3 Steps to Improve Your AppSec Using ThreatX and Splunk Phantom

PUBLISHED ON July 16, 2020
LAST UPDATED August 2, 2021

Modern AppSec and security teams face enormous challenges of scale when it comes to their daily workload. Organizations need to secure more applications and APIs than ever before, and those apps and APIs are under constant attack from increasingly sophisticated methods. Security staff has to parse and analyze an avalanche of alerts and data to stay ahead of bad actors and continuously improve the security posture of their organization. Collectively, this is a perfect storm that can put even the best security teams under intense strain.

That strain is starting to show! A recent survey found that 83% of cybersecurity workers felt overworked, and 82% of their teams were understaffed. And with the shortfall in cybersecurity talent expected to hit 3.5 million in 2021, we as an industry aren’t going to solve this problem by throwing people at it.

The combination of ThreatX and leading Security Orchestration, Automation and Response (SOAR) tools such as Splunk Phantom gives AppSec teams the force-multiplier they need to vastly improve their security posture while also reducing their operational workload.

We’ve teamed up with Splunk to break it down for you:

Step 1: Better Security and Reduced Sprawl with ThreatX

As the security landscape has evolved, many organizations have acquired a wide variety of specialized security tools that require their own configuration and maintenance and generate their own alerts and logs. Even many supposedly integrated solutions rely on multiple independent modules that behave like separate products. This increases the management overhead on staff and creates the tedious problem of correlating and analyzing logs and alerts from multiple sources of truth, all to get a complete view of risk.

ThreatX brings an Easy Button to this problem. Our WAAP++ platform is a truly unified approach to AppSec that covers all types of threats. Instead of separate solutions for WAF, behavioral analysis, anti-bot protection, DDoS mitigation, and API protection, ThreatX provides a single platform. Just as importantly, ThreatX brings together a wide variety of analytical and detection techniques to deliver a continuously updated view of risk. This means that application profiling, attacker profiling, fingerprinting, active interrogation, and deception techniques all work as a unified detection engine. We track suspicious and malicious activity in real-time and deliver a single verdict on a potential threat, resulting in fewer tools to manage. With ThreatX, the endless monotony of manually correlating alerts can finally become a lost art!

Step 2: Enriched Intelligence with ThreatX and Splunk Phantom

Information within ThreatX can also be invaluable for use in investigation and response workflows. Through our integration with Splunk Phantom, security analysts and staff can automatically leverage the unique intelligence and context in the ThreatX platform.

For example, ThreatX discovers and maintains extensive information on each entity that interacts with a protected application, including a variety of low-level traits and behaviors that uniquely identify the entity. Using the Splunk integration, this entity profile can be shared with other systems to inform both defensive and forensic actions. The ThreatX/Splunk Phantom integration delivers a unified, up-to-date view of an entity’s total risk to the organization. And this can all be integrated into custom or pre-built investigation playbooks for malware, command-and-control, ransomware, and more.

Step 3: Automatically Adapt and Defend with ThreatX and Splunk Phantom

In addition to investigations, security teams can use the combination of ThreatX and Splunk Phantom to take automated and proactive action when threats are detected. ThreatX provides the inherent ability to take action against hosts. The Splunk Phantom integration allows security teams to extend ThreatX enforcement decisions to other tools in their defense arsenal.

For example, the integration can allow any system such as a network firewall to block or unblock an IP address based on information from ThreatX. Likewise, specific hosts can be dynamically added to blacklists or whitelists. These designations can also be triggered to adapt based on ThreatX’s internal risk score. This means that as risk rises for a particular entity, it can be blocked, and it can likewise be automatically unblocked once the threat has passed. This saves staff the often-manual work of cleaning up after a blocking incident.
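The block-then-release behaviour described above, written out as an added example of the decision logic a playbook step could apply; this is not ThreatX's or Splunk Phantom's own code, and the thresholds, event shape and IP addresses are assumptions constructed for illustration:

```python
from dataclasses import dataclass, field

# Hypothetical thresholds (an assumption, not ThreatX or Phantom defaults): block when an
# entity's risk score reaches BLOCK_AT, release only once it falls to or below RELEASE_AT.
# The gap between the two prevents block/unblock flapping as a score hovers near a limit.
BLOCK_AT = 80
RELEASE_AT = 40


@dataclass
class BlockState:
    blocked: set = field(default_factory=set)   # IPs currently blocked on the firewall
    log: list = field(default_factory=list)     # (action, ip, risk) tuples, in order


def playbook_step(state, event):
    """Decide the firewall action for one risk-score update.

    `event` mimics the shape of an entity update a playbook might receive
    (constructed for this example): {"ip": "...", "risk": 0-100}.
    Returns "block", "unblock" or None and records any action taken.
    """
    ip, risk = event["ip"], event["risk"]
    if ip not in state.blocked and risk >= BLOCK_AT:
        state.blocked.add(ip)
        state.log.append(("block", ip, risk))
        return "block"
    if ip in state.blocked and risk <= RELEASE_AT:
        state.blocked.discard(ip)          # automatic cleanup once the threat has passed
        state.log.append(("unblock", ip, risk))
        return "unblock"
    return None  # inside the hysteresis band: leave the current designation alone


def run_playbook(events):
    """Replay a stream of risk updates and return the resulting block state."""
    state = BlockState()
    for ev in events:
        playbook_step(state, ev)
    return state


# Constructed sample stream of risk updates for two entities (documentation-range IPs).
SAMPLE_EVENTS = [
    {"ip": "203.0.113.7", "risk": 55},
    {"ip": "203.0.113.7", "risk": 85},   # crosses BLOCK_AT -> block
    {"ip": "198.51.100.9", "risk": 60},
    {"ip": "203.0.113.7", "risk": 60},   # still above RELEASE_AT -> stays blocked
    {"ip": "203.0.113.7", "risk": 30},   # drops to RELEASE_AT or below -> unblock
    {"ip": "198.51.100.9", "risk": 95},  # block
]

if __name__ == "__main__":
    for action in run_playbook(SAMPLE_EVENTS).log:
        print(action)
```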

Two great products, three easy steps, one massively improved security posture!

What I covered above represents some of the most common examples of how security teams automate and integrate via ThreatX and Splunk Phantom. The advantage for organizations is two-fold:

  • a unified view of risk, and
  • an overall better security posture!

If you’d like to learn more about ThreatX and our integration with Splunk Phantom, schedule a ThreatX demo and let us show you how it works.

About the Author

Tom Hickman

Tom has a long track record of building and scaling product delivery capabilities at mid- and growth-stage startups. He served as the VP of Engineering at Edgewise Networks, where he led engineering through early releases of Edgewise’s zero-trust micro-segmentation product. While at Veracode, a leader in AppSec, Hickman led engineering through an Agile transformation and helped the company become a true multi-faceted AppSec platform prior to its acquisition by CA Technologies in 2017. Tom holds a B.S. degree in mechanical engineering from the Georgia Institute of Technology.