9 May, 2019

Using Splunk ES and UBA together to create a SIEM


Aliado Splunk Managed Security Consultants are pleased with the new versions of Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA), which can be used together to form an analytics-driven SIEM. These new versions, Splunk ES 5.3 and Splunk UBA 4.3, can be downloaded from Splunkbase.

Our Splunk integration service teams are building these analytics-driven SIEMs to meet different client needs, covering both basic and modern SIEM use cases such as security monitoring, incident investigation and forensics, insider threat detection, advanced threat and attack detection, and incident response and automation.

The key benefit is that current threats become more manageable, with easier investigation, detection and response across multiple vectors. Combining Splunk ES with Splunk UBA enhances workflow and simplifies investigations by synchronizing threat management across ES and UBA, which speeds up threat detection and response. With centralized monitoring and a vendor-agnostic way to onboard auxiliary data sources, Splunk administrators can view critical apps within their environment and simplify data ingestion.

I asked the Aliado sales team how they find these opportunities and what questions they ask clients to start the conversation down the right path. They said you first have to target the right people before asking the questions.

Who to target?

  • CISO – Builds and executes a security strategy
  • Security Administrator / Engineer – Wants scalability and performance
  • SOC Manager – Manages a team of security managers; wants effective personnel management and a departmental interface

What questions to ask?

  • Tell me about your ability to effectively detect, investigate and respond to large-scale threats in the cloud.
  • What are your SOC team’s biggest challenges? Are they too many false positives, or an overload of alerts?
  • How do you ingest auxiliary data sources? Do you have a vendor-agnostic way of ingesting them?
  • How are critical apps monitored? Does your enterprise have a central way to view them?
  • Can you scale and ingest all the security-relevant data needed to solve your security use cases?