Network Security Monitoring

Splunk is a Big Data platform that is widely used for Network Security Monitoring across LAN, WAN, DMZ, secure network, and internet segments. There are more than 300 applications available on Splunk for security and compliance, so it supports almost all major network security vendors on the market, such as Cisco, Symantec, Trend Micro, Juniper, Check Point, Blue Coat, F5, Qualys, Citrix, RSA, and many more. Splunk can ingest security events from dissimilar sources such as firewalls, IPS/IDS, wireless networks, computer endpoints, and network appliances.

As a general implementation best practice, Splunk runs alongside the network security solutions a company already has. Splunk helps analyze the security posture of multiple devices, visualizes it in a business-friendly dashboard, and produces audit-friendly reports for compliance and risk.


Splunk App for Cisco Security Suite (free)

[Screenshot: Cisco Security Suite on Splunk]

Cisco Security Suite provides a single pane of glass interface into Cisco security data. It supports Cisco ASA and PIX firewall appliances, the FWSM firewall services module, Cisco IPS, Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), Cisco Identity Services Engine (ISE), pxGrid, and Cisco Advanced Malware Protection / Sourcefire / eStreamer.


Splunk App for Symantec DeepSight Security Intelligence  (free)

[Screenshots: Splunk App for Symantec DeepSight Security Intelligence - IP Map; Main Dashboard]

Monitor cyber threats and malicious activities in your network with the Symantec DeepSight Security Intelligence App for Splunk Enterprise. By correlating data sources in your Splunk environment to flagged threats from Symantec’s datafeeds, you will have visibility into any risks posed against your data in real time. Take control of your network and fight cyber crime with the Symantec DeepSight Security Intelligence App for Splunk Enterprise.

The technology add-on for this app is currently only available for RedHat 6.x and CentOS 6.x. We will expand the functionality of the TA to other operating systems in future releases.

Features:
– Get information about the current threats posed against your data
– Drill down on specific events to see recurring threats
– A geographical breakdown of malicious IP addresses per country level
– A graphical representation of IP/URL threats over time
– Analyze the hostility, reputation, and confidence value of any given harmful IP/URL data against DeepSight


Splunk App for Trend Micro Deep Security (free)

[Screenshots: Splunk App for Trend Micro Deep Security - Anti-Malware; IPS]

Configure Deep Security to send events to Splunk via syslog in CEF format. After the Trend Micro Deep Security App is installed in Splunk, six new UDP syslog listeners are created. A separate UDP port is used for each event type so that the various Deep Security event types stay separated on arrival.

10701 – Syslog UDP port for System Events
10702 – Syslog UDP port for Anti-Malware Events
10703 – Syslog UDP port for Web Reputation Events
10704 – Syslog UDP port for Firewall and IPS Events
10705 – Syslog UDP port for Integrity Monitoring Events
10706 – Syslog UDP port for Log Inspection Events
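As an added illustration (not code from the Trend Micro app or from Splunk), here is a small Python parser that takes a syslog line received on one of the six listener ports above, splits its CEF payload into header and extension fields, and tags the event with the type implied by the port. The sample lines, vendor/product strings, signature IDs and extension field names are constructed for this example.

```python
import re

# Listener ports from the page, mapped to the Deep Security event type each one carries.
PORT_EVENT_TYPE = {10701: "system", 10702: "anti_malware", 10703: "web_reputation",
                   10704: "firewall_ips", 10705: "integrity_monitoring", 10706: "log_inspection"}
CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

def _split_header(cef):
    """Return the 7 pipe-delimited CEF header fields plus the extension text, honouring '\\|' and '\\\\' escapes."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):  # escaped character: take the next char literally
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":  # field delimiter
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, cef[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value2'; a value may contain spaces, so it runs until the next ' key='."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=((?:(?!\s\w+=).)*)", ext)}

def parse_deep_security_syslog(port, line):
    """Parse one syslog line received on a Deep Security listener port into a flat dict."""
    if port not in PORT_EVENT_TYPE:
        raise ValueError(f"unexpected listener port {port}")
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, rest = _split_header(line[idx + 4:])
    event = dict(zip(CEF_HEADER, header))
    if event["severity"].isdigit():  # CEF severity is normally 0-10
        event["severity"] = int(event["severity"])
    event["event_type"] = PORT_EVENT_TYPE[port]  # derived from the port, not from the payload
    event.update(parse_extension(rest))
    return event

# Constructed sample lines (not captured from a real appliance); one anti-malware, one IPS event.
SAMPLE_LINES = [
    (10702, "<134>Mar  1 12:00:00 dsm CEF:0|Trend Micro|Deep Security Agent|9.6|4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=web01 act=Quarantine"),
    (10704, "<134>Mar  1 12:00:05 dsm CEF:0|Trend Micro|Deep Security Agent|9.6|1000940|Blind SQL Injection|8|src=203.0.113.10 dst=10.0.0.5 dpt=80 cs1=Web Server rule cs1Label=Policy"),
]

def parse_samples():
    return [parse_deep_security_syslog(port, line) for port, line in SAMPLE_LINES]
```

Feeding a line to the wrong port silently mislabels the event type, which is why the parser trusts the port mapping rather than guessing from the payload.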


Splunk App for Blue Coat Security Analytics (download from Blue Coat)

[Screenshots: Splunk App for Blue Coat Security Analytics - Main Dashboard; Threats Overview]

The Blue Coat Security Analytics App for Splunk imports alert and metadata from the Blue Coat Security Analytics Platform, enabling fast and effective monitoring inside Splunk. It also contains several key dashboards for monitoring network traffic, identified threats and anomalous activity. This gives IT organizations critical context for any network or security event identified within Splunk, and lets them pivot into Security Analytics with the data from a specific event for a quick and efficient workflow.

Blue Coat’s Security Analytics Platform complements Splunk by acting as a camera on the network, providing clear, actionable intelligence about security threats to applications, files, and web content. With this retrospective look at traffic on the network, IT organizations can quickly identify the advanced and targeted attacks that slip past traditional prevention-based security tools.


Splunk App for F5 WAF Security by Nexinto (free download from GitHub)

[Screenshot: Splunk App for F5 WAF Security - Top Attacks]

This App analyzes attacks on your web infrastructure that were blocked by F5 ASM. It displays these dashboards:

  • Displays attacks based on GeoIP
  • Displays attacks based on Type
  • Displays attacks based on Violation, Signature
  • Displays attacks based on Country
  • Displays attacks based on IPs
  • Heatmap for Attack Type Distribution by Type, Country, Violation
  • Security Stats table for displaying chronological attack requests and locations


Splunk App for Netscaler WAF Security (free download from GitHub)

[Screenshot: Splunk App for Netscaler WAF Security - Top Attacks]

This App analyzes attacks on your web infrastructure that were blocked by Netscaler. It displays these dashboards:

  • Displays attacks based on GeoIP
  • Displays attacks based on Type
  • Displays attacks based on Country
  • Displays attacks based on IPs
  • Heatmap for Attack Type Distribution by Type, Country, Violation
  • Security Stats table for displaying chronological attack requests and locations


Splunk App for Qualys (free)

[Screenshots: Splunk App for Qualys - Main Dashboard; Search for Vulnerabilities]

Qualys App for Splunk Enterprise pulls Vulnerability Detection Data from your Qualys VM account and puts it in Splunk for easier searching and reporting. Qualys is the property and trademark of Qualys, Inc.

This App provides a vulnerability dashboard containing a variety of summary charts, including top hosts affected, most prevalent vulnerabilities, IP lookup, IPs matching a given vulnerability, as well as remediation status and trending data. The dashboard also includes preconfigured searches and reports, and can be configured to display data in formats and aggregations that match the organization’s needs.

  • Qualys App – Our app pulls data from your Qualys account into Splunk including vulnerability detection results and the KnowledgeBase (QIDs). The app uses Splunk’s App Development framework and leverages existing Qualys APIs.
  • Built in Dashboards and Reports are included

Things you’ll need

  1. Qualys account with API access
  2. Splunk Enterprise account
  3. Computer with MacOS or Linux


And a few hundred more Splunk Apps for Security

Yes, there are hundreds more security applications for Splunk that you can download. Too many to show on this page; click the link above and you will find Splunk Apps for Palo Alto, Juniper, Check Point, McAfee, Nessus, Sophos, NetScaler, Snort, Fortinet Fortigate, Radius, RSA, Aruba, FireEye, Dell Sonicwall, Hurricane Labs, Squid, Suricata, and many more!

Splunk can provide a one-stop solution for Security Monitoring in your enterprise: a pure Big Data player that helps you aggregate and visualize system events from all devices across the enterprise in a timely fashion. That is why Cisco replaced its existing SIEM with Splunk; see how Cisco uses Splunk on Cisco UCS for IT Operations.


Splunk Enterprise Security (requires Premium License)

[Screenshots: Splunk Enterprise Security - Security Posture; Access Anomalies]

Splunk Enterprise Security helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, SOC operations, and providing executives a window into business risk.

• Continuously Monitor: get a clear picture of security posture using pre-defined dashboards, key security and performance indicators, static & dynamic thresholds, and trending indicators
• Prioritize and Act: optimize incident response workflows with alerts, centralized logs, and pre-defined reports and correlations
• Conduct Rapid Investigations: use ad-hoc search and static, dynamic and visual correlations to detect malicious activities
• Handle Multi-step Investigations: trace activities associated with compromised systems and apply the kill-chain methodology to see the attack lifecycle