Sep 27 2017

Splunk .Conf2017: Splunk Makes It Easier to Detect and Respond to Security Threats

Splunk Enterprise Security Content Update provides IT security teams with new content on threats and helps them investigate and take action.

Given the cybersecurity threat landscape, from massive breaches like the Equifax data breach to the continuing threat of ransomware, it can seem like IT security defenders are always a step behind attackers. Splunk wants to challenge that assumption. At the company’s .conf2017 event in Washington, D.C., Splunk unveiled new tools to help IT security teams detect and respond to threats more easily.

Splunk debuted Enterprise Security Content Update (ESCU), a new subscription service that brings human intelligence and machine data closer together, and offers IT teams prepackaged analysis guides called analytic stories. Those guides can help identify threats sooner and provide advice on how to respond. The goal is to let IT pros investigate threats faster so they can respond more quickly and protect their IT environments.

“I believe that defense can have an unfair advantage over the adversaries,” Monzy Merza, Splunk’s head of security research, said during a keynote session at .conf2017. “I believe that defenders can succeed. Security, IT and infrastructure people all come together when there is a problem. All we need is a nerve center so that we can share and learn.”

Nerve centers mean different things to different IT professionals, Merza said. For CISOs, they provide situational awareness. For IT security analysts, they reduce noise, provide a clearer security picture and let security analysts take action when they are ready to do so. And for threat hunters, nerve centers provide answers to any question they want to ask about threats.

Splunk Helps Detect Cybersecurity Threats Faster

It’s incredibly important for IT security teams to be able to learn about the tactics and techniques of attackers, Merza said, but what they really want is to be able to put that information to use and reduce the time it takes for an investigation or response.

ESCU, which Merza said is free as a download from the Splunkbase library, is designed to “take the understanding of the threat and package it up into an analytic story.” Users still need to be customers and have a Splunk Enterprise Security platform to use ESCU though.

IT security teams look across networks, endpoints and applications to detect threats. Splunk does that through ESCU. The Splunk security research team categorizes each threat as an analytic story, providing actionable guidance for detecting, analyzing and addressing it, according to the Splunk website. As the company discovers new threats, the tool will regularly deliver dynamic new content to security practitioners to detect specific threats and help them respond.

The stories contain the searches security operations teams need to implement in their own Splunk Enterprise Security environment. “Now, your security operations team has a research team that is an extension of you at Splunk,” Merza said. However, the goal is not just to give IT security teams more capacity to detect threats, he said, but also the ability to investigate, contextualize threats and take action.

Users can search for stories that Splunk already provided, such as for ransomware, or ask Splunk to provide new ones, Merza said. Each story describes the threat and then lets users search for specific indicators of it in their environment. For ransomware, that could mean searching for whether the shadow copies of files have been deleted from the system, Merza noted, which an attacker would do so victims couldn’t recover their files from the copies.

Users can run that kind of search to see if it applies to their IT environment, or they can run all of the detection searches associated with a particular analytic story (and corresponding threat). Merza said that ESCU provides information on how to implement the searches. And users can schedule detections for particular stories.
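To make the ransomware story's shadow-copy check concrete, here is an added example (not ESCU's own search, which the article does not reproduce) of the detection logic such a search expresses, run over constructed process-creation events. The field names, the sample events and the well-known `vssadmin`/`wmic` deletion commands are assumptions used for illustration.

```python
import re

# Constructed Sysmon-style process-creation events for illustration only;
# these are not real logs from any environment.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv01", "user": "NT AUTHORITY\\SYSTEM", "parent": "backupagent.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws03", "user": "CORP\\carol", "parent": "powershell.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Command-line patterns that remove Volume Shadow Copies. These are the
# commonly documented command forms, chosen here as an assumption; a real
# analytic story may cover additional variants.
DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# Suggested follow-up, mirroring the "next steps" an analytic story attaches.
NEXT_STEPS = (
    "Isolate the host, review file-write activity for mass encryption, "
    "and verify backups are intact before restoring."
)


def detect_shadow_copy_deletion(events):
    """Return one finding per event whose command line deletes shadow copies.

    Listing or creating shadow copies does not match, so routine backup
    agent activity such as 'vssadmin list shadows' stays quiet.
    """
    findings = []
    for event in events:
        cmdline = event.get("cmdline", "")
        if any(pattern.search(cmdline) for pattern in DELETION_PATTERNS):
            findings.append({
                "host": event.get("host"),
                "user": event.get("user"),
                "parent": event.get("parent"),
                "cmdline": cmdline,
                "next_steps": NEXT_STEPS,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{finding['host']} ({finding['user']}): {finding['cmdline']}")
```

In a Splunk deployment the same logic would be expressed as a scheduled correlation search over process-creation data rather than as Python, and the parent-process and user fields are what let an analyst contextualize a hit before acting.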

Take Action After Detecting Cyberthreats

All of the searches for a particular story create correlation rules for search events, Merza said. After conducting the searches, ESCU provides next steps that offer advice on the actions IT security teams should take.

Further, ESCU creates adaptive response actions associated with searches, so if users want to contextualize the searches in their larger IT environment or investigate further, they automatically can, according to Merza.

“You can have a broader understanding of what the threat is doing,” Merza said. “And you have the mechanism to take action and to learn without having to start from scratch.”

Users can request that Splunk’s security research team investigate other threats via a feedback mechanism in ESCU. The research team will then reach out to users to get more information, Merza said, “and together, we can build new analytic stories, we can tweak the ones that you are already interested in, and bring out to the forefront what you care about.”

