As most of you reading this will be well aware, a SIEM, or Security Information and Event Management system, is an approach to managing security and cyber threat detection/response that combines SIM (security information management) and SEM (security event management) functions into a single cybersecurity system.

In the never-ending, mostly-losing battle against cybercrime, SIEMs have become one of the few approaches to have proven truly valuable to companies that desire effective, meaningful threat detection, response and mitigation.

SIEMs most often allow for the aggregation of myriad data sources and feeds from low-level hardware logs to 3rd party threat identification feeds to application outputs and everything in between. In doing so, they let their users detect anomalies and act on alerts and observations faster across entire enterprise networks.

One of the most immediately-fruitful ways SIEMs can help network administrators and cybersecurity analysts is at the boundaries of enterprise networks along the endpoints, apps, and APIs that define most modern businesses. By helping identify and repel attacks and by turning away connections with malicious intent, businesses can markedly improve their chances against cyber threats and greatly reduce risk to valuable corporate assets – before they get inside their walls.

What’s the key to using a SIEM in this way? Well, by knowing what connections and clients are most likely to be cyber “baddies” in the first place.

Using our Musubu IP data and cyber threat info APIs as an everyday input to your SIEM allows your operators to easily spot IPs that have participated in botnets, phishing, ransomware, and more, then immediately blacklist them so they don’t get through.

Now, you may be saying, “Sounds great, but I don’t have time to integrate that solution into my SIEM.” Well, read on and we’ll show you just how quick and easy it is to bring our cyber threat data, keyed by IP address, into one of the most ubiquitous and powerful SIEMs on the market today, Splunk.

Using Splunk as a SIEM with IP Data to Respond to Cyber Threats Faster

Splunk has been one of the most successful, most helpful network, app, and security monitoring tools of the last decade. Nowadays, network and security personnel are realizing its full potential as a SIEM that allows for visibility across every networked asset in their enterprise so anomalies and threats can be instantly identified and acted upon.

According to Splunk’s informative white paper “ADOPTING SPLUNK’S ANALYTICS-DRIVEN SECURITY PLATFORM AS YOUR SIEM,” here’s what makes up a good SIEM (and why theirs is so useful):

New Criteria for Today’s SIEM

Enterprise security teams must use a security information and event management (SIEM) solution that not only solves common security use cases, but advanced use cases as well. To keep up with the dynamic threat landscape, modern SIEMs are expected to be able to:

• Centralize and aggregate all security-relevant events as they’re generated from their source

• Support a variety of reception, collection mechanisms including syslog, file transmissions, file collections, etc.

• Add context and threat intelligence to security events

• Correlate and alert across a range of data

• Detect advanced and unknown threats

• Profile behavior across the organization

• Ingest all data (users, applications) and make them available for use — monitoring, alerting, investigation and ad hoc searching

• Provide ad hoc searching and reporting from data for advanced breach analysis

• Investigate incidents and conduct forensic investigations for detailed incident analysis

• Assess and report on compliance posture

• Use analytics and report on security posture

• Track attackers’ actions with streamlined ad hoc analyses and event sequencing

• Centrally automate retrieval, sharing and responses across the security stack

• Assess threats from the cloud, on-premises and hybrid apps and data sources

Since Splunk’s SIEM covers all the bases on the above, it makes it especially good at identifying and controlling access to network endpoints, apps, sites, and APIs for better security before threats get in your front door.

That is, if you have the right data plugged into Splunk.

Using our Musubu IP and Cyber Threat Info API in Splunk allows you to see whether any IP address that contacts any of your corporate networks or endpoints is potentially malicious.

[Image: partial Musubu API output; the full API data output listing is linked from the image]

We even show you, by IP, what type of cyber badness is associated with the calling IP and how much cyber badness has been observed (a lot or a little).

From there, it makes it very easy to update firewall rulesets to blacklist offending traffic and, voila, your enterprise is a little bit safer.

Getting our API data into Splunk is a breeze. Splunk’s platform makes it easy to collect data from RESTful web service APIs, bringing 3rd-party data sets into sharp visibility in your SIEM.
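As an added example of the workflow described above (this is not Musubu’s or Splunk’s own code), here is a small Python enrichment pipeline: firewall log lines are matched against an IP reputation lookup, emitted as key="value" events that Splunk’s default field extraction can index, and any source whose threat score crosses a threshold is collected for a firewall deny rule. The log lines, the lookup function and its field names (threat_types, score) are constructed stand-ins for this example, not the real API’s format or endpoint; a real integration would replace fake_lookup with an HTTP GET carrying your API key and use the field names from the API documentation.

```python
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample firewall log lines for this example (not real traffic).
# The 203.0.113.0/24 and 192.0.2.0/24 documentation ranges stand in for
# public addresses; 192.168.1.20 is an internal host; one line is malformed.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 accept src=203.0.113.5 dst=198.51.100.10 dport=443",
    "Jan 10 12:00:02 fw01 accept src=192.168.1.20 dst=198.51.100.10 dport=443",
    "Jan 10 12:00:03 fw01 accept src=203.0.113.99 dst=198.51.100.11 dport=22",
    "Jan 10 12:00:04 fw01 accept src=not-an-ip dst=198.51.100.11 dport=22",
    "Jan 10 12:00:05 fw01 accept src=192.0.2.44 dst=198.51.100.11 dport=22",
    "Jan 10 12:00:06 fw01 accept src=203.0.113.5 dst=198.51.100.11 dport=22",
]

# Offline stand-in for the vendor's reputation lookup. The field names
# (threat_types, score) and the 0-100 score scale are assumptions made for
# this example; take the real ones from the API documentation.
FAKE_THREAT_DB: Dict[str, dict] = {
    "203.0.113.5": {"threat_types": ["botnet", "phishing"], "score": 87},
    "203.0.113.99": {"threat_types": [], "score": 3},
}


def fake_lookup(ip: str) -> Optional[dict]:
    """Return the constructed reputation record for ip, or None if unknown."""
    return FAKE_THREAT_DB.get(ip)


SRC_RE = re.compile(r"\bsrc=(\S+)")

# Address space that should never be sent to an external reputation service:
# it wastes the daily request quota and reveals internal network layout.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_lookup_candidate(ip: str) -> bool:
    """True only for a syntactically valid address outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def enrich(lines: Iterable[str], lookup: Callable[[str], Optional[dict]],
           block_threshold: int = 70) -> List[dict]:
    """Attach reputation fields to every log line that carries a src= address.

    Lookups are cached per IP, so a chatty source costs one API call per run.
    Lines whose source is internal or malformed are kept but marked unchecked."""
    cache: Dict[str, Optional[dict]] = {}
    events: List[dict] = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        event = {"raw": line, "src": ip, "threat_checked": False,
                 "threat_types": "none", "threat_score": 0, "block": False}
        if is_lookup_candidate(ip):
            if ip not in cache:
                cache[ip] = lookup(ip)
            # An IP the service has never seen is treated as score 0, not as an error.
            info = cache[ip] or {"threat_types": [], "score": 0}
            event["threat_checked"] = True
            event["threat_types"] = ",".join(info["threat_types"]) or "none"
            event["threat_score"] = int(info["score"])
            event["block"] = event["threat_score"] >= block_threshold
        events.append(event)
    return events


def to_splunk_kv(event: dict) -> str:
    """Render an enriched event as a key="value" line for indexing."""
    fields = ["src", "threat_checked", "threat_types", "threat_score", "block"]
    return " ".join(f'{k}="{event[k]}"' for k in fields)


def blocklist(events: Iterable[dict]) -> List[str]:
    """Distinct source IPs over the threshold, ready for a firewall deny rule."""
    return sorted({e["src"] for e in events if e["block"]})


if __name__ == "__main__":
    enriched = enrich(SAMPLE_LOGS, fake_lookup)
    for e in enriched:
        print(to_splunk_kv(e))
    print("block:", blocklist(enriched))
```

The threshold is deliberately a parameter: how much observed “badness” justifies an automatic deny is a policy decision, and a low-score hit is better surfaced as an alert for an analyst than blocked outright. The cache and the internal-address filter are the two checks most often forgotten when wiring a per-request API into a log pipeline, and both are cheap to keep.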

[Image: Splunk collecting data from RESTful web service APIs]

First, head over to our Musubu API pricing page and buy the right-size plan that fits your IP address lookup needs:

https://musubu.io/pricing/

Checkout is fast and easy with Stripe right there on the page and, for most companies, our $29 API plan is more than sufficient for their needs at an almost-giveaway price. You can always upgrade for more requests per day if needed later on down the road.

Once you check out, look for your API key in your email and reply to us with a whitelist of the IPs that will be calling our APIs (we do security this way too, you know!).

Then just log in to your Splunk instance and follow their simple, easy-to-follow directions. I’ve included them here in toto as a PDF; just click the image below to configure our APIs in your Splunk SIEM:

[Image: configure Splunk to call a RESTful web service API (links to the PDF directions)]

Got Questions or Want to Buy Now?

Buy your Musubu API plan here or fill out the form below to get more info on how to use Splunk as a SIEM with Musubu IP and Cyber Threat API:


About the Author

Wayne Wheeles

Wayne Wheeles is a serial entrepreneur and is most recently the CEO of Release 2 Innovations LLC. Seasoned by over two decades of experience and results in network forensics, insider threat detection, and information security, Wayne’s work spans multiple disciplines and several technology-related industries. Wayne is a proven practitioner with extensive hands-on experience in the fields of network security thought leadership, client implementation stewardship, and product development direction. Prior to establishing Release 2 Innovations, Wayne served as an industry thought leader who built three of the top cybersecurity practices in the Commercial and Federal industries. Wayne continues to serve as a developer, practitioner, and liaison between commercial and federal clients with the development and sales teams. Wayne has served in a variety of roles and has been recognized for developing and delivering solutions which have yielded measurable results for clients. He has been independently identified and recognized as a thought leader in big data, analytics, and cybersecurity. His merits would include being a member of the Cloudera Champions of Big Data and in consideration for the President’s Council on Cybersecurity. He is a tireless serial entrepreneur who has repeatedly built "future proof" process-oriented commercial and federal cybersecurity teams.
