Splunk stalks cyberattackers

The latest version of its App for Enterprise Security includes visualisation tools that should help users see what hackers are doing much faster


New visualisation tools have been added to Version 3.0, the latest release of Splunk’s App for Enterprise Security. The system is designed to give security professionals the tools they need to stalk cyberattackers, and the new visualisation tools let them detect threats in advance, significantly reducing the time to incident discovery and response.

The Splunk App for Enterprise Security also includes a new threat intelligence framework, support for new data types, and a data models and pivot interface.

“The Splunk App for Enterprise Security provides the flexibility and customization necessary for an incident responder, security professional or SOC to pull the information they need to the surface quickly”

Threat detection speed and accuracy can be deciding factors in whether an attack becomes a massive data breach or a success story for security teams. To know and understand attacks as they unfold, organisations must collect any data that may be relevant to the security of the business and its information management systems, and correlate it with business data that provides context for security events.

Combining App for Enterprise Security 3.0 with Splunk Enterprise 6 forms a security intelligence platform that can support advanced security analytics at scale for even the largest IT environments, in real time.

“The new Splunk App for Enterprise Security helps security professionals connect the dots to catch cyberattackers, watching their every step by enabling customers to monitor all data and see potentially malicious activity patterns,” said Steve Sommer, chief marketing officer, Splunk.

“The new visualisations enable both Splunk power users and newcomers to perform the complex actions needed to find and report on data anomalies and outliers. The threat intelligence framework delivers something security information and event management (SIEM) systems do not: all threat feeds in a single view with de-duplicated threat information. These new enhancements can create tremendous efficiencies for security teams whose number one goal is to identify and react to threats in as little time as possible.”

The Splunk App provides the flexibility and customisation necessary for an incident team or security professional to surface the information they need quickly. It allows them to identify threats through a simple point-and-click interface and rapidly create alerts. The goal is to help security professionals resolve incidents in as little time as possible, often also discovering the source of an intrusion along the way.

The new visualisations can help security professionals visually correlate data to identify anomalous behaviour, providing a starting point for security investigations. Once an unusual data pattern for a person, application or system is identified, the analyst is never more than three clicks away from the raw data and can create a notable event for investigation and analysis workflows.

Version 3.0 also adds a new Threat Intelligence Framework designed for working with threat intelligence feed subscription services. It organises and de-duplicates the feed data to make it more useful to security teams, rather than merely displaying it, as most SIEM products do.
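To make the de-duplication and correlation described in the two paragraphs above concrete, here is a small added example (written for this article, not Splunk's own framework or SPL): it merges two overlapping feeds that use different conventions, collapses duplicates into one indicator set, and raises a notable event for each log line that matches. The feed format, the key=value proxy log format and every indicator are constructed, not real.

```python
import re
from collections import defaultdict

# Constructed sample feeds (not real indicators): they overlap and differ in
# case, trailing dots and "[.]" defanging, as real subscription feeds do.
FEED_A = """# feed-a: type,indicator
domain,Bad-Example.test
domain,bad-example.test.
ip,198.51.100.7
"""
FEED_B = """# feed-b: type,indicator
domain,bad-example[.]test
ip,198.51.100.7
domain,other-example.test
"""
# Constructed proxy log lines in a hypothetical key=value format.
LOGS = ['src=10.0.0.5 dest=bad-example.test action=allowed',
        'src=10.0.0.9 dest=update.example.test action=allowed',
        'src=10.0.0.5 dest=198.51.100.7 action=allowed']

def normalise(value: str) -> str:
    """Canonical form so the same indicator from different feeds collapses."""
    v = value.strip().lower()
    v = v.replace('[.]', '.')            # undo common defanging
    return v.rstrip('.')                 # drop trailing FQDN dot

def load_feeds(feeds: dict) -> dict:
    """Merge feeds into {indicator: {sources}}; duplicates become one entry."""
    merged = defaultdict(set)
    for name, text in feeds.items():
        for line in text.splitlines():
            if not line or line.startswith('#'):
                continue
            _type, raw = line.split(',', 1)
            merged[normalise(raw)].add(name)
    return dict(merged)

def notable_events(logs, indicators: dict) -> list:
    """Correlate log lines against the merged indicators (the 'single view')."""
    hits = []
    for line in logs:
        m = re.search(r'\bdest=(\S+)', line)
        if m and (key := normalise(m.group(1))) in indicators:
            hits.append({'log': line, 'indicator': key,
                         'sources': sorted(indicators[key])})
    return hits

if __name__ == '__main__':
    intel = load_feeds({'feed-a': FEED_A, 'feed-b': FEED_B})
    for ev in notable_events(LOGS, intel):
        print(ev)
```

Each notable event carries the list of feeds that reported the indicator, so the analyst sees one entry per indicator rather than one per feed.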

A new Data Models and Pivot Interface allows anyone to create, save or export new, custom visualisations or reports without being an advanced Splunk user or knowing Splunk’s search processing language (SPL). Splunk already offers a large catalogue of visualisations as a starting point, and developers can create custom visualisations using the programming language of their choice.

Support for new data types and threat feeds allows users to make decisions quickly within the context of business activity: the app now handles traditional log data, flow data, packet capture data, industrial control system data, external threat intelligence feeds and other business data that may reside in databases.
