Splunk is a big data BI analytics tool that allows you to do deep dives into your data, especially into your machine data. But Splunk is also presenting itself as a security solution. I was at the Splunk Live conference in Toronto last week, and fully a third of the sessions were focused on using Splunk for security. But what does analytics have to do with security?
Quite a lot, it turns out. Splunk’s strength is its ability to report on machine data, including interactions between one machine and another. Every time one machine interacts with another, data is created, and Splunk reports on this data. Because it can report on every machine interaction all the time, it can also report on anomalies that look suspicious. An employee accessing a system they’ve never logged into before? Or downloading many more files than normal? These are anomalous data points that might indicate that their credentials have been stolen and are being used by a bad actor to breach your systems.
The ability to implement these notification queries is technically available right out of the box with Splunk, once you’ve figured out how to write all of the complex queries you’d need. But Splunk offers a free toolkit to help you leverage your analytics right away. Splunk Security Essentials (SSE, free with Splunk Enterprise) is Splunk’s analytics-driven security solution. What SSE gives you is a powerful set of use cases, some of which you might be able to figure out yourself, and others you might never have thought of. Each use case comes with a description of what it is, what its security impact will be, the volume of alerts you can expect, and some demo data. This will help you to figure out what you need and what you don’t. When you have determined that one of the use cases would be valuable for you, you can implement it directly from SSE.
For example, SSE can be used to detect ransomware attacks. In SSE you can set up a query to detect the first time one of your users launches a suspicious executable file. You’d need to maintain a list of attacker tools, but when SSE finds a user executing anything on that list, Splunk flags that as an anomaly and immediately sends you an alert identifying both the user and the file executed, giving you much more notice to contain the breach as well as insight into exactly where it hit. Here’s a short video from Splunk detailing this example as well as a few others.
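To make the two detections described above concrete (a user logging into a system they have never used before, and the first time a user launches an executable on a watchlist), here is a small added example in plain Python. It is not SSE code or a Splunk search; the event records, the watchlist names, and the baseline cut-off date are all constructed for illustration, standing in for what a Splunk search over endpoint and authentication logs would return.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed process-launch events (not real Splunk data). The field names
# mimic what a Splunk search might return: _time, user, host, process.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-01-08T09:01:00", "user": "alice", "host": "ws-01", "process": "outlook.exe"},
    {"_time": "2024-01-08T09:05:00", "user": "bob", "host": "ws-02", "process": "psexec.exe"},
    {"_time": "2024-01-08T09:07:00", "user": "bob", "host": "ws-02", "process": "psexec.exe"},
    {"_time": "2024-01-08T10:00:00", "user": "carol", "host": "srv-01", "process": "procdump.exe"},
    {"_time": "2024-01-08T11:00:00", "user": "alice", "host": "ws-01", "process": "PsExec.exe"},
]

# Constructed watchlist standing in for the "list of attacker tools" the post
# says you would maintain. Keep names lower-case; matching is case-insensitive.
WATCHLIST: Set[str] = {"psexec.exe", "procdump.exe", "nc.exe"}

# Constructed authentication events: a baseline period followed by new activity.
LOGIN_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-01-02T08:00:00", "user": "alice", "host": "ws-01"},
    {"_time": "2024-01-03T08:10:00", "user": "alice", "host": "ws-01"},
    {"_time": "2024-01-03T08:30:00", "user": "bob", "host": "ws-02"},
    {"_time": "2024-01-08T02:15:00", "user": "alice", "host": "srv-db-01"},  # never seen before
    {"_time": "2024-01-08T08:05:00", "user": "bob", "host": "ws-02"},        # normal
]


def first_seen_watchlist_hits(events: Iterable[Dict[str, str]],
                              watchlist: Set[str]) -> List[Dict[str, str]]:
    """Alert on the FIRST time each (user, process) pair appears for a watchlisted
    process. Repeats by the same user are suppressed so one campaign does not
    produce a flood of identical alerts; each alert names user, host and file."""
    seen: Set[Tuple[str, str]] = set()
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        proc = ev["process"].lower()
        if proc not in watchlist:
            continue
        key = (ev["user"], proc)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"_time": ev["_time"], "user": ev["user"],
                       "host": ev["host"], "process": proc})
    return alerts


def new_host_logins(events: Iterable[Dict[str, str]],
                    baseline_end: str) -> List[Dict[str, str]]:
    """Build a per-user set of hosts from logins before baseline_end (ISO 8601,
    compared lexically), then alert on any later login to a host that user has
    never used. Hosts are added to the profile as they are seen, so the second
    login to a new host is not re-alerted."""
    known: Dict[str, Set[str]] = {}
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        hosts = known.setdefault(ev["user"], set())
        if ev["_time"] >= baseline_end and ev["host"] not in hosts:
            alerts.append({"_time": ev["_time"], "user": ev["user"], "host": ev["host"]})
        hosts.add(ev["host"])
    return alerts


if __name__ == "__main__":
    for a in first_seen_watchlist_hits(PROCESS_EVENTS, WATCHLIST):
        print("first watchlisted execution:", a)
    for a in new_host_logins(LOGIN_EVENTS, baseline_end="2024-01-08T00:00:00"):
        print("login to never-before-seen host:", a)
```

The two functions show the two halves of what the post calls anomaly reporting: a static watchlist match that is only interesting the first time it fires for a user, and a per-user baseline that turns an ordinary login into an alert only when it breaks the user's own history. In a real deployment the baseline window, the watchlist and the suppression key are the knobs that set the alert volume SSE reports for each use case.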
SSE comes with a whole slew of use cases like this, many of which are the result of real-world requirements from Splunk customers and users. So yes, Splunk is a great tool for deep dives into your organization’s machine data, but it’s not just for analyzing your data: it can help you protect it as well!