What is Splunk and Should I Be Using It?

   
July 19

Why Today’s Business Environment Calls for a Tool Like Splunk

Why Do You Need a Tool Like Splunk?

There are nearly endless devices, users, servers, ex-devices, network hardware, IoT, and more connected to the average network of today. As a result, the ability to keep track of how many things you have on your network or potentially on your network has been diminished, while potential vulnerabilities and attack vectors are on the rise. All of these elements combined engender a need for a tool that collects all log information and data of different devices, as well as what they’re doing and who’s talking to them. Using such a tool gives you an opportunity to gain a centralized point where you can conduct comprehensive monitoring and see if there’s anything you would define as unusual activity, such as:

  • Finding out that your internet connected services are being controlled by IP addresses from another country
  • General suspicious user activity
  • Apps and their potential vulnerabilities (known or unknown)

Ultimately, your IT and security team will be better able to define what needs to be locked down and responded to. In many ways, the internal threat landscape can be more dangerous than the external threat landscape, which makes being able to track patterns and visualize where people are coming from, as well as where accesses are going to, all the more important. Bringing a central view of your entire environment into focus needs to be a key initiative.

Most breaches originate inside the network, whether intentionally or unintentionally. Users are given varying degrees of access to the kingdom, oftentimes more than necessary. While your users do need to be network connected, they don’t need comprehensive access, and if anyone has misguided intentions, exfiltration of data is a risk. Don’t forget, people on the inside know where to look, so tracking what users are doing, depending on your environment, is equally, if not more, important than tracking what people outside are trying to do to you.

We recommend Splunk: software that aggregates, analyzes and gets answers from your machine data with the help machine learning and real-time visibility.

What Kinds of IT Challenges Create the Need for Splunk?

When it comes to the primary use cases for Splunk, there are many, but here are the two we see frequently:

  • Sheer quantity of data

Many organizations simply don’t know what data they have, or how much, and find themselves in search of a tool that will provide a handle on what’s on their network. In recent years, different ways of obtaining IT resources, shadow IT in particular, have brought about an even more dramatic need for a tool like Splunk that can track applications and data. When people are standing up their own infrastructure and tools, IT management may only know about 10,000 servers and 4,000 desktops when there are actually 20,000 systems being used. Remember, unknowns are often worse than knowns. Splunk will allow you to discover what is in your environment.

  • Performance and troubleshooting application and system problems

Invariably, problems happen. Being able to look at the different systems touching different processes and find when or where a problem happened is key to its solution.

*Real-world example: ISPs allow you to call in and request new email addresses. Traditionally, if someone else were to request that same email address, it would not be issued. However, because of an internal glitch in software, one ISP’s system was dual-provisioning requested email addresses to be attached to entirely different customer accounts as an alias, and both customers were seeing the exact same inbox as a result. It was a small breach for the size of the company, but given the type of information that’s often found in email (password resets, bank statements, and other sensitive data), this became a problem that the ISP had to solve.

Fortunately, because the ISP pushes all core system logs into Splunk, engineers at August Schell were able to create a report that could pinpoint inside the three systems that were not quite working together correctly to find out what was going on. The provisioning system’s time was slightly off from the directory system’s time – the system that indicates whether the email addresses had already been issued. The directory [apparently] took too long to respond because it was ahead of the provisioning system by 4 or 5 seconds. The provisioning system had too short a timeout on requests from the directory, so if it took more than that to respond the provisioning system viewed a non-response as an OK. Normally, the response from the directory, if it’s not there, is blank.

The intersystem timeout was increased to account for possible different system times and network latency, and solved the problem. This was something they definitely needed to address for FCC (and possibly other) compliance reasons, but they’d have had no way of tracking down this problem without Splunk collecting logs from the different systems talking to each other. It was an easy fix once they got it debugged, but finding the problem would’ve been impossible without a tool like Splunk.

Should Your Business Be Using Splunk?

The primary reason this question gets asked is when an organization is using Splunk simply to check a box on an audit compliance report: they need to retain some form of critical data for a particular amount of time. Most often, the organization is never actually using the data, but merely storing it.

The question, then, is really not, “Should I be using Splunk?” but rather, “What can I do with what I have?”

Reframing in this way leads to the much more useful question of what you actually want to get out of Splunk. If all you’re using it for is to check a box on an audit a compliance report, that’s ok—it’s important to be compliant with standards – but when you start exploring what else you can do with the data, you can find new opportunities to generate business value, if only by starting with some of the fundamental dashboards and reports you can easily build, as well as the online training classes.

In some respects, Splunk can seem so powerful that it can be overwhelming. Without guidance, you could end up greatly underutilizing its capabilities. This is where having a partner such as August Schell on your team to help you identify the unique, value-generating use cases that your business is looking for is most helpful. If you’re looking for Splunk guidance, reach out to us, or call us at (301)-838-9470.



Subscribe to Email Updates