Splunk’s SURGe initiative seeks to raise cybersecurity response to a new level
On a chilly night in mid-December, security researchers at Splunk Inc. began to see numerous references to SolarWinds pop up in Slack channels and security forums frequently used by those who guard major public and private network systems against attack.
It didn’t take long for the security community to suspect that something big was happening, and they were right. The SolarWinds software supply chain hack quickly emerged as one of the most significant security compromises of the young decade.
The event prompted one Splunk security analyst to ask the obvious question: What was missed and what could be done about it? A quest for the answer has led to the formation of a novel security research team called SURGe, focused on solving big security issues using Splunk tools while helping customers respond to fast-breaking cybersecurity events.
“It was something we almost immediately knew was a gap,” said Ryan Kovar (pictured), distinguished security strategist at Splunk. “How do you actually detect this? There’s not a great answer, and that really bothered me. That was part of the reason that we founded the team.”
Kovar spoke with John Walls, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the Splunk .conf21 Virtual event. They discussed the team’s research focus and the importance of creating tools to quickly navigate rapidly spreading incidents. (* Disclosure below.)
Creating consumable tools
Accompanying the announcement of the newly formed SURGe group was a whitepaper authored by Kovar and another Splunk security strategist. The report — “Detecting Supply Chain Attacks” — is part of a series of research projects that the Splunk team plans to pursue.
“What we’re focused on is how to create things that help every size of business,” Kovar said. “You may never be able to have the headcount of a Fortune 100 company, but thanks to the power of software and tools and things like the cloud, you might have some force multipliers that we’re hoping to create for you in a much more packaged and consumable method.”
The concept behind the SURGe initiative is to become better prepared to deal with the next significant attack by focusing on in-depth analysis of the news and using the most practical tools to quickly navigate an incident. Kovar has characterized this as “blue collar for the blue team” in a recent blog post for Splunk.
“We go to conferences, and we talk from wizard to wizard; we sit in our ivory tower onstage and proclaim how to do things,” Kovar said. “Sometimes those sound great, but they’re not actually helping people in their job today. We’re creating things that we hope you can immediately take home and implement.”
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the Splunk .conf21 Virtual event. (* Disclosure: TheCUBE is a paid media partner for Splunk’s .conf21 Virtual conference. Neither Splunk Inc., the sponsor for theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
Photo: SiliconANGLE