Solution Brief

SecureAuth & Splunk

Discover security threats early with SIEM-powered insights

The Challenge

The ongoing fight against cyber criminals has forced security professionals to automate much of their cyber threat detection. However, this automation has not been an easy task – the attack surface spans a remote workforce, cloud platforms like AWS or Azure, hundreds of SaaS apps, and often applications built in-house with a set of API endpoints.

To build an automated security alert system, IT security teams must first mesh and analyze multiple data sources to understand how each entity interacts with the rest of the ecosystem. User identity and user behavior patterns are a key component of this analysis; they are critical in identifying emerging or persistent cyber risks within the organization’s distributed, multi-cloud IT ecosystem.

The Solution – SIEM and IAM integration

SecureAuth has partnered with Splunk to provide a detailed view into what cyber risks the organization may face.

The integration with Splunk allows SecureAuth IAM SaaS to bring identity security data and authentication events into the Splunk Cloud platform. From there, the IT security team has immediate access to the SecureAuth Dashboard for Splunk. The Dashboard provides key insights into what authentication events are occurring, what apps are accessed, and what authentication issues or unusual patterns are emerging.

Within Splunk, the IT security team can set up queries to correlate attributes across multiple data sources, with SecureAuth event logs being one of those data providers. Next, the security team will set up alerts that fire when unusual behavior or new patterns start to emerge.

Solution Highlights

  • Connect users to Splunk SIEM with SecureAuth SAML connector for Splunk and make Splunk available through SecureAuth SSO Portal.
  • Protect your Splunk Cloud, your data lake and data analytics platform, with risk-based adaptive MFA.
  • Mesh and correlate data with SecureAuth IAM being the provider of identity security data.
  • Utilize data from Splunk to recognize risk and control user access.
  • Provide a single source of truth of SecureAuth IAM data to every team who needs the data: your IT security, IT / DevOps and help desk teams.
  • Optimize your cloud spend based on the frequency of logins.
  • Decommission or de-provision resources where you see low usage and minimal logins.
  • Analyze MFA utilization across your IT stack and MFA enrollment across your user groups.

Security Benefits of SecureAuth + Splunk

Get Stronger Analytics

With SecureAuth-sourced authentication data, IT security teams can correlate third-party events in Splunk with specific user identities.

Detect Emerging Threats

Uncover unexpected authentication attempts within your IT ecosystems and match them with expected user behavior patterns.

Optimize Performance

Use the SecureAuth Dashboard for Splunk IT to see if specific login flows or MFA device enrollment takes longer than expected.

This diagram shows the SecureAuth IAM + Splunk SIEM integration.
  1. SecureAuth IAM SaaS collects events generated by users, apps, resources, etc.
  2. Through the SecureAuth+Splunk integration these events are pushed to Splunk Cloud or Splunk on-prem.
  3. Blended security data are displayed in the SecureAuth Dashboard for Splunk.
  4. Splunk pushes system-wide user risk scores back to SecureAuth IAM for processing.

The combination of SecureAuth and Splunk

SecureAuth Dashboard for Splunk provides unprecedented user access visibility into your enterprise resources such as VPN and ADC, cloud application access as well as on-prem applications.

Resources

SecureAuth Splunk App at Splunkbase
SecureAuth Dashboard – sample queries
