Clarifications about SPLUNK functionality

New Member
  1. Is SPLUNK an SIEM, SIM or SEM tool?

A. Strongly agree B. Slightly agree C. Agree D. Slightly Disagree E. Strongly Disagree

  2. Can SPLUNK guarantee 100% compliance to all regulatory standards (e.g. HIPAA, PCI DSS, SOX, etc.)?

A. Yes B. No

  3. If ‘Yes’, please give an example to explain.

  4. Are there any prerequisites in order to achieve full compliance potential with the SPLUNK system?

A. Yes B. No

  5. If Yes, what are these prerequisites?

  6. Are SPLUNK appliances the best fit for compliance reporting?

A. Strongly agree B. Slightly agree C. Agree D. Slightly Disagree E. Strongly Disagree

  7. What differentiates SPLUNK from other tools like IDS (Intrusion Detection Systems)/IPS (Intrusion Prevention Systems), Database Monitoring Systems (DMS/DAM), Log Management, etc.?

  8.

SplunkTrust

This is a complicated question to answer, as it is very open ended, subjective, and dependent on your own business processes.

In my OPINION, the correct answer is "none of the above" -- Splunk, at its heart, is an engine for data collection and search. Whether it can function as a SIEM, SIM, or any other tool to assist in compliance activities depends greatly on how you put the data collection and search functions to work for your purpose. If you aren't collecting the right data, or doing the right searches against it - it doesn't give you the answers you seek.

This is an important distinction to note. Splunk does not care what data it indexes, and it does not care what searches you run against that data to accomplish your business goals.

To Splunk, an IDS/IPS, a database audit tool, and such are simply data sources to be collected and indexed and later searched upon.

Splunk is in a similar space as other "Log Management" tools in that logfiles (syslog, app server logs, webserver logs, etc) are very commonly fed into Splunk for later searching. The difference (again, in my opinion) is Splunk's focus on search -- Splunk makes it easy for you to take all of those log events that you are collecting and convert the unstructured data in them into something that makes sense to the people who are using it.

No software tool is a magic bullet for guaranteeing "100% compliance" with anything. Compliance is ultimately a process-driven activity. Splunk can give the people executing these processes the tools and data to help them accomplish compliance, but simply installing the software and pushing a bunch of data into it is not sufficient.

There are real people using Splunk today to help achieve their compliance efforts, by using it for its strength -- collection and search. Much work has been done (refer to the links @gkanapathy provided) in building pre-packaged Splunk solutions that assist in this, and make it easier by not reinventing the wheel.

There is no such thing as a "Splunk Appliance" -- it's just software, and you bring your own favourite hardware. Depending on your data volumes, you could get by with a single quad-core server from your favorite server vendor all the way up to multiple 16-way boxes with hundreds of GB of local storage.

Splunk Employee

I think this requires rather longer (and, in some cases, less objective) answers than this forum was intended for. If you're looking for answers (vs. initiating a discussion), I might suggest you check the white papers at http://www.splunk.com/view/resources/SP-CAAACGF and http://www.splunk.com/view/security-and-compliance-solutions/SP-CAAADSB, or contact a local representative: http://www.splunk.com/view/contact-us/SP-CAAAAH7