The complexity and heterogeneity of security infrastructures prevent IT departments from seeing the forest because of the trees. They have too much data to go through in order to be able to detect and block all relevant events. With a SIEM Splunk solution, security teams automate the aggregation and analysis of data needed to identify attacks and receive actionable information to eliminate them. IT departments are overwhelmed by the volumes of data generated by the digital “tools” they need to use or protect. Thus, 53% of cyber attacks penetrating security systems could not be detected in a timely manner (according to the Mandiant report for 2020). The causes of this phenomenon are multiple.

On the one hand, mobile devices, cloud services and IoT solutions are constantly being added to the standard infrastructure components (network, servers, storage) that need to be protected. On the other hand, the number of threats is constantly increasing and the security infrastructures are expanding, becoming more and more heterogeneous. Thus, many companies that have invested in security solutions are now unable to aggregate and analyze the data generated.

 

 

 

Security Information & Event Management (SIEM) systems are the solution to this problem. SIEM integrates security information management applications – which store and analyze log data – with event monitoring. A SIEM solution helps companies achieve:

  • Detection of security incidents that go unnoticed. According to Mandiant Security Effectiveness Report 2020, 91% of attacks do not generate any direct alert. To remedy this problem, SIEM collects data from applications, infrastructure components, terminal equipment, etc., which it correlates and analyzes using statistical algorithms.
  • Streamlining the management of security events. SIEM systems increase the response speed of IT departments, automatically identifying access points, attack routes, and compromised elements. Using correlated data, SIEM can reconstruct the chronology of events, helping companies discover what their nature is and what impact they have.
  • Compliance with requirements. A SIEM solution automatically generates reports of all detected security events, which should otherwise be compiled manually from multiple sources. Currently, SIEM systems cover the requirements of HIPAA, SOX, PII, NERC, COBIT 5, FISMA, PCI, GDPR, etc.

Splunk Enterprise Security, market leader for 7 consecutive years 

Currently, the global SIEM market is dominated by Splunk (according to Datanyze estimates). The leading position is also confirmed by the analyzes of Forrester Research and Gartner, Splunk being present in the top for 7 consecutive years. The main differentiators of Splunk Enterprise Security (ES) – the name under which the SIEM system is marketed – are:

  • a large number of predefined data sources and the ability to collect data without the need for custom connectors;
  • data collection directly from on-premises infrastructures, multi-Cloud architectures and hybrid environments;
  • ability to index thousands of Terabytes of data daily;
  • long-term storage of recorded events;
  • the ability to conduct ad-hoc investigations to detect potential threats and identify appropriate courses of action;
  • automatic anomaly detection and signaling systems, as well as advanced data correlation options for creating predefined alerts;
  • ranking the alerts according to the events criticality level and methods of reducing the number of false-positive alerts;
  • the use of a wide variety of detection and investigation methods (DNS analysis, HTTP categories, traffic monitoring, etc.) and advanced Drill-down analysis functionalities;
  • visualization of data and events in multiple formats, predefined control consoles, and the possibility of creating custom dashboards and portals;
  • improvements in the operational area by automating response measures and decision support. Support includes both common work scenarios (compliance issues, data theft, fraud, etc.) and recommended methods for detecting advanced real-time and post-compromise threats;
  • security incident audit and multiple reporting options;
    compatibility with next-generation security standards, such as STIX, TAXII, DHA, AIS, Facebook Threat Exchange, OpenIOC etc.;
  • the possibility to address and analyze work scenarios that are not strictly related to the security area.

Splunk, integration options 

Another important asset of Splunk Enterprise Security is the Adaptive Operations Framework (AOF), which simplifies the integration of SIEM into heterogeneous infrastructures. AOF connects Splunk Partner ecosystem products and technologies, ensuring native integration with over 240 products and 1,200 APIs. With the help of AOF, companies benefit from:

  • direct access to structured and unstructured data from a wide variety of sources;
  • actionable information enriched from several sources;
  • the possibility to orchestrate several technologies for conducting investigative and remedial operations.

A special place among the partner ecosystem is occupied by Cisco, Splunk SE integrating natively with products from the portfolios of networking, Data Center, security, Branch & Remote Office, collaboration, etc.

Splunk Enterprise Security uses Cisco network solutions to both collect data and improve the efficiency of investigations and responses with pxGrid. Umbrella expands SIEM coverage in the Cloud, automatically supplementing security alerts issued by Splunk SE with data about malicious domains and IPs.

However, the range of integration options is much wider. For example, a SIEM Splunk solution can collect data about the security position of end-user equipment through ISE and can perform remedial operations ( using Cisco pxGrid). By integrating with Firepower, Splunk administrators can collect data via eStreamer and analyze the reports provided by the Cisco solution. The Cisco AnyConnect Network Visibility (NVM) module for Splunk allows IT administrators to analyze and correlate end-user behavior data and the equipment they use in SIEM. In turn, Splunk SE offers the possibility of integrating a module dedicated to advanced behavioral analysis – User Behavior Analytics (UBA) -, a topic that we will detail in a future article.

Datanet Systems Services

Datanet Systems specialists can help you effectively design, implement, configure, and use a SIEM Splunk SE solution within your company and expand its detection and remediation capabilities by integrating with existing solutions. We have the advantage that:

  • we are an official Splunk partner;
  • we are one of the main system integrators locally;
  • we have experience in implementing and developing critical security infrastructures;
  • we are the largest Cisco partner in Romania.

For more information about SIEM technology and the benefits of Splunk Enterprise Security and Datanet’s business offer, please email us at: sales@datanets.ro.