Splunk is well known for analyzing data in large volumes, either within a local Splunk installation or within Splunk Storm, their cloud service. However, there has been a general lack of security-related capability within both of these tools. Yes, they can correlate some security data, but it requires a fair amount of hands-on work to make that happen. This has changed with the introduction of Splunk App for Enterprise Security v2.4. It now has some very powerful out-of-the-box analysis for enterprise security, and one that could address a growing issue outlined in the latest Verizon Breach Report: the time it takes to determine that a breach actually happened.
Splunk App for Enterprise Security examines the vast amount of data it gathers, looking for statistical differences between what is considered the norm and what is considered different. This is the same approach they take for application performance management (APM). Once you understand what is normal, you can determine anomalous behavior and from there drill down to decide whether the problem is really a security issue or a predictable change to the environment (such as when a new release of a product occurs).
Looking at anomalous behavior is one way to find unknown-unknowns as well as known security issues. For individual applications, using APM for security is a powerful tool, and one which Splunk has taken to the next level by using different approaches to APM and anomalous-activity detection. APM is generally tied to an application programming language, whereas Splunk looks at data fed to it from network and log file sources. These sources provide a very large amount of data even for a small environment; for a larger environment this data can grow to terabytes a day. Going through it requires a big data engine, as we are looking not only at the quantity of data, but at the velocity at which the data arrives and the speed at which we get an answer.
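As an added illustration of the "learn the norm, then flag the different" approach described above (example code, not part of the original post or of Splunk's product), the following script buckets constructed failed-login log lines by hour, learns a mean and spread from the days before a cutoff, and reports later hours that sit well above that norm. The log format, host names and addresses are assumptions made for the example.

```python
# Added illustration of the baseline-then-deviation approach: learn what is
# normal from history, then flag hours that deviate sharply from it.
import re
import statistics
from collections import Counter

# Constructed sample log lines (not real data): one failed login per line.
SAMPLE_LOGS = """\
2013-05-01T09:12:01 host=web01 action=failure user=alice src=10.0.0.5
2013-05-01T09:40:13 host=web01 action=failure user=bob src=10.0.0.9
2013-05-01T10:05:44 host=web01 action=failure user=carol src=10.0.0.7
2013-05-02T09:11:08 host=web01 action=failure user=bob src=10.0.0.9
2013-05-02T10:22:40 host=web01 action=failure user=dave src=10.0.0.8
2013-05-02T10:59:31 host=web01 action=failure user=alice src=10.0.0.5
2013-05-03T09:00:01 host=web01 action=failure user=admin src=198.51.100.7
2013-05-03T09:00:02 host=web01 action=failure user=admin src=198.51.100.7
2013-05-03T09:00:03 host=web01 action=failure user=admin src=198.51.100.7
2013-05-03T09:00:04 host=web01 action=failure user=admin src=198.51.100.7
2013-05-03T09:00:05 host=web01 action=failure user=admin src=198.51.100.7
2013-05-03T10:30:00 host=web01 action=failure user=bob src=10.0.0.9
""".splitlines()
LINE_RE = re.compile(r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} .*action=failure")

def hourly_counts(lines):
    """Bucket failed-login events by calendar hour, e.g. '2013-05-03T09'."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("hour")] += 1
    return counts

def learn_baseline(counts, cutoff_day):
    """Mean and spread of hourly counts before cutoff_day (ISO date). Only hours
    that saw events are used; a real deployment fills quiet hours with zeros."""
    history = [n for hour, n in counts.items() if hour[:10] < cutoff_day]
    # A flat history has zero spread, which would make every deviation infinite.
    return statistics.mean(history), max(statistics.pstdev(history), 1.0)

def find_anomalies(counts, cutoff_day, threshold=3.0):
    """Hours on or after cutoff_day more than `threshold` standard deviations
    above the norm, as (hour, count, z). Each hit is a lead to drill into."""
    mean, stdev = learn_baseline(counts, cutoff_day)
    flagged = []
    for hour, n in sorted(counts.items()):
        z = (n - mean) / stdev
        if hour[:10] >= cutoff_day and z > threshold:
            flagged.append((hour, n, round(z, 2)))
    return flagged
```

On the constructed sample, `find_anomalies(hourly_counts(SAMPLE_LOGS), "2013-05-03")` flags only the 09:00 hour on 3 May, which an analyst would then drill into to decide between an attack and a predictable change.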
We need to know whether a breach has occurred in far less time than it takes us now. By combining APM with traditional log and network analysis, Splunk App for Enterprise Security gives us a framework for asking even more questions of the data and getting those answers even faster. The time it takes to realize that a hack or breach has occurred is time the attacker has to infiltrate further and gain access to even more data.
This is time we can ill afford to give an attacker: we need to know that an attack is occurring now, not some time in the recent or distant past, which is a common issue outlined in the Verizon Breach Report. Splunk App for Enterprise Security is a step in the right direction.