allen needs to be able to answer four key questions:
- What is on the network? Identification of all types of hardware and software operating on the network is crucial.
- Who is on the network? They must also be able to identify all users and systems with access authorization and indicate the level of authorization.
- What is happening on the network? The capability to analyze events, incidents and cyber risks on an ongoing basis is also critical.
- How is data protected on the network? Finally, Booz Allen needs a way to collect security information and activity logs for users and devices, regardless of location.
Traditional network access control (NAC) solutions like Forescout CounterACT and Cisco Identity Services Engine can certainly block wired endpoints using the standard policies native to the NAC solution, but DHS wanted to increase security by using automation to block endpoints based on posture assessment of every endpoint. After analyzing and understanding the relationship between the network, systems and users, Booz Allen Hamilton was ready to supplement traditional NAC solutions with automation and orchestration.
Booz Allen approached the Splunk Phantom team and asked, “Can Splunk Phantom automate processes associated with network access control? Moreover, can we block all endpoints using Comply-2-Connect (C2C) posture assessment with automation and orchestration?” After a moment of head scratching, the Splunk Phantom team said, “Yes, we can do that,” and then got to work creating NAC automation playbooks that had to meet very robust performance requirements, including:
- Running three different posture checks quickly
- Making a decision and executing a NAC action in 4 minutes or less
- Removing the bottleneck on network connection by running the playbook up to 50,000 times per hour, enough to adjudicate 50,000 endpoints (the average number of endpoints coming online per agency during the peak hour of work).
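To make the three requirements above concrete, here is an added illustration of what such a posture-adjudication playbook does, written as plain Python rather than in the Splunk Phantom playbook SDK, and not taken from Splunk's or Booz Allen's code. It runs three posture checks, makes an allow/quarantine decision, calls a NAC action, and records whether the run stayed inside the 4-minute decision budget; a small helper turns the 50,000-runs-per-hour target into the degree of parallelism a given average run time would require. The `Endpoint` fields, the check thresholds (`REQUIRED_OS_BUILD`, `MAX_AV_SIGNATURE_AGE_DAYS`), the `NacClient` stand-in and the sample endpoint records are all constructed assumptions, not any vendor's API.

```python
"""Added illustration of a Comply-to-Connect style posture playbook.
Not Splunk/Booz Allen code; every threshold, record and API below is
a constructed assumption."""
from __future__ import annotations

import math
import time
from dataclasses import dataclass

DECISION_BUDGET_SECONDS = 4 * 60      # "4 minutes or less" requirement
TARGET_RUNS_PER_HOUR = 50_000         # peak-hour endpoints per agency
MAX_AV_SIGNATURE_AGE_DAYS = 7         # assumed threshold
REQUIRED_OS_BUILD = "10.0.19045"      # assumed minimum build (hypothetical)


@dataclass
class Endpoint:
    """Posture facts an endpoint-management tool would report (constructed)."""
    mac: str
    agent_installed: bool
    os_build: str
    av_signature_age_days: int


@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str


def _build_tuple(build: str) -> tuple[int, ...]:
    """Compare dotted build numbers numerically, not as strings."""
    return tuple(int(part) for part in build.split("."))


def check_agent(ep: Endpoint) -> CheckResult:
    detail = "management agent present" if ep.agent_installed else "management agent missing"
    return CheckResult("agent", ep.agent_installed, detail)


def check_os_build(ep: Endpoint) -> CheckResult:
    ok = _build_tuple(ep.os_build) >= _build_tuple(REQUIRED_OS_BUILD)
    return CheckResult("os_build", ok, f"build {ep.os_build}, minimum {REQUIRED_OS_BUILD}")


def check_av_signatures(ep: Endpoint) -> CheckResult:
    ok = ep.av_signature_age_days <= MAX_AV_SIGNATURE_AGE_DAYS
    return CheckResult("av_signatures", ok,
                       f"signatures {ep.av_signature_age_days} days old, max {MAX_AV_SIGNATURE_AGE_DAYS}")


# The "three different posture checks" from the requirements.
POSTURE_CHECKS = (check_agent, check_os_build, check_av_signatures)


def adjudicate(ep: Endpoint) -> tuple[str, list[CheckResult]]:
    """Allow only when every posture check passes; otherwise quarantine."""
    results = [check(ep) for check in POSTURE_CHECKS]
    decision = "allow" if all(r.passed for r in results) else "quarantine"
    return decision, results


class NacClient:
    """Hypothetical stand-in for the NAC vendor API a real playbook would call over REST.
    It records the actions it is asked to take so the outcome can be inspected."""

    def __init__(self) -> None:
        self.actions: list[tuple[str, str, str]] = []

    def allow(self, mac: str) -> None:
        self.actions.append(("allow", mac, ""))

    def quarantine(self, mac: str, reason: str) -> None:
        self.actions.append(("quarantine", mac, reason))


@dataclass
class PlaybookRun:
    mac: str
    decision: str
    reasons: list[str]
    elapsed_seconds: float
    within_budget: bool


def run_playbook(ep: Endpoint, nac: NacClient, clock=time.monotonic) -> PlaybookRun:
    """One playbook execution: checks, decision, NAC action, timing against the budget.
    `clock` is injectable so the budget check can be exercised deterministically."""
    start = clock()
    decision, results = adjudicate(ep)
    reasons = [f"{r.name}: {r.detail}" for r in results if not r.passed]
    if decision == "allow":
        nac.allow(ep.mac)
    else:
        nac.quarantine(ep.mac, "; ".join(reasons))
    elapsed = clock() - start
    return PlaybookRun(ep.mac, decision, reasons, elapsed, elapsed <= DECISION_BUDGET_SECONDS)


def required_concurrency(avg_run_seconds: float, runs_per_hour: int = TARGET_RUNS_PER_HOUR) -> int:
    """Playbook executions that must run in parallel to sustain the hourly target."""
    return math.ceil(runs_per_hour * avg_run_seconds / 3600)


# Constructed sample endpoints: one compliant, two failing different checks.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", True, "10.0.19045", 2),
    Endpoint("00:11:22:33:44:02", False, "10.0.19045", 1),
    Endpoint("00:11:22:33:44:03", True, "10.0.19044", 30),
]


def demo() -> tuple[NacClient, list[PlaybookRun]]:
    nac = NacClient()
    runs = [run_playbook(ep, nac) for ep in SAMPLE_ENDPOINTS]
    return nac, runs


if __name__ == "__main__":
    nac, runs = demo()
    for run in runs:
        print(run.mac, run.decision, run.reasons, f"{run.elapsed_seconds:.4f}s", run.within_budget)
    print("parallel runs needed at 2 s/run:", required_concurrency(2.0))
```

The point of the injected `clock` and the `within_budget` flag is that a playbook meeting the 4-minute requirement should measure itself: a run that overshoots the budget is a signal to surface, not silently accept. `required_concurrency` makes the throughput requirement tangible; at a 2-second average run the 50,000-per-hour target needs 28 playbooks in flight at once, which is the kind of number that drives how the automation platform is sized.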
Piece of cake, right? To learn how Splunk Phantom and Booz Allen Hamilton achieved these goals and helped the Department of Homeland Security implement advanced network access control, join us for a webinar, "Taking Automation Beyond the SOC With Advanced Network Access Control."