Splunk SOAR low-code tool bridges IT automation gaps

Splunk's security orchestration tool bolstered low-code integration features this week, which in the case of Lockheed Martin eased self-healing IT infrastructure tasks as well.

Amid a rash of high-profile cybersecurity breaches, vendors such as Splunk are racing to polish their security orchestration tools for a growing audience.

This week, Splunk's cloud-based security orchestration, automation and response (SOAR) tool broadened its low-code IT automation features in a move meant to increase the product's appeal in a crowded and cutthroat IT security market. The new Splunk SOAR App Editor offers a centralized low-code UI where users can create and edit apps that orchestrate integrations with third-party tools. Previously, such custom apps could be created only by engineers deeply familiar with the Python programming language and cloud-native infrastructure tech.

"The low-code/no-code approach is fundamental," said Christopher Kissel, an analyst at IDC. "Trying to do SOAR and then having to go get a Python expert doesn't make any sense. You have to be able to drag and drop or have prompts for different filters and fields."

Low-code and no-code interfaces are especially relevant as companies migrate to cloud and increasingly rely on remote work as a result of the COVID-19 pandemic while contending with increased security threats, Kissel added.

"Last year when people immediately had to establish working groups to get to VPNs and certain applications, and you couldn't do it through a monolithic Security Operations Center, it was an important use case for SOAR," he said. "Low-code and no-code [interfaces] give that speed and agility."

Lockheed Martin puts Splunk SOAR to work on IT automation

For one major Splunk SOAR customer, that speed and agility were put to use by a DevOps team for security and non-security tasks alike.

Aerospace company Lockheed Martin Corp., based in Bethesda, Md., previously used a set of homegrown scripts coded in Python to link Splunk SOAR, ServiceNow IT service desk and Ansible IT automation software via AWS Lambda functions to automatically update infrastructure in response to Splunk monitoring alerts. It also used the integrations to automatically address endpoint issues such as failed Windows drivers on employee workstations via a digital experience management utility called Tachyon.

"There was nothing wrong with it, except [it took] 448 lines of code," said William Swofford, cybersecurity systems engineer at Lockheed Martin, in a Splunk .conf presentation this week. "We had to be static for that use and that use only -- to reuse that code would have been a little difficult. We could have done it, but we would've had to do a lot of work to do so."

With the new low-code Splunk SOAR App Editor, however, Lockheed engineers were able to re-create those integrations using a drag-and-drop interface without writing any code, which provides a path for the average technical person at the company to develop sophisticated IT automation workflows, according to Swofford's co-presenter, David Walker, chief architect at Lockheed.

Moreover, other teams will more easily be able to reuse those custom apps for their own purposes, according to Walker.

"Sharing of code, visual code, being able to reuse [things] quickly -- that was key," he said. "Why re-code when we can reuse?"

Splunk security tools bolster analytics

Splunk SOAR App Editor was among several updates to Splunk's security products this week. Others included the first integration between the Splunk Enterprise Security (SES) security information and event management (SIEM) tool and the IP Splunk acquired with threat intelligence vendor TruSTAR in May. TruSTAR will send insights and alerts into the SES UI with this week's release.

TruSTAR adds security analytics and automated anomaly detection that will enable Splunk's SIEM to better scrutinize individual user behavior for suspicious activity, according to IDC's Kissel.

"It's not integrated on their backplane for SES right now, but that's supposed to be in the next edition," Kissel said. "It normalizes and synthesizes information from threat intelligence feeds, transforms it and throws it back over to the SIEM."

TruSTAR IP will help keep SES competitive against emerging extended detection and response (XDR) products from vendors such as Elastic Inc. and Uptycs. Experts still debate how SOAR, SIEM and XDR product competition will shake out, but regardless of what technical category they fall into, security automation vendors face pressure to expand endpoint and user behavior monitoring features, Kissel said.

"We're still trying to define XDR -- it's sort of tricky," he said. "But if you're thinking about ... detection and response, refined alerts that cut down on false positives and get to a closer indicator of compromise, Splunk is pulling that together through TruSTAR and [other acquisitions]."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.