The Gately Report: Splunk Partners Play Big Role in Security Business Growth
Plus, IBM reports the global average cost of a data breach has reached an all-time high.
Channel Futures: What did you bring to this role at Splunk from TwinWave?
Mike Horn: In terms of TwinWave, I was responsible for all of the go-to-market, the same thing around product definition and strategy, and execution. So it was a role that was familiar to me. And I had held a similar role back at Proofpoint, which is where I was before starting TwinWave. And at Proofpoint I had a general manager role where I was also responsible for engineering, product management and a few other things for our advanced malware products called Targeted Attack Protection, our security automation products and our threat intelligence products.
So what I love to be doing is at the intersection of customer problems and technology solutions, and how we make sure that the things that we’re building are meeting what customers need and that we’re delivering value to them every day. And that’s a particularly important thing in security because you’re helping protect organizations and their users, and their data and everything else. And so making sure that the applications and the solutions that we build get them the outcomes that they’re looking for. That is why I’m so passionate and excited about being in the security space.
CF: How big is Splunk’s security business? What sort of growth has it experienced and what role are partners playing in that growth?
MH: So we don’t do a specific breakout on the financial side, but I would say that overall we’re helping lead growth from the security products perspective. Partners play a critical role in that for us and in a variety of different ways. Certainly partners are helping us implement and deliver Splunk solutions to customers. And so we have a lot of partners that help with that side of things. That’s everything from the SIs to VARs, and a variety of other folks in between.
And then we also have partners that are helping us just deliver the product and bringing new opportunities to us. They’re doing integrations with larger projects where Splunk is an element of a bigger solution. There’s been a pretty big shift over the last few years in terms of being even more partner-friendly and partner-focused.
CF: Digital resilience was a big theme at Conf23. What does that mean to you?
MH: It’s interesting because in security, I think we’ve been doing resilience from the beginning. If you think about what resilience is, it’s adapting to things. It’s surviving things. It’s recovering from things. Well, what do we do in security? We adapt to changes in the threat landscape. We survive the incidents that occur. We recover from them and we learn, and we go do new things. That is resilience, right? And so I think that security and resilience are kind of one and the same.
I think a big part of what we’ve been talking about when we talk about digital resilience is the fact that … at the end of the day, a customer needs their application, their servers, their infrastructure, their users to be up and running. And whether those are being disrupted by an outage caused by a server issue or an application issue, or that’s an outage that’s being caused by a cyber event, both of those impact their ability to perform as a business. And so that’s the unification; that’s the convergence that we’ve been seeing from our customers’ perspective, wanting us to help them in becoming more resilient regardless of what the source of that challenge or that issue is.
CF: Among the solutions announced during Conf23, from a security standpoint, what other solutions do you find significant besides Splunk Attack Analyzer?
MH: I think Mission Control, which we announced as well, really is important for our customers because getting that unified experience where they can work in a single application and do all the things that they need to do to get through that threat detection investigation and response life cycle is really critical. We already had best-in-class SOAR and security information and event management (SIEM), and so by pulling those together and creating a kind of a unified experience where an analyst can do that work, I think is going to really have a big impact for customers. So we’re really excited about that. We’re proud of what we’ve done there.
CF: AI and cybersecurity is a big topic right now, including using good AI to stop bad AI. How does Splunk fit into that?
MH: We’ve been collaborating with Min Wang, our new CTO, and talking about how we can leverage generative AI and other things in security products for security use cases. So I think there are really two areas where we see AI playing. One is helping analysts and people that are performing investigative activities and making it easier for them to do those things. So even though you might be able to craft a query that could go get the information, it puts cognitive load on the user to go figure out what are all the different ways if I want to do something that’s pretty complex. Allowing them to define those queries in natural language and to say, “Show me all the systems that are running this process that had this activity on this particular date,” simplifying that and just being able to do that in human language, is much easier to do. It democratizes the ability for analysts to do things quickly. You raise everybody’s ability to participate in those investigations and do powerful things.
The second one is, AI is really good at doing a synthesis of information. You might have a security event that had IPs and domains, and maybe a file hash URL, all sorts of different pieces of information, and today things like SOAR can help automatically enrich those. So we’ll go do lookups and gather data, but then the analyst is the one that’s synthesizing that information and looking at all the different pieces that were pulled out. I think AI can have a tremendous impact there because AI can then take all that information, synthesize it and give the analyst a suggestion about what story might be being told by all this additional context and enrichment data so they have a much better starting point.
Now in all these cases, we still are big believers in human in the loop. I don’t believe in fully autonomous cybersecurity decision making anytime soon.
CF: What do partners and customers want in terms of AI and cybersecurity?
