In this series about the characteristics of an analytics-driven security operations center (SOC), we have already discussed an adaptive security architecture, threat intelligence and advanced analytics. Next, we will get into the ability to proactively hunt and investigate threats.
Gartner defines the ability to proactively hunt and investigate threats as:
“Proactive threat hunting and investigation is used to detect unknown and advanced threats. Hunting entails analyst-driven investigation rather than relying on signature or rule-based detection mechanisms. In addition, hunting and investigating is proactive, seeking out IOCs and incidents rather than waiting to be alerted and reacting.”
Splunk Enterprise Security (ES) is an analytics-driven security information and event management (SIEM) solution that helps SOC teams quickly detect and respond to internal and external attacks, simplify threat management, minimize risk, gain organization-wide visibility and security intelligence for continuous monitoring, incident response and SOC operations. Splunk ES also helps SOC operations map to the five essential capabilities defined by Gartner and implement an Analytics-Driven SOC.
Depending on an organization’s maturity, domain and product experience, the Splunk security portfolio—consisting of Splunk Enterprise and Splunk ES—can be used with network, endpoint, threat intelligence and access data to automatically and proactively hunt for threats.
Splunk ES can specifically help organizations with automatic threat intelligence gathering and information sharing between toolsets. The Splunk platform can be used for operationalizing threat intelligence to implement an automated threat hunting and threat management platform. Splunk ES can take organizations from having zero visibility into threats to building a rich and sophisticated platform with the ability to automate threat hunting in a matter of weeks.
Aflac Automates Threat Hunting and Security Analytics With Splunk Enterprise Security
Adversaries continue to use a wide range of technologies, techniques and procedures to compromise and access sensitive data. In addition to preventative solutions, it is common to see security operations teams adopt advanced detection, incident response solutions, threat intelligence, orchestration and automation to scale investigations, accelerate response and remediate advanced threats.
Aflac is a Fortune 500 company that provides financial protection to more than 50 million people worldwide. The company recently deployed Splunk ES as the heart of its internal Threat Intelligence System (TIS). With Splunk ES, augmented by Splunk User Behavior Analytics (UBA), Aflac has embraced the analytics-driven approach to security.
Aflac was looking to proactively identify malicious insiders and attacks as the company was fighting an onslaught of targeted attacks, malware infections and spear phishing. Splunk was chosen to help with automated threat intelligence gathering and information sharing between toolsets. Splunk was initially used for operationalizing threat intelligence to implement an automated threat hunting and threat management platform.
Splunk Enterprise Security “Threat Activity” Dashboard
Splunk ES—with its built-in threat intelligence framework, ability to automate and report on threat activity—was a perfect complement to Aflac’s existing security services. Splunk quickly became Aflac’s core threat analytics platform and Aflac now uses the Splunk platform to visualize and correlate threat data with critical endpoint security data, and to automate and orchestrate more than 20 unique data sources within its SOC.
Soon after automating threat hunting, Aflac realized the power of Splunk Enterprise Security as a security analytics platform and started using it for additional use cases such as incident response, anti-fraud and more. Aflac also replaced its existing legacy SIEM with Splunk ES.
Aflac had two security staffers (with no prior Splunk experience) to launch Splunk ES in their environment. It took them just a few weeks to ramp up and start implementing the solution. Aflac went from having zero visibility into threats to building a rich and sophisticated platform with the ability to automate threat hunting in weeks.
Within a six-month period in 2016, the Aflac security team blocked more than 2 million connections, with less than 12 false positives.
Within two months, Aflac went from manual editing of spreadsheets to automating 90 percent of security metrics, saving approximately 30 hours per month. Now that time is spent on strategic planning as opposed to mundane tasks and busy work. Aflac is now proactive about security defense and strategic planning, and continues to streamline global projects.
Want to learn more about how organizations are using Splunk ES to drive their analytics-driven SOCs? Check out our customer e-book, "Data Secrets Revealed: A Collection of Security Customer Stories." Want to see how Splunk ES maps to the essential capabilities of an analytics-driven SOC? Check out our free white paper on the Five Essential Capabilities of an Analytics-Driven SOC.