General information

The knowledge of events and processes taking place in information systems is the basis for their effective protection.

The main source of this knowledge is the logs generated by systems, devices and applications. Their collection and analysis are also increasingly required by numerous security-related standards and regulations, such as PCI DSS or SOX.

SIEM-class products have been developed to meet these requirements. Such systems make it possible to:

  • collect, store and protect logs against modification in a single data repository,
  • produce reports based on the collected logs and on information coming from other systems,
  • raise alarms about every event that carries a potential threat, including threats identified by correlating symptoms from different sources of information.

A correctly implemented SIEM will allow administrators to:

  • identify and analyse incidents related to attacks and abuses committed by users,
  • detect malware infections,
  • identify failures and problems occurring in the infrastructure,
  • monitor configuration changes and enforce compliance with change-management procedures,
  • evaluate the effectiveness of the implemented security technologies.

Splunk Enterprise Security allows security management teams to quickly detect and respond to external and internal threats to the security of an enterprise.

Splunk Enterprise Security is a SIEM system that enables the analysis of any data coming from sources such as network devices, workstations, authentication systems, antivirus protection systems, identity management systems or any other source of machine data.

It can be used for continuous, real-time monitoring of the IT and security infrastructure, for rapid incident response, for reporting important business-related threats to management, or as the foundation of a Security Operations Center (SOC). The flexibility of Splunk Enterprise Security in creating correlations, alarms, reports and dashboards makes it possible to adapt the solution to specific requirements.

Splunk Enterprise Security

Splunk has prepared a ready-to-use Splunk App for Enterprise Security that builds on the analytical features of Splunk. It is a fully-fledged SIEM solution recognised in the market, and it has been ranked in the leaders' quadrant of the Gartner report for several years.

Splunk Enterprise is a universal platform for managing so-called machine data. Machine data is one of the fastest-growing areas of Big Data applications. The information it carries may include user transaction logs, client activity, sensor readings, machine behaviour, security threats, fraud and much more.

Splunk Enterprise gathers all machine data regardless of where it is generated, including physical, virtual and cloud environments. It allows data to be searched, monitored and analysed from one place in real time, so that problems can be resolved and security incidents investigated. Results become a matter of minutes, not hours or days.

Splunk Enterprise is used by many companies as a basic tool for managing machine data in the scope of information security and audit.

Splunk Enterprise Security

The application uses a wide range of options offered by the Splunk Enterprise platform in order to analyse events and data from the point of view of security, while providing the following functions:

  • A common data model for logs and other information collected from source systems – all logs are being normalised to a coherent model where events of the same importance (e.g. authentication) have the same attributes.
  • Coherent management of resources and identities – Splunk ES maintains an identity database containing all possible accounts and attributes of a user. As a result, correlation of logs coming from heterogeneous systems and applications is possible. A similar resource database contains detailed information about servers, workstations, networks, and other IT resources. Databases can be synchronised with external CMDB or IDM systems.
  • Incident management – the incident management mechanisms include correlation rules that detect threat symptoms, an incident management console and so-called investigations, which record the screens visited by the analyst during the investigation process. Investigations can be shared among users.
  • Risk-based threat analysis – any event occurring in the infrastructure can affect the risk associated with individual objects, e.g. hosts, users, individual services, etc. The analysis of such risk by the Splunk ES mechanisms allows for quick identification of objects which pose a potential threat or are victims of incidents.
  • Threat Intelligence – Splunk App for Enterprise Security can consume any threat-intelligence subscription available on the market, i.e. so-called IOC (Indicators of Compromise) feeds, including the OpenIOC and STIX formats. Any object that indicates a potential infection, such as an IP address, domain name, file, process or certificate, can be searched for in the collected data.
  • Extreme search – an add-on in the form of a series of SPL commands that support quick and extensive analysis of anomalies, prediction of values and alerting on abnormal events that have been detected.
Unique Features of Splunk and Splunk Enterprise Security

The Splunk Enterprise solution offers many unique features that make it suitable to be used for the purpose of SIEM. Certain features are presented below:

  • The solution is delivered as a complete software package – Splunk Enterprise is delivered as a complete software package to be installed on a general-purpose platform. It does not require any additional tools such as databases or Big Data systems. Performance is limited only by the power of the server on which it is installed.
  • Scalability – Splunk is successfully applied both in installations where single gigabytes of data are analysed and in environments where hundreds of terabytes of new data are processed every day. It is noteworthy that the Splunk license does not limit the number of sources or the number of servers on which it may be installed.
  • On-the-fly normalisation – in Splunk, data are stored in raw form and normalisation takes place when the data are read, not when they are written. This makes it possible to change log structures freely without rebuilding the database or re-importing the data. Likewise, data enrichment does not require lookups at indexing time, because it takes place at search time.
  • Easy ingestion of different types of data – Splunk can ingest any log format and type, and multiline logs are supported. Thanks to the so-called Modular Input API, it is easy to build support for sources that do not offer standard protocols or APIs. The SplunkBase website (https://apps.splunk.com) offers several dozen add-ons that support non-standard data acquisition protocols.
  • Other potential applications – Splunk is successfully applied not only in security and IT but also in other areas such as application management, the Internet of Things, industry, medicine and more. This enables a much higher return on investment in a single, coherent data management technology.
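The search-time normalisation described under "On-the-fly normalisation", together with the common data model from the previous section, as an added illustration (example code written for this page, not Splunk's own): raw events are stored untouched, per-sourcetype extraction rules are applied only when a search runs, and adding a rule for a new format makes events that were indexed earlier searchable in the common model without re-importing anything. The sourcetypes, log lines and regexes are constructed for the example.

```python
import re
from collections import Counter
# Constructed sample of an index: raw events stored verbatim, tagged only with the
# sourcetype they arrived under. Nothing is parsed or normalised at write time.
RAW_INDEX = [
    ("linux_secure", "Mar  3 10:01:02 web01 sshd[2211]: Failed password for alice from 10.0.0.5 port 51522 ssh2"),
    ("linux_secure", "Mar  3 10:01:09 web01 sshd[2211]: Accepted password for bob from 10.0.0.7 port 51530 ssh2"),
    ("win_security", "EventCode=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D"),
    ("win_security", "EventCode=4624 TargetUserName=carol IpAddress=10.0.0.9 LogonType=10"),
    ("vpn_appliance", 'auth result="deny" user="alice" remote="10.0.0.5"'),
]

# Search-time extraction rules: per sourcetype, a regex plus a map from the source's own
# result codes to the common Authentication model's action values (success/failure).
EXTRACTIONS = {
    "linux_secure": (
        re.compile(r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
        {"Failed": "failure", "Accepted": "success"}),
    "win_security": (
        re.compile(r"EventCode=(?P<result>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"),
        {"4625": "failure", "4624": "success"}),
}

def normalize(sourcetype, raw, extractions=EXTRACTIONS):
    """Map one raw event to the common fields (user, src, action) at read time.
    Returns None when no rule matches: the raw event is still stored, just not yet modelled."""
    rule = extractions.get(sourcetype)
    m = rule[0].search(raw) if rule else None
    if not m:
        return None
    return {"user": m.group("user"), "src": m.group("src"),
            "action": rule[1].get(m.group("result"), "unknown"), "sourcetype": sourcetype}

def failed_logins_by_user(index=RAW_INDEX, extractions=EXTRACTIONS):
    """Count authentication failures per user across every source, via the common model."""
    counts = Counter()
    for sourcetype, raw in index:
        ev = normalize(sourcetype, raw, extractions)
        if ev and ev["action"] == "failure":
            counts[ev["user"]] += 1
    return dict(counts)

def with_vpn_rule(extractions=EXTRACTIONS):
    """Add a rule for a format indexed before any extraction existed; stored events need no re-import."""
    new = dict(extractions)
    new["vpn_appliance"] = (
        re.compile(r'result="(?P<result>\w+)" user="(?P<user>\w+)" remote="(?P<src>[\d.]+)"'),
        {"deny": "failure", "allow": "success"})
    return new
```

With the original rules the VPN event is stored but contributes nothing; once the VPN rule is added, the same search counts it without touching the index.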