phantom automation broker

Search code, repositories, users, issues, pull requests...

Provide feedback.

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly.

To see all available qualifiers, see our documentation .

Splunk SOAR Connectors

• 76 followers
• https://www.splunk.com/soar

Splunk> SOAR

Welcome to the Splunk> SOAR Community! SOAR is Splunk's premier Security Automation, Orchestration, and Response ("SOAR") platform. With it, our customers can automate entire or partial workflows for their employees across an infinite number of use-cases.

This GitHub organization represents our efforts to open-source our SOAR Apps so our customers can look at how our code works, make improvements, and generally build a stronger community through the free exchange of ideas.

For more information on SOAR, please have a look at our pages:

• Splunk> SOAR product page
• SOAR Buyer's Guide

Splunk Slack Community

If you'd like to chat with fellow Splunk SOAR users, fill out our splunk-usergroups registration form and you'll be invited to our Slack community. Check out channels like #soar , #soar_app_dev , and #soar-app-changes .

Reporting Issues

If you've found a problem with an app but don't want to contribute a fix, that's ok! All you need to do is go to the Issues section of the app repo and click 'New Issue'. The page that appears will show our convenient issue templates. However, if the app doesn't have an Issues page, that means you need to submit a bug report via Splunk Support .

All you have to do is fill out the form...

...and our community will be able to help review and propose fixes.

Of course, you should definitely check if there is already an open issue and if so, add a thumbs-up reaction to it for visiblity.

Feature Requests

Have a feature or an app you'd like to see in SOAR? Head over to the Splunk Ideas portal to make your voice heard! Voting and sharing new ideas is a great way for us to see what's in demand.

Contributing

If you would like to contribute to our Apps directly, please have a look at our Contribution Guide

Legal and License

All SOAR Apps in this GitHub organization are licensed under the Apache 2.0 license. Please see LICENSE file and CONTRIBUTING documentation for further details.

Certain SOAR Apps may include third-party open source subcomponents with separate copyright notices and license. Your use of the source code for these subcomponents is subject to the terms and conditions of the corresponding license(s) contained in the respective subcomponent directory or source file(s).

Some repositories within this organization include binary (non-source code) blobs obtained from https://pypi.org . These files are subject to separate license terms and conditions, which can be found in the corresponding project subdirectory located therein.

Stores default community health files for the organization

Repositories

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Most used topics.

Technology Focused Hub

Security Automation

In today’s fast-paced digital landscape, ensuring robust security measures is paramount. Organizations increasingly turn to automation to bolster their security efforts as threats become more sophisticated. In this blog post, we will explore the world of security automation, its benefits, and how it can revolutionize how we safeguard our digital assets.

Security automation is utilizing technology to streamline and enhance security processes. It uses advanced algorithms, machine learning, and artificial intelligence to automate security tasks such as threat detection, incident response, and vulnerability management. By harnessing the power of automation, organizations can significantly reduce human errors, improve response times, and gain valuable insights into potential risks.

Highlights: Security Automation

• The Role of an Integrated Platform. 

If you are only using scripting in the security automation world, it will only get you so far. Eventually, you will need a fully integrated platform with your security and network infrastructure. For secure automation, there are different types of platforms you can use. This post will address two different types.

Firstly, how Red Hat Tower can integrate and configure network and security devices—also, Splunk SOAR. The SOAR meaning is about abstracting complexity away with security-focused playbooks. This reduces repetitive work and the ability to respond to security events in a standardized way.

• Platform Examples

Backing up configs and collecting logs is only a tiny part of automation. Red Hat Ansible Tower and Splunk SOAR have new ways to reach the most advanced use cases. For security automation, Splunk Security with Splunk SOAR has a security-focused application consisting of specially crafted playbooks for every security requirement.

For example, you can check the domain and file reputation or create your own. On the other hand, Red Hat Tower Ansible Architecture allows you to securely reach and support the most edge use cases with increased portability using execution environments and automation mesh. In addition, you can securely bring automation to the edge with a certain overlay functionality.

Related: For additional pre-information, you may find the following post helpful:

• Cloud Native meaning
• SASE Definition
• A key point: Video for Ansible Tower and the use of templates

In the following video, we will go through the critical components of Ansible Tower and its use of Templates. Tower’s workflow and job templates can fulfill several security automation use cases. We will look at the different job template parameters you can use to form an automation job that you can deploy to your managed assets.

Ansible Tower Job Template

Back to basics: security automation.

