We are pleased to unveil new versions of Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA), which form our analytics-driven SIEM. These new versions—Splunk ES 5.3 and Splunk UBA 4.3—can be downloaded from Splunkbase.
Our analytics-driven SIEM helps organizations solve a wide range of basic and modern SIEM use cases such as security monitoring, advanced threat and attack detection, insider threat detection, compliance, incident investigation and forensics, incident response and automation.
Manage Security Threats at Scale Using Enterprise Security 5.3
Splunk Enterprise Security delivers an end-to-end view of organizations’ security posture with actionable intelligence to prioritize incidents and act. With comprehensive security-specific views of data, customers can detect threats faster and optimize incident response.
With Splunk ES 5.3, customers can manage threats at scale across multiple threat vectors using all security relevant data. This version addresses the scale needs of cloud first customers and customers expanding to the cloud to solve their security operations use cases. The expanded Use Case Library reduces the time to resolve top-of-mind security use cases and advanced threats.
Use the Improved Installer with Search Head Clustering to Scale Your Deployment
The Splunk Enterprise Security installer now integrates directly with the deployer in a search head cluster environment and no longer requires a staging server. Now, Splunk ES with Search Head Clustering makes it possible to horizontally scale out to levels previously unattainable with SIEM solutions. You can review the requirements and processes for implementing search head clustering in Splunk Docs here: "Install Splunk Enterprise Security in a search head cluster environment."
Monitor Performance Using Managed Lookups Audit Dashboard
The Managed Lookups Audit dashboard reports on managed lookups and collections such as services, data, transforms, KV Store lookups, and CSV lookups in Splunk ES.
Administrators can use this dashboard to determine whether any managed lookups are growing too large in their environment and need to be adjusted.
Improved Performance by Migrating Trackers to the Key-Value (KV) Store
With Splunk ES 5.3, the CSV-based trackers (User account, Malware, IDS attack, Listening Port, Whois, Local Process and Access) have been migrated to the Key-Value (KV) Store to improve performance in large deployments.
New Default Maximum Age for Threat Intelligence Feed
Splunk ES includes a Threat Intelligence (TI) framework that allows security practitioners to automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources, including open sources, subscription-based feeds, law enforcement, local sources and feeds shared by other organizations. This capability uses the KV Store, and starting with the Splunk ES 5.3 release the KV Store retention for threat intelligence has a 30-day default maximum age; if you have relied on data being retained in the KV Store indefinitely, plan accordingly.
Updated Use Case Library
The Use Case Library in Splunk ES helps strengthen cyber defense, manage threats and reduce risk with readily available, usable and relevant content.
Splunk ES 5.3 installation by default includes Analytic Stories, and you can update your use case library by installing the latest version of Splunk ES Content Update.
Simplify Investigations and Improve Analyst Experience with Splunk UBA 4.3
Splunk UBA is our machine learning-powered solution that finds unknown threats and anomalous behavior across users, endpoint devices and applications. Splunk UBA 4.3 delivers even tighter integration with Splunk ES, greatly simplifying investigations while improving the analyst experience. In addition, with Splunk UBA 4.3, Splunk admins can centrally monitor UBA installations and onboard auxiliary data sources from any vendor.
Enhanced Workflow with Splunk ES
In Splunk UBA 4.3, we’ve made it even easier for you to streamline your security operations by synchronizing notable events in Splunk ES with the corresponding threats in Splunk UBA. Now you can easily manage threats sent from Splunk UBA to Splunk ES when they appear as notable events on the Incident Review and Security Posture dashboards. You can quickly expand event details and see the description, threat category, and correlation search referenced from Splunk UBA. Furthermore, the enhanced workflow actions enable you to seamlessly view contributing anomalies and drill down to the threat details in UBA.
Centralized Monitoring Within Splunk Enterprise
With the Splunk UBA Monitoring App, Splunk admins can centrally monitor the health of Splunk UBA installations and investigate UBA issues within Splunk Enterprise. Now you can easily create alerts, KPIs and dashboards on UBA system diagnostics all within your centralized Splunk platform.
Ease of Data Ingestion for Use Case Expansion
In Splunk UBA 4.3, you can now onboard auxiliary data sources such as badge, database, printer, and cloud storage data, enabling you to easily add new use cases for UBA.
Customer Successes Adopting Splunk ES and UBA as Analytics-Driven SIEM
Time and time again, customers have turned to Splunk ES and Splunk UBA for an analytics-driven security approach to protect their business. Since deploying Splunk ES and Splunk UBA together, customers such as Aflac have seen benefits like time savings and improvement in analyst efficiency. Nasdaq uses Splunk ES and Splunk UBA to accelerate investigation of advanced and insider threats, and has seen a 50% increase in speed of security investigations.
Get Started Now
If you are an existing Splunk Enterprise Security or Splunk User Behavior Analytics customer, you can download the latest versions of each in Splunkbase.
If you are not familiar with Splunk Enterprise Security, use the free seven-day cloud Splunk Enterprise Security Sandbox to get started in minutes. You can also contact us to take advantage of a free cloud-based sandbox trial of Splunk UBA.
How can you benefit from Splunk Security solutions? Contact us to find out.
Girish Bhat (@girishb) and Patriz Regalado (@patrizr)