Information security has always entailed multiple controls on a variety of devices, applications and data, but it is becoming increasingly difficult to counter advanced threats without a comprehensive view of security events. The term big data is commonly used to describe data that is generated in high volumes, from a variety of devices and in real or near real time. This definition also describes what infosec professionals face on a typical day. Splunk, which is well known for its ability to collect and ingest log and other data, is an example of a platform that is applying itself to the infosec realm of big data security analytics.
Splunk Enterprise Security (ES) is a security platform designed to improve utilization and analysis of existing security-related data through the use of big data security analytics -- the platform also has traditional SIEM capabilities and features, which can be found here. It is meant to provide security professionals and decision-makers with the tools to properly analyze threats, not necessarily deal with them, however. As such, some of Splunk ES's features are designed with compatibility with other services in mind. The product can be integrated with public, private and hybrid cloud deployments, as well as software as a service-based environments.
Widgets and dashboards
Splunk ES's functionality centers on a customizable selection of widgets and dashboards, which can be created with specific user responsibilities in mind. And can be customized with an existing library of Splunk security widgets. Splunk ES also comes with prebuilt dashboards for statistical analysis of event data. Using the widget library and custom dashboards, security professionals and investigators have a number of options for how to view collected data.
Splunk ES allows users to find and categorize data based on location and data type. This includes data stored in active directories, spreadsheets, asset databases and CSV files. Any outside data source can be indexed in Splunk ES without the need for third-party or in-house connectors. Additionally, all indexed data is available for customizable, ad hoc searches. Data points can also be pivoted on when looking at security reports, showing correlations between event factors.
Like most security monitoring products, Splunk ES features alert management capabilities. This alert management includes the ability to assign a risk value to each event and assign events to specific users for investigation. Splunk ES is also integrated with a Threat Intelligence Framework, which aggregates public security threat information from a variety of sources, including government authorities, open source databases and other organizations.
Splunk ES also integrates with the Splunk User Behavior Analytics (UBA) platform. Splunk UBA is used to detect anomalous behavior from both inside and outside sources. Data gathered from UBA can be treated just as any other data source, and certain events or behaviors can be associated with alerts and can be applied to correlation searches when investigating a threat or past event.
Although Splunk Enterprise Security is designed with customization in mind, the product provides a number of out-of-the-box threat detection settings, including premade data swim lanes that can be used immediately to look at authentication issues, IDS and malware attacks, and user or endpoint anomalies.
Pricing and deployment
The Splunk Enterprise Security platform can be deployed on premises or in the cloud. Pricing is based on volume and license lifetime, either per year or perpetual. A gigabyte daily index volume with annual term license is $1,800 per GB; a perpetual license for GB daily index volume is $4,500 per GB. Per GB prices decrease with higher volumes. At 100 GB/day index volume, the annual license is $600 per GB while the perpetual license at the volume is $1,500 per GB. Splunk Cloud annual pricing ranges from $8,100 to $24,000 for 5 GB/day to 20 GB/day of indexing volume; custom quotes are available for larger volumes.
Information security is now and will be -- for the foreseeable future -- dependent on big data analytics techniques to address the array of threats businesses face. Splunk ES is well suited for large and midsize enterprises with large volumes of security data. Splunk Cloud, meanwhile, may be a better option for organizations that do not have the resources to maintain a Splunk ES deployment on premises.