We can apply our knowledge of automation to different scenarios and workloads that revolve around security. For example, when tedious and everyday tasks are automated, individuals doing those tasks can focus on solving the security problems they are dealing with. This enables a whole new way of looking at how we learn about security, how much we can store, process, and analyze log data (DFIR), and how we can keep applying security updates without interruptions (security operations).

Understanding Security Automation

At its core, security automation involves using advanced technologies and intelligent systems to automate various security processes. It enables organizations to streamline security operations, detect real-time threats, and respond swiftly and effectively. From threat intelligence gathering to incident response and recovery, automation is pivotal in strengthening an organization’s security posture.

Key Benefits of Security Automation

a) Enhanced Threat Detection: By deploying intelligent monitoring systems, security automation can swiftly identify and respond to potential threats in real-time. This proactive approach minimizes the risk of breaches and allows security teams to stay one step ahead of malicious actors.

b) Accelerated Incident Response: Manual incident response can be time-consuming and prone to delays. However, with security automation, incidents can be detected, analyzed, and remediated swiftly and accurately. Automated incident response workflows can help contain and mitigate security breaches before they escalate, reducing the impact on the organization.

c) Efficient Vulnerability Management: Identifying and patching vulnerabilities is critical to maintaining a secure infrastructure. Security automation tools can continuously scan networks, applications, and systems, providing organizations with real-time vulnerability assessments. This enables security teams to prioritize and address vulnerabilities promptly, reducing the window of opportunity for potential attackers.

Overcoming Challenges and Implementation Considerations

While security automation offers numerous advantages, there are some considerations to consider. Organizations must carefully evaluate their existing security infrastructure, define clear objectives, and select the appropriate automation tools and technologies. Additionally, ensuring adequate training and collaboration between security teams and automation systems is essential to maximize the effectiveness of the automation process.

Continuous Adaptation and Updates

As cyber threats evolve, security automation solutions must stay up-to-date to counter new attack vectors effectively. Regular updates and continuous monitoring are necessary to ensure that automation systems are equipped to handle emerging threats.

Balancing Automation and Human Expertise

While automation brings numerous benefits, balancing automated security processes and human expertise is crucial. Human intervention is still essential for critical decision-making, advanced analysis, and addressing complex security challenges that may require contextual knowledge.

Security Automation: The World of Scripting

In the traditional world of security automation, it was common to use custom in-house automation frequently. As a result, we have a variety of self-driving scripting methods that solve specific short-term security problems. For example, for secure automation, you may need to collect logs from several devices for security. However, this is far from a scalable and sustainable long-term approach to an enterprise’s automation strategy.

With more self-maintained scripting tools and working in siloed, you are creating more security blind spots. With more point tools, you have to make more silos and potential security blind spots, which may trigger the adoption of more narrowly focused tools. The more tools you have, the less control over your environment that could easily open up the spread of lateral movements.

The need for a security platform

For example, look at lateral movements in an Active Directory (AD) network. Lateral movements are a real problem, with some advances in lateral movement techniques being performed using Metasploit, Impact, and PurpleSharp. However, it can be hard to detect that this is a bad actor or a sys admin carrying out daily activities.

Once the bad actor stealthily navigates the network with lateral movements, they can compromise accounts, find valuable assets, and gradually exfiltrate data. All of which can be unnoticed with a below-the-radar style of attacks. A favored vector is to use DNS as a method to exfiltrate data. Therefore, DNS often needs to be checked.

• SOAR meaning: A quick point.

In this case, you should integrate Splunk SOAR with User Behaviour Analytics (UBA) to detect deviations from the baseline. UBA works with unsupervised machine learning and builds profiles of entities on the network. Today’s attacks are distributed, and multiple entities are used to stage an attack.

An anomaly is sent once there is a significant deviation from normal entity behavior. Of course, an anomaly does not necessarily mean a threat. However, the anomaly can be combined with other network and infrastructure aspects to determine if a bad actor exists. So, for example, we would look at the time of day, frequency, or any other usual activity, such as privilege escalation techniques.

• A key point: Video on SOAR and SIEM from Splunk

In this product demonstration, we are going to address Splunk Security. Specifically, we will look at the Splunk SIEM and Splunk SOAR. Both of these products are well integrated and abstract a lot of complexity you have with security. We will first look at today’s challenging landscape that security teams face.

And how you can use Splunk Products to overcome these challenges. In today’s infrastructure, we have a lot of tools spread around that are not well integrated, which will decrease your security posture.

Introducing Splunk Security

Lack of Speed

Without integrated security tools with security automation and a lack of automated and orchestration processes. The manual response slows MTTR and increases the possibility of a successful threat. Bad actors can breach and exfiltrate data when the mean time to detect (MTTD) is too long.

