ORLANDO – Splunk has announced both an overall broadening of its security portfolio and some new features for its core Splunk Enterprise Security product. The portfolio news is that Splunk has added Phantom, and the SOAR [security orchestration, automation and response] technology it acquired earlier this year, to its Splunk Enterprise Security SIEM and Splunk User Behavior Analytics [UBA], adding a remediation capability to the portfolio and completing the cycle of detection, investigation and remediation. The SIEM product news is the addition of a new event sequencing capability and a new Use Case Library. All these announcements were made at the Splunk .conf18 user conference here.
“I’m incredibly proud to announce Splunk Enterprise Security 5.2,” said Monzy Merza, VP Security Research at Splunk. “This year in April we welcomed Phantom to the Splunk family, creating a security nerve centre of a data platform with incredible analytics and operations layers.”
One new feature in 5.2 is event sequencing.
“Event sequencing looks at the threat from beginning to end to optimize threat detection, and determine subsequent lateral movement,” Merza said. It pulls content and context into the investigation level of the SIEM to create a better workflow.
“It also integrates with Phantom, and when the threat is sent there, Phantom executes a playbook using over 200 integrated apps,” Merza added. “It sends out a notification, and the admin can receive the alert in the mobile app, and approve a block for a user account being abused for lateral movement.”
Splunk Enterprise Security 5.2 also adds a new Use Case Library. It provides ready-to-use, actionable security content relevant to a customer’s security operations, as well as an automatic way to discover new use cases, such as adversary tactics, cloud security, abuse or ransomware.
“The big news in the security story though is really a ‘better together story’,” said Jon Rooney, Splunk’s VP of Product Marketing. “We have had the Enterprise Security SIEM for a long time, and it is an industry-leading product in a very established field. However, you also need other things for a full solution. UBA 4.2 handles unsupervised machine learning. A chronic problem in security is that many practitioner roles are unfilled because of a lack of skilled people, so companies want to leverage machine technology for lower level tasks. UBA finds threats and unusual behavior that a human would be able to find.”
New features in Splunk UBA 4.2 include user feedback learning, which enhances anomaly model scoring to improve severity and confidence in threat detection. Data ingestion performance has been improved by up to 2x. New single sign-on authentication support has also been added.
The addition of Phantom’s technology completes the end-to-end process, Rooney said.
“After you have found potential problems, Phantom lets you do something about them. UBA’s job is to find something that looks weird. Enterprise Security investigates it and determines if there’s a rule to handle it. Phantom lets you take remediative measures if it is determined that there is a problem. Phantom was an integration partner before we acquired them. They were a very fast-growing security company, who round out our portfolio and give us a much better resource in our Go-to-Market strategy.”
Splunk Phantom’s SOAR technology helps SOCs orchestrate tasks and automate complex workflows. The new version adds clustering support to help customers scale their operations to a level that Merza said had never been seen before, a new indicator view that gives analysts a threat-intelligence-centred way to perform investigations, and improved onboarding that has Splunk Phantom up and running within minutes of deployment.
Splunk ES 5.2 and Splunk UBA 4.2 will be generally available on October 16, 2018. Splunk Phantom is available for free download now.