Splunk Steps Up SIEM Investigation Capabilities Of Its Enterprise Security System
Machine data analytics software developer Splunk is extending the capabilities of its security software, adding new capabilities the vendor says will speed up the process of investigating and responding to potential security threats.
Splunk today launched Spunk Enterprise Security v.5.0 with Investigation Workbench, a new toolset the company said streamlines security investigations and accelerates incident response.
"Now [security investigators] can make informed, data-driven decisions on how to respond," said Girish Bhat, Splunk director of security product marketing, in an interview with CRN.
[Related: Splunk Continues Machine Learning Acquisition Spree With Purchase of SignalSense ]
Splunk's core machine learning platform monitors, collects and analyzes machine and log data from a wide range of sources. IT performance management and IT security are the two most common use cases for the company's software.
Splunk Enterprise Security, a security information and event management system, is built on the Splunk platform and works in conjunction with the company's Splunk User Behavior Analytics application.
Time to detect, time to contain and time to remediate are the three critical metrics in dealing with IT security threats, Bhat said. The challenge is shortening those times given that organizations receive tens, hundreds and even thousands of alerts every day.
The new Investigation Workbench centralizes security alert analyses, pulling asset and identity data that's relevant from networks, endpoints, cloud applications and other sources and displaying them to investigators in a single dashboard. It can also add third-party contextual data, such as human-curated threat intelligence information, to an analysis.
That means security operations managers can spend less time collecting data and focus more on analyzing incidents and determining a response, according to Bhat.
"It streamlines the investigation," Bhat said. "It's about accelerating the incident response."
Analysts can also adjust the time period of the incident under investigation, making it easier to determine the scope of a threat and the needed response.
Splunk works with a range of channel partners to take the vendor's Enterprise Security software to market including systems integrators, managed security service providers (MSSPs) and resellers.
Service providers can utilize Splunk Enterprise Security 5.0 and the Investigation Workbench to provide higher quality service, according to Bhat. "They can offer a better [service level agreement] to their customers."
Bhat said VARs and solution providers can leverage the Investigation Workbench capabilities as a way to stand out in the very crowded market for SIEM products. "This can be a competitive differentiator for them," he said.