If you’re looking to leverage Splunk for security, there are a couple of ways to approach the task. Below I’ll explain some of the differences between Security Essentials and Enterprise Security.
Splunk is a best-of-breed data analytics platform. Many people use Splunk for security, but its power comes from the diversity of use cases you can fulfill with a single piece of software. Splunk can do everything, including monitoring IT operations, looking for fraud, cybersecurity, and even monitoring heating, ventilation, and air conditioning (HVAC) systems. The use cases are endless. As long as you grab data in a machine-readable format (i.e., ASCII), you’re only limited by your creativity.
NuHarbor is a leading national cybersecurity services firm, supporting the diverse needs of hundreds of clients with clear, comprehensive, and outcome-based solutions. We support only best-of-breed security technologies with thoroughly trained and vetted analysts. We make cybersecurity easier for our clients by integrating the most comprehensive set of security services in the market, from compliance and offensive testing to award-winning 24×7 managed security operations. Companies often ask us to implement Splunk and support them with monitoring for security use cases. One commonly asked question is: What’s the difference between Splunk’s Security Essentials application versus Splunk Enterprise Security?
Splunk Security Essentials is a free reference application on Splunkbase that contains example Splunk Search Processing Language (SPL) commands to look for specific security events. You can think of SPL and Security Essentials like a collection of preformatted Google-like searches of your data for specific security events. The Security Essentials app also does a nice job organizing and categorizing security searches by security capability and complexity.
Enterprise Security is Splunk’s Security Incident and Event Management (SIEM) platform. Splunk Enterprise Security provides the security practitioner with visibility into security-relevant threats found in today’s enterprise infrastructure. Splunk Enterprise Security is built on the Splunk operational intelligence platform and uses its search and correlation capabilities, allowing users to capture, monitor, and report on data from security devices, systems, and applications. As issues are identified, security analysts can quickly investigate and resolve the security threats across the access, endpoint, and network protection domains. In simple terms, Splunk Enterprise Security contains everything from Security Essentials but adds the ability to manage events by risk, the ability to do deep security data correlations, and other useful features like SOC automation (e.g., if Splunk identifies a DDoS attack on an open port, a user can automate the action to close the port on the firewall).
These two solutions are very different in their objective and intent, though many people get these two solutions confused. Splunk Security Essentials is a free security reference application on Splunkbase that contains foundational security use cases. The great part about Security Essentials is that all use cases are organized in stages, among other helpful categorizations:
The complexity of the searches can vary across stages. As you increase in stages, you’ll see the evolution from simple data collection and aggregation to full threat feed integration. A lot of this can be done within Splunk Enterprise, but with Enterprise Security you can easily do this using the risk framework that adjusts risk score based on the asset involved.
Enterprise Security is Splunk’s SIEM (Security Incident and Event Management) platform. It detects patterns in your data and automatically reviews the events in a security-relevant way using searches that correlate many streams of data. Additionally, Splunk compares the identified event against the assets and asset value in your environment to prepare a comprehensive view of enterprise security risk. Splunk Enterprise Security also contains other valuable features that aren’t covered here, such as incident review, investigation management tools, glass tables, etc. What’s interesting about Enterprise Security is the statistical analysis of data from a security investigations perspective. By creating security alerts, Enterprise Security can identify specific security events as well as statistical deviations from your baseline data. Over time, as you become more familiar with your data and have a chance to see outlying security events, you’ll be able to tune and optimize Enterprise Security for maximum benefit of streamlined investigation and security alerting. The goal is to tune Enterprise Security to the point where you’ve “removed the hay” and are “left with the needle.” In other words, when an alert triggers, you’re left with a high-fidelity security event.
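To make the two ideas above concrete (a preformatted SPL search of the kind Security Essentials ships, and the baseline-deviation-plus-asset-value scoring that Enterprise Security’s risk framework formalizes), here is an added example search written for this post; it is not from Splunk, Security Essentials, or Enterprise Security. It assumes authentication events in an index named `auth` with `action` and `user` fields, and a hypothetical lookup `asset_priority_lookup` that maps `user` to a `priority` of critical, high, or normal. It builds a 30-day per-user baseline of daily failed logins, flags today’s count when it sits more than three standard deviations above that baseline, and weights the resulting score by the account’s priority so the highest-fidelity hits sort to the top.

```spl
index=auth action=failure earliest=-30d@d latest=now
| bin _time span=1d
| stats count AS failures BY user, _time
| eval baseline_value = if(_time < relative_time(now(), "@d"), failures, null())
| eventstats avg(baseline_value) AS baseline_avg, stdev(baseline_value) AS baseline_stdev BY user
| where _time >= relative_time(now(), "@d")
| eval zscore = if(baseline_stdev > 0, round((failures - baseline_avg) / baseline_stdev, 2), 0)
| where zscore > 3
| lookup asset_priority_lookup user OUTPUT priority
| eval priority = coalesce(priority, "normal")
| eval risk_score = round(case(priority=="critical", 80, priority=="high", 60, true(), 20) * zscore, 0)
| table _time, user, failures, baseline_avg, baseline_stdev, zscore, priority, risk_score
| sort - risk_score
```

Days on which a user had no failures do not appear in the baseline, so a user with sparse history gets a thinner baseline than the 30-day window suggests; the `zscore > 3` threshold and the priority weights are the knobs to tune as you learn what normal looks like in your data.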
| Use Case | Splunk Security Essentials (Core Splunk) or Splunk Enterprise Security |
|---|---|
| Security Monitoring | Essentials or Enterprise Security |
| Advanced Threat Detection | Essentials or Enterprise Security (adds statistical analysis and kill chain methodology) |
| Compliance | Essentials or Enterprise Security (some compliance standards require the ability to identify indicators of compromise and SIEM capability) |
| Fraud Detection and Insider Threat | Essentials |
| Incident Investigation | Enterprise Security |
| SOC Automation | Enterprise Security (adds automated response actions) |
| Incident Response | Enterprise Security (adds indicators of compromise) |
I often see folks leverage firms with no true security experience – this is a recipe for failure, or at least reduced return on investment. NuHarbor supports only best-of-breed security technologies, like Splunk, with thoroughly trained and vetted analysts. NuHarbor has vast expertise in Security Operations Center and MSSP development using Splunk.
If you’re interested in Splunk for security and need a sounding board, contact NuHarbor today!
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.