MH: What we hear from customers is they want things that help them, but that don’t make the final decision for them. And I often talk about AI as being the second wave of security automation. My first startup was a company called NetCitadel, which was an early SOAR company back in the 2011-2012 time frame before SOAR was a category. And what we saw then was people were scared of automation. Enterprises [wondered], what happens if you cut off the internet? What happens if the CEO can’t get all their email, etc. I think over the last decade or so, organizations have gotten more comfortable with automating and doing things. But AI is now the next wave of automation. It’s intelligent automation. But I think that means we’re back to, “Let me learn, understand and be a little cautious in terms of the customer.” And I think over time, as the technology matures and develops, and people see more examples of where it’s been successful, that those concerns will go down, and people will find more and more creative ways to use it.
CF: What sort of feedback have you been receiving from customers and partners? What are you hearing from them in terms of their latest needs, challenges, etc.?
MH: I think in terms of changes, there’s always the undercurrent of threat landscape and helping them stay up with the latest attacks. So that comes in everything from Attack Analyzer detections to security content in enterprise security, our machine learning (ML) models, etc. So there’s just always a baseline of [how] we need to help customers deal with whatever the next threat is going to be and nobody knows what that is until it shows up.
In terms of other areas that I’ve heard come up more and more, certainly the adoption of cloud and some of the challenges that come with that adoption, whether that’s moving systems and applications to cloud environments, and just thinking through what are the implications now with new surface area, new places that I need to go deal with, or whether those are things like identity and access management. And now I have user accounts that are spread out and what are the appropriate permissions and everything else. So that’s certainly been an area that I hear a lot from customers.
I was having a conversation with a CISO and he was talking about doing more and more in things like Kubernetes. So those containers pop up, they exist for some period of time and then they go away. If there turns out to be a security-related event that needs to be investigated, I need to have all that information. I need to understand the context of what that container was doing, where it was running and what it had access to. So the more dynamic those environments become, the harder it is sometimes to synthesize the data. And so I think customers are looking to Splunk to help with that synthesis and understanding.
CF: Is the threat landscape basically shaping Splunk’s security strategy/roadmap?
MH: There’s kind of a constant, built-in thing that we know we need to stay up to date with the landscape. So every road map includes that understanding of, “Hey, we don’t know what it is we’re going to have to do, but we have to make room for adapting to the latest attacks.” If a new attack vector appeared that we didn’t have a product that helped cover, that might create a change in a road map, or we might develop a big new feature or a new product to adapt to something that’s happening in the landscape. But for the most part, I’d say the day-to-day changes in the landscape that we see are baked into the product plans that we already have. It’s just kind of a known unknown, as we like to say, where we don’t know exactly what’s going to happen, but we know that something’s going to happen.
CF: From a security standpoint, what can partners expect from Splunk for the remainder of 2023?
MH: We have a number of great product releases that already came out this year. We’re going to continue to innovate and deliver new products that they can bring to their customers throughout the rest of this year. I think they’ll see a renewed, continued focus and emphasis on helping to make our channel partners successful. You could see how important of a role partners are playing at Conf23 and so I think that partners can expect to see more of that.
In other cybersecurity news …
IBM Security's latest annual Cost of a Data Breach Report shows the global average data breach cost hit another high, reaching $4.45 million per incident, and more organizations are passing breach costs onto consumers than increasing security investments.
The average cost increased 15% over the last three years. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.
According to the IBM report, businesses are divided in how they plan to handle the increasing cost and frequency of data breaches. Ninety-five percent of studied organizations have experienced more than one breach.
The report is based on analysis of real-world data breaches experienced by 553 organizations globally between March 2022 and March 2023. The research, sponsored and analyzed by IBM Security, was conducted by Ponemon Institute and has been published for 18 consecutive years.
Some key findings in the 2023 IBM report include:
Artificial intelligence (AI) and automation had the biggest impact on an organization’s speed of breach identification and containment, yet 40% of organizations still haven’t deployed these technologies.
Most breaches weren’t discovered by an organization’s own security teams or tools, including MSSPs. But when an organization did discover a breach themselves, they saved nearly $1 million in breach costs.
About half of organizations plan to increase security investments because of a breach, but even more said they increased their cost of goods and services as a result.
Despite ongoing efforts by law enforcement to collaborate with victims, many still opted not to bring them in, and it came with a price. Ransomware victims that didn’t involve law enforcement saw higher breach costs and took longer to contain an attack than those that did involve them.
Nearly 40% of data breaches studied resulted in the loss of data across multiple environments, including public cloud, private cloud and on-premises, showing that attackers were able to compromise multiple environments while avoiding detection. Data breaches that impacted multiple environments also led to higher breach costs ($4.75 million on average).
