Splunk integration: A deep dive into the adaptive security architecture

Chris Morales
February 9, 2017

Integration decreases cost and increases effectiveness. For this reason, Vectra is adaptive by design. Everything we do considers how to help our customers be more efficient and faster at fighting attacks. Sometimes that means deciding where to deliver Vectra's threat intelligence beyond the Vectra platform itself. Working with Splunk is a great example of this integration.

According to Gartner, “The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them.”

The Vectra App for Splunk provides an extraordinary range of threat intelligence to the Splunk machine-data repository, including detections of unknown malware and attack tools, threats that hide in common apps and encrypted traffic, and in-progress threats in every phase of the attack kill chain.

Vectra also pre-correlates threat events to specific physical hosts to enable faster threat investigations and incident response. Splunk captures, indexes and correlates Vectra threat detection data in real time, making it available in a searchable repository where you can generate graphs, reports, alerts, dashboards and visualizations.

The Vectra App for Splunk brings all Vectra detections directly into the Splunk ES dashboards, allowing them to be easily integrated into existing security operational workflows.

Additionally, it allows security teams to easily correlate Vectra host and detection information with intelligence from other systems, such as URL filtering solutions and firewalls. A link back into the Vectra user interface allows for a seamless transition to drive prioritization and workflow.

Hosts ranked by risk

The Vectra solution automatically associates all malicious behaviors to the physical network host – even if the IP address changes – and scores the host in terms of its overall risk.

The Vectra App for Splunk provides an interactive dashboard that shows at a glance the number of hosts classified as critical, high, medium and low risk. These scores reduce the manual event-by-event triage analysts would otherwise have to do, and substantially improve time to respond.

Furthermore, drill-downs into each category in the Vectra App for Splunk redirect you to the host’s page and filter on that particular severity to help speed the investigation.

Visibility into threats across the kill chain

The Vectra App provides critical insight into specific threats as well as the progression of threats across the attack kill chain.

This visibility allows security teams to quickly distinguish opportunistic botnet behavior from the more serious targeted threats, and take action before data is stolen or damaged. Correlation rules pull additional context from other systems that integrate with the Splunk platform.

Correlation to other solutions

Vectra’s unique approach to detection allows security teams to detect threats that may have been missed by other solutions. The Vectra App for Splunk makes it easy to connect and correlate Vectra findings with other solutions.

The Vectra correlations page enables faster and deeper investigation into events by allowing security teams to correlate source and destination IP addresses from Vectra events with other events in Splunk.
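To make the two operations described above concrete, the host roll-up from "Hosts ranked by risk" (detections attributed to a host even as its IP address changes, then bucketed into critical/high/medium/low) and the IP-based correlation with firewall events described here, the following is an added example. It is illustrative code written for this page, not the Vectra App for Splunk or any Splunk or Vectra code. The detection JSON shape, the firewall key=value format, the detection labels, the severity thresholds and the 60-second match window are all assumptions; the page does not specify any of them.

```python
"""Correlate host-attributed detections with firewall events by IP address
and rank hosts by risk category.

Added example, not Vectra or Splunk code. Field names, detection labels,
risk thresholds and the match window are assumptions for illustration.
"""
import json
from collections import defaultdict

# Constructed detection records in a made-up JSON shape. Note that lab-ws-07
# appears with two different source IPs: detections are keyed by host, not IP.
DETECTION_LINES = [
    '{"ts": 1000, "host": "lab-ws-07",  "src_ip": "10.0.1.5",  "dst_ip": "203.0.113.10", "type": "encrypted-tunnel", "severity": 80}',
    '{"ts": 2000, "host": "lab-srv-02", "src_ip": "10.0.2.20", "dst_ip": "10.0.2.30",    "type": "internal-scan",    "severity": 30}',
    '{"ts": 4000, "host": "lab-ws-07",  "src_ip": "10.0.1.9",  "dst_ip": "203.0.113.10", "type": "remote-access",    "severity": 90}',
    '{"ts": 6000, "host": "lab-ws-11",  "src_ip": "10.0.1.40", "dst_ip": "198.51.100.7", "type": "botnet-beacon",    "severity": 55}',
]

# Constructed firewall log lines in key=value form (hypothetical format).
FIREWALL_LINES = [
    "ts=1005 action=allow src=10.0.1.5 dst=203.0.113.10 dport=443",
    "ts=2001 action=deny src=10.0.2.20 dst=10.0.2.30 dport=22",
    "ts=4010 action=allow src=10.0.1.9 dst=203.0.113.10 dport=443",
    "ts=9000 action=allow src=10.0.3.3 dst=198.51.100.7 dport=80",
]

# Hypothetical severity cut-offs: the page names the four categories but not
# the thresholds Vectra actually applies.
THRESHOLDS = (("critical", 80), ("high", 60), ("medium", 40))


def parse_detections(lines):
    """Each line is one JSON detection record."""
    return [json.loads(line) for line in lines]


def parse_firewall(lines):
    """Split 'k=v k=v ...' lines into dicts; ts becomes an int for time math."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = int(fields["ts"])
        events.append(fields)
    return events


def risk_category(score):
    for name, floor in THRESHOLDS:
        if score >= floor:
            return name
    return "low"


def rank_hosts(detections):
    """Roll detections up per host: highest severity seen, every IP the host
    has used, detection count and the resulting category, highest risk first."""
    by_host = defaultdict(lambda: {"score": 0, "ips": set(), "detections": 0})
    for d in detections:
        h = by_host[d["host"]]
        h["score"] = max(h["score"], d["severity"])
        h["ips"].add(d["src_ip"])
        h["detections"] += 1
    ranked = [
        {"host": host, "score": h["score"], "category": risk_category(h["score"]),
         "ips": sorted(h["ips"]), "detections": h["detections"]}
        for host, h in by_host.items()
    ]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def count_by_category(ranked):
    """The four numbers a risk dashboard would display."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for r in ranked:
        counts[r["category"]] += 1
    return counts


def correlate(detections, fw_events, window=60):
    """Attach firewall events whose src/dst pair equals a detection's
    src_ip/dst_ip and that fall within `window` seconds of the detection."""
    hits = []
    for d in detections:
        matched = [e for e in fw_events
                   if e["src"] == d["src_ip"] and e["dst"] == d["dst_ip"]
                   and abs(e["ts"] - d["ts"]) <= window]
        if matched:
            hits.append({"host": d["host"], "type": d["type"], "firewall": matched})
    return hits


if __name__ == "__main__":
    dets = parse_detections(DETECTION_LINES)
    ranked = rank_hosts(dets)
    print(count_by_category(ranked))
    for r in ranked:
        print(r)
    for hit in correlate(dets, parse_firewall(FIREWALL_LINES)):
        print(hit["host"], hit["type"], [e["action"] for e in hit["firewall"]])
```

The roll-up keys on the host identifier rather than the IP, which is why lab-ws-07 ends up with both of its addresses on one record and a single critical score rather than two separate medium-looking entries. The correlation step is deliberately strict (exact src/dst pair plus a time window); in a real Splunk search you would widen or narrow that join to match the volume of your firewall data.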

Webinar: Automatically correlate attacker behavior detections and Splunk events

Join Albert Caballero, chief information security officer for HBO Latin America, to learn how to automatically correlate real-time attacker behaviors detected by the Vectra cybersecurity platform with events in Splunk Enterprise.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.