Splunk Brings Big Data Into Security Monitoring

Telco IDT taps Splunk to optimize IT and isolate security threats. The next step is spotting marketing opportunities hidden in big data.

Doug Henschen, Executive Editor, Enterprise Apps

December 11, 2013

Machine data tends to come in high volumes, and it's usually a starting point for Splunk, the IT-centric big data analytics platform. Repeating a land-and-expand pattern often experienced by Splunk, customer IDT, a telecommunications and payment services company, has moved from using the platform for datacenter optimization to a high-speed security application. The planned next step is into business and marketing applications.

Splunk monitors server log files and systems data streams and then offers analytics tools to spot and interpret patterns and anomalies in data that are indicative of performance problems or outages. IDT first deployed Splunk in 2008 to address IT systems troubleshooting, and initial success led to wider use across all of IT. Splunk has effectively replaced a homegrown trouble-analysis application built on a relational database, and IDT reports that the mean time to resolve IT incidents has dropped by more than 20 minutes while network uptime has improved dramatically.

"We had one report that took us 32 hours to run on the old database, and now we're getting it out within two minutes using Splunk," said Golan Ben-Oni, chief security officer and senior VP of network architecture, in a phone interview with InformationWeek. "Once we saw the speed and agility of the platform, it just kind of crept all over the organization."

This year, IDT brought Splunk into a security role, replacing a security information and event monitoring system implemented only a year ago. That tool took as long as 15 minutes to issue an alert triggered by correlations of events from security products including Palo Alto Networks firewall software, a FireEye threat-detection platform, and Fidelis Security Systems network security appliances. Security engineers then took another 15 minutes, at minimum, to isolate infected systems on the network. Between the two delays, IDT was taking too long to respond to security threats.

"It's important to get an infected system off the network as soon as possible, because if a system on the inside of a network has been compromised, it's much easier for an attacker to move laterally within that network because they're behind the firewall," said Ben-Oni.

Taking advantage of Splunk apps, including the Splunk App for Enterprise Security, Splunk App for PCI Compliance, and Splunk App for Palo Alto Networks, IDT was able to speed both alerting and automated response to threats.

"The integration that we did effectively acts on the alerts by triggering Palo Alto to isolate infected systems," Ben-Oni said. "Our target was to get response times down to one minute, but when we implemented it we found the system can react within as little as 18 seconds."
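The correlate-then-isolate flow described above, as an added illustration rather than IDT's or Splunk's own code: events from several security products are grouped per host, a host is flagged once enough distinct products report it inside a short window, and the alert latency is recorded so response time can be measured. The log format, product names as source tags, hosts and thresholds are constructed assumptions.

```python
"""Multi-source alert correlation with an isolation decision per host.
Added example, not IDT's or Splunk's code; all sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, reporting product, host, event type.
SAMPLE_EVENTS = [
    "2013-12-11T10:00:00 palo_alto host=10.1.2.3 event=threat",
    "2013-12-11T10:00:05 fireeye host=10.1.2.3 event=malware_callback",
    "2013-12-11T10:00:09 fidelis host=10.1.2.3 event=data_exfil",
    "2013-12-11T10:00:30 palo_alto host=10.1.2.9 event=threat",
    "2013-12-11T10:20:00 fireeye host=10.1.2.9 event=malware_callback",
]


def parse(line):
    """Split one constructed log line into a dict (assumed format above)."""
    ts, source, host_kv, event_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host_kv.split("=", 1)[1], "event": event_kv.split("=", 1)[1]}


def correlate(lines, window=timedelta(minutes=5), min_sources=2):
    """Return an isolation decision for each host that at least `min_sources`
    distinct products report within `window` of the host's first event.
    The alert time is the moment the threshold is crossed, so the latency
    from first sighting to decision is measurable for each host."""
    by_host = defaultdict(list)
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    decisions = {}
    for host, evs in by_host.items():
        first, seen = evs[0]["ts"], set()
        for e in evs:
            if e["ts"] - first > window:
                break  # later events are outside the correlation window
            seen.add(e["source"])
            if len(seen) >= min_sources:
                decisions[host] = {
                    "action": "isolate",  # handed to the firewall integration
                    "sources": sorted(seen),
                    "alert_latency_s": (e["ts"] - first).total_seconds(),
                }
                break
    return decisions


if __name__ == "__main__":
    for host, d in correlate(SAMPLE_EVENTS).items():
        print(host, d)
```

With the sample data, 10.1.2.3 is flagged five seconds after its first event while 10.1.2.9, whose second report arrives twenty minutes later, is not.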

IDT's next planned expansion in the use of Splunk is into detection of business and marketing opportunities, visualizing patterns in data that previously went unobserved.

"We'll be looking at where, geographically, for example, users are coming into the network, so we can identify key emerging market regions that may need more marketing attention," said Ben-Oni. "A key advantage with Splunk is that we can correlate geographic information from every source, which is something we've exploited on the telecom side of the business to identify carriers that we interconnect with that may be having problems so we could restore services as quickly as possible."

Splunk gathers data both on network usage and on Web site interactions, so another business use case is developing richer behavioral customer profiles, said Ben-Oni.

Now that so much data is being stored in Splunk (which relies on its own, proprietary data store), Ben-Oni says IDT is definitely considering Splunk's "Hunk" integration with Hadoop, which would support high-scale, low-cost storage of data that the company might not otherwise keep.

"I would love to have all my data directly within Splunk's infrastructure, but the beauty of the Hadoop-Splunk integration is that we can, at an extremely low cost, snap up all kinds of data that we wouldn't be able to consider in any other environment," Ben-Oni said.

Doug Henschen is executive editor of InformationWeek, where he covers the intersection of enterprise applications with information management, business intelligence, big data, and analytics. He previously served as editor-in-chief of Intelligent Enterprise, editor-in-chief of Transform Magazine, and executive editor at DM News.
