Tuesday, September 17, 2019

Splunk as a SIEM

Ashley J. Oliver
Oliver COM Solutions, d/b/a
2019 CISSP Candidate

Splunk as a SIEM

First and foremost, what even is a SIEM? And why does your business want one? A SIEM, or Security Information and Event Management is a tool that provides real-time analysis of alerts related to security that applications and hardware devices on your network generate.

Who would benefit from a SIEM? Anyone can benefit from a SIEM, the benefits of reserving resources such as Network Admins or System Engineers for day-to-day tasks instead of the knee-jerk reaction to (what may not even be) an alert. Depending on your institution, albeit Hospitals and Financial Institutions would clearly benefit from this type of tool as intrusions are more elicit and they remain larger targets for exploits. Smaller Enterprise Businesses can benefit from this type of tool as well just for the added “Peace of Mind” layer. No, you won’t find that layer in the OSI Model, but it is a more human related component. Not to mention, if you’re paying hourly the last thing you want to do is go over budget on a project because of a last minute response to an unfortunate intrusion event.

Personally, I like Splunk. I see this tool often, clients, customers, business contacts, etc. often inquire about the use of this tool, and why Splunk? Well, Splunk is a SIEM solution that operates by transmuting Machine Data into legible files. At a high level, the tool essentially reads the data coming into your network, it compresses the data, and then generates a legible report based on what it read. This cleans up the information coming in (which can be massive) depending on the size of your organization, and it makes it easily accessible. Be mindful when selecting a SIEM solution that one of the most beneficial factors (in my tech engineer opinion) is that this type of solution will help you to determine if “Alerts” are actual Alerts that need to be responded to accordingly, or if they are false-alarms. I mean, how many times have we all assumed it’s broken or offline because it was hacked into – meanwhile it was just unplugged?


Other SIEM Vendors: Cisco SIEM, LogRythm, McAfee, AWS SIEM, FireEye SIEM

No comments:

Post a Comment