Splunk Agrees: Wire Data Adds Crucial Context to Logs

Logs only tell part of the story when validating security incidents or providing root cause analysis

Over the past several years, there has been growing recognition of the need to think about the data sources you're using in your analytics. It's no surprise that ExtraHop touts wire data as the most complete, unbiased, and instant source of IT data, but we're not the only ones!

Even Splunk Agrees, Wire Data Is Truth

This post from Splunk (a great ExtraHop technology partner) caught my eye with the title "Find the Ultimate Truth in the Wire. Even the Most Granular Logs Are Not Enough to Be the Truth." The author explains how SIEM platforms necessarily lose some granularity when they normalize data for analysis, and that knowledgeable hackers exploit these data limitations to try to hide or obscure their activities. When responding to an event, IT and security staff need to validate it and then find out with certainty what data was affected and whether adversaries are still active in the network.

The Splunk post also explains that, while logs are an invaluable piece of the analytics puzzle, they are self-reported information about an event and not the actual "source of truth," even when preserved in their original form. Network packet forensics, or wire data, is the answer. Like a closed-circuit camera, wire data is an objective observation of activity and can provide root cause analysis, especially with the ability to download the precise packets (in a PCAP file) that comprise a particular flow.

In addition to providing definitive answers, wire data can also improve the accuracy and fidelity of SIEM alerts, acting as an additional dataset that is already consistently structured by virtue of the network and application protocols. The Splunk post also points out the broad coverage of wire data, not only including obvious HTTP information but also SQL transactions and DNS activity.

ExtraHop Is the Leader in Wire Data

ExtraHop and Splunk make for a great pairing, and we share a number of joint customers who stream wire data from ExtraHop into Splunk for correlation with log data.

As the author of the Splunk post points out, you need to make sure data is normalized and ready for analysis before feeding it into an analytics platform. ExtraHop's secret sauce is its ability to transform raw, unstructured packet streams into structured wire data at tremendous scale—up to a sustained 100 Gbps, even with line-rate decryption. A few key reasons why organizations choose ExtraHop for wire data visibility:

  • Agentless Auto-Discovery - Automatic discovery, classification, and mapping of all physical and virtual devices, clients, and applications

  • Broad and Deep Visibility - L2 – L7 content analysis for holistic visibility across tiers at industry-leading scale—up to a sustained 100 Gbps throughput

  • Machine Learning - Powerful machine learning applied to your richest data source to detect security and operational anomalies

  • Extensibility and Openness - Rich APIs to integrate with other platforms for correlated analysis or to orchestrate automatic responses

Take a look at the ExtraHop + Splunk integration (including a video demonstration), and learn how ExtraHop can improve your security posture as well as the accuracy of SIEM alerts!
