How Splunk pivoted to security

splunkmanagement800
Splunk managament at .conf2017, including CEO Doug Merritt third from the left and Monzy Merza far right

The big data analytics company Splunk has gone from being founded as an IT operations tool, to one best known for its security solutions

Share

The 14-year old big data company Splunk made its name in the IT operations space when founders Erik Swan and Rob Das set out to become the Google of enterprise IT, by ingesting and indexing machine data from logs to make the information searchable. But its current CEO says the vendor is best known for its security solutions - how did it get here?

Speaking at the company's .conf2017 event in Washington DC, Doug Merritt, CEO for two years now, said Splunk is seen as a "security-specific vendor today".

The fact is, Splunk fell into the security analytics business. "We started as an IT ops company, and we stumbled into security," Merritt said.

As the story goes, IT ops people started sharing Splunk with their security colleagues because they saw value in the streams of systems information they were using for anyone that was tasked with spotting potentially malicious activity across the network and various enterprise systems.

"They soon realised if they take that data and augment it with firewall data, for example, I get all of this additional insight," Merritt explained.

More from .conf2017: Splunk turns to machine learning to help customers get the most from their operational data

This shift towards becoming a security vendor started under Merritt's predecessor, Godfrey Sullivan, who created 'market groups' within the company so that certain divisions could focus on either IT or security. Merritt has since added an IoT market group into the company.

In terms of reputation, Splunk is now best known for its security solutions, which helps analysts spot threats with Splunk dashboards, which crunch through systems data in close to real time.

From a business perspective, it's closer to 50-50 though. Merritt said: "The interesting piece is in any different quarter it is 40-50 percent an IT ops quarters and 40-50 percent security quarters, and there is really no consistency or pattern between one or the other." 

That's an interesting admission from the CEO of a company which specialises in pattern recognition for complex data sets.

What next for Splunk Enterprise Security?

Now that Splunk is deeply embedded in the security space, what is it doing to stay ahead of the competition?

Monzy Merza, head of security at Splunk, told Computerworld UK that the cloud is changing the priorities of its enterprise customers the most. "We have many customers who want visibility into the cloud, that's by far the biggest set of evolutionary steps people are taking," he said.

Merza splits Splunk's security customers into two distinct groups, high and low maturity. What these two groups want from Splunk differs slightly.

He explained: "For the ones that have the higher maturity level with security expertise - the federal customers or big financial services organisations - they want a platform because they have skills and competencies within their organisation that want to exert their own capabilities to do more. So that is how we built the platform.

"On the other side we have the ones just starting out their security journey. Those customers want consulting services, best practices and solutions. That's not to say the high-end teams don't want solutions, but they're going to tweak those solutions."

Read next: Dubai Airport turns to real-time data in drive to be world's "biggest and best" airport

More specifically: "Customers are asking for user behaviour analytics, insider threat protection. We had a set of customers who want a lot of automation and more around cloud computing and IoT through a security lens."

One of the biggest announcements at .conf2017 was the release of Enterprise Security Content Updates via Splunkbase, a new subscription service that offers pre-packaged security content to Splunk ES customers.

"The idea behind that is we want to provide analytics such that the customers can use that threat intelligence, not just as a report, but make it actionable," Merza said.

Merza gave the example of a typical piece of ransomware: "We know certain domains were being utilised and being generated by a domain algorithm. We know that in order to protect yourself against that type of attack there was a vulnerability that needs to be patched for your operating system, and we know that to ensure the long term assurance of your environment you should have good backups.

"So we know the specific elements and make that threat intel actionable."

Find your next job with computerworld UK jobs