By: Justin Fimlaid
If you are looking to leverage Splunk for security, there are a couple of ways to approach the task. In this post I'll explain some of the differences between Splunk Enterprise Security and Splunk Security Essentials.
What is Splunk?
Splunk is a best-of-breed data analytics platform. Many people use Splunk for security, but the power of the platform lies in the variety of use cases you can fulfill with a single piece of software. Splunk can do everything from monitoring IT operations to looking for fraud, supporting cybersecurity, and even monitoring Heating, Ventilation and Air Conditioning (HVAC) systems, to name a few. The use cases are endless: as long as you can ingest data in a machine-readable format (ASCII), you're limited only by your creativity.
About NuHarbor Security
NuHarbor Security is one of the leading cybersecurity firms in the country. We're often asked by companies to implement Splunk to help them monitor for security use cases. One question we are commonly asked is: what is the difference between Splunk's Security Essentials app and Splunk Enterprise Security?
Splunk Security Essentials
Splunk Security Essentials is a free application on Splunkbase. It's a reference application that contains example Splunk Search Processing Language (SPL) searches that look for specific security events. In other words, you can think of SPL and Security Essentials as a collection of pre-formatted "Google" searches over your data for specific security events. The Security Essentials app also does a nice job of organizing and categorizing the security searches by security capability and complexity.
Splunk Enterprise Security
Splunk Enterprise Security gives the security practitioner visibility into security-relevant threats found in today's enterprise infrastructure. It is built on the Splunk operational intelligence platform and uses its search and correlation capabilities, allowing users to capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve threats across the access, endpoint, and network protection domains. Enterprise Security is Splunk's Security Information and Event Management (SIEM) platform. In simple terms, it contains everything in Security Essentials but adds the ability to manage events by risk, to do deep correlations across security data, and other useful features such as SOC automation (e.g., if Splunk identifies a DDoS attack against an open port, you can automate the action of closing that port on the firewall).
Difference Between Splunk Security Essentials and Splunk Enterprise Security
These two solutions are very different in objective and intent. Unfortunately, many people get them confused. Splunk Security Essentials is a free security reference application on Splunkbase that contains foundational security use cases. The great part about Security Essentials is that all use cases are organized in stages, among other useful categorizations:
The complexity of the searches varies across the above stages. As you move up the stages, you'll see the evolution from simple data collection and aggregation to full threat-feed integration. Much of this can be done within core Splunk, but if you have Enterprise Security you can do it more easily with the Risk Framework, which adjusts the risk score based on the asset involved.
Splunk Enterprise Security is Splunk's SIEM (Security Information and Event Management) platform. In the simplest terms, Splunk Enterprise Security detects patterns in your data and automatically reviews events in a security-relevant way, using searches that correlate many streams of data. Additionally, it compares each identified event against the assets and asset values in your environment to build a comprehensive view of enterprise security risk. Splunk Enterprise Security also contains other valuable features such as Incident Review, investigation management tools, Glass Tables, etc.; those features aren't covered here. What's interesting about Splunk Enterprise Security is its statistical analysis of data. From the standpoint of security investigations and of creating security alerts, Enterprise Security can identify specific security events as well as statistical deviations from your baseline data. Over time, as you get more familiar with your data and have had a chance to see the outlying security events, that experience will inform how you tune and optimize Enterprise Security for maximum benefit: streamlined investigation and security alerting. The goal over time is to tune Enterprise Security to the point where you've removed the "hay" and are left with the "needle", so that when an alert triggers you are left with a high-fidelity security event.
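The two detection styles described above, a pre-formatted search for a specific security event (the Security Essentials style) and a search that flags statistical deviation from a baseline and weights the hit by asset value (the Enterprise Security risk style), as an added, stand-alone Python model. This is illustrative code written for this post, not Splunk's or NuHarbor's code, and it does not use Splunk, SPL or the ES Risk Framework; the log lines, the per-host history, the asset priorities and the thresholds are all constructed assumptions.

```python
"""
Toy model of two detection styles over constructed auth log lines:
  (1) a fixed-threshold search for a specific event (Security Essentials style)
  (2) a baseline-deviation search whose hits are weighted by asset value and
      accumulated into a risk score (Enterprise Security risk style)
Stand-alone Python; it does not call Splunk or Enterprise Security APIs.
"""
import re
import statistics
from collections import Counter

# Constructed asset priorities (assumption: stands in for the idea of an
# asset list that carries a priority per host; not ES's real schema).
ASSET_PRIORITY = {"dc-01": 5, "web-03": 3, "ws-07": 1}

# Constructed failed-logon counts per host for the five previous hourly windows.
HISTORY = {
    "dc-01": [2, 3, 2, 4, 3],       # normally quiet domain controller
    "web-03": [10, 12, 11, 9, 13],  # public web host, noisy by nature
    "ws-07": [0, 1, 0, 0, 1],       # workstation, almost silent
}

LINE_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)"
)


def constructed_log(host, failures, successes):
    """Build constructed key=value auth lines for the current hourly window."""
    lines = []
    for i in range(failures):
        lines.append(f"2024-01-01T09:{i:02d}:00 host={host} user=u{i % 4} "
                     f"result=failure src=198.51.100.{10 + i}")
    for i in range(successes):
        lines.append(f"2024-01-01T09:{30 + i:02d}:00 host={host} user=u{i % 4} "
                     f"result=success src=10.0.0.{2 + i}")
    return lines


# The "current hour": 8 failures on the DC, 13 on the noisy web host, 3 on a workstation.
CURRENT_WINDOW = (constructed_log("dc-01", 8, 5)
                  + constructed_log("web-03", 13, 20)
                  + constructed_log("ws-07", 3, 2))


def parse_events(lines):
    """Parse key=value auth lines into dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def count_failures(events):
    """Failed logons per host for the window (the aggregation a search would do)."""
    return Counter(e["host"] for e in events if e["result"] == "failure")


def threshold_detect(counts, limit=10):
    """Style (1): fire on any host with more than `limit` failures in the window."""
    return sorted(h for h, c in counts.items() if c > limit)


def baseline_detect(counts, history, k=2.0, min_stdev=1.0, min_history=3):
    """Style (2): fire when the current count exceeds mean + k*stdev of the
    host's own history. Returns {host: z_score} for hosts that fired.
    The stdev floor keeps a near-silent host from firing on one stray event;
    hosts without enough history are skipped (a fixed threshold is the
    natural fallback for those)."""
    fired = {}
    for host, current in counts.items():
        past = history.get(host, [])
        if len(past) < min_history:
            continue
        mean = statistics.mean(past)
        stdev = max(statistics.pstdev(past), min_stdev)
        if current > mean + k * stdev:
            fired[host] = round((current - mean) / stdev, 2)
    return fired


def risk_scores(fired, counts, priority):
    """Weight each hit by the asset's priority: same event, different risk."""
    return {h: counts[h] * priority.get(h, 1) for h in fired}


def notables(scores, threshold=20):
    """Raise a notable only once a host's accumulated risk passes the threshold."""
    return sorted(((h, s) for h, s in scores.items() if s >= threshold),
                  key=lambda hs: -hs[1])


def run(lines=CURRENT_WINDOW):
    """Run both styles over one window and return everything worth comparing."""
    counts = count_failures(parse_events(lines))
    fired = baseline_detect(counts, HISTORY)
    scores = risk_scores(fired, counts, ASSET_PRIORITY)
    return {
        "counts": dict(counts),
        "threshold_hits": threshold_detect(counts),
        "baseline_hits": fired,
        "risk": scores,
        "notables": notables(scores),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On this data the fixed threshold fires only on the noisy web host (13 failures) and misses the domain controller (8 failures), while the baseline search fires on the domain controller and the workstation because both are far above their own history, and the asset weighting then promotes only the domain controller to a notable. That is the "hay" versus "needle" effect the post describes; the stdev floor and the minimum-history rule are the kind of tuning decisions that come from watching your own data over time.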
High-level Security Use Case Mapping
| Use Case | Splunk Security Essentials (Core Splunk) or Splunk Enterprise Security |
| --- | --- |
| Security Monitoring | Essentials or Enterprise Security |
| Advanced Threat Detection | Essentials or Enterprise Security (adds statistical analysis and kill chain methodology) |
| Compliance | Essentials or Enterprise Security (some compliance standards require the ability to identify indicators of compromise, and require SIEM capability) |
| Fraud Detection and Insider Threat | Essentials |
| Incident Investigation | Enterprise Security |
| SOC Automation | Enterprise Security (adds automated response actions) |
| Incident Response | Enterprise Security (adds indicators of compromise) |
If you're interested in Splunk for security and need a sounding board for ideas, I'd encourage you to reach out. I often see folks who need security help but engage firms with no true security experience; this is a recipe for failure (or at least a reduced return on investment). NuHarbor Security is a national leader in Security Operations Center and MSSP development using Splunk.