Damaging news reports of data breaches at familiar companies like Uber Technologies Inc. and Equifax Inc. are scaring enterprises straight. The anxiety is good for business in the cybersecurity technology sector. The big data security software market is expected to swell from 2016’s $10.63 Billion to $26.85 Billion by 2022. But it’s not like the goats in the headlines weren’t using cyber defense tech. Are the new products any better? How can information technology and security teams convince C-level executives their investments will be worth it?

“The problem is, at the end of the day, the adversaries live in the seams,” says Brad Medairy (pictured), senior vice president at Booz Allen Hamilton Inc. Vendors may hone individual security tools to be very good at a given, well-defined task, he said. But any missed spots are exploitable by attackers who can slip into the thinnest cracks.

Nevertheless, cleverly-marketed security software finds plenty of takers in well-meaning security pros. At industry powwows like the RSA security conference, “I watch a lot of folks in the space walking around with a shopping cart. And they meet all these great vendors, and they have all these shiny pebbles,” Medairy said. Chief security officers walk away thinking they’ve procured the silver bullet, at last; that if they implement this tool or technology, they’re good to go, he said. “And I think we all know that’s not the case.”

Mediary related his lessons on what effective security looks like in an interview at Splunk .conf2017 in Washington, D.C. His years fighting terrorism led to his faith in the data-centric approach. Fighting adversaries at the data level, instead of within parameters set by specific tools, is a more advanced approach, he said. “All these tools work really well — within their own ecosystem,” he told John Walls (@JohnWalls21) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio. “But as soon as you start to mix and match best-of-breed tools and capabilities, they tend to not play well together.” (* Disclosure below.)

BAH uses the Splunk Inc. data platform as its “integration hub.” The 103-year-old management consulting firm then brings its “trade craft” and “tech craft” to bear on that data in full, Medairy said. This boosts its efforts to proactively hunt and understand the adversaries of its clients in government and elsewhere, he explained.

The company cooked its approach into Cyber4Sight, an add-on for Splunk Enterprise Security.

Sec officers’ fundraising  platform

A data platform for security, as opposed to a simple tool, might be a swifter sell across departments, and to management too.

TransAlta Corporation is a power generator and wholesale marketing company based in Calgary, Canada. Before 2009, cyber security was not a high priority for the company, Kent Farries, IT security at TransAlta, told theCUBE. In that year, it first implemented a security information event management solution. (A SIM is basically log management.) Farries and his colleagues found that the SIM did not turn up the information needed to detect and respond to threats.

The problem is that a SIM is vertical; it is built to serve one purpose, Farries said. It’s a security tool for the security team. Drawing in and dispersing data logs to other departments can be rickety, he said. The company eventually switched to Splunk for better cross-department data management, he said.

“It’s a platform for us, so we bring all the data in, it’s consumed by IT security, it’s consumed by DevOps and operations,” Farries said. The desktop team can also use it to detect application problems. Security can use all data brought in from any endpoint for detection and forensics capabilities, he said. “So for us it’s like a fabric, a foundation.”

Security can freely build use cases on the fly with the Splunk platform, says Ikenna Nwafor, senior information security specialist at TransAlta. Historically, this was far from the case, he said. “We would most likely need to engage a third party contractor […], somebody who is a specialist in that field,” he said.

Cross-department utility and a holistic view of security programs highlight another Splunk benefit: “Being able to communicate with the stats to senior management around getting the necessary buy-in to proceed with whatever initiatives we want […],” Nwafor said.

Turn compliance yellow lights green

The flexibility of a platform may help some industries out of sticky data compliance spots.

No one knows Byzantine compliance rules like the healthcare sector. Rhode Island Hospital — the teaching hospital of Brown University — ran into a regulatory impasse in its diagnostic imaging department. The department uses magnetic imaging resonance as well as computed tomography scans to diagnose patients. “You could get MRIs all day long,” Derek Merck, director of computer vision and image analysis at RIH, told theCUBE. Unlike MRIs, however, CT scans should be kept to a minimum since overexposure can cause adverse skin reactions and other problems.

The hospital became aware that Medicaid could reduce reimbursement if it could not prove that it was using ionizing radiation properly. No one really knew what that meant; Medicaid did not spell out guidelines, Merck said. “These vendors are coming in, they’re trying to sell us solutions that are, like $100,000 licenses,” he said. The hospital’s administration took the regulation seriously, so Merck and staff from the CT team came up with a system using Splunk.

“We use Splunk to collect meta information about how all the scanners — system wide — are being used,” he said.  They built dashboards to show, per institution, the average dose per protocol, per body type. They can also ticket outliers, or higher-than-average doses, and justify them in the event of inquiry, he said.

Offense is the new defense

The flexibility of a data-centric platform gives security pros more than a blinking red light to panic over, Medairy says; it gives them a chance to counter it like an expert, not a pre-fab tool.

Imagine a financial services company facing a nation-state attacker with advanced tactics, techniques and procedures, Medairy says. “I’m the CISO, I’m the CIO. Should I resign? Should I jump out the window? What do I do?” It is one thing to know that bad guys are after the company — it is another to operationalize intelligent response, he says. “I think where the industry is going is, how do you take offensive tradecraft and apply it to defensive?”

Watch the complete video interviews, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of Splunk .conf2017. (* Disclosure: TheCUBE is a paid media partner for the Splunk .conf2017 event. Neither Splunk Inc., the event sponsor, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE