
What Is SIEM?

Security Information and Event Management (SIEM) systems are the foundation of most processes in a modern Security Operations Center (SOC). SIEM eliminates the need for security analysts to monitor multiple systems and aggregate vast amounts of log data manually—a SIEM solution does it for them, providing alerts that combine data from multiple systems.

SIEM systems integrate with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems. SIEM also captures and analyzes log and event data and generates alerts when identifying suspicious activity that deserves further investigation.
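The point above is that a SIEM normalizes logs from different systems into one schema and alerts on patterns that no single system would reveal on its own. The following is an added illustration, not code from the page or from Splunk: it parses two constructed log sources (an SSH daemon log and a VPN gateway log), maps them to a common event schema, and raises one alert when a source IP accumulates four or more failed logins across both sources inside a five-minute window and then succeeds. The log formats, field names and the threshold of four are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): an SSH auth log and a VPN gateway log.
AUTH_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:04Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:09Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2024-03-01T10:00:15Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51244 ssh2
2024-03-01T10:05:00Z sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
"""

VPN_LOG = """\
2024-03-01T09:59:30Z vpngw: user=admin src=203.0.113.7 action=login result=failure
2024-03-01T09:59:50Z vpngw: user=admin src=203.0.113.7 action=login result=failure
2024-03-01T10:20:00Z vpngw: user=bob src=198.51.100.30 action=login result=success
"""

# Source-specific parsers; the formats are assumed for this example.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpngw: user=(?P<user>\S+) src=(?P<src>\S+) action=login result=(?P<result>\w+)"
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def normalize(auth_text, vpn_text):
    """Map both raw log formats onto one common event schema, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "sshd", "user": m["user"],
                           "src": m["src"], "success": m["outcome"] == "Accepted"})
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "vpn", "user": m["user"],
                           "src": m["src"], "success": m["result"] == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when one source IP has >= threshold failures (from any source) within
    `window` before a successful login. Neither log alone reaches the threshold in
    the sample data; only the combined view does."""
    failures = defaultdict(list)   # src IP -> list of (timestamp, source)
    alerts = []
    for e in events:
        if not e["success"]:
            failures[e["src"]].append((e["ts"], e["source"]))
            continue
        recent = [(t, s) for t, s in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": e["src"],
                "user": e["user"],
                "failure_count": len(recent),
                "sources": sorted({s for _, s in recent}),
                "success_at": e["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(AUTH_LOG, VPN_LOG)):
        print(alert)
```

Run on the sample data, the combined event stream produces one alert attributing five failures to 203.0.113.7 across both sources; running the same rule over the SSH log alone produces none, which is the gap a SIEM exists to close.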

What Is Splunk?

Splunk is a US-based company providing a popular open source software platform, with an enterprise offering built around it. Splunk indexes machine data into searchable and actionable intelligence. It aggregates and analyzes logs from a variety of sources, including APIs, applications, servers, mobile devices, and websites. 

Splunk’s log management and analytics platform uses its own search processing language to traverse large datasets of machine data and perform contextual queries. Splunk uses a distributed architecture and is able to handle very large volumes of data with high performance.

Splunk has established itself as a security information and event management (SIEM) company. By consolidating log file data collected from disparate systems and devices across your IT environment, it allows users to perform advanced security analysis and system health assessments from a single interface.

What Is Splunk Enterprise Security (Splunk SIEM)?

The Splunk SIEM solution, called Splunk Enterprise Security (Splunk ES), helps organizations rapidly detect, analyze, and remediate internal and external security threats and attacks.

Splunk Enterprise Security is built on the Splunk Operational Intelligence Platform. It uses discovery and correlation capabilities to enable users to capture, monitor, and report data from security devices, systems, and applications. Once issues are identified, security analysts can quickly investigate and remediate security threats across identities, endpoints, and networks.

Splunk Enterprise Security Overview

Splunk Enterprise Security collects activity data and stores it in a searchable format. It consolidates logs generated by various components across the IT ecosystem, including software, firmware, and operating systems. It also provides threat intelligence and vulnerability scanning features to help analyze the information and detect threats.

Log Management

Splunk provides a log server and log file management system that collects log messages from various sources and stores them centrally in a searchable format. This functionality is especially critical for maintaining compliance with regulations like the GDPR and HIPAA, which require that all actions involving sensitive data be logged and that these logs be available for auditing.

Network Traffic Monitoring

Splunk Enterprise Security gathers network data, stores it for analysis, and correlates events occurring on the network and various endpoints and servers across the ecosystem. This functionality can track various aspects, including availability, disk or storage performance, hardware, and interface problems. It provides the visibility needed to establish performance baselines and improve efficiency and productivity.

Threat Intelligence

Splunk’s threat intelligence functionality lets analysts aggregate, search, and sort system data. The solution provides pre-written search strings derived from threat intelligence.

Most SIEM solutions offer an automatically updated feed of attack vectors fed directly into the tool to add relevant detection rules continuously. Since Splunk does not have a research lab to supply this information, the solution lets you use seven specific threat intelligence sources delivered in a format Splunk can read. 
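To make concrete what "a format the SIEM can read" and "detection rules derived from threat intelligence" mean in practice, here is an added example that is not from the page or from Splunk. It loads a constructed indicator feed in a simple CSV layout (indicator, type, source, confidence), then matches constructed web proxy log lines against it. It handles three indicator types (single IP, CIDR range, domain), matches parent domains so an apex indicator also catches its subdomains, and applies a minimum-confidence filter, since low-confidence feeds are a common source of false positives. The feed columns, log format and thresholds are assumptions for this example.

```python
import csv
import io
import ipaddress
import re

# Constructed threat intelligence feed (not a real feed or any vendor's format).
THREAT_FEED_CSV = """\
indicator,type,source,confidence
203.0.113.50,ip,feed-a,90
198.51.100.0/24,cidr,feed-b,60
bad-updates.example,domain,feed-a,80
"""

# Constructed web proxy log lines; the key=value format is assumed for this example.
PROXY_LOG = """\
2024-03-01T11:00:00Z proxy: src=10.0.0.5 dest_ip=203.0.113.50 dest_host=203.0.113.50 url=/beacon
2024-03-01T11:00:05Z proxy: src=10.0.0.6 dest_ip=93.184.216.34 dest_host=www.example.com url=/
2024-03-01T11:00:10Z proxy: src=10.0.0.7 dest_ip=198.51.100.77 dest_host=mirror.bad-updates.example url=/update.bin
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) proxy: src=(?P<src>\S+) dest_ip=(?P<dest_ip>\S+) "
    r"dest_host=(?P<dest_host>\S+) url=(?P<url>\S+)"
)


def load_feed(csv_text):
    """Parse the CSV feed into lookup structures keyed by indicator type."""
    feed = {"ip": {}, "cidr": [], "domain": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        conf = int(row["confidence"])
        kind = row["type"]
        if kind == "ip":
            feed["ip"][row["indicator"]] = (row["source"], conf)
        elif kind == "cidr":
            feed["cidr"].append((ipaddress.ip_network(row["indicator"]), row["source"], conf))
        elif kind == "domain":
            feed["domain"][row["indicator"].lower()] = (row["source"], conf)
    return feed


def domain_hits(host, feed):
    """Yield matches for the host and each of its parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed["domain"]:
            source, conf = feed["domain"][candidate]
            yield candidate, source, conf


def match_events(log_text, feed, min_confidence=50):
    """Return one notable event per proxy line that hits an indicator at or above min_confidence."""
    notables = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        hits = []                      # (indicator type, indicator, feed source, confidence)
        dest_ip = m["dest_ip"]
        if dest_ip in feed["ip"]:
            source, conf = feed["ip"][dest_ip]
            hits.append(("ip", dest_ip, source, conf))
        try:
            addr = ipaddress.ip_address(dest_ip)
            for net, source, conf in feed["cidr"]:
                if addr in net:
                    hits.append(("cidr", str(net), source, conf))
        except ValueError:
            pass                       # dest_ip was not a valid address; skip range checks
        for candidate, source, conf in domain_hits(m["dest_host"], feed):
            hits.append(("domain", candidate, source, conf))
        hits = [h for h in hits if h[3] >= min_confidence]
        if hits:
            notables.append({
                "ts": m["ts"],
                "src": m["src"],
                "dest_host": m["dest_host"],
                "matches": hits,
                "max_confidence": max(h[3] for h in hits),
            })
    return notables


if __name__ == "__main__":
    for notable in match_events(PROXY_LOG, load_feed(THREAT_FEED_CSV)):
        print(notable)
```

On the sample input the first line matches a single-IP indicator, the second matches nothing, and the third matches both a CIDR range and the apex domain of its destination host; raising the confidence floor to 70 drops the low-confidence range hit while keeping the domain hit, which is the kind of tuning an analyst does before a feed is allowed to generate alerts.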

Vulnerability Scanning

Splunk Enterprise Security performs vulnerability scanning for data searches driven by threat intelligence. The solution allows you to extend its standard functionality with various plugins and add-ons available on Splunkbase, a user community forum. Most Splunkbase apps are free, but the library also offers paid tools. Alternatively, you can deploy an existing vulnerability scanner already in use as part of your security stack.

Splunk Enterprise Security Pricing

Splunk Enterprise Security can be deployed on-premises or in the cloud. To use Splunk Enterprise Security in the cloud, you must purchase a Splunk Cloud license.

Splunk offers three pricing plans:

  • Workload-based pricing—customers are charged for the number of Splunk Virtual Computing Units (SVCs) they use, based on the number of search and analytics operations being performed.
  • Entity pricing—costs are based on the number of monitored and managed hosts.
  • Ingest pricing—on-demand, quantity-based pricing based on data ingestion into Splunk products, measured in GB per day.

All plans include standard support including new releases and updates, documentation, live product roadmaps, online case submission with status, phone support, and membership in the Splunk Answers community. Premium support is available at an additional cost, speeding up response times and providing direct access to Splunk’s premium support team.

Conclusion

In this article, I explained the basics of Splunk’s SIEM solution and covered the following aspects of the product:

  • Log management
  • Network traffic monitoring
  • Threat intelligence
  • Vulnerability scanning

Finally, I discussed pricing implications of the Splunk ES solution. I hope this will be useful as you evaluate the use of Splunk as a SIEM in your organization.