Technology security icons

Impressions of Splunk as an enterprise SIEM tool

This blog was authored by Jon Oltsik, a Senior Principal Analyst at ESG and the founder of the firm’s cybersecurity service. With almost 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO’s perspective and strategies. Jon was named one of the top 100 cybersecurity influencers for 2015 by Onalytica.

When I first became familiar with Splunk years ago, I thought of it as a freeware log management tool for inquisitive security analysts. Useful for general purposes, but I didn’t see it as a true enterprise security management system, a category defined by vendors like ArcSight, Intellitactics, and Network Intelligence at that time.

Boy, was I wrong! Fast forward to 2015 and there is no question that Splunk is a market leader and building on its momentum. I just returned from Splunk’s annual user event, Splunk Conf 2015, in Las Vegas. Here are a few of my observations and impressions:

  1. Splunk has something that every high-tech company aspires to but most never achieve—a passionate user base. I talked to a lot of Splunk customers and the story is almost always the same: They first purchased Splunk for its flexibility, applied it to a specific area, and then created a few dashboards to help solve some type of problem. Over time, they repeated this process, pointing Splunk at a variety of other issues. You get the picture—by 2015, large organizations have figured out a myriad of use cases for Splunk across the enterprise, and are only too happy to share these stories with other Splunkers.
  2. Security analysts tend to behave like rogue detectives when conducting investigations—they poke and prod at the data, follow their instincts, apply open source tools, and chase every possible lead. So what’s the problem? Cybersecurity professionals can get lost in the crime scene, pursue dead-end leads, and fail to document each step of their investigations. Recognizing this inefficient pattern, Splunk added two features in its new Enterprise Security (ES) 4.0 called the investigator timeline and the investigator journal. Combined, these new features can be used to capture investigation processes, documenting each step in sequence with supporting notes. This simple addition should really help organizations streamline investigations while providing an investigations methodology blueprint that can make junior analysts more productive.
  3. Splunk seems to have carved out a good role for cloud security monitoring. In fact, many users have figured out ways to tap into various Amazon APIs, collect cloud data in Splunk, and keep an eye on the security status of cloud-based workloads. This obviates the need for standalone cloud security point tools and gives Splunk users common management oversight for on-premises and cloud-based workloads. Enterprise CISOs should be especially attracted to this capability.
  4. Splunk is a proverbial cybersecurity Tabula Rasa and many users have figured out how to weave it into a potpourri of use cases. As a company, Splunk not only encourages this activity but also promotes it heavily so users can share their experiences. I sat in on numerous sessions where Splunk was a central component for an incident response; threat intelligence collection, processing, and analysis; anti-fraud; insider threat detection; endpoint security, etc. In this way, Splunk endorses a community-based “network effect” where everyone can benefit.
  5. I got a sneak peek at Splunk User Behavior Analytics (UBA), which is the first fruit of the company’s recent acquisition of Caspida. UBA baselines user activities detect anomalies, and then analyzes these anomalies to sort false positives from real risks. Now you can do some of this analysis with the base ES or Splunk platform (as well as other SIEM tools), but UBA really helps automate this process for organizations that are especially vulnerable to devastating insider attacks (i.e., military, intelligence, defense contractors, high tech companies, etc.). Yes, there are other independent tools for user behavior analytics, but Splunk shops will appreciate the tight integration and symbiotic product roadmaps here.

As one of the themes of the event, Splunk is pushing a notion of analytics-driven security. This aligns with the initiatives I see at leading enterprise organizations putting Splunk (and others, of course) in the right place at the right time.

Of course, not every organization is a Splunk shop today, but given the current state of cybersecurity, Splunk should have plenty of opportunities ahead. To promote the Splunk-effect to outsiders, Splunk should continue to “can” the collective wisdom of its installed base by doubling down on Splunk professional services and accentuating go-to-market programs with key partners like Cisco, Fortinet, and Palo Alto Networks. Splunk should also continue its effort to proliferate Splunk within academic and professional cybersecurity education and training programs. Finally, Splunk should further emphasize vertical industry solutions—especially as cybersecurity intersects with IoT.

Splunk Conf 2015 felt more like a family reunion than a technology user conference and the company deserves a lot of credit for establishing this type of community. With all of the rhetoric and hype in the cybersecurity market these days, it’s refreshing to see a technology that CISOs are not just using but embracing.

The original content of this blog can be found at: