Splunk and ExtraHop integration helps SOC analysts streamline their workflow
ExtraHop has unveiled a new integration between Reveal(x), its network detection and response (NDR) platform, and Splunk SOAR. Using the Reveal(x) integration, Splunk SOAR users now have expanded visibility with packet-level insights from IoT to the cloud including unmanaged devices, legacy systems, and all network assets.
Users can correlate logs with network intelligence to gain a greater understanding of threats and more confidence in automation of tier 1 and tier 2 incident response.
Analysts and IT security managers receive thousands of alerts every day, many of which go uninvestigated for lack of analyst bandwidth. In fact, according to a research study by ESG, 27% of cybersecurity teams surveyed said they spend most of their time addressing cybersecurity emergencies rather than top-tier priorities, leaving them little time to work on strategy or process improvement.
Even more alarming, 23% said not being able to keep up with the workload contributed to security events in the past two years. Most security teams simply don’t have enough people staffed to stay on top of their workload and be effective.
SOAR platforms excel at streamlining data-gathering from multiple security tools into a single interface, but logs alone are not always reliable and can be inaccurate, disabled, or destroyed by adversaries. ExtraHop for Splunk SOAR enables security teams to enrich any SOAR playbook with high-fidelity data about detections, devices, network artifacts, or even full packet capture.
In addition, Reveal(x) covers more network-detectable MITRE ATT&CK techniques than any other NDR product, covering nearly 90%, including privilege escalation, lateral movement, exfiltration, and command and control.
“The network is a source of ground truth, difficult for an attacker to evade, and nearly impossible to turn off. As such, network traffic analysis offers an effective means to detect suspicious behaviors and potential threats with high signal and low noise,” said Jesse Rothstein, co-founder and CTO, ExtraHop.
“Our new integration with Splunk SOAR combines our rich, contextualized data with an advanced platform to enable defenders to prioritize alerts, accelerate investigation, and run trusted playbooks to ultimately stop threats faster,” Rothstein continued.
With strong expertise in attack detection, unusual behavior, and risk analysis, ExtraHop provides insights and full context analytics, powered by its cloud-based machine learning. Security analysts can respond to alerts that matter, and have everything they need to know about an incident automatically gathered before they start investigating.
“This integration between Splunk and ExtraHop helps overburdened SOC analysts streamline their workflow so they can leverage out-of-the-box playbooks to handle low level alerts and focus on orchestrating the response and forensics needed for the alerts that matter,” said Chris Kissel, research vice president, security and trust, IDC.
“A key benefit of integrating with ExtraHop is visibility into encrypted traffic. Encryption is vital for security and privacy, but it can be a double-edged sword when attackers use it to hide their actions. ExtraHop decrypts traffic and provides near real-time insights that are vital for SOC analysts to make faster decisions,” Kissel continued.
“Together, ExtraHop and Splunk significantly increase the visibility we have into our environment, and the integration between products reduces the amount of time it takes our analysts to address security threats,” said Dan White, network engineering manager, Ketchikan Public Utilities.