So, the manual approach to detecting, triaging, and responding to threats must be faster. For example, Ransomware is quick; once the binaries are executed, it’s game over. It would help if you focused your efforts on the detection phase of the kill chain. And catch any lateral movements even when they pivot to valuable assets.

The Need for Security Automation

To address this challenge, you need a security solution to tie together its existing security products to reduce the response and remediation gap. In addition, these automation and orchestration events must be carried out across all its security vendors and consolidate response and remediation.

For secure automation, a unified and standard response to security can be made using pre-approved policies, consistently configuring resources according to pre-approved guidelines, and proactively maintaining them in a repeatable fashion.

Security-focused content collection

This provides a faster, more efficient, and streamlined way to automate the identification, triage, and response processes to security events. In addition, we can use security-focused content. In the case of Red Hat Tower, this comes in the form of collections of roles and modules dedicated to security teams.

Splunk SOAR also has secure-focused applications and content ready to use in the Splunk database. The pre-approved policies and playbooks of Ansible Tower and Splunk SOAR will reduce the chances of misconfiguration and speed up all aspects of security investigation.

Secure Automation and Orchestration

When a few waves of Malware target you, Phishing, Ransomware, and under-the-radar attacks, Automation and orchestration are the only ways to combat this. Security automation does most of the work, so you no longer have to weed through and manually address every alert as it comes in or process every security action or task.

Level of automation maturity

For example, the level of automation you want to adopt depends on the maturity level of the automation you already have in our environments. If you are new to automation, you can have SOAR or Tower playbooks send an alert for further investigation. So, you can start with a semi-automated approach.

However, if you are further in your automation strategy, you can have different playbooks chained together to carry out a coherent security detection and response. It’s easy to do this in SOAR with a playbook visualizer, and Ansible Tower has workflow templates that can be used with role-based access control.

Red Hat Tower: How to Start

In most organizations, we have IT operations and a security team. These teams have traditionally disjoint roles and responsibilities. The IT Operations are hardening systems, managing the infrastructure, and deploying and maintaining systems. The security operations team would track ongoing threats, Intrusion Detection/Prevention, and perform firewall management activities.

Ansible has a common language.

With these two disjointed teams, we can use Ansible as the common automation language for everyone across your organization. Specifically, Red Hat Tower can be the common language between security tools and can be used for various security use cases that can bring the two teams together.

Red Hat Tower: Security Automation

Red Hat Tower can orchestrate security systems using a series of curated security collections of modules, roles, and playbooks to investigate and respond to threats using trusted content. This enables you to coordinate your enterprise security systems to perform several security duties, such as investigation enrichment, threat hunting, and incident response.

So, you can integrate Red Hat Tower with your security infrastructure here. And have pre-approved playbooks ready to run upon threat detection. So, for example, a playbook can be automatically triggered on the results of a security scan. The following lists some of the use cases for Ansible Tower playbooks.

Secure Automation: Security Patching

You could start with patching. Having your servers patched is one of the biggest causes of breaches. Automated patching boosts system security and stability, improving uptime. And this will be noticed straight away.

Secure Automation: System Hardening

Then, activities such as system hardening are something everyone can do for all systems. With automation, we can rapidly identify systems that require patches or reconfiguration. Then, more easily apply patches or change system settings according to defined baselines in a consistent manner across a large number of systems. For example, make changes to your SSH config.

Here, you can use automation to configure the SSH daemon, not to allow authentication using an empty password. You can run these playbooks in check mode so those that don’t require full automation rights can run checks safely. Again, I would combine this with role-based access control.

Secure Automation: Network Configuration 

For network management, you can configure an ACL or filter to restrict ACL or filter management access to the device from only the management network. You can also use automation to lock down who has managed to access specific subnets.

Secure Automation: Firewall Integration

If an increase in incident management tickets is due to incorrect firewall rules causing an increase in change requests, aim to reduce the number of tickets or change requests through automation. For our Firewall integration, the role of automation can speed up policy and log configuration changes.

For example, we can add an allowlist entry in the firewall configuration to allow traffic from a particular machine to another.

We can have a playbook that first adds the source and destination IPs as variables. Then, when a source and destination object are defined, the actual access rule between those is defined. All can be done with automation.

Secure Automation: Intrusion Detection and Prevention Systems

Tower can simplify the rule and log management for your intrusion detection and prevention systems. Automation can be used to manage IDPS rules, and IDPS roles are offered. These roles can work with multiple IDPS providers, so the corresponding playbook needs to have a variable stating the actual IDPS provider. 

