Splunk: Integrating for Better Threat Recognition

Security operations centers are drowning in data. More than half of all companies—55 percent—have to deal with more than 10,000 alerts every day. This deluge leaves 74 percent of IT workers feeling overwhelmed by threat alerts, one 2017 study found.

Trying to pick out the true threats in such an environment can be impossible without the right tools. Information-Security specialists at a company were unable to determine the true nature of a generic threat—labeled "malware.binary"—and decided not to follow up on a threat alert, resulting in the leak of 110 million records in the retailer's 2013 breach.

And the problem is only getting worse. Only three years ago, the number of alerts were much smaller, only 37 percent of companies had to deal with 10,000 alerts every month, not daily. More data has led to more alerts, but not necessarily more visibility.

Splunk is continuously innovating to reverse this trend. We have always endeavored to help companies sift through their massive mountain of data to find the nuggets of information that they need to inform and run their business.

So, in June 2017, when Symantec opened up its data platform and launched its Technology Integration Partner Program (TIPP), Splunk knew that we wanted to be onboard. Through TIPP and together with Symantec, we created a set of eight Splunk Apps that integrate Symantec's data from on-premise endpoints and servers—as well as cloud security data—to give better visibility to our customers.

As Peter Doggart, Symantec's VP of Business Development explains about TIPP, "While many partner programs exist today, we have decided to focus on the technical integration aspect of partnership. This is the single most important aspect of making a difference in security. By working to integrate our data feeds, linking together our defensive platforms, leveraging each other’s advanced detection suites, automating workflows to increase productivity, only then can we make a real impact."

Key to the integration was accessing the Integrated Cyber Defense Exchange (ICDX) data from Symantec. (Controlled Availability) These days, cyber attacks are sophisticated and the typical SOC analyst is always faced with trying to figure out, from disparate data sources, whether alerts are signs of attack or compromise. When our customers initially analyze alerts as part of the security investigation and response process, they want to be able to look at everything in their environment.

So having all the data from ICDX, customers can not only do things like observe what is going on in their environment, but also use other analytics to speed up incident response and investigations.

Using our Symantec-specific automation and orchestration playbooks for our Phantom SecOps Platform, security specialists can augment alerts with threat intelligence data, giving analysts more context to gauge the criticality of the alert. Potentially malicious binaries can be automatically sent to malware scanners to "detonate" the files and confirm their malicious behavior. And, customers can easily check all their endpoints for similar code by automatically comparing indicators of compromise.

The end result is a tool for security operations centers that, not only increases visibility, but speeds response. Last month at .conf18, our annual Splunk conference, Starbucks discussed how it utilized the Splunk and Symantec platform integration to allow them to respond to potential issues in minutes, rather than hours.

In addition, the integration can bring other benefits. One of the Splunk Phantom playbooks created by Starbucks automates the response to employees who find an URL blocked by the system. Taking these types of requests off the plate of security analysts helps reduce the daily noise that can otherwise distract them from focusing on security.

For the first time, Splunk and Symantec users have a simple way to access the data provided by the plethora of security tools and bridge the gap between two vendors' products. In the past, companies had to deal with each product as a separate feed. Our integration with Symantec allows companies to access all their security information through a simple set of apps.