
Splunk: SIEM Buyer's Guide (English edition) (24 pages).pdf


The SIEM Buyer's Guide
Your guide to modern, data-driven security solutions for the hybrid world

Table of Contents
What's a SIEM?
What does a SIEM do, exactly?
Legacy SIEMs are dinosaurs
What else is out there?
The evolution of a data-driven SIEM
Modern SIEM Essentials
Five essential capabilities of a modern SIEM
Seven must-have SIEM strategies
Enter Splunk
Splunk as your SIEM
Uplevel your SIEM
Build on a strong foundation
Let's talk real-world ROI
Future-proof your SIEM
Tap the power of data

The SIEM Buyer's Guide | Splunk

The last two years have been a wild ride, with dizzying changes in the way we live and work as we navigate enormous unpredictability brought on by a global pandemic, among other world events. For organizations, digital transformation has gone from priority to urgent imperative, and nearly every company has become a technology company out of necessity. But necessity is also the mother of invention. These unprecedented and volatile times have pushed us to innovate at lightning speed. What's fueling the most critical innovations? Accelerated cloud technologies and the power of data.

To not only survive but thrive in this hybrid world, organizations need solutions that are powerful, flexible and fast: solutions powered by data. With a strong data and technology foundation, organizations can respond quickly to whatever comes their way, secure their organizations from ever-evolving threats and use their data to innovate. But not every organization has been able to tap the power of data, due to three major challenges:

Data silos: With too many tools within and across teams, data is often fragmented and hard to see, which leads to inefficiency and vulnerabilities.
Lack of visibility across processes: Without contextual data, it's difficult to track business processes end to end, making it harder to get to root causes and find ways to optimize.
Security and compliance regulations: Constantly changing security, privacy and compliance regulations make it even more challenging to make sure the right data is accessed at the right time, with the right governance.

As a consequence, organizations have difficulty drawing insights from and taking action on their data. It's just too time consuming and resource intensive. But there's a solution: your organization can meet these challenges, stay secure and tap the power of data by employing the right security information and event management (SIEM) solution, one that's cloud-based and data-driven.

A SIEM solution is like a pilot's radar system. Like pilots, the analysts who help pilot your security operation center (SOC) need radar to safely navigate what's around them, what's ahead and what might be hidden out of view.

A SIEM solution is a security platform that helps SOC analysts see across enterprise IT and spot security threats hiding in the corners of the systems they protect. Without it, they're flying blind. While security applications, network security tools and system software do catch and log isolated attacks and anomalous behavior, today's most serious threats are distributed and can't be caught with these tools alone. Hackers attack in unison across multiple systems and use advanced evasion techniques to avoid detection. Attackers also take advantage of stressful situations to exploit weaknesses: situations like, say, an immediate shift to remote work during a global pandemic. In the middle of that urgent transition, SOC teams were tasked with keeping systems secure, but without in-person access to the security tools and processes they'd come to rely on.

Situations like these are why a modern SIEM solution is more important than ever. Without the right SIEM, cyberattacks can fester and turn into catastrophic incidents that even the best SOC analysts can't see coming. And by the time they discover the vulnerability (like a ransomware or supply chain attack), all they can do is damage control and start the search for a new CISO.

In this buyer's guide, we'll take a deep dive into what exactly a SIEM solution is, what it does, how it's different from other tools, and how to find the right SIEM solution for your organization.

What's a SIEM?

What does a SIEM do, exactly?

Gartner defines a SIEM solution as "a technology that supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources." Basically, a SIEM solution helps SOC analysts do their jobs better. It's a security platform that ingests event logs and gives them a single view of their data, with more insight. With a modern SIEM, analysts can solve three major security challenges:

A lack of visibility into the real-time status of your organization's security (often referred to as security posture).
Trying to reduce the amount of false positive security alerts analysts see, prioritizing them, and then increasing the speed of their detections and investigations.
A lack of flexibility or support for different types of deployment environments, technology tools and threat intelligence.

So how are organizations trying to solve those challenges today without a SIEM solution? Historically, they've used "legacy" solutions, various point solutions, and more recent emerging tools like extended detection and response (XDR) solutions. Let's explore what all those are, and the pros and cons of each, quickly.

Legacy SIEMs are dinosaurs

Okay, not literally, but legacy SIEM technology is now over a decade old, and legacy SIEMs just aren't built to keep up with today's evolving security challenges. With a closed environment and limited data they can ingest, they're slow at queries and investigations, and they don't scale to meet business needs. Many enterprise IT organizations that invested in SIEM platforms discovered this the hard way. They learned after spending a lot of money that it takes a long time to ingest all their data into a legacy SIEM, and that the underlying data system used to create the SIEM tends to be static. Though there are a myriad of software options on the market for collecting, storing and analyzing security-only data, only a few can turn that data into actionable intelligence, and a legacy SIEM isn't one of them.

Then there's the issue of speed. Your SOC analysts can't afford to lose precious time when there is a security alert, and a legacy SIEM solution can't keep up with the pace at which they need to investigate data. Worse yet, legacy SIEMs can only provide data on security events, which makes it difficult to correlate security events with what's happening across the rest of an IT environment. That might have worked a decade ago, but not in our hybrid world, where some employees work remotely, others bring their own devices to the office, and everything in between is connected and generating data, all of which is crucial to security. Especially with today's rapid adoption of cloud services, which continues to expand the threat vectors, today's organizations need to monitor user activity, behavior and application access across key cloud and software-as-a-service (SaaS) solutions, not just on-prem services, to determine the full scope of potential threats and attacks.

Seven Reasons to Replace Your Old SIEM

Organizations are often tied to the dated architectures of traditional SIEMs, which typically use an SQL database with a fixed schema. These databases can become a single point of failure or suffer from scale and performance limitations.

1. LIMITED SECURITY TYPES
By limiting the type of data that is ingested, there are limits in detection, investigation and response times.

2. INABILITY TO EFFECTIVELY INGEST DATA
With legacy SIEMs, the ingestion of data can be a massively laborious process or very expensive.

3. SLOW INVESTIGATIONS
With legacy SIEMs, basic actions, such as raw log searches, can take a significant amount of time (often many hours or days) to complete.

4. INSTABILITY AND SCALABILITY
The larger SQL-based databases get, the less stable they become. Customers often suffer from either poor performance or a large number of outages as spikes in events take servers down.

5. END-OF-LIFE OR UNCERTAIN ROADMAP
As legacy SIEM vendors change ownership, R&D slows to a crawl. Without continuous investment and innovation, security solutions fail to keep up with the growing threat landscape.

6. CLOSED ECOSYSTEM
Legacy SIEM vendors often lack the ability to integrate with other tools in the market. Customers are forced to use what was included in the SIEM or spend more on custom development and professional services.

7. LIMITED TO ON-PREMISES
Legacy SIEMs are often limited to on-premises deployments. Security practitioners must be able to use cloud, multicloud, on-premises and hybrid workloads.

What else is out there?

The truth is out there. But let's start with the truth about point solutions versus platform solutions. Point solution vendors are lying if they tell you they can do what a modern SIEM solution can. They typically do one or two things really well, but without a centralized way of making sense of an organization's data, SOC analysts are flying blind. Point solutions don't offer that radar system they need to safely navigate what's around them, what's ahead, and what's still unknown.

Then you have XDR, an emerging solution generating a lot of (marketing) buzz. But you can't always believe the hype. XDR is an evolution of endpoint detection and response (EDR), which has traditionally served as an additional data source for a SIEM solution, not a replacement for it. Though XDR can be used in tandem with a modern SIEM, XDR alone won't cut it. Not being able to see into a company's security posture makes the job of your SOC analyst almost impossible. And the last thing you want to do is make the life of your SOC analyst harder, because there just aren't enough good SOC analysts to go around. Let's face it, the eternal security skills shortage has only gotten worse since the pandemic started.

Going back to that radar system: without visibility, security investigations can only scratch the surface of true incident resolution, and that leads to more vulnerabilities down the line. The less visibility your organization has, the more vulnerable it is to a high-profile breach, which can cost millions of dollars and its reputation. No CEO wants to see their company's name in a Bloomberg headline, and no CISO wants to explain why that happened.

The evolution of a data-driven SIEM

Call it survival of the fittest. With legacy SIEMs stuck in the past, and new-fangled solutions only able to solve part of the problem, the modern SIEM had to evolve into a robust, analytics-driven solution to keep up with the sophistication and speed of today's attacks. What SOC analysts require today is a simple way to correlate information across all security-relevant data: a solution that enables IT to manage their security posture easily. SOC analysts must be able to anticipate what threats might be lurking and put measures in place to limit the vulnerability of their company in real time. For that, enterprises need a data-centric, modern SIEM solution that gives analysts full visibility into the data being generated by their enterprise, one that works with more than just log data and simple correlation rules for data analysis. Leading SIEM solutions now combine long-term storage of event logs with real-time monitoring to provide your team with a holistic understanding of the organization's security posture.

Gartner's Magic Quadrant for Security Information and Event Management is practically required reading for anyone exploring the SIEM market. As the report has evolved, it's grown to include open source SIEM vendors and other new entrants in the broader category, beyond a "true" SIEM. So how can you tell if a solution is the real deal? In the Critical Capabilities for Security Information and Event Management report, Gartner highlights the five things a modern SIEM can do that others can't.

Five essential capabilities of a modern SIEM

1. Collect security event logs and telemetry in real time for threat detection and compliance use cases. A modern SIEM solution can collect, use and analyze log data from across an ecosystem of teams, tools, peers and partners in accordance with sector-specific mandates around regulatory compliance and reporting, as well as the latest threat detection needs.

2. Analyze telemetry in real time, over time, to detect attacks and other activities of interest. A modern SIEM can collect, use and analyze all event logs and give a unified view into what's going on across the security stack in real time. This gives IT and security teams the ability to manage event logs from one central location, correlate different events over multiple machines or multiple days, and tie in other data sources like registry changes and ISA Proxy logs for the complete picture. Security practitioners can also audit and report on all event logs from a single place.

3. Investigate incidents to determine their potential severity and impact on a business. A modern SIEM can also determine the severity and likelihood of potential incidents for each issue identified, and use this information to prioritize and inform corrective actions.

4. Report on these activities. A modern SIEM can also generate reports containing security information about any part of an organization's infrastructure and provide a means for documentation and compliance requirements.

5. Store relevant events and logs. And finally, a modern SIEM solution can store historical log data over the long term, which helps analysts meet compliance mandates and correlate data over time.

Modern SIEM Essentials

Seven must-have SIEM strategies

That's right, it's another list, because who doesn't love a list, especially one that makes your job easier? Seven key strategies for securing your organization (and how you can use a modern SIEM to implement them):

1. Real-time security monitoring and analysis

Organizations need to be able to detect and respond to threats in record time, no matter the nature or severity of the attack. But to do this and do it well, security monitoring is a must-have, and luckily, a modern SIEM offers robust, real-time monitoring.

How does it work?

To pinpoint and identify different types of malicious and/or anomalous behavior, a SIEM retrieves and maintains contextual data around users, devices and applications (e.g., asset and identity data) from across on-prem, cloud, multicloud and hybrid environments. All relevant data is then fed into a workflow to assess potential risks. By monitoring and ingesting machine data from a diverse set of sources across different types of deployments, security teams have a comprehensive view of potential security events, making it that much easier to detect and zero in on bad actors.

A leading SIEM should provide a library of customizable, predefined correlation rules, a security event console for real-time presentation of security incidents, and dashboards to provide real-time visualizations of ongoing threat activity. Security monitoring can also be augmented with out-of-the-box correlation searches that can be invoked in real time or scheduled regularly. These searches can be available via an intuitive user interface that doesn't require analysts or administrators to master a search language. Finally, a modern SIEM will have a local and historical search function to make easy work of searching log data, and reduce the amount of network traffic accessing search data.

The seven strategies at a glance:
1. Real-time security monitoring and analysis: detect and respond to threats fast
2. Cloud security: detect and respond to threats across hybrid, cloud and multicloud environments
3. Incident response: identify incidents when they occur, and track, route and annotate events
4. Threat intelligence: access curated, in-product security research on existing and emerging threats
5. Incident investigation and forensics: optimize threat hunting, reduce the volume of alerts and increase true positives
6. Advanced and insider threat detection: exponentially improve detection success, freeing up time and resources to zero in on complex, high-fidelity threats
7. Compliance: unify the three pillars of compliance (process, technology and people) through greater visibility across systems and processes.

2. Cloud security

As your organization sprints ahead with digital initiatives, you'll need to pay close attention to both general security requirements and the technical complexities of cloud migration. Inevitably, the journey to cloud nativity presents a considerable increase in risk to the enterprise, especially if the organization is not up-to-date on network controls, access management systems or cloud configuration options. Add to that an expanding attack surface and a lack of visibility, and you've got yourself a high chance of breach. So traditional monitoring just isn't enough. Security teams need the capabilities of a modern SIEM to analyze and ingest data from a wide range of sources, across all types of environments, in order to detect the where and why of security events.

How does it work?

With a leading SIEM solution, you get out-of-the-box cloud security monitoring content that makes it easier to detect and respond to threats across hybrid, cloud and multicloud environments, including sophisticated detection rules for cloud attacks, and tools to help you test and improve cloud detections via attack simulation. Especially in the age of remote work, you need to be able to capture and analyze all cloud and endpoint data regardless of volume, variety and velocity. Ultimately, by monitoring the uptime, availability and activity across multiple cloud deployments with a modern SIEM, you'll have full visibility into cloud services (including Amazon Web Services, Azure and Google Cloud Platform) and all the actionable insights that come with it.

Slack unlocks data to empower collaboration

When the COVID-19 pandemic hit, Slack had to transition more than 1,600 employees to remote work, all the while continuing to provide a secure, enterprise-grade service to its booming user base. With Splunk, Slack was able to seamlessly transition their workforce to the cloud, bolster security within a zero trust framework, and gain visibility into any and all activity across its cloud services. Slack has also used Splunk to:

Glean insights into behavioral patterns across critical applications.
Authorize and authenticate users within a zero trust network.
Innovate and stay in lockstep with customers while remaining secure.

Running a secure ecosystem

With a massive surge in demand due to the pandemic, Slack had to make sure its security program was working effectively and, with the welcome help of Splunk, launched a new application programming interface (API), as well as fortifying a zero trust network. By integrating an analytics API with Splunk, users had an easier time keeping a finger on the pulse of the organization. The API integration helped customers get the information they needed and helped leadership stay connected. All of Slack's critical applications were sending logging content into Splunk, bringing data into one place, and offering insight into an array of behavioral patterns. Operating in a zero trust network where users are authenticated and authorized also strengthened Slack's security posture.

"Splunk is a key part of Slack's ability to operate a zero trust network," Ryder says. "Because Splunk gives us visibility into all the activity that's happening across all of our cloud services." "Splunk is how we verify that our security program is operating across our entire fleet and across our corporate applications the way we expect it to, the way we must to assure the integrity of our company." Read more.

3. Incident response

Today's organizations also need an up-to-date incident response strategy, and a modern SIEM can help you identify incidents when they occur, and provide a means for tracking, routing and annotating events.

How does it work?

A SIEM can manually or automatically aggregate events, support third-party systems and vendors (allowing for the easy ingestion of data to and from a diverse set of sources), and provide up-to-date threat intelligence and auto-response capabilities (like playbooks) that preempt or disrupt cyberattacks either right before or right after they emerge. In order to do all of this, a SIEM solution should be the hub around which an incident response workflow is customized and crafted. Since security events have different levels of urgency attached to them, potential threats can be identified, categorized and triaged via dashboards, then assigned to analysts for review. By identifying, triaging and auditing notable events based on the fidelity of the threat, a modern SIEM makes the start of the remediation process more reliable, equipping your teams with the contextual awareness they need to determine next steps. To expand or reduce the scope of their analysis (which can be vast), your SOC analysts can use a SIEM to apply filters to the sea of log data, then place events, actions and annotations into a timeline to see everything that's going on. They can then review and codify these timelines as a repeatable kill chain methodology to deal with specific event types.

4. Threat intelligence

Threat intelligence is another must-have strategy. But threat intelligence is often too noisy, with your security analysts having to manually curate data to make use of it. With manual input, context gets lost during the investigation process or the data becomes too disparate, while enrichment in playbooks is too clunky. Making it even harder for your analysts, the most valuable security data is often locked inside silos in and across companies. With more integrations coming online that are generating more data needing to be secured and stored, this problem isn't going away. Fortunately, thanks to the rapidly growing intelligence marketplace, modern SIEM solutions can integrate threat intelligence into every stage of the incident response flow, as well as across an ecosystem of teams, tools, peers and partners.

How does it work?

Threat intelligence transforms internal and external sources of security intelligence for informed, actionable automation across ecosystems of teams and tools, and helps with intelligence sharing with internal and external stakeholders. Your team can preempt attacks and create complex pipelines without ever having to write or maintain scripts in the backend. Threat intelligence comes integrated into most modern SIEM solutions or as cloud-native SaaS that integrates seamlessly with a modern SIEM platform. The intelligence provided usually includes indicators of compromise (IOCs) and adversary tactics, techniques and procedures, alongside additional context for various types of incidents and activities. This makes it much easier to recognize abnormal activities, as your analysts have all the information they need to assess the risks, impact and objectives of an attack (no matter how cunning) and respond appropriately. Threat intelligence data can be integrated with machine data to create watchlists, correlation rules and queries for better detection and response to attacks. This information can be automatically correlated with event data and added to dashboard views and reports, or forwarded to devices that can then remediate the vulnerability in question.

Transforming Intel's security posture with innovations in data intelligence

Intel was burdened with a legacy SIEM that only a handful of experts knew how to use and needed a new strategy for detecting sophisticated attacks encroaching on their environment. This inspired Intel's Cyber Intelligence Platform (CIP), a modern, scalable platform built around cutting-edge technologies (like in-stream processing). Intel's data could flow from hundreds of data sources into a Kafka message bus, then into Splunk for context-rich visibility and greater effectiveness throughout the organization. With the help of Splunk, Intel was able to:

Speed up data analysis and detection of sophisticated threats.
Deliver a collaborative, unified approach to managing cybersecurity.
Deliver additional business value across security operations.

Scaling Intel's Cyber Intelligence Platform

CIP's results led to additional data sources, new use cases and many more data models. Eventually, use of the platform expanded to teams like vulnerability management, compliance and enforcement, risk management and beyond, which placed additional demands on the infrastructure while requiring even faster compute and storage. To maximize the platform's performance, Intel's security solution architect and engineers needed a deeper understanding of Splunk and Intel technologies. A collaborative Splunk and Intel team developed a joint reference configuration to help guide CIP's expansion across compute, memory and storage using the latest Intel products and technologies. Splunk and Intel are now sharing their success with IT and security peers, helping others scale their Splunk and Apache Kafka deployments to more effectively convert raw data into operational, business and security intelligence.

"With situational awareness, we know ourselves," says Lee. "But with threat intelligence, we know our enemy. We're now operating an integrated threat intelligence program and our Splunk SIEM is one of the key solutions for a centralized information management platform that we deploy at our Integrated Security Operations Center (ISOC)." Read more.

5. Incident investigation and forensics

Chances are, your security team spends too much time investigating low-value alerts with too little context. Incidents based on narrowly defined detections can lead to a high volume of false positives and a lot of extra noise, quickly overwhelming and overburdening anyone on the front lines. That's why you need a strong incident investigation and forensics strategy powered by a modern SIEM.

How does it work?

A modern SIEM visualizes and correlates data by mapping categorized events against a kill chain, or creating heat maps to better support incident investigations by providing important insight into which tactics have been used by an adversary that map to a particular industry framework. Risk attribution can also help optimize threat hunting and reduce the volume of alerts, thereby increasing true positives while surfacing more sophisticated threats, like low and slow attacks that most correlation searches traditionally miss. This frees up time and resources to home in on actual (often complex) threats, aligning operations to industry-standard cybersecurity frameworks. Bottom line: freeing up your analysts to focus on high-value tasks means they're better positioned to respond quickly and efficiently in the event of a security breach, and who wouldn't want that? Plus, your team can make better informed decisions and gather forensics evidence with the comprehensive collaboration and reporting capabilities integral to a modern SIEM investigative workflow.

6. Advanced and insider threat detection

Security threats continue to evolve, mutate and find ways to evade standard security procedures, and the more sophisticated the attack, the harder it is for your team to detect and remediate it. Between the changing threat landscape and the crafty nature of new and emerging threats, an advanced and insider threat detection strategy has never been more important. Most traditional security tools can't meet the challenge. They rely on existing rulesets and signatures, and can only detect straightforward, well-known threats, so they fail to address the complexity of advanced security threats, like insider threats, zero-day attacks, laterally moving malware and compromised accounts.

How does it work?

Fortunately, a modern SIEM can adapt to these threats by stitching together anomalies and correlating them as part of the incident response workflow, as well as implementing capabilities like endpoint detection and behavioral analytics. By establishing multi-dimensional behavior baselines and dynamic peer group analysis (ideally in tandem with unsupervised machine learning), compromised or misused accounts can be detected. The goal is to not only detect hidden threats, but also determine the scope of the attack and how best to contain it. For this, your team requires real-time views and reporting capabilities that can be extended to include any number of third-party applications and services. This type of analytics and behavior profiling in a SIEM can exponentially improve detection success, freeing up your team's time and resources to focus on complex, high-fidelity threats, before it's too late.

7. Compliance

Whether it's for cybersecurity, forensic analysis, privacy, fraud or risk management, different teams require different views and processes around data in order to guarantee compliance. A modern SIEM can help unify the three pillars of compliance (process, technology and people) by providing you with greater visibility across the board.

How does it work?

A modern SIEM solution takes a holistic, foundational approach to compliance that not only connects compliance teams, silos and technology fiefdoms, but also streamlines the overall efficiency of compliance-related operations. This means the tedious, time-consuming chore of legally-mandated log review can finally be put to bed. Your analysts can be more productive and maintain the buttoned-up, documented approach to risk management that's expected of them. With a modern SIEM, organizations can see across the entire security stack for assessments, rankings, investigations and audits, and are no longer dependent on a single department or functional unit for insights. Your analysts can search, alert and report on machine data from an array of sources, meet compliance requirements from audit trail collection and reporting, and generate sector-specific compliance reports in seconds.

Expo 2020 Dubai mega-event ensures security with Splunk

Securing an event like Expo 2020 is no easy feat, especially in the face of insider threats. And while Expo Dubai had prioritized cybersecurity since its very inception, the time had come for the org to up the ante ahead of their coming six-month event. To tackle a number of their growing concerns, Expo 2020 required a security platform that could scale quickly, manage operational security for hundreds of different data sources and technology solutions, and be flexible enough to adapt to the evolving cybersecurity needs of the event. Splunk proved to be the best solution to meet these requirements. Splunk helped Expo 2020:

Monitor, flag and classify suspicious or anomalous behavior/activity.
Respond to potential threats immediately and take corrective action.

Tackling the possibility of insider threats

Mega-events and large-scale organizations deal with a number of security incidents on a regular basis, and insider threats have evolved into some of the most challenging risks these organizations face. To protect its technology ecosystems from potential adversaries, Expo relied on Splunk's real-time monitoring to identify suspicious behavior. Splunk also helped the Expo team make faster, better data-driven decisions, strengthening Expo's overall cyber resilience, and empowering them to respond to threats immediately with corrective action.

"Splunk's flexibility meant that we could easily resize the deployment to accommodate Expo's changing needs during the pandemic, especially in terms of adapting to the one-year postponement of the event." Read more.

Splunk offers a data-driven SIEM solution on a flexible data platform. That means with Splunk, organizations can see across all their data, gain insights quickly, respond with accuracy, confidence and ease, and do it all with one unified, integrated solution. You could say it's the ultimate radar system for SOC analysts. Splunk can monitor and analyze data from any source and at enterprise scale, and offers integrated solutions that deliver consistent full-stack observability, unified security and myriad custom applications, giving you limitless ways to gain insights from data. A no-compromise, data-centric security operations platform like Splunk delivers the strength and flexibility needed to meet complex compliance challenges and respond to threats, so your organization can grow and innovate securely. By working across multicloud and hybrid environments and providing robust tools for investigation, analysis and orchestration, Splunk helps organizations find and remediate threats quickly, and with accuracy.

Splunk Enterprise monitors and analyzes machine data to improve your IT, security and business performance. With intuitive analytics, machine learning, packaged applications and open APIs, Splunk Enterprise is a flexible platform that scales from focused use cases to an enterprise-wide analytics backbone. Splunk Cloud Platform is a flexible, secure and cost effective data platform that helps organizations search, analyze, visualize and act on their data. With Splunk deployed and managed securely, reliably and scalably as a service, you get fast, flexible service, powerful and integrated streaming, search, and machine learning, and predictable pricing that aligns with value.

Enter Splunk

Splunk as your SIEM

Today's complex technological ecosystems and constantly changing security threats require modern security operations that effectively balance business risk with security risk, while also allowing organizations to move quickly. Splunk security solutions not only meet today's SIEM needs, they help you prepare for what's next. Splunk offers a security operations platform that ingests data from any source for accurate threat detection, investigation and automated response across cloud, on-prem and hybrid environments. And

113、 because Splunk embraces an open ecosystem,you have the freedom to select the best tools and build using your existing infrastructure.The Splunk platform is built to ingest,normalize and provide insights across all of your data so you can get accurate and actionable detections,conduct quicker invest

114、igations and reduce time to remediation.Those advanced security analytics provide the valuable context and visual insights your security team needs to make faster,smarter decisions in complex environments.Along with end-to-end visibility into security,Splunk offers schema-on-read and distributed ind

115、exing capabilities that make collecting and analyzing data from any source both quick and easy.Splunk is also flexible,offering several options for enterprises looking to deploy their SIEM or migrate from their legacy SIEM,and the choice of on-prem,cloud or hybrid deployment.To cover your basic need

116、s,you can use either Splunk Enterprise or Splunk Cloud Platform.Both core platforms provide collection,indexing,search and reporting capabilities.Many Splunk security customers use one of the two platforms to build their own real-time correlation searches and dashboards for essential SIEM use cases.
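The two ideas in the paragraphs above, schema-on-read normalization of heterogeneous logs and a home-built correlation search over the result, as an added example that is not code from the guide or from Splunk. The three log families (a simplified Windows Security line, sshd via syslog, AWS CloudTrail JSON) and every log line are constructed; the common field names (user, src, action) loosely follow the CIM Authentication data model; SYSLOG_YEAR is an assumption because classic syslog timestamps carry no year; the rule name and the 3-failures-in-10-minutes threshold are illustrative.

```python
"""Added example (not from the guide or from Splunk): schema-on-read field
extraction over constructed raw logs, then a correlation search that fires
one notable event for N failed logons followed by a success from one IP."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SYSLOG_YEAR = 2024  # assumption: the constructed sshd lines carry no year

# Constructed raw events, kept verbatim: nothing is parsed until a search asks.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z WinEvtLog EventCode=4625 Account_Name=jdoe Source_Network_Address=203.0.113.9",
    "May  1 10:00:05 bastion sshd[2231]: Failed password for jdoe from 203.0.113.9 port 51234 ssh2",
    '{"eventTime":"2024-05-01T10:00:09Z","eventName":"ConsoleLogin","userIdentity":{"userName":"jdoe"},'
    '"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventTime":"2024-05-01T10:00:12Z","eventName":"DescribeInstances","userIdentity":{"userName":"ci-bot"},'
    '"sourceIPAddress":"10.0.0.5"}',
    "2024-05-01T10:00:20Z WinEvtLog EventCode=4624 Account_Name=jdoe Source_Network_Address=203.0.113.9",
    "May  1 10:03:00 bastion sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "May  1 10:03:30 bastion sshd[2301]: Accepted publickey for ops from 198.51.100.7 port 40001 ssh2",
]


@dataclass
class AuthEvent:
    time: datetime
    user: str
    src: str
    action: str      # "success" or "failure"
    sourcetype: str  # which extraction produced the fields


SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(
    r"^(?P<ts>\S+) WinEvtLog EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
    r"Source_Network_Address=(?P<src>\S+)")


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract(raw: str) -> Optional[AuthEvent]:
    """Schema-on-read: sniff the line, apply the matching extraction,
    return None for anything that is not an authentication event."""
    if raw.startswith("{"):                                   # AWS CloudTrail
        rec = json.loads(raw)
        if rec.get("eventName") != "ConsoleLogin":
            return None
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        return AuthEvent(_iso(rec["eventTime"]), rec["userIdentity"]["userName"],
                         rec["sourceIPAddress"],
                         "success" if outcome == "Success" else "failure", "aws:cloudtrail")
    m = SSHD_RE.match(raw)                                    # Linux sshd via syslog
    if m:
        stamp = f"{SYSLOG_YEAR} {m['mon']} {int(m['day']):02d} {m['hms']}"
        t = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return AuthEvent(t, m["user"], m["src"],
                         "success" if m["verdict"] == "Accepted" else "failure", "linux:sshd")
    m = WIN_RE.match(raw)                                     # Windows Security log
    if m and m["code"] in ("4624", "4625"):
        return AuthEvent(_iso(m["ts"]), m["user"], m["src"],
                         "success" if m["code"] == "4624" else "failure", "windows:security")
    return None


def normalize(raw_lines: List[str]) -> List[AuthEvent]:
    return [e for e in (extract(r) for r in raw_lines) if e is not None]


def correlate(events: List[AuthEvent], threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Correlation search: >= threshold failures from one src inside the window,
    followed by a success from the same src, become a single notable event.
    Normalization is what lets an sshd failure correlate with a Windows success."""
    by_src: Dict[str, List[AuthEvent]] = {}
    for e in sorted(events, key=lambda e: e.time):
        by_src.setdefault(e.src, []).append(e)
    notables = []
    for src, evs in by_src.items():
        failures: List[AuthEvent] = []
        for e in evs:
            failures = [f for f in failures if e.time - f.time <= window]  # slide the window
            if e.action == "failure":
                failures.append(e)
            elif len(failures) >= threshold:
                notables.append({
                    "rule": "Brute force followed by successful logon",
                    "src": src, "user": e.user, "failed_attempts": len(failures),
                    "sourcetypes": sorted({f.sourcetype for f in failures} | {e.sourcetype}),
                    "first_failure": failures[0].time.isoformat(),
                    "success_at": e.time.isoformat(),
                })
                failures = []
    return notables


if __name__ == "__main__":
    for notable in correlate(normalize(RAW_EVENTS)):
        print(json.dumps(notable, indent=2))
```

Running the block yields exactly one notable, for 203.0.113.9, with three failures spread across all three log families; the single failure from 198.51.100.7 and the non-authentication CloudTrail event never surface. The threshold and window are the knobs a team tunes per environment: lowering either reproduces the alert noise the correlation was meant to remove.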

You can also leverage Splunk-built search and reporting, security and observability solutions, as well as the Splunkbase ecosystem, which includes thousands of apps.

Uplevel your SIEM

Need to take it up a notch (or three)? Splunk's next-level SIEM solution, Splunk Enterprise Security (ES), is fast, powerful and flexible, delivering data-driven insights for full visibility into your organization's security posture so you can protect your business and mitigate risk at scale. These are just some of the reasons Splunk ES has been the SIEM market share leader for the past several years, according to IDC.

With unparalleled search and reporting, advanced analytics, integrated intelligence and pre-packaged security content, Splunk ES accelerates threat detection and investigation so you can quickly assess the scope of high-priority threats and take action. It combines machine learning, anomaly detection and criteria-based correlation in a single security analytics solution, and runs on Splunk Enterprise, Splunk Cloud or both.

Splunk ES is also flexible and plays well with others. Built on an open and scalable data platform, Splunk ES allows organizations to stay agile in the face of evolving threats and business needs. And Splunk's extensive ecosystem and flexible deployment options ensure your technology investments work in tandem with your SIEM while meeting you where you are on your cloud or hybrid journey.

With Splunk ES, you can visually correlate events over time and communicate the details of multi-stage attacks. You can also discover, monitor and report in real time on threats, attacks and other abnormal activity across all your security-relevant data. And Splunk ES now offers new, native risk-based alerting and cloud security features so you can investigate real threats even faster, with more insight.

Chances are, your security team is wasting hours on low-fidelity alerts that they ultimately abandon. Splunk ES risk-based alerting cuts down on the number of alerts they receive so they can focus on the ones that matter, helping them detect complex threats they might otherwise miss. Risk-based alerting attributes risk to users and systems and only generates an alert when risk and behavioral thresholds are exceeded, helping you detect more true positives. And unlike other solutions, Splunk's risk-based alerting was also built to improve SOC efficiency and help teams align with their industry-standard cybersecurity framework of choice.

For more advanced SIEM use cases, Splunk ES offers ready-to-use dashboards, correlation searches and reports. In addition to pre-built correlation rules and alerts, Splunk ES includes incident review, workflow functionality and third-party threat intelligence feeds to help you with investigations.

Five complex problems you can solve with Splunk Enterprise Security

1. Problem: Not being able to see all of your data from different sources (audit, firewall, Windows, Unix, Linux, endpoint or other logs).
   Solution: Real-time security monitoring and analysis.
   How it works: Puts all of your data into one centralized platform so you can search and make sense of what is going on in your environment.
   What it helps you do: Get real-time visibility into your security posture, paired with the ability to search, analyze and prioritize if or when potential issues arise.

2. Problem: Advanced and insider threats that go unnoticed and hurt your organization's financial well-being and reputation.
   Solution: Advanced and insider threat detection.
   How it works: Advanced analytics help you find sophisticated threats and malicious insiders that evade traditional detection methods.
   What it helps you do: Prevent security incidents early and quickly, before they do irrevocable damage.

3. Problem: Searching through data while performing an investigation can be slow and cumbersome.
   Solution: Incident investigation and forensics.
   How it works: Gives you the full context of an event, identifies the root cause and provides fast and flexible search and reporting.
   What it helps you do: Quickly and easily investigate security events, find and analyze data for evidence, and assess potential damage.

4. Problem: Lack of centralized data to drill down and search, together with a lack of predictive analytics or machine learning, can make hunting for threats slow and arduous.
   Solution: Threat hunting.
   How it works: Provides in-depth hunting and analysis through flexible searches, machine learning and threat intelligence.
   What it helps you do: Search proactively for cyberthreats that may otherwise evade detection.

5. Problem: Lack of visibility and inability to analyze IT and security controls can lead to compliance violations (and severe penalties and fines).
   Solution: Compliance.
   How it works: Performs continuous risk assessment, centralizes and analyzes data across the organization, and provides robust reporting to ensure compliance standards are achieved.
   What it helps you do: Confirm and demonstrate effective adherence to compliance requirements and regulatory frameworks.
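The risk-based alerting pattern described under "Uplevel your SIEM" (and the advanced and insider threat row of the table above), as an added example that is not Splunk's code. Individual low-fidelity detections do not page anyone; each writes a risk event attributing a score to a user or host, and a separate rule aggregates the risk per object over a 24-hour window and raises one alert only when the accumulated score or the number of distinct ATT&CK tactics crosses a threshold. The thresholds (100 risk points, 3 distinct tactics), the detection names and scores, the object names and the safelisted scanner are all constructed for illustration; the tactic ids are real MITRE ATT&CK identifiers.

```python
"""Added example (not Splunk's code): risk-based alerting. Detections write
risk events; a risk incident rule aggregates them per object over a window
and alerts only when a score or distinct-tactic threshold is exceeded."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str   # user or host the detection attributes risk to
    object_type: str   # "user" or "system"
    detection: str     # low-fidelity detection that fired; nobody is paged for it
    tactic: str        # ATT&CK tactic id (TA0002 Execution, TA0003 Persistence,
                       # TA0006 Credential Access, TA0007 Discovery, TA0010 Exfiltration)
    risk_score: int


def ts(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


NOW = ts(12)

# Constructed risk index: eight detections, only one object is a real incident.
RISK_EVENTS = [
    RiskEvent(ts(9, 0),   "jdoe",      "user",   "Excessive failed logons",      "TA0006", 20),
    RiskEvent(ts(9, 30),  "jdoe",      "user",   "Encoded PowerShell command",   "TA0002", 30),
    RiskEvent(ts(10, 0),  "jdoe",      "user",   "New scheduled task created",   "TA0003", 25),
    RiskEvent(ts(11, 0),  "jdoe",      "user",   "Large outbound data transfer", "TA0010", 30),
    RiskEvent(ts(11, 30), "WS-042",    "system", "Rare process on host",         "TA0002", 25),
    RiskEvent(ts(11, 0),  "scanner01", "system", "Internal port scan",           "TA0007", 90),
    RiskEvent(ts(11, 5),  "scanner01", "system", "Excessive failed logons",      "TA0006", 40),
    # stale event from three days ago: outside the 24h window, ignored
    RiskEvent(datetime(2024, 4, 28, 8, tzinfo=timezone.utc), "bkirk", "user",
              "Encoded PowerShell command", "TA0002", 200),
]
SAFELIST: FrozenSet[str] = frozenset({"scanner01"})  # assumed: authorized vulnerability scanner


def risk_incidents(events: List[RiskEvent], now: datetime,
                   window: timedelta = timedelta(hours=24), score_threshold: int = 100,
                   tactic_threshold: int = 3, safelist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Risk incident rule: aggregate risk per object inside the window and
    alert when total score or distinct-tactic count crosses its threshold."""
    recent = [e for e in events
              if now - window <= e.time <= now and e.risk_object not in safelist]
    by_object: Dict[str, List[RiskEvent]] = defaultdict(list)
    for e in recent:
        by_object[e.risk_object].append(e)
    incidents = []
    for obj, evs in by_object.items():
        total = sum(e.risk_score for e in evs)
        tactics = sorted({e.tactic for e in evs})
        reasons = []
        if total >= score_threshold:
            reasons.append(f"risk score {total} >= {score_threshold}")
        if len(tactics) >= tactic_threshold:
            reasons.append(f"{len(tactics)} distinct ATT&CK tactics >= {tactic_threshold}")
        if reasons:
            incidents.append({
                "risk_object": obj,
                "object_type": evs[0].object_type,
                "total_risk": total,
                "tactics": tactics,
                "contributing": [e.detection for e in sorted(evs, key=lambda e: e.time)],
                "reasons": reasons,
            })
    return sorted(incidents, key=lambda i: -i["total_risk"])


def alert_reduction(events: List[RiskEvent], incidents: List[Dict]) -> float:
    """Share of raw detections that never became an analyst-facing alert."""
    return 1 - len(incidents) / len(events)


if __name__ == "__main__":
    found = risk_incidents(RISK_EVENTS, NOW, safelist=SAFELIST)
    for incident in found:
        print(incident)
    print(f"alert reduction: {alert_reduction(RISK_EVENTS, found):.0%}")
```

Eight detections become one alert: jdoe, whose four modest-scoring detections span four tactics and sum past 100, while the single rare process on WS-042 stays below both thresholds and the scanner's noise is safelisted. Dropping the safelist surfaces scanner01 on score alone, which is the usual argument for maintaining one. The thresholds, scores and window still have to be tuned against your own data: set too low, risk-based alerting reproduces the alert volume it was meant to remove; set too high, slow multi-stage activity stays under the line.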

Build on a strong foundation

Splunk ES is part of a broader Splunk security portfolio that uses Splunk Enterprise or Splunk Cloud as its core data platform and offers a range of security solutions to help your team lower their mean time to detect and respond to incidents:
- Splunk UBA (user behavior analytics) uses machine learning to scale advanced and insider threat detection.
- Splunk SOAR (security orchestration, automation and response) accelerates security workflows by automating and orchestrating the incident response process.
- Splunk Intelligence Management (threat intelligence) automates data orchestration to centralize, normalize and prioritize intelligence across all stages of security operations.

Smarter security with machine learning and automation

With Splunk UBA, Splunk's user behavior analytics tool, you can detect unknown threats and anomalous behavior using machine learning. Advanced threat detection discovers abnormalities and unknown threats that traditional security tools miss. Automatically stitching hundreds of anomalies into a single threat helps your security analysts be more productive, and deep investigative capabilities and behavior baselines on any entity, anomaly or threat accelerate your threat hunting.

Splunk SOAR, Splunk's security orchestration, automation and response tool, lets your team work smarter, respond faster and strengthen your organization's security defenses. It automates repetitive tasks so analysts can focus their time and attention on the incidents and actions that matter most. Splunk SOAR reduces dwell times with automated investigations and reduces response times with playbooks that execute at machine speed. SOAR also integrates your existing security infrastructure so that each part actively participates in the defense strategy and all the parts work together.

A SIEM in the cloud, for the cloud

Most organizations today are at some stage of their cloud journey. With so many tools to manage across different portals, compliance regimes, migrations and service offerings, cloud security monitoring can be tough. Security teams need tools that integrate easily with cloud providers, and Splunk ES gives you cloud security monitoring content designed to make monitoring easy no matter where your data is located. Splunk ES has pre-built detections and investigations specific to the major cloud providers, like Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. This content helps you monitor both cloud and on-prem data, bringing cloud data into your existing detections and investigative workflows. Splunk ES is vendor neutral and can monitor your data no matter the cloud provider, giving you the confidence to choose the IT infrastructure and application providers that make the most sense for your business.

And now that practically everything is offered "as a service," why shouldn't your SIEM be SaaS too? When deployed as a cloud-based SIEM via Splunk Cloud, Splunk Enterprise Security frees your team to focus on high-value activities instead of backend maintenance. Splunk ES on Splunk Cloud can scale to monitor tens of terabytes of data per day, from any source, in any structure, at any time scale, giving you the economic and time-to-value benefits of a cloud service with the market-leading capabilities an enterprise organization needs.

Let's talk real-world ROI

But a data-centric, modern SIEM solution is really expensive, right? It depends how you look at it. The real expense comes when your organization falls victim to an insider threat, a ransomware attack or another data breach, all of which are both costly and harmful to your organization's reputation. When you weigh the risk of those costs, a data-driven security solution starts to sound like a smart investment. A modern SIEM provides immediate ROI by helping you avoid a breach and proactively protect your organization from both inside and outside bad actors.

But the ROI doesn't end there. A data-centric SIEM not only meets your security needs, but also supports IT needs such as compliance and fraud, theft and abuse detection. It's also useful for IT operations, service intelligence, application delivery and business analytics. With Splunk as your SIEM, your security team can work in concert with other IT functions and gain visibility across the organization, fostering better cross-department collaboration and stronger overall ROI. But the best way to understand the real ROI of a data-centric SIEM solution is to hear from those who already have one.

Splunk Intelligence Management, Splunk's threat intelligence tool, automates data orchestration to centralize, normalize and prioritize intelligence across all stages of security operations. It breaks down data silos to help align security effectiveness with business objectives, improving cyber resilience and operational efficiency. With Splunk Intelligence Management, your team can select intelligence sources, including open source feeds, premium intel providers and collections of historical events and alerts. They can then apply priority scores, safelists and filtering based on indicator types or attributes, and submit the prepared data to data repositories or a designated application of choice.

More ways to secure and integrate

For Splunk Enterprise Security, there is also the Unified App for Splunk Enterprise and Splunk ES, which helps security professionals analyze notable events and leverage intelligence to quickly understand threat context and prioritize and accelerate triage. Analysts can take data in Splunk and enrich it against threat intelligence feeds and case management data to gain insight into attack trends.

For more ways to integrate, Splunkbase offers thousands of security-related apps (and thousands of non-security apps as well) with pre-built searches, reports and visualizations for specific third-party security vendors. These ready-to-use apps, utilities and add-ons can help your team with security monitoring, next-generation firewalls, advanced threat management and much more. Along with a myriad of out-of-the-box content for specific security use cases, you can rely on Splunk SURGe, a team of dedicated Splunk security experts, threat researchers and advisors, for timely research, technical guidance and tactical recommendations on how to detect, investigate and respond to the latest emerging threats.

And with the Splunk data platform as the foundation for Splunk ES, you can use Splunk to gain insight and solve problems outside of security. That same data can be tapped for all kinds of IT, DevSecOps and business initiatives.

ASU fights fraud, protects payroll and saves $780k a year

As the largest educational institution in the United States, Arizona State University (ASU) helps set the standard for security in higher education across the globe. Guided by the mission to protect students and faculty against threats like fraud, ASU turned to Splunk to safeguard its systems. Since deploying Splunk, the university has seen benefits including:
- Reducing payroll and direct deposit fraud for the more than 14,600 employees on ASU's $889 million annual payroll.
- Saving the university $780,000 every year.
- Centralizing key data to improve the student and employee experience.

ASU leveraged Splunk for security and for another crucial objective: improving the student and employee experience. By using Splunk to centralize key data across campus, the university gained visibility into previously disparate systems and was able to address problems more quickly and enhance the entire student experience.

"Thanks to Splunk, we now have visibility into the student experience and can collect, aggregate and report on data to make business decisions faster than ever before."
Nate Plamondon, Splunk Architect, Arizona State University

InfoTeK and Splunk deliver a security intelligence platform for the public sector

Many organizations depend on SIEM software to monitor, investigate and respond to security threats. But at one U.S. government agency, the mission was hampered when its legacy SIEM software from HP ArcSight failed to live up to expectations. The agency turned to InfoTeK, a leading cybersecurity, software and systems engineering firm, to replace its SIEM tool. Since deploying Splunk Enterprise with Splunk ES, the agency has seen benefits including:
- Deploying in one weekend and stopping an attack the next day.
- Achieving a 75 percent cost reduction to support its SIEM.
- Reducing the number of tools required, including log aggregators and endpoint solutions.

With Splunk Enterprise and Splunk ES, the agency has a data-driven SIEM that provides the IT team with actionable security intelligence at an affordable cost. InfoTeK deployed the Splunk software over one weekend for the customer. Starting the very next day, the software proved its value: the IT team was able to search security events and immediately thwarted an attack.

"Something that used to take hours, days or even weeks with other products, or jumping between multiple tools, can be done in seconds, minutes or hours with Splunk."

"We were able to provide an ROI before the product was even fully purchased, because the customer successfully stopped a threat that would have required a complete rebuild of the network."
Jonathan Fair, senior incident handler and security engineer, InfoTeK

Heartland Automotive protects brand reputation, secures data with Splunk

Known for its signature oil change, Heartland Automotive Services, Inc., dba Jiffy Lube, is the largest franchisee of quick lube retail service stores in the U.S. Heartland Automotive needed a cybersecurity platform to protect its brand and its most important resource: its data. Since deploying Splunk ES and Splunk UBA as its integrated SIEM platform, Heartland Automotive has seen benefits including:
- Realizing time to value by implementing a SIEM and insider threat protection solution in only three weeks.
- Gaining a platform to drive innovation with 25% lower total cost of ownership (TCO).
- Establishing real-time security investigations and insider threat protection.

SIEM implementations are often complex, as large organizations have many data sources and it may take weeks to configure alerts. According to Chidi Alams, Heartland's head of IT and information security, the Splunk professional services team made the entire process of identifying the company's data sources, fleshing out the SIEM design and configuring alerts seamless.

"Fast time to value is everything; we were able to implement a SIEM and insider threat detection solution in three weeks, in what would normally take three months."

"The chief financial officer and other members of our senior leadership team have been impressed with the time to value. To see it one day and almost be implemented the next increased their confidence in us to deliver quickly."
Chidi Alams, head of IT and Information Security, Heartland Automotive Services

Future-proof your SIEM

Security threats are going to keep advancing, and technological systems and circumstances aren't getting any simpler. So why settle for a SIEM that meets today's needs when you could choose one that will also help you tackle the challenges of tomorrow? A data-centric SIEM solution provides a solid foundation for the future with robust capabilities like real-time monitoring, incident response, user monitoring, advanced analytics and more. And by combining a data-centric SIEM with advanced threat detection and SOAR technologies under a single platform, your SOC is even better equipped to protect your organization today and in the future.

A future-ready security operations platform that lets your team manage security events across the entire event lifecycle, all from a common work surface, will be critical in containing and remediating cyberattacks quickly. Your team will be able to respond quickly to ever-evolving threats and protect your organization by optimizing and modernizing your data, analytics and operations solutions. Splunk is developing even more new security capabilities and integrations to help you prepare for what's ahead, including integrated threat intelligence, streamlined cloud-based behavioral analytics and advanced risk-based alerting.

Tap the power of data

Your job was hard enough to begin with, and the last few years have made it even harder. It's time to put your data to work. Your organization needs powerful, flexible and fast solutions, solutions powered by data. With a strong data and technology foundation, organizations can respond quickly to whatever comes their way. Splunk is the data platform for the hybrid world, empowering organizations to unlock innovation, improve security and drive resilience. With Splunk as your cloud-based and data-driven SIEM, your organization can gain visibility across data sources and processes, keep up with security and compliance regulations, and stay one step ahead of security threats.

Ready to make Splunk your SIEM solution? To learn more about Splunk's analytics-driven SIEM solution and how it can help improve your organization's security posture, speak with a Splunk expert.

Splunk, Splunk and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved. 22-23827-Splunk-SIEM Buyers Guide-EB-103
