By Alex Wang
Splunk Enterprise Security (ES) is the nerve center of security operations for many organizations. As the volume of machine-generated data from security technologies keeps growing, Splunk ES consolidates it and gives security teams the insight and direction they need in an overwhelming sea of data. Like many security products, Awake's detections of attacker tactics, techniques and procedures (TTPs) can be consumed by the security team through this mechanism.
Awake goes further, however, and has partnered with Splunk through its Adaptive Response (AR) program. Through this program, Awake's Network Detection and Response platform uses network traffic analysis (NTA) to automate the most difficult and tedious parts of the security team's work. The integration keeps Awake inside the team's existing detection-to-remediation workflow, so analysts can focus on decision making and managing risk rather than on manually hunting or gathering context.
For instance, as the video shows, an analyst working through an alert queue in Splunk ES can instantly access deep context on the entities involved through Awake's EntityIQ™ device or domain profiles. That information can in turn trigger additional actions, such as blocking domains or IP addresses at the firewall or proxy. All of this completes in a matter of seconds, so the team can deal with threats conclusively, lowering dwell time and ultimately minimizing risk to the organization.
The Awake Security adaptive response actions let analysts using Splunk pivot on an IP address, email address or domain name and quickly get detailed analytics on it. Previously, this would have required using separate applications or databases (as many as 30 or 40, we found in talking to practitioners) to find the information needed to start an investigation and then to determine whether an alert is even worth investigating further. Now, one click on an email address, IP address or domain delivers that information. Importantly, this context is derived purely from network data and does not require agents or integrations with centralized databases such as a CMDB or Active Directory, which are often out of date.
In addition, Awake has also integrated with Splunk Enterprise. Analysts can pivot easily from an alert containing a victim IP address to an Awake device profile that shows the users associated with that address and their roles, information on the operating systems and applications on the device(s), and a listing of similar devices that have appeared on the network.