

One of the biggest and most promising trends in the security business today is the union of data analytics and security in one package. A number of leading products have built analytics into their security platforms, and it figures to be a big field yet again in 2014. Perhaps none of these examples is as interesting as Splunk, which finds itself at the center of the current cybersecurity landscape through the use of its advanced data analytics. Splunk shared some of its perspective on the year ahead when we discussed these topics with Joe Goldberg, senior manager of product marketing at Splunk.
Goldberg sees three key categories of threat: nation states, cybercriminals and malicious insiders. In the classic APT bucket, the challenge is that these attacks are not signature based, so relying on signature-based tools is a losing proposition. The enterprise needs more advanced technology to detect and react to these types of threats. That means investment in better tools, and investment in security practitioners. Splunk's growth is well over 50% year over year, with more than 6400 customers, 2500 of which are security customers, and Gartner recognizes it as the fastest-growing SIEM vendor. Analytic security is taking off like wildfire, and the only gap Goldberg sees is the availability of the security personnel needed to run these tools. That is the case with a lot of tools in the industry: options abound, but there is a dearth of qualified people to deploy them properly. That will be a big movement for 2014, as outlined in the predictions, and a premium will be put on finding talent that is familiar with, and can think like, a cybercriminal. There will be more hiring of "red teams", that is, specialized teams of hackers for hire that execute advanced penetration testing.
Whether it's bleeding-edge applications, SCADA devices or the burgeoning Internet of Things, all of these should be properly written and hardened prior to production, but sometimes that's just not possible. Many could have been written ten or fifteen years ago, so having Splunk as a tool for anomalous event detection is critical for the evolving enterprise. Additionally, some 80% of advanced attacks are traced to things like spearphishing or social engineering. These are extremely difficult to defend against without analytics. By determining what normal baseline behavior looks like, real-time detection of deviations is possible, and one can even predict what should be happening in an environment based on those norms. So collecting and analyzing data is all well and good, but the real trick is accurately detecting and analyzing what is a threat, because there is a lot of data to sift through.
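The baseline-then-deviation idea above, as an added, stand-alone Python example (not Splunk's code or search language): per-user norms are learned from a history of authentication events, and new events are flagged when they break those norms. The log format, user names, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
# Constructed sample authentication events, not real data: a history used to learn
# each user's norms, then new traffic scored against those norms.
BASELINE_LOGS = [
    "2014-01-06T09:02:11 user=alice src=10.1.4.22 result=success",
    "2014-01-06T09:15:40 user=bob src=10.1.4.31 result=success",
    "2014-01-07T08:58:03 user=alice src=10.1.4.23 result=success",
    "2014-01-07T10:21:19 user=bob src=10.1.4.31 result=failure",
    "2014-01-07T10:21:45 user=bob src=10.1.4.31 result=success",
]
NEW_LOGS = [
    "2014-01-09T09:01:55 user=alice src=10.1.4.22 result=success",
    "2014-01-09T03:14:02 user=alice src=203.0.113.9 result=success",
    "2014-01-09T10:00:10 user=bob src=10.1.4.31 result=failure",
    "2014-01-09T10:00:12 user=bob src=10.1.4.31 result=failure",
]
def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with day and hour split out."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev.update(day=ts[:10], hour=int(ts[11:13]))
    return ev
def build_baseline(events):
    """Learn per-user norms: source addresses seen, login hours seen, failures per day."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set(), "fails": defaultdict(int)})
    for ev in events:
        b = base[ev["user"]]
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["hour"])
        if ev["result"] == "failure":
            b["fails"][ev["day"]] += 1
    return base
def find_deviations(baseline, events):
    """Score events against the baseline; return one (user, reasons) tuple per deviating event."""
    alerts, fails_today = [], defaultdict(int)
    for ev in events:
        # A user with no history has an empty baseline, so everything about them is unusual.
        b = baseline.get(ev["user"], {"srcs": set(), "hours": set(), "fails": {}})
        reasons = []
        if ev["src"] not in b["srcs"]:
            reasons.append("unseen source " + ev["src"])
        if ev["hour"] not in b["hours"]:
            reasons.append("unusual hour %02d" % ev["hour"])
        if ev["result"] == "failure":
            fails_today[(ev["user"], ev["day"])] += 1
            worst = max(b["fails"].values(), default=0)
            if fails_today[(ev["user"], ev["day"])] == worst + 1:  # alert once per burst
                reasons.append("failure burst: above baseline max of %d/day" % worst)
        if reasons:
            alerts.append((ev["user"], "; ".join(reasons)))
    return alerts
```

Running `find_deviations(build_baseline(map(parse_line, BASELINE_LOGS)), map(parse_line, NEW_LOGS))` flags alice's off-hours login from an unseen address and bob's second failure of the day, while alice's routine morning login passes silently.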
Goldberg points out how nascent this is, as security is only 30% of the company's business. The rest is composed of ops and management, but they all bleed together because all data is security relevant. As we've seen, sometimes the fingerprints of advanced malware are performance based, and thus Splunk's capabilities become that much more critical.
Splunk is seeing a number of competitors in the security analytics game, but Goldberg points out that they tend to be disparate products bolted together. Known as "FrankenSIEMs" in certain circles, they certainly look great in marketing documents, but when compared with Splunk's unified UI and datastore the differentiation is very clear. Splunk also features a big data architecture, incorporating any kind of machine data from any source, indexing all of it and implementing very fast search. Some customers index as much as 100TB of data a day and can return search results on this data in seconds or minutes. The use cases for Splunk go beyond just security, which makes it a good point of investment. In some cases customers are even using it for real-time fraud detection.
Goldberg says that Splunk is also easy for the enterprise to consume. All it takes is one person in the organization, perhaps a bit more open-minded than usual, looking for a solution to a problem. It's practical and free to download. From there the product scales on its own because it's intuitive, easy to use and adds so much value.
“If you can use Google, then you can use Splunk”
Customers are starting to outsource this as well, through managed service providers and hybrid partners that can really help SMBs and mid-size companies, which are as vulnerable and as targeted as any other business in the industry.