Security

Splunk takes security investigations one level deeper. Instead of just monitoring log data, you can also run Splunk as a forwarder on your boxes to regularly index run-time information, such as the running processes, or the open ports and network connections. In addition, by running Splunk on your machine, you can also monitor the file system of your machines. This additional information greatly helps investigate security incidents and gather additional information.

The Splunk for Network Security application is a way to get you started with your network security needs. The application contains a variety of searches, reports, dashboards, and alerts to provide visibility into your network, and also help monitor for specific violations.

IT search for security

• Consolidated view across diverse set of consoles / solutions
• Consumes any data source:
  • logs, multi-line logs, files
  • host data: running processes, open ports
• Threat landscape has changed
  • Application layer data
• Unification of security - network mgmt - system mgmt
• Re-use security data for other use cases
• Very fast, ad-hoc investigations
• Knowledge accumulation
• Automate activities through alerts
• Analyze transactions instead of individual events
  • For example to reflect application logic
• Visualization and graphical reporting of security posture
• Correlation of heterogeneous events

Customer Splunk for security uses

• Firewall data correlation
• IDS - firewall correlation
• Insider threat detection
  • Precursor analysis
  • Role-based monitoring (e.g., through transactions)
• Security policy monitoring
• Traffic flow (e.g. NetFlow) analysis (e.g., for DoS attacks)
• Utilize Splunkbase to share the knowledge