After a great Splunk .conf2014 show which we were a sponsor at in Las Vegas, we came back energized and chomping at the bit to move even further forward with our offering here at Ziften. One particular talk that was very interesting was by Jose Hernandez, a Security Solutions Architect for Splunk. His talk was entitled ‘Using Splunk to Automatically Mitigate Threats’. You can go to http://conf.splunk.com/sessions/2014 and find his slides and recording of the talk.
The idea of using Splunk to help with mitigation or as I like to call it, Active Response, is a great idea. The power of having all of your intelligence data flowing into Splunk, whether that is network data, endpoint data, outside threat feeds, etc, and then being able to act on that data, is really completing the loop. Ziften’s power of continuous monitoring on the endpoint, makes this marriage with Splunk something we are very proud of. Real-time data analysis with the ability to respond and now act on incidents is a strong move forward.
We recently created a mitigation action using the available Active Response code. We have a demo video attached to this blog below. This proof of concept shows us being able to create a mitigation action within our Ziften App for Splunk. Once generated, you can see and track the results within Splunk ES (Enterprise Security). This is a great addition that will enable users to monitor and track mitigations within ES, which is an important feature to complete the loop and have history of your actions.
We are thrilled that Splunk is driving such an initiative, we understand that it may evolve and we are committed to continuing supporting it and making progress with it. These are exciting times within the Endpoint Detection and Response space and the addition of an Active Response Framework built into Splunk will certainly generate a lot of interest in my opinion.
For any questions regarding the Ziften App for Splunk, please email email@example.com.