Splunk Enterprise: SIEM product overview

Expert Karen Scarfone examines Splunk Enterprise, a security information and event management (SIEM) product for collecting and analyzing event data to identify malicious activity.

Splunk Enterprise is a product that specializes in security information and event management (SIEM). Splunk Enterprise can collect security event log data from a wide variety of sources, including security controls, operating systems and applications, and then perform analysis on this data to identify activity that violates security policies or is otherwise suspicious. By identifying potential problems quickly, it triggers human or automated responses to stop attacks before they can be completed. Further, the attacks that do manage to succeed are limited as to what damage they can cause.

Product versions

Splunk Enterprise is available as locally installed software. Splunk also offers a Splunk Cloud service, which provides nearly identical capabilities to Splunk Enterprise, but delivered as a cloud-based service. See here for a comparison of the features offered by Splunk Enterprise and Splunk Cloud.

Additional security capabilities

Splunk Enterprise offers all the basic SIEM capabilities, and these can be extended through the use of add-ons. For example, Splunk Enterprise can support ingestion of threat intelligence feeds through third-party apps such as ThreatStream. Splunk also has an Enterprise Security App that offers a framework for using third-party threat intelligence feeds. Splunk Enterprise's add-ons currently provide minimal support for other advanced security capabilities; for example, they can parse an existing network traffic packet capture file, but they cannot record packet captures themselves.

Reporting capabilities

According to Splunk documentation posted here, Splunk offers reporting capabilities for various security compliance initiatives, including the following:

At least some of these reporting capabilities are provided by specialized apps added onto Splunk Enterprise, such as the Splunk App for PCI Compliance and the Splunk App for FISMA Continuous Monitoring.

Licensing

A 60-day free trial of Splunk Enterprise is available here. The Splunk Enterprise software is available for various Windows, Linux, Solaris, Mac OS X, FreeBSD and AIX platforms. The free trial supports processing of up to 500 megabytes of log data each day. After the 60-day trial ends, an organization can change the deployment to use a free license, or the organization can purchase an enterprise license, which provides more functionality than the free license and also enables larger volumes of daily log data processing. See here for additional information on Splunk Enterprise licensing.

Conclusion

Splunk Enterprise offers a unique approach to deploying and customizing a SIEM product. It is available through a software download or a cloud-based service (branded as "Splunk Cloud"), and it can then be enhanced in many ways by acquiring add-on apps. Although Splunk Enterprise has fairly limited capabilities, its support for add-ons enables it to do much more, such as use threat intelligence feeds and offer security compliance reporting capabilities. Organizations interested in evaluating Splunk Enterprise for their SIEM product should do so in conjunction with an evaluation of its add-ons.

Next Steps

In part one of this series, learn about the basics of SIEM products in the enterprise

In part two of this series, find out about the enterprise benefits of SIEM products

In part three of this series, read about the seven questions to ask before buying a SIEM product

In part four of this series, compare the best SIEM systems in the industry
