
PARTNER BRIEF

Zscaler™ and Splunk for Security

Managing the Deluge of Threats

Threats against enterprises are growing. Bad actors are leveraging the increasing use of SSL to hide malware and malicious links. While known threats can be easily blocked, the remainder become increasingly hard to defend against. Advanced Persistent Threats (APTs) and targeted attacks are becoming more prevalent. Accenture’s Annual Cost of Cybercrime study finds that the average number of breaches against an organization has increased over 11 percent to 145 in a single year. The increasing number of security events can easily overwhelm a Security Operations Center (SOC), leaving potential holes for a future attack.

INTEGRATION BENEFITS

• Leverage Zscaler’s global threat visibility, user activity and IOCs within the Splunk Security Operations Suite to help prioritize notable events and high-impact threats.

• Execute automated responses at machine speed with Splunk Phantom to stop threats from spreading.

• Detect emerging threats with Zscaler Cloud Sandbox and respond quickly to contain affected devices.

• Automate remediation using Zscaler’s APIs to look up URL categories and reputation and to block URLs.

Concurrently, corporate data is being accessed increasingly by mobile users. However, scaling comprehensive Internet and Web Security to remote offices and mobile users is both costly and complex. A fresh strategy is needed to proactively defend today’s cloud-first, mobile-first enterprise, while managing any residual risks by transforming Security Operations to effectively monitor and quickly respond to any incidents or breaches.

To handle the increasing number of threats, a solution is needed that easily and efficiently scales to new users, applications and locations, in which all traffic, including cloud-bound SSL-based communications, is inspected and unrecognized files are analyzed for possible malicious behavior. Events need to be correlated with other data sources so that simple threats can be identified with certainty and addressed automatically, allowing security analysts to prioritize and focus on the most sophisticated threat campaigns.

Zscaler and the Splunk Security Operations Suite

Zscaler and the Splunk Security Operations Suite form a solution to reduce the torrent of security events by allowing SOC teams to prioritize and automate the remediation of security threats.


ZSCALER PARTNER SOLUTION BRIEF

Zscaler Internet Access™ delivers a security stack as a service from the cloud, providing full content analysis of all traffic, including SSL communications and trusted content, across all ports and protocols. Zscaler can help deliver airtight internet security with Cloud Firewall, Cloud Sandbox, Content and URL filtering, Data Loss Prevention (DLP) and CASB. The Zscaler service provides detailed, real-time log consolidation across all locations, giving unprecedented visibility of user, device and network activity. Zscaler customers can mine billions of transaction logs directly on the cloud platform or stream them to Splunk Enterprise for correlation with other data sources. Since Zscaler Internet Access is delivered as a cloud-based service, it allows enterprises to deliver consistent and comprehensive security even as they open new locations, on-board new users, add new applications or transform to cloud-first, mobile-first architectures.

While the Splunk Platform ingests a large volume of varied logs for fast search queries and long-term retention, Splunk SIEM and Splunk UBA provide higher-fidelity alerts to the security analyst. They monitor and correlate events from multiple data sources to automatically detect and prioritize notable events and incidents. This allows for a rapid understanding of threats in the environment and optimizes the workflow from triage and evidence gathering to incident investigation. These incidents are enriched with identity and profile information of the device and user, which contributes to a risk score associated with the event. Splunk Phantom can then orchestrate an automated remediation response through its integration with Zscaler to update security controls and block threats.


The Integration

An organization can set up Zscaler to forward its logs to Splunk Enterprise for ingestion. The Zscaler-Splunk integration starts with the Zscaler Technical Add-On for Splunk. This takes Zscaler’s data sources and normalizes them to Splunk’s Common Information Model (CIM). CIM provides a standard data model that allows common search patterns within Splunk. The Zscaler Splunk App contains a set of predefined searches, dashboards and sandbox results for the Zscaler environment. Both can be downloaded from Splunkbase.

Splunk Enterprise, Enterprise Security (ES) and Splunk User Behavior Analytics (UBA) use the ingested data to identify and raise security events, and combine Zscaler data with other data sources, such as endpoint posture and user profiles, to orient security operations with IOCs and alerts that require immediate action. Splunk empowers security operations with meaningful context and an audit trail that helps decide how best to act on security threats.
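The normalization step above is easier to reason about with a concrete mapping. The following Python is an added example, not the Zscaler Technical Add-On’s own props or transforms: it takes constructed proxy log lines in a key=value layout (the real NSS feed format is configurable, so the source field names `login`, `cip`, `sip`, `urlcat` and so on are an assumption of this example) and maps them onto standard CIM Web data model fields such as `src`, `dest`, `url`, `action`, `category`, `bytes_in` and `bytes_out`, normalizing types and action values the way a CIM-compliant add-on has to.

```python
"""Normalize Zscaler-style web proxy log lines into Splunk CIM Web data model fields.

Added example, not the Zscaler Technical Add-On's own configuration. The log lines
are constructed in a key=value layout; the source field names are an assumption.
"""
import re
from typing import Dict, List

# Constructed sample log lines (users, hosts and addresses are made up).
SAMPLE_LOGS = [
    'time=2020-06-22T10:15:01Z login=alice@example.test cip=10.1.2.3 sip=203.0.113.10 '
    'url=http://update.example.test/setup.exe action=Allowed urlcat="Malicious Sites" '
    'reqmethod=GET respcode=200 reqsize=512 respsize=204800 ua="Mozilla/5.0"',
    'time=2020-06-22T10:16:44Z login=bob@example.test cip=10.1.2.4 sip=203.0.113.10 '
    'url=http://update.example.test/setup.exe action=Blocked urlcat="Malicious Sites" '
    'reqmethod=GET respcode=403 reqsize=480 respsize=0 ua="curl/7.68.0"',
    # A literal None marks an empty value in this constructed feed (assumption).
    'time=2020-06-22T10:17:02Z login=carol@example.test cip=10.1.2.5 sip=198.51.100.7 '
    'url=https://intranet.example.test/ action=Allowed urlcat="Business" '
    'reqmethod=GET respcode=200 reqsize=300 respsize=4096 ua=None',
]

# Assumed source field -> CIM Web data model field (the CIM names are standard).
FIELD_MAP = {
    "login": "user",
    "cip": "src",
    "sip": "dest",
    "url": "url",
    "action": "action",
    "urlcat": "category",
    "reqmethod": "http_method",
    "respcode": "status",
    "reqsize": "bytes_out",   # client request bytes leave the network
    "respsize": "bytes_in",   # response bytes come back in
    "ua": "http_user_agent",
}

# Matches key=value tokens; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict of raw string values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def to_cim(line: str) -> Dict[str, object]:
    """Map one raw line to CIM Web fields, dropping empty values and fixing types."""
    raw = parse_kv_line(line)
    event: Dict[str, object] = {
        "vendor_product": "Zscaler Internet Access",
        "time": raw.get("time"),
    }
    for src_field, cim_field in FIELD_MAP.items():
        value = raw.get(src_field)
        if value is not None and value != "None":
            event[cim_field] = value
    # CIM expects lowercase action values such as "allowed" and "blocked".
    if "action" in event:
        event["action"] = str(event["action"]).lower()
    for numeric in ("bytes_in", "bytes_out", "status"):
        if numeric in event:
            event[numeric] = int(event[numeric])
    if "bytes_in" in event and "bytes_out" in event:
        event["bytes"] = event["bytes_in"] + event["bytes_out"]
    return event


def normalize_all(lines: List[str]) -> List[Dict[str, object]]:
    """Normalize a batch of raw lines; searches and correlation run on the result."""
    return [to_cim(line) for line in lines]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LOGS):
        print(event)
```

The value of the mapping is that a correlation search written against `src`, `url` and `action` works the same whether the event came from Zscaler or another CIM-compliant web proxy; the two non-obvious decisions, which side of the proxy is `bytes_in` and what an empty value looks like in the feed, are the ones worth checking against the real add-on before trusting dashboards built on it.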

Figure 1: Zscaler Splunk App Overview Dashboard

Figure 2: Zscaler Splunk App Threat Dashboard


Finally, Splunk automated remediation is driven by Phantom, which leverages the Zscaler APIs to block, unblock and query URLs and to get Sandbox detonation results.

Use cases

The Zscaler-Splunk integration enables security operations to incorporate the Observe, Orient, Decide, Act (OODA) loop framework and detect threats earlier in the kill chain. Two common use cases of the integration are described here.

[Figure: Zscaler-Splunk integration architecture showing Nanolog, the Zscaler Technical Add-On for Splunk and the Zscaler Splunk App]

Patient Zero

Zscaler Cloud Sandbox allows new threats to be identified by observing the behavior of attachments such as executables, DLLs, PDFs and Office documents. The Sandbox observes the files in an isolated environment for suspicious activity. Zscaler Cloud Sandbox can operate in two modes: Quarantine or Allow. Quarantine blocks the file until the sandbox analysis is complete, while Allow analyzes the file in the background, giving users immediate access to the file. In Allow mode, there is a possibility that a malicious file has already been downloaded.

With the integration, even when the policy is set to Allow and Scan, Splunk Phantom can trigger a notable event to stop further spread of an attack. Consider the case where the user has downloaded a malicious file. During that time, the Zscaler Cloud Sandbox is observing the behavior of the file.

After analysis, Zscaler Cloud Sandbox determines that the file is malicious. Within the Zscaler Cloud, it blocks users from downloading that file. The Zscaler cloud generates an email event containing the MD5 hash of the file and a list of users and devices that could have been compromised during the time the file was being analyzed. The email is ingested by Splunk ES and a notable event is generated.

The Splunk Phantom patient zero playbook runs an automated action to determine the file reputation. It then configures the endpoint security platform to block the execution of files matching the hash. It also queries the endpoint security platform to look for that file on endpoints, quarantining the device wherever it is found. These steps are run automatically to contain the threat and prevent further damage.

[Figure: Patient Zero playbook flow. Sandbox side: execute suspicious files in sandbox; analyze for malicious behaviour; update threat database. Playbook side: parse Zscaler Sandbox results email; extract MD5 hash and metrics; reputation lookup of file; create ticket with all information; call endpoint security platform to block file hash; call endpoint security platform to find file hash; call endpoint security platform to quarantine device.]
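The Patient Zero flow above is a sequence of parse, decide and act steps, and the places where an automated playbook can go wrong are in the parse (an ill-formed hash must never trigger containment) and in the scope of the act (the mail lists who downloaded the file during analysis, but the endpoint search is what finds where it actually is now). The following Python is an added example that simulates that playbook end to end; it is not Splunk Phantom’s playbook or any vendor API. The sandbox mail body, the reputation table and the endpoint inventory are constructed, and `EndpointPlatform` is a hypothetical stand-in for the endpoint security platform calls the figure names.

```python
"""Simulated Patient Zero playbook: parse the sandbox verdict mail, extract and
validate the MD5, check reputation, block the hash, find it on endpoints and
quarantine every device where it is present.

Added example. Mail body, reputation table and inventory are constructed;
EndpointPlatform is a hypothetical stand-in, not Splunk Phantom or a vendor API.
"""
import re
from typing import Dict, List, Set

# Constructed sandbox-result mail as it might be ingested by Splunk ES.
SANDBOX_EMAIL = """Subject: Zscaler Cloud Sandbox verdict for setup.exe
Verdict: Malicious
MD5: 0123456789abcdef0123456789ABCDEF
Users/devices that downloaded the file during analysis:
alice@example.test, host-alice-01
bob@example.test, host-bob-07
"""

MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)
VERDICT_RE = re.compile(r"^Verdict:\s*(\w+)", re.MULTILINE)
DEVICE_RE = re.compile(r"^\S+@\S+,\s*(\S+)\s*$", re.MULTILINE)


class EndpointPlatform:
    """Stand-in for an endpoint security API over a device -> file-hash inventory."""

    def __init__(self, inventory: Dict[str, Set[str]]):
        self.inventory = inventory
        self.blocked_hashes: Set[str] = set()
        self.quarantined: Set[str] = set()

    def block_hash(self, md5: str) -> None:
        self.blocked_hashes.add(md5)

    def find_hash(self, md5: str) -> List[str]:
        return sorted(d for d, hashes in self.inventory.items() if md5 in hashes)

    def quarantine(self, device: str) -> None:
        self.quarantined.add(device)


def parse_sandbox_email(body: str) -> Dict[str, object]:
    """Extract verdict, MD5 and candidate devices; reject mails without a valid MD5."""
    md5 = MD5_RE.search(body)
    if md5 is None:
        raise ValueError("no well-formed MD5 in sandbox mail; not acting on it")
    verdict = VERDICT_RE.search(body)
    return {
        "md5": md5.group(1).lower(),  # hashes compare case-insensitively
        "verdict": verdict.group(1).lower() if verdict else "unknown",
        "candidates": DEVICE_RE.findall(body),
    }


def patient_zero_playbook(body: str, reputation: Dict[str, str],
                          edr: EndpointPlatform) -> Dict[str, object]:
    """Run the containment steps and return the ticket that records them."""
    parsed = parse_sandbox_email(body)
    md5 = str(parsed["md5"])
    rep = reputation.get(md5, "unknown")
    ticket: Dict[str, object] = {"md5": md5, "reputation": rep,
                                 "candidates": parsed["candidates"],
                                 "blocked": False, "quarantined": []}
    # Act only on a malicious verdict or reputation; anything else goes to an analyst.
    if parsed["verdict"] != "malicious" and rep != "malicious":
        ticket["status"] = "needs-review"
        return ticket
    edr.block_hash(md5)
    # The mail says who downloaded it; the endpoint search says where it is now,
    # which can include devices the file spread to after the download.
    found = edr.find_hash(md5)
    for device in found:
        edr.quarantine(device)
    ticket.update(blocked=True, quarantined=found, status="contained")
    return ticket


# Constructed data: reputation source and what each endpoint currently holds.
MALICIOUS_MD5 = "0123456789abcdef0123456789abcdef"
REPUTATION = {MALICIOUS_MD5: "malicious"}
INVENTORY = {
    "host-alice-01": {MALICIOUS_MD5},
    "host-bob-07": set(),                                   # downloaded, since removed
    "host-carol-03": {MALICIOUS_MD5},                       # not in the mail: a later copy
    "host-dave-09": {"ffffffffffffffffffffffffffffffff"},
}


def run_demo() -> Dict[str, object]:
    """Run the playbook on the constructed mail against a fresh endpoint platform."""
    return patient_zero_playbook(SANDBOX_EMAIL, REPUTATION, EndpointPlatform(INVENTORY))


if __name__ == "__main__":
    print(run_demo())
```

Note that the result quarantines `host-carol-03`, which the mail never mentioned, and leaves `host-bob-07` alone even though it was listed: containment is driven by the endpoint search, and the mail’s device list is recorded in the ticket as context for the analyst rather than acted on blindly.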

Threat Hunting

Threat hunting involves proactively searching for attackers lurking in the network, using suspicious URLs as a trigger. It can start with a newly identified malicious URL. Threat hunting begins by triggering a Splunk Phantom playbook to evaluate the URL’s reputation. If the URL is determined to be malicious, the playbook continues and searches through the Zscaler logs to identify other devices that visited the site. Containment takes place automatically by quarantining the devices and calling the Zscaler API to block the malicious URL. The threat is now isolated, and further compromise is blocked by Zscaler.

[Figure: Threat Hunting playbook flow. Start: Zscaler event, possible malicious URL. Steps: reputation lookup of URL; query Splunk data for devices visiting URL; call endpoint security platform to quarantine device; call Zscaler API to block URL; create ticket.]

Summary

The joint Zscaler-Splunk solution enables organizations to deliver scalable Internet and Web security with the agility to effectively monitor and respond to incidents or breaches. Users can seamlessly leverage high-resolution network and user activity data from Zscaler within the Splunk Security Operations Suite to monitor, detect, investigate and remediate threats using automated security operations workflows. Contact Zscaler or visit www.zscaler.com for more information.

© 2020 Zscaler, Inc. All rights reserved. Zscaler ™, Zscaler Internet Access ™, ZIA ™, Zscaler Private Access ™, and ZPA ™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners. V.062220

Zscaler, Inc., 120 Holger Way, San Jose, CA 95134, +1 408.533.0288, www.zscaler.com
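The Threat Hunting playbook described above turns on one query: which devices actually reached the site. Two details decide whether that query is right. The URL must be compared by site, not by exact string, or a different path or an upper-case host on the same malicious site is missed; and a request that Zscaler blocked never reached the site, so quarantining that device on the basis of a blocked event is a false positive. The following Python is an added example that simulates the playbook with those checks; it is not Splunk Phantom’s playbook or the Zscaler API. The log events (already in CIM Web field names), the reputation table, and the `ZscalerApi` and `EndpointPlatform` classes are constructed stand-ins.

```python
"""Simulated Threat Hunting playbook: look up a URL's reputation, find devices
whose requests to that site were allowed, quarantine them, block the URL, ticket.

Added example. Events, reputation table, ZscalerApi and EndpointPlatform are
constructed stand-ins, not the Zscaler API or Splunk Phantom.
"""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed log events, already normalized to CIM Web field names.
EVENTS = [
    {"src": "10.1.2.3", "user": "alice@example.test",
     "url": "http://update.example.test/setup.exe", "action": "allowed"},
    {"src": "10.1.2.4", "user": "bob@example.test",
     "url": "http://update.example.test/setup.exe", "action": "blocked"},
    {"src": "10.1.2.5", "user": "carol@example.test",
     "url": "http://UPDATE.example.test:80/other/path", "action": "allowed"},
    {"src": "10.1.2.6", "user": "dave@example.test",
     "url": "https://intranet.example.test/", "action": "allowed"},
]

# Constructed reputation source keyed by site.
REPUTATION = {"update.example.test": "malicious"}


def site_of(url: str) -> str:
    """Canonical site of a URL: lowercase host, port dropped, scheme optional."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


class ZscalerApi:
    """Stand-in for the URL lookup and block calls the integration uses."""

    def __init__(self, reputation: Dict[str, str]):
        self.reputation = reputation
        self.blocked_urls: Set[str] = set()

    def url_lookup(self, url: str) -> str:
        return self.reputation.get(site_of(url), "unknown")

    def block_url(self, url: str) -> None:
        self.blocked_urls.add(url)


class EndpointPlatform:
    """Stand-in for the endpoint security platform's quarantine action."""

    def __init__(self) -> None:
        self.quarantined: Set[str] = set()

    def quarantine(self, device: str) -> None:
        self.quarantined.add(device)


def devices_that_reached(events: List[Dict[str, str]], url: str) -> List[str]:
    """Devices with an allowed request to the site; blocked requests never reached it."""
    site = site_of(url)
    return sorted({e["src"] for e in events
                   if site_of(e["url"]) == site and e["action"] == "allowed"})


def threat_hunt_playbook(url: str, events: List[Dict[str, str]],
                         zia: ZscalerApi, edr: EndpointPlatform) -> Dict[str, object]:
    """Run the hunt from one suspicious URL and return the ticket recording it."""
    rep = zia.url_lookup(url)
    ticket: Dict[str, object] = {"url": url, "reputation": rep,
                                 "devices": [], "blocked": False}
    if rep != "malicious":
        ticket["status"] = "needs-review"  # unknown reputation: analyst decides
        return ticket
    devices = devices_that_reached(events, url)
    for device in devices:
        edr.quarantine(device)
    zia.block_url(url)
    ticket.update(devices=devices, blocked=True, status="contained")
    return ticket


def run_demo() -> Dict[str, object]:
    """Hunt on the constructed malicious URL against the constructed events."""
    return threat_hunt_playbook("http://update.example.test/setup.exe", EVENTS,
                                ZscalerApi(REPUTATION), EndpointPlatform())


if __name__ == "__main__":
    print(run_demo())
```

In the constructed data the hunt quarantines `10.1.2.3` and `10.1.2.5` (the second reached the same site by a differently written URL) and leaves `10.1.2.4` alone because its request was blocked; a real playbook would run the same query as a Splunk search over the CIM `url` and `action` fields rather than over an in-memory list.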

About Zscaler

Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its flagship services, Zscaler Internet Access™ and Zscaler Private Access™, create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler services are 100 percent cloud-delivered and offer the simplicity, enhanced security, and improved user experience that traditional appliances are unable to match. Used in more than 185 countries, Zscaler operates a multi-tenant distributed cloud security platform, protecting thousands of customers from cyberattacks and data loss. Learn more at zscaler.com or follow us on Twitter @zscaler.