MoD goes Splunk to advance information as a 'force multiplier'

News by Adrian Bridgwater

Operational intelligence firm Splunk describes 'full lifecycle' of attacks and advocates analytics-driven security

Security firms are changing their form factor, approach and technology proposition as they move up and out from 'traditional' threat protection. While anti-virus products (obviously) still exist, the rise of sophisticated firewalls, security-centric cloud partitioning and application delivery controllers all now form part of the mix.


New breeds of InfoSec also now encompass Security Information & Event Management (SIEM) and machine-learning-based analytics for anomaly detection. An (arguably) key player in this space is the colourfully-named real-time operational intelligence firm Splunk.


Splunk has used its annual '.conf' user, customer and partner event in Orlando this month to detail its work with the UK Ministry of Defence and the security-focused elements of its own platform.


Security attack lifecycle


“Watching for individual alerts is no longer enough; we need to be able to track the full lifecycle of a security attack,” said Haiyan Song, senior VP of security markets at Splunk.


Song says this, of course, because Splunk's technology proposition hinges on so-called real-time operational intelligence: analytics over machine data, combined with model-based behaviour analytics.


Before detailing the mechanics of how Splunk is evolving its product set, Song introduced UK Ministry of Defence CIO Mike Stone who detailed the organisation's renewed approach to data security.


Force multiplier


“Information is the lifeblood of organisations – and the vision of our organisation is to deliver information capabilities that are a 'force multiplier'. If we don't provide this then we risk ceding control to our enemies,” said Stone.


The MoD is currently undergoing one of the most significant IT upgrade programmes in its history. Until now the organisation has depended on large, monolithic, siloed IT services that were at odds with its actual ministerial and military requirements.


“Our work to deliver what we call Defence-as-a-Platform is all about shifting from vertically integrated systems to now moving to a core horizontal platform that works outwards to the tactical edge – and on top of that we will deliver the evergreen application services that are needed,” said Stone.

The MoD will now work with the Army, Navy and Air Force to deliver the 'mission-specific' applications they need to be effective.


Oxygenating information analytics


“We will ingest all the exhaust from digital networks and derive operational intelligence using Splunk. We will now look to extend our use of Splunk … and exploit the ingredients of platform economics to oxygenate our approach to information analytics. We will also seek to exploit the wider ecosystem of platforms [over and above those that exist in the Five Eyes] and this is what Splunk will help us to do,” said Stone.


Bringing the theme back to what Splunk is doing in its security division, Haiyan Song retook the stage to explain why both network and endpoint visibility are needed to protect IT systems.


“Identity is the new attack surface, user behaviour analytics is the new protection layer,” said Song.


Threat indicators


The firm's Splunk Enterprise Security (ES) 4.5 product now sits alongside its Splunk User Behaviour Analytics (UBA) product as the specific tools for this type of protection. Using them, firms match 'threat indicators' (known-bad addresses, domains, file hashes and the like) against machine data, from raw logs through to correlated 'data events', as they build up an analytics-driven layer of security protection.


“Splunk advances its analytics-driven security vision and security analytics leadership with the new releases of Splunk ES and Splunk UBA. Splunk ES 4.5 provides a common interface for automating retrieval, sharing and response in multi-vendor environments. Splunk UBA 3.0 delivers new machine learning models, additional data sources and content updates of use cases,” said the company, in a press statement.


Splunk Enterprise Security (ES) will typically be used to provide a view into machine data generated by security technologies: network, endpoint, access, malware, vulnerability and identity information.


“It enables security teams to quickly detect and respond to internal and external attacks to simplify threat management while minimising risk and safeguarding your business,” said the firm.


The trend here centres on examining machine data to provide deeper layers of anomaly detection and security protection, all in a real-time monitoring environment. Beyond this, there is a clear push towards visualisation technologies that present more digestible graphical views for firms using so-called big data streams to reinforce their approach to IT security.
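As an added illustration of the two ideas running through this piece, matching threat indicators against machine data and baselining a user's normal behaviour so that deviations stand out, here is a small Python script that runs both over a handful of key=value log lines and then groups the resulting alerts per user, so that one user's events read as a chain rather than as isolated alerts. This is example code written for this page, not Splunk's own code and not part of the original article; the indicator values, user names, hosts and every log line are constructed for the example.

```python
"""Indicator matching and baseline-based behaviour analytics over key=value
log events, then correlation of the resulting alerts per user so that an
attack can be followed as a sequence rather than as isolated hits.
Added illustration; not Splunk code. All indicators, hosts and log lines
below are constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed threat indicators (documentation IP ranges and a made-up domain).
THREAT_INDICATORS = {
    "ip": {"203.0.113.77", "198.51.100.9"},
    "domain": {"update-check.example.net"},
}

# Constructed "historic" events used to build each user's behavioural baseline.
BASELINE_LOG = """\
2016-09-26T08:55:02Z action=login user=alice src_ip=10.1.4.20 result=success
2016-09-26T09:02:11Z action=login user=bob src_ip=10.1.4.31 result=success
2016-09-27T08:49:40Z action=login user=alice src_ip=10.1.4.20 result=success
2016-09-27T09:10:05Z action=login user=bob src_ip=10.1.4.31 result=success
2016-09-28T08:58:17Z action=login user=alice src_ip=10.1.4.20 result=success
"""

# Constructed events from the monitoring window under examination.
LIVE_LOG = """\
2016-09-29T08:57:30Z action=login user=alice src_ip=10.1.4.20 result=success
2016-09-29T22:14:03Z action=login user=bob src_ip=203.0.113.77 result=success
2016-09-29T22:15:48Z action=dns_query user=bob host=ws-bob31 qname=update-check.example.net
2016-09-29T22:20:12Z action=file_upload user=bob dest_ip=198.51.100.9 bytes=48231120
2016-09-29T09:30:00Z action=login user=carol src_ip=10.1.4.40 result=success
"""

def parse(line):
    """Split a 'timestamp key=value ...' line into a dict carrying a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def parse_log(text):
    return [parse(l) for l in text.splitlines() if l.strip()]

def indicator_hits(event):
    """Match every IP- or domain-bearing field of the event against the indicator sets."""
    hits = []
    for field in ("src_ip", "dest_ip"):
        if event.get(field) in THREAT_INDICATORS["ip"]:
            hits.append(("ioc_ip", field, event[field]))
    if event.get("qname") in THREAT_INDICATORS["domain"]:
        hits.append(("ioc_domain", "qname", event["qname"]))
    return hits

def build_baseline(events):
    """Per-user set of login source IPs and login hours seen in the baseline window."""
    base = defaultdict(lambda: {"src_ip": set(), "hours": set()})
    for e in events:
        if e.get("action") == "login" and e.get("result") == "success":
            base[e["user"]]["src_ip"].add(e["src_ip"])
            base[e["user"]]["hours"].add(e["_time"].hour)
    return base

def behaviour_anomalies(event, baseline):
    """Flag logins from a source or at an hour the user's baseline never showed.
    A user with no baseline is reported as 'unknown_user', not silently passed."""
    if event.get("action") != "login":
        return []
    user = event["user"]
    if user not in baseline:
        return [("unknown_user", "user", user)]
    out = []
    if event["src_ip"] not in baseline[user]["src_ip"]:
        out.append(("new_src_ip", "src_ip", event["src_ip"]))
    if event["_time"].hour not in baseline[user]["hours"]:
        out.append(("unusual_hour", "_time", event["_time"].strftime("%H:%M")))
    return out

def analyse(baseline_text, live_text):
    """Return {user: [(time, alert_type, field, value), ...]} sorted by time,
    so each user's alerts are read as one chain instead of isolated rows."""
    baseline = build_baseline(parse_log(baseline_text))
    chains = defaultdict(list)
    for e in parse_log(live_text):
        for kind, field, value in indicator_hits(e) + behaviour_anomalies(e, baseline):
            chains[e["user"]].append((e["_time"], kind, field, value))
    return {u: sorted(a) for u, a in chains.items()}

if __name__ == "__main__":
    for user, alerts in analyse(BASELINE_LOG, LIVE_LOG).items():
        print(user)
        for t, kind, field, value in alerts:
            print(f"  {t:%Y-%m-%d %H:%M} {kind:<13} {field}={value}")
```

Run stand-alone, the script prints nothing for alice (her login matches her baseline), a five-alert chain for bob (indicator hit on the login source, new source IP, unusual hour, indicator hit on a DNS query, then an upload to a second indicator address), and a single 'unknown_user' alert for carol. Two design choices are worth noting: an entity with no baseline is surfaced rather than ignored, since a brand-new account is itself interesting, and the per-user grouping is the cheapest possible form of the lifecycle view Song describes. A production baseline would be built over weeks and use thresholds rather than exact set membership.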


Splunk is called Splunk in a reference to 'spelunking', or the practice we know as 'pot holing' or caving in the UK. Digging down into data requires deep cave exploration, it appears – bring a torch and a clean pair of socks.

