Digital transformation helped organizations reach new benefits…but not without new pains. The threat landscape is expanding with greater complexity and fragmentation. Security teams need a data-centric strategy to meet evolving challenges and achieve a strong security posture. Learn how to improve end-to-end visibility and enhance detection and response operations to strengthen cyber resiliency.
© 2022 Splunk Inc. All rights reserved.
>> ANNOUNCER: Please welcome President and CEO, Splunk, Gary Steele.
>> GARY STEELE: Hi, I'm Gary Steele, the CEO of Splunk, the data platform leader for security and observability. Now, you may recognize me from my twenty years coming to Moscone as the CEO of Proofpoint. Today I'm excited to be here representing Splunk as their Chief Executive.
Now, one of the great things about both companies, they are both based in the Bay Area. And one of the favorite things that I have that I love to do is to go for long runs. And what I would like to do is tell you about one of the challenges with running in the Bay Area which is kind of a bummer is the hills, not because they are tough to climb, but because of something known as a false summit.
Let me tell you about a time that I was up against one.
So, I had a couple of free hours one morning in San Francisco and I decided to go run up Hawk Hill just across the bay. And I had started out with a short distance, thinking I would just do a short distance into the headlands, but I was tempted by seeing the top of the hill. I pushed myself a little farther to reach the peak.
Once I got to that spot though, I saw it wasn't the top after all. It was actually a false summit. Now, I pushed a little harder but I was running out of time, running out of water. I headed back. And I didn't reach the peak that day.
And I think all of us have faced false summits in the past two years. You think about the number of weddings and reunions that got put off while we were sheltering in place.
Or the fact that we have all felt like, isn't COVID over yet? And yet wastewater plant workers have been testing our waste for evidence of COVID resurgences.
And finally, while there has been an incredible investment across many organizations to improve their overall security posture, we still haven't reached our optimal, our peak, in terms of security operations.
And when I spend time and I talk to organizations and talk about the improvements that have been made through this process of digital transformation and managing through all of that and building out security operations, three challenges fundamentally remain, the first of which is obvious, and that's the threat landscape. It hasn't gotten any better and it's continued to evolve.
More complexity has come about because the attack surface continues to grow. All of those great efforts to bring applications to the cloud just created more to protect.
And finally, there is lots of silos. Silos get created in a number of ways. So, silos get created by the purchase of new tools. Silos get created for a variety of other different reasons. But it creates an impediment.
And honestly, these are a lot like the issues I come across when I go run.
You know, I grew up in the State of Washington and on the eastern side of the state actually, and it was interesting there, it was super predictable, it’s relatively flat, I knew the terrain, climate was always the same, pretty easy. But what's different here running in the Bay Area is climate changes about every mile. So, you have got to figure that out. One left turn, because of all of the changes in the terrain, can take what was an exciting run into one that's painful and one to be regretted.
And it's really where we are with the threat landscape today where there is always a level of uncertainty. And I don't need to lecture all of you about what you have seen in the threat landscape, but it's everything from threats of ransomware to supply chain attacks to zero-day vulnerabilities, to all of the kinds of things that we have all lived through over the last couple of years. It just puts us in a very uncertain position.
And I think in particular, we also have this hangover of what's happening in the Ukraine. Will there be other issues associated with that that affect all of us? We don't know yet. I think it leaves us in a pretty uncomfortable spot.
The second big challenge that we see is complexity, and I bring this analogy back to running. It's sort of interesting. People always tell me that running is the easiest thing in the world. You just buy a pair of shoes and you go. Well, it's actually gotten more complicated. There’s a million choices for shoes. There’s lots of kinds of gear. And there’s lots of electronics, all of which can be great.
And you translate that into what we are seeing in the security world. We have been adding tool after tool every time we have been faced with some form of new challenge. That ultimately creates more complexity. Each of those tools has a dashboard; great. It produces a whole set of data; great. How does that all come together in a way that doesn't make it anything but complicated?
And also, you combine with that these broader initiatives to expand cloud initiatives and use hybrid cloud architectures.
