Written By Charles Leaver CEO Ziften
We were a sponsor in Las Vegas for a terrific Splunk.conf2014 program, and we returned energized and raring to push our solution here at Ziften even further forward. A talk of particular interest was by Jose Hernandez, Security Solutions Architect for Splunk, titled “Using Splunk to Automatically Mitigate Risks”. If you wish to see his slides and a recording of the talk, please go to http://conf.splunk.com/sessions/2014
Using Splunk to assist with mitigation, or “Active Response” as I like to describe it, is a great idea. Having all of your intelligence data streaming into Splunk is very effective, whether it is endpoint data, outside threat feeds, or other sources; being able to act on that data truly closes the loop. At Ziften we have our effective continuous monitoring on the endpoint service, and being married to Splunk is something that we are truly extremely proud of. Pairing real-time information analysis with the capability to react and take action against events is a really strong move in the right direction.
Ziften has developed a mitigation action which uses the Active Response code that Splunk offers. There is a demo video included in this post below. As a proof of concept, we created a mitigation action within our Ziften App for Splunk. After the action is produced, its results can be observed and tracked within Splunk ES (Enterprise Security). This really is a major addition: users now have the ability to monitor and track mitigations within Splunk ES, which provides the major advantage of being able to close the loop and establish a history of your actions.
That Splunk is driving such an initiative delights us; it is likely to develop further, and we are committed to continuously supporting it and building on it. It is a really exciting time in the Endpoint Detection and Response area, and in my opinion the Active Response Framework built into Splunk will definitely attract a high degree of interest.
For any concerns regarding the Ziften App for Splunk, please send out an email to firstname.lastname@example.org