Amid a wave of high-profile cybersecurity breaches, vendors like Splunk are scrambling to polish their security orchestration tools for a growing audience.
This week, Splunk’s cloud-based security orchestration, automation and response (SOAR) tool expanded its low-code IT automation capabilities in an effort to broaden the product’s appeal in an IT market cluttered with relentless computer security threats. The new Splunk SOAR App Editor provides a centralized, low-code user interface where users can build and modify applications that orchestrate integrations with third-party tools. Previously, such custom applications could only be created by engineers familiar with the Python programming language and cloud-native infrastructure technology.
“The low-code / no-code approach is fundamental,” said Christopher Kissel, analyst at IDC. “Trying to do SOAR and then go get a Python expert doesn’t make sense. You have to be able to drag and drop or have prompts for different filters and fields.”
Low-code and no-code interfaces are particularly relevant as businesses migrate to the cloud and increasingly rely on remote work due to the COVID-19 pandemic while facing increased security threats, Kissel added.
“Last year, when people immediately had to establish workgroups to access VPNs and certain apps, and you couldn’t do it through a monolithic security operations center, it was a case of ‘important use for SOAR,’” he said. “Low-code and no-code [interfaces] give that speed and agility.”
Lockheed Martin puts Splunk SOAR at the service of IT automation
For a major Splunk SOAR customer, this speed and agility was put to good use by a DevOps team for security and non-security tasks.
Aerospace company Lockheed Martin Corp., based in Bethesda, Md., previously used a set of custom Python scripts to link Splunk SOAR, the ServiceNow IT service desk and Ansible IT automation software through AWS Lambda functions, so that infrastructure was updated automatically in response to Splunk monitoring alerts. It also used the integrations to automatically fix endpoint issues, such as failed Windows drivers on employee workstations, through a digital experience management utility called Tachyon.
“There was nothing wrong with that except [it took] 448 lines of code,” said William Swofford, cybersecurity systems engineer at Lockheed Martin, in a Splunk .conf presentation this week. “We had to be static for this use and use only – reusing that code would have been a bit difficult. We could have done it, but we should have done a lot of work to do it.”
However, with the new low-code Splunk SOAR App Editor, engineers at Lockheed were able to recreate these integrations through a drag-and-drop interface without writing any code, which allows the average enterprise technician to develop sophisticated IT automation workflows, according to Swofford’s co-presenter David Walker, chief architect at Lockheed.
Plus, other teams will be able to more easily reuse these custom apps for their own purposes, according to Walker.
“Code sharing, visual code, being able to reuse [things] quickly – that was the key,” he said. “Why recode when we can reuse?”
Splunk Security Tools Boost Analytics
The Splunk SOAR App Editor was one of several Splunk security product updates this week. Others included the first integration between Splunk’s security information and event management (SIEM) tool, Splunk Enterprise Security (SES), and intellectual property acquired with threat intelligence vendor TruSTAR in May. As of this week’s update, TruSTAR will send information and alerts to the SES user interface.
TruSTAR adds security analytics and automated anomaly detection that will allow Splunk’s SIEM to examine the behavior of individual users more closely in search of suspicious activity, according to IDC’s Kissel.
“It’s not integrated on their backplane for SES at the moment, but it’s supposed to be in the next edition,” Kissel said. “It normalizes and synthesizes information from threat intelligence flows, transforms it, and feeds it back to SIEM.”
The TruSTAR intellectual property will help SES remain competitive with new extended detection and response (XDR) products from vendors such as Elastic Inc. and Uptycs. Experts are still debating how the competition between SOAR, SIEM and XDR products will play out, but whatever technical category they end up in, security automation vendors face pressure to extend their functionality for monitoring endpoints and user behavior, Kissel said.
“We’re still trying to define XDR – it’s a bit tricky,” he said. “But if you’re thinking about… detection and response, fine-tuned alerts that reduce false positives and arrive at an indicator closer to compromise, Splunk brings it together through TruSTAR and [other acquisitions].”
Beth Pariseau, Senior Editor at TechTarget, is an award-winning computer journalism veteran. She can be reached at [email protected] or on Twitter @PariseauTT.