Top 5 Splunk-Based Apps Used in the Federal Government
Splunk Has Over 1,000 Apps and Add-ons—What Brings the Greatest Value in the Federal Space?
The Role of Splunk in the Public Sector
Splunk is a major contributor to the success of federal agency initiatives and brings great benefit to public sector CIOs and CISOs. Splunk delivers an Operational Intelligence platform that turns machine data into efficient, well-founded decisions, supporting strong, optimized, and more secure IT operations. Further, it’s the only software company that provides an extensible analytics platform for machine data that can scale massively and yield enterprise-wide visibility from a central location.
Splunk has proven to be such an effective tool that all three branches of government, all four branches of the U.S. Military, and all 15 cabinet-level departments have deployed it. Here’s what they’re getting from it:
- Extremely fast time to value; benefits can be gained within hours or days rather than weeks or months.
- The flexible data platform accommodates for a multitude of use cases from data collected once.
- Splunk Enterprise has been granted the Common Criteria certification (VID #10807) by the National Information Assurance Partnership (NIAP).
Before we get into the apps we see used most frequently in the federal space, it’s important to note that there are two different types of apps in the Splunk store. Regular apps include prebuilt dashboards, visualizations, and other packaged features. There are also add-ons, or TAs (technical add-ons), which include no visualizations but either bring data into Splunk or normalize it.
Top 5 Splunk-based Apps Used by Federal Agencies
August Schell specializes in partnering with enterprises and government organizations to deliver Splunk for IT Operations while addressing the unique needs of security teams. With a team of Splunk engineers that have extensive expertise, we work with Splunk regularly and have assisted with many implementations spanning an array of applications. Here are the ones we see being used most frequently:
The Splunk App for Windows Infrastructure provides examples of pre-built:
- Data inputs
- Searches
- Reports
- Dashboards for Windows server and desktop management
You can monitor, manage, and troubleshoot Windows operating systems, including Active Directory elements, all from one place. Inputs for performance metrics, user and audit data, and event logs are included, which makes the beginning stages of deploying Splunk easy. The app also includes the dashboards necessary for monitoring your Active Directory environment, and allows for correlation from Active Directory data back to the Operating System.
A few additional add-on apps you’ll want:
- Splunk Add-on for Active Directory
- Splunk Add-on for DNS
- Splunk Support Add-on for Active Directory
Splunk Security Essentials is a free app that detects insiders and advanced attackers in your environment. Using Splunk Enterprise and the Search Processing Language (SPL), the app showcases over 55 anomaly-detection use cases tied to user and entity behavior analytics (UEBA). Every use case includes actionable searches and sample data that can be put to use in your environment immediately.
The use cases apply analytics so that analysts can detect unusual activity: spikes in volume, first-seen behavior, file name changes used as a detection-evasion tactic, and so on. Every use case includes:
- Expected alert volume
- Explanation of how search works
- Description of security impact
- Ability to save searches directly from the app
- Hooks to enable alert actions you’ve installed, such as creating a Notable Event or Risk Indicator in ES, raising an External Alarm in UBA, or sending a review email
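As an added illustration, not code from the page, the app, or August Schell, here are two SPL searches of the kind the Security Essentials use cases package: a first-seen detection (a user logging on to a host for the first time in a 30-day baseline) and a spike detection (an hourly burst of failed logons from one source, flagged at three standard deviations above that source's own average). The index name `wineventlog`, the baseline windows, the thresholds, and the CIM field names `user`, `dest`, and `src` (as extracted by the Splunk Add-on for Windows) are assumptions.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 earliest=-30d@d
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY user, dest
| where first_seen >= relative_time(now(), "-1d@d")
| convert ctime(first_seen) ctime(last_seen)
| sort - count

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-7d@h
| bin _time span=1h
| stats count AS failures BY _time, src
| eventstats avg(failures) AS baseline_avg stdev(failures) AS baseline_sd BY src
| where failures > baseline_avg + 3 * baseline_sd AND failures > 20
| eval baseline_avg=round(baseline_avg,1), baseline_sd=round(baseline_sd,1)
| convert ctime(_time)
| sort - failures
```

These are two separate searches, run independently; the 3-sigma threshold and the floor of 20 failures per hour are starting points to tune against the expected alert volume before saving either search as an alert.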
Splunk Enterprise Security (ES), a paid premium application, is a SIEM that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. Splunk ES enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimizing risk and safeguarding your business. Splunk ES streamlines all security operations and works for businesses of all sizes.
Splunk ES can be deployed for:
- Continuous real-time monitoring
- Rapid incident response
- A security operations center (SOC)
- Executive views of business risk
Splunk IT Service Intelligence, also a paid premium app, is a next-generation monitoring and analytics solution that uses machine learning and event analytics to simplify operations, prioritize problem resolution, and align IT with business objectives.
Splunk IT Service Intelligence enables the following capabilities:
- Provides a central, unified view of critical IT services for powerful, data-driven monitoring
- Maps critical services with KPIs to easily pinpoint what matters most
- Uses artificial intelligence and machine learning to detect patterns, dynamically adapt thresholds, highlight anomalies and pinpoint areas of impact
- Provides business and service context to prioritize incident investigation and triage
- Supports drill downs to rapidly troubleshoot outages and service degradations and fix what’s broken
Splunk DB Connect is an excellent solution for working with databases from Splunk. It can help quickly integrate structured data sources with your Splunk real-time machine data collection. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, and Teradata.
Splunk DB Connect also includes some unique capabilities for extending your analysis of databases.
- Inputs can be used to import structured data for powerful indexing, analysis, and visualization.
- Outputs can be used to export machine data insights to a legacy database to increase your organizational insight.
- Lookups add meaningful information to event data by referencing fields in an external database.
- Query commands can help build live dashboards mixing structured and unstructured data.
Mastering Splunk With August Schell
August Schell works with federal agencies to implement and optimize the use of Splunk regularly. If your security team needs insight on how to make the most out of Splunk, or are evaluating a future implementation, get in touch with an August Schell specialist, or call us at (301)-838-9470.