Stop the world, I want to get off. Oh! It stopped…

Sitting here in my home office reflecting the potential problems the world faces both in the short term and longer term, I can’t help but think back to my career before coming to Splunk. That time was spent on the ground working ‘in the real world’, maintaining the operational and security state of systems and networks. I can empathise with the huge pressures the entire IT chain from CIOs, CISOs, IT Managers and IT admins are under right now.

As the global workforce moves to new ways of working, as CEOs are fighting for our companies, and as health and emergency services around the world are preparing for a crisis not seen for many decades, I find myself wondering ‘what is it that I can do to help my customers, my company and my family?'. This is a question I think we should all be asking ourselves.

We are living in a time where that Business Continuity Plan must have been designed, tested and battle hardened. Sadly, for many businesses I know this has always been a ‘nice to have the time’ exercise and mostly always pushed down the priority list in favour of new business, or more pressing business operations. That being said, the question still remains. How can you help your company, no matter how big or small?

Whilst many organisations have temporarily ceased trading, a lot continue on skeleton staff, or staff that have migrated to home. The facts are that for many organisations, the workforce is severely stretched, working hours have changed whilst we support families, IT network traffic patterns have changed whilst users are on VPNs, hardware may have been sent out the door at pace and may not comply with best practice or corporate policy at the outset, or indeed for the ongoing period of social distancing. 

  • For those organisations that have closed temporarily, does the IT equipment remain switched on and operational?
  • Does the company's external presence still exist and if so, is it actively monitored for security threats?

Of course, from a security perspective the adversary knows how to take advantage of this weakened position we find ourselves in. There has been increased activity of both nation state and non nation state sponsored actors. At a time when the UK government is considering the use of the military to help with the healthcare response, there have been media reports of the Royal Navy escorting Russian warships away from UK borders in a period of ‘unusual high activity’. Further testing the UK's capability for domestic stability and security. Anecdotally, as I live three miles from an active Air Force base I witnessed two Typhoons scrambled overhead last week in what I’m presuming (read ‘making massive assumptions’) was on a similar mission.

Electronically there has been a big increase in email phishing scams, socially engineered phone calls to home workers, and increased malware activity. From sextortion, to imitating the World Health Organisation. From TrickBot installers to Bitcoin scams and significant rises in the amount of SSL certificates with host names like ‘corona’ and ‘covid-19’ being registered to stand up infrastructure designed to take advantage of the situation in one way or another. 

Covid-19 and E-mail Scam


Perhaps the most devastating attacks at a time like this lie in attacks to healthcare and the healthcare supply chain. Today a UK government official reported that 72 million pieces of protective equipment (PPE) has been delivered to NHS hospitals in the last two weeks alone. That kind of manufacturing and logistics problem is almost beyond comprehension to me, and especially if I think about how that looks at a global scale, both practically and with my ‘Cyber head’ on.

Back in October 2018, WannaCry ransomware shut down a third of hospital trusts causing more than 19,000 operations to be cancelled, 200,000 infected computers and a subsequent bill of £92m.

Now more than ever, organisations need increased visibility of the vast quantities of data from the systems that tell exactly what is happening right under their noses. The crucial point to data visibility is of course the ability to get answers from it. Simply stored in a data sump, it is about as much use as it was when it was buried in electronic devices and network cables. Data lakes and sumps must have the capability to be investigated ‘at will’. Sadly the downfall of many data lake projects. Data must be accessible. An ‘investigative lake’ if you will.

Typhoons fly at supersonic speeds, data flies around our networks and servers at ever-increasing mind-boggling speeds. The need to bring data to every question, every decision and every action an organisation takes has never been more real.

More tactically, if you work in security, network, server or endpoint operations, now more than ever you are needed to maintain the operational and secure state of them whilst trying to find which way is up. Fortunately, if you do work in this space you are probably more comfortable remote working than some of your colleagues, due to oncall or general working patterns that have supported this remote approach in IT for years now. For many in IT, connecting to a VPN or using web based conferencing software is ‘not their first rodeo’. If you haven’t seen it already, Splunk have released a blog series, WFH: Welcome to the New Normal designed to pull together content, lessons learnt and best practice for monitoring Security, and IT Ops. Grab a coffee, and chill in between Zoom meetings (other web conferencing software does exist - apparently!).

A little known secret in the Splunk armour that may just help remote workers is Splunk Connected Experiences. It is as simple as downloading the Splunk Cloud Gateway app from Splunkbase, and placing it on your Splunk installation. From there, you can send dashboards and alerts to mobiles, and tablets all in a neat package. This might just keep both you and your organisation's leadership team ahead of the curve, and make all the difference.

Here’s a schematic: 

Splunk Cloud Gateway

What’s neat about Connected Experiences, is your family will absolutely love Splunk dashboards on your 60” Samsung smart TV. OK maybe not, maybe just keep it on your mobile device and keep the TV free for Disney+.

Threats like ransomware are not going away anytime soon. Evidence shows the adversary loves to increase activity during vulnerable times, over regional holidays for instance when monitoring activity is degraded. The recent shifts in working patterns exacerbate this. Many organisations will be more vulnerable at this time. I fully expect that the current situation the world finds itself in right now will be exploited for intellectual gain and criminal profit. We must do what we can now, and continue to work hard to free data so that it can be investigated and exploited for practical benefits in future. 

Who knows maybe one day Splunk will go supersonic too! Quantum Computing INC. Announces Technology Partnership with Splunk INC.

Stay safe, and reach out to your local account team to chat all things Splunk, or just to stay sane. I personally will enjoy many coffees with my customers over Zoom!

The world did not really stop, it’s just temporarily bent out of shape and moving a little slower than usual!

Happy Splunking, and happy WFH!


Derek King

Posted by