Splunk is focused on mobility in cybersecurity.

Edward Gately, Senior News Editor

October 24, 2019


That’s a wrap for Splunk .conf19, the company’s 10th annual user conference, which focused on all things data, including using data to gain better insight into cybercriminals and stop them in their tracks.

During the event, executives touted Splunk‘s efforts to offer new solutions through building, acquiring and investing in innovation. With its new Splunk Mission Control, customers gain a unified security operations center (SOC) experience that supports investigation and search across multiple on-premises and cloud-based Splunk Enterprise and Splunk Enterprise Security instances, ChatOps collaboration, case management and automated response.

In a Q&A at .conf19, Haiyan Song, Splunk’s senior vice president and general manager of security markets, talked about her company’s efforts to make SOCs more effective and its overall cybersecurity strategy.

Channel Futures: Tell us about the issues SOC analysts are facing. We’ve heard a lot about analyst burnout, that if they could they would quit their jobs, and so on.


Splunk’s Haiyan Song

Haiyan Song: There are a couple of levels. One is on a very high level: The data is exploding and the number of technologies they have to learn and to manage, the average is like 75. That’s not very possible for a person. So I think that in many ways it’s really giving birth to technologies like what we bring to the market for security information and event management (SIEM) and Phantom, which is automation, and the Security Operations Suite. The other thing is, the burnout and things are also because we live in a time that the threats continue to evolve, and you figured you just learned some techniques and things, and then things are evolving. So I think this is when you really want to bring technology like [machine learning] and [artificial intelligence] to humans with that learning because they’re great at churning through a huge amount of data, and learning and getting insights, and finding anomalies. So I think those are probably the two that I feel like are most prevailing.

But I think what’s coming down the pipe is the cloud. It’s fundamentally changing how software gets built, how it gets deployed and consumed, and security in that world is really going to require a fundamental change, too. So that’s what I would really want our industry to put more focus on because we actually have an opportunity to do that right and make security by design, and that we understand the new digital economy, the API economy, the service-based economy. It also changes risk management … and how it has to be 24/7 because things are always changing. I think those are actually the things that we all should be paying a lot of attention to, whether we’re in the industry providing solutions or you’re the analyst who is doing the day-to-day. A very inspiring part is all the customers do understand that’s a big thing and they are open to adopting technologies like automation.

CF: Is mobility going to be increasingly important in cybersecurity?

HS: We live in a world where we can be anywhere and things can happen at any time. I think the most important thing is to enable the analyst to be able to take actions wherever they are. And that’s really the gist of the news from the security perspective, the mobility and what we’re trying to provide.

CF: How has Splunk’s Security Operations Suite evolved through the years?

HS: When Splunk started, it was not even a security company, but customers found that it’s a gem to bring all of these logs together and they got a lot of use cases lit up by Splunk. So when I came over here, my charter was to build the security market group and build the security business. We really looked at what Splunk’s differentiators are and the ability to bring all different types of data together. Data to everything is really the DNA of the company. We said, ‘Well, if we can bring data to everything, we can bring data to security.’ So we decided the first push was to be very analytics-driven, so we said we’re going to be an analytics-driven company and take an analytics approach to security. And our new SIEM, which is enterprise security, is all based on that.

And then a year after that, we said to do analytics better, we really need advanced technologies like ML and behavior analytics, so we acquired a company called Caspida, and that added to our portfolio as the user and entity behavior analytics (UEBA) product. So we continued on that journey and helped customers understand data and built threat models, and really zoned in on content and use cases to drive customers’ adoption and success. About a year-and-a-half ago, we acquired Phantom, but we didn’t just wake up the next day and acquire it. Phantom was one of the founding partners for our adaptive response program, and together we developed a lot of framework and integration, and there was so much energy that we decided it’s just probably better to join the teams together. That gave birth to the Security Operations Suite. Splunk is the only company that can really bring the data layer, the analytics layer and the operational layer together. And now Mission Control brings the best of all of them together and lets the analysts work with it.

CF: A lot of the improvements through the years were enabled through acquisitions. Do you see that continuing?

