Implementing Splunk Adaptive Response to Streamline Real-Time IOC Reporting and Automate Remediation

Executive Summary

Without proper automated tools, it may take days or weeks after a potential security threat to gather and assess the pertinent data needed to verify and remediate the problem. The customer faced exactly this challenge when integrating threat intelligence into their products through Splunk. This required a reliable method to report malicious indicators detected in Splunk events directly to the customer gateway. In the absence of this capability, the customer could not effectively initiate key security measures like blocking, isolating, or quarantining threats to maintain a fully secure network environment.

Crest Data addressed these challenges by designing Adaptive Response actions in Splunk that enable quick threat comprehension and trigger automated workflows. Crest Data’s expert team implemented functionality that scans for malicious indicators and automatically creates CSV files containing the Indicators of Compromise (IOCs) and their metadata. These files are forwarded to numerous customer gateways for processing. This streamlined solution allowed end-users to enter real-time values using custom HTML forms, accelerating detection and response times by allowing the gateways to perform the required remediation actions.

About the Customer

The customer is a multinational provider of software and combined hardware and software products for IT security, including network security, endpoint security, cloud security, mobile security, data security, and security management.

Customer Challenge

In the case of a possible security risk, and without the help of appropriate automated tools, the process of gathering and analyzing the data needed to confirm and fix the problem can take days or weeks. The customer was facing the challenge of integrating threat intelligence into their product, specifically by using Splunk to detect and report malicious indicators.

The main challenge was to establish a means of reporting all the malicious indicators identified in the Splunk events to the customer gateway. The lack of such a capability prevented the customer from using its product to undertake critical, real-time security measures – such as blocking, isolating, or quarantining threats – in order to have a fully secure network environment.

Customer Solution

Crest Data worked with the customer to develop and deploy Adaptive Response actions within Splunk to automate threat detection and remediation. The solution relies on an Adaptive Response Framework, which triggers automated workflows that allow quick understanding of threats within the environment.

The major technical components of the solution include:

  • Malicious Indicator Scanning: Scheduled searches scan Splunk events for malicious indicators on a real-time basis.
  • Automated IOC Export: When indicators are found, an Adaptive Response action is triggered in Splunk to create a CSV file with the Indicators of Compromise (IOCs) and their metadata.
  • Multi-Gateway Integration: The solution can push such CSV files to multiple customer gateways at the same time.
  • Remediation Implementation: Once the file has been processed, the gateways automatically implement the required security measures, which may include blocking, isolating, or quarantining the detected threats.
  • Interactive Input Forms: Crest Splunk engineers added an “upload IOC” feature backed by a custom HTML form, allowing users to provide static values or information derived directly from search results.
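A Splunk custom alert (Adaptive Response) action script of the kind the components above describe, written here as an added example and not Crest Data's or the customer's code: Splunk runs the script with `--execute` and a JSON payload on stdin whose `results_file` is a gzipped CSV of the triggering search results and whose `configuration` holds the form parameters. The field names `ioc_value` and `ioc_type`, the `gateways` form parameter and the gateway transport are assumptions for illustration.

```python
import csv
import gzip
import io
import json
import sys

CSV_COLUMNS = ["ioc_value", "ioc_type", "first_seen", "source_search", "sid"]

# Constructed sample search results (not real output); note the duplicate and the empty value.
SAMPLE_RESULTS = [
    {"_time": "2024-01-01T00:00:00", "ioc_value": "198.51.100.7", "ioc_type": "ip"},
    {"_time": "2024-01-01T00:01:00", "ioc_value": "198.51.100.7", "ioc_type": "ip"},
    {"_time": "2024-01-01T00:02:00", "ioc_value": "bad.example.invalid", "ioc_type": "domain"},
    {"_time": "2024-01-01T00:03:00", "ioc_value": "", "ioc_type": "hash"},
]

def build_ioc_rows(results, search_name, sid):
    """One CSV row per unique, non-empty indicator, tagged with search metadata."""
    rows, seen = [], set()
    for r in results:
        value = (r.get("ioc_value") or "").strip()
        if not value or value in seen:  # gateways should not receive blanks or repeats
            continue
        seen.add(value)
        rows.append({"ioc_value": value, "ioc_type": r.get("ioc_type") or "unknown",
                     "first_seen": r.get("_time", ""), "source_search": search_name, "sid": sid})
    return rows

def rows_to_csv(rows):
    """Serialise rows in the fixed column order the gateway expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def parse_gateways(configuration):
    """Comma-separated `gateways` value from the HTML form (assumed parameter name)."""
    return [g.strip() for g in configuration.get("gateways", "").split(",") if g.strip()]

def push_to_gateway(gateway, csv_text):
    # Placeholder transport (assumption): production code would upload over HTTPS.
    sys.stderr.write("INFO pushing %d bytes to %s\n" % (len(csv_text), gateway))

def run(payload):
    """Entry point for Splunk's `--execute` invocation; returns the exported rows."""
    with gzip.open(payload["results_file"], "rt", newline="") as fh:
        results = list(csv.DictReader(fh))
    rows = build_ioc_rows(results, payload.get("search_name", ""), payload.get("sid", ""))
    csv_text = rows_to_csv(rows)
    for gateway in parse_gateways(payload.get("configuration", {})):
        push_to_gateway(gateway, csv_text)
    return rows

if __name__ == "__main__" and "--execute" in sys.argv:
    run(json.load(sys.stdin))
```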

Outcomes

The collaboration process between Crest Data and the customer led to a more responsive and automated security infrastructure, which provided the following main advantages:

  • Accelerated Threat Response: The solution enabled the client to develop a swift understanding of the threats through the use of an Adaptive Response Framework, which initiated automated workflows. This improved the speed of detection and response times, which might have otherwise taken days or weeks.
  • Automated Remediation: The integration also allows customer gateways to automatically process reported malicious indicators and execute important security measures, such as blocking, isolating, or quarantining the detected threats.
  • Improved Network Security: The network environment has been made safer with the capability to send malicious indicators that are detected in the Splunk events to the customer gateway.
  • Scalable Threat Management: The solution was configured to deliver Indicators of Compromise (IOC) information to multiple customer gateways in parallel, providing the same level of protection across the entire infrastructure.
  • Enhanced Operational Efficiency: Crest Splunk specialists made threat reporting easier through the provision of a custom HTML form, which allows users to easily submit identified IOCs and their metadata in a standardized CSV format.

About Crest Data

Crest Data is a data and AI-first product engineering and technology solutions provider with deep expertise in cloud and AI, cybersecurity, observability, data analytics, and workflow automation. In this case study, Crest Data applied its security automation and SIEM engineering capabilities to help the customer accelerate their threat response and automate remediation workflows across their network infrastructure. This was achieved through custom Adaptive Response actions, automated IOC metadata processing, and seamless security orchestration.

With 1,200+ experts and a track record of 5,500+ successful projects across 150+ global customers, and backed by strong partnerships with Google, AWS, Microsoft, Datadog, Dynatrace, ServiceNow, and NetApp, Crest Data delivers outcome-focused solutions that strengthen security, improve platform reliability, and enable sustainable digital growth.