Tuesday, 29 October 2019 11:16

In conversation with: Haiyan Song


How does Splunk see the current state of IT security?

Attending Splunk's .conf19 recently, we sat down with Haiyan Song, SVP and GM of Security Markets at Splunk to hear her thoughts on the current state of security. For many years, Splunk has been active in this area due to their ability to capture and rapidly analyse huge amounts of SIEM data.

iTWire: Please, can you introduce yourself?

Song: So, my name is Haiyan Song, and I run the security business for Splunk. I think [I started] here around six years ago. Splunk started as an IT Ops company and we used to call it 'Google for IT' - really, sort of getting all the different logs together trying to understand and troubleshoot and get to the bottom of any IT problems. And it turned out to be a useful tool when it comes to security, especially with regard to compliance. People are thinking gosh I have a place where all the logs are and maybe the auditors can just get reports from them.

That's how we got into security. I want you to have this history because we didn't start with, you know, we are the SIEM for whatever. However, because of that interest, and because of our ability, our claim to fame in many ways is the ability to investigate from all different sources and get to the answers that people couldn't get to without a tool like this. That becomes really critical when you think about breach response when you think about investigation forensics.

iTWire: In your time with Splunk, how have you seen the industry change?

Song: So customers started using us for those use cases. When I came over [to Splunk] the world was really at a pivotal point of this legacy SIEM, as we call it. They are built to bring situational awareness, but were never built to help people to respond to it. So their ability to investigate and to pivot and to help with the incident responders was very limited. We thought, hey, that's a great opportunity for Splunk, why don't we take the DNA and the differentiator we have, and really help customers solve the most pressing problems at the time. [That] is to understand, to detect the breach, and most importantly to respond to it. So that's a little bit of the history. But if I look at it from today, what really worked well for us is part of the reason that legacy SIEMs were no longer relevant is because they couldn't handle the data explosion. They don't have the flexibility, they don't have the scale, they don't have the ability to bring things together. So we really managed to leverage the opportunity, the world is digitizing, and security strategy needs to be really built on a very strong data foundation. So that's our number one and why we're interested, where we're so good at it.

The next thing that has happened in the last, I would say, two or three years is, you realize that everybody talks about [the fact that] there's millions of jobs that are still open for cyber security. And we also see AI and ML and all this automated technology being used by the adversaries to launch their attacks, things are happening in machines. So, the adoption of automation, which actually got started by Phantom Cyber and we acquired them last year. So there is [inaudible] security orchestration, automation and response. So, the adoption of that for security is exhilarating, and it's already delivering a lot of results around better efficiency for the Ops team, because they're saving a lot of money by reducing the mean time to respond because automated playbooks get done in 30 seconds, versus two hours and then, most importantly, if you don't have the ability to respond at machine speed, you got no chance. So that's the second thing that's driving our interest in this space.

[For] the third one, I would say cloud. Cloud is a big thing in the US, I think it's becoming bigger and bigger in Australia. Cloud is not really new in terms of top-of-mind for people. But, more and more, we actually start to see that has changed fundamentally how people start building software differently, deploy them differently and people consume them differently, and security can no longer be a bolt-on, you cannot say "hey now I just like figured out I need to do something about the software which is deployed into the cloud." You have to really start thinking security from the get-go. The cloud is very ephemeral so you can't just say "hey I'd just like get to [a possible intrusion event] two weeks later and see if this IP address means anything." You cannot do that because by then, it doesn't mean anything anymore. Everything needs to be really… We call it 'shift left,' to be by design. And that's one of the things [why] we just bought SignalFx. Our mission, a lot of the push that the company is doing, is cloud needs a new compute model, cloud needs new instrumentation, I think the term [is] called observability, it's really the new way, and security is going to have to build out those types of new constructs as well, so that's the third one that is super important.

AI and ML. Everybody is talking about it. The adversaries are using it. I think we need to get better at it. People say data is the oxygen for AI, data is the new fuel, right, for that [arms race]. The problem is, we have a lot of regulations, and so sharing data and using the data, it's [difficult]. There's not a lot of constraints on the other side, as adversaries don't have lawyers, don't have regulations. There's no privacy concerns, and they steal the data, they use them, so I think it's a very asymmetric warfare that we're dealing with. So I think that really calls for the industry to work together. So that's sort of the fourth one.

But [for] the last one, I would say that's really intriguing and we're all just getting into is supply chain and third party risk testing. Since the Target breach [it was] their HVAC to the vendor who caused the problem. But in the cloud world, I'm using the term digital cloud supply chain. Because right now, so many things are driven by APIs, you know you're using one App, you don't know how many companies are behind it, and that digital supply chain has caused so much more complexity, for you to get assurance to say "hey, are you good?" Well there's no one player, there's multiple ones, and there's no such thing called compliance by, "gosh let's do a new audit and checkbox… we're done." It has to be 24 by seven continuous monitoring. So we focus on really how to bring risk scoring mechanisms and how do we tie business sort of risk with the security operations. That's one of the major drivers.

