If you stopped by the Splunk booth at RSA Conference this year, you probably heard us talking about “chaos.” And what better place to discuss chaos than the largest, busiest and loudest global security event of the year?
Yes, cybersecurity professionals around the world are living in chaotic times. Just look at the news coming out of RSA this year—nation-state hacks continue to rise, concerns around data privacy are mounting and several cybersecurity executives went before Congress to discuss their latest challenges with emerging threats. At the center of it all? Data. As data continues to anchor every Security Operations Center (SOC), it’s important to embrace the chaos.
Here are three things to remember to help your SOC thrive.
1. Data Is Everywhere—Even in Places You Don’t Suspect
I could talk all day long about the prevalence of data and its endless growth and potential. Data is everywhere, it’s continuing to expand much like our own physical universe, etc., etc., etc.—but you already know that. While the echo chambers of the cybersecurity world will talk about digital transformation all day, what they often don’t mention is that in a constantly changing world, data is popping up in places you wouldn’t think to look. For instance, the recent discovery that US soldiers were inadvertently leaking information about the location and layout of military bases worldwide through their fitness tracking applications.
This requires a security platform and ecosystem that supports the modern world, and the modern world doesn’t operate with data that is simply on-prem or in the cloud, but rather hybrid, virtualized and spread out across more systems than the analyst’s eye can see. Every part of your security ecosystem must be scalable and open, but to achieve that, you need portability across both clouds and data centers.
2. Security Operations Is More Than Just Search
On the road, I talk a lot about our vision for “SOC 2020,” which details 10 capabilities every SOC should require to stay ahead of cyberthreats. When most people think of security data, they immediately think of investigation, but the truth is, investigation is just one part of the data analytics puzzle. Any security tool that sits at the heart of the SOC must not only be able to investigate using data, but also detect, predict, automate, collaborate, recommend and orchestrate with it.
The bottom line is—Security Operations is a lot more than search. If you’re only executing on search in the SOC, you're doing about 10% of the job. However, once the proper tools are put in place to control and embrace the chaos, security analysts should be able to automate 90% of their tier-one SOC work, getting precious time back to focus on higher-order activities and become more proactive at managing security strategy and business risks. Today’s world of automation, propelled by SOAR, is the new entry point for modern security strategy.
3. Your Security Data Only Goes As Far As Your Security Ecosystem
One of the most consistent things I hear when speaking with longtime Splunk customers about what makes our technology stand out above the others is our large ecosystem of partners and user community. Because Splunk is data agnostic and can ingest data no matter the source, it’s been easy for our ecosystem to deliver over 850 security-relevant apps on Splunkbase. And because data in its native state is often chaotic, messy or unorganized, it’s important that security tools offer open APIs and services that outside vendors can plug into. This kind of ecosystem should be a design requirement of whatever technology you put at the heart of your SOC.
This is especially important given evolving concerns around data privacy. While open APIs are good for security strategy, sharing your data and not knowing how it will be used or whom it will be shared with is not, and could lead to chaos that can’t be contained. Think twice about which vendors you're sharing your data with, and make sure that effective privacy controls are in place.
The truth is—security is hard. Data chaos is a component of that, but with the right hybrid approach to monitoring, detecting and acting on your security data, it doesn’t have to be so difficult. As the industry (and data) continues its endless expansion, don’t be afraid of the chaos, and remember—chaos breeds opportunity, and opportunity welcomes innovation.