Title
AWS re:Invent 2023 - Get the most out of Splunk Security, OCSF, and Amazon Security Lake (ANT212)
Summary
- The session covered the integration and benefits of using Splunk Security with the Open Cybersecurity Schema Framework (OCSF) and Amazon Security Lake.
- Tom, a principal security strategist at Splunk with nearly a decade of experience, provided insights into the evolution of data normalization and the challenges faced with the Common Information Model (CIM).
- OCSF was introduced as an open standard for data normalization, not owned by any single vendor, allowing for flexibility and extension by users.
- Amazon Security Lake was described as a cost-effective data storage solution, primarily a collection of S3 buckets with services to facilitate data ingestion in OCSF format.
- The integration of Splunk with Security Lake simplifies the ingestion of AWS data into Splunk, especially for on-premises customers, and supports compliance mandates.
- The session included a live demo showcasing the ease of setting up Security Lake integration with Splunk and the JSON format of ingested data.
- Use cases for the integration were discussed, highlighting the advantages of analyzing data where it resides and the importance of real-time log analysis for certain scenarios like ransomware attacks.
- The future of Splunk includes federated search capabilities, allowing for searches across various storage mediums, including Security Lake.
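The summary above describes Security Lake handing Splunk OCSF-normalized records, and the demo showing that data as JSON once ingested. To make that concrete, here is an added example (not code from the session, Splunk, or AWS) that reads a few constructed newline-delimited JSON events shaped like OCSF Authentication records (class_uid 3002), flattens the fields an analyst cares about, and runs a simple repeated-failed-login check over them. The field names (class_uid, status_id, user.name, src_endpoint.ip, metadata.product.name) follow OCSF naming as assumed here; every value in the sample input is invented.

```python
import json
from collections import Counter

OCSF_AUTHENTICATION = 3002   # OCSF class_uid for Authentication events
STATUS_FAILURE = 2           # OCSF status_id: 1 = Success, 2 = Failure

# Constructed NDJSON input: events shaped like OCSF Authentication records as a
# Security Lake subscriber would read them. All values are invented for this
# example. One Network Activity event (class_uid 4001) and one malformed line
# are included to show that the normalizer skips what it does not understand.
SAMPLE_NDJSON = """
{"class_uid": 3002, "time": 1700000000000, "status_id": 2, "user": {"name": "alice"}, "src_endpoint": {"ip": "203.0.113.10"}, "metadata": {"product": {"name": "ExampleIdP"}}}
{"class_uid": 3002, "time": 1700000001000, "status_id": 2, "user": {"name": "alice"}, "src_endpoint": {"ip": "203.0.113.10"}, "metadata": {"product": {"name": "ExampleIdP"}}}
{"class_uid": 3002, "time": 1700000002000, "status_id": 1, "user": {"name": "bob"}, "src_endpoint": {"ip": "198.51.100.7"}, "metadata": {"product": {"name": "ExampleIdP"}}}
{"class_uid": 4001, "time": 1700000003000, "activity_id": 1, "src_endpoint": {"ip": "198.51.100.7"}, "dst_endpoint": {"ip": "192.0.2.5"}}
{"class_uid": 3002, "time": 1700000004000, "status_id": 2, "user": {"name": "alice"}, "src_endpoint": {"ip": "203.0.113.11"}, "metadata": {"product": {"name": "ExampleIdP"}}}
{"class_uid": 3002, "time": 1700000005000, "status_id": 2, "user": {"name": "carol"}, "src_endpoint": {"ip": "203.0.113.12"}, "metadata": {"product": {"name": "ExampleIdP"}}}
this line is not valid json and must be skipped
"""


def get_path(event, path, default=None):
    """Walk a dotted path such as 'src_endpoint.ip' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_ndjson(text):
    """Parse one JSON object per line, silently dropping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def normalize_auth(event):
    """Flatten an OCSF Authentication event into the handful of fields a
    detection needs. Returns None for events of any other OCSF class."""
    if event.get("class_uid") != OCSF_AUTHENTICATION:
        return None
    return {
        "time": event.get("time"),
        "user": get_path(event, "user.name", "unknown"),
        "src_ip": get_path(event, "src_endpoint.ip", "unknown"),
        "failed": event.get("status_id") == STATUS_FAILURE,
        "product": get_path(event, "metadata.product.name", "unknown"),
    }


def failed_logins_by_user(text):
    """Count failed authentication attempts per user across the input."""
    counts = Counter()
    for event in parse_ndjson(text):
        record = normalize_auth(event)
        if record and record["failed"]:
            counts[record["user"]] += 1
    return dict(counts)


def flag_repeated_failures(text, threshold=3):
    """Return users whose failed-login count reaches the threshold, sorted."""
    counts = failed_logins_by_user(text)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(failed_logins_by_user(SAMPLE_NDJSON))
    print(flag_repeated_failures(SAMPLE_NDJSON))
```

Because every producer writing into Security Lake emits the same class_uid and status_id values, the same normalizer and threshold check apply regardless of which identity product generated the record; that shared vocabulary is the practical payoff of OCSF that the session describes, and the reason a single query can run over data from many sources without a per-vendor mapping step.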
Insights
- The OCSF initiative has gained traction with over 150 vendors participating, but full commitment varies, indicating a cautious approach by vendors to see if widespread adoption occurs.
- The OCSF is designed to be flexible and vendor-agnostic, which could potentially disrupt the current landscape of proprietary data normalization standards.
- Amazon Security Lake's integration with Splunk significantly reduces the complexity and time required to ingest AWS data into Splunk, which has been a pain point for on-premises customers.
- The session highlighted a shift in Splunk's strategy from being a data storage solution to focusing on data analytics, emphasizing the analysis of data where it resides rather than centralizing all data within Splunk.
- The upcoming federated search feature in Splunk will further enhance the ability to analyze data across different storage solutions, providing more flexibility and efficiency for customers.
- The speaker's call for engagement with Splunk's account team suggests a push for personalized support and consultation to help customers leverage the new integrations effectively.