The Five Essential Capabilities of an Analytics-Driven SOC: Threat Intelligence

In this series about the characteristics of an analytics-driven security operations center (SOC), we have already discussed an adaptive security architecture. Next we will discuss what it means for an analytics-driven SOC to adopt threat intelligence capabilities.

Gartner defines threat intelligence as:

...evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

Splunk’s Offer

Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that helps SOC teams detect and respond quickly to internal and external attacks. It simplifies threat management, reduces risk, and provides organization-wide visibility and security intelligence for continuous monitoring, incident response and SOC operations. Splunk ES also helps SOC teams map their operations to the five essential capabilities defined by Gartner.

Splunk ES maps directly to this capability through its Threat Intelligence framework, which consumes and manages threat feeds, detects matches against them and raises alerts. The framework consists of modular inputs that collect and sanitize threat intelligence data, and lookup-generation searches that reduce that data into compact lookups so matching stays fast. Correlation searches compare event data against those lookups and alert on hits, and data model acceleration stores the results for quick retrieval. The framework also includes a number of audit dashboards that give introspection into threat intelligence retrieval, normalization, persistence and analysis.
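To make the four stages above concrete (ingest, sanitize, lookup generation, correlation and alerting, plus the audit counts a dashboard would show), here is an added example written for this page. It is not Splunk ES code and does not use SPL; the feed format, the feed name `feed_a`, the event field names (`dest`, `query`, `file_hash`) and the log events are all constructed for illustration. The point a practitioner should take from it is that feed data is untrusted input: defanged, malformed and duplicate indicators must be normalized and validated before they go into the lookup, or matching silently fails and the lookup bloats.

```python
"""Minimal threat-intel pipeline: ingest -> sanitize -> lookup -> correlate -> alert.

Added example for this page, not Splunk's code. Feed rows, field names and
events are constructed; only the EICAR MD5 is a real (public) test value.
"""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed indicator feed ("feed_a"): type,value,description.
# Deliberately messy: defanged values, mixed case, whitespace, junk rows, a duplicate.
RAW_FEED = """type,value,description
ip,198.51.100.23,known C2 host
ip, 203.0.113.9 ,scanner
ip,999.1.1.1,bad row
domain,EVIL-UPDATE[.]example,malware staging
domain,hxxp://evil-update[.]example/drop,same domain as above
domain,,empty row
md5,44D88612FEA8A8F36DE82E1278ABB02F,EICAR test file
md5,notahash,bad row
"""

HASH_RE = {"md5": re.compile(r"^[0-9a-f]{32}$"), "sha256": re.compile(r"^[0-9a-f]{64}$")}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed events, already parsed into fields (as a data model would present them).
EVENTS = [
    {"_time": "2024-03-01T10:00:01Z", "sourcetype": "firewall", "src": "10.0.0.5", "dest": "198.51.100.23"},
    {"_time": "2024-03-01T10:00:07Z", "sourcetype": "dns", "src": "10.0.0.8", "query": "EVIL-UPDATE.example"},
    {"_time": "2024-03-01T10:00:09Z", "sourcetype": "firewall", "src": "10.0.0.8", "dest": "93.184.216.34"},
    {"_time": "2024-03-01T10:01:00Z", "sourcetype": "edr", "host": "ws-17",
     "file_hash": "44d88612fea8a8f36de82e1278abb02f"},
]

# Which event field is compared against which indicator type (hypothetical mapping).
FIELD_MAP = {"dest": "ip", "src": "ip", "query": "domain", "file_hash": "md5"}


def refang(value: str) -> str:
    """Undo common defanging so feed values look like what actually appears in logs."""
    v = value.strip().lower()
    v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize(ioc_type: str, raw: str) -> Optional[str]:
    """Return the canonical form of an indicator, or None if it is invalid for its type."""
    v = refang(raw)
    if ioc_type == "ip":
        try:
            return str(ipaddress.ip_address(v))  # canonical text form, also validates
        except ValueError:
            return None
    if ioc_type == "domain":
        # Feeds mix URLs and bare domains; reduce a URL to its host.
        v = re.sub(r"^https?://", "", v).split("/")[0].split(":")[0]
        return v if DOMAIN_RE.match(v) else None
    if ioc_type in HASH_RE:
        return v if HASH_RE[ioc_type].match(v) else None
    return None  # unknown indicator type: drop rather than guess


def build_lookup(feed_text: str, feed_name: str) -> Tuple[Dict[str, Dict[str, dict]], Dict[str, int]]:
    """Sanitize the feed and reduce it to a lookup (type -> value -> context) plus audit counts."""
    lookup: Dict[str, Dict[str, dict]] = {}
    audit = {"rows": 0, "kept": 0, "dropped": 0, "duplicates": 0}
    for line in feed_text.strip().splitlines()[1:]:  # skip the header row
        audit["rows"] += 1
        parts = [p.strip() for p in line.split(",", 2)]  # description may contain commas
        if len(parts) != 3:
            audit["dropped"] += 1
            continue
        ioc_type, raw, desc = parts
        value = normalize(ioc_type, raw)
        if value is None:
            audit["dropped"] += 1  # malformed rows never reach the lookup
            continue
        bucket = lookup.setdefault(ioc_type, {})
        if value in bucket:
            audit["duplicates"] += 1  # same indicator, different spelling: keep one
            continue
        bucket[value] = {"feed": feed_name, "description": desc}
        audit["kept"] += 1
    return lookup, audit


def correlate(events, lookup):
    """Normalize each mapped event field the same way as the feed and match it against the lookup."""
    alerts = []
    for ev in events:
        for field, ioc_type in FIELD_MAP.items():
            raw = ev.get(field)
            if raw is None:
                continue
            key = normalize(ioc_type, raw)  # same canonical form on both sides of the join
            hit = lookup.get(ioc_type, {}).get(key) if key else None
            if hit:
                alerts.append({"_time": ev["_time"], "sourcetype": ev["sourcetype"], "field": field,
                               "ioc_type": ioc_type, "indicator": key, **hit})
    return alerts


if __name__ == "__main__":
    lk, stats = build_lookup(RAW_FEED, "feed_a")
    print("feed audit:", stats)
    for alert in correlate(EVENTS, lk):
        print(alert)
```

Running the script yields three alerts (the C2 IP from the firewall event, the staging domain from the DNS query, and the EICAR hash from the EDR event) and an audit line showing that of eight feed rows, four unique indicators were kept, three malformed rows were dropped and one duplicate was collapsed. Applying `normalize` to both the feed and the event side is what makes the join reliable; a lookup keyed on raw feed strings would have missed the mixed-case DNS query.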

City of Los Angeles Integrates Real-Time Security Intelligence Sharing Across 40+ City Agencies

The City of Los Angeles uses Splunk ES and Splunk Cloud to protect its digital infrastructure, providing situational awareness of its security posture and threat intelligence for its departments and stakeholders.

The port of San Pedro Bay in Los Angeles. Courtesy: City of LA

In the past, the city’s more than 40 agencies had disparate security measures, complicating the consolidation and analysis of data. Los Angeles wanted a scalable SaaS SIEM solution to identify, prioritize and mitigate threats, gain visibility into suspicious activities and assess citywide risks. Since deploying Splunk Cloud and Splunk ES, the city has seen benefits including:

  • Creation of citywide security operations center (SOC)
  • Real-time insight into threats
  • Reduced operational costs

Los Angeles uses its integrated SOC to produce intelligence, not just to collect data. The city’s analytics-driven SOC translates data from Splunk Cloud into timely threat intelligence, which it shares with its agencies as well as external stakeholders such as the FBI, the Department of Homeland Security, the Secret Service and other law enforcement agencies. With this information, the city collaborates with federal agencies to identify risks and develop strategies for deterring future network intrusions. Want to know more about the City of Los Angeles? Read the full case study.

Learn more about how organizations are using Splunk ES to drive their analytics-driven SOCs in our customer e-book, "Data Secrets Revealed: A Collection of Security Customer Stories." Want to see how Splunk ES maps to essential capabilities of an analytics-driven SOC? Check out our free whitepaper on the Five Essential Capabilities of an Analytics-Driven SOC.

Posted by Girish Bhat

