2.3 Splunk Products


Time
2 hours 29 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
We're on Module 2, talking about Splunk products. Understanding popular Splunk products is important. If you're going to claim any kind of Splunk knowledge, you need to be able to understand how the products interact and work with each other, and know where to start for making recommendations on what products companies should look to purchase. Splunk does regularly make changes and add new features and products, so check their site for the latest information.

Like we talked about in Module 1, when people refer to Splunk, they typically mean the core Splunk platform, or they may just be referring to what they're used to working with. There are currently four different Splunk platforms to choose from. These all aggregate, process, and help you use data; which one you pick typically has to do with your data appetite and budget. A small company with a few users and limited data may choose Splunk Light, whereas most large companies will pick Splunk Enterprise or Splunk Cloud. There are some differences between these platforms, such as for Splunk Light, you don't have the option of clustering and high availability or single sign-on options. Splunk Enterprise is the most popular platform I've seen. On the surface, the main difference between Splunk Enterprise and Splunk Cloud is if you want an on-prem solution where you're managing your own servers or if you want a hosted environment in the cloud. There are other considerations, but companies will usually start with one of these four options and then build out from there.

Pricing is determined by how much data is indexed on a daily basis. There are many different options for licensing, so if you're seriously looking to make a purchase, you should talk with Splunk about what would be best for your company. Before even looking to make a purchase, it may be a good idea to quantify and prioritize the data you think you'll need.

Splunk has a lot of solutions targeted towards specific industries that typically work as paid apps added to an existing platform. A common environment might consist of a Splunk Enterprise environment with Splunk Enterprise Security, often referred to as ES for Enterprise Security, and Splunk User Behavior Analytics added to it. Splunk Enterprise Security adds features like making it easier for analysts to pivot between events, conduct threat hunting, and just intelligence, and identify risk. Splunk UEBA, or User Behavior Analytics, then adds machine learning and helps identify anomalies in the environment and pick out things like insider threats or compromises that might otherwise have been missed. While Enterprise Security and UEBA are heavily marketed together, you can't have one or the other with your Splunk Enterprise platform.

Other solutions to add to your platform include things like Insights for Infrastructure, where Splunk helps you baseline your environment and identify potential problems. Two of Splunk's recent acquisitions target other areas. Splunk Phantom is an orchestration and automation tool that lets you kick off automated chains of events. For example, you can have Splunk Enterprise send over a malware event, have Phantom look up the hash in VirusTotal, and then tell another tool to isolate the machine that has the malware, and then tell your ticketing system to open a ticket with the event information and VirusTotal results. It's pretty cool. VictorOps is primarily used to manage on-call schedules and create notifications, such as by sending push notifications to your phone, giving you a call, or sending you an email when an event comes in. An example scenario would be, say you have a high CPU alert for a critical machine trigger in Splunk Enterprise, and then Splunk sends the event over to VictorOps, where it then calls the system owner to take a look at the machine.

For our review time, can you identify which of the following is not a Splunk platform? The answer is C: Splunk Enterprise Security can be added to a Splunk platform to give additional tools for your company to use.

As a review, you have your Splunk platforms: Splunk Enterprise, Splunk Cloud, Splunk Light, and Splunk Free. This may be enough for your company; plenty are able to accomplish everything they need to with one of these. However, Splunk has a lot of other specialized solutions that can optimize the use of your data, such as Splunk User Behavior Analytics, Splunk Insights for Ransomware, and others. Phantom can be used to automate tasks in your company, and VictorOps can alert you when something happens. And with that, you've made it through Module 2, and in Module 3 we'll finally get our hands on Splunk.