The Gately Report: Future Splunk Innovation Will Focus on ML for Threat Detection
Hiring managers are struggling to bring younger and first-time professionals into the cybersecurity industry.
Channel Futures: Observability and security took center stage during .Conf22. What’s the significance of those?
Jane Wong: Observability is very focused on effective, efficient operations of really broad, complex deployments. How are your systems running? How are your applications and workloads in the cloud running? Security is more focused on detecting, helping, investigating and responding to threats. But there’s a commonality between the two. Both find incidents. So an incident on the observability side is maybe a server is running really slow or my application performance just dropped way below a baseline of normal. A security incident may be this person is acting out of their norm, like they’re accessing data that they don’t normally access or their machines slow down at different things. Both are incidents that you would then need to investigate and respond to.
We have a mature product in security called orchestration and response security that helps respond to security incidents. If there was a link in an email like a potential phishing email, was it a phishing link? Was it a bad malicious link or a good link? So we do that investigation right through to you. If it’s a bad link, now I want to go block that on my firewall. So I’m going to go through a connector to a third-party tool and make a change to the configuration of that tool to block that link. So we have security answers that we respond to in a similar way. Observability also has incidents that are responded to. We can share the platform that does that orchestration in response. There’s no need to have two completely separate platforms built in separate organizations. So sharing that technology is something that we’re going to be doing now.
CF: Is Splunk the only organization or are there others out there that have combined observability and security?
JW: Not with Splunk’s level of investment and maturity. There are hugely active startups in both domains. With security, there are many new, hugely innovative startups. We integrate with those and the same on the observability side. But for this big level of investment, I mean, we’re heading towards a $3 billion company. We’re the biggest.
CF: What’s your take on the current threat landscape? Ransomware is grabbing most of the headlines, but are there other, equally dangerous threats out there?
JW: Supply chain attacks continue to be a problem. Log4j continues to be a win for attackers. We saw lots of attacks following the situation in Ukraine. If it was emails sent with links purporting to be news sites and they weren’t really news sites, or phishing campaigns related to news from Ukraine, we saw a lot of that. So I think with things happening in the geopolitical landscape, there’s always risk, specifically phishing or watering hole websites being set up that people are going to go to and then get the machines infected, and their accounts compromised.
CF: What aren’t organizations doing that they should be doing to protect themselves and their customers?
JW: I think customers should really focus on use cases rather than tools. Whether it’s a shiny threat or a shiny new security tool, really figure on core use cases. What are you trying to detect? What are you trying to block? It’s priorities. I think that’s kind of an important thing not to miss.
CF: What are the biggest issues organizations face when it comes to cybersecurity and how is Splunk addressing those?
JW: The biggest threats are getting broad visibility end to end across your landscape. Threats can be very evolved and if they’re successful and an organization gets breached, there could be lateral movement across the organization. There could be more compromised accounts. There could be implanted malware across multiple systems.
To really get that full, visible picture on what happens post-breach, Splunk can be hugely helpful because we have logs from all of the systems that may have been impacted. So we can help put together that big picture of an attack. Security tools that are more focused on prevention try to stop those threats getting in. But Splunk is very good if those tools have failed at figuring out what attackers did, how they did it and where they did it, giving that picture. So I think that’s really important. I think then response, when you get that new understanding of here we had a weakness, this is how they got in and this is what they did next. Now I’m going to change my infrastructure to prevent that from happening in future. So both the full visibility and then the fast response when something’s happened, I think are the key pieces.
CF: How is Splunk addressing the cybersecurity talent shortage and alert fatigue among security teams?
JW: Through automation. If I’m responding to a phishing attack manually and I see an email that someone in my organization sent in and said I think this is a phishing attack and it’s got an attachment or it’s got a link, if I have to go manually to a safe area that I’ve set up specially and detonate that attachment in a sandbox or go through to that link to see if it’s got malware at the end of it or a malware dropper, that’s very slow. I can automate those steps. So rather than doing that every day with all the different potential phishing attacks that employees sent in, I can automate those steps. That just makes it like machine speed. It will tell me immediately whether something’s bad or not, so I don’t have to do the same thing every day. As an analyst, I get that time back. I can look up patterns of phishing attacks or actors that were groups we think may be behind waves or campaigns of phishing attacks. I can upload all the work I’m doing to something a lot higher order.