HS: We try to have a very balanced approach: build, buy and partner. They’re all sort of in play. And partnering is a very important part of the strategy because security is an ecosystem and no one can do it alone. We already are integrating more than 1,900 APIs with 300 or so customers. So that’s a lot of coverage and a lot of automated actions people can take. And also, we announced we’re going to be open-sourcing all those integration apps, so if customers have very special ways of doing integration, they can start with things that are already working versus starting from scratch. That’s our way of giving back to the community and working better with the industry. So I would say … there’s a lot of innovation we’re doing internally, but also … if there’s great technology and it makes sense for customers, we’ll bring them in to get better integrated. The whole Mission Control is about unity, simplicity and efficiency, and we definitely expect to do more.

CF: Can you talk more about the role partners play in extending Splunk’s reach and capabilities?

HS: The ecosystem partners, especially on the technology ecosystem side, are a very, very essential part of the solution because Splunk is a nerve center and the role we play is very neutral. We are actually doing the best job if we can bring all the endpoint security solutions in, all the network security, all the threat intelligence and all the identity. Splunk can be the biggest security company in the world because we work with all of them, we bring all of them together. But if we don’t invest in the ecosystem, if we don’t work with the ecosystem well, we’re not even going to be relevant. This is how important our partners on the technical ecosystem side are. But we also work with a lot of other partners who are delivering the value to the customer. Cisco is not only a technology partner, but they also are bundling our solution with what they take to their users, and we work with SIs like Accenture and Deloitte because they will help customers transform their security operations and build new capabilities with the world becoming more digitized. So the partners are such a strategic part of our go-to-market and our very existence to a certain extent.

CF: What is Splunk working on beyond what’s been announced this week in cybersecurity?

HS: We believe security strategy has to start with the data strategy, and that trend has been there and it’s just getting stronger. We believe automation is going to become even more important and essential, and we also see cloud, even though it’s not a new thing, but it has certainly in the last couple of years given us a new challenge because it has fundamentally changed the paradigm of compute, how software gets developed and deployed, and we cannot just protect cloud in the same way we protect on premises.

And we talk about AI and ML, and that’s a big challenge because we’re not the only ones investing in that. Our adversaries are doing that, too. So we will continue to really help customers with adoption of automation. Not only does it bring machine speed and efficiency, but it really helps us to generate that codifying of that data so AI can really be applied. One of the challenges is the adversaries probably have an upper hand because it’s not symmetric. They can get access to a lot of data, they have no regulations, they have no privacy concerns and they have no lawyers. And if they do something wrong, there are really no consequences, and they only have to be right once. And for what we do, we have to be pretty much, hopefully, right all the time.

Newer, Targeted Attacks on the Rise

New data from SonicWall Capture Labs shows a sharp decline in ransomware year over year, but that definitely doesn’t mean cybercriminals are backing off.

Some 7.2 billion malware attacks were launched in the first three quarters of 2019 as well as 151.9 million ransomware attacks, marking 15% and 5% year-over-year declines, respectively.

However, IoT malware jumped to 25 million, a staggering 33% increase; encrypted threats spiked 58% through the first three quarters; and web app attacks are on the rise, showing a 37% increase over the same period last year.

While attacks may be trending down, the reality is the number of attacks is still very high and more nefarious than ever, even evading traditional sandbox technology, according to SonicWall. The SonicWall Capture Threat Network has recorded an increase in targeted geographic attacks beyond the United States to include the United Kingdom and Germany.

Bill Conner, SonicWall’s CEO, tells us the year-over-year decline in ransomware is because attacks have become more sophisticated and targeted at fewer, higher-value targets.


SonicWall’s Bill Conner

“We’ve also seen other macroeconomic factors have an impact on malware trends,” he said. “For example, with the fall in cryptocurrency prices in 2018, attackers attempted to keep cryptomalware profitable by making up for it in volume — [for example], infect larger devices. As cryptocurrency began to recover in 2019, we’ve seen the shift back to fewer, but more targeted attacks.”

On the other hand, as attackers continue to become more sophisticated, SonicWall has seen “tremendous increases” in other, newer types of attacks, such as encrypted threats, side-channel attacks, attacks over non-standard ports, evasion techniques and IoT-specific malware, Conner said.

