Splunk is a tremendous platform for ingesting machine-generated data. However, most organizations struggle with the volume of security events and notifications generated by Splunk.
Organizations usually pick one of two bad options:
- Take in all security alerts and somehow try to pick and choose what incidents to investigate while ignoring others.
- Reduce the number and/or type of security events created, which is the most common response. End users will increase alert thresholds, turn off security feeds, and restrict types of security events to arbitrarily reduce the number of incidents created.
When Splunk is integrated with the Advanced Threat Analytics Platform, you can seamlessly send hundreds of thousands of Splunk events, alerts, and logs every day. After you have downloaded the Advanced Threat Analytics Security Operations add-on for Splunk from Splunkbase, you are ready to use the integration.
The key technology component of the ATA Platform is our Alert Classification Engine that collects ALL security events from an organization and massively reduces the number of security events requiring investigation – in many cases by > 99.9%.
This is accomplished via multiple mechanisms:
- Human Supervised Machine Learning
- Orchestration integrations with security vendors to automate incident investigation completely
- Security Orchestration that simplifies the manual tasks typically performed by a security analyst during investigation
- Network effect from having a cloud-based multi-tenant system – ATA takes information learned from one customer and applies it to all other clients when applicable. 75% of triage decisions apply to multiple organizations regardless of size. It’s the number of organizations that is important, not the total number of endpoints.
Technologies like SIEM try to create rules to determine known bad – essentially the signature-based approach used by IDS and traditional anti-virus. It doesn’t work well and misses new attack methods.
ATA uses a security model that assumes every security event should be an incident unless it has previously been investigated and classified as “known good” or not requiring investigation. The network effect combined with the human-supervised machine learning enables the Alert Classification Engine to scale and increase its effectiveness as the number of customers and endpoints increases.