Once the role is imported, and this is the first step, the new IDPS rule is handed over via defined variables:

Secure Automation: Privileged Access Management (PAM) Tools

Ansible Tower can streamline the rotation and management of privileged credentials to automate the prevention. So we can streamline credential management, which is hard to do manually. 

Secure Automation: Endpoint Protection

Automation can simplify everyday endpoint management tasks, integrate into Endpoint Protection, and provide event-driven detection, quarantining, and remediation. 

Advanced Red Hat Tower Features

Job Templates vs. Workflow Template

When creating a job template, we choose a job or workflow template. We choose the job template if we want to be able to develop simple employment out of this template. However, creating more complex jobs composed of multiple job templates, with flow control features between one position and the next, is possible with a workflow template . This workflow template can also be integrated into your CI/CD pipelines and Jenkins.

Security Benefits

This makes it easier to have playbooks that are job templates from different teams. This is used in large environments, so multiple job templates are connected. Then, complex interactions between jobs can be defined in a workflow before the next job starts, depending on the previous position. Any inventory and any credentials can be used. So, it brings a lot of flexibility to automation.

In its multi-playbook workflows, the user can create pipelines of playbooks to be executed in sequence on any inventory using one or more users’ credentials. Security teams can configure a series of jobs that share inventory, playbooks, or permissions to automate investigations or remediations fully, bringing a lot of consistency and security benefits.

Ansible Tower and Scheduling

With Ansible Tower, we have Templates with the Launch feature; think of this as an ad hoc way to run Ansible for one of the tasks. However, if you are using Tower, you should use Schedules to control your automation better. For example, you may have a maintenance window when you apply changes. Here, we can set the times and frequency of playbook runs.

Scheduling this playbook in Tower will automatically refresh systems significantly out of spec, including calling back into Tower to apply our basic configuration once new instances are spun up with the provisioning callback feature. I find this useful for dynamic cloud environments.

• A key point: Ansible Tower For Beginners

In this product demonstration, we will review the critical components of Ansible Tower and its functionality, which is a considerable step up from the Ansible CLI you may have used with Ansible Core.

We will discuss the autonomy of an automaton job that shares similar objects when using the CLI but has considerable differences, such as Job Templates, better Credentials management, and inventory that you may have encountered with Ansible CLI and Ansible Tower Projects.

Ansible Tower for beginners

GitHub for Playbooks

GitHub is all about version control, so you can have multiple people on different types of code and review and merge changes. So, it’s all about managing change in your other environments. So when Red Hat Tower runs the playbooks, it checks the URL specified in your playbooks, and it’s here we can have multiple options that can enhance your GitHub integrations, such as webhooks and personal access tokens.

Benefits: Removes Inconsistency of Playbooks

This is an important feature to enable as if you don’t have it checked, there is the possibility that someone notices a problem in a playbook and fixes it, then they run the playbook feeling sure that they are running the latest version. Someone must remember to run the synchronization task before running the playbook, effectively running the older version. Therefore, when using this option, we are removing the inconsistency of playbooks . So, increasing your security posture is very important. A lot of security breaches first start with a simple misconfiguration.

SOAR for Automation: SOAR Meaning

SOAR Meaning

The difference bet ween that attack being a routine annoyance versus a catastrophic event comes down to the robustness of a product and the technologies you choose to adopt. Splunk has several products that can help you here—ranging from the Splunk SIEM to the Splunk SOAR. There are also several Observability products, all of which are well-integrated and can assist you with security automation. 

Customers can solve their primary SIEM use cases using Splunk Enterprise and Splunk Cloud, which are core Splunk platforms, providing collection, Indexing, search, and reporting capabilities. So, the Splunk SIEM collects or ingests the machine data and can make this available to the Splunk SOAR.

Splunk SOAR Meaning

Splunk SOAR drives accuracy and consistency in the incident response process. With SOAR, workflows can be orchestrated via integrations with other technologies and automated to achieve desired outcomes. Utilizing automation with Splunk SOAR can dramatically reduce the time to investigate malware alerts, driving accuracy and consistency across its incident response processes.

SOAR and Phantom

SOAR is the rebranding of Phantom but has multi-deployment options. Phantom was just on-premise, but now we have both delivery on-premises and on-cloud.  Consider SOAR as a layer of connective tissue for all security operations.

So, it needs to automate the decision-making and acting. SOAR can take proceeds and take them into playbooks so we can create complex security operation workflows.

