RedSeal and Splunk Adaptive Response
Use your SIEM to identify IOCs and RedSeal to show access paths
The goal of Incident Response is to address and manage a security breach in a way that limits damage and reduces recovery time and costs. Your SIEM solution can identify an Indicator of Compromise (IOC) by analyzing and correlating the massive streams of machine data generated by your IT systems and technology infrastructure.
Through its integration with the Splunk Adaptive Response framework, RedSeal adds network situational awareness to a Splunk investigation: starting from an IOC, an analyst can see every network access path to and from the compromised device, determine which critical assets it can reach, and pick the point at which to contain the downstream risk, within minutes.
ACCELERATE INCIDENT RESPONSE WITH REDSEAL ADAPTIVE RESPONSE ACTIONS
RedSeal accelerates Incident Response in two ways: it supplies network context that the SIEM can correlate to identify IOCs, and it gives immediate answers to the following questions:
- What is the compromised device?
- Where is it located both physically and logically?
- Where can the attacker traverse to? Can it reach my critical assets via a network access path?
- What containment options are available to me?
RedSeal provides three Adaptive Response actions to answer the above questions quickly:
Display Source Details
- Get the device's OS, applications, Layer 2 (L2) information, policy group, etc.
List Top Reachable Groups / Launch RedSeal Incident Response
- Identify all downstream assets that the compromised device can access, prioritized by business value and exposure
- Launch RedSeal Incident Response in a separate browser window for more detail, including the L2 information on each reachable target
View Detailed Network Access Path
- Display the network access path(s) from the source to the target, listing every device in between, with details on the firewall(s) and the configuration rules permitting access
NETWORK SITUATIONAL AWARENESS WITH ACCESS PATHS
RedSeal’s model presents an accurate, up-to-date map of your network as it really is – including your cloud and virtual networks, and your physical and wireless infrastructure.
RedSeal's model calculates all network access paths, intended and unintended, active and potential, between any two points on your network. With this network visualization you can see every individual device between one point and another, and pinpoint the exact rules you need to change on each device to affect access.
- Quickly locate the IOC, including its physical location and other data
- View all potential network access paths an intruder can take from the IOC
- List downstream assets prioritized by risk, with the access paths for each
- Locate the firewall(s) and the rules that will block the pathway
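The workflow that the three Adaptive Response actions and the list above describe (locate the IOC logically, list the asset groups it can still reach ordered by business value, and show the path with the firewall rule permitting each hop) can be illustrated with a small access-path calculation. The following Python is an added example, not RedSeal's code or model. Its segments, firewalls, rule names, asset groups, business values and the IOC address are all constructed; it ignores NAT, routing and host firewalls, and it evaluates each firewall's rules first-match with an implicit deny at the end.

```python
"""Added illustration, not RedSeal's code or model. Segments joined by firewalls with
ordered first-match rules; from an IOC address: locate the host, list asset groups it
can still reach (highest business value first), name the rule permitting each hop."""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

SEGMENTS = {"user_lan": "10.10.0.0/16", "dmz": "192.168.50.0/24",   # constructed
            "datacenter": "10.20.0.0/16", "pci": "10.30.0.0/16"}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port; None = any
    action: str          # "permit" or "deny"

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src) and
                ip_address(dst_ip) in ip_network(self.dst) and self.port in (None, port))

@dataclass(frozen=True)
class Firewall:
    name: str
    segments: Tuple[str, str]  # the two segments this firewall joins
    rules: Tuple[Rule, ...]    # ordered; first match wins; implicit deny at the end

    def permitting_rule(self, src_ip, dst_ip, port):
        """The rule that permits the flow, or None if the flow is denied."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                return rule if rule.action == "permit" else None
        return None

@dataclass(frozen=True)
class AssetGroup:
    name: str
    ip: str
    port: int
    business_value: int  # 1 (low) .. 10 (critical), constructed

FIREWALLS = (  # constructed topology and rule sets
    Firewall("FW-A", ("user_lan", "datacenter"), (
        Rule("users-to-fileshare", "10.10.0.0/16", "10.20.4.0/24", 445, "permit"),
        Rule("users-to-pci-sql", "10.10.0.0/16", "10.30.0.0/16", 1433, "permit"))),
    Firewall("FW-B", ("datacenter", "pci"), (
        # A legacy permit placed above the deny shadows it: first match wins.
        Rule("legacy-report-sql", "10.10.0.0/16", "10.30.1.10/32", 1433, "permit"),
        Rule("block-users-to-pci", "10.10.0.0/16", "10.30.0.0/16", None, "deny"))),
    Firewall("FW-C", ("user_lan", "dmz"), (
        Rule("users-to-dmz-https", "10.10.0.0/16", "192.168.50.0/24", 443, "permit"),)),
)
ASSET_GROUPS = (  # constructed critical asset groups
    AssetGroup("Payment DB", "10.30.1.10", 1433, 10),
    AssetGroup("Backup server", "10.30.2.20", 22, 8),
    AssetGroup("HR file server", "10.20.4.5", 445, 7),
    AssetGroup("Web app (DMZ)", "192.168.50.10", 443, 4),
)

def locate(ip):
    """Logical location: the segment whose CIDR contains the address."""
    return next((n for n, c in SEGMENTS.items() if ip_address(ip) in ip_network(c)), None)

def find_path(src_ip, target, firewalls=FIREWALLS):
    """BFS over segments, each hop permitted by the joining firewall. Returns
    [(firewall, rule), ...], [] if same segment, None if no permitted path."""
    start, goal = locate(src_ip), locate(target.ip)
    if start is None or goal is None:
        return None
    if start == goal:
        return []
    queue, seen = deque([(start, [])]), {start}
    while queue:
        segment, hops = queue.popleft()
        for fw in firewalls:
            if segment not in fw.segments:
                continue
            nxt = fw.segments[1] if fw.segments[0] == segment else fw.segments[0]
            rule = fw.permitting_rule(src_ip, target.ip, target.port)
            if nxt in seen or rule is None:
                continue  # already explored, or this firewall blocks the flow
            path = hops + [(fw.name, rule.name)]
            if nxt == goal:
                return path
            seen.add(nxt)
            queue.append((nxt, path))
    return None

def reachable_groups(src_ip, groups=ASSET_GROUPS, firewalls=FIREWALLS):
    """Reachable asset groups, highest business value (then shortest path) first."""
    found = [(g, p) for g in groups for p in [find_path(src_ip, g, firewalls)] if p is not None]
    found.sort(key=lambda item: (-item[0].business_value, len(item[1])))
    return found

if __name__ == "__main__":  # constructed IOC address flagged by the SIEM
    for group, path in reachable_groups("10.10.5.23"):
        print(group.business_value, group.name, path)
```

Running it for the constructed IOC 10.10.5.23 reports the Payment DB first, reached through FW-A's "users-to-pci-sql" rule and FW-B's "legacy-report-sql" rule, which sits above the intended deny and therefore shadows it; the Backup server is not listed because no rule on FW-A permits port 22. The rule named for each hop is the one to change in order to block the pathway, which is the containment decision the last bullet above refers to.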
WHAT YOU NEED
Splunk Enterprise Security 4.5.x (the release that introduced the Adaptive Response framework)
Solution Brief – RedSeal and Splunk Adaptive Response