Without a doubt, Splunk is a leading competitor in the cyber security space. Compared to other security information and event management systems (SIEM), we collaborate with it the most in our field and notice customers talk highly of it. Splunk becomes a true SIEM when it’s enhanced with Enterprise Security.
Let me guess. You are here because you are tired of your old SIEM and are looking to upgrade. Or you have taken up a new job role and have been handed a Splunk SIEM tool to work out of.
Regardless of the two, you will find useful takeaways from here.
- 1 What are the Concepts of Splunk?
- 2 The Architecture of Splunk SIEM
- 3 How Does Splunk SIEM Compare to other SIEMs?
What are the Concepts of Splunk?
Splunk is a popular log management tool cyber security professionals use to address the challenge of responding to tons of alerts and logs.
It is a SIEM that analysts use to analyze and visualize large amount of data. Cyber security engineers build correlation rules on top of the data to trigger notable events in real-time. The real power of Splunk is to ingest any type of human readable data.
Before going too deep into Splunk, it is worth explaining general concepts.
It is the basic form of the tool that can come in two flavors: On premise or cloud. Technically, it is a data analytics platform that makes sense of copious amounts of data.
In short, Splunk Enterprise is a software whereas Splunk Enterprise Security is an application on top of it which turns it into a true SIEM.
We have seen companies utilize the base enterprise flavor to function as a SIEM as well, but most have the Enterprise Security add-on.
It comes with the ability to:
- Aggregate and query logs
- Build correlation rules for monitoring and alerting
- Generate reporting and metrics
- Incorporate machine learning
Splunk Enterprise Security:
Enterprise Security comes with all the base Enterprise features, but it is when Splunk becomes a SIEM. It can do everything Enterprise can but more including the following frameworks:
- Asset and Identity Correlation
- Notable Events
- Threat Intelligence
- Risk Analysis
- Adaptive Response
Collection of Frameworks
Asset and Identity Correlation
Sometimes events have fields or properties that include information relevant for identifying an asset or user. To name a couple, these fields could be an IP, DNS, or MAC address or a LDAP username.
Engineers can create custom data collection add-ons to extract and prepare this data for ingestion by Splunk ES and dispatch saved searches to create lookup tables. Analysts can use these saved searches, lookup tables, and dashboards to identify assets and users within their networks.
Only available in Enterprise Security, an engineer can build notable events to better manage the ownership, triage process, and the state of incidents. Most notable events trigger via correlation searches, but engineers can also create them manually.
An example could be correlating outbound traffic against confirmed C2 servers supplied by threat intelligence. When a match is found by the correlation, trigger a notable event.
This framework allows analysts to triage and prioritize those triggered events.
The Threat Intelligence framework does what the name implies: consuming and managing threat feeds. With this, an engineer can correlate existing data with threat intelligence to create notable events on matching activity. The framework supports a large amount of threat intelligence types. The types correspond to the KV store collections where the threat intel resides:
- X509 Certificates
- File names
- IP addresses
- Registry entries
The Risk Analysis framework goes hand in hand with the Identity framework. Using the gathered identities, an Engineer can build risk modeling on their activity, base lining it on normal behavior.
Splunk ES comes with built in correlation searches for risk analysis and to correlate machine data with asset and identity data. Correlation searches search for a conditional match to a question. When a match is found, an alert is generated as a notable event, a risk modifier, or both.
Events that modify risk are called risk modifiers. These live in the risk index which contain a:
- Object Type
A risk score is a single metrics that shows the relative risk of a device or user over time whereas a risk object represents a system, a user, or an unspecified other.
Our favorite piece of the technology is this one. Adaptive Response allowed preconfigured actions to automatically trigger by correlation searches. A splendid example often used by mature teams is to automatically create ServiceNow tickets via adaptive response actions.
The special part are the technology add-ons. Enterprise Security can integrate with all kinds of technologies like vulnerability management ticketing systems, or endpoint agents.
There are two ways to invoke response actions:
- Match the trigger conditions of a correlations search
- Manually running the action
The Architecture of Splunk SIEM
Splunk is a SIEM not an IDS. It needs to accomplish two things: indexing and searching.
Think about it. You are throwing terabytes of data, all of which is structured in unique ways. Splunk needs to make sense of this data so when you can query and search it. This is where indexing takes place and is where Splunk strives compared to its competitors.
The indexer transforms raw data into events, thus placing the results into an index. It can also search already indexed data in response to search requests.
So. What happens when you have multiple indexes? Good question. Use a search head.
In a distributed search environment, the search head’s main objective is to direct searches to the correct index and to merge results back to the user who performed the search.
Sometimes data needs to be shared between or sent from one index to another. There are three types:
Universal forwarder: a dedicated version that contains only the essential components needed to send data. In most situations, this is the best way to forward data to indexers. Its main limitation is that it forwards only unparsed data.
Heavy forwarder: has a smaller footprint than a Splunk Enterprise indexer but retains most of the capabilities. Its exception is it cannot perform distributed searches. Unlike other forwarder types, a heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event. You must use this type of forwarder to route data based on event contents.
Light forwarder: has most features disabled and has been depreciated as of Splunk Enterprise version 6.0.0. It has the least impact on system resources.
Lastly, a Splunk instance can server as a deployment server. This is the tool to distribute configurations, apps, and content updates to groups of instances. You can use it to distribute updates to most Splunk components: forwarders, indexers, and non-clustered search heads.
How Does Splunk SIEM Compare to other SIEMs?
Benefits of Splunk SIEM
When it comes to the benefits, Splunk SIEM has 4 core standouts:
Scaling: Out of all of it’s competitors, Splunk scales the most effectively. It happens to be the reason Splunk gained incredible popularity in the first place. Scaling is especially important whether on-premise, cloud, or hybrid. You don’t need to worry when it comes to log retention and adding additional log sources.
Flexible search and reporting: You can customize just about anything in Splunk. All of the dashboards and graphs are powered by the same searching method using Splunk Querying Language (SPL). The underlying data can be manipulated and presented in exactly how you want it to look. If you’re tired of lame built in dashboards and graphs that you can’t change then this is the tool for you. This is the main reason Splunk is the best SIEM.
Ability to index any data type: This is one of Splunk’s biggest bragging points. Being a machine learning platform, it can ingest any human readable, non-binary data. You can even connect to databases to collect access and behavior logs.
Technology add-ons: Just about every big cyber security vendor integrates with Splunk. When it comes to choosing a SIEM, you want to make sure it can integrate with your existing toolsets.
Limitations of Splunk SIEM
For the most part, Splunk is our SIEM of choice. With any perfect tool, though, there are limitations. We find those to be:
Tough to learn: To really get value out of Splunk SIEM, you will need at least 2 full time dedicated engineers building out correlation searches and notable events. It can take years to truly master SPL.
Costs: It isn’t cheap. Splunk has the business model of charging based on the data you are bringing in. As you bring in logs, you will want to continuously add more once you realize how awesome it is to be able to search from a single pane of glass.
Heavy on resources: Although it scales great, be prepared to constantly be upgrading the specs you’ve installed Splunk SIEM on to support it’s capabilities.