Trip Report, Splunk Conference 2017

This week was Splunk’s annual user conference (.conf), which took place in Washington DC this year. Now Splunk.conf is different than lots of other user conferences, although it does remind me of some of the events I attended at the start of my career (dare I say DECWorld?). 

Many Splunk users are absolutely gaga over the product and the company. Splunk customers exchange use cases, give presentations, participate in panel discussions, and talk about the way they use Splunk today and their plans for the future. Heck, they will even open up about what features they’d like to see Splunk adopt in the future.

Topics: Cybersecurity SIEM Splunk SOAPA

The Problem with Collecting, Processing, and Analyzing More Security Data

Security teams collect a heck of a lot of data today. ESG research indicates that 38% of organizations collect, process, and analyze more than 10 terabytes of data as part of security operations each month. What types of data? The research indicates that the biggest data sources include firewall logs, log data from other types of security devices, log data from networking devices, data generated by AV tools, user activity logs, application logs, etc.

Topics: Cybersecurity Data Management SIEM TAXII STIX Splunk SOAPA CIM

Splunk on SOAPA (part 1)

I’ve written a lot about ESG’s security operations and analytics platform architecture (SOAPA). SOAPA is happening because enterprise organizations are surrounding SIEM with lots of other security analytics and operations tools to accelerate incident detection and response. As this occurs, many organizations are actively integrating these technologies together with the goal of building an end-to-end, event-driven, security technology architecture.

SOAPA is impacting security strategies of large organizations, leading to reactions and changes on the supply side. What type of changes? I recently sat down with Haiyan Song, EVP at Splunk, to discuss Splunk’s views on SOAPA. Here are a few highlights of our discussion:

Topics: Cybersecurity SIEM incident response Splunk SOAPA

A Video Interview about SOAPA with Haiyan Song, SVP of Splunk, Part 1

The trend toward security operations analytics platform architectures (SOAPA) is impacting the traditional SIEM market, causing leading vendors to adapt their strategies to accommodate the need for product integration and functional expansion. In this video, I talk with Haiyan Song, SVP of Security Markets at Splunk,who comments on changing security requirements, customers’ desired outcomes, and what this means for Splunk’s business strategy and R&D investments.

Topics: Cybersecurity Splunk SOAPA security operations analytics platform

Splunk Intent on Extending Cybersecurity Leadership

I attended the Splunk user conference earlier this week (.Conf2016) and came away pretty impressed. Since I started watching Splunk years ago, the company climbed from a freemium log management and query tool for IT and security nerds to one of the leading security analytics and operations platform. Not surprisingly then, security now represents around 40% of Splunk’s revenue. Given the state of the cybersecurity market, Splunk wants to work with existing customers and get new ones to join in to build on this financial and market success.

Topics: Cybersecurity SIEM security analytics Splunk

My Take-aways from Splunk Conf 2015

When I first became familiar with Splunk years ago, I thought of it as a freeware log management tool for inquisitive security analysts. Useful for general purposes, but I didn’t see it as a true enterprise security management system, a category defined by vendors like ArcSight, Intellitactics, and Network Intelligence at that time. 

Topics: Cybersecurity big data security analytics SIEM Splunk

Splunk Show Shows Spunk (Includes Video)

Check out my "man on the street" video from the event, and read my additional takeaways below. 

Topics: Analytics Big Data cloud IoT Splunk machine learning

Enterprise Organizations Describe Weaknesses in Malware Detection and Protection

Well here we are halfway through January and you can’t cross the street without hearing about a malware attack or security breach somewhere – Neiman Marcus, Target, Yahoo, Yikes!

When my non-technical friends ask me what they should expect moving forward, I’m not exactly a beacon of hope. My usual response is something like, “get used to it, things will likely get worse.”

Topics: IBM Palo Alto Networks Information and Risk Management FireEye Security and Privacy Security malware Mandiant Barracuda Leidos Target cybercrime CSC Anti-malware NIST APT Unisys Splunk

Addressing advanced malware in 2014

In the cybersecurity annals of the future, 2013 may be remembered as the year of advanced malware. Yes, I know that malware is nothing new and the term “advanced” is more hype than reality as a lot of attacks have involved little more than social engineering and off-the-shelf exploits. That said, I think it’s safe to say that this is the year that the world really woke up to malware dangers (advanced or not) and is finally willing to address this risk.

So how will enterprise organizations (i.e., more than 1,000 employees) change their security strategies over the next year to mitigate the risks associated with advanced malware threats? According to ESG research:

  • 51% of enterprise organizations say they will add a new layer of endpoint software to protect against zero day and other types of advanced malware. Good opportunity for Kaspersky, McAfee, Sophos, Symantec, and Trend Micro to talk to customers about innovation and new products but the old guard has to move quickly to prevent an incursion by new players like Bit9, Bromium, Invincea, and Malwarebytes. The network crowd (i.e., Cisco, Check Point, FireEye, Fortinet, and Palo Alto Networks, etc.) may also throw a curveball at endpoint security vendors as well. For example, Cisco (Sourcefire) is already selling an endpoint/network anti-malware solution with a combination of FireAMP and FirePOWER.
  • 49% of enterprise organizations say they will collect and analyze more security data, thus my prediction for an active year in the big data security analytics market – good news for LogRhythm and Splunk. Still, there is a lot of work to be done on the supply and demand side for this to really come to fruition.
  • 44% of enterprise organizations say they will automate more security operations tasks. Good idea since current manual security processes and informal relationship between security and IT operations is killing the effectiveness and pace of security remediation. Again, this won’t be easy as there is a cultural barrier to overcome but proactive organizations are already moving in this direction. If you are interested in this area, I suggest you have a look at Hexis Cyber Solutions’ product Hawkeye G. Forward thinking remediation stuff here.
  • 41% of enterprise organizations say they will design and build a more integrated information security architecture. In other words, they will start replacing tactical point tools with an architecture composed of central command-and-control along with distributed security enforcement. Good idea, CISOs should create a 3-5 year plan for this transition. A number of vendors including HP, IBM, McAfee, RSA Security, and Trend Micro are designing products in this direction with the enterprise in mind.
Topics: IBM Check Point Palo Alto Networks Fortinet Cisco IT Infrastructure Information and Risk Management Sourcefire FireEye HP McAfee Security and Privacy Security endpoint security Kaspersky LogRhythm trend micro bromium Symantec Invincea antivirus RSA Security Sophos Bit9 Anti-malware Hexis Splunk

Information Security versus “Shadow IT” (and mobility, cloud computing, BYOD, etc.)

We’ve all read the marketing hype about “shadow IT” where business managers make their own IT decisions without the CIO’s knowledge or approval. According to ESG research, this risk is actually overstated at most organizations, but there is no denying that IT is getting harder to manage as a result of BYOD, cloud computing, IT consumerization, and mobility.

As these trends perpetuate, CISOs find themselves in the proverbial hot seat – it’s difficult to secure applications, assets, network sessions, and transactions that you don’t own or control.

Topics: Information and Risk Management Security and Privacy Sailpoint 21CT RSA Security Bit9 Octa Splunk