SURGe: Blue Collar for the Blue Team

TL;DR: Splunk has a new security research team focused on in-depth analysis of the latest cybersecurity news to help the public navigate security incidents with confidence using Splunk. Check out our new site splunk.com/surge for more information!


It was a cold, windy night on December 13th when I first saw the word "SolarWinds" pop up in various secret-squirrel Slack groups that I inhabit, in phrases like "Does anyone use SolarWinds?", "Trying to find logs with DGA-generated avsvmcloud[.]com," or "Look out for incoming CISA alerts." I perceived something big was coming. Once CISA dropped Emergency Directive 21-01, I knew this compromise was a big deal. Taking reports from FireEye, CISA, and Microsoft, I started working at 2300 and sent up a flare for help on our corporate Slack. Ryan Lait and Shannon Davis in Australia responded. Around 0400, I turned the blog over to Shannon and Ryan and went to bed. We quickly published the blog on 14DEC21.

As we sorted through the embers of the SolarWinds fallout, I realized that we had a gap at Splunk. We had great technology and processes, but we weren't focused on the people part of the equation. We needed to help organizations solve their holistic security problems, not just detections. We needed to SURGe-up and help them when it mattered most. I realized then that I had a new mission at Splunk: to create a novel security research team focused on solving big security issues with Splunk while helping customers make sense of breaking cybersecurity news events.

SURGe Assemble

I knew that I wanted to create something different. Frankly, I wasn’t sure the world needed YASVRT (yet another security vendor research team). So I created a mission statement aimed at solving the problems of today and tomorrow, not problems for cyberwizards in the distant future. Mick Baccio quickly distilled that mission statement down to "blue-collar for the blue team." And that's SURGe in a nutshell. Practitioners, storytellers, and old UNIX plumbers who think differently and work on problems that we wish everyone had already solved.

SURGe members include Marcus LaFerrera, who has been hacking and defending networks since the mid-'90s; Audra Streetman, who recently pivoted from a career in journalism to cybersecurity; and Mick Baccio, a former presidential campaign CISO and head of Threat Intelligence at the White House. Longtime Splunkers Shannon Davis, James Brodsky, Dave Herrald, and John Stoner have helped solve cybersecurity problems for Splunk customers for many years. Add in Tamara Chacon, a competitive gamer, along with a matrixed team throughout Splunk, and we had the team ready to go.

Knocking Down Ivory Towers

We decided that SURGe would focus on two things to start: breaking cybersecurity news, and larger "practical" security research projects. From January onward, we stood up a "protoSURGe" effort. We made an internal promise to review every CISA alert or emergency directive (ED). If the alert was something that Splunk could help with, we would work around the globe to produce a timely, educational, (hopefully) amusing blog and provide "best-effort" detections. These detections are often immature, unscalable, and full of false positives or false negatives: what we affectionately call Splunkspiration. So why give them out so fast? Because it gets you further down the road than you were before. After publishing the blog, SURGe works with Splunk’s Threat Research Team (STRT) to create long-term quality detections released via Enterprise Security Content Update (ESCU).

But first, the spaghetti-on-the-wall detections to get you started. Interested in rapid response alerts, Splunkspiration, or spaghetti-on-the-wall detections? Great! You can sign up for our rapid response alerts at splunk.com/surge.

The second focus was on research projects. Since SURGe was founded in the wake of SolarWinds, we started researching detections for software supply-chain compromise. The work, primarily created by Marcus LaFerrera, turned into a white paper and a .conf21 talk "SEC1745C - Hunting the Known Unknown: Supply Chain Attacks." Further blogs and research derivatives will follow over the following weeks. Not only that, Dave Herrald and John Stoner have been hard at work creating a platform and educational workshops to deliver on bots.splunk.com. Over the next year, we will offer more and more research projects. I am not a lawyer, so keep these deliverables with a "forward-leaning" frame of mind.

Shouting From the Rooftops

Creating great content on splunk.com/surge isn't enough. Another one of the tenets of SURGe is public outreach. You can find Mick Baccio, Audra Streetman, myself, and producer Drew Church on "Coffee Talk with SURGe" every two weeks on LinkedIn Live (find us with the #coffeetalkwithsurge tag!). We plan to release two to four blogs each month on Splunk Blogs with the SURGe tag, and to attend and present at conferences worldwide. Look for our appearances on splunk.com/surge or the @splunk Twitter account with #SURGe.

So there we go, now you know about SURGe, who we are, and what we are doing over the next couple of months. If you've made it this far and you have questions about the name or the small "e" in SURGe… well, that's a wombat egg that you will have to ask me about in person over a cup of coffee. ;-)


Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.