Splunk Lantern

Incident collaboration

Collaboration holds the key to improved time to detection and response, so teams within your organization can better address large-scale attacks as well as the regular daily stream of threats. Many organizations have a multitude of teams who need to collaborate well - the Security Operations Center (SOC), Incident Response (IR), Risk Management, Vulnerability Management, Endpoint and Network teams - and potentially more. All these teams need to not only collaborate well within themselves but also across teams for the collective good, ultimately improving the security posture of your organization.

Collaboration in Splunk Enterprise Security

Splunk Enterprise Security aids collaboration among security analysts as well as other teams. The Splunk Enterprise Security Investigations dashboard allows analysts to view, assign, and work an investigation from within the Splunk interface. All investigative actions are recorded and documented and can be shared with team members and management.

There are two different types of collaboration which Splunk Enterprise Security can encourage:

  • Active collaboration. Working with someone to produce something.
  • Passive collaboration. Sharing information that at some point will further another person’s work.

Active collaboration

This form of collaboration focuses on engaging with another person to accomplish a shared goal through tasking and coordination. It’s what typically comes to mind when we think of collaboration, but traditionally has been extremely difficult and time-consuming for security professionals to do. Most security operations or investigations are chaotic, as teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed so investigations take longer, hit a dead-end, or key information falls through the cracks. 

What’s needed is a single collaborative environment that fuses threat data, evidence, and users, so that all team members involved in the investigation process can collaborate. In an active collaboration environment:

  • Teams have visibility into how the work of others impacts and further benefits their own work.
  • Managers also have visibility into the analysis, which allows them to manage when and how they need to be coordinating tasks between teams, while monitoring timelines and results.
  • Teams work together on investigations so they can more effectively mitigate risk.
  • Coordinated efforts on investigation and remediation can continue longer than a typical work day because hand-offs across teams and timezones are seamless. 

Passive collaboration

The core component of passive collaboration is information sharing. Often, when one team member researches an event or alert and doesn’t find information that is relevant to them, they put that information aside and move on to the next task. Or, after taking action on information, they might consider it no longer important or worth sharing. Information sharing requires letting go of assumptions that if something isn’t relevant or no longer important it can be discarded. That information could still be important to someone else working in a different context.

Sharing information across teams to take advantage of potential synergies is complex because security teams are organized into silos and each uses its own tools. However, a central repository that contains all global threat data, augmented and enriched with context from internal threat and event data, has many benefits.

  • Individual team members and different security teams can access the intelligence they need to do their jobs as part of their workflow.
  • Collaboration becomes more natural and little additional effort is required to actively share or directly communicate amongst teams.
  • As team members use the repository and update it with observations, learnings, and the documentation of investigations, they get consistent threat intelligence.
  • The repository can serve as a centralized memory to facilitate future investigations.
  • Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and reduce the window of exposure and breach.

Improved collaboration

Both active and passive collaboration improve how teams and team members detect and respond to threats. For example, in most security operations it’s fairly standard practice that when the SOC detects something malicious, it pushes the indicator to the IR team to manage. But with better active and passive collaboration, the SOC shares the indicator with all the security operations teams for deeper investigation and correlation with other activities. The endpoint and perimeter teams can check hashes and reputation lists to block anything that is known to be similar to or associated with the attack campaign. Teams can also conduct retrospective analysis to see if an attack is in progress or a breach has already occurred, and quickly take steps to mitigate risk.
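The following is an added example, not code from Splunk Lantern or Splunk Enterprise Security, that models the central repository described in the passive-collaboration section and the indicator-sharing flow described above: the SOC shares indicators with context, the endpoint team annotates them and adds a related one, any team can pull a blocklist, and a retrospective search runs the whole repository over historical log lines. The class names, team names, the campaign label, the hash, and every log line are constructed for the example; the addresses and domains use reserved documentation ranges.

```python
"""Shared indicator repository with retrospective search (constructed example,
not Splunk ES code). All indicators, teams, campaign names and logs are made up."""
import re
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str            # hash, IP address or domain (stored lower-case)
    ioc_type: str         # "sha256", "ip" or "domain"
    source_team: str      # team that first shared it
    campaign: str         # label that links related indicators
    confidence: int       # 0-100, set by the sharing team
    notes: list = field(default_factory=list)  # observations added by other teams


class IndicatorRepository:
    """Single source of truth that every team reads from and writes to."""

    def __init__(self):
        self._indicators = {}

    def share(self, indicator):
        # Normalise case so a hash or domain matches however it was logged.
        indicator.value = indicator.value.lower()
        self._indicators[indicator.value] = indicator
        return indicator

    def annotate(self, value, team, note):
        # Any team can record context without taking ownership of the indicator.
        ind = self._indicators[value.lower()]
        ind.notes.append(f"{team}: {note}")
        return ind

    def lookup(self, value):
        return self._indicators.get(value.lower())

    def blocklist(self, ioc_type, min_confidence):
        # What an endpoint or perimeter team pulls to block known-bad values.
        return sorted(i.value for i in self._indicators.values()
                      if i.ioc_type == ioc_type and i.confidence >= min_confidence)

    def retrospective_search(self, log_lines):
        """Return (line_no, value, ioc_type, campaign) for each indicator seen in the logs."""
        token_re = re.compile(r"[A-Za-z0-9.\-:]+")
        hits = []
        for line_no, line in enumerate(log_lines, start=1):
            seen = set()  # report each indicator once per line
            for tok in token_re.findall(line):
                ind = self.lookup(tok)
                if ind is not None and ind.value not in seen:
                    seen.add(ind.value)
                    hits.append((line_no, ind.value, ind.ioc_type, ind.campaign))
        return hits


# Constructed historical log lines from firewall, endpoint and DNS sources.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z src=10.1.4.22 dst=203.0.113.7 action=allowed bytes=8812",
    "2024-05-01T09:15:41Z host=ws-17 event=process_start "
    "sha256=0f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a69780f1e2d3c4b5a6978",
    "2024-05-01T09:16:02Z host=ws-17 dns query=updates.example.com answer=198.51.100.4",
    "2024-05-01T09:20:55Z host=ws-23 dns query=cdn-metrics.invalid answer=203.0.113.7",
]


def run_collaboration_flow():
    """Walk through the sharing flow and return the repository plus retrospective hits."""
    repo = IndicatorRepository()
    # 1. The SOC shares what it detected, with context, instead of handing it to IR alone.
    repo.share(Indicator("203.0.113.7", "ip", "SOC", "campaign-x", 90))
    repo.share(Indicator("0F1E2D3C4B5A69780F1E2D3C4B5A69780F1E2D3C4B5A69780F1E2D3C4B5A6978",
                         "sha256", "SOC", "campaign-x", 80))
    # 2. The endpoint team enriches the entry with what it saw on its hosts.
    repo.annotate("203.0.113.7", "Endpoint", "seen as DNS answer on ws-23")
    # 3. It also shares a related indicator it found, tagged with the same campaign.
    repo.share(Indicator("cdn-metrics.invalid", "domain", "Endpoint", "campaign-x", 70))
    # 4. Retrospective analysis: was any of this already present in older logs?
    hits = repo.retrospective_search(SAMPLE_LOGS)
    return repo, hits


if __name__ == "__main__":
    repository, matches = run_collaboration_flow()
    for hit in matches:
        print("line %d: %s (%s) -> %s" % hit)
    print("sha256 blocklist:", repository.blocklist("sha256", 75))
```

The point of the design is that the repository, not a person, is the hand-off: the hash the SOC pasted in upper case still matches the lower-case value in the endpoint log, the endpoint team's note stays attached to the IP for whoever looks at it next, and the retrospective search finds the earlier firewall connection to 203.0.113.7 that nobody had flagged at the time.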

Ultimately, to improve security posture, teams must share information and engage with each other.