CF: Budgets are tight among organizations with everything going on with the economy and geopolitical issues. How is Splunk helping organizations with security while helping them save money or at least stay within budget?
JW: We have new pricing, which is very predictable and consistent, and measurable on a cloud. So we’re working with customers in that way. That pricing really helps tie value delivered to the need the customer has so customers can decide the importance of what they want to protect and the value back to them. So tying those two things together, I think is really important.
In other cybersecurity news …
ISC2 this week published findings from its 2022 Cybersecurity Hiring Managers research that shed light on best practices for recruiting, hiring and onboarding entry- and junior-level cybersecurity practitioners.
The research, reflecting the opinions of 1,250 cybersecurity hiring managers from the United States, Canada, United Kingdom and India, highlights the need to build effective job descriptions, and assign appropriate roles and responsibilities, along with the importance of non-technical skills and investing in career development.
Key report findings include:
Forty-two percent of participants said training costs less than $1,000 for entry-level hires (those with less than one year of experience) to handle assignments independently.
Nearly a third said it takes less than $1,000 in training cost for junior-level practitioners (one to three years of experience) to handle assignments independently.
Thirty-seven percent estimate entry-level practitioners are considered “up to speed” after six months or less on the job. Half said it takes up to a year.
Ninety-one percent of hiring managers said they give entry- and junior-level cybersecurity team members career development time during work hours.
Certifications are considered the most effective method of talent development for entry- and junior-level practitioners, followed by in-house training, conferences, external training and mentoring.
Fifty-two percent work with recruitment organizations to find entry- and junior-level staff. This approach is followed by looking to certification organizations, colleges and universities, using standard job postings, and apprenticeships and internships along with leveraging government workforce programs.
Eighteen percent of hiring managers are recruiting individuals from within their organization working in different job functions, such as help desk, HR, customer service and communications.
Hiring managers also revealed their top five tasks for entry-level cybersecurity staff:
Alert and event monitoring.
Documenting processes and procedures.
Using scripting languages.
Incident response.
Developing and producing reports.
Tara Wisniewski is ISC2’s executive vice president of advocacy, global markets and member engagement.
“Hiring managers are struggling to bring younger and first-time professionals into the industry,” she said. “The study shows us that, with the exception of the smallest organizations, employment levels for entry-level cybersecurity professionals trail far behind every other experience level. It’s also a particularly notable challenge in the United States and United Kingdom, compared to Canada and India, where entry-level employment levels are higher overall. Entry- and junior-level staff members help their organization, bringing new perspectives, ideas, creativity, critical skills in new technologies, enthusiasm and reinvigorating energy, as well as being a valuable next generation to transfer knowledge to. This shortage of talent in this area has increased the reliance on costly external recruiters to try and fill vacancies.”
The top priority is to review and rethink job descriptions and hiring criteria, Wisniewski said.
“Ensuring that qualification and experience expectations are appropriate for the role is of paramount importance and is the area where most hiring managers have been struggling,” she said. “When it comes to entry- and junior-level roles, it’s all too easy to fall back on experience as an easy measure of competence. But it doesn’t work for these first-time career positions and instead creates a chicken-and-egg paradox that ultimately deters and prevents many young professionals from entering the cybersecurity field. For these roles, qualifications are a far more viable way of verifying foundational competence and an ability to learn.”
Lookout has discovered an enterprise-grade Android surveillanceware being used by the government of Kazakhstan within its borders. Lookout researchers also found evidence of deployment of the spyware, which Lookout researchers have named “Hermit,” in Italy and in northeastern Syria.
The sophisticated malware tooling is designed to provide surveillance capabilities to nation states.
