Splunk .conf23 Highlights the Benefits of Automation and AI

It’s not the most intuitive thing, but sometimes you just need to take some time away from your desk to find out how to get time back in your workday. Las Vegas in July turned out to be a good place for that. Fortunately, for the security engineers and analysts who attended .conf23 this year, they were able to learn about many ways that advances in automation and AI could save them time with threat detection, investigation and response.

Splunk itself announced many new automation and AI-related features. For example, they introduced their newly renamed Splunk AI Assistant (formally SPL copilot), a preview feature that allows users to search their data using plain English. It translates prompts into query ideas within the Splunk interface and provides explanations for generated SPL queries in plain English.

Splunk also announced Attack Analyzer, which automates threat analysis by directly submitting identified samples for analysis. Splunk executes the threats in a safe environment and then provides a comprehensive view of attack details. 

Similarly, Splunk announced new AIOps capabilities including their Machine Learning Toolkit (MLTK) and the Splunk App for Data Science and Deep Learning (DSDL), to allow SecOps teams to detect and respond to threats more quickly. 

Finally, Splunk announced that it is automating response workflows further with the addition of a playbook editor in Splunk SOAR (Security Orchestration, Automation, and Response). The playbook editor provides a visual platform to create playbooks without coding to help teams streamline and enhance their security operations.

Automate Tuning to Optimize Your SIEM Detection Rules

As one of our solution architects noted, the search for more automation also drove “98% of the conversations” the Picus Security team had with Splunk professionals at .conf23. Many organizations approached Picus to inquire how we could help them to go beyond their time-intensive detection engineering processes. One SOC analyst summed up why folks spoke to Picus in saying, “the primary reason we reached out to you guys is that we're looking at potential solutions for automation for some of the things that we're currently doing right now in a manual process. We're trying to optimize, make it more efficient, cut out some of the low hanging fruit so that we can put the brain power to the hard problems that are required.”

At .conf 23, engineers repeatedly told us how they have a Splunk optimization initiative in their action plan every year, but they don’t get to it. A primary reason is that detection engineering remains stubbornly manual. With Splunk it also requires specialization and expertise, which limits the number of staff that can research, test and improve existing detection rules or create new ones.

Fortunately, the AI and automation in the Picus Detection Rule Validation (DRV) solution can reduce the time it takes to do detection engineering tasks from months to minutes. For example, Picus DRV uses AI to automatically map your rules to attacker tactics and techniques outlined in the MITRE ATT&CK framework so you clearly understand what your rules will detect. It also allows you to reduce false positives by tuning noisy detection rules. 

Additionally, you can leverage  Picus Security Control Validation (SCV), a breach and attack simulation (BAS) solution, to simulate existing and emerging threats. With Picus SCV, you can automatically and continuously validate your detection efficacy and easily identify critical detection gaps. Picus SCV not only allows you to quickly identify attacker techniques that you aren’t detecting but it also provides you with direct recommendations to improve your logging and alerting capabilities so that these malicious activities could be detected going forward.

The ROI of Automation and AI

Engineers at .conf23 consistently told us that they don’t have a good grasp of how their detection rules are working. Without automation, they are stuck between a lack of resources and an overwhelming number of competing priorities to be able to maintain their detection rules. This is why we continue to invest in solutions like Picus DRV and SCV that help automate those tedious tasks.

To turn the conversation on its head, ask yourself, how much are you spending on maintaining your SIEM? If it’s virtually nothing, and you are getting poor outcomes from your SIEM, then you should probably expect poor outcomes to continue. Next ask yourself how much you spend on your SIEM overall. It is probably a significant amount. To put that expense in perspective, consider what percentage of your overall security budget you spend on your SIEM. I’m sure it’s meaningful. The news from .conf23 is that Splunk is investing heavily in AI and automation to expand the functionality of your SIEM. Isn’t it time for you to also use AI and automation to optimize that investment?

Maximize Your Splunk Potential: Learn to Optimize Threat Detection & Enhance Performance