Have you been worried about whether your deployment is secure? Are you tired of keeping track of all security vulnerabilities and vendor-provided patches to ensure that your exposure to such vulnerabilities is minimized? What about making sure that the certificates for your hundreds of forwarders, indexers, search heads and other Splunk connectors are not expired?
You’re not alone!
Based on a recent study we did with Splunk admins, it turns out that ~55% of an admin's effort is spent on platform management tasks (e.g., certificate updates, version upgrades, app and tech add-on updates, etc.), which were considered “low-value” tasks. Admins were able to allocate about 5% of their time to high-value tasks, such as business use-case creation.
At Splunk, our admins manage Splunk deployments for around 3,000 customers in the cloud, and we also support around 11,000 customers who self-manage their deployments. Our customers range from those with a single, standalone instance, to a fully distributed system with ~500 Indexers, ~10K search heads (SH), ~300K forwarders, and ~40 search head clusters (SHCs). Over time we have collected, tried, and tested configurations that are secure and optimal for a variety of specific deployment types. As the complexity within our customer environments grows, our optimization also evolves.
Splunk Assist allows us to bring all of that goodness to our self-managed customers so that you too can benefit from our experiences with Splunk Cloud Platform. Based on our initial estimates, the insights and recommendations in Assist will not only help enhance the security of the deployment but may also help reduce admins’ efforts spent on platform management tasks by 25%.
Splunk Assist is a cloud-connected service for Splunk® Enterprise that puts your telemetry data to work. Assist provides you with a single place to monitor your deployment and see recommendations to improve your security posture.
In this screenshot we see an overview of indicators that show that some of the Splunk tiers are at risk.
The primary objective of Assist is to keep your deployment secure and in prime condition. Assist does this by providing the following:
Assist is only available in Splunk Enterprise 9.0 or later. Once you install or upgrade to Splunk Enterprise 9.0 or later (download Splunk Enterprise), there are three easy steps to enable Splunk Assist for your deployment (see How to configure Splunk Assist for more details):
Splunk Assist is generally available (GA) now; it shipped with Splunk Enterprise 9.0 in June 2022. With this first version we have released the following:
With Certificate Assist you can identify and mitigate certificate expiry issues. Remember those hundreds and thousands of forwarders whose certificates you have to manage and track? No more! Assist will not only keep track of the expiry dates for you, but will also warn you and tell you exactly which node has the expired certificate. It displays a ranked list of certificate issues, ordered by the closest expiration date. The benefit of Certificate Assist is that you proactively avoid the pain of losing connectivity when certificates expire.
The Certificate Assist overview page lists certificate expiry warnings with suggested actions to take.
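As an added illustration (not Splunk's code, and not how Assist is implemented), the ranking the post describes can be reproduced over an inventory of DER-encoded certificates: walk the tbsCertificate to its notAfter field, compute days remaining against a fixed clock, and sort soonest-expiring first. The node names, the inventory and the certificate bytes below are constructed fixtures, not real certificates.

```python
import datetime as dt

def der_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 field order)."""
    _, tbs, _ = der_tlv(der_tlv(der, 0)[1], 0)        # outer SEQUENCE, then tbsCertificate
    tag, _, pos = der_tlv(tbs, 0)                      # version [0] EXPLICIT is optional
    pos = pos if tag == 0xA0 else 0                    # v1 certs start straight at serialNumber
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = der_tlv(tbs, pos)
    _, validity, _ = der_tlv(tbs, pos)
    _, _, p = der_tlv(validity, 0)                     # notBefore
    tag, value, _ = der_tlv(validity, p)               # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def rank_by_expiry(inventory, now, warn_days=30):
    """Return [(node, expiry, days_left, status)] sorted soonest-expiring first."""
    rows = []
    for node, der in inventory.items():
        exp = cert_not_after(der)
        days = (exp - now).days
        status = "critical" if days < 0 else "warning" if days <= warn_days else "conforming"
        rows.append((node, exp.date().isoformat(), days, status))
    return sorted(rows, key=lambda r: r[2])

# --- constructed fixture (NOT real certificates): a minimal, structurally valid tbsCertificate
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content        # short-form length only (fixture < 128 bytes)
def fake_cert(not_after_utctime):
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
    validity = _tlv(0x30, _tlv(0x17, b"220601000000Z") + _tlv(0x17, not_after_utctime))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, sha256_rsa)
           + _tlv(0x30, b"") + validity)                # version, serial, sigalg, empty issuer, validity
    return _tlv(0x30, _tlv(0x30, tbs))                 # signatureAlgorithm/signatureValue omitted
SAMPLE_INVENTORY = {"fwd-017": fake_cert(b"240815120000Z"), "idx-03": fake_cert(b"250101000000Z"),
                    "sh-01": fake_cert(b"240901000000Z")}  # constructed node names
NOW = dt.datetime(2024, 8, 20, tzinfo=dt.timezone.utc)  # fixed clock so the ranking is reproducible

if __name__ == "__main__":
    for node, exp, days, status in rank_by_expiry(SAMPLE_INVENTORY, NOW):
        print(f"{status:10} {node:8} expires {exp} ({days:+d} days)")
```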
Do you wonder if your setup is the most secure it could be? Do you worry about when the newest vulnerability patch will come out, or when you should run another security check across all your nodes? Instead of fretting, open up Splunk Assist at least once a day to see for yourself how Assist is keeping your environment safe! Check out the “security score” to see any configurations that need changing, copy-paste the automation/help text to fix the vulnerability, and you are good to go.
Config Assist displays a ranked (critical, warning, and conforming) list of over five security postures across seven *.conf files, along with actionable recommendations to fix those settings.
Here we see that of the 60 indicators in this deployment, 6 are critical and 6 have been issued a warning.
Now, you can sleep in peace…well, until the next vulnerability, or when your cat takes over your bed.
More than half of our self-managed customers have about 50 apps installed and deployed on their Splunk deployment. Some of those apps are very active, but others may have been inactive for a while and as a result never upgraded. Has that ever happened to you? It sure did for more than 50% of our customers.
App Assist lists currently deployed apps (from Splunkbase) in ranked order based on version gap and the nodes they are installed on. The oldest app versions appear at the top, with instructions to download the latest version at your fingertips.
App Assist shows a list of the apps that need to be updated.
We thought you’d never ask! We have big plans for Splunk Assist: we’ve already received so much positive feedback from our preview customers, and we’re committed to investing in this capability. A few of the areas that we will focus on and prioritize include the following:
Stay tuned for more, and let us know any ideas you might have at ssg-splunk-assist@splunk.com. You can also learn more in our documentation.