Splunk Enterprise Security
Advancing analytics-driven security
Detect. Investigate. Respond.
Splunk Enterprise Security (ES) is a premium security solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimizing risk and safeguarding your business. Splunk Enterprise Security streamlines all aspects of security operations and is suitable for organizations of all sizes and expertise.
Whether deployed for continuous real-time monitoring, rapid incident response, a security operations center (SOC), or for executives who need a view of business risk, Splunk ES delivers the flexibility to customize correlation searches, alerts, reports and dashboards to fit specific needs.
Splunk Enterprise Security helps organizations address the following:
- Real-Time Monitoring — Get a clear visual picture of the organization’s security posture, easily customize views and drill down to the raw event
- Prioritize and Act — Gain a security-specific view of your data to increase detection capabilities and optimize incident response
- Rapid Investigations — Use ad hoc search and static, dynamic and visual correlations to determine malicious activities
- Handle Multi-Step Investigations — Conduct breach and investigative analyses to trace the dynamic activities associated with advanced threats
Splunk Enterprise Security runs on top of Splunk® Enterprise or Splunk Cloud. Splunk ES can be deployed as software, as a cloud service, in a public or private cloud, or in a hybrid software-cloud deployment.
Improve Security Posture
Optimize security monitoring, prioritization, response, containment and remediation processes by analyzing all machine data to understand the impact of alerts or incidents.
Prioritize Security Events and Investigations
Enhance decision-making and align risk posture with the business by applying risk scores to any event, asset, behavior, or user based on their relative importance or value to the business.
Detect Internal and Advanced Threats
Verify privileged access and detect unusual activity by using UBA anomalies, applying user- and asset-based context to all machine data to monitor user and asset activities.
Make More Informed Decisions
Enhance incident investigation, breach investigation, and scoping by leveraging threat feeds from a broad set of sources, including free threat intelligence feeds, third-party subscriptions, law enforcement, FS-ISAC Soltra (via STIX/TAXII), Facebook ThreatExchange, and internal and shared data.
Operationalize Threat Intelligence
Multiple threat intelligence sources can be aggregated, de-duplicated and assigned weights so that a wide range of Indicators of Compromise (IOCs) can be used for all aspects of monitoring, alerting, reporting, investigation and forensic analysis.
Monitor in Real Time
Detect unusual activities associated with advanced threats by leveraging statistical analysis, UBA anomalies, correlation searches, dynamic thresholds, and anomaly detection.
Optimize Incident Response
Streamline investigations of dynamic, multi-step attacks with the ability to visualize, and therefore more clearly understand, the attack details, as well as the sequential relationship between various events, to quickly determine the appropriate next steps.
Splunk Enterprise Security Tour
Security Posture Dashboard
The Security Posture Dashboard provides continuous monitoring and at-a-glance situational awareness by tracking key security indicators and security metrics across identity, access, malware, endpoint and threat intelligence data sources. All aspects of data source, key indicators, and visual displays are configurable and customizable to suit any organization’s operating procedure. The point-and-click interface provides integrated workflows and actions from the graphical display.
Quickly triage, prioritize, and respond to notable events by understanding the priority of any incident and which hosts were involved. Gain contextual insights about the incident and host and pivot on any incident or host attribute to find additional indicators and related events. Security team members can collaborate and review all activities related to the host and incident in a single location, as well as explore the raw data and view the journal of incident activities.
The Asset Investigator allows you to visually correlate activities across devices that employ disparate technologies. You can adjust time frames and build a story from the events, then either create searches to detect those events or share the story with a team member.
The Threat Activity dashboard provides direct access to events that correlate to all threat intelligence sources: third-party subscriptions, law enforcement, internal and shared sources. It provides insights into the trends, activities, users, and host event information associated with threat intelligence. Use threat intelligence as the starting point of your workflow, or apply it across various aspects of monitoring, reporting and investigation.
The Investigator Journal streamlines multi-step analyses and investigations by enabling you to focus on tracking attack activities while the system tracks your searches, activities and notes taken throughout the investigation. Add relevant events, activities and notes to the Attack & Investigation Timeline to visualize, and more clearly understand the attack details, as well as the sequential relationship between various events – and as a result, more quickly determine the appropriate next steps.
Protocol Intelligence provides fast access to wire data and includes dashboards for the most important fields in the most common protocols that are provided by the Splunk App for Stream or provided by network forensics tools. Pre-built reports that use key fields extracted from wire data simplify profiling to spot unusual activity. Protocol intelligence also applies threat intelligence to email envelopes, DNS queries and responses, and SSL certificates to accelerate incident response and detection.
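The threat-intelligence workflow described above (aggregating several feeds, de-duplicating indicators, weighting them by source, then applying them to DNS queries) is illustrated by the following added example. It is not Splunk ES code and does not reproduce ES's own scoring; the feeds, source weights, and key=value DNS events are all constructed for the demonstration.

```python
"""Merge constructed threat-intel feeds into one weighted IOC table and
score constructed DNS query events against it (illustrative, not Splunk ES)."""

# Constructed feeds: each entry is (indicator, indicator_type).
# The same indicator may be reported by more than one feed.
FEEDS = {
    "osint_free": [("bad.example", "domain"), ("198.51.100.7", "ip")],
    "vendor_sub": [("bad.example", "domain"), ("evil.example", "domain")],
    "internal":   [("evil.example", "domain")],
}
# Assumed trust weight (0-100) per source; an analyst would tune these.
SOURCE_WEIGHT = {"osint_free": 20, "vendor_sub": 60, "internal": 90}


def aggregate(feeds, weights):
    """Return {indicator: {"type", "sources", "weight"}} with duplicates merged.
    Weight = highest source weight, plus 5 per additional corroborating
    source, capped at 100 (an assumed scheme, not ES's)."""
    table = {}
    for source, entries in feeds.items():
        for ioc, kind in entries:
            rec = table.setdefault(ioc, {"type": kind, "sources": set()})
            rec["sources"].add(source)
    for rec in table.values():
        ws = [weights[s] for s in rec["sources"]]
        rec["weight"] = min(100, max(ws) + 5 * (len(ws) - 1))
    return table


# Constructed DNS query events in key=value form.
DNS_EVENTS = [
    "src=10.0.0.5 query=bad.example qtype=A",
    "src=10.0.0.9 query=good.example qtype=A",
    "src=10.0.0.5 query=evil.example qtype=TXT",
]


def parse_kv(line):
    """Parse a space-separated key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def match_dns(events, table):
    """Return DNS events whose queried name is a known domain IOC,
    highest weight first, so analysts can triage by intel confidence."""
    hits = []
    for line in events:
        ev = parse_kv(line)
        rec = table.get(ev.get("query"))
        if rec and rec["type"] == "domain":
            hits.append({"src": ev["src"], "ioc": ev["query"],
                         "weight": rec["weight"], "sources": sorted(rec["sources"])})
    return sorted(hits, key=lambda h: -h["weight"])
```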