
Fact Sheet

Splunk App for Enterprise Security


Security Intelligence and Continuous Monitoring for
Known and Unknown Threats

Meeting the Challenge of Detecting Known and Unknown Threats
Today's attackers have the time, expertise and resources to
create attack scenarios that bypass detection by security point
products and downstream security information and event
management (SIEM) systems. Their actions are hidden in the
terabytes of data generated through normal user activities. The
bad guys have realized that many security teams can't see these
attacks due to organizational data silos, data collection issues,
scalability challenges or a lack of analytics capabilities.

Listening to data from point security systems and using
statistics to analyze user activities can help close the uneven
gap between the attacker and the security professional. The same
statistical analysis, coupled with context from other enterprise
data sources (e.g., time management systems, HR databases,
asset databases), can be used to detect and understand
insider threats, including fraud and intellectual property theft.
Monitoring for known threats (as reported by traditional security
systems) and for unknown threats is now part of a revised security
charter. What enterprise solution can meet the goal of providing
security intelligence and minimizing business risk?

Detecting advanced threats and deterring malicious insiders
requires a new approach to security that can only be facilitated by
a big data security intelligence platform. This platform needs to
ingest system logs, binary data (flow and packet data) and threat
intelligence data and then correlate this data with context from
business systems across the enterprise. These capabilities enable
the security analyst to use statistical analytics on any data source
to help find unknown threats, while continuing to monitor known
threats detected by traditional security technologies.

Enterprise Security Intelligence Defined:

The collection of data from all IT systems in the enterprise
that could be security relevant, and the application of the
security team's knowledge and skill, resulting in business
value and benefit.

The Splunk App for Enterprise Security

Whether deployed for incident response, a security operations
center or for executives that need a window into business
risk, the Splunk App for Enterprise Security (ES) gives you the
flexibility to customize views to fit specific needs. New features
in the Splunk App for Enterprise Security include point-and-click
predictive analysis visualizations, an easy-to-use threat
intelligence framework and a threat investigator that facilitates
viewing threat patterns for hosts or identities. Together, this
functionality helps you monitor for known and unknown
threats. Other out-of-the-box content includes:

- Automated Correlation Searches that use the Splunk Search
Processing Language (SPL) for cross-data-type correlations and
give the user an understanding of evolving threat scenarios in
real time
- Statistical Analysis commands native to Splunk Enterprise,
employed to support dashboards that highlight anomalies in
HTTP communications, a key communications protocol for
advanced threats
- Technology Add-ons that map specific data sources and data
fields into a common information model
- Flexible Dashboards that let you create your own security
portal based on your role in the organization's view of what's
important (see Figure 1)
- Threat Analyzer that supports visualizing patterns of host,
identity or IP activity across data types and across time that may
indicate a compromised host or malicious insider (see Figure 2)
- Reports and Security Metrics: any search result can be rendered
as a graphic, dashboard, table or raw data and exported
as a PDF or CSV; data models and pivot tables support turning
raw unstructured data into analytics
- Incident Review, Classification and Collaboration, supported
as part of a comprehensive incident review capability that allows
for bulk event reassignment and changes in status and criticality
classification; for any change to occur, comments are required
for auditing purposes
- User Identity Correlation that answers questions about a specific
user's activity across the multiple identities required for access to
multiple applications

With time-indexed collection of any data, no up-front
normalization and the ability to apply a data schema at search
time, barriers to collecting and viewing application and
operations data for security event context are removed. The
Splunk platform can collect any structured or unstructured
data from provisioning systems, GPS, RFID, DHCP servers and
DNS systems and view this data in the context of change
management, physical access or other data needed for
security investigation. Splunk Enterprise and the Splunk App
for Enterprise Security provide a single, flexible and scalable
security intelligence solution that extends beyond the limits of
traditional SIEM technologies.

Figure 1. Enterprise Security 3.0 Security Posture Dashboard
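The search-time schema, the common information model that Technology Add-ons populate, and User Identity Correlation described above, shown as an added example in plain Python rather than Splunk's SPL. This is not Splunk code or content from the app: the raw log lines, the three extraction regexes, the identity lookup table and the field names are all constructed for the example, and the final correlation (a successful VPN login followed by a large upload through the proxy) is one illustrative cross-source search, not a rule the fact sheet names.

```python
"""Added example (not Splunk code): apply a schema at search time to raw
events from three sources, normalise them into one common field model, and
correlate one person's activity across the several account identities they
use. Log lines, regexes, identity mappings and field names are constructed."""
import re
from collections import defaultdict

# Constructed raw events: (sourcetype, raw line). Formats are illustrative.
RAW_EVENTS = [
    ("vpn", "2014-03-03T08:02:11Z vpn01 user=jsmith src=203.0.113.7 action=login result=success"),
    ("winauth", "2014-03-03T08:05:40Z dc01 EventCode=4624 Account_Name=CORP\\john.smith Source_Network_Address=10.1.4.22"),
    ("proxy", "2014-03-03T08:09:02Z proxy01 10.1.4.22 jsmith@corp.example GET http://files.example.net/report.zip 200 5242880"),
    ("vpn", "2014-03-03T08:15:00Z vpn01 user=aliu src=198.51.100.9 action=login result=failure"),
    ("winauth", "2014-03-03T08:16:12Z dc01 EventCode=4624 Account_Name=CORP\\svc_backup Source_Network_Address=10.1.4.22"),
]

# Search-time extraction: one regex per sourcetype. The capture-group names are
# already the common-model field names (user, src, dest, action, bytes), so no
# up-front normalisation of the raw data is needed.
EXTRACTORS = {
    "vpn": re.compile(r"^(?P<time>\S+) \S+ user=(?P<user>\S+) src=(?P<src>\S+) "
                      r"action=(?P<action>\S+) result=(?P<result>\S+)"),
    "winauth": re.compile(r"^(?P<time>\S+) \S+ EventCode=(?P<code>\d+) "
                          r"Account_Name=(?P<user>\S+) Source_Network_Address=(?P<src>\S+)"),
    "proxy": re.compile(r"^(?P<time>\S+) \S+ (?P<src>\S+) (?P<user>\S+) (?P<action>\S+) "
                        r"(?P<dest>\S+) (?P<status>\d+) (?P<bytes>\d+)"),
}

# Identity lookup (what an Identity Center CSV would hold): account string -> person.
IDENTITY_LOOKUP = {
    "jsmith": "John Smith",
    "CORP\\john.smith": "John Smith",
    "jsmith@corp.example": "John Smith",
    "aliu": "Alice Liu",
}

def extract(sourcetype, raw):
    """Apply the sourcetype's regex at search time; return common-model fields or None."""
    m = EXTRACTORS[sourcetype].match(raw)
    if not m:
        return None
    fields = dict(m.groupdict(), sourcetype=sourcetype)
    # Source-specific values are mapped onto the common model here, not at index time.
    if sourcetype == "winauth":
        fields["action"] = "login" if fields["code"] == "4624" else "other"
        fields["result"] = "success" if fields["action"] == "login" else "unknown"
    if "bytes" in fields:
        fields["bytes"] = int(fields["bytes"])
    # Resolve the account string to a person; accounts missing from the lookup are flagged.
    fields["person"] = IDENTITY_LOOKUP.get(fields["user"], "UNMAPPED:" + fields["user"])
    return fields

def normalise(events):
    return [e for e in (extract(st, raw) for st, raw in events) if e]

def activity_by_person(events):
    """Time-ordered activity per resolved person, spanning every sourcetype and identity."""
    timeline = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        timeline[e["person"]].append((e["time"], e["sourcetype"], e["action"],
                                      e.get("dest") or e.get("src")))
    return dict(timeline)

def unmapped_accounts(events):
    """Accounts absent from the identity lookup: a coverage gap the analyst should close."""
    return sorted({e["user"] for e in events if e["person"].startswith("UNMAPPED:")})

def downloads_after_vpn(events, min_bytes):
    """Illustrative cross-source correlation: a successful VPN login followed by a
    proxy transfer of at least min_bytes by the same person (any identity)."""
    logged_in, hits = set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["sourcetype"] == "vpn" and e["result"] == "success":
            logged_in.add(e["person"])
        elif e["sourcetype"] == "proxy" and e["person"] in logged_in and e["bytes"] >= min_bytes:
            hits.append((e["person"], e["time"], e["dest"], e["bytes"]))
    return hits

if __name__ == "__main__":
    evs = normalise(RAW_EVENTS)
    for person, steps in activity_by_person(evs).items():
        print(person)
        for step in steps:
            print("   ", *step)
    print("unmapped accounts:", unmapped_accounts(evs))
    print("large transfer after VPN login:", downloads_after_vpn(evs, 1_000_000))
```

Two design points carry over to any SIEM: the regexes are applied when the search runs, so a new sourcetype costs one regex and no re-indexing, and the identity lookup is what lets three different account strings collapse into one timeline; every account it cannot resolve is surfaced rather than silently dropped.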

Splunk App for Enterprise Security Overview


Security Posture
Get a library of security posture widgets to place on any
dashboard or build your own. See security events by location,
host, source type, asset groupings and geography. Key
performance indicators (KPIs) provide real-time trending and
monitoring of your security posture.

Incident Review, Classification and Collaboration

Incident Review provides a view of a single event or a roll-up of
related system events and an incident management workflow for
security teams. Security teams can verify incidents, change their
status and criticality, and transfer them among team members, all
while supplying mandatory comments about status changes. Status
changes are audited, monitored and tracked for team metrics.
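An added example, not Splunk's implementation, of the two properties this workflow and the Incident Review Audit section below describe: every status change must carry a comment, and the recorded history is signed so that later alteration is detectable. The trail is an append-only list in which each record is HMAC-chained to its predecessor; the signing key, incident IDs, analyst names and comments are constructed for the example.

```python
"""Added example (not Splunk's data-signing mechanism): a comment-required
incident status log whose records are HMAC-chained, so that editing, deleting
or reordering any record breaks verification. Key and records are constructed."""
import hashlib
import hmac
import json

STATUSES = ("new", "in_progress", "resolved", "closed")
GENESIS = "0" * 64  # chain value assumed by the first record

def _canonical(body):
    # Canonical JSON so that the same record always produces the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _mac(key, prev, body):
    return hmac.new(key, prev.encode() + _canonical(body), hashlib.sha256).hexdigest()

class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []      # each record carries its body plus prev and mac
        self._prev = GENESIS

    def record_change(self, incident_id, analyst, new_status, comment, new_owner=None):
        """Append one reviewed change. The comment is mandatory, as the workflow requires."""
        if not comment or not comment.strip():
            raise ValueError("a comment is required for every status change")
        if new_status not in STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        body = {
            "seq": len(self.records),
            "incident": incident_id,
            "analyst": analyst,
            "status": new_status,
            "owner": new_owner or analyst,
            "comment": comment.strip(),
        }
        entry = dict(body, prev=self._prev, mac=_mac(self._key, self._prev, body))
        self.records.append(entry)
        self._prev = entry["mac"]
        return entry

def verify(records, key: bytes):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, r in enumerate(records):
        body = {k: v for k, v in r.items() if k not in ("prev", "mac")}
        if r.get("prev") != prev or body.get("seq") != i:
            return False, i          # link or sequence broken: deletion or reordering
        if not hmac.compare_digest(_mac(key, prev, body), r.get("mac", "")):
            return False, i          # content changed after signing
        prev = r["mac"]
    return True, None

def demo(key=b"constructed-demo-key-do-not-use"):
    trail = AuditTrail(key)
    trail.record_change("INC-1001", "analyst_a", "in_progress",
                        "Triaging: confirmed beacon to a known C2 range")
    trail.record_change("INC-1001", "analyst_b", "resolved",
                        "Host reimaged; indicators added to blocklist", new_owner="analyst_b")
    try:
        trail.record_change("INC-1001", "analyst_a", "closed", "   ")
        blank_rejected = False
    except ValueError:
        blank_rejected = True
    edited = [dict(r) for r in trail.records]
    edited[1]["comment"] = "False positive, nothing done"   # quiet rewrite of history
    return {
        "intact": verify(trail.records, key),
        "edited": verify(edited, key),
        "truncated": verify(trail.records[1:], key),   # first record deleted
        "blank_comment_rejected": blank_rejected,
        "record_count": len(trail.records),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chain only proves integrity relative to whoever holds the key, so in practice the key lives with the audit function rather than with the analysts whose changes it records; a hash chain without a key would still catch accidental corruption but not a deliberate rewrite by someone who can recompute the hashes.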

Access Protection
Simplify access control monitoring, exception analysis and audit
processes for applications, operating systems and identity
management systems across the enterprise. Satisfy compliance
and forensics requirements to track highly privileged users and
system access attempts on any business critical application.

Asset Center/Identity Center

Understanding where assets are, who owns them, their criticality
and who should be accessing critical information on systems
helps prioritize security events and investigations. The app
leverages Splunk's ability to perform real-time lookups of data
stored in an asset database, Active Directory, spreadsheets or
CSV files and use that information as context for security events in
reports and dashboards.

Incident Review Audit

One important aspect of governance is auditing the security
solution itself and protecting event and log data against
tampering. The Splunk App for Enterprise Security provides
reports on all Splunk user and system activities for a complete
audit trail. The Splunk platform uses data signing to maintain
chain of custody and detect any alterations to the original log
and event data.

Adding New Data Sources

Splunk collects and indexes all machine-generated data without
the need for custom connectors or adapters, even for multi-line
custom application logs. This data can reside in databases, files
or Hadoop data stores. The app leverages Splunk's ability to
index log data, configuration files, events and activities generated
by any application, server, network or security device without
custom connectors, complex schemas or expensive database
deployments.

Incident Response and Investigation

Built for speed, the security intelligence solution supports
drill-down from graphical elements to raw data. When working
with the raw data, built-in workflow actions (a feature unique
to Splunk and the app) augment the security investigation
process and allow the user to pivot on a single piece of
common information across data types to follow the trail of an
investigation wherever it leads.

Endpoint Protection

Increase the effectiveness of endpoint security products such
as Symantec Endpoint Protection, IBM Proventia Desktop or
McAfee Endpoint Protection. Prioritize threats and view long-term
trends. Endpoint Protection includes searches, reports and
a library of alerts for malware, rare activities, resource utilization
and availability.

Network Protection

Monitor and detect events from network and security devices
across the enterprise. Discover anomalies across firewalls,
routers, DHCP, wireless access points, load balancers, intrusion
detection sensors and data loss prevention devices. The
app's capabilities include correlations, searches, reports and
dashboards for monitoring, alerting and reporting on network-based
events. Statistical analysis is employed on proxy data to
understand HTTP-based behavioral outliers.
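The statistical analysis of proxy data for HTTP behavioral outliers that Network Protection mentions (and that the HTTP anomaly dashboards on page 1 rely on), shown as an added example in plain Python; it is not the app's content or its SPL. Per client it aggregates bytes uploaded, distinct destinations and the share of requests with no User-Agent, then scores each feature with a robust z-score (median and median absolute deviation) so that the outlier itself cannot drag the baseline toward it. The proxy log lines, the field layout and the 3.5 threshold are constructed assumptions for the example.

```python
"""Added example (not Splunk SPL or app content): robust-z-score outlier detection
over web-proxy logs, per client. Log format, lines and threshold are constructed."""
import statistics
from collections import defaultdict

# Constructed proxy lines: time client user method host status bytes_in bytes_out user_agent
PROXY_LOG = """\
2014-03-03T09:00:01Z 10.1.4.22 jsmith GET www.example.com 200 5120 420 Mozilla/5.0
2014-03-03T09:00:05Z 10.1.4.22 jsmith GET cdn.example.com 200 30210 1390 Mozilla/5.0
2014-03-03T09:01:10Z 10.1.4.23 aliu GET www.example.com 200 4100 410 Mozilla/5.0
2014-03-03T09:01:30Z 10.1.4.23 aliu POST mail.example.com 200 800 2200 Mozilla/5.0
2014-03-03T09:02:00Z 10.1.4.24 bchen GET news.example.org 200 9800 400 Mozilla/5.0
2014-03-03T09:02:30Z 10.1.4.24 bchen GET news.example.org 200 7600 1205 Mozilla/5.0
2014-03-03T09:03:00Z 10.1.4.25 dkim GET www.example.com 200 5000 415 Mozilla/5.0
2014-03-03T09:03:20Z 10.1.4.25 dkim POST docs.example.com 200 12000 3030 Mozilla/5.0
2014-03-03T09:04:00Z 10.1.4.26 epark GET www.example.com 200 5100 418 Mozilla/5.0
2014-03-03T09:04:40Z 10.1.4.26 epark GET intranet.example.com 200 2200 980 Mozilla/5.0
2014-03-03T09:05:00Z 10.1.4.27 fgarcia GET www.example.com 200 5050 412 Mozilla/5.0
2014-03-03T09:05:30Z 10.1.4.27 fgarcia POST mail.example.com 200 900 1900 Mozilla/5.0
2014-03-03T09:06:00Z 10.1.4.40 svc_web POST 203.0.113.55 200 120 524288 -
2014-03-03T09:06:02Z 10.1.4.40 svc_web POST 203.0.113.56 200 118 519000 -
2014-03-03T09:06:04Z 10.1.4.40 svc_web POST 203.0.113.57 200 121 530000 -
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        t, client, user, method, host, status, b_in, b_out, ua = line.split(maxsplit=8)
        rows.append({"time": t, "client": client, "user": user, "method": method, "host": host,
                     "bytes_in": int(b_in), "bytes_out": int(b_out), "ua": ua})
    return rows

def per_client_features(rows):
    """Aggregate per client: bytes uploaded, distinct hosts, share of requests lacking a UA."""
    agg = defaultdict(lambda: {"bytes_out": 0, "hosts": set(), "reqs": 0, "no_ua": 0})
    for r in rows:
        a = agg[r["client"]]
        a["bytes_out"] += r["bytes_out"]
        a["hosts"].add(r["host"])
        a["reqs"] += 1
        a["no_ua"] += r["ua"] == "-"
    return {c: {"bytes_out": a["bytes_out"], "distinct_hosts": len(a["hosts"]),
                "no_ua_ratio": a["no_ua"] / a["reqs"]} for c, a in agg.items()}

def robust_z(values):
    """Median/MAD z-scores (1.4826 rescales MAD to a standard deviation for normal data).
    A zero MAD means most clients are identical; fall back to mean absolute deviation."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        mad = statistics.fmean([abs(v - med) for v in values])
    if mad == 0:
        return [0.0 for _ in values]
    return [(v - med) / (1.4826 * mad) for v in values]

def find_outliers(features, threshold=3.5):
    """Clients whose value on any feature sits more than `threshold` robust sigmas above the median."""
    clients = sorted(features)
    flagged = {}
    for feat in ("bytes_out", "distinct_hosts", "no_ua_ratio"):
        zs = robust_z([features[c][feat] for c in clients])
        for c, z in zip(clients, zs):
            if z > threshold:
                flagged.setdefault(c, []).append((feat, round(z, 1)))
    return flagged

if __name__ == "__main__":
    feats = per_client_features(parse(PROXY_LOG))
    for client, reasons in find_outliers(feats).items():
        print(client, feats[client], reasons)
```

With the constructed data only 10.1.4.40 is flagged, on bytes uploaded and on the missing User-Agent; its three distinct destinations are not unusual enough on their own. A plain mean and standard deviation would have been inflated by that client's own 1.5 MB of uploads, which is the reason for the median-based score.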

250 Brannan St., San Francisco, CA 94107

Figure 2. Enterprise Security 3.0 Asset Investigator

Free Download
Download Splunk for free. You'll get a Splunk Enterprise 6
license for 60 days and you can index up to 500 megabytes
of data per day. After 60 days, or anytime before then,
you can convert to a perpetual Free license or purchase an
Enterprise license by contacting sales@splunk.com.

info@splunk.com | sales@splunk.com

866-438-7758 | 415-848-8400

www.apps.splunk.com

www.splunk.com
© 2014 Splunk Inc. All rights reserved. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Hunk, Splunk Cloud, Splunk Storm and SPL are trademarks and
registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.

Item # FS-SPLUNK-AppEntSec-110
