Written By Charles Leaver CEO Ziften
We were the sponsor in Las Vegas for a great Splunk.conf2014 show, we returned stimulated and raring to go to push on even further forward with our solution here at Ziften. A talk that was of specific interest was by the Security Solutions Architect for Splunk, Jose Hernandez. “Using Splunk to Automatically Reduce Risks” was the name of his talk. If you want to see his slides and a recording of the talk then please go to http://conf.splunk.com/sessions/2014
Making use of Splunk to assist with mitigation, or as I want to describe it as “Active Response” is an excellent idea. Having all your intelligence data flowing into Splunk is extremely effective, and it can be endpoint data, outside risk feeds etc, then you will have the ability to take action on this data truly completes the loop. At Ziften we have our effective continuous monitoring on the endpoint solution, and being married to Splunk is something that we are really extremely proud of. It is a truly strong move in the right direction to have real time data analysis coupled with the ability to respond and act against incidents.
Ziften have actually developed a mitigation action which utilizes the readily available Active Response code. There is a demo video included in this blog below. Here we were able to develop a mitigation action within our Ziften App for Splunk as proof of concept. After the action is created, results within Splunk ES (Enterprise Security) can be observed and tracked. This actually is a significant addition and now users will be able to monitor and track mitigations within Splunk ES, which offers you with the major advantage of being able to complete the loop and establish a history of your actions.
That Splunk is driving such an effort thrills us, this is most likely to progress and we are dedicated to constantly support it and make more progress with it. It is really exciting at the moment in the Endpoint Detection and Response area and the Active Response Framework built into Splunk being added will certainly promote a high degree of interest in my opinion.
For any questions concerning the Ziften App for Splunk, please send out an e-mail to firstname.lastname@example.org