Threat information sharing is a weapon that security vendors and enterprises need to do more of to meet the rising amount of cyber threats, say experts. Splunk Inc. will shortly add a new feature to one of its security applications that allow more sharing of analytics with other users of its platform.
The announcement was one of several the company made Tuesday at its annual user group conference in Las Vegas.
The extensible analytics and collaboration capability will be part of the new Splunk Enterprise Security 4.0 (formerly Splunk App for Enterprise Security, a security information and event management solution), to be released Oct. 31
It “opens up the platform so anyone can built content for it” and with one click can be shared with others using SES, Monzy Merza, the company’s chief security evangelist, said in an interview.
So an analyst — or a Splunk partner — who creates a dashboard, correlation search, a summary, or a KPI can share it by selecting appropriate boxes in the suite’s Content Management page, then click an export button which creates a package that can be transmitted. The person receiving the package only has to click a button to install.
The capability will let SES users “extend their ability to disrupt breaches and defend themselves better,” Merza said.
There are also two other new features in SES 4.0:
–Investigator Timeline, for helping security analysts as they piece together the history of an event. They often have to assemble facts by scribbling notes on paper, in Excel spreadsheets while keeping several tabs open in a browser. “Its hard to keep context, hard to maintain that broader view of where I’m headed,” Merza said.
The Timeline allows security users to add any event to the chronology being assembled with a click;
–Investigator Journal, which tracks an analysts’ actions — what he saw onscreen, what he typed. It’s a capability for auditors, corporate counsel or human resources who might want to know how analyst came to a conclusion and see if proper procedures were followed, Merza explained. The analyst can use the record as a teaching instrument for others.
SES runs on top of Splunk Cloud or Splunk Enterprise 6.3, which analyzes data generated from networks, servers and applications, and is priced separately.
Also on Tuesday the company announced a new version Splunk User Behavior Analytics (UBA), an application that came from its US$190 million purchase of Caspida in July, which will enhance SES 4.0.
The existing version of UBA uses machine learning to look at spot changes in employee online behavior. The new version integrates with Splunk Enterprise Security 4.0 so alerts go into SES.
That will improve detection of cyberattacks and insider threats, Splunk [Nasdaq: SPLK] says.
The new version will also be released Oct. 31