Jumpstart Your SIEM Migration Using the Splunk App for CEF

We've seen this script many times before: legacy Security Information and Event Management (SIEM) solutions can’t keep up with the sophistication of modern threats and the rate at which security events need to be investigated and handled.

The growing adoption of cloud services expands the threat vectors, and enterprises need to monitor user activity, behavior and application access across key cloud and SaaS services—as well as on-premise services—to determine the full scope of potential threats and attacks.

Despite the known challenges, many organizations continue to keep the legacy SIEM lights on due to several reasons:

  • The customer is locked into a long-term contract
  • No short-term recourse—legacy SIEM care and feeding has consumed the SecOps budget
  • Using legacy SIEM for simple log management use cases
  • Near-term goal to appease auditors
  • Legacy SIEM migration or replacement is being planned

This legacy SIEM problem is a recurring security nightmare which seems like a throwback from the iconic movie “Groundhog Day.”

So, to make it possible for customers stuck with a legacy SIEM to migrate and realize the benefits of an analytics-driven SIEM and overcome SecOps challenges, Splunk introduced the Splunk App for Common Event Format (CEF), and recently released the latest version 2.1.

Why Splunk App for CEF?

To address current threats while deciding on SIEM migration, customers impacted by a legacy SIEM often start by augmenting their legacy SIEM with Splunk. This helps them solve current and advanced threats using Splunk.

Enter the Splunk App for CEF, which quickly aggregates all relevant logs from data sources that represent potential threats using Splunk and transforms them into the Common Event Format (CEF). The Splunk App for CEF uses the capabilities of the Splunk platform, including raw data indexing, add-ons and data models to transform raw data before sending it to a CEF-compatible application, such as an existing legacy SIEM.

The Splunk App for CEF reformats search results into the Common Event Format. You can then use the CEF output for processing in compatible applications such as Microfocus ArcSight. The diagram illustrates how the Splunk App for CEF allows you to select data that is indexed in a Splunk deployment, translate it into common event format, then send that data out to a syslog receiver for use in a CEF-compatible tool.

The Splunk App for CEF uses a data model search to filter and map fields to the pipe-delimited key-value pairs required by the CEF standard. Details on this app can be found on Splunk Docs.
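The CEF line format described above, as an added example that is not the Splunk app's own code: a small Python formatter that builds a CEF record from normalized fields and applies the escaping the CEF standard requires (backslash and pipe in the seven header fields; backslash, equals sign and line breaks in the extension), a parser that reverses it, and a helper that frames the record as a syslog message for a receiver. The vendor, product and event values are constructed samples; the function and field names are this example's own.

```python
"""Format normalized events as Common Event Format (CEF) and parse them back.

CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|
            Device Event Class ID|Name|Severity|Extension
Header fields escape '\\' and '|'; extension values escape '\\', '=' and
line breaks. Pipes inside the extension are legal and left alone.
"""

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample: a normalized authentication event, keyed with CEF
# extension dictionary names (src, suser, dst, act, outcome, msg).
SAMPLE_EVENT = {
    "src": "10.0.0.5",
    "suser": "jdoe",
    "dst": "10.0.1.20",
    "act": "login",
    "outcome": "failure",
    # Deliberately contains '=', '|' and a newline to exercise escaping.
    "msg": "Reason=bad password | 3 attempts\nsecond line",
}


def _escape_header(value):
    # Backslash first, so the escapes we add are not re-escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_ext(value):
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unescape(text):
    """Undo CEF escaping: \\| \\= \\\\ become literal; \\n \\r become breaks."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_unescaped(text, sep, maxsplit):
    """Split on unescaped `sep` at most `maxsplit` times, keeping escapes raw."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep escape pair intact
            i += 2
            continue
        if text[i] == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _parse_extension(ext):
    """Extension is 'key=value key=value'; values may contain spaces."""
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2                         # skip escaped char (incl. '\=')
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    fields = {}
    for n, pos in enumerate(eq_positions):
        key = ext[ext.rfind(" ", 0, pos) + 1:pos]
        if n + 1 < len(eq_positions):
            # Value ends at the space preceding the next key.
            end = ext.rfind(" ", 0, eq_positions[n + 1])
            fields[key] = _unescape(ext[pos + 1:end])
        else:
            fields[key] = _unescape(ext[pos + 1:])
    return fields


def to_cef(vendor, product, version, signature_id, name, severity,
           extension=None, cef_version=0):
    """Build one CEF record from header values and an extension dict."""
    header = (cef_version, vendor, product, version, signature_id, name, severity)
    ext = " ".join(f"{k}={_escape_ext(v)}" for k, v in (extension or {}).items())
    return "CEF:" + "|".join(_escape_header(h) for h in header) + "|" + ext


def parse_cef(line):
    """Return (header_dict, extension_dict) for a CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_unescaped(line[4:], "|", maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs seven fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    extension = _parse_extension(parts[7]) if len(parts) > 7 else {}
    return header, extension


def syslog_line(cef_line, hostname, timestamp, facility=4, severity=6):
    """Frame a CEF record as an RFC 3164 syslog message (PRI = facility*8+severity)."""
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {cef_line}"


if __name__ == "__main__":
    record = to_cef("Acme\\Corp", "Login|Gateway", "1.0", "AUTH-4625",
                    "Authentication failed", 5, SAMPLE_EVENT)
    print(syslog_line(record, "splunk-hf01", "Jan  1 00:00:00"))
    print(parse_cef(record))
```

The round trip matters in a migration: a receiver that does not unescape `\=` or `\|` will misparse the `msg` field and silently mis-correlate, so checking `parse_cef(to_cef(...))` against the original event is a cheap validation step before pointing the output at the legacy SIEM.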

In short: leverage the power of Splunk through augmentation while your migration project to Splunk gains momentum.

The Splunk Analytics-Driven Security Portfolio

Our comprehensive security portfolio solves your basic and advanced SIEM use cases, and is available for cloud, on-premises and hybrid deployment models to fit your needs.

Splunk Enterprise Security (ES) is used as an analytics-driven SIEM solution by thousands of customers to power their security operations and accelerate the detection, investigation and response to threats. Splunk User Behavior Analytics (UBA) is our machine learning-based solution for detecting advanced threats and attacks. The newest addition to the Splunk portfolio is Phantom, the leading security orchestration and automation (SOAR) product in the market.

Splunk UBA and Phantom are tightly integrated with Splunk ES, providing the insights needed to build and manage security operations and respond to threats in real-time.

Splunk apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types. Splunk and its partners have released more than 760 apps that help expand the security use cases that can be solved using Splunk.

A Few Resources to Get You Started

A Splunk financial services customer who processes and analyzes massive amounts of data was challenged to protect that data against new and unexpected threats. The customer's legacy SIEM solution, despite high costs, was providing limited value. After migrating to Splunk Cloud and Splunk ES, the customer has seen benefits including:

  • The ability to ingest data from 170 different applications and run ad hoc queries
  • Flexible scaling in a pay-per-use model matching cost to demand
  • Insight into every financial transaction

Find out how TransAlta, a power generation and wholesale marketing company with operations in Canada, the U.S. and Australia, migrated from their legacy SIEM to Splunk and realized the following benefits:

  • User investigation time reduced from days to minutes
  • On-time delivery of new energy trading platform
  • Cost savings of up to $1 million

This buyer's guide is a good start on the who, what, where, when and why of buying an analytics-driven SIEM solution.

Navigate to this information repository and get started with your SIEM migration journey today.

The Time Is Now

Don’t risk the future of your organization to legacy solutions. You can immediately begin exploring the power of Splunk’s analytics-driven SIEM by signing up for 7 days of free access to the Splunk Enterprise Security online sandbox.

If you are looking to replace your SIEM or if you have any questions, contact a SIEM expert now.

Girish Bhat
Director, Security Product Marketing
Splunk Inc.