Query Security Data Challenge: Splunk Edition Webinar
November 1, 2023
In this webinar, Query CEO Matt Eberhart will discuss the who, how, and why of the Query Security Data Challenge: Splunk Edition with guests CISO at Query Neal Bridges, and CISO at IPG Troy Wilkinson.
Hear them share the value they’ve experienced with the Query Federated Search App for Splunk.
00:00:00:06 - 00:00:22:06
Matt Eberhart
Hello, everybody. Welcome to the Query webinar on the Security Data Challenge. I'm Matt Eberhardt. Great to see everyone. I want to start by introducing our two guests today. So we've got two great CISOs that I think some of you have probably spent some time with before. first, Troy Wilkinson from IPG. Hi, Troy. Thanks for joining.
00:00:22:08 - 00:00:24:13
Troy Wilkinson
Thank you very much, Matt. Glad to be here.
00:00:24:15 - 00:00:27:19
Matt Eberhart
And our very own Neal Bridges. Neal.
00:00:27:21 - 00:00:29:08
Neal Bridges
How's it going?
00:00:29:10 - 00:00:48:13
Matt Eberhart
Yes, I like the hat. Thanks for representing the Query hat today. Good stuff. Well, a couple things that we want to talk about today. So if you've been following along on LinkedIn, you've seen we've been making a lot of noise about that query security data challenge. So you might say what is the security data challenge.
00:00:48:13 - 00:01:13:03
Matt Eberhart
And well it really aligns with our mission at Query. So our mission is to help you all improve your security operations with data, to make better use of data across everything that you're doing. And we enable some foundationally different ways to access data. And we know that that requires you to make some changes to your operational picture, your operational cadence, your playbooks.
00:01:13:05 - 00:01:37:09
Matt Eberhart
And so we've invited you to challenge us to help make that security operational switch easier, better, more effective. The very first data challenge that we're opening up is around Splunk. So we've talked to a lot of you that have Splunk. And I've had some challenges bringing certain types of data into Splunk, whether it's cost related friction and getting access to the data.
00:01:37:11 - 00:01:58:03
Matt Eberhart
Just using data that's maybe not easy to bulk move. Like maybe you want to use the Microsoft Graph for better user data that are asset data, but we're doing some cool things that help make it a lot easier for you to increase your Splunk data picture without increasing your Splunk costs. So the Splunk Data Challenge is open now.
00:01:58:05 - 00:02:20:11
Matt Eberhart
We'll put a link in the comments. you can see it on our our web page as well to get more information on it. But mostly what we want to do today is really dive into a conversation with our two CISO guests and really learn a little bit more about how they think about making better use of data all across security operations.
00:02:20:13 - 00:02:41:21
Matt Eberhart
So so here we go. Let's let's start off with a question to Neal. We'll start with you. And you know I know there's a lot happening at Query around making better use of data across security operations. And you know you spend a lot of time with both the Query product and the product team. But your number one mission is to protect Query.
00:02:41:24 - 00:02:46:21
Matt Eberhart
So I'd love to hear a little bit more about how you're thinking about making better use of data.
00:02:46:23 - 00:02:57:09
Neal Bridges
Yeah. And it's been pretty interesting. So, you know, just a little background on me, right? I've led some security operations teams for some rather large fortune clients in the past, and I've built a lot of security ops functions from scratch.
00:02:57:09 - 00:03:36:02
Neal Bridges
And I've deployed several iterations of Splunk, both on-prem and cloud and hybrid models and things like that. I've, I've been graced with, with having large budgets, being able throw just tons of money at a problem like Splunk and definitely coming into, a company like Query and having to protect, a startup, at the early stages with limited resources, limited personnel, limited funds to be able to do that, had to get smarter and think more strategically about how I handle data and the query platform actually gives me that advantage and gives me that ability to start thinking about how to do things on a much more, you know, agile and strategic basis.
