IT security strategies used to focus on blocking viruses, spyware and similar threats. While threat prevention is still important, it is ineffective against advanced persistent threats (APTs) that use multiple steps across multiple attack vectors to find and exploit vulnerabilities. Security experts say that an analytics-driven approach is the only way to combat APTs.
This stark reality has brought dramatic growth to the security information and event management (SIEM) market. According to Gartner, SIEM technology “supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It also supports compliance reporting and incident investigation through analysis of historical data from these sources.” It integrates security information management (SIM) and security event management (SEM) into a single, holistic system for security management.
In a nutshell, SIEM collects and reviews security-related data from across the organization, and looks for unusual trends and patterns that may signal a security issue. Data is collected from user devices, servers, network hardware and security systems and forwarded to a central console for inspection and correlation. However, a 2015 study by Enterprise Strategy Group (ESG) found that many organizations use SIEM primarily for regulatory compliance and monitoring due to the inflexibility of legacy SIEM tools.
Common Limitations of SIEM Tools
In a May 2015 report, ESG Principal Analyst Jon Oltsik explained the four key limitations of many SIEM tools when it comes to threat investigation and analysis:
- Events collected from security device log files are correlated using predefined schemas. While this is effective for identifying which alerts require attention, it is less useful for investigating APTs.
- SIEMs use relational databases that restrict the amount and type of data that can be collected. This limits the analyses that can be performed and creates significant management overhead.
- Legacy SIEM tools cannot analyze the context of an event without customization, impeding IT’s ability to quickly detect incidents.
- Customizing SIEM tools with additional data sources, rules, reports and dashboards requires significant time, resources and cost.
Splunk as the Solution
Splunk is different. Splunk can consolidate any machine data, including structured, unstructured and complex application logs, making it possible to rapidly search and correlate security events and drill down and pivot across data. In addition to traditional monitoring, reporting and alert functions, Splunk provides true analytics technology, enabling security pros to trace and link the events associated with APTs by spotting relationships across any available data sets. Users can also quickly create custom correlations and alerts in order to identify compromised hosts and successful attacks.
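To make the collect-normalize-correlate loop described above concrete (the central-console collection from the SIEM overview and the custom multi-step correlations mentioned here), the following is an added illustration, not code from this page, from Splunk or from Technologent. It assumes a constructed key=value log format and hypothetical hosts, users and addresses; the rule logic (repeated authentication failures, then a success, then unusual outbound traffic or an endpoint alert on the same host within a window) is a simplified stand-in for what a SIEM correlation search would express.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sources (auth, firewall,
# endpoint). Not real product output; the format is invented for this example.
SAMPLE_LOGS = """
2015-05-04T10:00:01 auth host=ws-17 user=alice outcome=failure
2015-05-04T10:00:09 auth host=ws-17 user=alice outcome=failure
2015-05-04T10:00:20 auth host=ws-17 user=alice outcome=failure
2015-05-04T10:00:41 auth host=ws-17 user=alice outcome=success
2015-05-04T10:03:00 auth host=ws-22 user=bob outcome=failure
2015-05-04T10:03:15 auth host=ws-22 user=bob outcome=success
2015-05-04T10:04:30 firewall host=ws-22 dst=198.51.100.10 dport=443 action=allow
2015-05-04T10:05:12 firewall host=ws-17 dst=203.0.113.5 dport=4444 action=allow
2015-05-04T10:06:00 endpoint host=ws-17 event=suspicious_process
2015-05-04T10:30:00 firewall host=ws-22 dst=203.0.113.5 dport=4444 action=allow
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Normalize one raw line into a common schema: ts, source, plus its fields."""
    ts_str, source, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts_str), "source": source}
    event.update(dict(KV_RE.findall(rest)))
    return event


def collect(lines):
    """Central-console step: parse every line from every source, order by time."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=15), fail_threshold=3):
    """Multi-stage rule, evaluated per host, across all three sources.

    Stage 1: at least `fail_threshold` auth failures followed by a success
             within `window`.
    Stage 2: within `window` after that success, an allowed outbound
             connection on a port other than 80/443, or any endpoint event.
    A host is flagged only when both stages match; each stage alone is noise.
    Returns {host: [human-readable reasons]}.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = {}
    for host, evs in by_host.items():
        failures = []  # timestamps of recent auth failures on this host
        for i, e in enumerate(evs):
            if e["source"] != "auth":
                continue
            if e.get("outcome") == "failure":
                failures.append(e["ts"])
                continue
            # An auth success: check whether enough failures preceded it.
            recent = [t for t in failures if e["ts"] - t <= window]
            failures = []
            if len(recent) < fail_threshold:
                continue
            reasons = [f"{len(recent)} failed logins then success for {e.get('user')}"]
            for later in evs[i + 1:]:  # evs is time-ordered, so stop past the window
                if later["ts"] - e["ts"] > window:
                    break
                if (later["source"] == "firewall" and later.get("action") == "allow"
                        and later.get("dport") not in ("80", "443")):
                    reasons.append(f"outbound to {later['dst']}:{later['dport']}")
                elif later["source"] == "endpoint":
                    reasons.append(f"endpoint event {later.get('event')}")
            if len(reasons) > 1:  # stage 2 produced corroborating evidence
                alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, reasons in correlate(collect(SAMPLE_LOGS)).items():
        print(host, "->", "; ".join(reasons))
```

Run as a script, it flags only ws-17: the brute-force-then-success pattern is corroborated by the non-standard outbound connection and the endpoint event. ws-22 has a single failure before its login and, later, the same unusual outbound connection, but neither fact alone satisfies the rule, which is the point of correlating across sources rather than alerting on each log in isolation.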
The Splunk App for Enterprise Security is a next-generation SIEM platform that features a broad library of correlations, analytics, dashboards and reports. Named a leader in Gartner’s 2015 Magic Quadrant for SIEM for the third straight year, Splunk helps organizations improve detection of, response to and recovery from APTs by providing broad security intelligence from data collected across IT, the business and the cloud.
As a Splunk Partner, Technologent has helped organizations utilize Splunk to speed the detection and prevention of today’s advanced security threats. Let us show you how your organization can benefit from a more sophisticated security strategy using the analytics capabilities of Splunk.