The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating to the cloud and increasing their use of web, mobile, and social platforms. This digital transformation expanded their attack surface beyond the scope of network security controls like firewalls, DLP, and network monitoring—and enabled attackers to exploit them in ways not possible before.
The security implications of the enterprise's digital footprint exploding beyond the firewall's friendly confines are clear. According to the Verizon Data Breach report, external-facing web applications, into which network security tools lack visibility, comprised the vector category most commonly exploited in hacking-related breaches. To defend against the now rampant phishing attacks, typosquat registrations, and misinformation spreading through websites, security teams need to think beyond cybersecurity. Instead, they should be taking a holistic view of defense, focusing on attack surface management.
Together, RiskIQ and Splunk Deliver Attack Surface Management
Attack surface management means having the technology to collect enough data to cover the entire scope of where your organization can be attacked—from the corporate network to the cloud to the edges of the open internet—and the technology to put it to use. The nexus of these two imperatives are RiskIQ's Apps and add-ons for Splunk.
RiskIQ has long held integrations with Splunk but has brought our full suite of offerings to the Data-to-Everything platform. These s integrations give SecOps teams several ways to access RiskIQ's Internet Intelligence Graph, which extracts terabytes of internet data to map the billions of relationships between internet-exposed infrastructure worldwide. This comprehensive data now combines with Splunk's search, monitoring, and analysis capabilities to deliver a best-in-class attack surface management.
RiskIQ Security Intelligence Services for Splunk
RiskIQ Security Intelligence Services (SIS) for Splunk enables security teams to scale and automate their threat detection programs rapidly. The SIS add-on will automatically ingest and store RiskIQ Intelligence directly within Splunk so that analysts can apply it against local log information and fuel dashboards that inform them of suspicious infrastructure.
How to Use It
Current Event Abuse: Attackers looking to capitalize on trust and people's willingness to consume information, will often use current events as an attack theme. RiskIQ has observed this with the current pandemic and has even gone as far as providing the community with listings of newly registered COVID-themed infrastructure. Using the SIS add-on for Splunk, customers can easily query all the data RiskIQ has for any event.
Here is RiskIQ newly observed host data inside Splunk showing new infrastructure leveraging the U.S. election:
Newly observed hosts from RiskIQ inside Splunk
Here's RiskIQ detection data showing phish leveraging the COVID-19 pandemic:
Phish detection data from RiskIQ inside Splunk
Log Correlation: Splunk makes it easy to ingest log information and even easier to search through it. It's not tenable for security teams to manually review billions of log entries every single day. However, using Splunk Query Language, it's possible to correlate log sources to surface anomalies. SIS add-on for Splunk enables this to occur as it's automatically ingesting RiskIQ intelligence every hour when an update is published.
Here's RiskIQ's internal intelligence enriching firewall log data:
Firewall log data and RiskIQ intelligence
Here's enriching log data with RiskIQ's malware intelligence:
Enriching firewall logs with RiskIQ's external malware analysis
Brand Infringement: Like current events, brands are a common theme for attackers to abuse in their never-ending quest to compromise an organization, which is why the SIS add-on for Splunk also includes lists of newly registered domains. If you're worried about your organization's brand being abused, build out a dashboard with an alert trigger anytime a new domain is ingested matching your search. If you find any suspicious infrastructure, you can investigate it for free directly from Splunk using RiskIQ PassiveTotal for Splunk.
Brand infringement dashboard
Get the RiskIQ SIS Add-on Today
Current events are not going to stop, and brand infringement is never going away. Security teams need new tools in their arsenal to stay a step ahead of their adversaries. With RiskIQ's SIS add-on for Splunk, security teams stay several steps ahead of the threat by having the data to detect, correlate, and investigate suspicious activity across their local log data.
RiskIQ is willing to provide a free 14-day trial for commercial organizations with a verified RiskIQ Community account. To request access to see if you qualify, please fill out this contact form.
The tens of thousands of RiskIQ and Splunk users can also access the other Splunk offerings leveraging RiskIQ data directly from Splunkbase. Find detailed support information on our RiskIQ Interlock Partner Page here.
