Level-up Splunk with Silent Push IOFA™ data 

customer story

Challenge: Operationalizing large amounts of CTI data at scale 

A leading U.S.-based finance company was facing difficulties correlating the large amounts of threat intelligence data that the organization collected via Splunk. 

Our customer needed to pass noisy Splunk data streams through a series of high-confidence validations to produce true positive alerts, across a range of workflows that interacted with numerous other cybersecurity platforms, and inform teams on where their collective efforts should be focused. 

In doing so, the organization wanted to act more quickly, and with more confidence, on APT infrastructure targeting it across a range of attack vectors.

Leadership set out to reduce alert fatigue and improve productivity by cutting the number of false positive correlations across the security stack, using a slicker, more reliable set of integrations.

Solution: Using the Silent Push Splunk integration to correlate threat data  

Silent Push features native integrations with Splunk – via two dedicated SplunkBase apps for SOAR and SIEM – that connect a Splunk instance with IOFA™ data via the Silent Push API.

Silent Push passes a range of enriched data types through to Splunk that can either act as a starting point for CTI investigations, or be used to corroborate data that has already been passed through to Splunk from perimeter defenses or from another cybersecurity platform.

Supported data types include: 

  • Domain and IP Information: Domain risk scores, live WHOIS information, and certificate data 
  • Reputation scores: ASN, nameserver, and subnet reputation 
  • Passive DNS data: Forward and reverse lookups, and proprietary metrics such as IP diversity scores 
  • IOFA™ feeds: Live, curated lists of true positive domains and IPs related to a specific TTP, attack vector, and APT group 
  • Enrichment information: Contextual data for individual domains and IPs across 150+ categories 

Once they’d onboarded, our customer used their API key to integrate their Splunk instance with our first-party IOFA™ data, to fulfil a range of use cases, including (but not limited to): 

  • High-confidence domain scoring 
  • Known malicious infrastructure 
  • URL, email sender, IP and hostname enrichment 

Using our integrations, the customer adjusted their security stack so that monitoring and blocking both known and hidden infrastructure became quicker and easier: existing threat data was correlated against IOFA™ data, and emerging domains and IPs were surfaced as they were being deployed, without relying on stale post-breach intelligence for validation.
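The validation step described above, running noisy alerts through enrichment data before anything reaches an analyst, can be sketched in a few dozen lines. The following is an added example written for this page; it is not Silent Push's code and does not call the Silent Push API. The `ENRICHMENT` table is a constructed stand-in for the kind of records an enrichment API would return (risk score, nameserver reputation, curated-feed membership), the event lines are constructed in Splunk's key=value style, and the thresholds `HIGH_RISK` and `LOW_REPUTATION` are assumptions chosen for illustration.

```python
"""Correlate noisy key=value alert events with enrichment data and decide
which ones deserve an analyst's attention.

Added example: the enrichment records and event lines are constructed;
the indicators are reserved documentation names/addresses, not real IoCs.
"""
from __future__ import annotations

import re

# Constructed stand-in for enrichment API responses, keyed by indicator.
# Fields mirror the data types listed on the page: a domain/IP risk score,
# a nameserver reputation score, and membership in a curated malicious feed.
ENRICHMENT: dict[str, dict] = {
    "login-portal-example.test": {"risk_score": 92, "ns_reputation": 15, "in_feed": True},
    "cdn.example.test":          {"risk_score": 8,  "ns_reputation": 85, "in_feed": False},
    "203.0.113.45":              {"risk_score": 70, "ns_reputation": 40, "in_feed": False},
    "198.51.100.7":              {"risk_score": 35, "ns_reputation": 60, "in_feed": False},
}

# Assumed thresholds: a risk score at or above HIGH_RISK combined with a
# nameserver reputation at or below LOW_REPUTATION counts as high confidence.
HIGH_RISK = 80
LOW_REPUTATION = 30

# Event fields that may carry the indicator we want to validate.
INDICATOR_FIELDS = ("dest_host", "dest_ip", "sender_domain")

# Constructed events in the key=value shape Splunk auto-extracts.
EVENTS = [
    'src=proxy user=alice dest_host=login-portal-example.test action=allowed',
    'src=proxy user=bob dest_host=cdn.example.test action=allowed',
    'src=firewall dest_ip=203.0.113.45 action=blocked',
    'src=email_gateway sender_domain=unknown-sender.test action=delivered',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value event line; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def validate(indicator: str, enrichment: dict[str, dict]) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for an indicator.

    escalate: curated-feed hit, or high risk score plus low nameserver reputation
    suppress: enrichment present but no high-confidence signal
    review:   no enrichment available, so do not silently drop the alert
    """
    rec = enrichment.get(indicator)
    if rec is None:
        return "review", ["no enrichment available"]

    reasons: list[str] = []
    if rec["in_feed"]:
        reasons.append("present in curated malicious feed")
    if rec["risk_score"] >= HIGH_RISK:
        reasons.append(f"risk score {rec['risk_score']} >= {HIGH_RISK}")
    if rec["ns_reputation"] <= LOW_REPUTATION:
        reasons.append(f"nameserver reputation {rec['ns_reputation']} <= {LOW_REPUTATION}")

    high_confidence = rec["in_feed"] or (
        rec["risk_score"] >= HIGH_RISK and rec["ns_reputation"] <= LOW_REPUTATION
    )
    if high_confidence:
        return "escalate", reasons
    return "suppress", reasons or ["no high-confidence signal"]


def triage(lines: list[str], enrichment: dict[str, dict]) -> list[dict]:
    """Parse each event, pick its indicator, and attach a verdict."""
    results = []
    for line in lines:
        event = parse_event(line)
        indicator = next((event[f] for f in INDICATOR_FIELDS if f in event), None)
        if indicator is None:
            verdict, reasons = "review", ["no indicator field in event"]
        else:
            verdict, reasons = validate(indicator, enrichment)
        results.append({"source": event.get("src"), "indicator": indicator,
                        "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(EVENTS, ENRICHMENT):
        print(f"{r['verdict']:<8} {r['source']:<14} {r['indicator']}  ({'; '.join(r['reasons'])})")
```

The design point is the three-way outcome: an indicator with no enrichment is routed to review rather than dropped, so a gap in the data never becomes a silent false negative, while only corroborated signals are escalated to the team.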

Custom correlation and indicators dashboards provided them with an at-a-glance view of their entire attack landscape, including any new indicators validated as malicious within Silent Push, and a full breakdown across 150+ enrichment categories with full access to the raw data for additional pivots. 

The Silent Push Difference: Immediately actionable SOC and IR intelligence 

With so many alerts and data feeds that lack the underlying intelligence for teams to fully evaluate unknown domains and IPs, SecOps staff struggle to create predictive models and detect malicious infrastructure before it’s weaponized. 

Silent Push drastically reduces the time it takes for teams to fully operationalize threat intelligence data by providing teams with a wealth of context on each individual hostname and IP that appears on their radar.

Our customer saw an immediate improvement in key metrics such as MTTD and MTTR, which gave staff the breathing space they needed to focus on critical tasks instead of wading through an ocean of noisy information.

Learn More About Our Unique Approach to Preemptive Threat Intelligence   

Find out how Silent Push helps you locate hidden and known threat infrastructure, and stop digital assaults at the source before they occur, using Indicators Of Future Attack™.

IOFA™ are domain and IP datapoints that preemptively pinpoint adversary intent BEFORE an attack is launched, and reveal searchable digital fingerprints of attacker activity. 

Get in touch here for more information. 

Further resources 

Silent Push App for Splunk (SIEM) 

Silent Push App for Splunk (SOAR)