Why Splunk Cloud and Deepwatch

By Rich Meeker

Estimated Reading Time: 5 minutes

Splunk Cloud and Deepwatch form a partnership that truly brings out the best in each other. So how did this powerful union come to be, and what does it mean for customers?

About ten years ago, the virtualization revolution changed the paradigm. Security Engineers no longer directly managed the compute and storage of bare-metal systems, and instead relied on a Virtualization and Server team. While the responsibility was in the hands of these teams, the Security Engineering teams were still required to have intimate knowledge of the platform requirements to inform their counterparts on how to scale the solution without breaking it. Delays and performance impact were common in some organizations as the security engineering teams waited on the other teams to process the infrastructure requests, or cost overruns occurred as teams scaled after the fact. This led to Security Engineering teams increasingly being spread too thin and having less time to focus on their core responsibilities of effectively managing security technology, reducing risk, and protecting the organization. Realizing this, organizations are now looking to get out of the infrastructure business and have started to leverage cloud-based solutions as part of their digital transformation initiatives in an effort to increase operational efficiency and improve their Security Risk posture.

Why the shift to Cloud, and what are the advantages?

Organizations have learned that while having a separate internal team manage the infrastructure helped them leverage the expertise of infrastructure engineering specialists, the security engineering teams were still required to understand the CPU, memory, storage, and architecture requirements of the platform. This was required in order to proactively manage the scale of a solution as changes in an organization’s environment occurred, such as additional growth and adoption of the SIEM. This requires an additional level of knowledge and expertise in designing and architecting a solution, which takes time and experience to gain. With security engineers wearing multiple hats and trying to stay afloat with day-to-day operational requirements, most do not have the bandwidth to learn the ins and outs of all of the security platforms they manage to become Architect-level experts. Managed Cloud Platforms can help security engineers maximize their time and experience on the core aspects of their role in managing risk, while protecting an organization’s digital assets and resources. Email Security and Web Content Security are two solutions where cloud adoption has become the norm, especially with the work-from-home transition of 2020. Managed SIEM in the cloud is a natural next step to support distributed environments as part of an organization’s Digital Transformation initiative.

Splunk Cloud and Deepwatch can provide an organization with a fully managed SIEM platform, allowing a security engineering team to elevate their positions and focus on managing risk and the more critical aspects of Information Security. Below are a few of the benefits of Splunk Cloud and Deepwatch for infrastructure and platform management:

  • Splunk Cloud provides a resilient infrastructure where an organization’s security engineering team does not have to worry about maintaining the routing, uptime, or resiliency of the infrastructure to support the SIEM. Operations and maintenance are managed by Splunk Cloud.
  • Splunk Cloud also manages major and minor software releases and performs the upgrades.
  • Splunk Cloud is Certified with the following compliance options: 
    • FedRAMP Authorized at the Moderate Impact Level by GSA FedRAMP PMO; 
    • Meets U.S. Persons requirements under ITAR; 
    • SOC 2 Type 2, ISO 27001, PCI, and HIPAA compliant.
  • Splunk Cloud App & TA security review provides additional value to organizations; each App & TA deployed in Splunk Cloud is reviewed and vetted by the Splunk Cloud engineering teams, who validate appropriate deployments in the Cloud environment.
  • Deepwatch provides additional platform management by monitoring the platform while collaborating with Splunk to ensure the platform is operating efficiently and at scale.
  • Splunk Heavy Forwarders are managed by Deepwatch, including the installation of Apps & TAs on the Heavy Forwarders. This includes management and tuning of event data as it is received, to help create efficiencies when ingesting data for security relevance.
  • Splunk Engineering performs the configuration of the Splunk Core environment, while Deepwatch Engineering focuses on onboarding new log sources and verifies CIM compliance. (Note: The Splunk Common Information Model (CIM) provides a way to normalize event fields from disparate log sources in order to have a common language between the different event sources, which helps to accelerate data analysis and provide higher fidelity.) The Deepwatch named Squad provides 24×7 security monitoring and alerting.
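To make the CIM note above concrete, here is an added example (not Splunk's or Deepwatch's code) of what field normalization across disparate log sources looks like. It takes two constructed sample events, a key=value firewall line and a JSON authentication event, renames each vendor's field names to CIM-style names (src, dest, dest_port, user, action), maps each vendor's action vocabulary onto common values, and then runs one query over both sources. The vendor field names and sample values are assumptions made up for this example.

```python
import json
import re

# Constructed sample events: one key=value firewall line and one JSON auth event.
FIREWALL_LINE = (
    "ts=2024-01-01T10:00:00Z src_ip=10.0.0.5 dst_ip=192.0.2.10 "
    "dst_port=443 disposition=allow"
)
AUTH_JSON = (
    '{"timestamp":"2024-01-01T10:00:01Z","username":"jdoe",'
    '"clientAddress":"10.0.0.5","result":"failure","server":"vpn01"}'
)

# Per-source mapping from vendor field names (assumed) to CIM-style field names.
FIELD_MAPS = {
    "firewall": {
        "ts": "_time", "src_ip": "src", "dst_ip": "dest",
        "dst_port": "dest_port", "disposition": "action",
    },
    "auth": {
        "timestamp": "_time", "clientAddress": "src", "server": "dest",
        "username": "user", "result": "action",
    },
}

# Vendor action vocabularies collapsed onto a common set of values.
ACTION_MAP = {
    "allow": "allowed", "deny": "blocked",
    "success": "success", "failure": "failure",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse a space-separated key=value line into a dict of raw vendor fields."""
    return dict(KV_RE.findall(line))


def parse_json(line):
    """Parse a single-line JSON event into a dict of raw vendor fields."""
    return json.loads(line)


def normalize(raw_fields, source):
    """Rename vendor fields to CIM names; unmapped fields keep their original name.

    Actions outside the known vocabulary become "unknown" rather than being
    silently passed through, so a new vendor value shows up in searches.
    """
    fmap = FIELD_MAPS[source]
    event = {fmap.get(k, k): v for k, v in raw_fields.items()}
    if "action" in event:
        event["action"] = ACTION_MAP.get(str(event["action"]).lower(), "unknown")
    if "dest_port" in event:
        event["dest_port"] = int(event["dest_port"])
    event["sourcetype"] = source
    return event


def normalize_line(line, source):
    """Pick the parser for the source and return the CIM-style event."""
    parser = parse_json if source == "auth" else parse_kv
    return normalize(parser(line), source)


def events_from_src(events, src):
    """One query over all sources, written once against the common field name."""
    return [e for e in events if e.get("src") == src]


if __name__ == "__main__":
    events = [
        normalize_line(FIREWALL_LINE, "firewall"),
        normalize_line(AUTH_JSON, "auth"),
    ]
    for e in events_from_src(events, "10.0.0.5"):
        print(e["sourcetype"], e["dest"], e.get("dest_port"), e["action"])
```

Each source still needs its own parser and field map, which is the onboarding work the bullet assigns to Deepwatch Engineering, but once that is done a detection or hunt query is written a single time against src, dest and action instead of once per vendor.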

To further enhance an organization’s security operational capabilities and to enable a Security Engineering team to focus on other facets of managing the security program, Deepwatch can provide additional enhancements to help an organization gain an instant modern SOC. This includes:

  • Bundling and integration of additional technologies to enhance the SIEM. This includes the Deepwatch Cloud SecOps Platform, which provides Threat Intelligence, Collaborative Ticketing, Real-Time Collaboration, and internal SOAR to enrich and automate security event management. The Deepwatch Cloud SecOps Platform includes the ability to integrate with a customer’s SOAR solution.
  • Deepwatch provides a named Squad as part of the MDR solution offering to act as an extension of an organization’s Security team. This provides not only 24×7 Security Monitoring and Alerting, but also additional engineering and threat hunting capabilities:
    • Splunk and SIEM Engineering Expertise to manage Event Data and Security Content
    • Managed Threat Hunt Scenarios

With the heavy lifting accomplished, a security engineering team can now leverage the fully transparent platform to perform searches, review or create reports, and collaborate with Deepwatch’s engineering and Security Analyst teams on a cloud-managed Splunk environment.

Combining Security & Operations under a single platform

Another benefit of Splunk Cloud is its ability to provide a single data analytics platform for an entire organization. This allows Security Engineering, DevOps, Infrastructure, Business Analytics, and other teams to operate from a single platform. By streamlining the engineering requirements, it allows teams to speak a common language while reducing engineering development time and integration complexity that may arise from leveraging multiple platforms.

In Summary

Whether an organization needs a completely outsourced Security Operations team, or needs assistance with augmenting an internal SOC team today, Deepwatch with Splunk Cloud provides a flexible and scalable model to elevate an organization’s Security Operations capabilities. An organization can quickly and efficiently improve their Security Risk posture through the power and flexibility of Splunk. Deepwatch provides organizations with the confidence to manage and maintain the complexities of a SIEM and Modern SOC.

View the Deepwatch and Splunk joint solution brief
