May 2024 Update to the Corelight App for Splunk | Corelight

Security operations centers (SOCs) play a vital role in detection, containment and mitigation of today’s advanced cyber attacks. SoC teams are also responsible for proactively hunting for threats, and improving the organization’s overall security posture. Modern SOC analysts struggle with alert fatigue. A ceaseless flood of alerts, varying in severity and often inaccurately labeled, can inundate security analysts, obstructing their ability to sift through the noise and identify real threats amidst numerous false positives. This challenge is compounded by the sheer volume of information to process, making the extraction of relevant insights a Herculean task.

Today’s analyst experience is complex and overwhelming resulting in burnouts. Analysts want an improved experience and easier workflows that will enable them to focus on what matters when it comes to securing the enterprise.

Improving the analyst experience with contextual intelligence

Richer insights for enhanced network visibility
The updated Corelight App for Splunk offers enriched context to network visibility, empowering analysts at all skill levels. Central to this release is the Security Posture Dashboard, a robust overview of network activities emphasizing security posture, enabling quick assessments of encrypted vs. unencrypted traffic, DNS patterns, and remote activity trends. This “entry point” dashboard is instrumental in identifying potential security gaps and aligning practices with industry standards.

Insight Series: In-Depth analysis to extend security posture insights
The Insight Series, an extension of the Security Posture Dashboard, delves deeper into specific areas, providing nuanced understanding and actionable intelligence across three key modules:

1. Secure channel
Enhanced analysis of encrypted traffic
This module visualizes encrypted traffic patterns, aiding in the analysis of TLS/SSL protocols, certificates, and potential anomalies. It leverages additional details from Corelight Sensors, such as SSL/TLS analysis, including X.509 certificate data. Deep dive links facilitate a seamless transition from analysis to action, enhancing the capacity to respond to encryption hygiene and encrypted traffic threats.

2. Name resolution insights
Detailed DNS activity for proactive security measures
"Name Resolution Insights" provides a granular view into DNS activities, pivotal for uncovering and responding to potential security threats. This module builds on the foundational detection capabilities at the sensor level, where initial anomaly identification occurs. Here’s how the Splunk app further enhances these findings:

• DNS traffic analysis: This feature leverages sensor-detected DNS queries and responses, enriching them with additional metadata from the Splunk app to highlight unusual patterns that may indicate security threats.
• Malicious domain detection: While the initial detection of suspicious domains is handled by Corelight sensors, the Splunk app enhances these findings by integrating broader threat intelligence. This allows for a more comprehensive analysis and confirms the malicious nature of the domains, ensuring that analysts can act on reliable, corroborated data.
• Trend identification: The app plays a crucial role in visualizing long-term DNS query trends identified by sensors. By exposing and contextualizing these trends within Splunk, the app ensures that analysts do not overlook or underestimate potential issues, enhancing proactive security measures.

By enhancing the raw data with additional context and visibility, the Splunk app ensures that potential problems are not only identified but also acted upon efficiently by SOC teams with the right context.

3. Remote activity overview
Mapping and securing external network connections
The "Remote Activity Overview" module is specifically designed to focus on external connections such as RDP (Remote Desktop Protocol) and VPN (Virtual Private Network), which are common entry points for security threats. This module leverages Corelight's precise inferences about RDP and VPN traffic to expose potential threats hidden within these connections. Here’s a glimpse on how the module enriches security operations:

• Connection mapping: This feature visualizes all external connections to the network, providing a clear and comprehensive view of remote access patterns. It is crucial for identifying unauthorized access attempts or unusual remote activities.
• RDP and VPN analysis: By analyzing RDP and VPN traffic, the module detects and highlights suspicious behaviors and patterns. It uses Corelight's accurate inferences to identify potential security vulnerabilities and risks associated with these connections.
• Threat contextualization: By integrating Corelight’s detailed data and its powerful analytics packages, this tool sharpens the visibility of security threats. The module contextualizes each potential risk and detected threats within the network’s operations, making it easier for analysts to understand the impact and urgency of the security issues identified.

Additionally, this update to the Corelight App for Splunk groups events by combinations of these inferences. It provides a logical rationale for their significance, guiding analysts on what to focus on and where to direct their investigative efforts next. This structured approach helps in prioritizing response actions and enhances the overall security posture.

For deeper analysis, the Insight Series modules link to other dashboards that may provide further details to these and additional inferences. Alternatively, it guides the user to the native Splunk search, equipped with more contextual information. This empowers users to craft their own searches with a clear understanding of what to look for and where, significantly improving the efficiency and precision of security operations.

Conclusion: continuous improvement and advantages for security teams
The enhancements introduced in the Corelight App for Splunk are just the beginning of our commitment to continuous improvement of SOC analyst experience and security posture. By providing focused dashboards and deep insights, the updated app allows security teams to quickly understand network data implications, streamline event investigations, and upscale SOC capabilities.

These updates are part of a broader project which entails several new modules that will become the "de facto” tool in any modern SOC’s arsenal.

“Change your approach to cybersecurity using data you already trust!!!”

Download the new Corelight App for Splunk on Splunkbase today and experience a more efficient, insight-driven security workflow.