Written by Chuck Leaver, CEO, Ziften
We sponsored the excellent Splunk.conf2014 show in Las Vegas, and we returned energized and eager to push our solution here at Ziften even further forward. A talk of particular interest was given by Jose Hernandez, Security Solutions Architect for Splunk, titled “Utilizing Splunk to Automatically Mitigate Threats”. If you would like to see his slides and a recording of the presentation, please go to http://conf.splunk.com/sessions/2014
Using Splunk to assist with mitigation, or “Active Response” as I prefer to call it, is a great concept. Having all of your intelligence data streaming into Splunk is very effective, whether it is endpoint data, external threat feeds or other sources; being able to take action on that data is what really completes the loop. At Ziften we have an effective continuous endpoint monitoring solution, and its integration with Splunk is something we are extremely proud of. Pairing real-time information analysis with the ability to respond and take action against incidents is a strong move in the right direction.
Ziften has produced a mitigation action that uses the readily available Active Response code; a demonstration video is included in this post below. As a proof of concept, we created a mitigation action within our Ziften App for Splunk. Once the action has run, its results can be observed and tracked within Splunk ES (Enterprise Security). This is a significant addition: users can now monitor and track mitigations within Splunk ES, which gives you the considerable benefit of closing the loop and establishing a history of your actions.
We are thrilled that Splunk is driving such an initiative. It is likely to evolve, and we are committed to supporting it and building on it further. This is an exciting time in the Endpoint Detection and Response space, and in my view the addition of the Active Response Framework built into Splunk will certainly generate a high degree of interest.
For any questions about the Ziften App for Splunk, please send an e-mail to email@example.com