ESG's Jon Oltsik talks with Splunk Senior VP Haiyan Song about SOAPA and Cybersecurity. This is part 2 of a 2-part series.
Jon: I'm here talking about SOAPA with Haiyan Song. Thanks again for coming back and doing part two of the video.
Haiyan: Great to be back again.
Jon: Okay. So I wanna tell you about two or three years ago, I sat in a session at .conf, your user conference. It was done by Swisscom, and it was all about this architecture that was kind of a precursor to SOAPA, in my eyes, and that became adaptive response. So how is adaptive response, in your view, related to the SOAPA concept?
Haiyan: You definitely caught the very important session we had at that .conf, and we're very excited about that, just like we talked about previously. Our customers have always helped drive some of our new innovations and inspired that. I think that was one of the sessions. And adaptive response, in many ways, it's...it really embodies the spirit of SOAPA.
It's creating that control plane and adding that on top of the analytics platform. So people can actually take actions, but taking actions in the framework versus on a specific product. So that's the beauty of an architecture versus a specific integration with a specific technology. Customers have the flexibility in the future to evolve into new solutions in that area without having to redo a lot of the planning afterwards.
Jon: And when Swisscom was talking about it, there was a lot of talk about making it an industry standard or developing, you know, a standard architecture for the industry. How's that going?
Haiyan: That's going great. We went out and announced the Adaptive Response Initiative at RSA in 2016. At the time, we had eight founding [SP] members really working with us to define that. And as of this RSA, we announced another set of partners, and now we have 25, really spread across all the different technology components. I think you're all aligned [SP], like the EDR side, the network side, and the IR side, and even identity, there is a big portion of that.
Jon: Yeah, what I liked about it was, it made it so that it was an architecture and you didn't have to go to your firewall, your IDS, your IPS, or your identity management and write policies, you could do that universally.
Haiyan: Yeah. So for us, you know, we always try to be very neutral in our ecosystem, and being the nerve center, that's part of the obligations and responsibility, if you will. And to be that neutral party, we feel that creating that framework, I think now you have the SOAPA architecture that really, you know, underpins that framework for us.
It's really aimed at giving the ecosystem partners a simple, easy [inaudible 00:02:52] to integrate, giving customers a ready-integrated solution for fast response.
Jon: Okay. Speaking of response, one of the hottest areas that I find, and all of our research tells us, is in security operations automation and orchestration. What's Splunk doing there and how does adaptive response get you further along?
Haiyan: We have actually, in many ways, extended the SIEM capabilities since two years ago, adding incident response capabilities, popular features like the Investigator's Journal, the Timeline, that really go beyond just detection and help you facilitate the response and investigation.
So adaptive response and SOAPA are really standardizing what that means and prescribing it to the ecosystem, "What do we need? What's in the control plane?" You know, about information gathering, about taking actions, and about maybe even instructions to say, "Go run a playbook, and you have the flexibility to write into your playbook what that is."
Jon: Yeah, and I liked...at last year's event in Florida, I know even though you have adaptive response, there were some partners there that are in the incident response platform market, so you're still extending this to the partners?
Haiyan: Yes. Security is such a team sport...
Jon: I agree.
Haiyan: And there are areas where we may have overlaps, but most of the time, we complement each other in that solution. Even with overlaps, the customer would have a choice of what they prefer to use, and we want to enable all of that.
Jon: Okay. So as you know, I'm pushing SOAPA. I wanna see more integration in the security industry. You're pushing it. What do you see in the future for, not only Splunk, but for the SOAPA architecture in general?
Haiyan: The space in security, the way we've been categorizing how the security market is supplementing them, needs to evolve. I think SOAPA is a great way for people to think about and extend it, SIEM-based, if you will. And really adding those key components, like IR, like, you know, detection and collection.
And for me, if you just think about the analytics component, right, we acquired a UBA vendor. And that also stays for analytics, you want to be collaborative, you want to have multiple engines to help you look at it from different angles.
So I think that will be the trend, and the customers will demand that, and the vendors will continue to evolve that to provide better analysis, which leads to detection, faster, better, and hopefully automates a lot of the things. You know, we have a skill shortage in the industry, and that would solve a lot of problems for the customer.
Jon: Yeah, I agree with everything you say, and I think that the one thing I'd say to Splunk and to others in the industry is that customers need help. So to the extent that you can provide reference architectures, or work with service providers, I think that's really important moving forward, for the skill shortage again.
Haiyan: Yeah, and for us, I think we always use the nerve center as an analogy, right, to think about what we need to do. And I think what's behind that is really the analytics-driven approach, the adaptive response capability, and I think that SOAPA, as a way to describe that architecture, is a great start.
Jon: Well, we appreciate you coming. So thanks so much.
Haiyan: Thank you for having me.
Jon: My pleasure.