Splunk Enterprise Security

Enterprise Security in hybrid (cloud + on premise) scenario

Explorer

Hello,

We are refining our Splunk hybrid (cloud + on-premise) architecture design and are looking for ideas and experience sharing in that particular area.

In summary:
- We have a clustered (Indexers and SHs) Splunk infrastructure on premise in our data center to centralize logs from on-premise computers and perform their security monitoring with Enterprise Security
- We are now starting to use the cloud (AWS now and also Azure in the near future) for hosting some of our information systems and are defining the architecture for these log data ingestion also in the cloud (EG: CoudWatch to Firehose to ELB to several Splunk HFs in AWS)
- For indexing these cloud logs, one option we have is to build also a Splunk indexers cluster in AWS (and Azure later) but this won't allow our existing on-prem enterprise security SHs cluster to access that data (from what we can read, Hybrid search is only supporting one standalone on prem search head and not a cluster and premium apps like ES are explicitly not supported for hybrid search).
- Since hybrid search seems not possible, one alternative we have in mind is to forward log events from HFs in the cloud to our existing on-prem indexer cluster via our existing AWS Direct Connect lines but would like your feedback on feasibility, latency/performance, traffic costs, ...
- Another alternative is to build a full (Indexers + ES SHs) clusted infra in the cloud (AWS, Azure) but this won't be as "user friendly" for our Splunk users (like the SOC team) as they will have to switch between 2 or 3 different Splunk installations. Also on the Splunk administration side, we will have to duplicate (or triplicate with Azure) many servers/configuration ...

Thanks in advance therefore if you can share your experience in these hybrid Splunk deployments, particularly in the context of having Enterprise Security used as the SIEM to monitor cloud and on-premise infrastructures.

0 Karma

Explorer

I believe your ES SH can connect to your AWS indexers (I may be wrong). The documentation speaks of Splunk Cloud (different from AWS deployment). This is my thinking. Sending data from your cloud to your on-premise will involve significant cost depending on the volume of data being sent.

If you have solved this issue, kindly please share your solution.

Thanks
OP

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!