Leveraging Splunk for complete
and seamless network visibility
While Splunk collects a substantial amount of data, it doesn’t provide the full recording of what has been sent and received on a network. Security and Network Operations Centers therefore need a tool to investigate any events that look suspicious.
By running Splunk on the Napatech Pandion Recorder, all data are captured and stored to disk and can be accessed quickly and easily for forensic investigation.
Pandion provides insights in mere seconds, allowing the Splunk user to determine the full scope of the event and provide timely remediation. Pandion can be seamlessly integrated with any existing Splunk solution, allowing businesses to leverage earlier investments.
Challenge: tackling billions of logs
As one of the most versatile event management tools on the market, Splunk is utilized across industries to collect data from security, network, and server assets throughout the corporate infrastructure. To provide the needed insight into network security and performance, any unusual activity registered by Splunk must be analyzed and prioritized.
This task is typically managed by Security and Network Operations Centers (SOCs and NOCs) working to condense billions of log notifications to the highest priority actionable events. But while Splunk collects a substantial amount of event data, it does not provide the needed visibility of what has been sent and received on the network. SOCs and NOCs therefore need a way to corroborate and resolve any events that look suspicious.
“The average cost of time wasted responding to inaccurate and erroneous intelligence can average $1.27 million annually.”
Ponemon Institute Survey
Solution: Splunk / Pandion integration
This is where Napatech Pandion Recorder can help. Pandion is a scalable capture-to-disk solution based on FPGA-driven SmartNICs with reconfigurable storage. It seizes, stores and retrieves all network data on demand, enabling teams to retrospectively provide PCAP evidence for a multitude of tasks, including forensic analysis or operational troubleshooting. Pandion provides full continuous capture that can be matched to Splunk events or any other anomaly observed.
In our first use case, an SOC security engineer working for a financial services firm is investigating a Splunk event, sent by Suricata, with a suspicious domain name. A corresponding event from the firewall indicates that a connection was attempted to the resolved address. To further investigate this activity, the SOC engineer clicks on the event in Splunk, uses the Pandion workflow, and in just a few seconds sees the full packet record corresponding to the name resolution and the subsequent connection.
Without this information, the decision to report or disregard the event would have been based on assumption alone. But by analyzing the packet data, the SOC engineer can determine exactly what was sent/received to the suspicious address, whether or not a harmful document was downloaded, and if any information was actually sent out of the infrastructure. So the Splunk event can be resolved for severity and impact without conjecture or incomplete info.
In our second use case, an NOC analyst working at a social media agency sees an application alert in Splunk for slow/no response and needs to identify the exact area of concern; an exercise which could prove time consuming and complex. But with the Pandion / Splunk integration, the NOC analyst can simply click on the event, search for packets, and quickly determine which infrastructure area is likely at fault: network, server or database. Inevitably, the stakeholders in each of these areas would only have visibility of their own domain, and would tend to claim that there is “no trouble found”. But with this solution, the raw packet data will conclusively show which part of the organization needs to action the event and provide a root cause analysis.
In our third use case, an Incident Responder working for a major Defense Contractor notices that a network security device has sent an alert into Splunk indicating suspicious SSL traffic. In this case, the server may be vulnerable to “heartbleed”, where the vulnerability exposes information in memory from recent web transactions, including cleartext usernames and passwords. The Incident Responder clicks on the event in Splunk and by analyzing the packets he can directly determine:
- whether the bug seems to have been exploited successfully
- exactly what information was obtained through the vulnerability
“An organization can receive an average of nearly 17,000 malware alerts in a typical week. The time to respond to these alerts is a severe drain on an organization’s financial resources and IT security personnel.”
Ponemon Institute Survey
As we have seen, Pandion provides an easy workflow. By clicking on any event in Splunk, the operations user can immediately get the full network packet trace that corresponds to the Splunk event. Thanks to its industry leading search speed, Pandion provides an answer in mere seconds, allowing the Splunk user to determine the full scope of the event and instantly provide the needed remediation.
Pandion can be seamlessly integrated with any existing Splunk solution, allowing businesses to leverage earlier investments and realize substantial savings.