We've introduced a lot more data sources, a lot more control points, and we have spread the attack surface in a way that's incredibly complicated.
Then you couple with all of this what has happened with remote work. Splunk did a State of Security Report that was just recently issued, where it showed that 80% of organizations responded saying that they actually had to put in new threat detection to support remote access because of all of this remote work.
So, complexity has continued to rise.
And finally, we are living with all kinds of silos. You know, I look at the running world, and the thing that annoys me the most is if I go out on a run and for whatever reason I'm in some location where my watch doesn't connect to my phone or my phone loses all connectivity, and that's kind of what's happened today in the world where we are creating these various data silos.
Why do we have them? Well, you have them because you’ve brought these various tools in, all of which capture critical and interesting information. You also have organizations tracking application telemetry that is often captured in a NOC, but that oftentimes doesn't correlate or combine with the information captured by the security teams.
And the answer is not adding more people to the problem. That doesn't work given the talent shortages all of us are experiencing today.
And so, it's often the case where security teams feel overworked and oftentimes overwhelmed. And that's kind of how I felt when I didn't make my summit to Hawk Hill. I was not deterred, however. I knew that if I was better prepared the next time, I could make the summit. And there were not going to be any shortcuts. I felt like I needed to be better prepared, consult more maps, really get my watch settings right, basically use all available data to have a better run.
And I think that's where we are today with security, where you and your teams are best equipped to reach your true summits when you take a data-centric approach to any operation. And if this was an audience of IT specialists, SREs, DevOps, I would be saying the same thing.
Because at the end of the day when an alert happens, is it an application event? Did the application fail? Or is it a security issue? And either way, at the end of the day, an incident is just an incident. And one of our beliefs fundamentally is that security and DevOps are converging.
To ensure that you really have security and resilience across your organization, you need to find a way to ensure that everything is talking so your networks are all connected, and that all of your data is accessible from your SOC.
And these silos that have gotten created in the past where the application environment is monitored by your NOC and the data collected by your SOC, those have traditionally been silos. We see convergence in that world.
So, when you take a data-centric approach, you can drive three critical outcomes. The first of which is end-to-end visibility, being able to see across your entire infrastructure. And that infrastructure can span multiple clouds. It can span your on premise work and combinations or hybrid environments.
With this, you can drive accelerated detection and response. You have all of the data in one place. You can make quick decisions. And you can drive great outcomes.
And then finally, with all of that, you can improve your overall cyber resilience, including meeting your privacy and compliance initiatives.
Now, let's take a look at each of these in a little more detail. The first of which is thinking about how do you get end-to-end visibility across all of your infrastructure? And what's important here is you want to be able to get full fidelity of your data, having it normalize into a common structure so that you can take action quickly.
You need a SOC solution that is flexible enough to adapt to new security technologies, because clearly, we are in this world where we are adding new capabilities all of the time, and it needs to be scalable to handle the ever increasing volumes of data that I think we are all experiencing.
And then finally, you need comprehensive monitoring and remediation capabilities to secure users' data wherever they reside, whether they are in the cloud, whether they are on premise, or somewhere in between. And doing all this allows your security operations team to move from feeling overwhelmed to truly feeling in control.
Now, let me give you a quick example. A large US health system employs roughly 6,500 affiliated physicians, has roughly 40,000 employees, and they handle 2 million visits per year.
Now, through all of that, they are obviously producing immense amounts of data. And they chose a data-centric SIEM solution as the centerpiece of their SOC. It allowed them to ingest data from any source and continuously monitor across the entire environment to protect patient privacy.
Now, what was interesting about this is by installing that core level of data, they got some additional uses out of it. They actually used the approach to zero in on how medications were being administered in order to guard against potential diversion of controlled substances like opioids.
And at the same time, when COVID broke, they saw the number of attacks increase. So, they saw attempts to divert wires, they saw more fake credentials, they saw more supply chain attacks, and at the same time, their workers were working around the clock because, think health system, they were all working while many of us were sheltering in place.