So we have an extensive collection of security-focused SOAR applications that interact with the API of existing security and network infrastructure, such as your Firewalls, to support activities such as containment and recovery. We’ll talk about these in just a moment.

Automation Broker

We have an Automation Broker, a modified version of Splunk SOAR with reduced features, so it’s a reverse proxy for automation actions. The Automation Broker is a docker container that uses an encrypted and outbound connection from Splunk Cloud SOAR to the customer premises. It would help to open inbound ports to the perimeter firewall, as the communication is set outbound on the firewalls.

SOAR Meaning: Security-Focused Playbooks

Instead of manually going into other security tools and injecting data, enrich logs and carry out actions such as blocking or manual analysis intervention. SOAR playbooks can be used. You can have several security-focused playbooks that automatically carry out the tasks. The SOAR playbook can automate many repetitive duties. For example, you no longer have to respond manually to repetitive incidents. For example, you can have Splunk SOAR respond to malicious emails with playbooks. 

Actions based on the Playbooks

Then, we could have a list of actions based on playbook results. This could include additional investigation tasks or notifying users. Finally, when you want to push the boundaries of automation, we could have several steps to isolate or quarantine hosts depending on the results of the previous playbooks, which would be integrated with multi-factor authentication to ensure the action is appropriately authorized. 

Additionally, over 800 other security-related apps on Splunkbase with pre-built searches, reports, and visualizations for specific third-party security vendors. These ready-to-use apps and add-ons help monitor security, a next-generation firewall, and advanced threat management capabilities. You can even build your custom application, from monitoring and Observability to improving safety.

SOAR Meaning: SOAR Apps

So you are using many tools from many vendors, and when you respond, each one of these tools does a different event, and each tool does another function. Splunk integrates with all devices with API, and SOAR can directly integrate all tools to act in a specific sequence.

So it can coordinate all security actions by all means. So, with SOAR, you don’t get rid of your existing tools, but SOAR can sit in the middle of these tools and abstract a lot of complexity.

Think of Splunk as the conductor that supports over 350 apps. they have tools to build apps; you can create your own if it has an API. In addition, it can perform over 2000 actions. SOAR apps are Python modules that collect events from anything, SIEM, and then normalize the information and make them available to playbooks.

SOAR Meaning: Example: SOAR playbooks

So, we have a network-based sandbox to detect malware that can enter via email. So, an Alert is received from SIEM, sent to SOAR, and triggers a playbook. SOAR communicates back to SIEM to query Active Directory to identify who is there and which department, and based on that, SOAR can query Carbon Black to see how the threat lives.

Finally, the SOAR can notify an analyst to manually intervene and double-check the results. This could take 30 mins by hand, but SOAR can do it in 30 seconds. 

Let’s look at another SOAR playbook in action. A Splunk SOAR playbook is triggered when an email malware alert is received. Due to the lack of context in these alerts, Splunk SOAR’s first order within the playbook is to query the security information and event management (SIEM) solution for all recipients, then Active Directory to collect context from all affected users’ profiles, business groups, titles, and locations.

A key point: SOAR means with workbooks and phases

Another name for a playbook is the SOAR workbook. and Each workbook can have several phases, and each phase can have tasks to carry out our security actions. In this scenario, there will be one phase. And several playbooks in a single step. Some playbooks can be triggered automatically, and some are invoked manually.

Then, some are being gathered manually but will have prompts for additional information. These tasks will be semi-automatic because they can automatically import data for you and enrich events. Furthermore, they can import this data and enhance events from several platforms. 

Splunk and Lateral Movements

You can have playbooks to hunt for lateral movements. There are many ways to move laterally in active directory networks. For example, Psexec is a sysadmin tool that allows admins to connect to other machines and perform admin tasks remotely. However, what if psexec is used to gain a remote shell or execute a PowerShell cradle on a remote machine? When looking for lateral movement, we identify processes connecting remotely to a host.

To start a threat investigation, we could have a playbook to conduct an initial search for a known lateral movement activity. There is a wealth of information in Windows security logs. The playbook can look for authentication events over the network from rare or unusual hosts or users.

Event Window Code

For example, in a Windows event log, you would see a Windows event code for successful login, another log for a network connection, and another for privilege escalation events. Each event doesn’t mean much by itself but indicates a threat together. For example, here you can see that someone has used an admin account to connect over the network from a particular host and gained command-line access to a victim host.

Splunk SOAR’s visual playbook editor

Splunk SOAR comes with 100 pre-made playbooks, so you can start automating security tasks immediately and hunt for lateral movements. To simplify life, we have a Splunk SOAR visual playbook editor that makes creating, editing, implementing, and scaling automated playbooks easier to help your business eliminate security analyst grunt work.  

