You asked, and we listened: NodeZero now offers an app via Splunkbase, enabling you to leverage NodeZero and the attacker’s perspective to improve the effectiveness of your Splunk deployments and ensure you’re logging the right data to get the most out of Splunk.
The NodeZero app for Splunk enables you to automate pulling data from NodeZero APIs and ingesting it into Splunk Cloud Platform. The app will integrate with the Splunk user experience to help users:
- Find, fix, and verify logging blind spots
- Decide where to increase and decrease logging based on the criticality of the host
- Take inventory of assets and reconcile the attacker’s perspective of your cyber terrain
Splunk administrators are often under pressure to maximize their license value – it’s often impossible to log everything, so how do you know if you are expending resources appropriately to ensure you’re logging the right data? NodeZero can help identify where logging is most needed, so your resources are deployed for maximum impact.
NodeZero maintains an action log of every command it has executed during a pentest. The NodeZero App for Splunk offers insights to identify blind spots in logging and create a fast feedback loop to find, fix, and verify missing data by using the action log to highlight what should have been detected when particular exploits were executed.
Identifying critical hosts
Not all hosts are critical. Some are important enough to log everything, while others may not have access to data or critical systems and thus have less requirements for logging. NodeZero is able to identify risk on specific hosts with context. For Example: A “low” criticality server in the CMDB might have enabled an attack path where NodeZero ultimately achieved Domain Admin – NodeZero would dynamically reclassify this host as CRITICAL risk based on the proven attack path and impact during a pentest operation.
You’ll be able to use the attacker’s perspective provided by NodeZero to inform your logging strategy with Splunk.
Combining the attacker and defender perspectives
NodeZero inventories every reachable host within your environment during a pentest. This can often easily reveal a blind spot: are all those hosts seen in Splunk? Often organizations will find hosts they didn’t know existed, were unaware had been added, or even rogue devices that aren’t known to anyone (shadow IT). Using the app, you’ll be able to reconcile NodeZero discovered hosts with existing IT assets in Splunk – marrying the traditional and attacker’s perspective to achieve greater insight.