Security orchestration, automation and response (SOAR) tools are most commonly known for automating manual security operations processes in order to expedite security investigations or cyber response. For instance, Splunk’s SOAR technology, Splunk Phantom, is most commonly used to automate alert triage, phishing investigation and response, threat hunting and application vulnerability management.
But in reality, a robust SOAR technology like Splunk Phantom is not a “SOC-only” technology. It should allow you to automate any process using any tool, as long as that third-party tool exposes an API. Through that API, Splunk Phantom can instruct the tool to perform actions automatically in response to any stimulus. You can bring any meaningful data from any tool into the platform, whether it’s security-related data, such as “notables” from Splunk Enterprise Security (ES) and newly detected vulnerabilities, or non-security-related data, such as ticket status or email content from an inbox. Ultimately, you can leverage Splunk Phantom’s capabilities in a variety of ways to execute processes automatically at machine speed.
Booz Allen Hamilton, a consulting firm, helps U.S. government entities build solutions that adhere to the requirements laid out by the Department of Homeland Security (DHS) and the Continuous Diagnostics and Mitigation (CDM) Program. They help government entities reduce cyber risk and provide security visibility across various federal agencies, including safeguarding sensitive data that is distributed across government networks and restricting access to unauthorized users.
To deliver on this promise, Booz Allen needs to be able to answer four key questions:
Traditional network access control (NAC) solutions like Forescout CounterACT and Cisco Identity Services Engine can certainly block wired endpoints using the standard policies native to the NAC solution, but DHS wanted to increase security further by using automation to block all endpoints based on posture assessment. After analyzing and understanding the relationship between the network, systems and users, Booz Allen Hamilton was ready to supplement traditional NAC solutions with automation and orchestration.
Booz Allen approached the Splunk Phantom team and asked, “Can Splunk Phantom automate processes associated with network access control? Moreover, can we block all endpoints using Comply-2-Connect (C2C) posture assessment with automation and orchestration?” After a moment of head scratching, the Splunk Phantom team said, “Yes, we can do that,” and then got to work creating NAC automation playbooks that had to meet very robust performance requirements, including:
Piece of cake, right? To learn how Splunk Phantom and Booz Allen Hamilton achieved these goals and helped the Department of Homeland Security implement advanced network access control, join us for a webinar, "Taking Automation Beyond the SOC With Advanced Network Access Control."
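The pattern the post describes (bring an event into the platform, decide, then act through the tool's API) is easier to see in code. The block below is an added example written for this page; it is not Splunk Phantom playbook code and not Booz Allen's implementation. The NAC REST endpoint, the JSON event layout, the `REQUIRED_CHECKS` names and the sample events are all assumptions constructed for illustration. It models a Comply-to-Connect style decision: an endpoint whose posture report fails (or omits) a required check is blocked once through the NAC API, repeated reports for an already-blocked endpoint do not trigger duplicate API calls, and a malformed event is recorded as an error rather than being treated as either compliant or non-compliant.

```python
# Added example: orchestration pattern (event in -> posture decision -> NAC API action).
# Not Splunk Phantom or Booz Allen code. NAC API shape, field names and checks are assumptions.
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Posture checks an endpoint must pass before it is allowed on the network.
# Hypothetical names; a real Comply-to-Connect policy defines its own set.
REQUIRED_CHECKS = ("agent_present", "av_running", "disk_encrypted", "patch_level_ok")


@dataclass
class ActionRecord:
    """Audit entry for every decision the automation makes."""
    mac: str
    decision: str            # "allow", "block", "already_blocked" or "error"
    reason: str
    api_calls: List[dict] = field(default_factory=list)


def evaluate_posture(checks: Dict[str, bool]) -> List[str]:
    """Return the required checks that failed or were not reported.

    A check missing from the report counts as failed: an endpoint that cannot
    prove its state must not be treated as compliant.
    """
    return [c for c in REQUIRED_CHECKS if not checks.get(c, False)]


class NacConnector:
    """Thin wrapper around an assumed NAC REST API (not any real product's API).

    `http_post` is injected so the same logic runs against a real HTTP client or a fake.
    """
    def __init__(self, http_post: Callable[[str, dict], dict], base_url: str):
        self.http_post = http_post
        self.base_url = base_url

    def block_endpoint(self, mac: str, reason: str) -> dict:
        payload = {"mac": mac, "action": "block", "reason": reason}
        return self.http_post(f"{self.base_url}/endpoints/block", payload)


class FakeNacApi:
    """Stand-in for the third-party tool: records requests and answers like an API."""
    def __init__(self) -> None:
        self.requests: List[dict] = []

    def post(self, url: str, payload: dict) -> dict:
        self.requests.append({"url": url, "payload": payload})
        return {"status": "ok", "mac": payload["mac"]}


def handle_posture_event(raw_event: str, nac: NacConnector, blocked: Set[str]) -> ActionRecord:
    """Playbook-style handler: parse the stimulus, decide, act at most once, record it.

    `blocked` holds MACs already blocked so repeated reports do not issue duplicate
    API calls; that matters when many endpoints re-assess on a schedule.
    """
    try:
        event = json.loads(raw_event)
        mac = event["mac"]
        checks = event["checks"]
    except (ValueError, KeyError, TypeError) as exc:
        # Malformed input must not silently become an allow or a block.
        return ActionRecord("?", "error", f"bad event: {exc}")

    failed = evaluate_posture(checks)
    if not failed:
        return ActionRecord(mac, "allow", "all required checks passed")
    if mac in blocked:
        return ActionRecord(mac, "already_blocked", "still failing: " + ",".join(failed))

    reason = "posture failed: " + ",".join(failed)
    resp = nac.block_endpoint(mac, reason)   # the action taken through the tool's API
    blocked.add(mac)
    return ActionRecord(mac, "block", reason, api_calls=[resp])


# Constructed sample events (not real data): compliant, failing, repeat of the
# failing endpoint, and a malformed report with no "checks" field.
SAMPLE_EVENTS = [
    '{"mac": "00:11:22:33:44:55", "checks": {"agent_present": true, "av_running": true,'
    ' "disk_encrypted": true, "patch_level_ok": true}}',
    '{"mac": "66:77:88:99:aa:bb", "checks": {"agent_present": true, "av_running": false,'
    ' "disk_encrypted": true}}',
    '{"mac": "66:77:88:99:aa:bb", "checks": {"agent_present": true, "av_running": false,'
    ' "disk_encrypted": true}}',
    '{"mac": "cc:dd:ee:ff:00:11"}',
]


def run_demo(events: List[str] = SAMPLE_EVENTS) -> Tuple[List[ActionRecord], List[dict]]:
    """Feed the sample events through the handler against the fake NAC API."""
    api = FakeNacApi()
    nac = NacConnector(api.post, "https://nac.example.invalid/api")  # placeholder URL
    blocked: Set[str] = set()
    records = [handle_posture_event(e, nac, blocked) for e in events]
    return records, api.requests


if __name__ == "__main__":
    for rec in run_demo()[0]:
        print(rec.mac, rec.decision, rec.reason)
```

The injected `http_post` is the point of the design: the decision logic is the same whether the action goes to a real NAC API, a ticketing system or a test double, which is also what lets you exercise the blocking rules offline before wiring them to a tool that can knock endpoints off the network.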
----------------------------------------------------
Thanks!
Kelly Huang