Insight by Splunk

How data can improve your cyber situational awareness

Despite all the focus on cybersecurity over the last 15 years, agencies continue to struggle to protect their data and networks.

While progress is clear in some respects, with the shift in focus toward risk, including the first-ever cyber enterprise risk management report, the number of attacks, the sophistication of attacks and the types of bad actors are all evolving. And agencies, like nearly every organization, are struggling to keep up from both a technology and a workforce skillset perspective.

And OMB is updating two key documents to help agencies focus more on risk: the policy on high value assets and the policy on the trusted internet connection, or TIC, initiative. Both of those policies are expected this fall. The TIC policy is from 2008, nearly 10 years old, when the word “cloud” wasn’t in the federal vocabulary. The focus on high value assets started after the 2015 OPM data breach, and that policy is from December 2016, so it is nearly two years old as well.

This is happening while agencies are still trying to complete some of the basics of cybersecurity. The most recent report from the Office of Management and Budget found 64 percent of all civilian agencies are covering at least 95 percent of their hardware assets with a management capability that detects and alerts when an unauthorized piece of hardware connects to the network. OMB says only 65 percent of all civilian agencies are meeting the goal of having at least 95 percent of all software assets covered by a whitelisting capability.

Gary DePreta, the area vice president for defense, intelligence and aerospace at Splunk, said many of these challenges can be reduced if agencies and organizations better understand the data around their cyber threats and vulnerabilities.

“Situational awareness is one of their top challenges. The data that runs over their networks and through their devices is siloed in IT. They have a server group, an application group, a network group. But machine data doesn’t care what your organizational chart looks like. What agencies have to do foundationally, just the starting point, is to get access to all that data,” DePreta said on the Innovation in Government show. “A lot of agencies are viewing the data in security silos too. They say they have to look at their firewall data or we have to look at our network, our routers and switches data. What we say is they should not worry about the question they will ask before you decide which device you will look at, but you should ingest all your data and be able to correlate that. The days of known threats are long gone and today’s technology allows you to use things like machine learning and to look for anomalies in that data.”

DePreta said without that access to the data across the enterprise, organizations are at a big disadvantage.

The way to solve this is not by bringing in more tools either, he said. Instead, agencies and organizations should consider creating a data platform for all data—structured and unstructured.

“We are saying ingest machine data once and then use it for many purposes. One of the purposes is cybersecurity. But we also have enterprises who use it for predictive IT operations. We have manufacturers who use it for quality assurance and productivity in their manufacturing lines,” DePreta said. “Once you have the data in, you can ask it any questions you want. If you take a data platform approach, ingest all the data and look for the use cases or the questions you are trying to solve for, which can be cybersecurity or not.”

DePreta said the data platform approach also lets agencies consolidate the number of cyber tools they have as many are redundant and are not being used to their full capabilities.

“The platform approach is becoming popular because we don’t know what data is out there. Where tools are being created for a specific point problem like wanting to monitor firewall performance, but we have a problem of not knowing what we don’t know. So this platform approach lets you ingest all data and worry about the questions you have yet to think about later.”
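The “ingest once, ask many questions later” idea in the quotes above, and the unauthorized-hardware detection capability OMB measures earlier in the article, can be shown in a few dozen lines. The following is an added example written for this page, not Splunk’s code and not any agency’s tooling: it normalizes constructed DHCP and firewall log lines from two separate “silos” into one event list, then asks that single store three unrelated questions (unknown hardware against an inventory, inventory coverage, and an outbound-connection anomaly check), and finally joins the two sources so an unknown device is enriched with its firewall activity. Every hostname, MAC, IP address and the firewall’s key=value field layout is invented; the `mean + k·stdev` threshold is a deliberately simple stand-in for the machine-learning anomaly detection the article mentions.

```python
"""Added example, not Splunk's code: ingest two log silos once, ask several questions.

All sample data below is constructed for this example; hostnames, MACs, IPs and
the firewall's field layout are invented.
"""
import re
import statistics
from collections import Counter

# Constructed DHCP server lines (syslog-style).
DHCP_LOG = """\
2018-09-03T08:00:01 dhcpd: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:01 (ws-alice)
2018-09-03T08:00:05 dhcpd: DHCPACK on 10.0.1.22 to aa:bb:cc:00:00:02 (ws-bob)
2018-09-03T08:00:09 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:00:00:03 (ws-carol)
2018-09-03T08:00:14 dhcpd: DHCPACK on 10.0.1.24 to aa:bb:cc:00:00:04 (ws-dave)
2018-09-03T08:00:20 dhcpd: DHCPACK on 10.0.1.25 to aa:bb:cc:00:00:05 (ws-erin)
2018-09-03T08:02:13 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (android-4f2)
"""

# Constructed firewall activity as (src, dst, number of allowed connections),
# expanded into key=value lines so the parser sees line-oriented input.
FW_SPEC = [
    ("10.0.1.21", "93.184.216.34", 3),
    ("10.0.1.22", "93.184.216.34", 4),
    ("10.0.1.23", "93.184.216.34", 3),
    ("10.0.1.24", "93.184.216.34", 5),
    ("10.0.1.25", "93.184.216.34", 4),
    ("10.0.1.77", "198.51.100.9", 25),
]
FW_LOG = "\n".join(
    f"2018-09-03T08:{10 + i:02d}:{j:02d} fw: action=allow src={src} dst={dst} dport=443"
    for i, (src, dst, n) in enumerate(FW_SPEC) for j in range(n)
)

# Authorized hardware inventory (constructed): MAC -> asset name.
INVENTORY = {
    "aa:bb:cc:00:00:01": "ws-alice", "aa:bb:cc:00:00:02": "ws-bob",
    "aa:bb:cc:00:00:03": "ws-carol", "aa:bb:cc:00:00:04": "ws-dave",
    "aa:bb:cc:00:00:05": "ws-erin",
}

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]*)\)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def ingest(dhcp_text, fw_text):
    """Parse both sources once into a single list of dicts tagged with their origin."""
    events = []
    for line in dhcp_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            events.append({"source": "dhcp", **m.groupdict()})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"source": "fw", **m.groupdict()})
    return events


def unauthorized_hardware(events, inventory):
    """Question 1: which MACs obtained a lease but are absent from the inventory?"""
    return sorted({(e["mac"], e["ip"], e["host"]) for e in events
                   if e["source"] == "dhcp" and e["mac"] not in inventory})


def inventory_coverage(events, inventory):
    """Question 2: what share of hardware actually seen on the wire does the inventory cover?"""
    seen = {e["mac"] for e in events if e["source"] == "dhcp"}
    return round(len(seen & set(inventory)) / len(seen), 3) if seen else 0.0


def outbound_anomalies(events, k=2.0):
    """Question 3: which sources' allowed connection counts exceed mean + k * stdev?"""
    counts = Counter(e["src"] for e in events
                     if e["source"] == "fw" and e["action"] == "allow")
    if len(counts) < 2:
        return []
    threshold = statistics.mean(counts.values()) + k * statistics.pstdev(counts.values())
    return sorted(src for src, n in counts.items() if n > threshold)


def correlate(events, inventory):
    """Join the silos: enrich each unknown device with what the firewall saw it do."""
    hits = {}
    for mac, ip, host in unauthorized_hardware(events, inventory):
        fw = [e for e in events if e["source"] == "fw" and e["src"] == ip]
        hits[mac] = {
            "host": host, "ip": ip,
            "allowed_connections": sum(1 for e in fw if e["action"] == "allow"),
            "destinations": sorted({e["dst"] for e in fw}),
        }
    return hits


if __name__ == "__main__":
    evts = ingest(DHCP_LOG, FW_LOG)
    print("unknown hardware:", unauthorized_hardware(evts, INVENTORY))
    print("inventory coverage:", inventory_coverage(evts, INVENTORY))
    print("outbound anomalies:", outbound_anomalies(evts))
    print("correlated:", correlate(evts, INVENTORY))
```

The point of the structure is that none of the four questions was known when `ingest` was written; each is answered from the same normalized event list, and the last one needs both silos at once, which a firewall-only or DHCP-only view could not provide.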

DePreta said agencies have an opportunity with the push by the Trump administration for IT modernization to not only simplify their operations and reduce their attack surfaces, but improve situational awareness by reducing the complexity of their technology and taking advantage of the data.

“If you look at the security information and event management space, there are a lot of outdated platforms still in use, and what it becomes is an access to innovation. Right now we are in a big cycle for upgrading the SIEMs, which run everyone’s security operations center,” he said. “The next generation SIEMs provide access to things like machine learning. Agencies which are investing time in market research to see what has changed in some of these platforms and how they can apply it are the ones who will do well.”

About Splunk:

Splunk Inc. (NASDAQ: SPLK) turns machine data into answers. Organizations use market-leading Splunk solutions with machine learning to discover their “aha” moments with machine data and solve their toughest IT, Internet of Things and security challenges. Use Splunk software in the cloud and on-premises to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Join millions of passionate users by trying Splunk software for free: www.splunk.com/free-trials.
