I spent the early part of this week in Orlando, attending Splunk .Conf 2018. Here are a few of my takeaways:
- Splunk articulated a vision of security analytics/operations for 2020 that included 10 areas:
  - Data ingestion. Collecting and processing a growing body of security telemetry.
  - Detection. Finding and blocking known threats.
  - Prediction. Using advanced analytics to identify new attacks and then spreading the warning around to all connected customers.
  - Automation. Automating all pedestrian tasks and accelerating more complex tasks.
  - Orchestration. Using APIs to connect security controls together for investigations and remediation actions.
  - Recommendation. Monitoring and recording security operations and then recommending proven actions to the SOC team.
  - Investigation. Providing intuitive tools to figure out what cyber-attacks are happening and why they are happening.
  - Collaboration. Offering a workbench for security operations while connecting to collaboration tools like Slack.
  - Case management. Delivering a security-centric tracking system that spans security incident management lifecycles.
  - Reporting. Providing a central place to measure all aspects of reporting.

  I would add integration (i.e., SOAPA functionality for data management services, software services, etc.) and outsourcing (i.e., choosing which security operations tasks to delegate to partners), but Splunk’s list is pretty complete.
- With the addition of Phantom, Splunk talked a lot about the OODA loop (i.e., observe, orient, decide, and act). This is a military technique for decision-making based upon data analytics. OODA is a good framework for the Splunk/Caspida/Phantom triad.
- Using Phantom (or other security automation/orchestration tools), Splunk customers are automating as many security processes as they can, as quickly as they can. There is a short-term focus on automating mundane tasks. As one presenter said, “I don’t want to automate an hour-long task we do once a week. I want to automate a task that takes 10 minutes that we do hundreds of times every week.” It’s worth noting that with the acquisition of Phantom, Splunk is much more focused on security operations processes and best practices than it was in the past.
- Splunk now presents its security architecture in three layers: a data layer, an analytics layer, and an operations layer. This model is similar to ESG’s security analytics and operations platform architecture (SOAPA) – capture security data, analyze security data, act upon security data.
- Splunk security benefits from some other core Splunk capabilities, including stream processing, data fabric search, Splunk mobile, Splunk TV, etc.
- It seems like every other security vendor (except for competitors) has a Splunk application or integrates with Splunk. There were user-led sessions on valuable integrations between Splunk and Palo Alto Networks, Symantec, etc. Splunk promotes and welcomes this industry cooperation.
- It’s always interesting to see how customers are building new use cases on top of Splunk. I attended sessions that used Splunk for risk scoring, adversary emulation testing using the MITRE ATT&CK framework, integration with Apache Kafka, etc. Splunk is also opening its machine learning tools so customers can write their own algorithms or fine-tune those provided by Splunk.
- Splunk doesn’t talk much about cloud implementation, but it is a growing part of the business. My guess is that most customers will run core Splunk in the cloud within the next 3 years.
- Splunk works with hundreds of MSSPs and has a healthy and growing business in this area. Who knew?
- System integrators like Accenture and PwC have thriving Splunk businesses, but I believe they are just scratching the surface on basic opportunities today. There is an opportunity for these and other SIs to help customers assess security processes, establish best practices, and help resource-constrained customers extend Splunk the way leading customers have.
If you look at Splunk solely as a technology company, you are missing the big picture. The Splunk user base has become a community with its own language, culture, and rituals. Splunk deserves a lot of credit for creating and facilitating this dynamic – and believe me, it ain’t going away anytime soon. Splunk’s customer relationships are much more than savvy marketing, totems, and funny hats, however. Splunk continues to listen to and work with its customers at a level that other vendors don’t understand and can’t possibly execute.
It’s appropriate that Steve Wozniak was a keynote speaker at .Conf this year. While Wozniak may be best known as a co-founder of Apple Computer, the Woz was also the brainchild behind the “US” festival, a 1980s music event intended to encourage the integration of community and technology. In its own geeky way, Splunk .Conf accomplishes this goal on an annual basis.