Hermit is likely developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl, a telecommunications solutions company that may be operating as a front company. RCS Lab, a known developer that has past dealings with countries such as Syria, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. This discovery appears to mark the first time a current client of RCS Lab’s mobile spyware has been publicly identified.
Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it has been deployed. Researchers were able to obtain and analyze 16 of the 25 known modules. The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and text messages.
Paul Shunk is a security researcher at Lookout.
“The Hermit app that initially is installed on a device is a framework with minimal surveillance capability built into the app,” he said. “It has the ability to download modules from a command-and-control server as instructed and then to activate the functionality built into these modules. This approach ensures that automated analysis of the app cannot find any of the spying functionality and makes even manual analysis significantly harder. In addition, it allows the malicious actor to enable and disable different functionalities in their surveillance campaign or depending on the capabilities of a target device. The modular design might even be part of the business model of the software vendor, allowing them to sell individual spying features as value-add line items.”
One of the Hermit samples Lookout analyzed used a Kazakh language website as its decoy, Shunk said.
“We further identified that the main command-and-control (C2) server used by this app was just a proxy, with the real C2 being hosted on an IP from Kazakhstan,” he said. “The combination of the targeting of Kazakh-speaking users and the location of the backend C2 server is a strong indication that the campaign is controlled by an entity in Kazakhstan.”
The overall design and code quality of the malware stood out compared to many other samples Lookout sees, Shunk said.
“It was clear this was professionally developed by creators with an understanding of software engineering best practices,” he said. “Beyond that, it is not very often we come across malware which assumes it will be able to successfully exploit a device and make use of elevated root permissions.”
There are more than 24 billion username and password combinations in circulation in cybercriminal marketplaces, with many on the dark web. That’s the equivalent of nearly four for every person on the planet.
That’s according to new Digital Shadows research. This number of username and password combinations represents a 65% increase from a previous report in 2020.
Digital Shadows’ research found that the top 50 most common passwords are easy to guess and simply use the word “password” or a combination of easily remembered numbers. Some 0.46% of all passwords – nearly one in every 200 – are still 123456.
Keyboard combinations such as qwerty or 1q2w3e are commonly used. Of the 50 most commonly used passwords, 49 can be cracked in under one second via easy-to-use tools commonly available on criminal forums, which are often free of charge or at minimal cost, according to Digital Shadows.
However, the good news is that adding a special character (such as @, # or _) to a basic 10-character password adds approximately 90 minutes to the time an offline attack would take to crack the password. Adding two special characters results in an offline cracking time of approximately two days and four hours. This makes it much less likely that a person will fall victim to an attack, with criminals instead attacking accounts that are easier to breach.
Cybercriminal marketplaces and forums remain the most common places for threat actors to advertise and sell stolen credentials. Over the last two years this criminal ecosystem has continued to expand, along with the range and sophistication of malware at their disposal. This has helped fuel the increase.
Chris Morgan is Digital Shadows’ senior cyber threat intelligence analyst.
“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” he said. “Criminals have an endless list of breached credentials they can try. But adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds. In just the last 18 months, we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”
Kim DeCarlis is PerimeterX’s CMO.
“Since the theft of credentials has already happened, digital businesses should look for a way to stop the next step: credential stuffing attacks in which cybercriminals try to validate the username and password,” she said. “It would be smart for online businesses to look for solutions that flag when a known compromised credential is being used and force an action such as a simple password reset.”
Once a valid username and password pair is found, cybercriminals can use the credentials to log into and take over legitimate accounts, typically on a number of sites since password reuse is common, DeCarlis said. Because the credentials are accurate, there’s a good chance the criminal will get into the account without any problems. Since most websites don’t have security checks post-login, they are free to navigate through and abuse the account with no questions asked. This abuse could include transferring money, cashing out credits or buying products that are easy to resell.
