
Splunk Enterprise: SIEM product overview

Expert Karen Scarfone examines Splunk Enterprise, a security information and event management (SIEM) product for collecting and analyzing event data to identify malicious activity.

Splunk Enterprise is a product that specializes in security information and event management (SIEM). It can collect security event log data from a wide variety of sources, including security controls, operating systems and applications, and then analyze that data to identify activity that violates security policies or is otherwise suspicious. By identifying potential problems quickly, it can trigger human or automated responses that stop attacks before they are completed, and it limits the damage that attacks which do succeed are able to cause.

Product versions

Splunk Enterprise is available as locally installed software. Splunk also offers Splunk Cloud, a hosted service with nearly identical capabilities to Splunk Enterprise; the difference is that it runs in the cloud rather than on the organization's own systems. See here for a comparison of the features offered by Splunk Enterprise and Splunk Cloud.

Additional security capabilities

Splunk Enterprise offers all the basic SIEM capabilities, and these can be extended through the use of add-ons. For example, Splunk Enterprise can support ingestion of threat intelligence feeds through third-party apps such as ThreatStream. Splunk also has an Enterprise Security App that offers a framework for using third-party threat intelligence feeds. Splunk Enterprise's add-ons currently provide minimal support for other advanced security capabilities; for example, they can parse a network traffic packet capture file, but not record their own packet captures.

Reporting capabilities

According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:

At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.

Licensing

A 60-day free trial of Splunk Enterprise is available here. The Splunk Enterprise software is available for various Windows, Linux, Solaris, Mac OS X, FreeBSD and AIX platforms. The free trial supports processing of up to 500 megabytes of log data each day. After the 60-day trial ends, an organization can change the deployment to use a free license, or the organization can purchase an enterprise license, which provides more functionality than the free license and also enables larger volumes of daily log data processing. See here for additional information on Splunk Enterprise licensing.

Conclusion

Splunk Enterprise offers a unique approach to deploying and customizing a SIEM product. It is available through a software download or a cloud-based service (branded as "Splunk Cloud"), and it can then be enhanced in many ways by acquiring add-on apps. Although Splunk Enterprise has fairly limited capabilities, its support for add-ons enables it to do much more, such as use threat intelligence feeds and offer security compliance reporting capabilities. Organizations interested in evaluating Splunk Enterprise for their SIEM product should do so in conjunction with an evaluation of its add-ons.

Next Steps

In part one of this series, learn about the basics of SIEM products in the enterprise

In part two of this series, find out about the enterprise benefits of SIEM products

In part three of this series, read about the seven questions to ask before buying a SIEM product

In part four of this series, compare the best SIEM systems in the industry

This was last published in November 2015