“There is a tremendous opportunity for MSSPs and other cybersecurity providers,” he said. “Attackers have realized that there’s more to gain by targeting and infecting businesses, rather than consumers, as the likelihood of a business paying a ransom is higher. This has led to higher ransom demands and higher payouts. With that as a backdrop, there is a huge cybersecurity skills gap, felt hardest by SMBs who lack the resources to defend against such challenges. This is where MSSPs and other cybersecurity providers can step in to help close that gap.”

As attacks become more sophisticated and continue to evolve, it is critical for organizations to exercise basic hygiene, such as keeping their systems patched and their security products up to date, according to SonicWall.

Bugcrowd Unleashes Attack Surface Management

Bugcrowd‘s new Attack Surface Management (ASM) provides an assessment of an organization’s security posture by providing visibility and intelligence on its attack surface.

Bugcrowd said ASM is the first crowd-driven solution to reduce the unknown attack surface by matching the effort and scale of malicious attackers with attack-minded defenders. It identifies connected digital assets, prioritizes them based on real risk for attack, and migrates critical findings to new or existing crowdsourced testing programs like bug bounty or pen test programs for an added layer of targeted testing.

Casey Ellis, Bugcrowd‘s founder, chairman and CTO, tells us through the identification of additional testing surfaces and the prioritization of security remediation activities, ASM provides his company’s partners with more opportunities to engage with customers by identifying and generating upsell opportunities.


Bugcrowd’s Casey Ellis

“ASM is powerful in a VAR model in that it’s a simple solution to a compelling problem,” he said. “Organizations can only secure what they know is within their attack surface, and ASM helps reduce unknown attack surface by up to 98%. ASM is also a catalyst for additional upsell opportunities, whether for Bugcrowd or other products in a partner portfolio, as newly surfaced assets can lead to additional security effort and investment needed, based on uncovered risk.”

Exabeam’s Annual Cybersecurity Salary Survey Includes Some Surprises

Exabeam‘s new global survey of cybersecurity professionals shows they continue to struggle with cybersecurity burnout and fatigue, while citing a challenging work environment as the most rewarding aspect of their job.

The survey, completed last month, included 479 security professionals. Among those surveyed in the United States, the United Kingdom, Canada, India, Australia and the Netherlands, 91% were male – up from 90% in 2018 – representing a persistent gender disparity in cybersecurity.

Further, a wide racial disparity was uncovered, with African-Americans making up less than 3% of respondents to the survey. Some 65% identified as Caucasian. People of Asian descent made up just 13% of respondents, while 9% were Latino/Hispanic.


Exabeam’s Trevor Daughney

“The lack of diversity in this survey is a microcosm of the wider problem plaguing the cybersecurity industry,” said Trevor Daughney, Exabeam‘s vice president of product marketing. “When we consider the continuous threats and external adversaries that cyber professionals face, we understand that fighting them often requires a multidisciplinary approach. Building a diverse team of people creates a more holistic view of the problem and delivers a range of valuable problem-solving skills. In that way, diversity truly improves the overall outcomes of the team.”

Some 62% of respondents said their jobs are stressful or very stressful, and 44% don’t feel they are achieving a work-life balance. Further, 40% of respondents indicated they were actively engaged in job-searching.

“Another interesting finding is that 51% of the respondents who indicated they were actively engaged in a job search cited poor compensation and unsupportive senior leadership as their reasons for doing so,” Daughney said. “That poor compensation is a top reason is particularly interesting given the average salary range is relatively high at $75,000-$100,000. Allowing for both professional challenges and intermittent reprieve in a high-stress environment seems to remain a challenge for security organizations.”

Respondents see a lot of promise in automation, according to Exabeam.

“For example, 75% of respondents indicated that automation and security orchestration, automation and response (SOAR) solutions would help their response times, and 80% stated that they would make their job easier and improve security,” Daughney said. “SOAR and automation were also seen as the solution most ready to impact their future work against security threats. MSSPs and other cybersecurity providers can help security professionals with offerings that help them automate manual work, especially mundane or repetitive tasks; fight against burnout and find a more sustainable work-life balance.”

The survey revealed that 72% of respondents currently use a SIEM solution. Additionally, 21% said they are already deploying some form of AI/ML in their cybersecurity efforts, and 43% intend to use AI/ML in the future.

While only 16% use SOAR solutions, 75% believe SOAR would increase their SOC response times, Daughney said.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
