Using orchestration tools with Splunk to automate the response to events of interest, and which use cases and log types you can support with AWS/cloud services as the data source.
Delivered as part of the Splunk User Group in Edinburgh in August 2017
The best security operation centers (SOCs) are built on efficiency and speed-to-response. But if you’ve ever worked in a SOC or on a security team, you know it’s tough to get your security systems, tools and teams to integrate in a way that streamlines detection, response, and remediation.
One of the most tedious tasks of all is cobbling together alert details to assess if a security event is a real threat, along with correlating data and coordinating the appropriate response.
That’s why security tools need to be connected, security processes need to be efficient, and as an industry we need to start working together. As new technologies arrive on the scene every day (IoT, BYOD and the continued virtualization of everything), security teams need a way to become more agile.
This is where security orchestration comes in. Orchestration is not a new term by any means. You’ve probably heard of DevOps orchestration, which automates infrastructure deployments by defining them as code (‘infrastructure as code’). Now it’s time to apply the same idea to security processes.
Orchestration is the process of taking a “simple” task and turning it into a workflow. The basic idea of a workflow is to take the task at hand, break it down into the smallest steps you can, add logic together with the input(s) each step needs, and produce an output: the result of that logic, an interaction with another system (a ticket, a notification, a revocation), or simply a Boolean verdict that the next step can branch on.
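As an added example, not part of the original talk or of any Splunk or AWS product, the following Python sketches that decomposition for one task that fits the AWS angle of the talk: triaging a Splunk-style notable event built from a CloudTrail ConsoleLogin record. The workflow is four named steps (parse, enrich, decide, respond), each with an explicit input and output, and it ends in a Boolean verdict plus a list of actions. The CloudTrail records, the corporate IP range and the action names are all constructed for illustration; the record field names follow CloudTrail’s documented JSON, the values are made up.

```python
"""Added example: one orchestration workflow written as explicit steps.
Task: triage a Splunk-style notable event from an AWS CloudTrail ConsoleLogin
record. Records, IP ranges and action names are constructed, not real data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Input to the enrichment step: corporate egress ranges, which a SOC would
# normally keep in a Splunk lookup. Hypothetical documentation range.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail records (field names as in CloudTrail, values made up).
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


@dataclass
class Alert:
    event_name: str
    user: str
    source_ip: str
    mfa_used: bool
    success: bool
    from_corporate_ip: Optional[bool] = None  # filled in by enrich()


@dataclass
class Verdict:
    is_threat: bool                                   # the Boolean output
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)  # the interactions


def parse_event(record: dict) -> Alert:
    """Step 1: reduce the raw record to the fields the workflow needs."""
    identity = record.get("userIdentity", {})
    return Alert(
        event_name=record["eventName"],
        user=identity.get("userName") or identity.get("arn", "unknown"),
        source_ip=record["sourceIPAddress"],
        mfa_used=record.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        success=record.get("responseElements", {}).get("ConsoleLogin") == "Success",
    )


def enrich(alert: Alert) -> Alert:
    """Step 2: add context, here a lookup of the source IP against corporate ranges."""
    try:
        ip = ipaddress.ip_address(alert.source_ip)
        alert.from_corporate_ip = any(ip in net for net in CORPORATE_RANGES)
    except ValueError:
        # CloudTrail may put "AWS Internal" or a DNS name in sourceIPAddress.
        alert.from_corporate_ip = False
    return alert


def decide(alert: Alert) -> Verdict:
    """Step 3: the logic. Returns the Boolean plus the reasons behind it."""
    if alert.event_name != "ConsoleLogin" or not alert.success:
        return Verdict(is_threat=False)  # out of scope for this workflow
    reasons = []
    if not alert.mfa_used:
        reasons.append("console login without MFA")
    if not alert.from_corporate_ip:
        reasons.append(f"login from non-corporate IP {alert.source_ip}")
    # Both findings together escalate; either one alone is a ticket, not a page.
    return Verdict(is_threat=len(reasons) == 2, reasons=reasons)


def respond(alert: Alert, verdict: Verdict) -> Verdict:
    """Step 4: map the verdict onto the actions an orchestration tool would fire.
    Action names are hypothetical; each would be a call into the SOC's tooling."""
    if verdict.is_threat:
        verdict.actions = [f"open_incident:{alert.user}", f"notify_oncall:{alert.user}",
                           f"revoke_console_sessions:{alert.user}"]
    elif verdict.reasons:
        verdict.actions = [f"open_ticket:{alert.user}"]
    return verdict


def run_workflow(record: dict) -> Verdict:
    """The whole workflow: parse -> enrich -> decide -> respond."""
    alert = enrich(parse_event(record))
    return respond(alert, decide(alert))


if __name__ == "__main__":
    for record in CLOUDTRAIL_EVENTS:
        v = run_workflow(record)
        print(record["eventName"], record["sourceIPAddress"], v.is_threat, v.actions)
```

The point of splitting the task this way is that each step can be swapped or tested on its own: the lookup in `enrich` can become a real Splunk lookup or a threat-intel query, and the strings in `respond` can become calls into the ticketing, paging or AWS tooling, without touching the decision logic in between. Note the `except ValueError` branch: CloudTrail does not always carry a routable address in `sourceIPAddress`, and a workflow that crashes on that input is one that silently stops triaging.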