When I first became familiar with Splunk years ago, I thought of it as a freeware log management tool for inquisitive security analysts. Useful for general purposes, but I didn’t see it as a true enterprise security management system, a category defined by vendors like ArcSight, Intellitactics, and Network Intelligence at that time.
Boy, was I wrong! Fast forward to 2015 and there is no question that Splunk is a market leader and building on its momentum. I just returned from Splunk’s annual user event, .conf2015, in Las Vegas. Here are a few of my observations and impressions:
1. Splunk has something that every high tech company aspires to but most never achieve – a passionate user base. I talked to a lot of Splunk customers and the story is almost always the same: They first purchased Splunk for its flexibility, applied it to a specific area, and then created a few dashboards to help solve some type of problem. Over time they repeated this process, pointing Splunk at a variety of other issues. You get the picture – by 2015, large organizations have figured out a myriad of use cases for Splunk across the enterprise, and are only too happy to share these stories with other Splunkers.
2. Security analysts tend to behave like rogue detectives when conducting investigations – they poke and prod at the data, follow their instincts, apply open source tools, and chase every possible lead. So what’s the problem? Cybersecurity professionals can get lost in the crime scene, pursue dead end leads, and fail to document each step of their investigations. Recognizing this inefficient pattern, Splunk added two features in its new Enterprise Security (ES) 4.0 called the investigator timeline and the investigator journal. Combined, these new features can be used to capture investigation processes, documenting each step in sequence with supporting notes. This simple addition should really help organizations streamline investigations while providing an investigations methodology blueprint that can make junior analysts more productive.
3. Splunk seems to have carved out a good role for cloud security monitoring. In fact, many users have figured out ways to tap into various Amazon APIs, collect cloud data in Splunk, and keep an eye on the security status of cloud-based workloads. This obviates the need for stand-alone cloud security point tools and gives Splunk users common management oversight for on-premises and cloud-based workloads. Enterprise CISOs should be especially attracted to this capability.
4. Splunk is a proverbial cybersecurity tabula rasa, and many users have figured out how to weave it into a potpourri of use cases. As a company, Splunk not only encourages this activity but also promotes it heavily so users can share their experiences. I sat in on numerous sessions where Splunk was a central component for incident response; threat intelligence collection, processing, and analysis; anti-fraud; insider threat detection; endpoint security; and more. In this way, Splunk endorses a community-based “network effect” where everyone can benefit.
5. I got a sneak peek at Splunk User Behavior Analytics (UBA), which is the first fruit of the company’s recent acquisition of Caspida. UBA baselines user activities, detects anomalies, and then analyzes these anomalies to sort false positives from real risks. Now, you can do some of this analysis with the base ES or Splunk platform (as well as other SIEM tools), but UBA really helps automate this process for organizations that are especially vulnerable to devastating insider attacks (e.g., military, intelligence, defense contractors, high tech companies, etc.). Yes, there are other independent tools for user behavior analytics, but Splunk shops will appreciate the tight integration and symbiotic product roadmaps here.
As one of the themes of the event, Splunk is pushing a notion of analytics-driven security. This aligns with the initiatives I see at leading enterprise organizations putting Splunk (and others of course) in the right place at the right time.
Of course, not every organization is a Splunk shop today, but given the current state of cybersecurity, Splunk should have plenty of opportunity ahead. To promote the Splunk effect to outsiders, Splunk should continue to “can” the collective wisdom of its installed base by doubling down on professional services and accentuating go-to-market programs with key partners like Cisco, Fortinet, and Palo Alto Networks. Splunk should also continue its effort to proliferate Splunk within academic and professional cybersecurity education and training programs. Finally, Splunk should further emphasize vertical industry solutions – especially as cybersecurity intersects with IoT.
Splunk .conf2015 felt more like a family reunion than a technology user conference, and the company deserves a lot of credit for establishing this type of community. With all of the rhetoric and hype in the cybersecurity market these days, it’s refreshing to see a technology that CISOs are not only using but embracing.