When it comes to real-time operational intelligence, Splunk is vying for market leadership. The company just rolled out version 3.1 of the Splunk App for Enterprise Security, complete with a new risk scoring framework that promises faster threat detection and containment.
Beyond allowing you to assign risk scores to any data, the app also lets you connect and visualize data on the fly. Then there’s the guided search feature, which lets more users access security analytics without any knowledge of programming languages or command syntax.
Haiyan Song, Vice President of Security Markets at Splunk, said adapting quickly to new attack techniques is the key for modern cybersecurity warriors. The new version of the Splunk App for Enterprise Security, Song explained, was built to help organizations stay agile in a dynamic landscape of zero-day and previously unknown attacks.
“Risk scoring provides prioritization beyond just event data to help security teams transform security analytics by identifying the most critical threats from the massive streams of data surrounding them,” Song said. “We believe the app will have a profound impact on the threat detection capabilities of organizations around the world.”
A Great Step Forward
One of the key new features in Splunk 3.1 is risk-based analytics, which promises to beef up decision-making capabilities by applying a risk score to any data so security and IT teams can prioritize, triage and receive alerts about threats based on risk score. Meanwhile, the visual investigation feature sets the stage for faster, deeper insights across all machine data with new capabilities that let companies visually discover relationships through event swim lanes that organize and correlate data.
The new version of the app also lets users simplify complex correlation across disparate data sources with advanced searches in a guided user interface that requires no programming language knowledge. Finally, there’s domain name-based threat intelligence, which deduplicates and assigns weights to threat intelligence feeds.
David Monahan, Security Research Director at Enterprise Management Associates, said Splunk's Enterprise Security App Version 3.1 represents a great step forward in providing security analytics to more roles across the security team.
“The addition of risk-based analytics and more in-depth threat intelligence, combined with the ability to connect and visualize disparate data, are extremely valuable and well aligned with the requirements we are hearing from end users,” said Monahan. “The new guided UI allows any user to build sophisticated queries without foreknowledge of the Splunk analytics language, advancing the capabilities of every level of user, improving effectiveness and accelerating the ROI gained from Splunk.”
Deciding Where To Start
We turned to Javvad Malik, a senior analyst at 451 Research, to get his take on the Splunk app. Fundamentally, he explained, Splunk's approach treats all IT logs and events as inputs and stores them at scale.
This enables companies "to undertake monitoring, forensics, investigations, etcetera,” Malik said. “The biggest challenge for most is deciding where to start from -- which is where the Splunk App for Enterprise Security comes into the picture to specifically assist security teams to leverage Splunk [technology].”
As for the current release, he called it “pretty much in line” with what has emerged in response to market demand. Gathering data is one thing, he noted; making it usable and separating the news from the noise is another.
“However, even once meaningful data is separated, it needs to be risk assessed and scored,” Malik concluded. “This is where the security analytics capabilities of Splunk appear to be maturing very well and shows Splunk takes the time to research the market needs and develop its product in that direction.”
Posted: 2014-08-11 @ 9:48am PT
Super good, a great step forward.
Posted: 2014-08-08 @ 8:31am PT
@Splunk User: Thanks for checking. The article is accurately talking about the general availability of version 3.1 of the Splunk App for Enterprise Security. However, as Splunk notes in their announcement, "Version 3.1 of the Splunk App for Enterprise Security requires version 6.x of Splunk Enterprise." Hence the confusion.
Here's a link to the announcement for further details:
Posted: 2014-08-08 @ 4:46am PT
Don't you mean 6.1? Splunk 3 was released 5 years ago...