Splunk 5 – What it means for security and compliance use cases

As you may have read, today we announced Splunk Enterprise 5.0, a major upgrade to the core Splunk platform. There are many new benefits enabled by this release, but I wanted to call out three benefits to security practitioners looking to improve their security and compliance posture.

Easier to Build and Faster Security/Compliance Reports

Often times for security or compliance use cases, reports are needed that cover very large data sets which might even span TBs a day. This could be an aggregation of firewall, IDS, authentication, or anti-malware log events. Maybe you are using these reports to see how threats are trending with time, or to baseline threat levels to then spot deviations from the norm which could be advanced threats. Or maybe you need reports like this for compliance purposes to show your auditor summary event information over large time ranges. Regardless, reports covering large data sets like this can sometimes take more time to load than you would like. Before Splunk Enterprise 5, summary indexing helped alleviate this by creating data summaries populated by background searches. Now we have introduced the “report acceleration” feature which is similar to summary indexes, but for eligible reports is better because:

• It is easier to set up and requires just a click of a checkbox and a time range

• The summary can automatically be shared with similar searches

• The summary is stored on the indexer, not search head, for map reduce parallelism

The net benefit is easier-to-build and faster reports which cover large data sets. Get faster insight into your security and compliance posture.

More Efficient Security Incident Investigations and Research

For security and compliance use cases, maybe you want to be able to control exactly what happens when a user clicks on a table or a chart in Splunk. Maybe you don’t want the user to just go to the underlying Splunk search and raw data behind it. Instead you want the user to go from a dashboard to a form, or maybe from a dashboard to a 3rd-party tool that accepts URLs. And at the same time, you want the value that was clicked on to be passed to the destination. An example could be a user clicks on a Splunk dashboard that lists in-process security events. The user then goes directly to a web page in a third-party case management system which has the underlying detail behind that specific event. Or maybe a Splunk chart lists top network attack names. When a user clicks on an attack name, they go to a new page in Splunk with a form box pre-filled with the attack name that was just clicked on and the raw attack events below the form box. In Splunk Enterprise 5 we have made this easy with a new capability referred to as “dynamic drilldowns” in dashboards and forms. With dynamic drilldowns you can define custom destinations to link to when a user clicks on fields in a simple table, dashboard, or form. The value captured by the click is passed to the destination. The destination can be another dashboard, form, or view within your Splunk installation or an external web page. You can create intelligent workflows into your dashboards that deliver a more intuitive user experience. This new feature uses simplified XML, not advanced XML, so it is easy to leverage. The net benefit is time (and dollars) saved via more efficient incident investigations and research. Get to root cause faster and improve your security posture as a result.

High Availability at a Low Cost for Your Security/Compliance Data

For security and compliance use cases, having highly available data is key. All the original data you indexed needs to be there as you expect it to be. Perhaps you need the historical data for forensics to determine after the fact how a threat got in, where it has spread to, etc. Maybe you need the data to look back at what a specific employee was doing over a certain time period. Perhaps for compliance purposes you need the data to meet data retention requirements (like with PCI you need log data immediately available going back three months). Or maybe your auditor comes to you with an ad-hoc request that requires you gather specific, historical data. Regardless of the use case, you need the data to be highly, and immediately, available. Prior to Splunk Enterprise 5 you could do this by using SAN storage. But of course SAN is not the most cost-effective approach. Now we have introduced a capability called “ index replication” which enables Splunk indexers to be grouped together to replicate each other’s data, maintaining multiple copies of all data – preventing data loss and delivering highly available data for Splunk search. Using index replication, if one or more indexers fail, incoming data continues to get indexed and indexed data continues to be searchable. And this can be done on commodity hardware, not costly SAN hardware. Besides lower cost, there are numerous benefits including:

• Data availability: an indexer is always available to handle incoming data, and the indexed data is available for searching.

• Data fidelity: you never lose any data. You have assurance that the data sent to Splunk is exactly the same data that gets stored in Splunk and that a search can later access.

• Data recovery: your system can tolerate downed indexers without losing data or losing access to data.

• Improved search performance: by spreading your data across multiple indexers, searches can read buckets from many indexers in parallel, thus reducing the I/O load on any particular indexer.

Net benefit is that you can be assured the critical data you need to search on for security or compliance use cases is there when you need it. This results in a stronger security posture, as well as accurate measurement on your state of compliance.

Joe Goldberg

Posted by