The Difference between Splunk ES & Splunk Security Essentials
A common question from those new to Splunk Security is “What is the difference between Splunk Enterprise Security(ES) and Splunk Security Essentials (SSE)”, I think the answer lies primarily in outlining what Security Essentials is and what it provides for security operations.
Security Essentials is a free application from Splunk (https://splunkbase.splunk.com/app/3435/) which includes a library of Security relevant content. This content includes searches, documentation and dashboards to aid in rolling out a security monitoring solution. Some of the content in Security Essentials requires a premium application from Splunk such as User Behaviour Analytics or Enterprise Security, however the majority of the content works with Splunk Enterprise (Splunk Core) and will significantly aid many organisations security maturity.
The key areas within the application to fully understand the value that SSE offers are the Security Content page as shown below and the searches themselves. Security Content provides a viewpoint of all the content available in SSE, with key filters across the top so that you can filter based on the data available to Search within Splunk or the Security Frameworks you are working with.
Once you have found a detection search of interest, navigating into that search provides an overview of the search, what category, journey stage (more on that below), whether data exists within Splunk for that use case and where within the MITRE ATT&CK tactics/techniques and other frameworks the detection search resides. In addition to the expected alert volume from the search and a short brief on how to respond should you detect it within the environment.
In addition to the details around the search, there is also line-by-line documentation on each of the searches to fully explain how they are constructed and what they do. This is a great reference for learning new Splunk SPL regardless of your current experience.
The content within SSE can be bookmarked so you can keep track of the progress in deployment of these security detection searches, a key process required to successfully roll out a security monitoring solution.
Along with all this content is helpful guidance on how to leverage it and improve your security maturity, the first port of call is the security data journey page, this dashboard aligns to “the essential guide to security” from Splunk which is also worth a read –https://www.somerfordassociates.com/splunk-essential-guide-to-security-sign-up/
It highlights each step on the journey with milestones and targets to meet along the way so that you can track your progress and make sure you don’t leave yourselves exposed by presuming you have coverage where you do not.
So, how does this differ to Enterprise Security?
Well, Enterprise Security is Splunk’s SIEM offering, it provides a collection of frameworks and capabilities to act as a platform from which to leverage content. The frameworks include:
- The Notable Event Framework — the ability to take an alert and process the output from that alert, tracking progress along the way and allowing for handover and of said alert.
- The Threat Framework — the ability to process all of your datasets against a number of threat data feeds whether IP, domain, certificate or file intel.
- The Asset and Identity Framework — the ability to correlate and provide context to all alerts and events through the platform against your systems and users.
- The Adaptive Response Framework — the starting point for automation, allowing for integration into any technology to automate a response
- The Risk Framework — the collation of information and detected events with associated risk scores aligned to assets, identities or other. Also the foundation for Risk Based Alerting. Link to blog on RBA