Overview
All IT Data is Security-relevant
Security teams need access to IT data from security systems, plus the operating systems and applications they protect, wherever they are: physical, virtual or in the cloud. New, stealthy persistent threats require automated review of much larger data sets over longer periods of time, watching for anomalous patterns of activity that can signal the start of a security event.
Splunk Provides Operational Intelligence
IT data contains a record of all human-to-machine and machine-to-machine interactions. The value of this data to the security team for solving problems, proactively monitoring for threats, and providing business insight is huge. The key to extracting value from IT data is a single, easy-to-use solution that can scale, collect system or application data regardless of format, and turn it into meaningful information that supports business decisions.
Splunk can become the enterprise-wide system of record where you monitor, search, and report on real-time data from any user, network, system, or application activity. Correlation across this data is key to solving fraud, data security, insider threat and network security problems before they happen. This increases team performance, resulting in reduced risk to the business.
Splunk and SIEM
Splunk can complement an existing security information and event management (SIEM) system. Traditional SIEM deployments help reduce the amount of data security teams need to review while correlating different data sources using a rule-based approach to reduce false positives. This data reduction model forces users to decide what data will be included in a security investigation before a security event actually occurs. This artificially limits incident investigations and may lead to false conclusions, often away from the root cause. In contrast, Splunk’s scalability and schema-less approach expands the amount and types of data collected and analyzed.
Splunk augments the SIEM “rules-based” approach with its pattern-based analysis capabilities. Additional alerts can be created based on application error rates or other thresholds. This approach breaks down silos between operations and security teams.
Splunk includes real-time APIs that can stream data to a SIEM correlation engine, allowing you to drill down from the SIEM into Splunk while preserving legacy processes, workflows and technology investments.
Pattern-based Malware Detection
In 2010 McAfee reported over 10 million new, never-before-seen pieces of malware. Rule-based systems such as anti-virus or intrusion detection systems depend on vendor updates to detect malware already seen in the wild and are easily defeated. Monitoring for anomalous patterns of machine behavior in system data is a better approach for detecting new types of persistent, stealthy malware-based attacks.
Fraud Detection
Splunk can discover evolving fraud patterns with real-time search across all of your web access and transaction logs. Complex, suspicious patterns can be found with correlations and transaction searches, and these searches can also be scheduled to generate proactive alerts. Audit trails and data signing preserve the chain of evidence for audits or if you need to prosecute or take civil action.
Insider Threat
Malicious insiders are often the source of the most damaging security incidents. Detecting logic bombs, malicious scripts and data thefts that circumvent application controls is reactive at best and relies on cumbersome manual analysis. Specialized monitoring tools don’t cover many of the data sources where insiders leave trails. Splunk lets you monitor user behavior before malicious activity can impact your business.