Written by Chuck Leaver, CEO, Ziften
We sponsored a terrific Splunk .conf2014 programme in Las Vegas and came back energised and raring to push our solution here at Ziften even further forward. One talk of particular interest was by Jose Hernandez, Security Solutions Architect at Splunk, titled “Utilizing Splunk to Automatically Mitigate Threats”. If you want to see his slides and a recording of the presentation, go to http://conf.splunk.com/sessions/2014
Using Splunk to assist with mitigation, or “Active Response” as I prefer to call it, is a very good concept. Streaming all of your intelligence data into Splunk, whether endpoint data, external threat feeds or anything else, is extremely effective; being able to act on that data is what really closes the loop. At Ziften we provide effective continuous monitoring on the endpoint, and our integration with Splunk is something we are truly proud of. Combining real-time data analysis with the ability to respond and take action against incidents is a strong move in the right direction.
Ziften has produced a mitigation action that uses the readily available Active Response code; a demonstration video is included in this blog below. As a proof of concept, we built the mitigation action within our Ziften App for Splunk. Once the action fires, its results can be observed and tracked within Splunk ES (Enterprise Security). This is a significant addition: users can now monitor and track mitigations within Splunk ES, which gives you the major advantage of closing the loop and establishing a history of your actions.
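To make the loop concrete, here is an added example of the shape such a mitigation action can take when built as a legacy Splunk scripted alert. This is not Ziften's code and not the Active Response framework from the talk; the only Splunk-specific fact it relies on is the documented legacy alert-script interface, in which argv[4] is the saved-search name and argv[8] the path of a gzipped CSV holding the triggering results. The field names dest and action, the action allowlist, the per-alert target cap, the audit-log path and the stub_dispatch function standing in for an endpoint API are all assumptions made for the example. The guardrails and the audit record are the parts a practitioner should keep: an automated action driven by a bad search can isolate far more hosts than any attacker would, and every approved, failed or refused action is written back as a JSON line that Splunk can index, which is what gives you the history of actions described above.

```python
"""
Legacy Splunk scripted alert (Splunk passes eight positional arguments;
argv[4] is the saved-search name, argv[8] the path of a gzipped CSV of the
triggering results).  Field names, allowlist, target cap, audit path and the
dispatch stub are assumptions for this example, not Ziften's or Splunk's code.
"""
import csv
import gzip
import io
import json
import os
import sys
import time

# Assumed policy: only these actions may be automated, and one alert may never
# act on more than this many hosts (limits the blast radius of a bad search).
ALLOWED_ACTIONS = {"isolate_host", "kill_process", "quarantine_file"}
MAX_TARGETS_PER_ALERT = 5


def compress_csv(text):
    """Build a results blob in the gzipped-CSV form Splunk writes (used for the demo)."""
    return gzip.compress(text.encode("utf-8"))


def parse_results(blob):
    """Decode the gzipped CSV Splunk writes for an alert into a list of row dicts."""
    text = gzip.decompress(blob).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def plan_mitigations(rows):
    """Validate rows before anything is acted on.

    Returns (approved, rejected): approved entries are {"dest", "action"};
    rejected entries carry the offending row and a reason for the audit trail.
    """
    approved, rejected, seen = [], [], set()
    for row in rows:
        dest = (row.get("dest") or "").strip()
        action = (row.get("action") or "").strip()
        if not dest:
            rejected.append({"row": row, "reason": "missing dest"})
        elif action not in ALLOWED_ACTIONS:
            rejected.append({"row": row, "reason": "action not allowlisted: " + action})
        elif dest in seen:
            rejected.append({"row": row, "reason": "duplicate target"})
        else:
            seen.add(dest)
            approved.append({"dest": dest, "action": action})
    if len(approved) > MAX_TARGETS_PER_ALERT:
        # A search that suddenly matches half the fleet is more likely a broken
        # search than an outbreak: refuse the whole batch and make a human look.
        rejected.extend({"row": a, "reason": "batch exceeds MAX_TARGETS_PER_ALERT"}
                        for a in approved)
        approved = []
    return approved, rejected


def stub_dispatch(dest, action):
    """Hypothetical placeholder for the real endpoint API call."""
    return {"status": "ok"}


def run_alert(blob, search_name, dispatch=stub_dispatch):
    """Plan and execute the actions; return one audit event per attempted or refused action."""
    approved, rejected = plan_mitigations(parse_results(blob))
    events = []
    for item in approved:
        try:
            status, error = dispatch(item["dest"], item["action"]).get("status", "unknown"), None
        except Exception as exc:  # one failing call must not abort the audit record
            status, error = "failed", str(exc)
        events.append({"search_name": search_name, "dest": item["dest"],
                       "action": item["action"], "status": status, "error": error})
    for item in rejected:
        events.append({"search_name": search_name, "dest": item["row"].get("dest"),
                       "action": item["row"].get("action"), "status": "refused",
                       "error": item["reason"]})
    return events


def write_audit(events, path):
    """Append JSON lines that a Splunk file-monitor input can index (assumed path)."""
    with open(path, "a") as fh:
        for ev in events:
            fh.write(json.dumps(dict(ev, _time=time.time())) + "\n")


if __name__ == "__main__":
    if len(sys.argv) >= 9:                     # invoked by Splunk as an alert script
        with open(sys.argv[8], "rb") as fh:
            blob = fh.read()
        search_name = sys.argv[4]
    else:                                      # stand-alone demo on constructed results
        blob = compress_csv("dest,action,signature\n"
                            "ws-042,isolate_host,Trojan.Generic\n"
                            "ws-042,isolate_host,Trojan.Generic\n"
                            "srv-db-01,reboot,Trojan.Generic\n"
                            ",kill_process,Trojan.Generic\n")
        search_name = "demo_search"
    audit_path = os.path.join(os.environ.get("SPLUNK_HOME", "."), "mitigation_audit.log")
    write_audit(run_alert(blob, search_name), audit_path)
```

Run without arguments it processes the constructed results above: one isolation is dispatched, and the duplicate row, the non-allowlisted reboot and the row with no host are refused with a reason, all four landing in the audit log. Pointing a Splunk file-monitor input at that log is what lets the mitigations be searched and tracked alongside the alerts that caused them.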
That Splunk is driving such an effort thrills us; it is likely to progress, and we are committed to continuing to support it and build on it. It is a very exciting time in the Endpoint Detection and Response space, and in my view the Active Response Framework being integrated into Splunk will generate a high degree of interest.
For any questions concerning the Ziften App for Splunk, please send an e-mail to firstname.lastname@example.org