Splunk Tech Talks
Deep-dives for technical practitioners.

Operationalizing TDIR: Building a More Resilient, Scalable SOC

DayaSCanales
Splunk Employee


Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response (TDIR).


Key Takeaways:

  • Automation: Reduce manual effort and alert fatigue through operationalized automation.
  • Context-Driven Insights: Gain visibility across hybrid environments for more effective investigations.
  • Data-Enriched Prioritization: Use asset, identity, and threat intelligence to focus on high-priority incidents.
  • Modernizing Workflows: Improve legacy SOC processes without replacing existing tools.

This session offered actionable steps to enhance SOC efficiency, empower analysts, and stay ahead of evolving threats.


LesediK
Splunk Employee

Here are a few more resources you may find interesting, enjoy!

The SecOps Handbook to TDIR: Discover how to pare down systems and integrate tools across your enterprise environment.

Blog Posts

Lantern: Automate complete TDIR life cycle

DayaSCanales
Splunk Employee

Here are a few top-of-mind questions from the live Tech Talk:


Q. What approach would you take to entice a client who is still resistant to switching to a risk framework?

A. The approach would highlight how risk-based alerting saves analysts' time by grouping different basic alerts into risk-based findings, allowing them to focus on critical alerts and deep-dive into more important investigations instead of reviewing hundreds of basic alerts daily.


Q. Can the AI assistant be leveraged to lower false positives, and if so, how?

A. Yes, the AI assistant can help identify different types of false positives by analyzing trends within alerts generated by detections, with the right prompts.


Q. For intelligence, does Splunk use Cisco Talos?

A. Yes, whenever a client gets a Splunk Enterprise Security license, they receive Cisco Talos integration for free, allowing them to use enrichment information from Cisco within Splunk Enterprise Security.


Q. Can Splunk use most threat intelligence feeds?

A. Yes, even though Cisco Talos integration is included for free, Splunk can integrate with many other threat intelligence feeds, such as VirusTotal and IBM X-Force Exchange.


Q. Is Cisco Talos the only intelligence platform they use, or are there others too, like CrowdStrike intelligence?

A. No, while Cisco Talos integration is included out-of-the-box and for free with a Splunk Enterprise Security license, Splunk can integrate with many other security intelligence feeds. Examples include VirusTotal and IBM X-Force Intel.


Q. What are some of the primary connectors in SOAR that are most impressive for a SOC to use?

A. The most impressive connectors in SOAR depend on the specific use case and organizational needs. However, key examples highlighted include the Cisco Talos connector for automatic enrichment of investigations and findings, VirusTotal for threat intelligence, and connectors for ticketing systems like ServiceNow or Jira, which can automate tasks such as opening new tickets for investigations.


Q. Does EDR (Endpoint Detection and Response) telemetry ingestion in Splunk provide benefits, considering it can consume a lot of ingestion volume?

A. Yes, EDR telemetry is highly beneficial for creating meaningful detections. While it can consume a significant amount of ingestion, data models can help manage this volume.


Q. Is the AI assistant a free add-on?

A. Yes, the AI assistant is a free add-on.


Q. How does Splunk handle Protected Health Information (PHI) when using the AI assistant?

A. Any data within the Splunk environment, including PHI, stays within Splunk, and interactions with the AI assistant are private to the user.


Q. Is it possible to pull KPI metrics on the Splunk platform?

A. Yes, Splunk comes with over 100 dashboards out-of-the-box that can be used or customized to track KPIs. These dashboards provide views on security posture, findings over time, urgency, and executive summaries, including metrics like mean time to triage and mean time to resolution.


Q. Does this prioritize the response list based on the type of incident, to help guide the analyst towards what response is most appropriate?

A. Yes, Splunk uses "response plans" which are designed to guide analysts on what to do for specific alerts coming from particular detections. This means that analysts will not treat every detection or alert the same way, as the response plans help tailor the actions to the incident type.


Here are some of the links shared in the presentation:

  • The SecOps Handbook to TDIR
  • Automate complete TDIR life cycle
  • Innovations in Splunk Security Expands Unified TDIR Experience to On-Premises and FedRamp Moderate E...
  • The TDIR Lifecycle: Threat Detection, Investigation, Response

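The risk-based alerting answer above describes grouping many low-value alerts into a single finding per entity so analysts review one finding instead of hundreds of basic alerts. As an added illustration, not from the Tech Talk and not Splunk's own code, here is a small Python model of that aggregation run over constructed risk events: each event carries the entity it is about (the risk object), the detection that produced it and a risk score, and a finding fires when, inside a time window, the entity's summed score reaches a threshold or enough distinct detections have contributed. The field names, thresholds and sample events are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class RiskEvent:
    """One low-level alert expressed as a risk contribution (constructed shape)."""
    ts: int               # epoch seconds
    risk_object: str      # entity the alert is about (user, host, ...)
    risk_object_type: str
    source: str           # detection that produced the risk event
    risk_score: int


@dataclass
class Finding:
    """An aggregated, entity-centric finding built from several risk events."""
    risk_object: str
    risk_object_type: str
    total_score: int
    sources: list         # distinct detections that contributed
    first_ts: int
    last_ts: int


def aggregate_risk(events, window=3600, score_threshold=100, source_threshold=3):
    """Group per-entity risk events into findings.

    A finding fires for an entity when, inside one `window` of seconds, either
    the summed risk score reaches `score_threshold` or at least
    `source_threshold` distinct detections have contributed. After a finding
    fires the entity's window is reset, so one burst of alerts yields one
    finding rather than one per additional alert.
    """
    findings = []
    open_windows = {}  # (risk_object, risk_object_type) -> events in current window
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.risk_object, ev.risk_object_type)
        bucket = open_windows.setdefault(key, [])
        # drop contributions that have aged out of the window
        bucket[:] = [e for e in bucket if ev.ts - e.ts < window]
        bucket.append(ev)
        total = sum(e.risk_score for e in bucket)
        sources = sorted({e.source for e in bucket})
        if total >= score_threshold or len(sources) >= source_threshold:
            findings.append(Finding(ev.risk_object, ev.risk_object_type,
                                    total, sources, bucket[0].ts, ev.ts))
            open_windows[key] = []  # suppress re-firing on the same burst
    return findings


# Constructed sample: alice accumulates several low-score alerts from three
# detections; web01 and bob never cross either threshold.
SAMPLE_EVENTS = [
    RiskEvent(1000, "alice", "user", "Excessive Failed Logins", 20),
    RiskEvent(1300, "alice", "user", "Login From New Country", 30),
    RiskEvent(1600, "alice", "user", "Excessive Failed Logins", 20),
    RiskEvent(1900, "alice", "user", "New Local Admin Account", 40),
    RiskEvent(1000, "web01", "system", "Rare Process Started", 15),
    RiskEvent(1200, "web01", "system", "Rare Process Started", 15),
    RiskEvent(2000, "bob", "user", "Login From New Country", 30),
    RiskEvent(9000, "bob", "user", "Excessive Failed Logins", 20),  # outside bob's first window
]


def describe(finding):
    """One-line analyst-facing summary of a finding."""
    return (f"{finding.risk_object_type}={finding.risk_object} "
            f"score={finding.total_score} from {len(finding.sources)} detections "
            f"({', '.join(finding.sources)}) between {finding.first_ts} and {finding.last_ts}")


if __name__ == "__main__":
    for f in aggregate_risk(SAMPLE_EVENTS):
        print(describe(f))
```

Eight basic alerts collapse into a single finding for the user `alice`; the two thresholds are what stop a lone high-score alert, or repeated noise from one detection, from surfacing on their own. In Splunk Enterprise Security the equivalent logic is a risk incident rule searching the risk index rather than Python, but the shape of the decision (sum the scores, count the distinct contributing detections, fire per entity) is the same.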
