Splunk Upgrades App for Enterprise Security

By Darryl K. Taft  |  Posted 2014-01-21


Splunk, maker of a popular operational intelligence and real-time analytics platform, announced a key upgrade of its Splunk App for Enterprise Security, which allows users to detect cyber-attacks and zero in on and root out the attackers.

Splunk App for Enterprise Security 3.0 features new visualizations that enable advanced threat detection, reducing the time to incident discovery and response. It also includes a new threat-intelligence framework, support for new data types, data models and a pivot interface.

"The new Splunk App for Enterprise Security helps security professionals connect the dots to catch cyber attackers, watching their every step by enabling customers to monitor all data and see potentially malicious activity patterns," said Steve Sommer, chief marketing officer at Splunk, in a statement. "The new visualizations enable both Splunk power users and newcomers to perform complex actions needed to find and report on data anomalies and outliers."

Moreover, Sommer said the threat intelligence framework in the Splunk App for Enterprise Security delivers something security information and event management (SIEM) systems do not—all threat feeds in a single view with de-duplicated threat information. "These new enhancements can create tremendous efficiencies for security teams whose number one goal is to identify and react to threats in as little time as possible," he said.
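To make concrete what a threat-intelligence framework of the kind described above has to do, here is an added example (not Splunk's code, and not the App's actual implementation): it ingests two hypothetical feeds in different formats, normalizes each indicator so the same IP, CIDR or domain from different feeds collapses to one entry while keeping track of which feeds supplied it, and then matches the merged table against a few constructed key=value log lines to produce "notable events". The feed contents, feed names, log format and function names are all assumptions for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed feed A: CSV with an indicator, its type and a description.
FEED_A_CSV = """indicator,type,description
198.51.100.23,ip,scanner
evil.example,domain,c2
203.0.113.7,ip,bruteforce
"""

# Constructed feed B: bare indicators, one per line; overlaps with feed A.
FEED_B_TXT = """# hypothetical community feed
198.51.100.23
EVIL.EXAMPLE.
203.0.113.0/24
"""

# Constructed firewall/DNS log lines in key=value form (assumed format).
LOG_LINES = [
    "2014-01-21T10:00:01Z src=198.51.100.23 dst=10.0.0.5 action=allowed",
    "2014-01-21T10:00:02Z src=10.0.0.9 query=EVIL.example. action=resolved",
    "2014-01-21T10:00:03Z src=203.0.113.7 dst=10.0.0.5 action=denied",
    "2014-01-21T10:00:04Z src=192.0.2.1 dst=10.0.0.5 action=allowed",
]


def parse_feed_a(text):
    """Yield (indicator, description) pairs from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], row["description"]


def parse_feed_b(text):
    """Yield (indicator, description) pairs from the plain-text feed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, ""


def normalize(indicator):
    """Canonical (kind, value) key so the same IOC from two feeds collapses.
    IPs and CIDRs become ip_network strings (single hosts get /32); anything
    else is treated as a lower-cased domain without a trailing dot."""
    s = indicator.strip().lower().rstrip(".")
    try:
        return ("ip", str(ipaddress.ip_network(s, strict=False)))
    except ValueError:
        return ("domain", s)


def load_feeds():
    """Parse every feed; returns {feed_name: [(indicator, description), ...]}."""
    return {
        "feed_a": list(parse_feed_a(FEED_A_CSV)),
        "feed_b": list(parse_feed_b(FEED_B_TXT)),
    }


def build_table(feeds):
    """Merge feeds into one de-duplicated table keyed by normalized IOC.
    Each entry records which feeds supplied it, so provenance survives dedup."""
    table = defaultdict(lambda: {"sources": set(), "descriptions": set()})
    for name, entries in feeds.items():
        for indicator, desc in entries:
            entry = table[normalize(indicator)]
            entry["sources"].add(name)
            if desc:
                entry["descriptions"].add(desc)
    return dict(table)


def extract_fields(line):
    """Split the 'k=v' tokens after the timestamp into a dict."""
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def match_events(lines, table):
    """Return notable events: lines whose src/dst IP falls inside an indicator
    network (exact host or CIDR) or whose DNS query names an indicator domain."""
    nets = [(ipaddress.ip_network(v), info)
            for (kind, v), info in table.items() if kind == "ip"]
    domains = {v: info for (kind, v), info in table.items() if kind == "domain"}
    notable = []
    for line in lines:
        fields = extract_fields(line)
        hits = []
        for key in ("src", "dst"):
            if key not in fields:
                continue
            try:
                addr = ipaddress.ip_address(fields[key])
            except ValueError:
                continue  # not an IP; skip rather than fail the whole line
            hits.extend((fields[key], info) for net, info in nets if addr in net)
        if "query" in fields:
            domain = normalize(fields["query"])[1]
            if domain in domains:
                hits.append((domain, domains[domain]))
        if hits:
            notable.append({"line": line, "hits": hits})
    return notable


def run():
    """Build the merged indicator table and match the sample logs against it."""
    table = build_table(load_feeds())
    return table, match_events(LOG_LINES, table)


if __name__ == "__main__":
    table, notable = run()
    print(len(table), "unique indicators from",
          sum(len(v) for v in load_feeds().values()), "feed entries")
    for event in notable:
        print(event["line"])
        for value, info in event["hits"]:
            print("   ", value, "from", sorted(info["sources"]))
```

The point of keeping the `sources` set on each merged entry is that de-duplication must not erase attribution: an analyst triaging a notable event wants to know whether an indicator was reported by one feed or corroborated by several, and a CIDR from one feed can overlap a host address from another, which the matcher reports as two separate hits rather than silently collapsing.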

Splunk officials said threat detection speed and accuracy can be deciding factors in whether an attack becomes a massive data breach or a success story for security teams. To get a grasp on the nature of cyber-attacks as they unfold, organizations must collect any data that may be security relevant and correlate it with business data that can provide context for security events. Splunk Enterprise 6 and the Splunk App for Enterprise Security 3.0 combine to form a security intelligence platform that can support advanced security analytics at scale, in real time.

"The Splunk App for Enterprise Security provides the flexibility and customization necessary for an incident responder, security professional or SOC [security operations center] to pull the information they need to the surface quickly," said Adrian Sanabria, senior security analyst at 451 Research, in a statement. "Researching a security incident is stressful enough—being able to identify threats through a simple point-and-click interface and easily create alerts is essential. The Splunk App for Enterprise Security helps the security professional work incidents and perhaps discover the source of an intrusion in as little time as possible."

New visualizations in Splunk App for Enterprise Security 3.0 enable security professionals to visually correlate data to identify anomalous behavior, providing a starting point for security investigations. And once an unusual data pattern for a person, application or system is identified, security personnel can access raw data and can create notable events for investigation and analysis workflows.

In addition, Splunk Enterprise 6 and the Splunk App for Enterprise Security include a catalog of visualizations as a starting point, and developers can create custom visualizations using the programming language of their choice with the Splunk Web framework.

Splunk officials also note that all data is security-relevant, and the Splunk App for Enterprise Security bolsters quick decision making within the context of business activity by supporting traditional log data, flow data, packet capture data, industrial control system data, external threat intelligence feeds and other business data that may be in databases.

As an example, IDT, a telecommunications and payment services provider, is using Splunk Enterprise 6 and the Splunk App for Enterprise Security to cut threat incident response times, Splunk officials said.


"Splunk software already helped IDT security teams cut incident response times from minutes to seconds, and the new version of the Splunk App for Enterprise Security will further improve our security posture for internal and external threats," said Golan Ben-Oni, chief security officer and senior vice president of network architecture at IDT, in a statement. "One of the biggest improvements in this new version is the new visualizations which make it easier for our security investigators who aren’t Splunk experts to get their hands on all of the data. The threat intelligence framework is also a welcome addition, as it will allow us to not only view all of our feeds in one place but also eliminate duplicated information on new threats."

Version 3 of the Splunk App for Enterprise Security requires version 6 of Splunk Enterprise. Splunk customers who have purchased the Splunk App for Enterprise Security can download version 3.0 of the Splunk App for Enterprise Security on Splunk Apps.

At its Splunk Worldwide Users’ Conference in October, Splunk said eight of the world's top 10 telecommunications companies use Splunk software to manage security-related searches and to secure and troubleshoot global telecom networks when there are blips in service.

In December, Splunk announced that IDT was expanding its use of Splunk Enterprise 6 to become the company’s core operational intelligence platform across its entire organization. IDT originally selected Splunk Enterprise in 2009 to manage security-related searches and later introduced Splunk software to IT and engineering teams where Splunk is now used around the clock for securing and troubleshooting the company’s global telecom network.

Last month, Splunk also announced that IDT was replacing its legacy database technology and custom applications with Splunk Enterprise to centralize and gain visibility across huge volumes of machine data. The new features in Splunk Enterprise 6 support IDT’s plan to visualize and share business analytical insights with marketing and business teams.

"Splunk is a strategic part of our IT and business infrastructure because Splunk Enterprise is a key driver of the continuous innovation happening at IDT," Ben-Oni said in a statement. "Using Splunk Enterprise, we have vastly improved our security posture and responsiveness while also increasing our network’s effectiveness. Our business and marketing teams now eagerly anticipate the ability to visualize and report on business-related machine data, which we think will help us discover new market opportunities and revenue. The new features of Splunk Enterprise 6 that make it easier for business users to be hands on with Splunk software are a huge help in this endeavor."

IDT is expanding its use of Splunk Enterprise to gain visibility across the company’s networks, servers, applications and call detail records (CDRs), which will give the telecom company’s business executives and marketers real-time insights into the usage patterns and trends connected to their telecommunications products and services, company officials said.

Moreover, Splunk software is already being used to help IDT in IT operations, where IDT reports the mean time to resolve IT incidents improved by more than 20 minutes per incident as overall network uptime dramatically increased. IDT is using several Splunk apps, including the Splunk App for Enterprise Security, Splunk App for PCI Compliance, Splunk App for Palo Alto Networks, Splunk App for Unix, and Splunk App for Microsoft Windows.

"Eight of the world’s top ten telecommunications companies use Splunk software because of the value it delivers to the business, and IDT’s broad adoption of the platform is a prime example of how to gain visibility into machine data generated inside a complex telecom infrastructure," said Vishal Rao, Splunk’s vice president of the Americas, in a statement. "IDT proves how effective Splunk software is at helping improve operations, accelerate innovation and mitigate risk."

Meanwhile, Splunk is not alone in using analytics to assist in rooting out cyber attacks and electronic fraud. SAS also is addressing the problem via SAS Analytics.

At a SAS Premier Business Leadership Series event in Orlando last October, SAS highlighted how financial institutions lack the ammunition to properly combat cyber-threats and how SAS is applying analytics to prevent and detect attacks.

"Though cyber-security is clearly a cross-industry issue, financial institutions are leading a trend toward convergence of fraud and cyber-crime prevention technology and operations in support of a holistic approach to cyber-security," said Stu Bradley, director of Security Intelligence Solutions at SAS. "This strategy will require new capabilities, not least to fill gaps in the technology marketplace as part of solving the biggest data challenges to date, and in proactively using better analytics to make real-time, risk-based decisions."
