Hello, I'm an elk kuznia, VP of Technology for AlgoSec. In the following few minutes I will demonstrate a new AlgoSec app for incident response that integrates with Splunk. Splunk is used to detect and analyze potential breaches, while AlgoSec manages security policies and augments them with business context.

The new AlgoSec Splunk app enhances and automates incident response in the following ways. AlgoSec highlights the potential impact on business applications and business processes. AlgoSec also adds information regarding the infected server's exposure to the Internet or access to sensitive internal networks. This provides the security analyst with key information about the severity and urgency of the incident. In addition, AlgoSec can automate the action performed to contain the incident, such as automatically isolating the infected server from the network, all in a single click.

Now let's see the new app in action. So here is my Splunk dashboard. Now let's look for some interesting events. So let's assume that this IP address happens to be suspicious for some reason. Under workflow actions I now have a few new actions. Let's take a look at the first one, "Find affected business applications". Clicking on that will open a BusinessFlow window listing all the impacted business applications that are really relevant for this IP address. For example, let's look at this one, the payroll, and we see that the HR Payroll server happens to be the exact server we were looking for. Sounds important. I can also see here the business owners and who the relevant contacts for this application are.

Now let's see what else I have. So you can see here that we also have an AlgoSec incident analysis app action. Clicking on this will open the new AlgoSec Splunk app. You can see here many interesting details about this suspicious IP address. So first, the business impact: we can see here a list of all the business applications that are impacted by this IP address. Here is the payroll application we saw before, and some indication about whether these applications are critical or not; in this case they are. We can also see here "more details", which opens the BusinessFlow window we saw before.

In addition, I can see here additional information about the exposure to the Internet for this server. So you can see that some traffic is allowed, and clicking on the further details I can see the entire information about the connectivity of this server to the Internet: the full path, the relevant firewalls on the path, and even the relevant rules that allowed the traffic and which services are allowed.

So let's say this server is indeed suspicious and we want to disconnect it from the network. I go now to "Isolate server from the network", and clicking on that will issue a new change request to AlgoSec FireFlow to block the traffic to and from this server. Clicking on the details link will open this change request in FireFlow. You can see here that this is a request to block the traffic from and to this server. We can also track the progress of the implementation of this change request.

Now, all these capabilities that we just saw can be used either as is within this Splunk app, or you can pick and choose and incorporate them in your own Splunk apps. Thank you.
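As an added illustration of the Splunk side of this integration (not the AlgoSec app's own configuration), here is a workflow_actions.conf stanza that attaches a field-level link action, like the "Find affected business applications" one shown in the demo, to the src_ip field of search results; the stanza name, the host algosec.example.com and the URL path are placeholders for wherever the analysis app actually lives.

```ini
# Added illustration, not AlgoSec's own configuration.
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/workflow_actions.conf
# A "link" workflow action appears in the field/event menus of search
# results and opens an external URL with the field value substituted in.

[algosec_find_affected_apps]
label            = Find affected business applications
type             = link
# Only offer the action on events that carry this field.
fields           = src_ip
# Show it in both the event menu and the field menu.
display_location = both
# Open in a new tab so the analyst keeps the Splunk search in place.
link.method      = get
link.target      = blank
# $src_ip$ is replaced by Splunk with the value from the selected event.
# Host and path are placeholders; point them at your analysis app.
link.uri         = https://algosec.example.com/businessflow/search?ip=$src_ip$

# Same action keyed on the destination address, so an inbound hit on the
# suspicious server can be pivoted on as well.
[algosec_find_affected_apps_dest]
label            = Find affected business applications (dest)
type             = link
fields           = dest_ip
display_location = both
link.method      = get
link.target      = blank
link.uri         = https://algosec.example.com/businessflow/search?ip=$dest_ip$
```

Restart Splunk or reload the app's configuration after adding the file; the action then shows up under the field's workflow-action menu exactly as the demo shows.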