A Guided Tour to Splunk’s Enterprise Security  

Introduction  

Have you ever thought about using Splunk Enterprise Security but were overwhelmed by the many features and security options it provides? Splunk is a threat detection tool in which it is easy to get lost.

There are 12 different features included in Splunk Enterprise Security, each contributing to the analytics insights you need for a complete overview of event behavior in your organization. Here is an overview of what each one entails.

  1. Analytics and Insights  

The Security Posture dashboard provides insights into events across your security operations center. It tracks correlation searches, which run against your data to detect suspicious activity. When a correlation search finds a suspicious pattern, for example an attempted sign-in with a mistyped one-time password followed by a scripted attack against the company, it creates a notable event so that the threat can be stopped before it escalates.

The Executive Summary provides information on how the security program operates. It offers several KPIs (Key Performance Indicators), including ‘mean time to triage,’ which measures the time from when a notable event is first reported to when the first action is taken on it (such as assigning or commenting on it). ‘Mean time to resolution’ measures the time from when a notable event is reported to when it is moved to an end state, such as closed or resolved. ‘Investigations created’ is the number of investigations opened, which indicates how many high-risk cases are to be thoroughly investigated.

Under the notable events section, you can keep track of how many notable events you encounter by domain, urgency, and source, and see which correlation searches are contributing to your notable events. With risk-based alerting, you can track the number of risk notables compared to notable events overall, how many risk events turned into notable events, and which risk event types usually do not become notable.

The SOC (Security Operations Center) Operations dashboard gives you complete visibility into the SOC environment. Its KPI section is the same as on the Executive Summary dashboard, with the addition of a workload section. The workload section shows notable assignments (the notable events that do or do not get assigned over time), notables in an end state (the number of notables that are closed), and the analyst close rate (the close rate of each analyst).

  2. Incident Review  

The Incident Review dashboard provides a complete view of what is going on in your environment, displays the notable events that have been triggered, and acts as the starting point whenever there is an investigation. Each notable event expands for more detail, and an analyst can create filters to find relevant information. Using this dashboard, you can explore notable events as a starting point for finding out what may be wrong.

  3. Risk-Based Alerting (RBA)  

Users of RBA have noticed an 80% reduction in alert volume and a 30% decrease in false positives. RBA is both a feature and a methodology in Splunk ES (Enterprise Security): it attributes risk to users and systems and only generates an alert when a threshold has been met. RBA keeps a risk score for each object that is updated every time a minor attack is recorded. When the risk score is high enough, it triggers a risk notable. Although RBA keeps track of each attribution, a single attribution does not necessarily contribute meaningful risk on its own; it is the comparison of all the risky attributes together that makes a real threat easier to detect. RBA provides an event timeline showing what occurred from start to finish before the risk notable was generated. Using this feature, you can determine the highest threat level your company faces and prioritize eliminating the most credible threat first.
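To make the mechanism concrete, here is an added example (not Splunk's code and not from the original post) that simulates risk-based alerting over constructed risk events: each risk rule attribution adds to an object's score, and a risk notable with its event timeline is produced only when the accumulated score and the number of distinct MITRE ATT&CK tactics both cross a threshold. The field names, the 24-hour window, the thresholds, and the `risk_notables` function are all assumptions for illustration, not Splunk ES defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (not data from the page). Each one is a risk
# attribution written by a risk rule: the object it applies to, the score the
# rule adds, the MITRE ATT&CK tactic the rule is annotated with, and its time.
RISK_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "obj": "jdoe",    "type": "user",   "score": 20, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
    {"ts": "2024-05-01T08:05:00", "obj": "jdoe",    "type": "user",   "score": 40, "tactic": "TA0001", "rule": "Unlikely Travel"},
    {"ts": "2024-05-01T08:20:00", "obj": "jdoe",    "type": "user",   "score": 60, "tactic": "TA0002", "rule": "Scripted Attack"},
    {"ts": "2024-05-01T09:00:00", "obj": "host-42", "type": "system", "score": 30, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
    {"ts": "2024-05-01T09:10:00", "obj": "host-42", "type": "system", "score": 30, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
    {"ts": "2024-05-01T09:20:00", "obj": "host-42", "type": "system", "score": 30, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
    {"ts": "2024-05-01T09:30:00", "obj": "host-42", "type": "system", "score": 30, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
    {"ts": "2024-04-20T10:00:00", "obj": "asmith",  "type": "user",   "score": 90, "tactic": "TA0002", "rule": "Scripted Attack"},
    {"ts": "2024-05-01T09:40:00", "obj": "asmith",  "type": "user",   "score": 20, "tactic": "TA0006", "rule": "Excessive Failed Logins"},
]
NOW = datetime(2024, 5, 1, 10, 0)  # constructed "current time" for the sample

def risk_notables(events, now, window=timedelta(hours=24),
                  score_threshold=100, min_tactics=2):
    """Sum risk per (object, type) over the look-back window and return a risk
    notable for each object whose accumulated score AND number of distinct
    tactics both cross the thresholds (assumed values, not ES defaults)."""
    start = now - window
    buckets = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if start <= ts <= now:                   # stale attributions age out
            buckets[(ev["obj"], ev["type"])].append({**ev, "ts": ts})
    notables = []
    for (obj, typ), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])          # event timeline, start to finish
        total = sum(e["score"] for e in evs)
        tactics = sorted({e["tactic"] for e in evs})
        if total >= score_threshold and len(tactics) >= min_tactics:
            notables.append({
                "risk_object": obj, "risk_object_type": typ, "risk_score": total,
                "tactics": tactics, "sources": sorted({e["rule"] for e in evs}),
                "timeline": [(e["ts"].isoformat(), e["rule"], e["score"]) for e in evs],
            })
    return sorted(notables, key=lambda n: -n["risk_score"])  # most credible first

if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS, NOW):
        print(n["risk_object"], n["risk_score"], n["tactics"])
        for when, rule, score in n["timeline"]:
            print("   ", when, rule, f"+{score}")
```

In the sample, `host-42` reaches the same score as `jdoe` but from one repeated rule, so only `jdoe`, whose attributions span three tactics, becomes a risk notable; the older `asmith` event falls outside the window and is not counted.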

  4. Cloud-Based Streaming Analytics  

Cloud-Based Streaming Analytics enables scalable, real-time streaming analytics for a broader range of advanced threat detections, helps analysts understand the scope of a security incident so they can respond quickly, and gives a clear visualization of MITRE ATT&CK tactics in risk notable events so that the MITRE ATT&CK framework can be used when responding to them. This type of analytics allows users to detect suspicious behavior quickly through real-time threat detection, scalable analytics, and easy integration with Enterprise Security. Users can also respond to incidents more accurately than before, with a comprehensive view of the security incident and the ability to identify everything impacted by the threat, with no code required.

  5. Visualizing Threat Topology  

Threat Topology helps gauge the threat of an incident, reducing the time it takes to determine the scale of a risk object and its impact on the organization by mapping all the risks into threat objects. Under Incident Review, you can navigate to a risk event to view the factors contributing to the risk, and view the Threat Topology under the Risk Events tab next to the Timeline option.


It also shows details of the risk object, such as the email address the risk object originated from and personal details such as the name and phone number associated with the object. Each threat object can have multiple risk objects, and you can navigate to the threat activity in the ‘View Threat Artifacts’ dashboard. Hover over a risk object to see its details and priority level, visualize it in the Risk Dashboard, or select a timeline to see associated data within a specific time range. Threat Topology lets you see the full scope of a security incident so you can decide how to react quickly and save time fighting threats.

  6. The MITRE ATT&CK Framework  

To give better visualizations of techniques in the MITRE ATT&CK Framework, MITRE ATT&CK visualizations have been added to Splunk Enterprise Security. In Incident Review, under a risk notable, a feature called MITRE ATT&CK Notable shows all techniques involved in detecting that notable. You can see the percentage of techniques by tactic detected by the notable, along with the details and ID of each one. This lets you quickly build situational awareness around an incident in terms of the MITRE ATT&CK Framework.

  7. Behavior and Anomaly Analytics  

With UBA (User Behavior Analytics), users gain visibility into hard-to-detect threats that typical detection methods miss. User Behavior Analytics uses unsupervised machine learning to detect complicated and complex threats faster and more accurately than before. Users can augment risk-based alerting and human-driven correlation in Splunk ES with the machine learning available in behavior analytics, with ease and accuracy.

The Access Anomalies dashboard visualizes anomalies in user behavior, displaying authentication attempts from different IP addresses and any unlikely-travel anomalies detected using user credentials and location-specific data.

  8. Threat Intelligence and How to SOAR (Security Orchestration, Automation, and Response) Using It  

With Threat Intelligence, you can operationalize all your security intelligence sources across your entire environment, including tools and outside sources such as partners. Splunk ES integrates with other Splunk products to help you maximize the efficiency of your security operations. One such product is Splunk Intelligence Management, which prioritizes notable events and enables teams to operationalize internal and external security intelligence sources. Splunk SOAR reduces the time spent on incident triage and accelerates incident investigation.

  9. Asset Investigation & Security Domains  

Splunk has dashboards to expedite investigations. The Asset Investigation dashboard is one of them: it aggregates events over time to show event categories such as Authentication, Malware, or Notable Events and highlights periods of high or low event volume.

The Security Domain dashboards help reduce remediation time by providing details such as login attempts, breached endpoints, or network intrusions that can be cross-referenced so that users can see where a threat may be coming from.

  10. Risk Analysis  

Splunk also helps you proactively reduce risk. The Risk Analysis dashboard tracks and categorizes assets by risk and can be used with RBA to quickly determine the riskiest assets. For example, assets with a sudden increase in activity may be prioritized over those holding confidential information.

  11. Investigation Workbench  

Users can navigate to the Workbench during an investigation to accelerate incident assessment. The Workbench centralizes detailed context from endpoints, the network, or other security data that might be relevant. Analysts can investigate one or multiple notable events that may represent a security threat. The asset and identity data associated with those notable events are automatically extracted for further analysis, so a resolution can be found faster.

The Investigation Timeline allows for better collaboration and tracking of investigations. Users can toggle between the timelines of different investigations to determine the scope of activities. Ad-hoc searches can be run directly from the Workbench, avoiding further navigation and distractions.

  12. Use Cases  

You can also use Splunk’s Use Case Library to research new or emerging threats. In Splunk ES, security content comes as pre-packaged detections stored in the Use Case Library for future use. You can filter by use case or by industry framework such as MITRE ATT&CK. Analytics stories provide in-depth details about each use case, including its description, data sources, and how it aligns with each industry framework, and even include the Splunk search query and implementation tactics.

Conclusion  

12 is the magic number when it comes to Splunk Enterprise Security. With multiple dashboard and visualization options, choosing Splunk for security is a no-brainer. Contact Prudent right now for help from highly trained professionals with your Splunk needs!
