UPDATED 17:24 EDT / OCTOBER 01 2013


Without Data Analytics, Security Experts Can’t Do Their Job | #splunkconf

Jesse Trucks, a Cyber Security Engineer with the Oak Ridge National Laboratory, discussed ORNL’s experience with Splunk and the latest security trends with theCUBE co-hosts John Furrier and Dave Vellante, live at Splunk .conf2013. Oak Ridge National Laboratory is a multiprogram science and technology laboratory and part of the U.S. Department of Energy. It conducts basic and applied research and development to increase the availability of clean, abundant energy, restore and protect the environment, and contribute to national security. The lab was an early Splunk user, adopting the solution in 2006.

 

Trucks explained that while Splunk used to be a log tool for accessing several machines without logging on to each of them, “now it is actually a data analytics platform. I never realized how much of a data geek I was” before having Splunk available, he added.

Beyond just looking at logs, Splunk looks at the data and analyzes it. ORNL has to keep track of large amounts of data, all the time. With Splunk’s ability to do statistical analysis on a broader set of data from all of the lab’s machines, “we can see patterns that we didn’t see before,” Trucks explained.

Splunk has “become more than just a framework, but originally it’s a framework that allows us to drill down into our data. It’s become a reporting platform. We’re starting to use it for non-security operational things,” Trucks stated. “Using Splunk to mine and visualize data, we see things that we couldn’t in a stock application that has a limited view.”

Comparing Splunk to the open source solutions Elasticsearch and Logstash, Trucks said the two offered limited ability to do data visualization. With Splunk 6 Enterprise, “data modeling allows you to use the information more without being super techie. I don’t think they’re mature enough for non-technical users.” With Splunk, he could create an account and give it to someone who would then get the data they needed without being tech savvy.

On analytics + security

 

Asked how security had changed in the last decade, Trucks said “the biggest difference in the security landscape is that the volume of attacks has increased to the point where it really is just a fire hose. You have to use tech that are capable of adapting. The successful attacks have become extremely complicated because they are driven by human actors. The complexity in how you look at your system has evolved. Without data analytics, we cannot do our job.”

Analytics, Trucks explained, lets security experts keep track of system logs and network device logs, all of which go into Splunk. By running searches, they can see relevant activities and patterns, such as an unnaturally high number of account authentications or authentication failures. “We see patterns that emerge to show intrusion activity,” he said.
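The two points above (statistical analysis across all machines, and unusually high authentication-failure counts) can be shown together. The following is an added example, not code from the article, ORNL or Splunk: it pools failed-login lines from several hosts and flags a source that stays quiet on each machine but stands out fleet-wide. The log format, host names, addresses and the median + k × MAD threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Simplified sshd-style failure line, prefixed with the reporting host (assumed format).
FAIL_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def build_sample():
    """Constructed log lines from eight hosts; every value here is made up."""
    hosts = [f"node{i:02d}" for i in range(1, 9)]
    lines = ["node01 sshd[99]: Accepted password for user0 from 10.0.0.10 port 22 ssh2"]
    # Ordinary users mistyping a password on their own host.
    for i, host in enumerate(hosts):
        lines.append(f"{host} sshd[100]: Failed password for user{i} from 10.0.0.{i + 10} port 22 ssh2")
    lines.append("node01 sshd[101]: Failed password for user0 from 10.0.0.10 port 22 ssh2")
    # One source failing only twice per host: quiet on each machine, loud in aggregate.
    for host in hosts:
        for user in ("admin", "backup"):
            lines.append(f"{host} sshd[200]: Failed password for invalid user {user} from 192.0.2.50 port 22 ssh2")
    return lines

def failures_by_source(lines):
    """Return {source: Counter({host: failed_logins})} over all hosts' logs."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            per_src[m["src"]][m["host"]] += 1
    return per_src

def flag_outliers(per_src, k=5.0):
    """Flag sources whose fleet-wide failure total exceeds median + k * MAD."""
    totals = {src: sum(hosts.values()) for src, hosts in per_src.items()}
    med = median(totals.values())
    # MAD is 0 when most sources look alike; fall back to 1 so the rule stays usable.
    mad = median(abs(t - med) for t in totals.values()) or 1.0
    return {src: (t, len(per_src[src])) for src, t in totals.items() if t > med + k * mad}

if __name__ == "__main__":
    per_src = failures_by_source(build_sample())
    for src, (total, hosts) in flag_outliers(per_src).items():
        worst = max(per_src[src].values())
        print(f"{src}: {total} failures on {hosts} hosts (at most {worst} on any one host)")
```

On any single host the flagged source produces no more failures than a user who mistyped a password twice, so a per-machine review would not separate the two; only the pooled count does.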

Trucks advised security practitioners to become members of InfraGard, an FBI-supported initiative that helps organizations understand the newest threats. He also stressed the importance of having “a holistic view of your organization, understanding how your people and applications work.” Businesses don’t invest in security because it can be expensive, but the alternative is an immense cost in case of a breach: stock price loss, reputation loss and customer loss, which ultimately amount to a lot more than what they’d spend on security measures.

