Today we are proud to release the Splunk App for Enterprise Security 2.0, which I’ll call “the App” in this blog. The App acts as a next-generation Security Information and Event Manager (SIEM). It excels at identifying and alerting on both known and unknown threats, and doubles as a powerful tool for security investigations and forensics.
The history behind the App is a compelling story. In a nutshell, we really didn’t set out to be a SIEM; our customers made the decision for us.
Back when we started shipping code in 2006, our focus was on building a highly scalable, schema-less, big data platform that could ingest essentially all machine data and then be searched to enable visibility across all of IT to solve business problems. Our customers used us primarily for IT operations and application management use cases. But around 2007, security professionals at some of our customers began to see how the flexibility of Splunk could help them with security use cases. Specifically, they realized that:
- All the machine data in Splunk, both security-related and non-security-related, could be analyzed to identify more advanced “unknown” security threats (zero-day malware, socially engineered threats, cybercriminals, APTs, etc.) that masquerade as normal, everyday, harmless user and machine activity and thus evade traditional security software.
- Traditional SIEMs on the marketplace simply could not meet the requirements to identify this new class of threats. Traditional SIEMs had fixed schemas and required the use of pre-built collectors for every data source – this limited what machine data could be indexed and then extracted from the index. Also, SIEMs could not go “back in time” to re-analyze old events with new information due to their serial nature.
- Traditional SIEMs didn’t have enough flexibility to explore the data using free-form search of massive amounts of highly variable data.
So some of these innovative Splunk customers began writing their own searches and reports on top of Splunk, using it as a complement to their existing SIEM. These customers used Splunk for detailed security investigations that a SIEM could not perform. Some customers even began using us as a full-blown SIEM (either we displaced an existing SIEM, or it was the customer’s first SIEM purchase). Inevitably, new security use case customers began asking us to shorten their time-to-value by packaging SIEM-like functionality as an out-of-the-box app that could be installed on top of Splunk. So we listened and came out with v1.0 of the App, which offered out-of-the-box searches, event correlations, dashboards, reports and visualizations tailored for security use cases.
Last year, in Splunk Enterprise 4.2, we came out with real-time alerting, which enabled us to meet the final, key requirements of our most demanding security customers. Fast forward to today: with Splunk App for Enterprise Security 2.0, we can leverage the real-time alerting capabilities of Splunk to enable real-time security correlations and alerts. Version 2.0 of the App has plenty of other new features, including:
- More security-focused dashboards and reports
- More powerful drill-down and drill-across capabilities to access and pivot across raw data to follow an investigation wherever it leads
- The correlation of multiple user identities to identify and investigate user activities across the IT infrastructure
- Enhanced incident management to reprioritize, reassign and journal security events for quick resolution and incident response
- The operationalization of findings: Once a forensic investigation is complete, users can click the ‘save’ button to continuously monitor and alert for the same condition.
We now have hundreds of happy customers using Splunk for security. Thank you for pushing us years ago to realize that security can be a big data problem. And thank you for seeing that Splunk’s unique approach could be used as a next-generation SIEM. To learn more about how to use Splunk for security, please visit our website.
Thanks and happy Splunking!