2008 Best Deployment Scenario

Splunk, IT Search Engine



If your organization is like most, you have deployed a wide variety of security technologies: multiple intrusion detection systems for "defense in depth," firewalls, web proxies, access control systems, and more. All of this technology generates a huge amount of data, which is both a blessing and a curse. Splunk lets you search, alert and report in real time on any user, network, system or application activity, configuration changes, and other IT data from one place.

Info Security Products Guide

Tomorrow's Technology Today - Large Enterprise Security Solution


Splunk’s IT Search is a comprehensive solution for large enterprise security across four primary security areas: Network Security, Data Security, Fraud and Insider Threats.

Outdated network security technologies offer slow and inefficient response to intrusions. Network security teams use IDS consoles or security information management tools to identify and prioritize alerts, but responding to a suspected intrusion is still a highly manual process. Determining whether an attacker actually compromised a server or application, and finding the time bombs, backdoors, information theft, rogue processes and other traces they may have left, requires far more data than raising the initial alert does. Analysts spend hours logged into different servers collecting logs and configurations and enumerating running processes. For investigations that may lead to HR, civil or criminal action, setting up a central evidence repository and documenting chain of custody is a burden. Security information management tools are too inflexible and hard to maintain even for their core task of alerting and reporting on intrusions.

Splunk supports immediate assessment and containment. It indexes the data generated by security systems, network devices, servers and applications in real time. Configuration changes, the configurations themselves, log files, network syslog and Windows event logs can all be captured as they occur and forwarded to a central index, where data signing and an audit trail support chain of custody. Analysts search across this data using a web-based interface and a freeform search language. Searches can be saved and turned into alerts to extend monitoring coverage; alerts can send email or SMS, publish RSS feeds, or trigger scripts that integrate with existing security consoles.

Outdated information silos mask suspect data flows. Information security's first priority is protecting intellectual property, customer information and other sensitive data. Enterprises deploy a wide range of technologies, from content monitoring and filtering to data-at-rest encryption, client security suites and network access control, to address different risk scenarios. Business realities, however, force many of these controls to be deployed in monitor mode rather than blocking suspicious flows outright. The result is more data for already inundated security teams to analyze when a leak is suspected. Rigid security event management tools lack support for new data formats, and the sheer volume of data about every information flow in the organization overwhelms them.

With Splunk, universal search pinpoints leaks quickly. Splunk indexes all data regardless of format, including content-monitoring output, firewall activity, and logs from email, IM, web proxies and client security software, any of which may be needed to understand a data leakage scenario. It scales linearly to terabytes of data per day in a single deployment, and it can index call detail records and physical security badge access logs as readily as server logs. Analysts search and navigate data in real time through an interactive interface that lets them follow the winding path of a leak. The search language and transaction search capability let complex suspicious patterns be expressed in a single search, which can then be scheduled to generate proactive alerts. This makes Splunk a versatile monitoring tool for any kind of data leakage risk.

Outdated, inflexible tools block fraud detection. Phishers and scammers continuously find new ways to compromise customer accounts and exploit loopholes in transaction design. Every service and application has its own potential fraud scenarios, and these diverse, evolving threats defeat narrow monitoring and analysis tools.

Splunk's IT Search lets you discover fraud patterns. Search across all web access and transaction logs in real time; interactive results, histograms and charts let you navigate and visualize the data to discover suspicious transaction patterns you did not anticipate. Once a fraud scenario has been identified, you can build a search that finds instances of it and schedule that search to alert you in the future. Splunk's audit trail and data signing features help preserve chain of custody should you need to prosecute or take civil action against perpetrators.

From an insider threat perspective, outdated technologies offer nothing more than reactive, cumbersome manual analysis. Malicious insiders are behind some of the most damaging security incidents, including logic bombs, data theft that circumvents application controls, and malicious scripts. Detecting and investigating insider threats requires analysts to inspect every kind of IT data, from configuration files and scripts on every host to logs from every tier of the infrastructure. Application, database and filesystem auditing are just the start; badge systems and physical security logs also come into play. Conventional monitoring tools do not cover many of the data sources where insiders leave a trail.

IT Search powers insider threat detection. Splunk indexes all of your IT data regardless of format or location, so you can search across every place a malicious insider may have passed through to steal information or plant something dangerous. Instantly retrieve every access for a specific badge, every administrative logon, every access to a given file, every new script or configuration change, all from one place. Turn these searches into alerts to be notified proactively of suspicious activity, or assemble a dashboard of routine activity that warrants regular review. Splunk makes it possible to watch the watchers.
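The sections above describe three things in the abstract: indexing logs of different formats into one place, signing the indexed data so an audit trail holds up as evidence, and turning a correlation search into a scheduled alert. The Python below is an added example written for this page, not Splunk code and not part of the original article. It normalizes three constructed log formats (a badge-reader record, an sshd accepted-logon line and a Windows Security event 4624) into one schema, chains an HMAC tag across the indexed events so that editing, deleting or reordering any event invalidates every later tag, and then runs a saved search for administrative logons by users who have no granted badge entry that day. The log lines, hostnames, signing key, and the rule that every sshd logon on these servers counts as administrative are assumptions made for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: in a real deployment the signing key lives in an HSM/KMS, not in source.
SIGNING_KEY = b"example-index-signing-key"

# Constructed sample input (not real logs): one day of mixed-format events, in arrival order.
RAW_LINES = [
    "Mar  3 08:02:11 hq-badge-01 badge: E4412,jsmith,LOBBY-NORTH,GRANTED",
    "Mar  3 08:15:42 db-prod-01 sshd[2211]: Accepted publickey for jsmith from 10.1.20.15 port 51022 ssh2",
    "Mar  3 09:01:05 fs-01 EventID=4624 Account=CORP\\mlee LogonType=10 SrcIP=10.1.20.77",
    "Mar  3 09:44:19 app-02 sshd[3010]: Accepted password for mlee from 10.1.20.15 port 40011 ssh2",
    "Mar  3 12:30:00 hq-badge-01 badge: E9931,rkhan,LOBBY-SOUTH,DENIED",
    "Mar  3 13:05:51 fs-01 EventID=4624 Account=CORP\\rkhan LogonType=10 SrcIP=10.1.20.90",
]

# Every source here arrives via syslog, so each line starts with timestamp and host.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
PARSERS = [
    ("badge", re.compile(SYSLOG_PREFIX + r"badge: (?P<badge>\w+),(?P<user>\w+),(?P<door>[\w-]+),(?P<result>\w+)$")),
    ("sshd", re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\w+) from (?P<src>[\d.]+)")),
    ("wineventlog", re.compile(SYSLOG_PREFIX + r"EventID=(?P<eid>\d+) Account=(?:\w+\\)?(?P<user>\w+) "
                                               r"LogonType=(?P<ltype>\d+) SrcIP=(?P<src>[\d.]+)")),
]


def parse_event(line):
    """Normalise one raw line into the common schema, or return None if no parser matches."""
    for sourcetype, rx in PARSERS:
        m = rx.match(line)
        if not m:
            continue
        ev = {"sourcetype": sourcetype, "ts": m["ts"], "host": m["host"], "user": m["user"]}
        if sourcetype == "badge":
            ev["action"] = "badge_" + m["result"].lower()
        elif sourcetype == "sshd":
            # Assumption for this example: any accepted sshd logon on these servers is administrative.
            ev["action"] = "admin_logon"
            ev["src"] = m["src"]
        else:
            # Event 4624 with LogonType 10 (RemoteInteractive) is an RDP-style interactive logon.
            ev["action"] = "admin_logon" if (m["eid"], m["ltype"]) == ("4624", "10") else "other"
            ev["src"] = m["src"]
        return ev
    return None


def canonical(ev):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return "|".join(f"{k}={ev[k]}" for k in sorted(ev))


def build_index(lines):
    """Index events in arrival order; each HMAC tag covers the previous tag as well as the
    event, so deleting, reordering or editing an event invalidates every later tag."""
    events, prev = [], b""
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # a real indexer would keep unparsed lines as raw events; dropped here for brevity
        tag = hmac.new(SIGNING_KEY, prev + canonical(ev).encode(), hashlib.sha256).hexdigest()
        events.append(dict(ev, sig=tag))
        prev = tag.encode()
    return events


def verify_index(events):
    """Recompute the chain; False if any event was altered, removed or reordered."""
    prev = b""
    for ev in events:
        body = {k: v for k, v in ev.items() if k != "sig"}
        expect = hmac.new(SIGNING_KEY, prev + canonical(body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, ev["sig"]):
            return False
        prev = ev["sig"].encode()
    return True


def unbadged_admin_logons(events):
    """Saved search: administrative logons by users with no granted badge entry on that date.
    Returns (user, host, ts) tuples that an alert action (email, SMS, script) would consume."""
    badged = defaultdict(set)  # date string -> users who badged in that day
    for ev in events:
        if ev["action"] == "badge_granted":
            badged[ev["ts"][:6]].add(ev["user"])
    return [(ev["user"], ev["host"], ev["ts"]) for ev in events
            if ev["action"] == "admin_logon" and ev["user"] not in badged[ev["ts"][:6]]]


if __name__ == "__main__":
    index = build_index(RAW_LINES)
    print("index intact:", verify_index(index))
    for hit in unbadged_admin_logons(index):
        print("ALERT unbadged admin logon:", hit)
```

Running it flags mlee twice (an RDP logon to fs-01 and an ssh logon to app-02 with no badge entry) and rkhan once, whose badge was denied before the logon; jsmith, who badged in first, produces nothing. Deleting or editing any indexed event makes `verify_index` return False, which is the property the page's "data signing and audit trail" language is getting at.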

Conclusion: Splunk gives end users fast, in-depth incident response that lowers exposure and risk. It accelerates incident response, helps identify unanticipated threats before exposure occurs, lets teams continuously observe the changing threat landscape, reduces false positives, and makes your people smarter and more effective.

Splunk, Inc.
118 King Street, 5th Floor
San Francisco, CA 94107
Tel: +1-415-848-8400