Splunk App for Enterprise Security
The Big Data Approach to Security Intelligence
Today's attackers have realized that many security teams simply can't see threats buried within operations data, due to organizational data silos, data collection issues, scalability challenges or a lack of analytics capabilities. They also have the resources to create attack scenarios that bypass security point products and traditional security information and event management (SIEM) systems. How can security professionals identify threats when they're hiding with terabytes of data generated through normal user activities?
Monitoring for known and unknown threats has become part of the revised security charter. Detecting advanced threats requires a flexible approach that can only be enabled by a scalable security intelligence platform. Splunk is able to make all data security relevant, empowering the business and security teams to work together to create business driven security and risk priorities. Only Splunk can turn tens of terabytes of data per day into information fueling comprehensive analysis of business risks.
Splunk App for Enterprise Security
With the Splunk App for Enterprise Security you can use statistics on any data to help find unknown threats, while continually monitoring for known threats detected by traditional security products.
The Splunk App for Enterprise Security runs on top of Splunk Enterprise and provides the monitoring, alerting and analytics required to identify and address known and unknown threats. Suitable for a small security team or an enterprise security operations center, the app is the primary data interface for the security professional faced with a growing list of challenges.
Out-of-the-box features include:
- Automated Correlation Searches for cross data-type correlations that give the user an understanding of evolving threat scenarios in real time
- Statistical Analysis native to Splunk Enterprise, is employed to support dashboards that highlight anomalies in HTTP communications, a key communications protocol for advanced threats
- Technology Add-ons that map specific data sources and the data fields to a common information model
- Data Visualizations that help you view potentially malicious patterns of activity over time with drill-down to raw data analysis
- Reports and Security Metrics can be created from any search result, and can be turned into a dashboard, table or raw data that can be exported as a PDF or CSV
- Incident Review, Classification and Collaboration allow for bulk event reassignment, changes in status and criticality classification
- User Identity and Asset Correlation help you to answer questions about a specific user's activity across multiple identities and assets
Application Screen Shots
Security Posture Dashboard
The security posture dashboard provides a SOC-style, fully customizable view of key security metrics across security domains. The Splunk App for Enterprise Security contains a library of prebuilt security metrics widgets that support situational awareness and continuous monitoring of security domain-based risk. All graphics support drill-down into the incident review dashboard.
The Incident Review section provides the analysis workflows required to understand the priority of the incident, incident context, its type and which hosts were involved. One click and you're exploring the raw data or viewing a journal of incident activities. Pivot on any piece of data known about the host to find out additional information or see related events.
Asset and Identity Investigator
Unique to the Splunk App for Enterprise Security, the Asset and Identity Investigator gives security analysts the ability to view threat patterns across a wide variety of security event types for any asset or identity. Simply select an event time frame and one or more events representing a suspicious pattern of activity across event types and Splunk automatically displays a synopsis of the security story represented by the pattern. With one more click, you're able to see all the raw data laid out chronologically, export a live view to a colleague or create a new search that watches for a reoccurrence of this series of events.
The predictive analytics dashboard offers a point and click solution for understanding future trends and forecast outliers based on Splunk 6 data models and the predict command. Simply select the data model, any object contained in the data model, the type of function to be performed, an attribute and a time period for the analysis model you want to create.
Threat List Activity
The Splunk App for Enterprise Security offers out-of-the-box support for 18 open source threat data feeds to augment your security view. The new framework for threat list activity data allows you to add your own open source and paid data feeds with just a few clicks and without the need for a services engagement. Splunk has partnered with Norse Security's global real-time IPViking threat data service and has implemented a 30-day free trial for all customers of the Splunk App for Enterprise Security.
Splunk vs. SIEM
Making a decision to purchase a new system for monitoring the security posture of your organization is the most difficult challenge the business and the security team will face. It must address current problems and threats but also scale and provide a means for addressing threats well into the future.
Some of your most critical security questions must be answered, such as what do the threats of the future look like and how will you be able to detect them? There are four important considerations that you should keep in mind throughout the selection process:
- Does the solution allow me to perform statistical analysis to figure out what's normal and what's not?
- Will the solution support and foster the ingenuity and creativity needed to combat future threats?
- Does the solution support the convergence of IT operations, application management and security use cases?
- Will I spend more time getting data into the system than on analysis of the data?