First Look: Corvil Security Analytics App for Splunk

Graham Ahearne, Director of Product Management, provides a first look at our new app which brings the power of Corvil’s wire data directly into Splunk workflows and visualizations, for Security Analysts.

By Graham Ahearne | October 7, 2016 | Product

Last week at Splunk .conf in Orlando, we were excited to give customers, partners and industry analysts an exclusive first look at our new Corvil Security Analytics App for Splunk.

Few Security Analysts would dispute that the packets flowing on our networks, if mined effectively, can be one of the richest data sources available. Unfortunately for most, it is too difficult to perform this mining effectively and translate the extracted data into actionable insights for advanced cyber protection.

Our new app streamlines many of the daily incident triage and investigation activities of security analysts. By bringing the power of Corvil’s streaming analytics and correlated endpoint data into Splunk, security analysts can get the information they need to act.

Here is a roundup of some challenges Security Analysts face during a typical investigation and how our app helps them learn more with less effort (measured in mouse clicks), so they can get on with responding in less time.

Security Analyst challenge: Can’t determine what other hosts a specific host has communicated with in the last 7 days. Without this information it is difficult to explore suspected lateral movement from a specific host.
How our app simplifies the workflow (simple, 1 click): A new workflow action added to Splunk events returns summarised flow information for an IP taken from the event (src, dst, application/protocol, bytes).

Security Analyst challenge: Can’t fetch the full packets associated with a specific, identified suspect connection and subsequent data transfer. This is needed in order to extract file artifacts and replay traffic to reconstruct the session.
How our app simplifies the workflow (simple, 1 click): A new workflow action added to Splunk events provides single-click retrieval of a PCAP containing packets just for the specific suspect connection being investigated.

Security Analyst challenge: Don’t have a clear, joined-up view of the attack chain across network and endpoint because the various tools and datasets are siloed. Specifically, it's a struggle to figure out which process launched a suspect connection that was observed on the network.
How our app simplifies the workflow (automatic, 0 clicks): Corvil has API-driven integration with Carbon Black to identify process-related metadata and join it with packet-related metadata, which then flows up to Splunk.

Security Analyst challenge: Can’t reliably trace network traffic (even the likes of SSH) back to a user, rather than just src/dst IP. Without a user perspective, it is difficult to effectively map out an attacker’s movements on the network.
How our app simplifies the workflow (automatic, 0 clicks): Corvil uses various techniques to identify users and enrich its wire data with that user context. The enriched wire data then flows up into Splunk, so an analyst can search by username and get back a view of all of that user's associated network traffic.

Security Analyst challenge: While packets contain a lot of (very useful) multi-dimensional data, they are a little overwhelming to parse and navigate. And what if we want to go as far as taking action after we explore the data?
How our app simplifies the workflow (simple, 1 click): We know a picture can be worth a thousand words. Well, what about a dynamically created, interactive picture that shows a suspicious flow all the way from the internal host-based process to the external server? What if this same picture offered convenient options for further contextual data exploration and active response? You got it.
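The first and third challenges above (summarising a host's peers over a 7-day window, and joining a network flow back to the endpoint process that opened it) are the kind of triage an analyst otherwise does by hand. The following is an added example written for this page, not the Corvil app's or Carbon Black's code: it takes constructed flow records and constructed endpoint process records (field names such as `sport`, `host_ip` and `process` are assumptions) and shows the two joins the text describes, a per-peer byte summary filtered to the last 7 days, and a flow-to-process match on (source IP, source port, timestamp within a small tolerance).

```python
"""Added example (not Corvil's or Carbon Black's code).
Summarise a host's peers from flow records over a 7-day window and enrich
each flow with endpoint process metadata.  All records are constructed
sample data; the field names are assumptions, not a real export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, as a wire-data sensor might export them.
FLOWS = [
    {"ts": "2016-10-01T09:00:00", "src": "10.0.0.5", "sport": 51000,
     "dst": "10.0.0.9", "dport": 445, "app": "SMB", "bytes": 120000},
    {"ts": "2016-10-02T11:30:00", "src": "10.0.0.5", "sport": 51001,
     "dst": "10.0.0.12", "dport": 22, "app": "SSH", "bytes": 4800},
    {"ts": "2016-10-03T15:00:00", "src": "10.0.0.7", "sport": 40000,
     "dst": "10.0.0.5", "dport": 3389, "app": "RDP", "bytes": 9000},
    {"ts": "2016-10-04T08:00:00", "src": "10.0.0.5", "sport": 51002,
     "dst": "10.0.0.9", "dport": 445, "app": "SMB", "bytes": 80000},
    # Older than 7 days relative to the constructed "now" below: must be excluded.
    {"ts": "2016-09-20T08:00:00", "src": "10.0.0.5", "sport": 50000,
     "dst": "10.0.0.30", "dport": 80, "app": "HTTP", "bytes": 500},
]

# Constructed endpoint records (hypothetical EDR export): which process,
# running as which user, opened which local port on which host, and when.
PROCESSES = [
    {"ts": "2016-10-01T08:59:58", "host_ip": "10.0.0.5", "port": 51000,
     "process": "svchost.exe", "user": "alice"},
    {"ts": "2016-10-02T11:29:59", "host_ip": "10.0.0.5", "port": 51001,
     "process": "putty.exe", "user": "alice"},
    {"ts": "2016-10-04T07:59:59", "host_ip": "10.0.0.5", "port": 51002,
     "process": "unknown.exe", "user": "alice"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def summarise_peers(flows, ip, now, days=7):
    """Return {(src, dst, app): total_bytes} for every flow that involves `ip`
    (as source or destination) and started within the last `days` days.
    This is the "who has this host talked to?" pivot from a Splunk event."""
    cutoff = now - timedelta(days=days)
    totals = defaultdict(int)
    for f in flows:
        if ip not in (f["src"], f["dst"]):
            continue
        if _parse(f["ts"]) < cutoff:
            continue
        totals[(f["src"], f["dst"], f["app"])] += f["bytes"]
    return dict(totals)


def enrich_with_process(flows, processes, tolerance_s=5):
    """Attach process and user to each flow by matching the flow's source
    endpoint (src IP, source port) to an endpoint record whose timestamp is
    within `tolerance_s` seconds.  Flows with no endpoint record (e.g. from
    hosts without an agent) keep None so the gap is visible to the analyst."""
    enriched = []
    for f in flows:
        t = _parse(f["ts"])
        match = None
        for p in processes:
            if (p["host_ip"] == f["src"] and p["port"] == f["sport"]
                    and abs((t - _parse(p["ts"])).total_seconds()) <= tolerance_s):
                match = p
                break
        enriched.append({**f,
                         "process": match["process"] if match else None,
                         "user": match["user"] if match else None})
    return enriched


if __name__ == "__main__":
    now = datetime(2016, 10, 5)  # constructed reference time
    for key, total in summarise_peers(FLOWS, "10.0.0.5", now).items():
        print("peer summary:", key, total)
    for row in enrich_with_process(FLOWS, PROCESSES):
        print("flow", row["src"], "->", row["dst"], row["app"],
              "process:", row["process"], "user:", row["user"])
```

The peer summary keeps direction (src, dst) as part of the key, so inbound and outbound traffic with the same peer are listed separately, which is what you want when distinguishing a host being reached from a host reaching out. The process join deliberately uses the ephemeral source port plus a timestamp tolerance rather than port alone, since source ports are reused; widen `tolerance_s` only as far as your sensor and agent clocks actually disagree.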

Want to see our app in action? Check out the demo below.

Graham Ahearne, Director, Product Management, Corvil
Corvil is the leader in performance monitoring and analytics for electronic financial markets. The world’s financial markets companies turn to Corvil analytics for the unique visibility and intelligence we provide to assure the speed, transparency, and compliance of their businesses globally. Corvil watches over and assures the outcome of electronic transactions with a value in excess of $1 trillion, every day.