Tag Archive for: splunk
By partnering with Proficio for your Splunk Management and Monitoring requirements you get a team of experts on your side. Our global Security Operations Centers (SOCs) are staffed by security experts who are dedicated to Splunk infrastructure management, content development and threat detection and response.
Organizations today are aware of their cybersecurity risk, but many struggle to determine the best way to stay protected. Finding the right balance between using internal resources and outsourced managed services is the key to a successful cybersecurity program. But how do you weigh your need to control technology and operations against the size and skills of your cybersecurity staff?
Grant Slender, CISO and Head of Security, Cloud and Support at Queensland Investment Corporation (QIC), spoke at Splunk’s .conf19 about how they achieved this balance. In his presentation, he explained how QIC uses Proficio’s managed security services and Splunk’s Cloud technology in what he coined a “Goldilocks Architecture”.
The underlying aspects of all strong cyber defense programs are the people, process and technology:
- People – Security teams must have the skills to manage your devices and monitor security alerts, but also to build the appropriate content to quickly and accurately detect threats within your environment
- Process – Having good processes in place keeps the team running smoothly and ensures that security events are documented and handled consistently
- Technology – Selecting the right technology mix to put in your environment is essential for having a strong cybersecurity posture
Allocating resources to each of these elements and defining how they work together can be a challenge – one that can take several iterations before getting it right. More and more organizations are moving towards hybrid SOC models where security operations are shared by in-house staff and an outsourced partner.
To determine the right model for your team, consider the following:
For some enterprises, purchasing and maintaining a SIEM is the ideal option. It gives you full ownership of both the technology and content and allows you to build a security infrastructure that meets your needs.
But purchasing a SIEM is expensive and comes with its own set of challenges.
When looking at this option, one must consider things like:
- Who is going to install the SIEM? Where will it be deployed?
- Who will monitor security events?
- Who will create the searches and analytics you use to discover threats? Will they be regularly updated and tuned for your environment?
- How do you integrate and curate threat intelligence into your analytics?
- How much time will your team spend managing the system?
- How do you increase capacity as your organization grows?
- Do you need a redundant architecture?
Staffing is often the biggest challenge, as many organizations struggle to recruit and retain qualified individuals to manage and monitor their SIEM. You will need to ensure 24/7 coverage, including staff committed to working the graveyard shift so there are no gaps, and you will need to build a Security Operations Center (SOC) that requires multiple skill sets, including SIEM Content Developers, Security Engineers, and Incident Responders. Organizations that cannot support this level of specialization often look into outsourcing some or all of their security operations.
Fully Managed Model
If owning the SIEM is not a viable option for your organization, you may consider fully outsourcing your security operations. Under this approach, a managed security service provider (MSSP) sends security events from multiple clients to a centrally hosted SIEM. The MSSP takes responsibility for detecting indicators of attack or compromise and alerting their clients accordingly.
Using a fully managed service is attractive to some organizations because it does not require them to buy complex software or staff a SOC. Moreover, MSSP clients benefit from an OPEX model, reduced cost of ownership, and a service that can scale to meet the needs of a growing business. But there are also trade-offs to this approach, including reduced opportunity for customization and less control over data and technology. In addition, some MSSPs use proprietary SIEM technology and are challenged to keep their software competitive with industry leaders, causing the accuracy and quality of security alerts to decline over time.
QIC tried managing an on-premise SIEM but found it difficult and complex. Then they tried using a fully managed SIEM but realized that they needed more control over their technology stack and data. Their last approach, the Goldilocks architecture, left them most satisfied; this co-managed service pairs Splunk Cloud with Proficio managed security and monitoring services.
“It was just the right balance between having a technology stack that we had ownership on, where we understood what the data was doing (and) where it was transitioning into security events… but we also had that global scale coverage, 24×7 cover, processes and people. For me, it was that Goldilocks architecture that enabled us to be successful.”
Grant Slender, CISO & Head of Security, Cloud and Support, QIC
Partnering with an MSSP to create a hybrid model allows you to own the technology components but outsource the 24/7 monitoring and management, reducing staffing challenges and lowering your OPEX. A good MSSP will create a personalized runbook, set up business context modeling to understand your high-value assets, and provide you with metrics, so that you can present your security posture to the board. They should also be experts who can help you properly configure your SIEM – from data ingestion to use cases – and be available to tune it over time to keep it running optimally.
Selecting the right MSSP is critical, as they are an extension of your team. Since most organizations cannot staff a 24/7 SOC, their in-house team should not feel threatened by the possibility of job loss; rather, they should embrace the opportunity to focus on more varied and challenging tasks.
The threat landscape continues to evolve. Attackers will only get smarter, faster and more creative, so organizations need to stay ahead of tomorrow’s cyberthreats. Whatever approach you choose, make sure you’ve got a partner with experience and a vision for the future.
Proficio is an industry leading Managed Detection and Response service provider, utilizing next-generation technology and methods to detect advanced threats and automate responses. Contact Proficio to learn about our customized security options and see how we can help your company stay protected.
In the early 2000s, when Security Information and Event Management systems (SIEMs) came onto the market, they were often expensive and complex to manage. But many organizations were required to collect, analyze and store security logs to meet compliance requirements, and a SIEM was the perfect tool for the job. Today most IT organizations expect much more from their SIEM than meeting compliance requirements. Modern SIEMs must detect advanced threats and provide automated response and containment functions.
For all but very large organizations, the most practical approach to security monitoring was to partner with a Managed Security Service Provider (MSSP). MSSPs were responsible for monitoring and investigating security events and managing SIEM systems. Some MSSPs extended this role by developing their own SIEM.
As technology has evolved and cybersecurity has become increasingly complex, many users have found that older SIEMs are not only complicated to run and maintain properly, but also haven’t evolved enough to stay ahead of today’s cyberthreat landscape. Older SIEMs struggle to ingest all data types, have slow or difficult search capabilities and poor user interfaces, and lack scalability. And as these platforms age, there is often less support available from the vendor or the MSSP, leading to frustration and lengthy problem resolution.
Finding the Right Tool
If you’re leading your organization’s transition away from its legacy SIEM, where do you start? The first step in selecting a SIEM is determining your objectives and needs. Questions you should ask include:
• What’s my budget for the solution?
• What is my risk profile?
• What are my critical digital assets that must be protected?
• What is my timeline for implementation?
• Do I want to host the system on-prem or in the cloud?
• How much data will be ingested?
• Which data sources are being sent?
• Are there any critical use cases that I need to move over?
• Will I build my own security content, or do I want a pre-packaged solution?
• What response and containment functions must be automated?
• What role should AI and Machine Learning play in detecting and responding to threats?
• Can I scale my environment and team over time?
• What are my business continuity goals?
Once you gather the requirements for your new solution, you will have a better idea which solutions to focus on in your search. Today many organizations select Splunk as their SIEM. Splunk is a Leader in the Gartner SIEM Magic Quadrant and highly regarded for its search ability and powerful data analytics. Splunk’s unique approach to data ingestion and robust library of apps allows you to send a wide range of log sources directly to their system and define use cases for your data.
Splunk software can be installed in your organization’s IT infrastructure or hosted in the cloud. Splunk offers a managed cloud-based service and some MSSPs also offer to host Splunk in their own cloud infrastructure. The decision to deploy your Splunk SIEM on-premise or in the cloud rests on trade-offs between control, scalability, and access to in-house expertise. Some MSSPs have built their use cases and content as an extension to Splunk Enterprise while others fully support Splunk ES. Further, Splunk offers Phantom for Security Orchestration and Automation and User Behavioral Analytics that can also be part of your technology solution.
Setup for Success
Once you’ve determined what Splunk deployment you need, you have to decide how you will manage the platform. While your choice of platform and deployment architecture will guide your decision, many organizations find it’s best to partner with a team of Splunk experts for the implementation, as well as the security monitoring.
There are many things to consider when selecting a service provider to partner with. MSSPs come in all shapes and sizes. Some focus on offering a fully managed solution, while others offer a co-managed or hybrid approach. Some MSSPs differentiate themselves on their ability to customize their services while others offer a pre-set package of solutions.
Do you have the in-house expertise, or will you need a partner who can help you with the process, from migration to on-going monitoring and even management?
Managed Detection and Response (MDR) providers deliver 24×7 threat monitoring, detection and response services to their clients. Partnering with the right MDR provider gives you the benefits of a 24×7 Security Operations Center (SOC) and extends your team with access to a wide range of Splunk experts. These experts are available from start to finish, giving you a well-thought-out installation design, strong use cases with actionable alerts specific to your log sources, and expert back-end management.
See Proficio’s MSSP Checklist for our suggestions on what to look for in an MSSP.
Now that you’ve selected your solution and a partner who can help you deploy it, it’s time to plan for the transition over into a new system. Before you remove your legacy SIEM, you’ll want to ensure you have properly phased out your current SIEM and MSSP, if you have one.
Ideally, when you entered into an agreement with your legacy MSSP, you defined a process to transition to another partner or to an in-house approach. This includes how and when to give notice of termination, ownership of information pertaining to your operations and policies, and access to historical security logs. Professional MSSPs understand that business relationships may not last forever and should work with you through the transition.
The best way to migrate is to plan ahead and leave at least 30-60 days of overlap to properly implement and set up Splunk. This also gives you time to verify that data ingestion is aligned in both systems, ensuring you’re not missing any critical data. A well-thought-out implementation ensures you get the most out of your investment from the start.
If your organization has data retention requirements to adhere to, keep them in mind when you plan the transition. Plan ahead to ensure that your archived data will not be lost when you take your legacy SIEM offline, and determine the process for recovery if access is needed later. For hot, searchable data, build your implementation overlap so that this data is kept on both SIEMs for the period and remains easy to access.
You’ve spent a long time setting up your legacy SIEM to be exactly the system you want. This includes everything from data ingestion to security use cases, dashboards and reports. Use this transition as a chance to audit everything you’ve set up and created, to find what’s most important and what you want to move into Splunk. Give yourself ample time to transition to ensure all of the high-value data is coming through.
Define and Refine
Data and Use Cases
It’s important that you not only send the appropriate data sources to Splunk, but also have strong use cases in place to ensure you’re capturing the right incidents and not missing critical alerts. When looking at your data, consider what sources are overactive, or always quiet. Are these still relevant? Do they need to be tuned better?
For use cases, look at what’s catching important incidents or hasn’t alerted in a year. If you begin by looking at the data you’ve ingested, and content you’ve built and how it’s working, you can determine where to start and what you should rebuild in your new system.
Your service provider should offer insight into what data is most essential to keep your organization safe. Look at what use cases or log sources are most critical and start with those high value assets first. They should also be able to assist you in controlling your data ingestion, so that you are only paying for the data you need.
If your legacy SIEM is still running when you deploy Splunk, you should look for consistency between the two platforms. This will help you gauge whether your use cases are properly tuned and accurately sending you alerts for security incidents.
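One concrete way to run the data-source audit described above, as an added example that is not code from the original post or from Proficio: a Splunk savedsearches.conf stanza that schedules a daily check for sourcetypes that went quiet, newly appeared, or spiked against their 30-day baseline. The stanza name, the 30-day window and the 3x spike threshold are assumptions; adjust them for your environment.

```ini
# Added example: a daily data-source health check for the migration overlap.
# Stanza name, 30-day baseline window and 3x spike threshold are assumptions.
[Data Source Health - Quiet, New or Overactive Sourcetypes]
enableSched = 1
cron_schedule = 0 6 * * *
# Look at the 30 complete days before yesterday, plus yesterday itself;
# comparing a full day avoids flagging a partial "today" as quiet.
dispatch.earliest_time = -31d@d
dispatch.latest_time = @d
# Raise an alert whenever at least one sourcetype is flagged.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# tstats reads indexed metadata only, so this stays cheap at high volume.
# Daily counts per sourcetype are split into a baseline and the last full day:
#   QUIET      - the sourcetype sent nothing yesterday but did during the baseline
#   NEW        - it appeared yesterday with no baseline history
#   OVERACTIVE - yesterday's volume exceeds 3x its baseline daily average
search = | tstats count WHERE index=* BY sourcetype _time span=1d \
| eval period = if(_time >= relative_time(now(), "-1d@d"), "last_day", "baseline") \
| stats avg(eval(if(period="baseline", count, null()))) AS baseline_daily_avg \
        max(eval(if(period="last_day", count, null()))) AS last_day_count \
        max(_time) AS last_day_with_data \
        BY sourcetype \
| fillnull value=0 last_day_count \
| eval ratio = round(last_day_count / baseline_daily_avg, 2) \
| eval status = case(last_day_count == 0, "QUIET", \
                     isnull(baseline_daily_avg), "NEW", \
                     ratio > 3, "OVERACTIVE", \
                     true(), "normal") \
| where status != "normal" \
| eval last_day_with_data = strftime(last_day_with_data, "%Y-%m-%d") \
| table status sourcetype baseline_daily_avg last_day_count ratio last_day_with_data \
| sort status, -ratio
```

A sourcetype that has been silent for the whole 31-day window produces no tstats rows at all, so pair this search with a lookup of the sourcetypes you expect from each log source if you need to catch long-dead feeds.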
Outline your Policies
If you’re currently using an MSSP or service provider, this is the time to review all the runbook and escalation procedures you’ve put in place. These should be the baseline for your new service provider, so that you can get off on the right foot and be set up for a successful relationship. Good service providers should help you define business context modeling, so they know what your critical assets are, and provide you with a dedicated team for your account.
Test, Tune, Go Live…
Once everything is configured, it’s time to start the testing phase. If possible, give yourself a few weeks to compare your Splunk setup to the legacy SIEM. Make sure that all the data is coming in properly and your use cases are firing as expected. Once you’ve fine-tuned your environment and are happy with your setup, you can officially retire your legacy SIEM.
Proficio’s team of Splunk experts can help you with your migration and continue with management of your environment once deployed. Contact us to learn more about how we can help you upgrade your cybersecurity with Splunk.
Unleash the Power of Your Data
Splunk .conf is the premier education and thought leadership event for thousands of IT, security and business professionals looking to turn their data into action. Join us for four days of innovation, featuring today’s thought leaders, Splunk’s top partners, 300+ education sessions and numerous opportunities to learn new skills.
Register today for .conf19 to accelerate your career and transform the way your company does business with data. With Splunk, you’re empowered to do amazing things with data – and the possibilities are endless.
Visit Proficio at Booth 123 and find out how our patent pending algorithm reveals gaps in security controls and shows an organization’s cyber risk compared to their industry peers.
Proficio’s CEO, Brad Taylor, will present “The SOC of the Future” to share his vision for the future role of security operations centers and how they will address the challenges of the 2020s.
SplunkLive! New York is back!
Splunk delivers real time operational intelligence by harnessing the value of machine data to give you the answers you need. Join us at SplunkLive! to learn more about this unique data platform and how you can use it to investigate, monitor, analyze, and act!
At SplunkLive! New York you can hear directly from customers who will talk through how they are using Splunk to solve their toughest IT, Internet of Things, and security challenges live on stage. Our afternoon breakout tracks offer a range of content for all interests. You’ll have the opportunity to learn more about what’s new with Splunk, gain insight into different use cases and learn how you can use Splunk to drive positive outcomes, achieve end to end visibility across key business services and make better decisions.
Who Should Attend:
SplunkLive! is uniquely designed for those looking to:
- Explore the Splunk Platform for the very first time
- Get started on their Splunk journey
- Find out what’s new for Splunk in 2019 and take it to the next level
- Understand how their business can do more with Splunk
Whether you’ve been using Splunk for years, are just implementing Splunk, have yet to begin your Splunk journey, or are researching Splunk for the first time, SplunkLive! New York is the place to be to learn what you need to turn your data into answers.