Why Did Ziften And Splunk Create The Active Response Framework? – Charles Leaver

Written By Charles Leaver CEO Ziften

We were the sponsor in Las Vegas for an excellent Splunk.conf2014 show, we returned stimulated and chomping at the bit to push on even further forward with our servicen here at Ziften. A talk that was of particular interest was by the Security Solutions Architect for Splunk, Jose Hernandez. “Utilizing Splunk to Automatically Mitigate Risks” was the name of his presentation. If you wish to see his slides and a recording of the presentation then please go to http://conf.splunk.com/sessions/2014

Using Splunk to help with mitigation, or as I like to describe it as “Active Response” is a great concept. Having all your intelligence data streaming into Splunk is really powerful, and it can be endpoint data, outside risk feeds etc, and then you will be able to act on this data really completes the loop. At Ziften we have our effective continuous monitoring on the endpoint system, and being married to Splunk is something that we are really extremely proud of. It is a really strong move in the right direction to have real time data analysis combined with the ability to react and act against incidents.

Ziften have actually created a mitigation action which utilizes the available Active Response code. There is a demo video included in this blog below. Here we were able to develop a mitigation action within our Ziften App for Splunk as proof of concept. After the action is created, results within Splunk ES (Enterprise Security) can be observed and tracked. This really is a major addition and now users will have the ability to monitor and track mitigations within Splunk ES, which offers you with the major advantage of being able to complete the loop and develop a history of your actions.

The fact that Splunk is driving such an effort thrills us, this is most likely to progress and we are committed to continuously support it and make additional development with it. It is extremely exciting at the moment in the Endpoint Detection and Response area and the Active Response Framework integrated into Splunk being added will definitely promote a high degree of interest in my opinion.

For any concerns concerning the Ziften App for Splunk, please send an e-mail to sales@ziften.com

Leave a Reply

Your email address will not be published. Required fields are marked *