Respond to Security Incidents in Splunk Faster
Most of us know there is a shortage of experienced SOC analysts. Even if you have permission to hire more analysts, you often cannot find them. So you need the analysts you do have focused on identifying and solving critical issues as quickly and efficiently as possible. On top of this, the sheer number of data breaches over 2019 and 2020 has shone a spotlight on the reality that companies lack the visibility they need to prevent attacks from happening.
What if you could give your analysts the alerts and visibility they need to detect and investigate attacks on corporate applications based on the behavior of users and accounts accessing those resources?
What could your SOC team achieve if they had the intelligence at their fingertips to identify whether, and when, something suspicious has occurred?
Let’s do a few thought experiments to see how this plays out if you had detailed access and user behavior intelligence from the Axis Security Application Access Cloud service.
You’re a large hotel group that has to be especially vigilant about data security to protect against data breaches, particularly in light of the breaches that others in the industry have recently suffered.
On a Tuesday morning, Thomas, a senior SOC analyst, gets an alert that there is an unusual volume of failed logins across multiple systems, including the application you use to book guests. This system collects PII such as credit card information, addresses, phone numbers, and names, so a breach has the potential to be very damaging.
In the past, Thomas would have had to manually import user activity logs from each individual enterprise application into your SIEM in order to search for activity indicating a breach. Now, Thomas receives the failed-login alert triggered by Axis and can instantly review the details of user and account requests for that application to determine whether there has been a breach and to understand exactly what happened. Because these logs were automatically integrated into Splunk from Axis, his incident response time and MTTR improve dramatically.
Thomas gets an alert about outbound traffic attempting to communicate with a C&C server. The incident in question originated from an SSH service account. Because he had Axis logs for that account, Thomas was able to determine whether there had been a breach, what activity had taken place, and which accounts were involved, and could quickly address the problematic SSH server.
Your company has just implemented new SQL database servers. Everything seems to be going smoothly until Thomas realizes that these new critical resources have an exploitable vulnerability.
In the past, Thomas would have had to manually scour the database and server logs for evidence of an exploit against this vulnerability, but now the Axis Security Splunk app does the heavy lifting for him. At the click of a button, Thomas can review Application Access Cloud data directly in his Splunk Enterprise environment. By reviewing the reporting dashboards and scanning logs in the Axis app, he was able to get practical event information on user and account requests associated with the vulnerable databases and determine whether there had been a security incident.
21st Century Problems, 21st Century Solutions
Not only does Axis help you securely connect users anywhere to the applications and resources they need to get work done, it also helps you protect those resources. With the Axis Security App for Splunk, you can boost your investigation and response effectiveness and maximize the capabilities of your current SOC analyst team. With this unique visibility into user and account behavior delivered automatically, investigating and mining for a potential breach is as simple as the click of a button.
Have questions? Learn more about the Axis Security App for Splunk or contact us to speak with one of our specialists.