Last week at Splunk .conf in Orlando, we were excited to give customers, partners and industry analysts an exclusive first look at our new Corvil Security Analytics App for Splunk.
Few Security Analysts would dispute that the packets flowing on our networks, if mined effectively, can be one of the richest data sources available. Unfortunately for most, it is too difficult to perform this mining effectively and translate the extracted data into actionable insights for advanced cyber protection.
Our new app streamlines many of the daily incident triage and investigation activities of security analysts. By bringing the power of Corvil’s streaming analytics and correlated endpoint data into Splunk, security analysts can get the information they need to act.
Here is a roundup of some challenges Security Analysts face during a typical investigation and how our app helps them know more with less effort (measured in mouse clicks), so they can get to doing something about it in less time.
| Security Analyst challenges | How our App simplifies the workflow |
|---|---|
| Can't determine what other hosts a specific host has communicated with in the last 7 days. Without this information it is difficult to explore suspected lateral movement from a specific host. | Simple (1 click): a new workflow action added to Splunk events, which returns summarised flow information (src, dst, application/protocol, bytes) for an IP taken from the event. |
| Can't fetch the full packets associated with a specific, identified suspect connection and its subsequent data transfer. This is needed in order to extract file artifacts and replay traffic to reconstruct the session. | Simple (1 click): a new workflow action added to Splunk events, which retrieves a PCAP containing the packets for just the specific suspect connection being investigated. |
| Don't have a clear, joined-up view of the attack chain across network and endpoint because the various tools and datasets are siloed. Specifically, it's a struggle to figure out which process launched a suspect connection that was observed on the network. | Automatic (0 clicks): Corvil has an API-driven integration with Carbon Black that identifies process-related metadata and enriches it with packet-related metadata, which then flows up to Splunk. |
| Can't reliably trace network traffic (even the likes of SSH) back to a user, rather than just a Src/Dst IP. Without a user perspective, it is difficult to effectively map out an attacker's movements on the network. | Automatic (0 clicks): Corvil uses various techniques to identify users and enrich that user context into its wire data. This enriched wire data then flows up into Splunk, enabling an analyst to search by username and get back a view of all of that user's associated network traffic. |
| While packets contain a lot of (very useful) multi-dimensional data, it's a little overwhelming to parse and navigate. Also, what if we want to go as far as taking action after we explore the data? | Simple (1 click): We know a picture can be worth a thousand words. Well, what about a dynamically created, interactive picture that shows a suspicious flow all the way from the internal host-based process to the external server? What if this same picture offered convenient options for further contextual data exploration and active response? You got it. |
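To make the enrichment the table describes concrete, here is an added example (not code from Corvil or the app) that joins constructed wire-data flow records with constructed endpoint connection records: it builds the 7-day peer summary for a host, attributes a network flow to the endpoint process and user that opened it, and then searches flows by username. The record shapes, the 5-second matching window and all sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample wire-data flow records (shape assumed, not real Corvil output):
# timestamp, src, src port, dst, application/protocol, bytes.
FLOWS = [
    {"ts": "2018-10-08T10:00:00", "src": "10.0.0.5", "sport": 49152, "dst": "10.0.0.9", "app": "SMB", "bytes": 120000},
    {"ts": "2018-10-08T10:00:30", "src": "10.0.0.5", "sport": 49153, "dst": "10.0.0.9", "app": "SMB", "bytes": 80000},
    {"ts": "2018-10-07T09:00:00", "src": "10.0.0.5", "sport": 50000, "dst": "203.0.113.7", "app": "SSH", "bytes": 4096},
    {"ts": "2018-09-25T09:00:00", "src": "10.0.0.5", "sport": 50001, "dst": "10.0.0.22", "app": "HTTP", "bytes": 512},
]
# Constructed endpoint network-connection records (shape assumed, loosely modelled
# on an EDR netconn event): which process and user opened a socket on the host.
NETCONNS = [
    {"ts": "2018-10-08T10:00:01", "host_ip": "10.0.0.5", "local_port": 49152,
     "remote_ip": "10.0.0.9", "process": "powershell.exe", "user": "CORP\\jdoe"},
    {"ts": "2018-10-07T09:00:02", "host_ip": "10.0.0.5", "local_port": 50000,
     "remote_ip": "203.0.113.7", "process": "ssh.exe", "user": "CORP\\jdoe"},
]
NOW = datetime(2018, 10, 8, 12, 0, 0)  # constructed "current time" for the 7-day lookback


def peers_for_host(flows, ip, now, days=7):
    """Table row 1: summarise (src, dst, app) -> total bytes for every flow
    that `ip` took part in during the last `days` days."""
    cutoff = now - timedelta(days=days)
    summary = defaultdict(int)
    for f in flows:
        if datetime.fromisoformat(f["ts"]) < cutoff:
            continue  # outside the lookback window
        if ip in (f["src"], f["dst"]):
            summary[(f["src"], f["dst"], f["app"])] += f["bytes"]
    return dict(summary)


def attribute_flow(flow, netconns, window_s=5):
    """Table row 3: find the endpoint process that opened a flow by matching
    host IP, ephemeral source port and remote IP within a short time window."""
    ft = datetime.fromisoformat(flow["ts"])
    for nc in netconns:
        same_socket = (nc["host_ip"] == flow["src"] and nc["local_port"] == flow["sport"]
                       and nc["remote_ip"] == flow["dst"])
        if same_socket and abs((datetime.fromisoformat(nc["ts"]) - ft).total_seconds()) <= window_s:
            return {**flow, "process": nc["process"], "user": nc["user"]}
    return {**flow, "process": None, "user": None}  # unattributed flow: worth a closer look


def flows_for_user(flows, netconns, user):
    """Table row 4: once flows carry user context, search them by username."""
    return [e for e in (attribute_flow(f, netconns) for f in flows) if e["user"] == user]
```

Flows that no endpoint record can explain come back with `process` set to `None`, which is itself a useful triage signal.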