
Security Information and Event Management (SIEM) is a market defined by customers' need to analyze event data in real time to detect targeted attacks and data breaches early, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance. SIEM technology aggregates the event data produced by security tools, network devices, systems and applications. The primary data source is log data, but other types of data, such as network telemetry, can also be analyzed. The SIEM enriches event data with contextual information about users, assets, threats and vulnerabilities. Data is normalized so that events and context from different sources can be analyzed for specific purposes, such as monitoring network security events, monitoring user activity and reporting on compliance. The technology provides real-time analysis of events for security monitoring, ad hoc querying, and long-range analytics for historical analysis. Security and risk management stakeholders are constantly looking for SIEM platforms whose capabilities enable early identification of, and response to, targeted attacks. Buyers have to balance advanced SIEM capabilities against the resources needed to run and tune such platforms.

Splunk

Splunk's Security Intelligence Platform consists of Splunk Enterprise and three solutions: Splunk Enterprise Security, Splunk User Behavior Analytics, and Splunk Phantom. Splunk Enterprise provides collection, search and visualization of events and data for a range of IT operations uses and for some security use cases. The premium Enterprise Security (ES) application adds most of the security-monitoring-specific features, including security-specific searches, visualizations and dashboards, as well as event management, reporting and incident response functionality. User Behavior Analytics (UBA) adds advanced analytics driven by machine learning. Phantom provides SOAR capabilities. Additional security applications are available through Splunkbase. Splunk Cloud is a SaaS offering hosted and operated by Splunk on AWS infrastructure. Both Splunk Enterprise and Splunk Cloud are built from Universal Forwarders, Indexers and Search Heads, which support n-tier architectures. Splunk is licensed by the volume of data ingested into the platform, with discounted pricing for DNS and NetFlow data. ES is typically licensed by gigabytes per day and UBA by the number of user accounts in the organization; all are offered as either perpetual or term licenses, with various options for enterprise-wide pricing and true-ups. Phantom is licensed by the number of events on which users take action. Splunk is a good fit for organizations that want a SIEM able to share infrastructure and vendor management with other IT use cases, and that want a modular approach with a range of options from simple log management to sophisticated analytics and response.

Features and Benefits:

  • Splunk software can be used to design and operate security operations centers of any size
  • Supports the full spectrum of information protection practices, including posture assessment, monitoring, alert and incident management, CSIRT work, breach and response analysis, and event correlation
  • Proven integrated security intelligence framework built on big-data technology
  • Advanced breach analysis using ad hoc searches
  • On-premises, cloud-based and hybrid deployment options
  • Improves operational efficiency by using Splunk as a security nerve center for automated and human-assisted decisions
  • Out-of-the-box SIEM and security use cases
  • Detects and investigates known and unknown threats, determines compliance status and applies in-depth security analytics

A platform's versatility and architecture largely determine whether a SIEM can meet an organization's requirements. The SIEM should be able to scale to index all of the original raw data at high volume, from hundreds of terabytes up to petabytes per day. Horizontal scaling on commodity hardware provides scalability and flexibility that high-cost proprietary appliances cannot match. Distributed search and indexing with fast search, reporting and analysis make it possible to turn results quickly into a wide variety of interactive reports and visualizations. The Splunk security platform meets the requirements of a conventional SIEM, but it also provides monitoring tools that surface useful information and context to help security teams make faster and better decisions. Adaptive Response actions let customers and partners use Splunk Enterprise Security (ES) as an analytics-driven SIEM, and let them register and customize response actions.

Because each Adaptive Response action's capabilities are visible, customers can review the list of available actions, select the appropriate ones, and deploy and manage them in the way that best suits their environment, deployment and security posture. After triaging notable events in the Incident Review dashboard, analysts can run suggested response actions to quickly gather more context or to act on an incident. Any action can also be run from a notable event's context, whether to collect information or to take a remediation step such as "block", "unblock", "open" or "close". Splunk offers many options for organizations deploying their first SIEM or replacing an existing one, with on-premises, cloud or hybrid delivery to choose from.

Splunk's core platforms, Splunk Enterprise and Splunk Cloud, cover basic SIEM use cases with collection, indexing, search and reporting. For a simple SIEM, many Splunk security customers use Splunk Enterprise or Splunk Cloud to build their own real-time correlation searches and dashboards. For advanced SIEM use cases, Splunk offers a premium application, Splunk ES, with ready-to-use dashboards, correlation searches and reports, plus pre-built correlation rules and alerts. Splunk ES runs on Splunk Enterprise, Splunk Cloud, or both.
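To make concrete what the normalization and correlation searches described above actually do, here is an added example in plain Python. It is not Splunk code and not SPL; in Splunk the same logic would be a correlation search over CIM-normalized fields, and the notable it produces would appear in Incident Review. The example takes constructed sample events in two formats, an sshd syslog line and a JSON VPN record, maps them onto a common authentication schema whose field names are borrowed in spirit from the CIM Authentication model (an assumption, not a Splunk API), then runs a "several failures followed by a success from the same source" rule and emits a notable with a suggested response action. The year applied to the syslog timestamps, the thresholds and the response text are assumptions.

```python
"""Normalize heterogeneous log events into one schema and run a SIEM-style
correlation over them.  Added example: plain Python, not Splunk SPL or ES code.
Field names (action, user, src, dest, app) are assumed CIM-style names."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events as (sourcetype, raw) pairs; two sources, two formats.
RAW_EVENTS = [
    ('linux_secure', 'Mar 12 08:01:10 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2'),
    ('linux_secure', 'Mar 12 08:01:14 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51023 ssh2'),
    ('linux_secure', 'Mar 12 08:01:19 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51024 ssh2'),
    ('linux_secure', 'Mar 12 08:01:25 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 51025 ssh2'),
    ('vpn_json', '{"ts":"2024-03-12T08:03:00Z","result":"FAIL","username":"jdoe","client":"198.51.100.9","gateway":"vpn01"}'),
    ('vpn_json', '{"ts":"2024-03-12T08:03:40Z","result":"OK","username":"jdoe","client":"198.51.100.9","gateway":"vpn01"}'),
    ('linux_secure', 'Mar 12 08:05:00 web01 sshd[2250]: Received disconnect from 192.0.2.5'),  # not an auth event
]

SSH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')


def normalize(sourcetype, raw, assumed_year=2024):
    """Map one raw event onto the common schema; None if it is not an auth event.
    Syslog lines carry no year, so one is assumed (a real pipeline uses index time)."""
    if sourcetype == 'linux_secure':
        m = SSH_RE.match(raw)
        if not m:
            return None
        ts = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {'_time': ts.replace(tzinfo=timezone.utc),
                'action': 'success' if m['outcome'] == 'Accepted' else 'failure',
                'user': m['user'], 'src': m['src'], 'dest': m['host'], 'app': 'sshd'}
    if sourcetype == 'vpn_json':
        d = json.loads(raw)
        ts = datetime.strptime(d['ts'], "%Y-%m-%dT%H:%M:%SZ")
        return {'_time': ts.replace(tzinfo=timezone.utc),
                'action': 'success' if d['result'] == 'OK' else 'failure',
                'user': d['username'], 'src': d['client'], 'dest': d['gateway'], 'app': 'vpn'}
    return None  # unknown sourcetype: surface it as skipped, never guess fields


def correlate(events, failure_threshold=3, window_seconds=300):
    """Correlation rule: >= threshold failures from one src, then a success from
    that src within the window.  A success resets the window so one burst
    produces one notable rather than one per later success."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e['_time']):
        by_src[e['src']].append(e)
    notables = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e['action'] == 'failure':
                failures.append(e)
            elif e['action'] == 'success':
                recent = [f for f in failures
                          if (e['_time'] - f['_time']).total_seconds() <= window_seconds]
                if len(recent) >= failure_threshold:
                    notables.append({
                        'rule': 'brute_force_then_success',
                        'src': src, 'dest': e['dest'], 'user': e['user'], 'app': e['app'],
                        'failure_count': len(recent),
                        'users_tried': sorted({f['user'] for f in recent}),
                        'urgency': 'high',
                        # Assumed response text; in ES this would be an Adaptive Response action.
                        'suggested_response': f"block {src} at perimeter; disable {e['user']} on {e['dest']}",
                    })
                failures = []
    return notables


def run(raw_events=RAW_EVENTS):
    """Normalize, correlate, and report how many events could not be normalized."""
    normalized, skipped = [], 0
    for sourcetype, raw in raw_events:
        n = normalize(sourcetype, raw)
        if n is None:
            skipped += 1
        else:
            normalized.append(n)
    return {'normalized': len(normalized), 'skipped': skipped, 'notables': correlate(normalized)}


if __name__ == '__main__':
    print(json.dumps(run(), indent=2, default=str))
```

Run directly, it prints one notable for 203.0.113.7 (three failures across the admin and root accounts, then a successful root login) and none for the VPN source, whose single failure is below the threshold. Events that match no known authentication pattern are counted as skipped rather than silently dropped, which is the check you want when a new sourcetype starts flowing into the SIEM and its events are not landing in the data model.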

Splunkbase also provides over 800 other security-related apps with pre-built searches, reports and visualizations for many third-party security products. These ready-to-use apps and add-ons cover security monitoring, next-generation firewalls, automated threat detection and more; they are provided by Splunk, Splunk partners and other third parties, and extend the platform's security coverage. Several paths exist for migrating from a legacy or overly complex SIEM to Splunk, and Splunk has technical resources, including trained security specialists, who can work with you to identify the best migration path.

References:

https://virtualizationandstorage.files.wordpress.com/2018/03/magic-quadrant-for-security-information-and-event-3-dec-2018.pdf

https://www.splunk.com/en_us/siem-security-information-and-event-management.html

https://www.cybermak.net/wp-content/uploads/2019/07/Use-Splunk-as-SIEM.pdf

https://www.infosecurityeurope.com/__novadocuments/254098?v=636052152332900000