SIEM, Splunk & Log Management
SIEM & Log Management in Brief
Situational picture is one of the biggest “hype words” at the moment. Put simply, a situational picture is an overview of your cyber security posture, generated from several log sources. At its best, a situational picture includes application logs, data communication logs, customer feedback systems, ticketing systems, as well as public news sources, threat intel and possibly much more. Building all this is challenging; mapping and defining needs, and deciding what is “good enough”, is a cumbersome process.
What Mint Security delivers
We help identify the initial needs. We design the log management architecture from the point of view of performance, redundancy, log protection, as well as security. With regard to log protection, it is essential to define who has access to which log.
In audit logs, our expertise is based on the demanding environments in the financial sector – our expertise is scalable both upwards and downwards.
Customer Needs and Challenges to Be Solved
Every customer environment is different and each customer has individual needs. However, the challenges we face can be roughly categorized as follows:
- Situational picture of security devices
- Situational picture of the infrastructure
- Situational picture of the SecDevOps environment
- Run-time logs for systems software
- Compliance and audit logs
- Visibility into SDLC, CI/CD pipelines and application development
- Visibility into the cloud infrastructure
- Integrating log observations in JIRA or Slack
We have excellent expertise in Splunk. We prefer to do our SIEM deliveries with Splunk because we can guarantee excellent results and support our customers all the way: planning, sizing, implementing, operating the system, managing content and creating alerts or SOC integrations.
Our Excellent Splunk Blogs
There is a lot to write about Splunk and the endless opportunities therein – so we have decided to share both expertise as well as opinions as separate blogs.
This is a follow-up to my previous blog on Auditd and Splunk. That one was about Defender ATP and Proxmox and license consumption. I did not really touch the subject of a good Auditd baseline configuration.
This blog post offers a few simple tricks and tips that will ensure that your security controls do not interfere with each other. The tricks are not really tricks, just plain old configurations which offer food for thought. As we know, Splunk is the most complex beast of software out there.
Managing a Splunk installation can be a complex task, but with proper tools and processes, it will become a lot more approachable. Recently, a customer wanted to have a Splunk environment that they could install and manage with Ansible. So that is what we created.
Clustered Splunk Enterprise installations are mainly managed by their related management nodes: the Indexer Cluster by the Cluster Master and the Search Head Cluster by the Search Head Cluster Deployer. Without an additional change management process, there is no way to easily track down what has been changed, by whom and when.
More details about our methods and tools
We are hard-core Splunk experts. However, our expertise is not product-specific; relying on our experience, we can conjure up views into big log data in any environment.
Below are some screenshots of actual (and anonymized) log analysis.
We do Splunk implementations worldwide. We prefer to do preparations offsite, initial planning as a workshop onsite, then installations and configurations over remote connections, and finalization, training and handover again onsite. We have a clear concept, but the final implementation is always up to the customer.
Splunk is one of the most popular and largest log management vendors today. Splunk is widely used, and there are lots of extensions and add-ons even for the most exotic use cases. Splunk can handle huge amounts of data and does not limit the source types or log formats in any way. Whatever you throw at it, we will work it out without expensive and time-consuming efforts.