The Five Essential Capabilities of an Analytics-Driven SOC: Automation

In this series about the characteristics of an analytics-driven security operations center (SOC), we have been discussing each capability, having previously written about an adaptive security architecture, threat intelligence, advanced analytics, and the ability to proactively hunt and investigate threats. Next on the list is automation.

We talk about semi-automation, which Gartner describes as a balance between full automation and analyst oversight. Gartner calls this "automatability": the ability to automate parts of the SOC in which automated actions support, rather than replace, human decisions.

Being able to automate certain tasks helps control the costs associated with traditional SOC operations and helps organizations work around not having enough highly skilled analysts to defend against more advanced threats.

Splunk’s Solution

Splunk Enterprise Security (ES) is a SIEM solution that helps SOC teams gain the insights needed to quickly detect and respond to internal and external attacks, simplify threat management, minimize risk, and gain organization-wide visibility and security intelligence for continuous monitoring, incident response and SOC operations. Splunk ES also helps SOC operations teams map to the five essential capabilities defined by Gartner.

Splunk ES includes a common framework for interacting with data and invoking actions.

The Adaptive Response framework resides within Splunk Enterprise Security and helps optimize threat detection and remediation using workflow-based context. Analysts can automate actions or individually review response actions to quickly gather more context or take appropriate actions across multi-vendor environments.

The Splunk Adaptive Response framework enables security teams to quickly and confidently apply changes to the environment. Splunk ES can automate the response as well, enabling the security infrastructure to adapt to the attacker using a range of actions appropriate to each domain.

Adaptive Response is designed for heterogeneous security architectures. By leveraging the Splunk-led initiative, customers can benefit from best practices derived from leading vendors who are collaborating to address modern cyberthreat challenges.

Adaptive Response is a common interface for automating retrieval, sharing and responses in multi-vendor environments to help automate and optimize threat detection and remediation. Many Splunk security customers are already using automation to eliminate routine tasks, to accelerate detection and streamline their response times.

The framework provides the ability to register and configure automated or assisted response actions, enabling organizations to effectively leverage their existing security products, including firewall, IDS/IPS, endpoint, threat intelligence, incident response and identity, with Splunk ES serving as the central security intelligence platform.

Users can use UI wizards and dashboards to specify the nature of actions, categorize actions, and receive feedback on the status and results of actions across a wide range of entities.

The visibility into the capabilities and actions of each Adaptive Response entity helps Splunk customers view the list of actions available, select appropriate actions, and deploy and manage the entities and their actions in ways best suited to their environments, deployments and security operations.

Analysts can also automate actions or individually review response actions so that they can quickly gather more context or take appropriate actions across a multi-vendor security ecosystem.

Jabil Trusts Splunk Enterprise Security as its Global Security Nerve Center

Jabil Circuit is one of the largest manufacturers in the world, with 190,000 employees and $18 billion in revenue.

Since deploying Splunk ES as its analytics-driven SIEM platform, Jabil has seen benefits including:

  • Improved visibility across its infrastructure
  • Quicker incident response
  • Automated tasks to improve efficiency

Splunk ES has changed the way Jabil responds to threats partly because of the platform’s ability to automate certain tasks. The automation has enabled Jabil’s security team to focus on where threats are and what the potential impact of a threat might be.

The ability to automate certain tasks has also allowed Jabil’s security lead to create identifiers of compromise that other analysts can then reuse repeatedly without needing the technical depth of the lead analyst. This has improved the efficiency and productivity of Jabil’s security team.

Want to learn more about how organizations are using Splunk ES to drive their analytics-driven SOCs? Check out our customer e-book, "Data Secrets Revealed: A Collection of Security Customer Stories." Want to see how Splunk ES maps to the essential capabilities of an analytics-driven SOC? Check out our free white paper on the Five Essential Capabilities of an Analytics-Driven SOC.

Posted by Girish Bhat