Leveraging Splunk as a SIEM tool
Organizations are extremely vulnerable to threats from external cyber criminals, malicious insiders and nation-states. Today’s threats are more sophisticated and capable of evading traditional point security products.
Statistics from the annual Mandiant M-Trends Report (2012-2016) on breach investigation:
- 143: The median # of days until a breach is detected
- 40: The average # of systems accessed, once a breach occurs
- 67%: Percent of corporate breach victims that are notified of a breach by external sources (customers, the FBI) and not their own internal security teams
Splunk maintains the leadership position among SIEM products according to independent research firms such as Gartner and Forrester.
Consider these results that Splunk customers realized:
- 70% to 90% faster detection and triage of security events
- 70% to 90% faster investigation of security incidents
- 10% to 50% reduction in risk of data breach, IP theft, fraud
- 70% to 90% reduction in compliance reporting time
Source: 1,000 documented case studies by Splunk’s Business Value Consulting team.
Splunk is able to deliver these results because it works in ways that traditional security tools do not. Advanced threats evade signature-based security products, so detecting or investigating them requires both security and “non-security” data. Most traditional SIEMs gather only the security data that signature-based products emit, leaving gaps in an organization’s visibility. Splunk, on the other hand, aggregates and correlates data from both security sources (firewall logs, intrusion detection, etc.) and non-security sources (network traffic, DHCP/DNS, server and application logs, etc.).
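The kind of correlation the paragraph above describes, as an added example written in Python rather than Splunk's search language (it is not code from Splunk or from this page): it reads constructed DHCP, DNS and firewall log lines, flags a host whose DNS queries recur at a fixed interval (a beaconing pattern that no signature would match), and uses a time-bounded DHCP lease lookup to attribute the IP to the machine that actually held it at that moment, since the address was reissued during the day. The log formats, field names, hostnames and thresholds are assumptions made for the example.

```python
"""Correlate non-security (DHCP, DNS) and security (firewall) logs to
attribute a suspicious pattern to a host.  Added example; all log lines,
formats and names below are constructed, not taken from any product."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed DHCP lease lines: "<ts> DHCPACK on <ip> to <mac> (<hostname>)"
# Note 10.0.0.25 is leased to ws-alice in the morning and ws-bob at noon.
DHCP_LOG = """\
2024-03-01T08:00:00 DHCPACK on 10.0.0.25 to aa:bb:cc:00:00:01 (ws-alice)
2024-03-01T08:05:00 DHCPACK on 10.0.0.31 to aa:bb:cc:00:00:03 (ws-carol)
2024-03-01T12:00:00 DHCPACK on 10.0.0.25 to aa:bb:cc:00:00:02 (ws-bob)
"""

# Constructed DNS resolver lines: "<ts> client <ip> query: <name>"
DNS_LOG = """\
2024-03-01T13:00:00 client 10.0.0.25 query: update.example-cdn.net
2024-03-01T13:05:00 client 10.0.0.31 query: www.example.org
2024-03-01T13:10:00 client 10.0.0.25 query: update.example-cdn.net
2024-03-01T13:20:00 client 10.0.0.25 query: update.example-cdn.net
2024-03-01T13:30:00 client 10.0.0.25 query: update.example-cdn.net
2024-03-01T13:41:00 client 10.0.0.31 query: mail.example.org
"""

# Constructed firewall lines: "<ts> DENY src=<ip> dst=<ip> dport=<port>"
FW_LOG = """\
2024-03-01T13:00:02 DENY src=10.0.0.25 dst=203.0.113.9 dport=4444
2024-03-01T13:10:02 DENY src=10.0.0.25 dst=203.0.113.9 dport=4444
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to (\S+) \((\S+)\)$")
DNS_RE = re.compile(r"^(\S+) client (\S+) query: (\S+)$")
FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ts(s):
    return datetime.fromisoformat(s)


def parse_dhcp(text):
    """Return DHCP leases as (ts, ip, mac, hostname) tuples, oldest first."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append((parse_ts(ts), ip, mac, host))
    return sorted(leases)


def host_at(leases, ip, ts):
    """Hostname that held `ip` at time `ts`: the latest lease for that IP
    issued at or before ts.  A lookup that ignores time would return the
    first lease and blame the wrong machine once the address is reissued."""
    host = None
    for lease_ts, lease_ip, _mac, lease_host in leases:
        if lease_ip == ip and lease_ts <= ts:
            host = lease_host
    return host


def parse_dns(text):
    """Return DNS queries as (ts, client_ip, name) tuples."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, ip, name = m.groups()
            events.append((parse_ts(ts), ip, name))
    return events


def find_beacons(dns_events, min_queries=4, jitter_s=30):
    """Flag (ip, name) pairs queried at a steady interval.  No signature is
    involved: the only evidence is timing in ordinary resolver logs.
    Returns {(ip, name): (first_seen, interval_seconds)}."""
    by_pair = defaultdict(list)
    for ts, ip, name in dns_events:
        by_pair[(ip, name)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            beacons[pair] = (stamps[0], round(sum(gaps) / len(gaps)))
    return beacons


def count_fw_denies(text, ip):
    """Number of firewall DENY events originating from `ip`."""
    denies = 0
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) == ip:
            denies += 1
    return denies


def correlate(dhcp_text=DHCP_LOG, dns_text=DNS_LOG, fw_text=FW_LOG):
    """Join the three sources: beaconing IP -> host that held it -> denies."""
    leases = parse_dhcp(dhcp_text)
    findings = []
    for (ip, name), (first_seen, interval) in find_beacons(parse_dns(dns_text)).items():
        findings.append({
            "host": host_at(leases, ip, first_seen),
            "ip": ip,
            "domain": name,
            "interval_s": interval,
            "fw_denies": count_fw_denies(fw_text, ip),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate():
        print(finding)
```

The firewall alone only shows two blocked connections from an IP; the DNS log alone only shows a domain being resolved every ten minutes; the DHCP log alone is inventory. Put together they name ws-bob, not ws-alice, as the machine beaconing to update.example-cdn.net while being blocked on port 4444, which is the point of pulling non-security data into the same index as the security data.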
Splunk can either:
- Complement an existing SIEM tool
- Replace and go beyond existing SIEM software