• SOAR Meaning: Splunk Intelligence Management (TruSTAR) Indicator Enrichment

Then, we have a Splunk Intelligence Management (TruSTAR) Indicator Enrichment. This playbook uses Splunk Intelligence Management normalized indicator enrichment, which is captured within the notes of a container, for an analyst to view details and specify subsequent actions directly within a single Splunk SOAR prompt for a manual response.

• SOAR Meaning: Crowdstrike Malware Triage

There is a Cowdstrike Malware Triage. This playbook walks through the steps performed automatically by Splunk SOAR to triage file hashes ingested from Crowdstrike and quarantine potentially infected devices.

• SOAR Meaning: Finding and Disabling Inactive Users on AWS Splunk SOAR’s

Then, there are playbooks specific to cloud environments. Finding and Disabling Inactive Users on AWS Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are available from your mobile device.

Conclusion:

In an evolving threat landscape, security automation emerges as a powerful ally. By embracing automation, organizations can bolster their security posture, improve incident response times, and minimize potential risks. However, it is crucial to approach security automation thoughtfully, considering each organization’s unique requirements and challenges. With the right strategy and implementation, security automation can revolutionize how we protect our digital assets, enabling us to stay one step ahead in the ongoing battle against cyber threats.

• Latest Posts

• Fortinet’s new FortiOS 7.4 enhances SASE - April 5, 2023
• Comcast SD-WAN Expansion to SMBs - April 4, 2023
• Cisco CloudLock - April 4, 2023

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on LinkedIn (Opens in new window)
• Click to share on WhatsApp (Opens in new window)
• Click to email a link to a friend (Opens in new window)

Comments are closed.

Privacy Overview

NetCraftsmen, a BlueAlly Company

• Consulting Projects
• Managed Services
• Outsourced IT Services
• Collaboration
• Blog – Business
• Blog – Technology
• Success Stories

Gigamon (and Splunk and Phantom) at NFD16

Gigamon and its partners Splunk and Phantom demonstrated improvements to network security at NFD16. APIs and integration between products from different vendors will be playing an increasing role in network security.

Network Packet Flow Analysis Without Negative Impact

Gigamon is known as a packet broker product. It is a network tap that monitors network traffic and forwards the traffic to network management and network security tools. Gigamon, Splunk, and Phantom used this session to tell us about an integration between their products to increase network security.

Ananda Rajagopal of Gigamon kicked off the session by reviewing their model of handling network security. (See the recordings at Gigamon Presents at Network Field Day 16 .)

Gigamon’s starting premise is that preventing all security intrusions is impossible. I think that’s a realistic premise. To prevent all attacks, you have to cover 100 percent of your IT system’s vulnerabilities. That’s simply not possible. The approach that several vendors have taken is multipronged. Gigamon calls its system The Defender Lifecycle Model . It consists of prevention, detection, prediction, and containment (see graphic below).

Prevention is the standard function of applying basic security best practices to the network. Detection should be obvious—identifying threats, as they occur. The word prediction implies that it predicts a vulnerability; I think of it as simply the step between detecting a security event and the containment of that event. You can also think of it as the step that predicts what systems, protocols, network devices, and links will be affected. Finally, containment is the step of responding to the threat and taking actions to restrict or eliminate the threat.

Ideally, the sequence identified by the red arrows would run in near real-time such that, as a threat is detected, the affected systems are identified and containment actions are taken. Of course, automation is required to make it run in near real-time — particularly in the Gigamon model where some of the functionality is performed by products from other vendors.

Gigamon’s role in this model should now be clear. Detecting a threat is done by performing big data packet flow analysis. The source of the data is from Gigamon tap infrastructure. Instead of forwarding full packets, it can forward a subset of the packets using either NetFlow or IPFIX format. In the presentation, you’ll hear the company refer to it as packet metadata ; but it is really just full flow data feed. Using full flow data feeds is needed to perform complete network security analysis, especially when you consider that some attacks may be contained in just a few packets.

Gigamon talked about using the packet metadata for security analysis. There was some discussion about the wording. The company used the term ‘analysis,’ but my take on it was that its functionality is not so much analysis as it is extracting metadata from the packets — rewriting the data in a form that other tools can ingest. The value of a packet broker like Gigamon is that a hardware NetFlow platform can do full packet capture, not packet sampling that would result from running a collector on most network platforms.

