The Role of Splunk in the Public Sector
Splunk is a major contributor to the success of federal agency initiatives and brings real benefit to public sector CIOs and CISOs. Splunk delivers an Operational Intelligence platform that turns machine data into timely, well-founded decisions, supporting stronger, more efficient, and more secure IT operations. It also provides an extensible analytics platform for machine data that scales massively and brings enterprise-wide visibility into a single, central location.
Splunk has proven to be such an effective tool that all three branches of government, all four branches of the U.S. Military, and all 15 cabinet-level departments have deployed it. Here’s what they’re getting from it:
Before we get into the apps we see used most frequently in the federal space, it's important to note that there are two different types of apps on Splunkbase (the Splunk app store). Regular apps include prebuilt dashboards, visualizations, saved searches, and other ready-to-use features. There are also add-ons, or TAs (technology add-ons), which don't include visualizations; their job is either to bring data into Splunk (inputs and parsing) or to normalize it (field extractions, tags, and Common Information Model mappings) so that apps and searches can use it consistently.
Top 5 Splunk-based Apps Used by Federal Agencies
August Schell specializes in partnering with enterprises and government organizations to deliver Splunk for IT Operations while addressing the unique needs of security teams. With a team of Splunk engineers who have extensive expertise, we work with Splunk regularly and have assisted with many implementations spanning an array of applications. Here are the ones we see being used most frequently:
The Splunk App for Windows Infrastructure provides examples of:
You can monitor, manage, and troubleshoot Windows operating systems, including Active Directory components, all from one place. Inputs for performance metrics, user and audit data, and Windows event logs are included, which makes the early stages of a Splunk deployment straightforward. The app also includes the dashboards needed to monitor your Active Directory environment, and lets you correlate Active Directory data back to the underlying operating system events.
A few additional add-on apps you’ll want:
Splunk Security Essentials is a free app that helps detect insider threats and advanced attackers inside your environment. Built on Splunk Enterprise and the Search Processing Language (SPL), the app showcases over 55 anomaly-detection use cases tied to user and entity behavior analytics (UEBA). Every use case includes actionable searches and sample data that can be put to use in your environment immediately.
The use cases apply analytics to give analysts the ability to detect unusual activity: spikes in activity, behavior seen for the first time, file name changes used as a detection-evasion tactic, and so on. Every use case includes:
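To make the "first seen" and "spike detection" patterns concrete, here are two SPL searches in the same spirit as the Security Essentials content. These are added examples written for this page, not searches shipped with Splunk Security Essentials or the Splunk Add-on for Windows. They assume Windows Security logs are indexed in an index named `wineventlog` with sourcetype `WinEventLog:Security`, and that the add-on's CIM field aliases (`user`, `dest`, `src`) and the raw `Logon_Type` field are present; those names are assumptions about your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10 earliest=-30d@d
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count BY user dest
| where first_seen >= relative_time(now(), "-1d@d")
| convert ctime(first_seen) ctime(last_seen)
| sort - count

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-7d@h
| timechart span=1h limit=0 useother=f count BY src
| untable _time src failures
| eventstats avg(failures) AS baseline stdev(failures) AS spread BY src
| eval zscore=if(spread > 0, round((failures - baseline) / spread, 2), 0)
| where _time >= relative_time(now(), "-1h@h") AND zscore > 3
| table _time src failures baseline zscore
```

The first search is a "first seen" detection: it looks back 30 days at interactive RDP logons (event 4624, logon type 10), computes the earliest time each user-to-host pair was observed, and keeps only pairs that first appeared within the last day. The second is a spike detection over failed logons (event 4625): `timechart` builds one hourly series per source address, with zero-filled hours so quiet periods count toward the baseline, `untable` turns the columns back into rows, `eventstats` computes each source's mean and standard deviation over the week, and the final `where` keeps the current hour only when it sits more than three standard deviations above that source's baseline. In production, run these as scheduled searches and tune the 30-day baseline, the hourly span, and the z-score threshold to your environment's volume.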
Splunk Enterprise Security (ES), a paid premium application, is a SIEM that provides insight into machine data generated by security technologies across network, endpoint, access, malware, vulnerability, and identity sources. Splunk ES enables security teams to quickly detect and respond to internal and external attacks, simplifying threat management while reducing risk and safeguarding the organization. Splunk ES streamlines security operations and is used by organizations of all sizes.
Splunk ES can be deployed for:
Splunk IT Service Intelligence, also a paid premium app, is a next-generation monitoring and analytics solution that uses machine learning and event analytics to simplify operations, prioritize problem resolution, and align IT with business objectives.
Splunk IT Service Intelligence enables the following capabilities:
Splunk DB Connect is a strong solution for working with relational databases from Splunk. It lets you quickly integrate structured data sources with your real-time machine data collection in Splunk. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, Amazon Redshift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, and Teradata.
Splunk DB Connect also includes some unique capabilities for extending your analysis of databases.
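One common security use of DB Connect is enriching events with structured data that only lives in a database, such as HR records. The search below is an added example written for this page, not a search shipped with DB Connect; it assumes a DB Connect connection named `hr_db` pointing at a database with an `employees` table containing `username`, `department`, and `employment_status` columns, and Windows Security logs in an index named `wineventlog` with the `user` field from the Splunk Add-on for Windows. All of those names are assumptions about your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 earliest=-24h@h
| eval user=lower(user)
| stats count AS logons min(_time) AS first_logon max(_time) AS last_logon BY user
| join type=inner user
    [ | dbxquery connection="hr_db" shortnames=true
        query="SELECT LOWER(username) AS user, department, employment_status FROM employees WHERE employment_status <> 'active'" ]
| convert ctime(first_logon) ctime(last_logon)
| table user department employment_status logons first_logon last_logon
```

The `dbxquery` command runs the SQL against the configured connection and returns the rows as Splunk events, which the inner `join` matches against the last 24 hours of successful logons; any result is an account that is not active in HR yet is still authenticating to Windows hosts. Lower-casing `user` on both sides avoids missed matches on case. Because `dbxquery` here runs inside a subsearch, it is subject to subsearch row limits; for a large employee table, or for enrichment on every event rather than on the aggregated user list, define the database as a DB Connect lookup and use `dbxlookup` instead.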
Mastering Splunk With August Schell
August Schell works with federal agencies to implement and optimize the use of Splunk regularly. If your security team needs insight on how to make the most out of Splunk, or are evaluating a future implementation, get in touch with an August Schell specialist, or call us at (301)-838-9470.