I have implemented SIEM systems in the last 11 years of my life and always the challenges have been focused on Why this SIEM and why not another, Does it really cover the features of a SIEM, Does it help to cover the needs of my business, Is it qualified and complies with the necessary security features to be a mature SIEM, Is it qualified and complies with the necessary security features to be a mature SIEM?
All of these initial questions from Security and Risk Management Leaders that I have encountered have the common denominator of questioning the success of a SIEM project.
I would like to emphasize what every SIEM should seek and this is visibility, remarking that "We cannot protect what we cannot see" and that every SIEM should help early reaction to security incidents, be it attacks, threats, infrastructure malfunction or misuse by the users themselves.
In this context, we must have a solution capable of centralizing the information in a single point and facilitating identification, in order to follow up and even obtain feedback and experience of our security and/or operational positions.
I would add to this that they must meet the challenges of the 3 V's Volume|Variety|Speed, which refers to the ability to process large amounts of data, the ability to integrate various types, formats and sources of data and rapid action both for the identification and for the care and response to incidents, allowing analysis, correlation, identification of patterns, deviations, predictions for warning.
Although we can try to invent the black thread, we can also take up the experience and Gartner research, remembering that Gartner first cites the term "SIEM" in a 2005 report entitled "Improve IT Security With Vulnerability Management" and that in terms it is completely oriented to event and security management, and already after a few years of having matured the concept, it bases its recommendation on taking into account the Critical Capabilities for its evaluation, where they recommend considering the results of their ratings to achieve an effective value of the SIEM solution and strategic planning based on the great future challenges of security and cybersecurity, by taking advantage of past, present and future experience, therefore dictating that by 2020 75% of SIEM products will use Big Data technologies at their core, along with machine learning, in order to improve threat detection and enhance incident response capabilities.
It is important to remember that for the sixth consecutive year Splunk has positioned itself as a Leader, occupying the highest position in the Gartner Quadrant Execution Capability so I find it interesting to comment on the Splunk Enterprise product which is a composite solution, which is delivered as software and can be deployed on-premises, in cloud services / IaaS, in hybrid modes and as SaaS through Splunk Cloud in Splunk, has several premium applications including Splunk Enterprise Security (ES), which provides the core features of SIEM and the maturity of threat identification and incident handling. Additional components include Splunk UBA which extends analytics capabilities through a machine learning-based analytics library and now Splunk Phantom to address SOAR capabilities.
The data management layer and search capabilities are handled by Splunk Enterprise (or Cloud) which includes real-time analytics and dashboards, alerting, incident management, automated response (adaptive response), visualizations and reporting, and allows for scalable environments that accommodate the growth of any organization and consists of indexers and search heads, as well as event forwarding clients that provide event collection and forwarding to endpoints.
In addition, it offers a variety of Splunk-built and third-party applications that are complementary for various security use cases, including Security Essentials, Stream (for collecting network packets), Analytics for Hadoop, Machine Learning Toolkit, and Ransomware and PCI Compliance (both premium applications).
Gartner identifies ten Critical Capabilities for a SIEM that they weight according to importance for basic monitoring and complex monitoring, as well as advanced threat detection, which in my personal experience I would like to detail below.
Key capabilities that a SIEM must have
1.- Architecture.
In this capacity Splunk provides all the facilities to implement the solution, has well-documented procedures and minimum requirements available to users, this solution is fully scalable, it allows to have the components in a single dedicated computer or distribute them in different computers to expand their processing capabilities indexing or management, allows clustered environments that improve the distribution of loads between components in a balanced and more productive and faster way, This for more demanding processing or management environments, is supported for any environment both physical and virtual and even have a hosting service in the cloud, the architecture is designable and adaptable to any growth, in my experience this has been a key factor for success in organizations that undergo constant changes in technological infrastructure in a short time ... . sound familiar?
2.- Deployment, Operations and Support.
Splunk in this capacity provides all the ease of self-taught operation and a vast documentation for the use or resolution of contingencies with the platform, in addition to having specialized support from A3Sec. Splunk also has a splunkbase site that makes available the download of more than 2,000 free applications, with this customers have become completely self-taught and self-sufficient in their development processes, adaptation of indicators and research. This has allowed us to develop applications to meet the specific needs of each business, and it is always useful for us and even more useful for our clients to have a completely customized development that guarantees the success of their SIEM.
3.- Data and Logs Management.
In this context Splunk is able to collect logs and data from almost any source that generates it, it is based on the principle: "If you can read it, you can integrate it".