The average costs of a breach in health care reached nearly $11 million in 2023, a 53% price increase since 2020. With medical records as leverage, threat actors amplify pressure on breached organizations to pay a ransom. In fact, across all industries studied, customer personally identifiable information (PII) was the most commonly breached record type and the costliest.
Organizations across all industries with a high level of DevSecOps saw a global average cost of a data breach nearly $1.7 million lower than those with a low level/no use of a DevSecOps approach.
Critical infrastructure organizations experienced a 4.5% jump in the average costs of a breach compared to last year, increasing from $4.82 million to $5.04 million, $590,000 higher than the global average.
“Time is the new currency in cybersecurity both for the defenders and the attackers,” said Chris McCurdy, general manager of worldwide IBM Security services. “As the report shows, early detection and fast response can significantly reduce the impact of a breach. Security teams must focus on where adversaries are the most successful and concentrate their efforts on stopping them before they achieve their goals. Investments in threat detection and response approaches that accelerate defenders’ speed and efficiency, such as AI and automation, are crucial to shifting this balance.”
Cosmetics giant Estee Lauder confirmed a cyberattack in which an unauthorized third party gained access to some of the company’s systems.
Both the Alphv/BlackCat and Clop ransomware gangs claimed to have compromised the company.
“Based on the current status of the investigation, the company believes the unauthorized party obtained some data from its systems, and the company is working to understand the nature and scope of that data,” the company said in a statement.
Estee Lauder said it’s focused on remediation, including efforts to restore impacted systems and services. The incident has caused and is expected to continue to cause disruption to parts of the company’s business operations.
Brad Hong, customer success lead at Horizon3.ai, said this is “one of the most interesting developing case studies of recent ransomware history–two individual ransomware groups, uncoordinated, managed to get into a brand-name enterprise company at the same time.” Initial reports indicate that they did not hack into its infrastructure from the same attack vector.
“While it might seem obvious that the moral of the story is to patch highly exploited vulnerabilities, like MOVEit, as a priority, it’s unfortunately commonplace to see organizations pigeonholed on the wrong things, and if not this threat actor, then the next one could be successful if limited only to their imagination,” he said. “This only emphasizes the need to continuously validate the strength and extent of security through offensive techniques. At the end of the day, advanced persistent threats (APTs) are groups of humans, too, and their techniques change as they adapt to the rest of the world.”
Defending against one group doesn’t grant you blanket defense against another, Hong said.
“While it would’ve been valuable to patch the suspected exploited MOVEit instance at [Estee Lauder], testing the true blast radius of this highly warned vulnerability, by continuously running find-fix-verify loops from the attacker’s perspective, [Estee Lauder], like any organization, would have a much better understanding of the totality of potential paths to impact,” he said.
Splunk partners are playing a crucial role in helping the company grow its cybersecurity business and safeguarding customers from cyberattacks.
That’s according to Mike Horn, senior vice president and general manager of Splunk’s security business. He previously was president and CEO of TwinWave Security, which was acquired by Splunk last November.
At last week’s Conf23, Splunk unveiled numerous new offerings, including Splunk AI, new product innovations to Splunk’s security and observability platform, and Splunk Edge Hub, the first product exclusively for Splunk partners.
Biggest Threats Facing Splunk Partners, Customers
Supply chain-related attacks pose the biggest danger to organizations, and are especially difficult to prevent, detect and remediate, Horn said. The Clop ransomware gang’s massive MOVEit Transfer attacks were just the latest supply chain-related threats to wreak havoc on organizations.
Splunk’s Mike Horn
“We previously had Log4J and SolarWinds, the things where attackers are able to co-opt existing infrastructure distribution models,” he said. “They can kind of sneak in the back door, so to speak. I think that’s a really challenging one and something that can be a little bit harder to pick up on, a little more nuanced than the smashing at the front door with your ransomware document. So that is one that I think we’re going to continue to see more of. I hear customers asking about API security because it’s a new surface area that’s getting exposed. And any time you have something new, it’s less mature. We haven’t worked out all the bugs yet, which is what attackers take advantage of.”
One of the products unveiled at Conf23, Splunk Attack Analyzer, resulted from Splunk’s acquisition of TwinWave. It allows security teams to automate the analysis of malware and credential phishing attacks to uncover complex attack techniques used to evade detection.
“That’s my baby, and I take a lot of pride in what we’ve done there,” Horn said. “Ninety percent of the TwinWave customers were already Splunk customers so we had a lot of overlap and familiarity there. We had already built integration with Splunk products like Splunk Security, Orchestration, Automation and Response (SOAR). We had customers that were using Splunk products and TwinWave at the time, now Attack Analyzer, very effectively together. So I’m excited now that we’ve gotten to a point where we’re ready to bring it to all the Splunk customers.”