Splunk is truly hot in Fed! It was mind blowing to welcome over 200 people to learn more about Splunk at our recent SplunkLive in DC–more than doubling the number of attendees from the event we held just 6 months ago! The agenda was customer driven, featuring a Federal civilian agency focused on space exploration and The Washington Post, plus partner presentations from Blue Coat and Big Fix. Godfrey Sullivan, Splunk’s CEO provided the keynote along with great technical presentations by s Co-Founders Erik Swan and Rob Das covering SOA, Virtualization, and Big IT Data.
Why is Splunk so hot? For one, Splunk is used in by a majority of the Federal Agencies. In some cases–there simply aren’t other products that can compete with Splunk’s complete (software) solution. Firstly, Splunk will ingest anything you throw at it, and scales easily versus some SIEMs making it easy to look at all of your security relevant content for true correlation.
Correlation is of course one of the core tenets of successfully protecting against hackers, malware and other security risks—which brings me to the next presentation from Terry Brugger, PhD, and contractor for a large Federal agency. He was recently tasked to find a solution to integrate Splunk with their SIEM and provide situational awareness across globally distributed sites.
In scoping the solution, they deemed source flexibility, data accessibility, security, scalability, usability and performance as critical requirements.
In his analysis, he uncovered several limitations with a straight SIEM solution. Many SIEMs are unable to accept custom formats or easily add new sources. Some SIEMs are limited in their ability to provide long-term log retention for forensic analysis. And Terry’s team needed a fast, easy-to use tool to create custom queries.
They ultimately decided to complement Splunk with a SIEM solution—using the SIEM for real-time correlation and alerting and Splunk for deep forensic investigation.
For now though, they’ve focused on using Splunk for incident investigation. They can truly correlate across a heterogeneous data set from one place to track emerging and evolving threats, understand patterns over time and create ad hoc reports and dashboards for compliance.
Terry also shared a few tips for optimizing a Splunk install. He suggests:
- Using TCP over UDP where possible
- Using rsyslog instead of syslog-ng
- Using Splunk Lightweight Forwarder instead of syslog forwarding
- Earmark Splunk boxes with load balancing vs. running syslog and Splunk to the same box
- Running all data directly into Splunk for syslog aggregation
- Allowing Splunk to write all files for SIM connector
Thanks Terry, we’re excited to learn what you uncover next!
If you’re hungry for more ideas for ways Splunk is helping Federal customers, check out these videos from Federal Systems Integrators: Sean Wilkerson at Aplura, Joel Shprentz, and our own John Topp, back before he worked for Splunk.
And this is a great overview you can use to help sell management on the value of Splunk in a Security context.
Our partners presented how Splunk can be a tool to enhance technologies such as BlueCoat and the ability to easily build customized applications with Splunk.
Thank you to for everyone’s participation in making the event a success!
And whether you joined us for a recent SplunkLive or not–don’t miss The First Splunk Users’ Conference, August 9-11, 2010 in San Francisco. We’ve got 40 sessions in 7 tracks featuring customer presenters from Autodesk, Cisco, Pegasus Solutions, VeriSign and Voxeo.
Register for the Users’ Conference by June 25 to save $100.
See you there!
VP, Splunk Federal