
Organizations continue to undergo rapid digital transformation. Moving from legacy systems to multiple cloud-based services can free up resources and introduce large-scale innovation. Any good security program must be able to meet the demands of this transformation, protect the business, and enable that innovation.
Furthermore, any good security program must have data in its DNA. A data-centric solution can aid in more accurate detections and faster investigations. Without it, organizations will continue to face long dwell times, perform shallow investigations that barely scratch the surface, and experience harmful breaches that lead to financial and reputational damages.
And finally, any good security program must help security teams overcome the burdens of everyday life in the SOC: too many alerts, repetitive security tasks, limited resources and a cybersecurity skills gap, poor security visibility, a lack of security standard operating procedures, and a lack of speed in detecting, investigating, and responding to threats.
A Data-Centric Security Platform for a Data-Centric SOC
Splunk offers a fundamentally different approach than other security vendors: it treats security as a data problem and puts data at the center of everything we do, helping customers build a data-centric security operations center. Our security analytics advantage starts with the Splunk Platform, which ingests, normalizes, and provides insights into any data at enterprise scale, so that threats are far less likely to go undetected. Next is Splunk’s massive community of technology partners and users, which creates a network effect that benefits every customer.
Building on our platform and community advantage, we apply a unique combination of ML-powered analytics to detect threats and deliver key insights across multi-cloud environments; risk-based alerting that transforms noisy alerts into high-fidelity incidents prioritized by an organization’s risk profile; and integrated threat intelligence enrichment to quickly understand threat context, prioritize triage, and accelerate investigation and response. We add further context by focusing on the entity, both user and asset, through real-time anomaly detection. Analysts have immediate access to the information they need to assess a notable or alert and make a decision right away.
So… what’s new?! Let’s start with new innovations from Splunk Enterprise 9.0 and Splunk Cloud Platform:
- Ingest actions enable admins to deploy ingest-time transformations and routing, reducing ingestion and storage costs for non-critical datasets, and enabling customers to bring in key data critical to security use cases. For example, customers can filter specific data they want from large streams of endpoint data, ensuring high-value data comes into Splunk. They can route less critical data to S3, perform masking on sensitive data at ingest-time, and add additional context necessary to understand their security data.
- SmartStore, already available for AWS, now supports Azure, giving Azure customers flexible storage options. Customers can keep voluminous security data sources, such as the endpoint and deep telemetry that are critical for searches during forensic investigations, in Azure Blob Storage. SmartStore keeps recently indexed hot buckets on local storage, moves warm buckets to the object store, and fetches them back into a local cache when a search needs them, which provides greater capacity with high availability at a lower cost.
- Threat hunting with Federated Search across distributed environments, on-prem or in the cloud. Federated search, in both standard and transparent modes, lets customers bring distributed data into security use cases and hunt across remote datasets at scale using data models and tstats.
- Data Manager lets you onboard data from multiple services and accounts quickly. Data from AWS and Azure, and soon GCP, can be ingested with little effort, and our multi-cloud security monitoring dashboards build on this data. These multi-cloud sources also shorten time to implementation: customers can deploy over 150 out-of-the-box detections from the Splunk Threat Research Team that are aligned with risk-based alerting in Splunk Enterprise Security.
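To make the ingest-time transformations described above concrete, here is an added Python sketch of what such a pipeline does to a stream of events: drop low-value endpoint events, route less critical ones to cheap object storage, mask card numbers and SSNs before anything is stored, and attach asset context. This is illustrative code written for this post, not Splunk’s ingest actions implementation; the sample events, the event types, the `s3` and `index` destination names and the asset-criticality lookup are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample events (not real data): endpoint telemetry plus a
# payments log line that carries a card number in clear text.
SAMPLE_EVENTS = [
    {"sourcetype": "endpoint", "event_type": "process_start", "host": "ws01",
     "raw": "cmd=powershell.exe -enc SQBFAFgA user=alice"},
    {"sourcetype": "endpoint", "event_type": "heartbeat", "host": "ws01",
     "raw": "agent heartbeat ok"},
    {"sourcetype": "endpoint", "event_type": "file_stat", "host": "ws02",
     "raw": "stat C:\\Windows\\System32\\kernel32.dll"},
    {"sourcetype": "payments", "event_type": "txn", "host": "pay01",
     "raw": "card=4111111111111111 amount=120.00 status=approved"},
]

# Endpoint event types worth full indexing for security use cases.
CRITICAL_ENDPOINT_TYPES = {"process_start", "network_connect", "logon"}
# Event types discarded entirely (the equivalent of a null destination).
DROP_TYPES = {"heartbeat"}

# Constructed asset lookup standing in for a CMDB / asset inventory.
ASSET_CRITICALITY = {"ws01": "high", "ws02": "low", "pay01": "critical"}

# 13-19 digit card numbers (keep the 6-digit BIN and last four) and US-style SSNs.
PAN_RE = re.compile(r"\b(\d{6})\d{3,9}(\d{4})\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask_sensitive(raw: str) -> str:
    """Mask PANs and SSNs in a raw event string before it is stored anywhere."""
    raw = PAN_RE.sub(
        lambda m: m.group(1) + "X" * (len(m.group(0)) - 10) + m.group(2), raw)
    return SSN_RE.sub("XXX-XX-XXXX", raw)


def route(event: dict) -> Optional[str]:
    """Pick a destination: 'index' (searchable), 's3' (cheap archive) or None (drop).

    Security-critical endpoint events and all non-endpoint events are indexed;
    low-value endpoint events are archived instead of consuming index capacity.
    """
    if event["event_type"] in DROP_TYPES:
        return None
    if event["sourcetype"] == "endpoint" and event["event_type"] not in CRITICAL_ENDPOINT_TYPES:
        return "s3"
    return "index"


def enrich(event: dict) -> dict:
    """Add asset context at ingest time so analysts do not have to look it up later."""
    return {**event, "asset_criticality": ASSET_CRITICALITY.get(event["host"], "unknown")}


def process(events: List[dict]) -> Dict[str, List[dict]]:
    """Run every event through route -> mask -> enrich; group results by destination."""
    out: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        dest = route(ev)
        if dest is None:
            out["dropped"].append(ev)
            continue
        masked = {**ev, "raw": mask_sensitive(ev["raw"])}
        out[dest].append(enrich(masked))
    return out


if __name__ == "__main__":
    for dest, evs in process(SAMPLE_EVENTS).items():
        print(dest, [e["raw"] for e in evs])
```

Two caveats a practitioner will want to keep in mind: anything dropped or masked at ingest is gone for good, so the filter rules deserve the same review as a detection (a too-broad drop list removes the evidence you need during an incident), and the masking patterns should be tested against both true hits and near-misses such as amounts and timestamps before they are turned on.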
Let’s add new innovations from Splunk Enterprise Security and Splunk SOAR that help security teams process more alerts per day, detect and respond to threats faster, and reduce the manual burden on security analysts:
- Risk-based alerting in Splunk Enterprise Security attributes risk to users and systems and generates an alert only when risk and behavioral thresholds are exceeded. It lets you transform a huge volume of noisy alerts into fewer high-fidelity incidents, prioritized by risk to your organization. It also groups related events into a single incident to drive faster investigation and resolution. This gives you time back in your day and more control over your security operations. Give risk-based alerting a try today.
- Enforce Zero Trust, automatically. Zero Trust Architecture is increasingly important in a cloud-first, perimeter-less world. Your team has to monitor and protect identities, devices, virtual networks, applications, and data with an always-up-to-date set of detections and controls. With risk-based alerting in Splunk Enterprise Security, you can apply a zero trust mindset to watch for new access patterns and new types of attacks. You can then act on what it surfaces, and ensure rapid time to action, by automating response tasks with Splunk SOAR and the Risk Notable Playbook Pack. To see this in action, check out this webinar.
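To show the mechanics behind risk-based alerting described above, here is an added Python sketch of the aggregation step: each detection contributes a risk score to a user or system, scores are weighted by the object’s priority, and a single notable is raised only when an object crosses both a score threshold and a distinct-detection threshold, with the contributing events grouped under it. This is illustrative code written for this post, not Splunk Enterprise Security’s implementation; the detection names, scores, ATT&CK mappings, priority weights and thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskEvent:
    """One detection firing against a risk object (a user or a system)."""
    risk_object: str        # e.g. "alice" or "ws07"
    risk_object_type: str   # "user" or "system"
    source: str             # name of the detection that fired
    score: int              # risk contributed by this firing
    mitre_technique: str    # ATT&CK technique attached to the detection


# Constructed risk events from one day (not real detections or data).
RISK_EVENTS = [
    RiskEvent("alice", "user", "Suspicious PowerShell Encoded Command", 40, "T1059.001"),
    RiskEvent("alice", "user", "Unusual Logon Hour", 20, "T1078"),
    RiskEvent("alice", "user", "New Cloud Console Login Country", 30, "T1078.004"),
    RiskEvent("alice", "user", "Suspicious PowerShell Encoded Command", 40, "T1059.001"),
    # bob trips one noisy detection six times: high score, single source.
    *[RiskEvent("bob", "user", "Unusual Logon Hour", 20, "T1078") for _ in range(6)],
    RiskEvent("ws07", "system", "Rare Scheduled Task Created", 50, "T1053.005"),
]

# Constructed priority multipliers standing in for an asset/identity inventory;
# ws07 is treated as a critical server.
PRIORITY_WEIGHT = {"alice": 1.0, "bob": 1.0, "ws07": 2.0}


@dataclass
class RiskSummary:
    risk_object: str
    risk_object_type: str
    total_score: float
    distinct_sources: int
    techniques: List[str]
    contributing_events: List[RiskEvent]


def aggregate(events: List[RiskEvent]) -> Dict[str, RiskSummary]:
    """Sum weighted risk per object and record how many distinct detections fired."""
    grouped: Dict[Tuple[str, str], List[RiskEvent]] = defaultdict(list)
    for ev in events:
        grouped[(ev.risk_object, ev.risk_object_type)].append(ev)

    summaries: Dict[str, RiskSummary] = {}
    for (obj, obj_type), evs in grouped.items():
        weight = PRIORITY_WEIGHT.get(obj, 1.0)
        summaries[obj] = RiskSummary(
            risk_object=obj,
            risk_object_type=obj_type,
            total_score=sum(ev.score for ev in evs) * weight,
            distinct_sources=len({ev.source for ev in evs}),
            techniques=sorted({ev.mitre_technique for ev in evs}),
            contributing_events=evs,
        )
    return summaries


def build_notables(events: List[RiskEvent], score_threshold: float = 100.0,
                   min_sources: int = 3) -> List[RiskSummary]:
    """Emit one notable per object that crosses BOTH thresholds, highest risk first.

    Requiring several distinct detections is what keeps a single noisy rule
    (bob's six logon-hour hits) from becoming an incident on its own.
    """
    notables = [s for s in aggregate(events).values()
                if s.total_score >= score_threshold and s.distinct_sources >= min_sources]
    return sorted(notables, key=lambda s: s.total_score, reverse=True)


if __name__ == "__main__":
    for n in build_notables(RISK_EVENTS):
        print(f"{n.risk_object_type} {n.risk_object}: score={n.total_score} "
              f"sources={n.distinct_sources} techniques={n.techniques} "
              f"events={len(n.contributing_events)}")
```

With the constructed input only alice becomes a notable: her four events span three detections and total 130. bob reaches 120 from a single repeating detection and is suppressed, and ws07 reaches 100 only because of its priority weight but has one source, so it too stays below the alerting bar while its accumulated risk remains available for the next detection that fires against it.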
We’re excited for you to get hands-on with these new capabilities from Splunk Security. It’s easy to get stuck in the vortex of defending against an expanding threat landscape, within an increasingly complex environment. Splunk’s data-centric approach to security can begin to unburden you from that cycle, and help you achieve cybersecurity resilience to combat unpredictable threats to your business.
To learn more about Splunk Security, visit splunk.com/security.
Follow all the conversations coming out of #splunkconf22!
----------------------------------------------------
Thanks!
Jane Wong