IT Security Intelligence enables your company to prevent data breaches, secure personal and sensitive information and detect security events, attacks and incidents.
Blue Turtle can help you detect and protect using the Splunk software Security Intelligence solution.
To help you make your machine data accessible, useful and valuable, Blue Turtle offers Splunk software.
Your data contains a definitive record of your user transactions, customer behaviour, machine behaviour and fraudulent activity. This information is essential for managing, securing and auditing your environment, whether physical, virtual or in the cloud. It also gives you end-to-end visibility and insights into how to better run IT and the business. Splunk Enterprise lets you address one specific solution area first, then apply it and your machine data to other pressing problems over time.
A majority of the Fortune 100 and more than 7,900 enterprises, service providers and government organisations in more than 100 countries use Splunk software. Troubleshoot application problems and investigate security incidents in minutes instead of hours or days, monitor and alert to avoid service degradation or outages, and deliver compliance at lower cost. With Splunk, organisations are far more effective, with higher productivity, lower costs and new insights that contribute to both the top line and the bottom line.
Advanced threats have permanently changed how organisations think about cybersecurity. It’s no longer enough to monitor for known threats or to just rely on security point products that provide a narrow view. Security teams need an infrastructure-wide view of activities in order to identify, understand and stop attackers.
There are four classes of data that security teams need to leverage for a complete view:
- Log data
- Binary data (flow and PCAP)
- Threat intelligence data
- Contextual data
If any of these data types is missing, there is a higher risk that an attack will go unnoticed. Together they are the building blocks for knowing what is normal and what is not in your environment. That single question, what is normal, lies at the intersection of system availability (IT operations and application) and security use cases.
The amounts and types of data needed to make the most effective data-driven security decisions require a solution that:
- Scales to collect tens of terabytes of data per day without normalising it at collection time, applying a schema only at search (query) time;
- Can access data anywhere in the environment, including traditional security data sources, personnel time management systems, HR databases, industrial control systems, Hadoop data stores and the custom enterprise applications that run the business;
- Delivers fast time-to-answer for forensic analysis and can be quickly operationalised for security operations teams;
- Provides a flexible security intelligence platform with significant out-of-the-box content and apps that maximise existing security infrastructure investments and the skills of your security team.
Understanding advanced threats and business risk drives the need to make more data available for analysis and to see events in context. In this light, all data can be security relevant.
Flexible, Scalable Security Investigations
Splunk Enterprise is software that is scalable and flexible enough to search across terabytes of data such as traditional security sources, custom applications and databases. Splunk automatically provides a timeline view of all collected data.
This timeline can focus on the precise moment in the past a security event occurred or be viewed in real time. Any search result can be turned into a report for distribution. This is especially useful for ad hoc queries in support of compliance initiatives such as PCI, SOX, FISMA or HIPAA.
Real-time Forensics Operationalised
Once a forensic investigation is complete, Splunk Enterprise searches (queries) can be saved and monitored in real time.
Real-time alerts can be routed to the appropriate security team members for follow up. Correlation across system data by vendor or data type is supported in Splunk’s easy-to-use Search Processing Language (SPL™). Splunk SPL supports correlations that can generate alerts based on a combination of specific conditions, patterns in system data or when a specific threshold is reached.
Splunk lets you see real-time information from security and network devices, operating systems, databases and applications on one timeline, enabling security teams to quickly detect and understand the end-to-end implications of a security event. It also watches for hard-to-detect patterns of malicious activity in machine data that traditional security systems may not register. This approach can also provide the building blocks for a variety of supported fraud and theft detection use cases.
Make Data More Meaningful to More Users
Splunk Enterprise automatically extracts knowledge from your data. Additional knowledge and security context can be added by identifying, naming and tagging fields and data points, and by enriching events with information from external asset management databases, configuration management systems and user directories. You can extend the use of Splunk to people who do not know SPL by defining Data Models that describe relationships in the underlying machine data. Data Models then power the Splunk Pivot interface, which lets any user build Splunk reports without writing a search.
Metrics and Operational Visibility
Understanding business risk requires a metrics-based approach to measure effectiveness over time. The Splunk SPL contains over 100 commands that can help users express search results as tables, graphics and timelines on security dashboards. Key performance indicators (KPIs) can be monitored by business unit, compliance type, location and more.
Real-time Correlation and Alerting
Correlation of information from different data sets can reduce false positives and provide additional insight and context. For correlations that span longer periods than a single search window, Splunk can write the individual matching events to internal files that it also monitors, and age those entries out over time. If the required combination of events is written before the earlier entries age out, the correlation completes and an alert is issued. Splunk supports a rich set of alert criteria, including thresholds and rule-based alert suppression, so that the same condition does not page the team repeatedly.
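The threshold-and-pattern alerting described in the Real-time Forensics section and the aged-out, suppressed correlation described just above are easiest to understand as one small piece of stateful logic. The following is an added example written for this page, not Splunk's own code or a Splunk product feature: it implements a brute-force-then-success rule in plain Python over constructed sample log lines, so it runs offline. In a Splunk deployment the equivalent would be a saved search in SPL scheduled against the authentication sourcetype; the log format, field names (`user`, `src`), the 5-failure threshold, the 10-minute window and the 1-hour suppression period are all assumptions for illustration.

```python
"""Sliding-window login correlation with aging and alert suppression.

Added example, not Splunk code. The log format, field names, thresholds
and sample lines below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format, e.g.
# "2024-03-01 09:00:00 auth: FAILED login user=root src=10.0.0.5"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into an event dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


class BruteForceCorrelator:
    """Alert when `threshold` failures from one source within `window` are followed
    by a successful login from that source. Failures older than `window` are aged
    out, and repeated alerts for the same source are suppressed for `suppress`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), suppress=timedelta(hours=1)):
        self.threshold = threshold
        self.window = window
        self.suppress = suppress
        self.failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
        self.last_alert = {}                # src -> time of the last alert (suppression state)

    def _age_out(self, src, now):
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def feed(self, event):
        """Process one parsed event in time order; return an alert dict or None."""
        src, now = event["src"], event["ts"]
        self._age_out(src, now)
        if event["result"] == "FAILED":
            self.failures[src].append(now)
            return None
        n = len(self.failures[src])          # SUCCESS: how many recent failures preceded it?
        if n < self.threshold:
            return None
        last = self.last_alert.get(src)
        if last is not None and now - last < self.suppress:
            return None                      # condition still true, but alert is suppressed
        self.last_alert[src] = now
        self.failures[src].clear()
        return {"src": src, "user": event["user"], "failures": n, "ts": now}


def run(lines, **kw):
    """Run the correlator over raw log lines and return the list of alerts raised."""
    corr = BruteForceCorrelator(**kw)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                         # not an auth event; ignore
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log, in time order, covering the cases the rule has to handle.
SAMPLE_LOG = (
    [f"2024-03-01 08:0{i}:00 auth: FAILED login user=admin src=10.0.0.9" for i in range(5)]
    + ["2024-03-01 08:30:00 auth: SUCCESS login user=admin src=10.0.0.9"]   # failures aged out: no alert
    + [f"2024-03-01 09:00:{i}0 auth: FAILED login user=root src=10.0.0.5" for i in range(5)]
    + ["2024-03-01 09:01:00 auth: SUCCESS login user=root src=10.0.0.5"]    # 5 failures in window: alert
    + [f"2024-03-01 09:05:{i}0 auth: FAILED login user=root src=10.0.0.5" for i in range(5)]
    + ["2024-03-01 09:06:00 auth: SUCCESS login user=root src=10.0.0.5"]    # same source within 1h: suppressed
    + [f"2024-03-01 09:10:{i}0 auth: FAILED login user=alice src=10.0.0.7" for i in range(3)]
    + ["2024-03-01 09:11:00 auth: SUCCESS login user=alice src=10.0.0.7"]   # only 3 failures: below threshold
    + ["2024-03-01 09:12:00 kernel: unrelated line"]                        # does not match the format: skipped
)

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"ALERT {a['ts']} src={a['src']} user={a['user']} after {a['failures']} failures")
```

Running the block as written raises exactly one alert, for 10.0.0.5 at 09:01:00; the earlier burst from 10.0.0.9 has aged out of the window by the time its success arrives, the second 10.0.0.5 burst is suppressed, and the three failures from 10.0.0.7 never reach the threshold. Lowering `threshold` to 3 makes the 10.0.0.7 sequence alert as well, which is the kind of tuning a security team does once a saved search is operationalised.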