When Splunk acquired security vendor Caspida a few months ago, some eyebrows were raised, while others saw it as a natural move. Splunk has long been a vendor delivering a broad big data analytics platform, and the Caspida acquisition was an admission of what many people already thought: that a huge proportion of the real-world adoption of analytics platforms is in the IT space, specifically security and threat intelligence. The Caspida acquisition was a good way for Splunk to go deep into this sector and follow a dual strategy: a broad platform for general use cases and distinct verticals for the early big data use cases.
This would seem to be the strategy that Splunk is following, and the company is today announcing some major updates to what was formerly called the Splunk App for Enterprise Security. Relabeled to recognize the heightened importance of security as a product direction for Splunk, Splunk Enterprise Security is focused on allowing organizations to trawl through the steps an attacker takes in order to more quickly and efficiently detect and respond to breaches.
The product has been upgraded to better handle multi-stage attack detection and response, as well as ease collaboration between response teams. New features being released include:
- Investigator Journal keeps track of ad-hoc searches and activities to streamline multi-stage analysis associated with breach detection and response.
- Investigator Timeline allows any event, activity, or annotation to be placed within an investigation timeline to help analysts better understand, visualize, and communicate the cause-and-effect of events and the details of advanced multi-stage attacks. For example, users could apply the kill chain within the timeline during investigations.
- Investigator Timeline also allows any security team member to place events, actions, and annotations into the timeline to share their perspective of the scenario to collaboratively investigate incidents, problems, and breaches.
- Enterprise Security Framework allows customers, vendors, and third parties to create, access, and extend ES functionality with apps that run within ES and use capabilities such as the alert management, risk, threat intelligence, and identity and asset frameworks.
In addition to the enterprise security app, Splunk is rolling the Caspida technology into Splunk UBA, intended to add another layer to organizations' cyber defense arsenal. UBA promises to deliver:
- Improved detection of cyber attacks and insider threats.
- Increased effectiveness for security analysts by presenting only meaningful threats involving malicious activity, using a kill chain visualization.
- Operationalization of security by rapidly getting data into Splunk UBA and streamlining incident response by leveraging the full power of Splunk solutions.
"Every second counts, and Splunk security solutions give an edge to security teams by improving the speed and efficiency of attack and breach detection and incident response," said Haiyan Song, senior vice president of security markets at Splunk. "Splunk solutions are often seen as the nerve center for security because they let teams leverage their entire security technology stack and utilize their data to detect, understand and take action in a coordinated fashion across the organization. Splunk Enterprise Security lets analysts visually correlate events over time and communicate details of multi-stage threats while Splunk UBA uses machine learning to spot the most dangerous offenders – advanced attackers including malicious insiders."
Splunk got an early start in the space and was born out of experience in IT security and general IT management. These more verticalized product offerings make sense for a company intent on growing and broadening its customer base.