“Validating that a user had the right credentials was previously enough to keep accounts safe,” she said. “But given this scenario, businesses need to think about continuous post-login validation. It’s time to look beyond login to make sure the user is in fact who they say they are and is doing what they should be doing in the account. This kind of comprehensive account protection approach will pay dividends in the form of reducing chargebacks, lowering calls [to] customer service, reducing strain on IT resources, and protecting brand reputation and revenue.”
Arctic Wolf will now provide its partners with the ability to offer incident response capabilities directly from Tetra Defense, its incident response business unit.
Members of the Arctic Wolf Partner Program can now offer:
Free incident response retainers. Eligible Arctic Wolf managed detection and response customers will receive priority access to the Tetra Defense incident response team without having to pay any additional upfront costs.
Incident response referrals. Partners who introduce non-Arctic Wolf customers in need of incident response services to Tetra Defense are eligible to become the partner-of-record for future Arctic Wolf opportunities.
In addition, Arctic Wolf has launched an enhanced partner sales training program. The program offers a comprehensive set of virtual training courses designed to provide channel partners with an understanding of the diverse security industry landscape, as well as sales and marketing guidance meant to help grow their business.
Bob Skelley is Arctic Wolf’s senior vice president of global channels.
“We are always evaluating our program and the needs of our partner community,” he said. “It’s an important part of our business to ensure we’re supporting our partner community in ways that meet them where they are, with room to grow. In that process we determined that there was a need to further distinguish our top-tier partners and have a runway in our program for existing partners to grow and for new partners coming on board. In addition to our ongoing evaluation of the program, we added new benefits we could offer the top tier.”
Many businesses also turn to their channel partner for guidance in the event of a cyber incident, which is why it’s important for them to have access to quality incident response capabilities and forensics to respond quickly, Skelley said. These new additions will augment partners’ existing resources to help their end customers during business-critical moments.
“Partners in our top tier continue to get the full suite of benefits, but we also offer great benefits to partners at every level to ensure they have access and resources needed to scale and grow within our program,” he said. “Our entire partner ecosystem has access to resources that make them competitive in the cybersecurity market – training, sales resources and marketing resources to help them generate demand and acquire new clients.”
In the coming months, new Splunk innovation will focus on adding more machine learning (ML) to its tools for advanced threat detection.
That’s according to Jane Wong, Splunk’s vice president of security products. She spoke during this week’s Splunk .Conf22. The conference brought 12,500 attendees and more than 1,800 partners to Las Vegas.
This was also the first .Conf for Gary Steele, Splunk’s new president and CEO. He joined Splunk after serving as Proofpoint’s CEO for nearly 20 years. Doug Merritt stepped down as Splunk’s CEO last November.
Momentum Is Back
Wong said Steele has “brought a momentum back to Splunk.”
“You can feel it, very positive,” she said. “He’s very personal. He’s very transparent. We have weekly town halls to feel very real and authentic. He’s going to dive in and be hands on, and really help us get to the next level.”
During his .Conf keynote, Steele said he’s looking forward to driving revenue growth well beyond $3 billion.
In a Q&A with Channel Futures, Wong talked about Splunk’s innovations in observability and security and more from .Conf22.
Channel Futures: From your perspective, was there an overall message from this conference, whether you’re a partner or a customer?
Jane Wong: I’ve been talking to customers over the past couple of days, and they’re really resonating well with what they want to see Splunk do. So one is that we’re not going to be addicted to ingest any longer. We’re really changing the way we think about data and whether that data is ingested into Splunk or not, or whether we can add value through analytics, whether the data is in a cloud service provider, on-premises or a private data lake. I think that’s really resonating well with analysts, too. I’ve had so many meetings where they are saying good to see you on this path finally. Machine learning is a message that we had last year as well, and everybody thinks that Splunk has access correctly to so much data that we can have a ton of value using ML for security to find more advanced threats. So that’s exciting. I think those are the two big ones. Also, security and observability coming together. I had lots of conversations with customers about that because they’re looking at both and they want to know can you dig down a little, tell us what you’re doing, where these things come together and how that works.