So, they put together orchestration and response to ultimately drive workflow that automated all of the mundane tasks of their team, so they ultimately elevated worker productivity and made the job much better for their SOC workers.
So, I think this is a very good example where driving that data-centric approach, leveraging visibility, had a great outcome.
Now, let's talk a little bit about accelerated detection and response. The reality here is you can tackle the complexity of your data silos and ultimately deliver faster detection response by bringing it all together.
Harnessing all of the organization's data with the right context and analytics on top of that data enables security teams to get the right insights from the data sources and then couple that with automation of all of the mundane tasks. That's really the magic.
And I think everyone here is probably on some form of automation journey, and I believe that there is more and more opportunity to drive that automation in the days, weeks, and months ahead, because that's the critical element to give people's time back, to make SOCs more productive, and ultimately make security scalable as we live in this very uncertain world.
And finally, you know, you look at various kinds of customers. Let's talk about Transurban. They are an Australian-based road operator company. They chose a data-centric SIEM approach and they were focused initially on driving detection times down. That was their number one focus. They implemented orchestration and response to streamline processes and standardize procedures. And what was exciting was the outcomes that they achieved were amazing.
They drove threat detection time down by 87%, response time by 94%, and remediation time by 70%. So, incredible outcomes on all of these critical metrics.
And so, when you then think about overall cyber resilience, once you have achieved the visibility and faster detection and response, you are really in a position where you can drive overall cyber resilience.
You know, innovating on process, innovating on technology ultimately puts you in a position where security posture is raised and that resilience ultimately is supporting the overall business growth of the company. I think this is where we all want to get to and it's very achievable in this data-centric world.
So, here's another great example. The customer is REI. Mike Hughes, the CISO, was there, was actually the first CISO at the retailer. And they've experienced great value with this data-centric approach because it allows them to expand the capability and capacity of the security team.
Now, what's interesting, they had adopted a platform by their IT organization where they were looking at data that they could search, analyze, visualize, and then they extended this broadly into their security world, implementing SIEM and SOAR all in the cloud to really empower their security operations team.
Now, I'm going to let you hear from Mike directly. So, let's roll the video.
>> MIKE HUGHES: What we do in security is we look for anomalies, we look for pattern deviation, we try to find the needle in a haystack. What's really interesting when we start to aggregate data together in a platform is we can now start to project and map patterns back into that data and see what the normal flows look like.
And so, if you can take away all of that good pattern and everything you know, you can start to surface that one thing that is the anomaly and start to chase that down.
Security is not a milestone. Security is a journey. And so, we have to think about it and we have to plan like that. And that's what we are doing at the co-op. That's one of the reasons making the investment in cybersecurity, to expand the security operations center, to lay automation in, those are the next steps within a security program that is continuing to evolve.
>> GARY STEELE: It was great to hear from Mike and hear about those benefits.
So, just to recap, the data-centric benefits are end-to-end visibility, being able to see across your entire environment, and I think one of the things that is also important in this world that is oftentimes multi-cloud, oftentimes hybrid, is to be able to get access to that data within your security operations team without necessarily moving that data from one environment to another. It's really about having that visibility from a central console.
With that, then you can drive accelerated detection and response, thinking through the value and benefits of orchestration and response, and how you can drive much of the mundane tasks out of the Security Operations team.
And finally, with that, improving overall cyber resilience, which has critical benefits overall in the business.
Now, you’re probably wondering, did I ever get up the summit of Hawk Hill? Well, the reality is I really thought hard about looking at the maps, understanding where the heck I was going so I would have sure visibility. I made sure that from a detection standpoint, I really understood what the risks were going up. And then finally, hydration, sleep, all of those things gave me the right resilience. And I'm excited to say that I did get to the top of that hill and I did reach the true summit by relying on my data and the context that I had in hand.
And now I'm absolutely going to extend this approach to everything I do. This data-centric approach really is life changing.
So, I want to thank you and I hope to hear what your teams can accomplish using this data-centric approach. Thank you very much.