In my personal experience with Splunk I have not had any integration limitations, it has allowed me to collect from almost all methods and protocols supported both TCP or UDP and even reading SNMP Traps, Syslogs, reading specific files or audits of various operating systems with its Universal Forwarder, as well as database collection via DBConnect app and even via Stream for those who do not want to affect their performance or enable their auditing, or even just for those who want to read traffic, DevOps and Internet of Things data via Event Collector API, and we have even dared to read social media hashtags for identification and social insights of your business customers.
In addition Splunk enriches and contextualizes information by using and loading lookups, for threat detection, monitoring and compliance.
4.- Real-time monitoring.
In this capacity Splunk has a centralized and manageable UI interface that lives in the Splunk component called Search Head that is fully supported for LDAP integrations, RADIUS or custom managed users and roles, its interface is easy, intuitive and allows real-time monitoring for threat detection and incident response, allows the creation of indicators called Dashboards, Views, Reports, Alerts with ease of integration and modification.
Splunk has the Splunk Enterprise Security App, which features The Splunk Enterprise Security App provides security posture indicators that leverage contextual information uploaded such as identities or asset lists categorized by severity and home networks to help users identify and prioritize incidents or alerts for evaluation
5.- Analysis.
Splunk has a strong event and data source analysis capability that allows the detection of specific activities, from discrete events to anomalous behavior. The analysis methodology ranges from whitelisting matches, correlation directives, to basic or advanced statistics that leverage machine learning or trends.
In my experience, these capabilities are critical because they have easily found the needle in the haystack within the entire matrix that has enabled and ensured the success of SIEM in the business..
6.- Data and application monitoring.
This point seeks to have a good integration capacity of diverse applications and data sources, as well as an interface to define non-compatible event formats. In my experience with other SIEMs, this was quite a ritual. I tell you with all my heart that it is something you should rigorously consider, as there are many SIEMs that require a lot of plugin development work, a lot of knowledge and hard expert work behind every configuration, to achieve visibility of your information. This makes it very difficult to manage, since the sources even in each update undergo many changes even in format and content, and not knowing or not considering them makes it unreliable or an immortal implementation process, however Splunk does not require development of plugins, or forced log formats, to achieve the extraction, classification or visibility of information, this is one of the most valuable successes that I consider of this solution.
7.- Threat and context.
In this capacity of consideration Splunk has allowed me to enrich and contextualize the information, categorize even the physical and human assets by criticality, connectivity and ownership over the user environment, as well as the external threat landscape, which together play an important role in detection, validation and prioritization of detected events that help assess and analyze the risk and potential impact of an incident, this I have achieved with the Enterprise Security application and the PCI App, counting on the ability to create and identify, based on the collection of sources, the classification of events according to the CIM, and integrated correlation rules. This has enabled the successful early detection of incidents for our customers.
8.- User context and monitoring.
Splunk has allowed me to achieve the monitoring of user activity from the sources of technologies such as Domain Servers, Home-made Applications, Databases, Communications and Security Devices, such as FW, IPS's, WAF, Communication Devices etc. and the ability to correlate and analyze authentication and timely alerting data, allowing with this: reporting policy violations and suspicious behavior, for example: brute force attacks, account locks and unlocks, promiscuous accounts, lack of account usage and changes in privileges and roles, etc. This has been achieved with a behavioral analysis of the activity, which allows identifying deviations against baselines or predefined thresholds.
Splunk has even allowed through the internal logs the creation of a self-monitoring application of the Splunk solution for the verification of user activity to identify the good or bad use of the platform, this has been very useful for compliance issues.
9. Incident management.
In this context Splunk Enterprise has allowed me the configuration of various alerts and the ability to assign and notify specific users and even add automated actions through scripts as a method of care and response. In addition, through Splunk Enterprise Security I have been able to integrate more formal operation and incident assignment flows, where incidents have the ability to change status and assignment to users, the ability to integrate with ticketing systems and even the ability to document the response process.
It is also important to mention that Splunk is trying to focus efforts on meeting future security challenges that relate to automating incident response actions such as: disabling affected user accounts and blocking or filtering network connectivity when an alert is detected, this is being achieved with the additional acquisition of Pathom already as SOAR.
10.-Threat detection tools.
In this context I would like to point out that Splunk has allowed us to create custom security applications, or implement Splunk's premium applications such as Enterprise Security as SIEM and / or PCI for compliance issues or the inclusion of applications with security focus of various platforms available recommended such as: UBA, Stream, Splunk Security Essential, Alert Manager for managing notable events (alerts), etc..
