Given all the powerful tools an organization can deploy as part of an effective SecOps arsenal, we are left wondering if there can be too much of a good thing.
To improve security operations of these many tools – and the alerts they generate – SIEMs are what many of us rely on to centrally manage security through a "single pane of glass" as the cliché goes.
Teams rely on their SIEM for insights from across their entire security posture for a few key reasons. First, they quickly identify serious threats the organization may face. Second, it allows for reduced investigation times in getting the relevant context and detail about attacks. And third, it lets teams respond faster with more automated actions and workflows.
With this being the case, vendors must offer clean integration with SIEMs to make life easier for security teams.
For this reason, Illumio has a deep integration with Splunk. Joint customers better understand their security posture and can respond to attacks in a few clicks. The Illumio integration uses intuitive and carefully crafted visualizations so teams can see and understand what is happening in a glance and respond in a click. With Splunk and Illumio, we let teams know what machines may be compromised in the data center or if there is a deficient segmentation policy.
However, being able to answer these important questions is just the beginning of the benefits of our Splunk integration:
Know where to put valuable team resources: Event alerts plainly highlight the security events that are occurring so teams know what assets may be impacted – and where to respond immediately.
Know if segmentation is secure: Experienced attackers may attempt to tamper with firewalls and segmentation settings to gain access to data. For this reason, we show you how secure your segmentation is by highlighting firewall tampering attempts in iptables or Microsoft WFP (Windows Filtering Platform). This shows you immediately if a server is attempting to gain illegal privileges or bypassing security policies.
See attempted attacks in progress: In an attack, lateral movement is often preceded by port scans. While they are not inherently bad, port scans often indicate someone is conducting reconnaissance to see where they can move internally. Our integration highlights port scans to know immediately that there is suspicious activity indicating an imminent attack.
See what machines are acting suspiciously: Our clear visualization of top blocked traffic by host so you know quickly if a host is being attacked. Additionally, this visualization can also tell you if the host segmentation policy is wrong, resulting in unexpected blocked traffic.
Perfectly thread the needle between business and secops: In one glance, you’ll know about any potentially blocked traffic before pushing policies into enforcement. This means you’ll easily confirm segmentation policies before going live to ensure you do not break the business application you are trying to protect.
Investigate fast: When investigating a workload exhibiting abnormal behavior, you’ll want to immediately discover what the problem is. All workload details, traffic events, and audit events are brought together into a single view, reducing the amount of investigative legwork involved.
Stop attacks in a click: Our integration delivers crisp security visibility in Splunk, but just as importantly, it also allows teams to take action. You can quarantine suspicious workloads that directly from Splunk in a single click.
Create alerts with a few clicks: Creating alerts requires teams to master syslog messages, understand their content, as well as context, deeply and then create regular expressions. With a graphical interface that allows users to create new alert configurations for the most critical Illumio PCE-generated messages, users can quickly leverage alerting from Splunk to help with administering their Illumio deployment.
We'll take a closer look at the features of our Splunk integration in another blog post, so sit tight.