So I'd say those five trends are really our guiding post - security needs to rely on a data strategy, and automation is key, a must-have. The third one is cloud changes everything and we've changed security, right, to start from the very beginning; and AI/ML are super important, and digital supply chain requires a totally different way of dealing with smart vendors.

iTWire: The more we move to cloud, it seems to me we have an opportunity to concentrate our security expertise, because assuming that one person can look after a 100-person company, then you don't need ten to look after a 1000-person company, and so on. So I'm wondering if in the next 10 - 15 years, there'll be just about nothing on-premise. And that then gives the major vendors an opportunity to actually focus those security operations centres to be linked in with the cloud vendors. Are you seeing something similar?

Song: I think you're right, there's definitely a trend for a lot of the security players to think about this new thing called managed detection and response, it's really good. I'm less optimistic about everybody going to be in the cloud in 10 years.

And if you think about mainframes… open systems like Unix, Linux came out about four decades ago... But the mainframe still is there. I still think the world is going to be hybrid.

But like you said, more and more workloads, more and more storage and more and more security can actually be done in the cloud. I think the cloud vendors can do a really good job of securing some of the small-medium companies on their own. We [Splunk and partner companies] can't compete with the big banks - they have a different resource pool and talent pool. But I think the hybrid is still going to be there. And for Splunk, we believe that overall being very neutral in that world would really continue to help to bridge together, but we also have a strategy on data, we understand data cannot live wherever they need to live. So we have new products like the Data Fabric Search to allow us to be able to reach the data and use the data without having to assume the data can be stored locally. And that's driving some of the innovation.

iTWire: I know Google, with all the Google Apps, is encouraging us to end up with what are effectively very unintelligent devices on our desks at home. And that means we don't have to worry about security because all we need is a VPN pipe into somewhere.

Song: If I can just make one comment before I pass on to the world in the cloud. This first wave of breaches we've seen, it's not really, you know, the VPNs, the communications or stuff, it's actually human errors. It's misconfigurations of your storage, this is misconfigurations or leaked, you know like, credentials, people steal the keys and so they can get into the system.

iTWire: How many Amazon buckets are there open, right?

Song: So, even in that new world, the cloud providers will ensure that, you know, the pipes can be secure and storage can be secure; it's still going to be up to the application, and the user, to do the right thing. And we know who was the weakest link in security. Always humans. So that's why automation is getting...

iTWire: It seems to me there's three levels of organisation in their security posture. There's the first group which are not even compliant and don't have much of a clue. There's a second group, which will scream and carry on and finally pass an audit, and then go. And there's a third group that will say, "Oh yes, an audit, that's fine."

Simon Eid (GVP, Splunk, based in Melbourne, Australia): And in a lot of cases, they're just tick-boxes. A lot of the sectors will sit there and say, we've got an audit requirement. If we implement 'this' we've ticked the box; they don't do anything with it after the event.

iTWire: So, you're just describing my second category. But the proper security posture should be "oh, there was an audit. Okay, here's my compliance paperwork and validation data."

Song: In the cloud world everything is connected, is always on. You don't really have a lot to do for the [compliance].

iTWire: Yes, because you quickly throw a team together, you frantically pass the audit. Then everyone goes back to their other jobs.

Eid: And by then, everything has changed.

iTWire: The other wonderful thing is they will fine-tune a whole lot of parameters so that they might pass the audit, then they back them off again, because they need them to actually run their business.

Song: I think that's still probably a point that people are thinking yes [inaudible] yes we get economy of scale, but do we want to standardise all the cloud vendors like, storage, for things like SaaS, I think.

iTWire: We might have an opportunity to circle back to what you said about the cloud being the modern mainframe. We may have that chance to say we want to take away some of that flexibility because things are going so horribly wrong.

Song: I think it's already happened. You think about the adoption of SaaS as an example. Such a big thing for every company, and they definitely give up some flexibility, customisability, but it just brings that standardised thing, and so the security side I think in many ways, similarly. People would say, "Yes, I will subscribe to threat intel, and I will be part of the sharing, ISAC, and we'll try to standardise." Nowadays, everybody is a big fan of the MITRE ATT&CK framework. "Okay, we're going to use that to really think about our security access posture."

And now, the paranoid side of coming out with your posture is that when you have that warfare, the last thing you want to do is for everybody to understand exactly what you're doing, and the adversary says, "okay that's how they think about it. That's the technology they have, that's the standard they have." I think there's a fine balance. Of the little OP, how the variation see we use this. You know, when you are in that kind of warfare, the last thing you want to be is open and predictable.

iTWire: You know the two words that went through my mind through all of what you were just saying: Sun Tzu.

