In today's always-on, ever-connected world, keeping digital systems secure and reliable is not just a goal, but a business imperative — it is now a boardroom-level conversation. With the increasing complexity of digital systems and ever-growing event volume, organizations face a constant battle to protect their systems, data, and reputation from a myriad of threats. Simultaneously, they need to optimize system performance, identify bottlenecks, and enhance the overall user experience. Historically, security, ITOps and engineering teams have worked largely within their own domain, with their own separate dedicated tools and processes. When teams needed to work together, it was often ad hoc, with processes stitched together with duct table and bailing wire. These are increasingly proving suboptimal and misaligned with the system realities, threat volumes and performance demands of today’s digital world.
In this blog, I will delve into the findings and recommendations provided in the timely white paper authored by ESG, "The Business Case for Unifying Security and Observability: Strategies for Forward Thinking Technology Leaders." I will explain how Splunk is enabling organizations to unify security and observability operations, to build digital resilience.
Siloed Approaches Are Hampering Teams, Increasing MTTD and MTTR
Security, ITOps and engineering teams are under increasing pressure to do more with less, even as the complexity of systems and volume of incidents continues to grow. Staffing and skills shortages only exacerbate the challenge. These teams do need domain specific tools, but standalone tools often fail to provide the complete enterprise context needed for accurate detection, investigation and response. For example, organizations that rely on disparate tools across security and IT likely struggle to understand how an outage in a cloud service might be connected to a threat affecting their networks. Similarly, teams may not be able to understand how a proposed resolution in their domain may have downstream impacts on the systems and services in other domains. The lack of comprehensive and shared visibility also results in misalignment in prioritization and response — as the ESG analysts note “When a security team finds an unprotected data flow in an application or a misconfigured router setting, it ‘throws these issues over the wall’ to software development or IT operations teams, who each have their own way of analyzing data, prioritizing responses, and resolving these issues. Remediation may also be hamstrung by manual processes or held back in anticipation of some future software release cycle. Process overlap and redundancy can add hours, days, or weeks to critical system problems.”
I hear this in almost all my customer conversations — technology leaders are frustrated by the wasted cycles and elongated service disruptions resulting from a siloed approach. Little wonder then that our research into State of Security found that 81% of organizations are converging aspects of security and IT operations, and 61% are converging aspects of security operations and observability. Respondents most often believe convergence will help with overall visibility of risks in their environment (58%) and that they will see improved cooperation in threat identification/response processes (55%). In our research on State of Observability, organizations note that the visibility afforded by observability solutions also helps them better uncover and evaluate security vulnerabilities — and once these issues are found, they are also acted on and fixed faster.
A Thoughtful Unification Strategy Benefits All Teams
The ESG white paper prescribes an approach to unification that I have seen work well for many of our customers. They point out that unification is not a matter of standardizing on one single tool. Just the opposite: security, ITOps and engineering teams need domain-specific technologies designed for the nuances of their jobs. But this needs to be underpinned by a common data plane that aggregates data across IT, security, and engineering technology, breaking down silos of information and myopic views.
As you build out this architecture, your primary objective should be to harness the data from across systems and services in order to build context-rich, cross-functional insights that denoise your environment, and speed your teams’ ability to detect, investigate and resolve service interruptions or security threats. For example, ManpowerGroup uses Splunk to provide instant access to data that supports better decision-making across teams. Different teams look at the InfoSec dashboard for different reasons. The audit team looks at it for policy compliance, IT teams may look at it for patch management. As Mike Friedel, ManpowerGroup’s director of global information security eloquently states “With Splunk, we’re all playing from the same sheet of music”.
Beyond just faster MTTD, MTTR and streamlined processes, there are real cost efficiencies to this approach. Our internal analysis shows that there is an 85% overlap between the data used by security and IT teams. When you consider that any single source of interesting data is likely being used, reprocessed (and paid for) by multiple teams to ask different questions of that same data, the cost benefits are self-evident.
Splunk Is Your Partner in Enabling Unification and Driving Your Resilience Journey
Here at Splunk, we are honored to partner with organizations across the globe to help them on their journey of building resilience, and unifying security and observability. If you were at .conf23, you would have heard from many customers on this theme. For example, Magnus Lord, Splunk Functional Expert from Inter IKEA talked about how IKEA started their Splunk journey with security (SIEM), and soon realized that the same data could be used for IT Operations. Splunk Observability gives their teams a holistic view of the underlying application and service operations to maintain service levels and deliver better internal and external customer experiences. Alex Tabares, Sr. Director of Threat Intelligence and SecOps, Carnival Corporation talked about how his team uses Splunk to monitor their 9 global brands, with 90+ ships sailing to 700 different destinations.The ships are ‘floating cities,’ and their systems need to be safely up and running at all times. Splunk provides visibility to the data so that the IT and security teams can work together to drive digital resilience and provide the best guest experience. With Splunk, over the last 3 years, Carnival has improved the stability metrics of their systems by over 70%.
Splunk brings together all the key capabilities security, ITOps and engineering teams need to drive faster detection, investigation and response. Splunk is a leader in both Security and Observability. Our security and observability products are powered by the Splunk Platform, which provides unparalleled visibility at scale across your digital environments. This enables you to bridge the islands of data, making data access and visualization easier, and conduct cross-domain analysis and correlation while optimizing costs. The Splunk portfolio harnesses the power of Splunk AI to guide detection, investigation, and response augmenting the power of humans — but keeping them in control — to solve complex problems quickly and with greater efficiency.
By consolidating data and breaking down barriers between security and observability, Splunk enables organizations to reduce alert fatigue, respond to threats and performance issues faster, and optimize their resources. Whether it is dealing with an unexpected spike in traffic, or a potential security vulnerability resulting from a code change, Splunk helps streamline incident detection, investigation and response across teams, reducing churn and enabling faster MTTR. With Splunk’s unified approach, organizations can ensure that security incidents are not viewed in isolation but are analyzed in the context of system performance and user experience, and vice versa. This holistic approach allows organizations to prioritize actions based on business impact and maximize the value of their investments in security and observability, building digital resilience.