Splunk ES 8 SIEM of the Future


Splunk, now a Cisco company, recently released a major version of Splunk Enterprise Security, and it is a winner.  It took a while, but it is well worth it.

Splunk Enterprise Security 8 (ES8) brings a range of improvements designed to streamline analyst workflow and put more context on screen, along with some smooth integration coolness that gives a clean path from detection, to investigation, to decision and action.

But for me, one of the biggest draw cards is the addition of Cisco Talos Threat Intelligence.  Cisco Talos has one of the world’s largest teams of threat intelligence analysts (outside of government, because who knows what they have), and Cisco’s footprint of networking and security equipment gives Talos visibility into an enormous share of internet traffic.

Having the world’s best threat intelligence built into the platform, something you would normally have to purchase separately, is a massive reason to either upgrade, or invest in Splunk Enterprise Security 8.  It is a no-brainer for me.  We use it, and we have assessed many options.

Splunk Enterprise Security has already been the leader in SIEM for more years than I have fingers, but the additional features in ES 8 fill gaps that most SIEMs still have:

  • World-leading threat intelligence built in to detect malicious activity quickly
  • A deep library of pre-built, and constantly updated, security detections
  • Improved risk-based analysis and ‘rolled up’ detections (grouped into attack chains and mapped to MITRE ATT&CK) make it easier for an analyst to know which event to work on first, second and so on. Many other ‘SIEMs’ surface only each alert’s own severity, missing the related alerts or context that should raise or lower the importance of the event(s).
  • The ability to bring in security data and context data and overlay them with business criticality and context not only reduces false positives, it also allows accepted/expected business processes and activities to be excluded. These are huge time savers for an analyst.
  • The ability for an analyst to have all of the information they need on the one screen: the alert, the context, the intel, the status and any notes or comments
  • An analyst can make an immediate decision and take an immediate action
  • The close integration with Splunk SOAR means the analyst can run a playbook or action to remediate the event rapidly: block an IP or domain, disable a user account, quarantine a host, reset a token, or sweep the indicators across the enterprise.
  • A simple query language that lets analysts ask the questions they need and get answers quickly, along with the underlying raw events
  • The platform scales from as little as 1 GB/day to truly epic petabytes of data per day, all searchable rapidly
  • Of course it is the same Splunk that can receive data from virtually anything and anywhere
  • Additionally, with the magic of ‘schema on the fly’, you can ingest new data and have it enrich what you already have, including your historic data, without having to refactor. That is a massive benefit in time and flexibility and, for a security analyst, gold: you can add usable context that was not in the event or system initially (such as forensic data).
  • Lastly, for me, the time saved not doing the ‘tick and flick’ of useless alerts allows for true analyst work: threat hunting, both taking an indicator or supposition and searching for its occurrence, and picking at loose strings and outlier events/activities to uncover potentially new or undetected threats/attacks.
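
To make the risk-based roll-up, threat-intel enrichment and business-context exclusion described in the bullets above concrete, here is a small added model of that logic. It is illustration code written for this post, not Splunk or ES 8 code, and it does not use Splunk field names or APIs; the detections, indicator list, allowlist, entity priorities and thresholds are all constructed, hypothetical sample data.

```python
"""
Added illustration (not Splunk code) of risk-based alerting:
 - each detection contributes a risk score to an entity (user or host)
 - allowlisted business activity is suppressed rather than scored
 - a threat-intel hit on the source IP adds a bonus
 - asset/identity priority scales the score
 - only entities whose rolled-up risk crosses a threshold across
   several distinct detections become a finding for the analyst
All sample data below is constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed detection output: what individual correlation searches would emit.
DETECTIONS = [
    {"entity": "jsmith", "search": "Brute force login", "risk": 20,
     "technique": "T1110", "src_ip": "203.0.113.10"},
    {"entity": "jsmith", "search": "New MFA device registered", "risk": 15,
     "technique": "T1556", "src_ip": "203.0.113.10"},
    {"entity": "jsmith", "search": "Mailbox forwarding rule created", "risk": 30,
     "technique": "T1114.003", "src_ip": "203.0.113.10"},
    {"entity": "svc_backup", "search": "Large outbound transfer", "risk": 40,
     "technique": "T1048", "src_ip": "10.0.0.5"},
    {"entity": "svc_backup", "search": "Off-hours logon", "risk": 10,
     "technique": "T1078", "src_ip": "10.0.0.5"},
    {"entity": "bjones", "search": "Off-hours logon", "risk": 10,
     "technique": "T1078", "src_ip": "198.51.100.7"},
]

# Constructed threat-intel indicators (stands in for a feed such as Talos).
INTEL_IPS = {"203.0.113.10": "known credential-phishing infrastructure"}

# Constructed business context: (entity, search name) -> why it is expected.
ALLOWLIST = {("svc_backup", "Large outbound transfer"): "nightly offsite backup job"}

# Constructed asset/identity context: multiplier for high-value entities.
ENTITY_PRIORITY = {"jsmith": 1.5}

RISK_THRESHOLD = 60   # rolled-up risk needed before an analyst sees it
MIN_DISTINCT = 2      # require corroboration from more than one detection
INTEL_BONUS = 25      # added per detection whose source IP is in intel


@dataclass
class RolledUp:
    entity: str
    total_risk: float = 0.0
    techniques: set = field(default_factory=set)
    searches: set = field(default_factory=set)
    intel_hits: set = field(default_factory=set)
    suppressed: list = field(default_factory=list)


def roll_up(detections, intel=INTEL_IPS, allowlist=ALLOWLIST,
            priority=ENTITY_PRIORITY):
    """Aggregate per-entity risk, applying allowlist, intel and priority."""
    per_entity = {}
    for d in detections:
        r = per_entity.setdefault(d["entity"], RolledUp(d["entity"]))
        key = (d["entity"], d["search"])
        if key in allowlist:
            # Expected business activity: record it for the analyst, no score.
            r.suppressed.append(f'{d["search"]}: {allowlist[key]}')
            continue
        score = d["risk"] * priority.get(d["entity"], 1.0)
        if d["src_ip"] in intel:
            score += INTEL_BONUS
            r.intel_hits.add(f'{d["src_ip"]}: {intel[d["src_ip"]]}')
        r.total_risk += score
        r.techniques.add(d["technique"])
        r.searches.add(d["search"])
    return per_entity


def findings(detections, threshold=RISK_THRESHOLD, min_distinct=MIN_DISTINCT):
    """Entities that cross the threshold with corroborating detections,
    ordered so the analyst knows what to work on first."""
    rolled = roll_up(detections)
    hits = [r for r in rolled.values()
            if r.total_risk >= threshold and len(r.searches) >= min_distinct]
    return sorted(hits, key=lambda r: r.total_risk, reverse=True)


if __name__ == "__main__":
    for f in findings(DETECTIONS):
        print(f"{f.entity}: risk={f.total_risk:.1f} "
              f"techniques={sorted(f.techniques)} intel={sorted(f.intel_hits)}")
    for r in roll_up(DETECTIONS).values():
        for s in r.suppressed:
            print(f"suppressed for {r.entity}: {s}")
```

Run as-is, only jsmith becomes a finding: three low-severity detections from one intel-listed IP, on a high-priority account, roll up to a score well past the threshold, while the backup account’s large transfer is suppressed as known business activity and a lone off-hours logon never reaches the queue.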

I have probably left out many features and functions, as I have only called out what I really care about. Apologies Splunk, please forgive me. If you want to know more about exactly what is included, you can always check out Splunk’s official words:  https://www.splunk.com/en_us/blog/conf-splunklive/introducin...

Of course, as with anything, Splunk is only an application.  Without the expertise to implement it properly, it will just sit there.  Maybe you will get some alerts in and have them in one place. Maybe you will add some additional data that is messy, inconsistent and all over the place, basically almost unusable. This is the most common scenario we see.

If you really want to see your Splunk ES8 investment shine, return real value, and have security analysts that not only smile, but want to stay with your organisation, then you need Small Robot to implement and develop your Splunk ES8.

The team at Small Robot have extensive Splunk, analytics and security experience, and we use Splunk ES 8 and Splunk SOAR ourselves.  So do yourself and your team a favour and take advantage of our knowledge, experience and prior learnings by reaching out to us to help upgrade, implement or make the most of your Splunk, Splunk Enterprise Security and Splunk SOAR.

Small Robot are a boutique cyber security company who focus on what matters in security.  Our focus is improved security and outcomes for our clients: we have your best interests at heart and we work hard and fast to achieve real security, real quick. Being flexible and easy to engage and work with underpins our engagement model, so we can provide what you need. Unlike others, we can do long or short engagements (even as little as a day). Although we can do T&M, we prefer outcome-based engagements, so you pay only for the outcome and the risk sits with us. We back ourselves in this because we know what we are doing and work hard to not only meet, but exceed, expectations.

Why not give us a try :)