Enriching SOC Investigations With Cloud Security Insights: VMware Secure State App For Splunk

Bhanu Agarwal
Technical Product Manager, Cloud Security
Mar. 24, 2020
6 minute read

In modern organizations, effective cloud security management is dependent on the collaborative effort among a large number of IT, engineering, and security teams. Each team plays a critical role in achieving the overarching goal of protecting the enterprise. In this shared responsibility model, the flow of consistent and accurate information about cloud configurations to all stakeholders is imperative for success.

Our goal at VMware Secure State is to enable each team to effectively understand and mitigate cloud security risk. We want to make cloud security intrinsic to the software lifecycle. We do this by providing a broad range of integrations, ranging from APIs that DevOps use to integrate our findings with their CI/CD pipelines to CSV reports that vulnerability management and compliance teams can use for follow-ups with service owners.

Today, we’re announcing another addition to our list of supported integrations—a native VMware Secure State app for Splunk—which brings the cloud security findings backed by our inter-connected cloud security model to Splunk, a powerful reporting and threat management engine. This blog post outlines how this new integration can empower your security teams.

Meeting each security stakeholder where they are

While multiple teams (Security Operations Center, Governance Risk & Compliance, Vulnerability Management, DevOps, IT Operations, etc.) work together to ensure cloud security, each team has its preferred set of tools needed for its day-to-day operations. At Secure State, we seek to enrich each team’s existing workflows and tools with cloud security insights so that they can continue to focus on their core priorities, while gaining the necessary cloud security context. 

To this end, we support a variety of integrations: email, Slack, Splunk, SQS, APIs, etc. Slack and email integrations can be used to setup alerts to provide team-wide visibility into new findings. SQS and APIs can be used to integrate with tools such as Jenkins or internal build/test pipelines as part of DevSecOps best practices. The Splunk integration can be used by SOC teams to understand cloud misconfiguration findings during threat investigations.

SOC teams spend a lot of time aggregating information from various sources, such as network devices, servers, and domain controllers, to investigate threats and events. Splunk is a popular SIEM with comprehensive dashboarding, querying, reporting, and automation capabilities. The VMware SOC team also relies on Splunk’s data aggregation and response automation capabilities to create playbooks for various threats. Although SOC teams make use of Splunk for threat investigations, they often lack context on the link between these threats and misconfigurations in their public cloud infrastructure. Common misconfigurations such as unencrypted S3 buckets, weak security group access control policies, or shared SSH keys are frequently correlated with broader attacks. 

VMware Secure State detects these connected security misconfigurations in real-time, and we wanted to bring that power to Splunk. This is why we’re introducing a native Splunk app that can be used to import cloud security findings into the tool of choice for SOC teams, giving them perspective on cloud configuration risk during their ongoing investigations.

A native Splunk app built on top of Secure State APIs

VMware Secure State app for Splunk provides curated dashboards designed for understanding cloud security findings and misconfigurations. SOC teams can use the app to view customizable visualizations that present an overview of their cloud misconfigurations, along with the capability to create custom queries to gather deep insights using Splunk’s query language. This provides SOC teams with the essential cloud visibility needed during investigations. The app utilizes VMware Secure State’s public APIs to export the data to Splunk and combines it with Splunk’s native visualization and reporting capabilities.

During a threat investigation, SOC teams want to view the recent VSS findings and drill down to see the details of the violating objects. The Violations Overview dashboard provides a starting point for such analysis, displaying distributions of violations by severity, rule, cloud accounts, service, etc. in a selected time range with the drill-down capability to do root cause analysis. By scoping the findings to the time range of the threat under investigation, SOC teams can quickly narrow down on the objects part of the threat. Similarly, when SOC teams investigate cloud resource abuse reports that relate to potential account compromises, they can use this dashboard to point out specific misconfigurations that might have been exploited and even retrace the attacker steps.

Violations Dashboard_0.png

The app also serves as a general cloud security education tool for SOC members. Dashboards visualizing rules, controls, and compliance frameworks, along with a full rule catalog, are included in the app so that security analysts can better understand the meaning of their findings as well as conduct all their research within this single pane of glass.

Rules Dashboard.png

Compliance Dashboard.png

Furthermore, all VMware Secure State data is stored in a Splunk index. Thus, a diverse set of data sources such as network flow logs, access audit trails, etc. can be aggregated and correlated with cloud misconfiguration information to draw a holistic view of enterprise security. 

SOC teams can also integrate these findings from cloud misconfigurations with SOAR tools such as Phantom to write response automation and playbooks to take the steps involved in risk mitigation. Finally, new visualizations can be created, and existing dashboards can be enhanced with cloud security playing an important role in the bigger security picture.

Continuing API first Development

VMware Secure State App for Splunk is another step toward bringing the cloud security perspective to every team and individual who owns security in the distributed responsibility world. It’s yet another example of how our APIs can be used to integrate with internal or 3rd party tools. Over the next few months, we will continue to expand upon our API capabilities and integrations natively supported, providing greater visibility into your cloud infrastructure within your favorite tools and platforms.

You can learn more about VMware Secure State here, download the Splunk app directly on Splunkbase, and can check our API documentation