Splunk Enterprise Security: Use Cases, Features, and Process
What Is Splunk Enterprise Security (Splunk ES)?
Splunk Enterprise Security (Splunk ES) includes the Splunk security information and event management (SIEM) solution. It can help you aggregate to achieve visibility and leverage security intelligence across the organization. Splunk Enterprise Security provides simplified threat management that facilitates quick threat detection and response and minimizes risk.
Splunk ES can help you achieve continuous monitoring, support your security operations center (SOC), implement incident response, or inform stakeholders about business risks. You can run the solution in various environments, such as public and private clouds, on-premises infrastructure, and hybrid deployments.
Splunk ES is available as software when using Splunk Enterprise. It is also delivered as a cloud service available for Splunk Cloud customers.
Splunk provides several other security products and solutions. Read our guide to Splunk security.
How Splunk ES Can Help Organizations
Here are a few common use cases of Splunk Enterprise Security.
Continuously Monitor Security Posture
Splunk ES helps visualize your organization's security posture using predefined dashboards and Custom Glass Table views. These views include security and performance metrics, trending indicators, and static and dynamic thresholds. Splunk ES also offers a Use Case Library to facilitate quicker detection of new and known threats.
Prioritize and Act on Incidents
Splunk ES offers several capabilities to help you optimize your incident response workflows. Notable features include centralized logs, pre-defined reports and correlations, alerts and incidents, correlations for specific views, and incident response workflows.
Splunk ES facilitates rapid investigations by offering ad hoc search capabilities alongside static, dynamic, and visual correlations to help detect malicious activities. It lets you investigate and pivot on various fields from any data to develop threat context quickly. You can leverage threat context when tracking attacker steps to verify evidence and look for more information.
Handle Multi-Step Investigations
Splunk ES lets you investigate and analyze breaches to trace activities associated with compromised systems. You can employ ad hoc searches, Splunk ES capabilities, the investigator journal, and the investigation timeline to gain insights into the attack lifecycle.
Splunk Enterprise Security Features
Splunk Enterprise Security offers the following features to help you gain visibility into your security posture:
A library of security posture widgets—you can add widgets to your dashboards or create your own.
View security events by categories—you can view events by location, source type, host, geography, and asset groupings.
Use KPIs to assess security posture—you can use KPIs to see trends and monitor your security posture.
Incident Review and Classification
Splunk Enterprise Security offers the following features for incident review and classification:
Review—Splunk ES lets you view incidents as a single event or as a ‘roll-up’ of related events. It also provides an incident management workflow designed for security teams.
Classify—Splunk ES lets you verify incidents, change the status and criticality of incidents, and transfer incidents among team members.
Track—Splunk ES audits, monitors, and tracks status changes for team metrics.
Splunk Enterprise Security offers the following endpoint protection features:
Endpoint protection—Splunk ES provides reports, searches, and a library of alerts for rare activities, malicious software (malware), and resource utilization and availability.
Threats prioritization—Splunk ES helps prioritize threats and view long-term trends.
Integration—you can Splunk ES with other endpoint security solutions, including Symantec Endpoint Protection, McAfee Endpoint Protection, and IBM Proventia Desktop.
Splunk Enterprise Security offers capabilities to help you monitor and detect events from various network and security devices. Notable capabilities include searches, correlations, dashboards, reports, and alerts on network-based events.
The solution applies statistical analysis on proxy data to help understand HTTP-based behavioral outliers. It can help you discover anomalies across various components, including firewalls, DHCP, routers, load balancers, wireless access points, data loss prevention (DLP) devices, and intrusion detection sensors.
Threat Intelligence Framework
Splunk ES helps enhance incident investigations by letting you use threat feeds from various sources. Feeds can be weighted according to relative value. It can also collect, aggregate, and de-duplicate feeds automatically. Here are common feeds:
Open source feeds—available as flat files via an API service.
Subscription-based feeds—available via TCP streaming.
Law enforcement or local environment feeds—available through manual download.
Shared threat feeds—available as OpenIOC or STIX documents via the TAXII protocol.
Splunk Enterprise Security lets you assign a risk score to assets, events, users, and behavior. You can assign scores according to the relative importance of each component or according to its value. Risk scores can help you prioritize security events and investigations. You can also track the security status of components to understand and actively manage your business risk.
Here are key capabilities:
Index all data sources—the solution enables you to use all data without using custom connectors or obtaining vendor support. This level of flexibility enables rapid access, search, and analysis of data relevant to the investigation.
Scalability—the solution lets you index hundreds of terabytes of data daily. Additionally, it does not apply any schema when indexing data to ensure you can quickly perform searches across terabytes of data.
Flexible dashboards—the solution provides dashboards that you can easily create or customize to generate a graphical view of important data or correlation quickly. You can customize the view to display multiple dashboards on one screen and see the organization's overall security posture.
Ad hoc searches—the solution lets you perform ad hoc searches to quickly locate current attacks within the environment and determine the best course of action.
How Does the Incident Review Process Work?
Let’s take a closer look at the incident review process. The Incident Review dashboard displays security events and their status, and lets you filter and explore the data to triage security incidents.
The dashboard uses the concept of a “notable event”. A notable event is one or more data points correlated across multiple data sources as belonging to the same security incident. For example, a notable event can be repeated abnormal network usage, one or more unauthorized access attempts to a certain system, or hosts communicating with known bad IPs.
Here is a sample workflow for triage of notable events:
An administrator or entry-level analyst reviews the dashboard, using sorting and filtering to identify new notable events.
When an event requires investigation, the analyst assigns this event to a Tier 1 analyst for investigation.
A Tier 1 analyst changes the event’s status to In Progress.
The Tier 1 analyst collects information about the event using fields in the event object. She records her findings in the Comments section of the event.
The analyst can now perform adaptive response actions via actions available for the event.
Once the event is fully investigated and remediation tasks are performed or escalated to other teams, the analyst changes the event’s status to Resolved.
The Tier 1 analyst assigns this event to a Tier 2 analyst for verification.
The Tier 2 analyst validates the investigation and actions taken to resolve this issue, and then changes the issue’s status to Closed.
Splunk Enterprise Security Pricing
Splunk Enterprise Security available pricing plans:
Workload Pricing—this plan is based on the compute capacity consumed by your search and analytics workloads. Splunk offers several licensing options to help you control how your total capacity is used across different scenarios and Splunk capabilities.
Ingest Pricing—this plan is based on volume consumption calculated according to GB/day data ingestion. You can use more data by purchasing the next available ingest level. This well-known pricing option continues to be available to current customers.
What are the licensing options for Splunk Enterprise Security?
Splunk Enterprise Security offers Term Licenses restricted to specific periods. Terms typically last a year, but multi-year term license options are available too. During the specified period, you can access and use Splunk Enterprise Security. You can purchase new licenses or stop using the software at the end of the term.
Are there discounts for users of other Splunk products?
Yes. Splunk offers discounts when you purchase multiple Splunk Security Operations Suite products, such as Splunk Enterprise Security, Splunk SOAR, and Splunk UBA.