Security Automation and Orchestration With Splunk SOAR
Using Splunk SOAR's Python-based Apps and Playbooks, Blackstone is now able to execute actions quickly, ensuring a repeatable and auditable process for investigating malware alerts. A Splunk SOAR Playbook is triggered when an email malware alert is received. Due to the lack of context in these alerts, Splunk SOAR's first order of business is to query Blackstone’s security information and event management (SIEM) solution for all recipients, then Active Directory to collect context from the profiles of all affected users — business group, title and location.
Next, Splunk SOAR orchestrates a “hunt file” action in Carbon Black and queries iSightPartners’ threat intelligence database before concluding with a file reputation check on VirusTotal and an assessment by Cylance’s Infinity model. This information is immediately presented back to the security team in a quick-analysis format for review and action.
Starting with a well-defined manual process is essential for automation, and has allowed Blackstone to quickly implement Splunk SOAR Playbooks. Once the Blackstone team was familiar with Splunk SOAR's platform, they were able to write Playbooks in a matter of hours. Blackstone already has a roadmap for additional use cases such as automating time-consuming operational tasks and addressing additional incident response scenarios.
As a next step, Blackstone plans to create remediation Playbooks, which would allow analysts to take immediate action based on the initial Playbook result. Such actions could include additional investigation tasks, notifying users, or even isolating hosts, which would be integrated with multi-factor authentication to ensure the action is properly authorized.
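The enrichment chain described above and the MFA-gated remediation step, modelled as an added Python example that is not Blackstone's Playbook or Splunk SOAR's API: each data source (SIEM, Active Directory, Carbon Black, iSightPartners, VirusTotal, Cylance) is a constructed in-memory lookup, the hash and scores are placeholders, and the verdict thresholds are assumptions rather than vendor defaults.

```python
# Constructed stand-ins for the systems the playbook queries; a real playbook
# would call the corresponding Splunk SOAR app actions instead.
SAMPLE_HASH = "deadbeef" * 8  # constructed SHA-256 placeholder
SIEM_RECIPIENTS = {"alert-1001": ["alice@example.com", "bob@example.com"]}
ACTIVE_DIRECTORY = {"alice@example.com": {"group": "Finance", "title": "Analyst", "location": "NYC"}}
CARBON_BLACK_HOSTS = {SAMPLE_HASH: ["WS-ALICE", "WS-BOB"]}   # hosts where the file was found
THREAT_INTEL = {SAMPLE_HASH: "matches known dropper family (constructed)"}
VIRUSTOTAL = {SAMPLE_HASH: (43, 70)}                        # (detections, engines queried)
CYLANCE = {SAMPLE_HASH: -0.87}                              # -1 = malicious ... +1 = safe

UNKNOWN_PROFILE = {"group": "unknown", "title": "unknown", "location": "unknown"}


def enrich_alert(alert_id: str, sha256: str) -> dict:
    """Run the enrichment steps in the order the page lists them and build the quick-analysis summary."""
    recipients = SIEM_RECIPIENTS.get(alert_id, [])
    # Recipients missing from AD (contractors, stale accounts) still appear, flagged as unknown.
    users = [{"email": r, **ACTIVE_DIRECTORY.get(r, UNKNOWN_PROFILE)} for r in recipients]
    detections, engines = VIRUSTOTAL.get(sha256, (0, 0))
    return {
        "alert_id": alert_id,
        "sha256": sha256,
        "users": users,
        "hosts_with_file": CARBON_BLACK_HOSTS.get(sha256, []),
        "threat_intel": THREAT_INTEL.get(sha256),
        "vt_ratio": detections / engines if engines else None,  # None = hash never scanned
        "cylance_score": CYLANCE.get(sha256),
    }


def verdict(summary: dict) -> str:
    """Combine the three file-reputation signals; thresholds are constructed assumptions."""
    signals = [
        summary["threat_intel"] is not None,
        summary["vt_ratio"] is not None and summary["vt_ratio"] >= 0.10,
        summary["cylance_score"] is not None and summary["cylance_score"] < 0,
    ]
    hits = sum(signals)
    return "malicious" if hits >= 2 else "suspicious" if hits == 1 else "unknown"


def isolate_hosts(summary: dict, mfa_verified: bool) -> list:
    """Remediation step: refuse to isolate anything unless the analyst passed an MFA challenge."""
    if not mfa_verified:
        raise PermissionError("host isolation requires a verified MFA challenge")
    return sorted(summary["hosts_with_file"])


if __name__ == "__main__":
    s = enrich_alert("alert-1001", SAMPLE_HASH)
    print(verdict(s), s["users"])
```

A hash with no reputation data anywhere yields a verdict of "unknown" rather than a false "clean", so the analyst still sees that the lookups returned nothing.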