The abundance of alerts that IT departments need to process and analyze makes it difficult to detect real security threats and, more importantly, to address them. Splunk Enterprise Security enables companies to overcome these challenges, helping them identify risks and take the necessary remedial action quickly. Datanet Systems recently organized a webinar in which it presented how the Splunk SIEM platform can be used to increase efficiency in Security Operations Centers.
Improving efficiency in Security Operations Centers (SOCs) is a critical priority for many companies: according to Cisco studies, only 56% of security events are investigated, and only half of those (28% of all events) turn out to be real threats.
During the webinar “Efficiency in Security Operations Center with Splunk Enterprise Security”, recently organized by Datanet Systems, authorized partner for Splunk products in Romania, the concrete ways in which the SIEM platform responds to these challenges were presented and detailed.
Access below the full video recording of the “Efficiency in Security Operations Center with Splunk Enterprise Security” webinar:
“Splunk Enterprise is a platform for comprehensive analysis of the data from the IT infrastructure that removes any barrier between collecting actual information and generating response actions based on it. The platform centralizes structured data from the entire IT infrastructure, regardless of the source, interrogates and analyzes it, but the value is not only given by the ownership of the data but by the fact that, based on the results obtained, actions can be triggered quickly. Think of Splunk Enterprise as a «Google for data centers», with which you can quickly search for any information, applications, and associated events. By simply typing in some keywords, all the matching events are listed with details and time-stamps, which helps to observe the chronology of events. Any search can be transformed into a graph, to provide a more intuitive perspective, and then, through drill-down analyses, each specific element and any subset of data can be investigated to identify the causal chain of a security incident, whether we are talking about unauthorized access or cyberattacks”, explained Selim Seynur, IT security specialist and Soitron Group collaborator, the group of which Datanet Systems is also a part.
The security specialist highlighted that the value of the SIEM platform comes from the fact that a search can be associated with a set of correlated actions. Splunk Enterprise Security allows the creation of alerts defined according to certain trigger conditions, and based on these alerts the platform can automatically trigger specific remedial actions in other security products, such as Palo Alto firewalls, for example. In fact, one of the main competitive advantages of Splunk Enterprise Security is its ecosystem of applications – over 2,000 today – that can be integrated into the platform using the connectors available to Splunk customers.
Concrete solutions to real problems with Splunk Enterprise Security
To exemplify how Splunk Enterprise Security (Splunk ES) helps companies manage security risks, Selim Seynur briefly presented a set of frequent use cases:
- Security monitoring – Splunk SIEM continuously and automatically monitors IT infrastructures and their critical components. The platform delivers 24/7 real-time information on potential risks detected, compliance issues and alerts. Thus, Splunk Enterprise Security ensures extended visibility on vulnerabilities, facilitating the understanding of the context of detected threats and the analysis of any type of incident, through ad-hoc investigations, Threat Hunting methods, etc.
- Advanced Threat Detection – The SIEM platform detects compromised equipment and users, highlights activities in those accounts, and associated risks, providing an extensive list of indicators and information.
- Investigation of security incidents – Splunk facilitates the identification of the real causes of a security incident, offering the possibility to aggregate relevant contextual data associated with that event. The platform correlates investigations – both for cloud environments and on-premises infrastructures – in the dedicated “Investigation Workbench” module, providing security operational teams with the information needed to understand a situation and identify appropriate options for resolving incidents.
- Incident Response – Splunk Enterprise shortens the investigation cycle by confirming and prioritizing critical threats and quickly launching responses based on the type of risk associated with each threat. The platform integrates with many other IT security applications and equipment, and allows the rapid initiation, directly from the investigation module in Splunk ES, of corrective actions performed by those applications and devices.
- Operational automation in the security center – Splunk ES is the optimal solution for Security Operations Centers that need full visibility into a complex IT infrastructure and automation of current operations. The SIEM platform automates the centralized data collection, information sharing and launch of response actions, shortening the duration of detection processes, investigations and remediation measures.
- Simplification of audit processes – Splunk Enterprise allows companies to conduct security audit processes with minimal effort, by providing a real-time perspective on the level of security and recording and synthesizing the data required for auditing, with dedicated control and traceability features.
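The paragraph above on alerts with trigger conditions, and the Incident Response and automation use cases in the list, describe the same mechanism: a correlation rule runs over collected events, fires a notable alert when a condition is met, and hands that alert to a response action. The following Python is an added illustration written for this summary, not Splunk code and not from the webinar: it models that chain with a constructed set of authentication events, a brute-force trigger condition (a number of failures for one user from one source inside a sliding window, upgraded when a success follows), and a hypothetical playbook that maps alert severity to the response actions a connector would carry out. Field names, thresholds, risk scores and the playbook are assumptions chosen for the example.

```python
"""Toy correlation search plus response-action planning (illustrative only).

Models what a SIEM alert pipeline does: sort events, apply a trigger
condition over a time window, emit a notable alert with a risk score,
and map it to response actions. Not Splunk's implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication events (not real data). In a SIEM these
# would be rows returned by a search over an authentication data source.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"ts": "2024-05-01T10:00:05", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"ts": "2024-05-01T10:00:09", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"ts": "2024-05-01T10:00:14", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"ts": "2024-05-01T10:00:20", "user": "alice", "src_ip": "203.0.113.7", "action": "failure"},
    {"ts": "2024-05-01T10:00:31", "user": "alice", "src_ip": "203.0.113.7", "action": "success"},
    {"ts": "2024-05-01T10:01:00", "user": "bob", "src_ip": "198.51.100.4", "action": "failure"},
    {"ts": "2024-05-01T10:01:10", "user": "bob", "src_ip": "198.51.100.4", "action": "success"},
    {"ts": "2024-05-01T09:00:00", "user": "carol", "src_ip": "192.0.2.9", "action": "failure"},
    {"ts": "2024-05-01T09:30:00", "user": "carol", "src_ip": "192.0.2.9", "action": "failure"},
]

# Hypothetical playbook: severity -> (action, which alert field is its target).
PLAYBOOK = {
    "medium": [("notify_soc", None)],
    "high": [("notify_soc", None), ("block_src_ip", "src_ip"), ("force_password_reset", "user")],
}


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate_auth_failures(events: List[dict], threshold: int = 5,
                            window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Trigger condition: `threshold` or more failures for one (user, src_ip)
    inside `window` raises a 'medium' notable; a success from the same pair
    while those failures are still inside the window upgrades it to 'high'."""
    recent: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    notables: Dict[Tuple[str, str], dict] = {}
    for ev in sorted(events, key=_ts):          # events may arrive out of order
        key = (ev["user"], ev["src_ip"])
        now = _ts(ev)
        # Slide the window: forget failures older than `window`.
        recent[key] = [t for t in recent[key] if now - t <= window]
        if ev["action"] == "failure":
            recent[key].append(now)
            if len(recent[key]) >= threshold:
                n = notables.setdefault(key, {
                    "user": ev["user"], "src_ip": ev["src_ip"], "first_seen": ev["ts"],
                    "severity": "medium", "risk_score": 40, "followed_by_success": False,
                })
                n["failures"] = len(recent[key])
        elif ev["action"] == "success" and len(recent[key]) >= threshold:
            # Failures followed by a login: the condition that most needs a response.
            n = notables[key]
            n.update(severity="high", risk_score=80, followed_by_success=True)
    return list(notables.values())


def plan_response(notable: dict) -> List[str]:
    """Map a notable to the response actions an integration would execute.
    Here we only return the planned actions as 'action:target' strings."""
    planned = []
    for action, field in PLAYBOOK[notable["severity"]]:
        target = notable[field] if field else "soc-queue"
        planned.append(f"{action}:{target}")
    return planned


if __name__ == "__main__":
    for alert in correlate_auth_failures(SAMPLE_EVENTS):
        print(alert)
        print("  ->", plan_response(alert))
```

With the sample data only the alice/203.0.113.7 pair crosses the threshold, and because a success follows the failures it is raised to high severity with the full playbook; bob's single failure and carol's two failures 30 minutes apart never trigger, which is the point of scoping the rule to a window rather than counting failures over all time.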
The webinar organized by Datanet Systems also included a demonstration session that showed how data sources are defined and integrated in the SIEM platform, how to perform security searches and investigations, how to set alerts, and how to configure automatic response actions.
The demo can be viewed by accessing the full recording of the webinar “Efficiency in Security Operations Center with Splunk Enterprise Security”: https://www.youtube.com/watch?v=MhvuDzFW1Eo