Splunk is expanding its scope from log analysis to a security analysis system. I don’t think this could be done through log analysis alone. It needs multiple sources of data to be a good SIEM, and data from Gigamon is just one of the sources.

An interesting use-case by Splunk was to correlate an application internal failure with an unanswered customer call, and then a subsequent complaint on Twitter. Note: It wasn’t clear how much effort would have been required to create these associations for each individual call. It also was not clear how this example fit into the security theme, other than an example that demonstrates the type of complex associations that can be detected quickly.

During the presentation, Wissam Ali-Ahmad, lead solutions architect at Splunk, positioned Splunk as the central nerve center of a security alerting system. I can see that this might be a reasonable position, given most organizations are deploying multiple security analysis tools — each with their own logging and alerting systems. Centralizing the logs and alerts would certainly be an advantage.

Phantom is a security operations center product that focuses on reducing the time it takes to determine that a security event has occurred and to take action. The actions that the security staff would take are embodied in a set of playbooks that the automation system executes when an event is detected. The company’s system seems to be rule-based (based on Phantom’s internal description by Robert Truesdell). I wonder if it is working on machine learning technology. If not, it should.

Phantom seems to best fit into the prediction and containment phases of the Gigamon defender lifecycle model. An interesting example was to automate the process of investigating phishing email attacks.

The Defender Lifecycle Model sounds like an alternative to the Cisco Tetration data collection mechanism, covered in Cisco’s NFD16 session . What’s the difference? Gigamon relies on partners like Splunk and Phantom to do the “big data” analysis and perform actions on platforms from multiple vendors. Is it a viable alternative to Tetration? I’ll leave it up to you to decide which platform best meets your organization’s needs.

Leave a Reply

You must be logged in to post a comment.

Related Topics

• Blog: Understanding Brain Capture
• Blog: Edge Computing
• Blog: Networking Service Awareness
• Blog: Elisity Update: Version 15.0
• Blog: Forward Networks Gets Cloudy

• Shopping cart (0)

• Add to cart
• Sample order
• Request a quote
• Applikationen
• Produktübersicht
• Declaration of Conformity

MQTT broker on the DIN rail

The MQTT.box is a high quality Mosquitto MQTT broker for DIN rail mounting. It enables communication between network-capable automation components using MQTT protocol. Thanks to the second network interface data can also be made available for an additional network segment without allowing access from one network to the other.

The user management functionality lets devices located in the network to be authenticated with their own access data. With the additional configuration of an Access Control List (ACL) each user can be given "topic"-specific read and write authorization.

Interfaces:

• 2 x network

Management and connectivity:

• Startup using WuTility (three clicks and you’re done)
• Web-based management
• MQTT broker for the DIN rail
• User Management
• Access control via ACL (Access Control List)

Power supply:

• Screw terminal
• Phantom power using data pairs
• Power over unused wire pairs
• controlled shutdown when disconnecting from the power supply

Standards & more

• High noise resistance per EN 61000-6-2
• Low noise emission per EN 55032:2015 + A1 Cl. B, EN 61000-3-2 & EN 61000-3-3
• 5 year guarantee

Technical data

Connections and displays:.

• 2 x 100/1000BaseT Autosensing/Auto-MDIX, RJ45
• RJ45 network connection min. 1500 V
• Power over Ethernet (PoE) or
• 24 ... 48V DC (+/-10%) per screw terminal
• Plug-in screw terminal
• PoE Class 2 (3.84 ... 6.49W) and
• typ. 140mA @ 24V DC with external supply
• LEDs for System, Error and Network Status

Hard- and software

• Marvell 88F6820
• Flash: 4GB (eMMC)
• RAM: 1 GB (DDR3)
• BusyBox: v1.31.1
• Kernel: v5.4.110
• Mosquitto: v2.0.11

Housing and other data:

• Plastic housing with integrated DIN rail mount
• 105 x 22 x 75mm (L x W x H)
• approx. 100g
• -40 ... +70°C
• 0 ... 95% relative humidity, non-condensing
• Quick start manual

Accessories

Power supplies.

• Plug-in power supply, 24V / 500mA DC with Euro plug
• Power supply for DIN rail, 24V / 630mA DC (merchandise, 2-year manufacturer’s guarantee)

Mechanical Accessories

• Mounting bracket for wall mounting
• 19" DIN rail

* Our offering is intended only for commercial users. We will be happy to refer private end customers to trading partners through whom our products can be purchased.

