Cybersecurity is an enormous data problem: the growing volume and complexity of data flowing into and out of enterprises have created new cybersecurity challenges. Existing SIEM solutions can't scale with the rate of data growth without taxing security budgets and draining existing resources.
Today, cybersecurity company Hunters is announcing the availability of its SOC Platform for Databricks customers. For the first time, Databricks customers will be able to run an end-to-end security operations platform on their own Databricks Lakehouse Platform deployments, while retaining the flexibility of owning all the data and being able to build their own additional security analytics on the Lakehouse.
Hunters SOC Platform is a modern SIEM alternative that ingests, normalizes and analyzes data from all security data sources of an organization, including endpoint telemetry, network traffic, identity management, and cloud infrastructure. Not only does Hunters provide a wide variety of security-related data integrations, but the platform also identifies threats in real time across the attack surface and provides security teams with prioritized incidents to handle, reducing the time needed to contain and remediate threats to the organization.
What can Databricks customers do with Hunters to create even more value?
Build a Security Data Lake
One of the biggest burdens on security teams today is managing the ingestion of terabytes of data from dozens of security products. Hunters eases this process with a state-of-the-art engine that provides scalable ingestion, monitoring and optimization. Moreover, it comes prebuilt with a large library of off-the-shelf integrations that can be set up in minutes.
Hunters SOC Platform ingests and performs the ETL of all security-related data into the customer's Databricks Lakehouse using the customer's cloud storage: the customer retains ownership of all the security data. The Hunters ETL follows the Databricks Medallion Architecture model, storing the raw data and also normalizing the data into a unified schema that facilitates further analysis. While Hunters already provides a rich set of analytical capabilities, customers with advanced cybersecurity analytics teams can extend the Hunters capabilities by leveraging Databricks Data Science and Machine Learning capabilities and the partner technologies in the Databricks ecosystem. For example, many customers have AI/ML models for detecting threats that are highly specific and customized to their particular organizational context (e.g., insider threats). Such detections are so specific that it doesn't make sense for a vendor like Hunters to build them into its product. Hunters provides the flexibility for customers to leverage the Databricks Lakehouse for such use cases.
Detect and Investigate Incidents
Hunters provides a library of hundreds of built-in detection rules that cover the majority of the threat landscape, mapped onto a common industry framework (MITRE ATT&CK). This allows customers to visualize coverage and understand their security gaps. All detection rules are pre-verified on real-world customer data to minimize false positives and excessive alerting. The detection rules are deployed directly to all customer tenants without requiring any action or tweaking, thereby automatically reducing cybersecurity risk with little operational overhead.
Each alert also passes through an investigation engine, where it is automatically enriched with contextual information from various sources, and sophisticated dynamic scoring is applied to it to reduce alert fatigue. Not all alerts from the same detection logic require the same urgency. For example, alerts that involve sensitive assets (e.g., C-level executives, domain servers, etc.) are prioritized, and the risk for known benign behaviors is lowered (e.g., an executable IoC signed by Microsoft). Addressing the priority of alerts or incidents with dynamic scoring helps security teams manage their SOC workloads more efficiently.
When the SOC analyst gets to an alert, all contextual information is provided in a single pane of glass to expedite triage and investigation. The contextual information goes beyond 'simple' enrichment of IP addresses with threat intelligence feeds, to deep correlation such as linking the user name in a CrowdStrike EDR alert with login records from the Okta authentication logs. Hunters' deep correlation capability is powered by a graph correlation engine: alerts across entities and attack surfaces are automatically correlated on a graph. This graph correlation capability allows Hunters to highlight high-fidelity threat activity and gives analysts the flexibility to leverage low-fidelity alerts that are often missed, without generating additional noise.
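To make the two ideas above concrete (context-dependent scoring of alerts from the same detection logic, and correlating an EDR alert with Okta login records by user name), here is an added illustration in plain Python. It is not Hunters' or Databricks' code; the alert and login records, the sensitive-asset lists, the trusted-signer set and all score weights are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample records (not Hunters or Databricks data): two alerts from the
# same EDR detection logic and a handful of Okta authentication events.
EDR_ALERTS: List[Dict] = [
    {"id": "a1", "rule": "suspicious_exec", "user": "jdoe", "host": "ws-042",
     "signer": "Microsoft Windows"},
    {"id": "a2", "rule": "suspicious_exec", "user": "cfo", "host": "dc01",
     "signer": None},
]
OKTA_LOGINS: List[Dict] = [
    {"user": "jdoe", "ip": "198.51.100.10", "result": "SUCCESS"},
    {"user": "cfo", "ip": "203.0.113.7", "result": "FAILURE"},
    {"user": "cfo", "ip": "203.0.113.7", "result": "FAILURE"},
    {"user": "cfo", "ip": "203.0.113.7", "result": "SUCCESS"},
]

# Assumed context tables; a real deployment would derive these from HR/CMDB data.
SENSITIVE_USERS = {"cfo"}              # C-level accounts
SENSITIVE_HOSTS = {"dc01"}             # domain controllers
TRUSTED_SIGNERS = {"Microsoft Windows"}
BASE_SCORE = {"suspicious_exec": 50}   # assumed base risk per detection rule


def correlate_logins(alert: Dict, logins: List[Dict]) -> List[Dict]:
    """Deep correlation step: link the EDR alert to Okta events by user name."""
    return [e for e in logins if e["user"] == alert["user"]]


def score_alert(alert: Dict, logins: List[Dict]) -> Tuple[int, List[str]]:
    """Dynamic scoring: same detection logic, different urgency per context."""
    score = BASE_SCORE.get(alert["rule"], 30)
    reasons: List[str] = []
    if alert["user"] in SENSITIVE_USERS or alert["host"] in SENSITIVE_HOSTS:
        score += 30                    # sensitive asset raises priority
        reasons.append("sensitive asset")
    if alert.get("signer") in TRUSTED_SIGNERS:
        score -= 25                    # known benign behaviour lowers risk
        reasons.append("trusted signer")
    failed = sum(1 for e in correlate_logins(alert, logins) if e["result"] == "FAILURE")
    if failed >= 2:
        score += 15                    # repeated auth failures for the same user
        reasons.append(f"{failed} failed Okta logins")
    return max(0, min(100, score)), reasons


def triage_queue(alerts: List[Dict], logins: List[Dict]) -> List[Tuple[str, int]]:
    """Order alerts by score so analysts see the highest-risk one first."""
    scored = [(a["id"], score_alert(a, logins)[0]) for a in alerts]
    return sorted(scored, key=lambda x: x[1], reverse=True)
```

Both alerts come from the same rule, yet the Microsoft-signed executable on a workstation drops to a low score while the unsigned one on a domain controller, whose user also had repeated Okta failures, rises to the top of the queue.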
For incidents requiring investigations by multiple organizations, including third-party service providers and/or government agencies, Databricks provides clean rooms where collaborating investigators can jointly investigate an incident using the relevant subsets of data and the custom analytics that may be proprietary to the different organizations.
Search & Incident Response
Having all your security data stored in a modern data lake has great advantages for incident responders, and for anyone who wants to gain insights from vast amounts of data.
Using Hunters and Databricks, customers can not only store petabytes of data, but also make use of them in their day-to-day investigations and in their most critical incidents. Some capabilities that support this are the following:
- IOC Search: Purpose-built search capability that allows responders to search all organizational data ingested by Hunters that resides on the Lakehouse for IOCs (IP, domain, hash) in seconds, from within the SOC Platform itself.
- Entity Search: Makes it easy to see all information about an entity in the environment in a centralized place. For example, from one suspicious login alert, customers can easily pivot to see the latest logins of the user in question across all endpoints, cloud infrastructure, and SaaS providers. In the same user interface, a responder can observe which alerts the user in question was involved in, and what their role in the organization is. Entity-related views create large efficiency and productivity gains for security teams.
- Raw data access: all your security data is available for you to dive into as you see fit, both from within the Hunters console and from your familiar Databricks interface. You can run queries on months of data to find that needle in a haystack, create operational dashboards that help expedite investigations, and run your own AI/ML models.
The openness of the Hunters and Databricks integration encourages security teams to innovate in their fight against cyber criminals. The Hunters SOC Platform not only helps security teams do their day-to-day job more efficiently and effectively, but also provides all the data in a Databricks Lakehouse where they can experiment, create, and test their own security analytics and AI/ML models and contribute these back to the cybersecurity community at large. Cybersecurity is a team sport. Let a thousand flowers bloom.
If you want to try Hunters out on your Databricks Lakehouse, please request a demo!