Song: Yes, exactly. The Art of War.

iTWire: I want to circle back a little bit to your comments about AI and machine learning. One of the things that we've seen a lot about, particularly in biometrics and face recognition, is bias in the sample. Are we likely to be accused of the same thing when we are setting up our AI for security inspections? In other words, we're only looking for the things that we know about and that's what we're training the AI to look for.

Song: I think in that sense, what goal we're seeking... I'm a very big thinker of AI/ML.

I was at the World Economic Forum earlier this year and we had an AI panel. I basically said, it's too early to really see AI solving the problem, because for AI to solve a problem, there has to be a lot of training sets - they need data. We're just at the very beginning of the adoption of automation. So, automation, the orchestration, automation response, it's really the way for us to digitize a lot of the human intelligence, how we respond to certain incidents. Still that really has much better coverage and variety and fidelity. The AI doesn't have a lot of data to train for the response - there are lots to train on, image recognition, voice recognition, and ML can do a lot of analytics of data, finding anomalies. But for AI to be in that position, an action engine, we're still very early, and I agree with you. We know we all need to be mindful of what data we're feeding into it. But also, it's important to say the role they play right now is this is not taking over the world. That's why I'm not scared about it.

iTWire: With that in mind, I'm left wondering, "what problem are we solving?" In our use of AI, we can't just say we want to solve this with AI without actually spending a lot of time saying this is a problem that we are addressing directly.

Song: For me, AI and ML are technologies [that are] there to help. The most important thing and the best thing they can do well, is they can churn through huge amounts of data, so fast, and they can enable you to make decisions and responses too, which is really the one thing that I looked at that AI/ML can do a lot better than humans. Humans are smart but we're just not good at finding patterns. So I think that's the one fundamental thing is, can you bring all this data together, bring the context together, bring the intelligence together, bring the history together and make sense out of it and make better decisions and AI and ML can help us with that.

iTWire: All through what you're saying, I'm still hearing the problem of learning bias. It was right through everything you said. To me, learning bias was underpinning all of it.

Song: Really, it's not different than me being a person coming to the team with what I know, right? Like, how can we share better? How can we get access to different sorts of data? This is where we probably need help, [perhaps] regulation. On the other side [our security adversaries], there's no regulations. And for us, you know, we all like to protect our brand or reputation. And we can share a lot of the data. So, I would say, what you pointed out, it's still a problem, we don't have a solution, but recognizing the problem is always the first step to solve a problem.

iTWire: Whenever we talk about IT security, I always remember the statement from the IRA, when they were speaking indirectly to Margaret Thatcher. They said, "you have to be lucky, all the time, we only have to be lucky once."

Song: Exactly. That's why it's asymmetric. They [can also] do AI and now they can do it well 90% of the time, or 99%, and they just [have to succeed] once, and we can have [just] one percent wrong. So I think the important thing really is that data is going to power a lot of the increasingly intelligent solutions and automation is very important [as a part of that]. We call it defence in depth, there's no one solution to solve everything. And what we're trying to do is really trying to bring all the things together, and enable the analysts to have work to really do all the things they need to do in the software and the one security solution. I use analogies like we want to help customers' security. And that concept, the AI engine, the data, the automation. Our job is to bring all the security together, we're not going to replace them [security analysts]. We just want to make them better. Better coordinated, better automated, and that [whole] security and defence in depth concept. So that's our vision or strategy.

iTWire: One more point about machine learning. I read a study recently where people trained this unit to distinguish between wolves and foxes. It was doing really, really well. But they said, actually what is it doing to decide which is which - how is it distinguishing between foxes and wolves? It turns out that if there was snow in the picture, it was determined to be a wolf - that was all it was doing. It would look at all these pictures and determine that if the background was white, it was a wolf, if it was not, it was a fox.

Song: So there's fashion designers, designing new fashion scarves, [somewhat] like sunglasses, and they basically do it in such a way that it defeats facial recognition. So we're thinking, the training set, we're thinking all the other high tech stuff. That could be just a new scarf but the facial recognition has no idea what this is. I think there's many different ways to mess up with the AI. There's still a long way to go for machines to learn what humans intuitively can do. But that's a new data point, and hopefully the technology says okay let's see if there's no wardrobe situations happen.

iTWire: What about 'fuzzing?' Do we throw unexpected content at our AI to see how it responds? Because that will then tell us how well it's learned.

Song: I think fuzzing is supported, you can test anything - applications, security. I don't know, right now if there's enough data that you [can] do it and really get conclusive [results] because we're still early.

iTWire: How do you manufacture a large body of fake data? That's a real problem.

Song: So it all comes to data, the data is the oxygen.

iTWire: Thank you for your time.

The author attended Splunk's .conf19 as a guest of the organisers.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
