Splunk As A Siem

The document discusses adopting Splunk's analytics-driven security platform as a security information and event management (SIEM) solution. It outlines why modern SIEMs need to centralize and aggregate all security-relevant events, support various data collection mechanisms, add context and threat intelligence to security events, correlate and alert across data, detect known and unknown threats, and more. The document also discusses how machine learning and analytics can help detect anomalies and outliers that may be advanced threats.


WHITE PAPER

Adopting Splunk’s Analytics-Driven Security Platform as Your SIEM

Improve your security posture by using Splunk as your SIEM

Highlights

• Splunk software can be used to build and operate security operations centers of any size
• Support the full range of information security operations, including posture assessment, monitoring, alert and incident handling, CSIRT, breach analysis and response, and event correlation
• Out-of-the-box support for SIEM and security use cases
• Detect known and unknown threats, investigate threats, determine compliance and use advanced security analytics for detailed insight
• Proven integrated, big data-based security intelligence platform
• Use ad hoc searches for advanced breach analysis
• On-premises, cloud, and hybrid on-premises and cloud deployment options
• Improve operational efficiency with automated and human-assisted decisions by using Splunk as a security nerve center
• Actionable guidance on how to investigate and take action on threats detected in your environment using Analytic Stories

Early detection, rapid response and collaboration are needed to mitigate today’s advanced threats. But these needs impose a significant demand on security teams. Reporting and monitoring logs and security events is no longer enough. Security practitioners need broader insights from all data sources generated at scale across the entire organization from IT, the business and the cloud. In order to stay ahead of external attacks and malicious insiders, companies need an advanced security solution that can be used for rapid response detection, incident investigation and coordination of CSIRT breach scenarios. In addition, companies need the ability to detect and respond to known, unknown and advanced threats.

New Criteria for Today’s SIEM

Enterprise security teams must use a security information and event management (SIEM) solution that not only solves common security use cases, but advanced use cases as well. To keep up with the dynamic threat landscape, modern SIEMs are expected to be able to:

• Centralize and aggregate all security-relevant events as they’re generated from their source
• Support a variety of reception and collection mechanisms including syslog, file transmissions, file collections, etc.
• Add context and threat intelligence to security events
• Correlate and alert across a range of data
• Detect advanced and unknown threats
• Profile behavior across the organization
• Ingest all data (users, applications) and make them available for use: monitoring, alerting, investigation and ad hoc searching
• Provide ad hoc searching and reporting from data for advanced breach analysis
• Investigate incidents and conduct forensic investigations for detailed incident analysis
• Assess and report on compliance posture
• Use analytics and report on security posture
• Track attackers’ actions with streamlined ad hoc analyses and event sequencing
• Centrally automate retrieval, sharing and responses across the security stack
• Assess threats from the cloud, on-premises and hybrid apps and data sources

All Data Is Now Security Relevant

The evidence of an attack, as well as its activities, exists in an organization’s machine data. For security teams to properly investigate security incidents and identify threats, all data, including more than security data from traditional security products such as firewalls, IDS or anti-malware, should be brought into the SIEM. Organizations are often missing the data needed to see the real-time status of their security posture.


The activities of these advanced threats are often only in the “non-security” data, such as operating system logs, directory systems such as LDAP/AD, badge data, DNS, and email and web servers. Machine data often needs to be supplemented with internal and external threat context, such as threat intelligence feeds and other contextual information, to aid during incident response and breach detection.

Keeping Pace With the Volume and Scale of Data

The amount and types of data needed for making the most effective data-driven security decisions requires a solution that will scale to index hundreds of terabytes of data per day without normalization at collection time and that applies a schema to this data only at search (query) time.

Automated Anomaly and Outlier Detection

To detect advanced threats, all non-security and security data must reside in a single repository. This represents a massive amount of data and will provide a repository to baseline normal user and traffic activity. Using this baseline, analytics can detect the anomalies and outliers that may be advanced threats. Statistics can help with this detection by looking for events that are standard deviations from the norm. Correlations can also help by detecting combinations of events that are rarely seen and are suspicious.
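The baselining and statistical detection described in this section, as an added example that is not part of the white paper and is not Splunk code: constructed per-user daily authentication counts form the baseline; a z-score flags a user whose count today lies more than three standard deviations from that user's own mean, and a frequency table over constructed (user, source, action) tuples flags combinations that were never seen during the baseline window. Field names and the threshold are assumptions for illustration.

```python
"""Baseline normal activity, then flag statistical outliers and rare event combinations.

Added example, not code from the white paper or from Splunk. All records below are
constructed; the field names (user, source, action) are illustrative.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: daily authentication counts per user over a seven-day window.
BASELINE = {
    "alice": [12, 14, 11, 13, 15, 12, 14],
    "bob": [3, 4, 2, 3, 5, 4, 3],
    "carol": [20, 22, 19, 21, 23, 20, 22],
}
# Constructed observation to score against that baseline.
TODAY = {"alice": 13, "bob": 41, "carol": 21}


def zscore_outliers(baseline, today, threshold=3.0):
    """Return {user: z} for users whose count today lies more than `threshold`
    population standard deviations from that user's own historical mean."""
    flagged = {}
    for user, history in baseline.items():
        mu, sigma = mean(history), pstdev(history)
        observed = today.get(user, 0)
        if sigma == 0:
            # Flat baseline: there is no spread to measure against, so any
            # change at all is reported rather than dividing by zero.
            z = float("inf") if observed != mu else 0.0
        else:
            z = (observed - mu) / sigma
        if abs(z) > threshold:
            flagged[user] = round(z, 2)
    return flagged


# Constructed (user, source, action) tuples seen during the baseline window.
BASELINE_EVENTS = [
    ("alice", "vpn", "login"), ("alice", "vpn", "login"), ("alice", "vpn", "logout"),
    ("bob", "office", "login"), ("bob", "office", "login"), ("bob", "office", "logout"),
    ("carol", "office", "login"), ("carol", "vpn", "login"), ("carol", "office", "logout"),
]
TODAY_EVENTS = [
    ("alice", "vpn", "login"),
    ("bob", "vpn", "login"),         # bob has never authenticated over the VPN
    ("bob", "office", "admin_add"),  # an action never seen for anyone
]


def rare_combinations(baseline_events, today_events, max_seen=0):
    """Return today's combinations that occurred at most `max_seen` times in the
    baseline. The correlation is on the whole tuple: each field alone may be
    common (bob is known, the VPN is known) while the combination is not."""
    seen = Counter(baseline_events)
    return sorted({event for event in today_events if seen[event] <= max_seen})


if __name__ == "__main__":
    print("count outliers:", zscore_outliers(BASELINE, TODAY))
    print("rare combinations:", rare_combinations(BASELINE_EVENTS, TODAY_EVENTS))
```

Two practical caveats the white paper's one-sentence description leaves out: a user with a very tight baseline gets a large z-score from a small absolute change, so production rules normally add a minimum-count floor alongside the threshold; and a seven-point baseline is only enough to illustrate the arithmetic, not to characterize a user.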

A New Approach to SIEM

While many SIEMs purport to meet the new criteria, they may not be suitable for your organization. The list below gives the key capabilities to consider while evaluating a new SIEM or re-evaluating a legacy SIEM against the new requirements, with the benefit each one delivers:

Key Capability: Benefit

• Single platform: One product to install and manage, which simplifies operations
• Software: Provides cost-effective scaling; hardware options can match requirements and expand as needed. Hardware costs are minimized since commodity hardware can be used
• Index any data using a variety of mechanisms: Fast time-to-value. Customers should realize value from their SIEM in hours or days
• Large number of pre-defined data sources: A rich partner ecosystem reduces reliance on the SIEM vendor and custom collectors
• Flat file data store providing access to all data values and data fields with no schema or normalization: All values and fields from all data sources can be searched, reported on, and correlated as predefined alerts or for ad hoc investigation. All the original data is retained and can be searched, as compared to legacy SIEMs that require transforming different log formats into a single “taxonomy” to facilitate.
• Single data store with distributed indexing and searching for scale and speed: Scalability and speed issues are non-existent
• Flexible search for automated baselining and advanced correlations: Enhances the ability to find outliers and anomalies
• Visualization of data and incidents in multiple formats and renderings: The ability to use, create and edit existing tables, charts or scatterplots provides much needed flexibility that is suited to diverse customer environments
• Out-of-the-box support of APIs and SDKs: Interface with third-party apps to extend the capability of the SIEM
• Support of common IT use cases such as compliance, fraud, theft and abuse detection, IT operations, service intelligence, application delivery and business analytics: As security teams work in concert with other IT functions, the visibility from other use cases results in a centralized view across the organization with cross-department collaboration and stronger ROI
• Operate on-premises, in the cloud and in hybrid environments: Operate a single logical solution that allows users to search, report and operate when data is stored either on-premises or in the cloud
• Cloud deployment option (BYOL and SaaS): Helps you consolidate your business in the cloud
• Hybrid deployment with on-premises and cloud options: Optimize your business needs using SaaS or on-premises deployments without sacrificing visibility
• Response Actions: Improve operational efficiency with automated and human-assisted decisions
• Threat intelligence operationalization: Security teams can quickly and effectively translate threat information into intelligence that can be actionable to detect threats and protect your organization
• Risk scoring: Know the relative risk of a device or user in your network environment over time
• Ad hoc searching over extended periods of time: Identify breaches and conduct detailed breach analysis by drilling down into machine data to get deep, precise insight
• Supports applying the kill chain methodology of investigation: Gain visibility into an attack, understand the adversary’s objectives, monitor activities during an attack, record key information and use it to defend your organization
• Support analysis of the five styles of advanced threat defense: Helps identify advanced targeted attacks, also known as advanced persistent threats, from the network, payload and endpoint, in near real time and post-compromise
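The “no schema or normalization at collection time” capability and the “flexible search for advanced correlations” capability above, as an added example that is not Splunk’s own code: raw events from two constructed sources are stored verbatim with only a timestamp and a sourcetype attached, field extraction patterns (constructed here, with hypothetical function names) are applied at search time, and the two sources are then correlated on a field both expose, without the raw lines ever being rewritten into a common taxonomy.

```python
"""Schema at search time over raw, unnormalized events.

Added example, not code from the white paper or from Splunk. The log lines,
extraction patterns and function names are constructed for illustration.
"""
import re

# Constructed raw events from two sources, kept verbatim at collection time.
# Only a timestamp and a sourcetype are attached; nothing is parsed yet.
RAW_EVENTS = [
    ("2020-05-01T10:00:01Z", "firewall",
     "DROP src=203.0.113.7 dst=10.0.0.5 dpt=22 proto=tcp"),
    ("2020-05-01T10:00:02Z", "firewall",
     "ACCEPT src=198.51.100.4 dst=10.0.0.9 dpt=443 proto=tcp"),
    ("2020-05-01T10:00:03Z", "web",
     '203.0.113.7 - - [01/May/2020:10:00:03 +0000] "GET /login HTTP/1.1" 401 532'),
    ("2020-05-01T10:00:04Z", "web",
     '198.51.100.4 - - [01/May/2020:10:00:04 +0000] "GET /index HTTP/1.1" 200 1024'),
]

# Per-sourcetype field extractions, applied only when a search runs. Because the
# raw text is retained, a new or corrected pattern can be added later and run
# over data that was collected before the pattern existed.
EXTRACTIONS = {
    "firewall": re.compile(
        r"^(?P<action>\w+) src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) dpt=(?P<dest_port>\d+)"),
    "web": re.compile(
        r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'),
}


def search(events, sourcetype=None, **where):
    """Extract fields at query time and return the records whose extracted
    fields equal every keyword filter in `where`. Each record keeps `_raw`."""
    results = []
    for ts, st, raw in events:
        if sourcetype is not None and st != sourcetype:
            continue
        pattern = EXTRACTIONS.get(st)
        match = pattern.search(raw) if pattern else None
        fields = match.groupdict() if match else {}
        record = {"_time": ts, "sourcetype": st, "_raw": raw, **fields}
        if all(record.get(key) == value for key, value in where.items()):
            results.append(record)
    return results


def dropped_then_failed_login(events):
    """Correlate across sourcetypes on src_ip: addresses the firewall dropped on
    one port that also produced an HTTP 401 on the web tier. Neither source was
    normalized; the join key exists only because both extractions name it."""
    dropped = {r["src_ip"] for r in search(events, sourcetype="firewall", action="DROP")}
    failed = {r["src_ip"] for r in search(events, sourcetype="web", status="401")}
    return sorted(dropped & failed)


if __name__ == "__main__":
    for rec in search(RAW_EVENTS, sourcetype="firewall", action="DROP"):
        print(rec["_time"], rec["src_ip"], "->", rec["dst_ip"], "port", rec["dest_port"])
    print("dropped and failed login:", dropped_then_failed_login(RAW_EVENTS))
```

The trade-off the list above only hints at: a collect-time taxonomy makes every query cheap but loses whatever the mapping discarded, while search-time extraction keeps everything and pays the parsing cost on each query, which is why the scaling rows of the list matter for this design.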


The flexibility and architecture of the platform play a key role in determining whether the SIEM can scale to meet the needs of an organization. It’s important that the SIEM software can scale and is able to quickly index all the original, raw data at massive volumes – from several hundreds of terabytes to petabytes of data indexed per day. Scaling horizontally, using commodity hardware, provides the flexibility and compute scalability that expensive physical appliances are unable to meet. The use of distributed index and search technology with fast searches, reporting and analytics enables the quick transformation of results into a wide range of interactive reports and visualizations.

Splunk as Your SIEM

The Splunk security platform meets the criteria for a modern SIEM solution, but it also delivers security analytics capabilities, providing the valuable context and visual insights that help security teams make faster and smarter security decisions.

Adaptive Response actions provide the ability to register and configure response actions, enabling customers and partners to use their existing capabilities with Splunk Enterprise Security (ES) as an analytics-driven SIEM solution. The visibility into the capabilities and actions of each Adaptive Response entity helps customers view the list of actions available, select appropriate actions, and deploy and manage the entities and their actions in ways best suited to their environment, deployment and security operations. Analysts can take suggested response actions to quickly gather more context or take action when reviewing notables in the Incident Review dashboard. Analysts can also execute any action from a notable event context, so they can gather information or take action such as “block,” “unblock,” “open” or “close” to remediate an incident.

Splunk offers several options for enterprises looking to deploy their first SIEM solution or to migrate from their legacy SIEM, and offers the choice of on-premises, cloud or hybrid deployment options. Customers can solve their basic SIEM use cases using Splunk Enterprise and Splunk Cloud, which are core Splunk platforms, providing collection, indexing, search, and reporting capabilities. Many Splunk security customers use Splunk Enterprise or Splunk Cloud to build their own real-time correlation searches and dashboards for a basic SIEM experience.

Splunk offers a premium solution, Splunk ES, which supports advanced SIEM use cases with ready-to-use dashboards, correlated searches and reports. Splunk ES runs on Splunk Enterprise, Splunk Cloud or both. In addition to pre-built correlation rules and alerts, Splunk ES also improves visibility and responsiveness for security analysts with focused threat detection to better accelerate incident investigation. It also reduces risk by enabling faster detection and incident response to newly discovered and ongoing threats. And Splunk ES also includes a feature called the Investigation Workbench that helps analysts better understand the full scope of incidents and make real-time decisions to get ahead of threats.

For security teams of all sizes and maturity levels, the Splunk Use Case Library makes it possible for security analysts to proactively stay current with the changing threat landscape by leveraging additional knowledge from the Splunk Security Research team. Within the Use Case Library, subscribers get regular updates to help security practitioners of all skill levels stay current with the latest cyberthreat trends and defense tactics in order to quickly address those threats. Additionally, there are over 800 other security-related apps on Splunkbase with pre-built searches, reports and visualizations for specific third-party security vendors. These ready-to-use apps and add-ons provide capabilities ranging from security monitoring, next generation firewall, advanced threat management and more. These increase the security coverage and are provided by Splunk, Splunk partners and other third-party providers.

There are several ways to migrate from legacy or complex SIEMs to Splunk. Please contact Splunk sales to learn more. Splunk has technical resources, including dedicated security specialists, who can work with you to determine the best migration path.

Thousands of customers use Splunk software for SIEM and advanced security use cases. Splunk has won numerous industry awards including placement as a leader in the Gartner Security Information and Event Management (SIEM) Magic Quadrant.

…but there’s very little that can be done to prevent cybercriminals from launching these attacks. Worse yet, most IT organizations simply don’t have the manpower to keep up with those attacks on their own. The difference between those attacks being a routine annoyance versus a catastrophic event invariably comes down to the robustness of an organization’s SIEM platform.

The good news is that setting up an analytics-driven SIEM is easier than ever. Add to that the sophistication that a modern SIEM can now apply to defending the IT environment and it quickly becomes not a question of whether an IT organization needs a SIEM, but rather how quickly it can be implemented before the next wave of cyberattacks gets launched.

Download Splunk for free or explore the Splunk Enterprise Security online sandbox. Whether cloud, on-premises, or for large or
small teams, Splunk has a deployment model that will fit your needs. Learn more.

Learn more: www.splunk.com/asksales www.splunk.com

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and
other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved. 2020-SEC-Adopting Splunks Analytics-Driven SIEM-110-WP
