Creating the Identity Aware Security Operations Center
In order to stay ahead of today’s ever-changing IT security landscape, many organizations employ an array of tools to gain strategic visibility into where attacks are happening and where existing vulnerabilities may lie. Security Information and Event Management (SIEM) tools like Splunk are designed to help enterprises keep track of their security posture by collecting and aggregating log data generated throughout an organization’s technology infrastructure. This includes capturing events such as successful authentications or failed login attempts, packet traffic, and access-related activity, to name a few. The intent is to report on these event activities and to alert when suspicious activity is detected that could indicate a potential security issue.
While this is a foundational component of any security operations center (SOC), a SIEM’s effectiveness increases when valuable information, such as threat intelligence feeds, can be consumed and correlated to provide greater visibility into actual threats versus benign events.
In order to maintain a truly secure infrastructure, today’s modern enterprises leverage the power of identity context to enrich and fortify their security efforts. By sharing identity information with your SIEM tool, you combine valuable identity details with the event log data from multiple data sources, which results in distilled, actionable insights. Because user access is inherently sensitive, identity information is a critical part of this multi-faceted security strategy. In fact, some of our customers’ most relevant security data exists within SailPoint’s application data.
For this reason, we’ve worked in concert with Splunk, the market-leading SIEM provider, to make it easy for security operations centers to realize the benefits of identity. SailPoint recently introduced the IdentityNow AuditEvent Add-on in SplunkBase. This official Add-on enables the rich identity data from IdentityNow to be integrated into Splunk Enterprise and Splunk Cloud, allowing security and system administrators to gain greater insight into events across the organization. For example, brute force hacking attempts can be exposed through identity-related authentication and password interactions. Also, real-time visibility into the provisioning of access to new applications can expose unusual patterns and lead to risk-mitigating activities such as the tuning of roles or the creation of separation-of-duty policies.
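One way to express the brute force detection described above, as an added example and not code from SailPoint or the Add-on: a Python routine that parses constructed identity audit events and flags an account/source pair with repeated authentication failures in a short window, noting whether a success followed. The field names, action values and threshold are assumptions for illustration, not the Add-on's actual schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in JSON-lines form. The field names
# (created, action, target, ip, status) are assumptions for this example,
# not the schema emitted by the IdentityNow AuditEvent Add-on.
SAMPLE_LOG = """
{"created": "2024-01-15T08:00:00Z", "action": "AUTH", "target": "jdoe", "ip": "203.0.113.5", "status": "FAILED"}
{"created": "2024-01-15T08:00:20Z", "action": "AUTH", "target": "jdoe", "ip": "203.0.113.5", "status": "FAILED"}
{"created": "2024-01-15T08:00:40Z", "action": "AUTH", "target": "jdoe", "ip": "203.0.113.5", "status": "FAILED"}
{"created": "2024-01-15T08:01:00Z", "action": "AUTH", "target": "jdoe", "ip": "203.0.113.5", "status": "FAILED"}
{"created": "2024-01-15T08:01:30Z", "action": "AUTH", "target": "jdoe", "ip": "203.0.113.5", "status": "SUCCESS"}
{"created": "2024-01-15T08:03:00Z", "action": "PROVISION", "target": "jdoe", "ip": "203.0.113.5", "status": "SUCCESS"}
{"created": "2024-01-15T08:02:00Z", "action": "AUTH", "target": "asmith", "ip": "198.51.100.7", "status": "FAILED"}
{"created": "2024-01-15T09:30:00Z", "action": "AUTH", "target": "asmith", "ip": "198.51.100.7", "status": "SUCCESS"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["created"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Flag (target, ip) pairs with >= threshold failed AUTH events inside one
    sliding window, and record whether a SUCCESS followed while the window was
    still hot (failures followed by a login is the more urgent pattern)."""
    failures = defaultdict(list)   # (target, ip) -> timestamps of recent failures
    alerts = {}
    for ev in events:
        if ev["action"] != "AUTH":  # provisioning and other events are ignored here
            continue
        key = (ev["target"], ev["ip"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["status"] == "FAILED":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(recent), "first": recent[0], "success_after": False}
        elif ev["status"] == "SUCCESS" and key in alerts and len(recent) >= threshold:
            alerts[key]["success_after"] = True
        failures[key] = recent
    return alerts

if __name__ == "__main__":
    for key, info in detect_brute_force(parse_events(SAMPLE_LOG)).items():
        print(key, info)
```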
Having a Splunk-certified add-on available in SplunkBase not only simplifies the integration of event log data and identity data to a single click, but also further increases the effectiveness of a Splunk Enterprise or Splunk Cloud implementation.