• Wykrywanie podatności
• Weryfikacja podatności
• Edukacja pracowników
• Ochrona komunikacji z internetem
• Monitorowanie ruchu SSL/TLS
• Ochrona przed APT
• Aktywne wykrywanie włamań
• Zarządzanie incydentami
• Monitoring i diagnostyka
• Ciągłość działania aplikacji krytycznych
• Audyt i dokumentacja
• Troubleshooting
• Modelowanie i optymalizacja
• Zarządzanie IT
• Infrastruktura dostępowa
• Projekty cloud
• Riverbed AppResponse
• Riverbed Transaction Analyzer
• Riverbed NetProfiler
• Riverbed NetIM
• Riverbed SteelHead
• Riverbed Modeler
• Endpoint Central
• Passus StressTester
• Splunk Enterprise Security

Splunk Phantom

• Secure Endpoint
• Cisco Umbrella
• Secure Network Analytics
• Nessus Profesional
• Security Center
• Fidelis CyberSecurity
• Data Loss Prevention
• Endpoint Server Security
• Messaging Gateway
• SSL Visibility Appliance
• Security Analytics
• CORE Security
• Passus Proxy
• Ambience ICAP Broker
• Ambience CAS
• Ambience AV
• Ambience SWG Management Console
• Passus Analytics Platform
• Mira Security
• Webinaria Passus
• Nagrania z webinarów
• Materiały do pobrania
• Profil firmy
• Władze Spółki
• Grupa kapitałowa
• Dobre praktyki
• Dokumenty informacyjne
• Aktualności
• Polityka RODO

Splunk® Phantom jest rozwiązaniem typu SOAR (Security Orchestration, Automation and Response), które przyspiesza i upraszcza proces reagowanie na incydenty bezpieczeństwa. Przetwarzając 50 000 incydentów na godzinę umożliwia koordynację i automatyzację serii współzależnych działań związanych z bezpieczeństwem w obrębie złożonej infrastruktury. Zespoły ds. bezpieczeństwa mogą efektywniej realizować szeroki zakres funkcji SOC, takich jak zarządzanie zdarzeniami, współpraca między zespołami i raportowanie. Splunk Phantom integruje się z produktami Splunk Enterprise i Splunk Enterprise Security tworząc kompleksowe rozwiązanie do zarządzania bezpieczeństwem IT. Automatyzacja działania Security Operations Center Phantom usprawnia pracę zespołów SOC automatyzując wykonanie szeregu zadań i skracając ich realizację z godzin do sekund. Uwolnienie specjalistów IT od wielu powtarzalnych zadań pozwala skupić się na podejmowaniu decyzji w kluczowych z punktu widzenia organizacji kwestiach.  Playbooki Phantoma pozwalają na definiowanie przepływów pracy (workflows) zarówno za pomocą edytora wizualnego (nie są tu wymagane umiejętności kodowania) jak i  zintegrowanego z aplikacją środowiska programistycznego. Orkiestracja Phantom integruje istniejące narzędzia bezpieczeństwa zapewniając ich lepsze współdziałanie.  Koordynuje działania oraz przepływ informacji między zespołem SOC i systemami bezpieczeństwa, sprawiając, że każdy element obrony aktywnie uczestniczy w realizacji spójnej strategii przeciwdziałania zagrożeniom.  Zespół SOC może się skupić się na celach i strategii postępowania, podczas gdy platforma Phantom przekłada je na działania specyficzne dla danego urządzenia. Reagowanie na incydenty Phantom pomaga zespołom ds. bezpieczeństwa szybciej identyfikować zagrożenia i na nie reagować. Funkcje automatycznego wykrywania, śledzenia i reagowania na niebezpieczeństwa przyczynia się do minimalizacji okresu aktywności złośliwego oprogramowania, a tym samym poprawy wskaźnika MTTR - mean time to resolve.  Wykorzystanie aplikacji Phanton on Splunk Mobile pozwala na prowadzenie działań za pomocą urządzeń mobilnych i reakcję z dowolnego miejsca w dowolnym czasie. Co istotne, dane doyczące. konkretnego przypadku są przechowywane i udostępniane z jednego głównego repozytorium. Ułatwia to komunikację ze współpracownikami oraz przypisywanie zadań odpowiednim członkom zespołu.

Pobierz dodatkowe materiały

Masz pytania?

[email protected]

+48 695 444 803

Ta strona wykorzystuje pliki cookies w celu gromadzenia danych statystycznych. Ustawienia cookies można zmienić w przeglądarce internetowej. Korzystanie z tej strony internetowej bez zmiany ustawień cookies oznacza, że będą one zapisane w pamięci urządzenia. Więcej informacji >>