Splunk Security Products
Splunk Enterprise Security
GreenSentries relies on the Splunk Enterprise Security SIEM to detect and defend against security incidents in our customer environments. GreenSentries can deploy Splunk ES either on customer premises (on customer hardware or a VMware platform) or in the cloud at the GreenSentries SOC. Splunk ES is available to our customers either as a perpetual, client-owned license or as an annual term license that can be paid monthly along with our managed security services.
Splunk: Analytics-Driven SIEM
Splunk Enterprise Security (ES) is a SIEM that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimizing risk and safeguarding your business. Splunk Enterprise Security streamlines all aspects of security operations and is suitable for organizations of all sizes and expertise.
Whether deployed for continuous real-time monitoring, rapid incident response, a security operations center (SOC), or for executives who need a view of business risk, Splunk ES delivers the flexibility to customize correlation searches, alerts, reports and dashboards to fit specific needs.
Splunk ES provides organizations the ability to:
- Optimize security operations through faster response times
- Improve security posture with end-to-end visibility across all machine
- Increase detection capabilities using analytics-driven security
- Make better informed decisions by leveraging threat intelligence
All data from the security technology stack can be utilized to detect, understand and take rapid, coordinated action in a manual, semi-automated or automated fashion across the entire organization.
Leader in 2016 Gartner Magic Quadrant for SIEM
Gartner recently published two new reports – the 2016 Magic Quadrant (MQ) and the 2016 Critical Capabilities for Security Information and Event Management (SIEM). In both reports, Gartner evaluated Splunk Enterprise and the Splunk Enterprise Security solution, which are used by organizations around the world.
Splunk Enterprise Security meets the Critical Capabilities for Security Information and Event Management (SIEM) to improve the detection and response to advanced threats by providing broad security intelligence.
The advanced security analytics capabilities of Splunk are available both through the native machine learning functionality of Enterprise Security and, for more advanced methods, through integration with Splunk User Behavior Analytics (UBA). Together they give customers the features needed to implement advanced threat detection monitoring and insider threat use cases.
Driven by the need to protect against advanced threats, we have seen a growing number of organizations using Splunk to augment or replace their existing SIEM deployment.
Splunk Enterprise Security Features
Improve Security Posture
Get a library of security posture widgets to place on any dashboard or easily create your own. See security events by location, host, source type, asset groupings and geography. KPIs provide trending and monitoring of your security posture.
Incident Review and Classification
View a single event or get a roll-up of related system events and an incident management workflow for security teams. Easily verify incidents, change their status and criticality, and transfer among team members, all while supplying mandatory comments about status changes. Status changes are audited, monitored and tracked for team metrics. From within the incident review view, analysts can now use risk scores and in-context searches to determine the impact of an incident quickly and to generate actionable alerts to respond on matters that require immediate attention.
Built on a Big Data Platform for Security Intelligence
Splunk ES leverages Splunk Enterprise capabilities that include:
- Index Any Data Source – The ability to bring in any data without custom connectors or vendor support enables analysts to quickly access, search and analyze the data they need to complete their investigation.
- Scalability – The ability to index hundreds of terabytes of data per day. Splunk does not apply a schema at the time data is indexed, so searches across terabytes of data can be performed quickly.
- Flexible Dashboards – Dashboards can be easily created or customized for a quick graphical view of any data or correlation that is important to the organization. Organize multiple dashboards on a single screen for a customized view of the organization’s overall security posture.
- Ad-Hoc Searches – Ad-hoc searches enable security teams to quickly understand what attacks are occurring in their environment and determine the best course of action.
Improve Security Operations
Create your own security portal based on your role and the things that matter to your organization. Organize and correlate multiple data sources visually in a single user interface to find relationships and gain context.
Visually correlate events over time for any IP address. This helps the analyst gain insight into time relationships across events.
Unified Search Editor
Use a user-friendly, consistent search creation experience—including guided searches—for key security indicator or key performance indicator correlation searches, and identity and asset investigation visualizations.
Pre-built dashboards will help you identify anomalies in event and protocol data. The dashboards are pre-built using auto-configuring thresholds and baselines.
Incident Review, Classification and Investigation
Splunk ES provides comprehensive incident review capabilities that include:
- Drill down from graphical elements to raw data and wire data captures to gain an understanding of all network communications.
- Unique workflow actions that augment the security investigation process and allow you to pivot on a single piece of common information—or any other data—to rapidly develop the threat context.
- Classification that allows for bulk event reassignment and changes in status and criticality classification, with all analyst activity available for auditing purposes.
Incident Review Audit
For governance, auditing and protection against tampering, Splunk ES provides reports on all Splunk user and system activities for a complete audit trail. The Splunk platform uses data signing to maintain chain-of-custody and detect any alterations to the original log and event data.
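The data signing mentioned above is a general log-integrity technique: each stored event carries a keyed signature and a link to the previous event, so edits, deletions and reordering are detectable. The following is an added illustration of that idea in Python; it is not Splunk's implementation and not code from this page. The signing key, the event records and the function names are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment keeps it in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2016-09-01T08:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2016-09-01T08:02:11Z", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2016-09-01T08:02:40Z", "user": "bob", "action": "login", "result": "failure"},
    {"ts": "2016-09-01T08:05:03Z", "user": "alice", "action": "sudo", "result": "success"},
]


def _canonical(event):
    """Deterministic byte encoding so the same event always signs the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_events(events, key=SIGNING_KEY):
    """Wrap each event in a record holding the previous record's hash and an HMAC
    over (previous hash | event). This forms a hash chain with keyed signatures."""
    records = []
    prev_hash = GENESIS
    for event in events:
        body = prev_hash.encode() + b"|" + _canonical(event)
        mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        records.append({"prev_hash": prev_hash, "event": event, "mac": mac})
        prev_hash = hashlib.sha256(body).hexdigest()
    return records


def chain_head(records):
    """Hash of the last record. Store this out of band (e.g. a separate system)
    so that silently dropping records from the tail is also detectable."""
    if not records:
        return GENESIS
    last = records[-1]
    body = last["prev_hash"].encode() + b"|" + _canonical(last["event"])
    return hashlib.sha256(body).hexdigest()


def verify_chain(records, key=SIGNING_KEY, expected_head=None):
    """Return (ok, index). index is the first bad record, len(records) if the
    tail was truncated, or -1 when everything checks out."""
    prev_hash = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev_hash:          # deleted or reordered record
            return False, i
        body = prev_hash.encode() + b"|" + _canonical(rec["event"])
        expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, rec["mac"]):   # altered content
            return False, i
        prev_hash = hashlib.sha256(body).hexdigest()
    if expected_head is not None and prev_hash != expected_head:
        return False, len(records)                 # records removed from the end
    return True, -1


def tamper_event(records, index, field, value):
    """Return a deep copy of the records with one event field changed (simulated tampering)."""
    altered = copy.deepcopy(records)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    recs = sign_events(SAMPLE_EVENTS)
    head = chain_head(recs)
    print("intact:", verify_chain(recs, expected_head=head))
    print("edited:", verify_chain(tamper_event(recs, 1, "result", "success")))
    print("deleted:", verify_chain(recs[:1] + recs[2:]))
    print("truncated:", verify_chain(recs[:-1], expected_head=head))
```

Note the caveat the last check shows: a hash chain alone cannot tell that records were removed from the end, which is why the current chain head must be recorded somewhere the log writer cannot rewrite.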
With Extreme Search commands, security-relevant information is available to security analysts at a greater level of depth and precision than when relying on quantitative measurements alone. Because counts, rates and thresholds are calculated using a dynamically updating model, analysts don’t have to manually adjust these values to get accurate results. Extreme Search also allows premium Splunk apps to offer key indicators and reports with easy-to-understand language cues, which are more contextual to the user than absolute numbers.
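To make the "dynamically updating model" point concrete, here is an added Python illustration of a self-adjusting threshold next to a fixed one. It is a generic rolling median/MAD baseline written for this page, not Splunk's Extreme Search implementation; the hourly failed-login counts, the window size and the multiplier are all constructed for the example.

```python
from statistics import median

# Constructed hourly failed-login counts: a quiet baseline (~10/h), one spike,
# then a lasting shift to ~60/h (e.g. a new site onboarded), then another spike.
SAMPLE_COUNTS = [10, 12, 9, 11, 10, 13,
                 90,
                 11, 10, 12,
                 60, 58, 62, 61, 59, 60,
                 61, 180]


def static_alerts(counts, threshold):
    """Fixed threshold: fires on every value above it, whatever the baseline is."""
    return [i for i, c in enumerate(counts) if c > threshold]


def adaptive_alerts(counts, window=6, k=3.0, min_spread=2.0):
    """Dynamic threshold: each value is compared with a baseline learned from the
    previous `window` values. Median and MAD are used instead of mean and standard
    deviation so a single earlier spike does not inflate the baseline and mask the
    next one. `min_spread` stops a perfectly flat history from producing a zero
    tolerance. The first `window` values are warm-up and never alert."""
    alerts = []
    for i in range(window, len(counts)):
        history = counts[i - window:i]
        center = median(history)
        mad = median([abs(x - center) for x in history])
        spread = max(1.4826 * mad, min_spread)   # 1.4826 scales MAD to a std-dev-like unit
        if counts[i] > center + k * spread:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    print("static  (>50):", static_alerts(SAMPLE_COUNTS, 50))
    print("adaptive     :", adaptive_alerts(SAMPLE_COUNTS))
```

On the constructed series the fixed threshold of 50 keeps firing for every hour after the baseline shifts, while the adaptive version flags the first spike, fires briefly while the new level is being learned, then stays quiet until the second spike. The trade-off is visible too: a genuine, lasting change of behaviour is absorbed into the baseline after a few periods, so such alerts still need an analyst's judgement rather than being silently tuned away.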