
All-round multicloud offensive for Splunk

At its annual event, Splunk unveiled several product updates. Its data analysis and observability tools, as well as security solutions, have been updated to meet the challenges of multicloud.

This year again, the Splunk World Conference was held in virtual form for health reasons. It was an event packed with announcements for the machine data analysis specialist, which for several years has been extending its offering towards observability and security. “Today, there is a strong demand for real-time and data completeness,” says Stéphane Estevez, EMEA product director at Splunk. The objective is therefore to help customers better manage their data volumes, particularly in a multicloud approach, which brings complexity.

On this last point, the vendor is launching Data Manager for Splunk Enterprise and its Cloud version. This service makes it easy to access data stored in clouds from one place, no matter where it resides. Available in beta, it is compatible with AWS and Microsoft 365, and soon with Google Cloud Platform and Microsoft Azure. In addition, the Ingest Actions function (also available in preview) purges and filters the data before deciding whether to send it to the Splunk platform or to external storage such as AWS S3.

The Data Manager service provides visibility into the data stored in the different clouds. (Photo credit: Splunk)

More granular telemetry, for better responsiveness

On the cloud storage side, the vendor has extended the SmartStore service to Azure (already available on AWS and Google Cloud). This solution (presented in 2018) allows customers to scale their storage tiers (primary, secondary, etc.) while controlling costs. For the indexing aspect, Flex Index targets data that is rarely used but is important for in-depth investigation (forensics) or compliance reasons. Here again, Splunk seeks to simplify searching data by offering Federated Search, which unifies search across the Splunk platform. “Collecting data from clouds and analyzing it is essential for AIOps. The more data they have, the more they can improve the detection of breakdowns and anomalies,” explains Stéphane Estevez.

Splunk also continues to strengthen its position in the observability market. Last May, it presented its Observability Cloud, a platform capable of collecting all the data and covering the three pillars of the field: metrics to detect problems, traces to determine where the problem is, and logs to understand in detail why it happened. At the conference, Splunk presented developments to its APM offering with a focus on automation. “For example, we have added auto-detect in Infrastructure Monitoring, which automates the analysis of anomalies in infrastructures. There is no need for configuration and the alerts are directly integrated into the dashboards,” explains François Estevez.

It also emphasizes AlwaysOn Profiling (also in beta), which “brings more granularity when analyzing problems in a transaction at the code level”. Likewise, Log Observer allows “graphical consumption of logs for DevOps”, the manager assures. Also worth mentioning is DB visibility, which “scans which query is the slowest according to a history on the databases”. Finally, the mobility part is addressed by the RUM (Real User Monitoring) function for mobile applications (resulting from the acquisition of Plumbr), which is based on OpenTelemetry (Splunk had acquired Omnition, a main contributor to this open source telemetry project). The service provides performance monitoring for mobile applications.

Always On Profiling provides more granular analysis of transactions down to the code level. (Photo credit: Splunk)

Security: focus on multicloud and reinforcement in Threat Intel

In recent years, Splunk has pivoted toward security, and the annual conference was an opportunity to strengthen its portfolio in this area with a focus on cloud environments. According to the vendor, the health crisis has expanded the attack surface (with teleworking and the use of the cloud) and highlighted blind spots (configuration, detection time, increase in alerts, false positives, etc.). To remedy this, Splunk updated its Enterprise Security platform by improving dashboards so that they surface more relevant information. The Risk-Based Alerting service responds to the fatigue of security analysts faced with the growth of alerts by optimizing threat detection.

The risk-based alerts service aims to reduce the influx of alerts to security analysts. (Photo credit: Splunk)
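The idea behind risk-based alerting, shown here as an added example that is not Splunk's code: rather than paging an analyst on every individual detection, each detection contributes a risk score to the entity (user or host) it concerns, and an alert is raised only when that entity's accumulated risk within a time window crosses a threshold and comes from several distinct detections. The field names, scores, window, threshold and the sample detections below are all assumptions chosen for illustration.

```python
"""Risk-based alerting: aggregate low-fidelity detections per entity.

Added example, not part of the article or of Splunk's product code.
Field names, scores, the 24-hour window and the threshold are assumed
values chosen to illustrate the technique.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RiskEvent:
    time: datetime
    risk_object: str  # entity the detection concerns (a user or a host)
    source: str       # name of the detection rule that produced the event
    score: int        # risk this detection contributes (assumed scale)


# Constructed sample detections: each one alone would be a noisy page.
T = datetime(2021, 10, 19, 8, 0)
SAMPLE_EVENTS = [
    # alice: four different detections within five hours
    RiskEvent(T, "alice", "failed-logins-burst", 20),
    RiskEvent(T + timedelta(hours=1), "alice", "new-country-login", 40),
    RiskEvent(T + timedelta(hours=3), "alice", "rare-process-spawn", 30),
    RiskEvent(T + timedelta(hours=5), "alice", "mass-file-download", 60),
    # web01: the same low-value detection repeated twice
    RiskEvent(T, "web01", "port-scan-inbound", 15),
    RiskEvent(T + timedelta(hours=2), "web01", "port-scan-inbound", 15),
    # bob: a single detection
    RiskEvent(T + timedelta(hours=1), "bob", "failed-logins-burst", 20),
    # carol: three detections, but spread over five days
    RiskEvent(T, "carol", "new-country-login", 40),
    RiskEvent(T + timedelta(hours=48), "carol", "rare-process-spawn", 30),
    RiskEvent(T + timedelta(hours=96), "carol", "mass-file-download", 60),
]


def aggregate_risk(events, window=timedelta(hours=24), threshold=100, min_sources=3):
    """Return one alert per risk object whose cumulative score inside any
    sliding window reaches `threshold` and is backed by at least
    `min_sources` distinct detection rules.  Everything below threshold
    stays as risk context for an investigation instead of becoming a page.
    """
    by_object = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_object[ev.risk_object].append(ev)

    alerts = []
    for obj, evs in by_object.items():
        for i, last in enumerate(evs):
            # Sliding window ending at this event.
            recent = [e for e in evs[: i + 1] if last.time - e.time <= window]
            total = sum(e.score for e in recent)
            sources = {e.source for e in recent}
            if total >= threshold and len(sources) >= min_sources:
                alerts.append({
                    "risk_object": obj,
                    "score": total,
                    "sources": sorted(sources),
                    "first_seen": recent[0].time,
                    "last_seen": last.time,
                })
                break  # one alert per entity; later events would enrich it
    return alerts


def alert_reduction(events, **kwargs):
    """Return (raw detection count, alert count) to show the reduction."""
    return len(events), len(aggregate_risk(events, **kwargs))


if __name__ == "__main__":
    raw, fired = alert_reduction(SAMPLE_EVENTS)
    print(f"{raw} raw detections -> {fired} risk-based alert(s)")
    for alert in aggregate_risk(SAMPLE_EVENTS):
        print(alert)
```

With the constructed sample, ten detections collapse into a single alert on `alice`, whose four distinct detections within a few hours add up to 150. The repeated port scan on `web01` never gains a second source, `bob` stays below threshold, and `carol` shows why the window matters: her detections would exceed the threshold in total, but they never fall inside the same 24 hours.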

On the SOAR (Security Orchestration, Automation and Response) side, Splunk paves the way for customization by launching a SOAR application editor. This allows users to test, build, and modify security orchestration applications. It should be noted that the SOAR platform expands its Threat Intel branch with the acquisition of TruSTAR last May. The Intelligence Platform technology is now fully integrated, becoming a full-fledged service. It aims to centralize threat data so that it can be fed into the workflows of SIEM (security information and event management) and SOAR tools.

TruSTAR’s Intelligence Platform, acquired last May, has been integrated into Splunk’s SOAR platform. (Photo credit: Splunk)

Finally, the vendor announces the creation of a team of cybersecurity experts, called Surge. Its mission is to help customers who are victims of a cyberattack. It will also produce documentation on certain cybersecurity topics. “For example, it looked at SSL protection”, adds François Estevez. The initiative is reminiscent of the recent Google Cloud initiative with its Cybersecurity Action Team.