00:03:36:02 - 00:04:01:12
Neal Bridges
You know, especially being a SAAS company, we have data everywhere. We're largely remote. We don't have, an office anywhere. And so our organization is scattered all over the globe. And so having to provide protection, having to have visibility and having to have monitoring across a multitude of cloud assets and a multitude of remote workforce, has posed a different set of data challenges than any of the other organizations I've had to work with in the past.
00:04:01:14 - 00:04:26:03
Neal Bridges
And I think as we continue to get bigger, I think one of the things we continue to see is the predominance of, of SAAS solutions and just how easy it is to swipe a credit card and get access to yet another tool that arguably makes the business run faster and better and leaner. But, obviously presents a pretty huge, you know, attack surface increase from a security perspective that does require you to be able to, you know, identify threats, detect them, and then be able to respond to them.
00:04:26:03 - 00:04:35:17
Neal Bridges
And if you don't have access to that data, if you can't search that data when you get those, those alerts and those indicators, you know, what good are you from a security operations perspective?
00:04:35:19 - 00:04:39:14
Matt Eberhart
Yeah, no. For sure. For sure. What what do you think, Troy? Similar?
00:04:39:16 - 00:05:07:05
Troy Wilkinson
Yeah, I think that that data is the, you know, the future of security operations, really. And and how we access that data and how we query it, no pun intended. obviously is, you know, the secret sauce to how we're going to be successful in stopping bad actors at scale. I mean, we are hitting, you know, a tipping point of just the sheer amount of data that we can ingest and can search because the promise of XDR is bring all of your logs into one place, and we'll be able to apply analytics and correlation rules on top of that data.
00:05:07:05 - 00:05:26:15
Troy Wilkinson
Unfortunately, it doesn't work that way. You get it into a certain SIEM or whatever you want to call it, and you start trying to apply correlation rules over even a 24 hour period and the system slows down. You try to move that out to seven days, and all of a sudden you're you're looking at hours to do correlation searches when you really need to be doing them in real time.
00:05:26:17 - 00:05:44:02
Troy Wilkinson
And so the promise of the future to me is decoupling our data layer from our analytics layer. I think we need to have optionality around our data, how long we store it, what tier of storage that we store it into. You know, I'm a big fan of Amazon Security Lake and I will continue to talk about that journey.
00:05:44:04 - 00:06:12:09
Troy Wilkinson
But, you know, being able to decouple how we search our data versus how we store and own our data is really important to what I believe is the future security operations. Now, being able to query data without moving data is even more of the secret sauce, right? Instead of putting data at risk and moving it multiple times, to go from a tool to a to a SIEM to do searches and so on, you know, being able to query it with what I call federated search, is to me, the future.
00:06:12:09 - 00:06:32:06
Troy Wilkinson
But we all have regulations that say you must keep data for one year, three years, seven years, whatever your regulation says, you must keep that data. So we still have to put it somewhere. And that's why I love, Security Lake. You know, being able to have that zero cost ingest for third party data, you know, and I get to decide what tier of storage I keep it, how long I keep it.
00:06:32:08 - 00:06:57:11
Troy Wilkinson
And then using something like Query to do that federated search of the data. when I want to in that scale and I'm talking petabyte scale, in real time quickly to run those 30, 60, 90 day queries, to really stitch together the commonality of an attack rather than being, you know, hamstrung to a 24 hour search that really gives me such a small slice of a window into the attack surface of that particular threat actor.
00:06:57:11 - 00:07:01:03
Troy Wilkinson
So super excited about about this conversation.
00:07:01:05 - 00:07:20:04
Matt Eberhart
Yeah, no, it's great. And I think maybe staying on that thread for a minute. Troy, like, I know you've talked about Security Lake and you've been a big advocate for that. How have your architectures kind of changed in recent times? And, you know, as you start to think about creating an environment that where you have more choice.
00:07:20:04 - 00:07:33:07
Matt Eberhart
And I love that optionality word that you use around where the data is stored, how long it's retained, the type of storage, like so. Tell us maybe a little bit about some of the architectural changes that have been really beneficial for you.
00:07:33:09 - 00:07:51:09
Troy Wilkinson
Yeah. And I think architecturally, the way that we move data into Security Lake and putting it into that common format of OCSF is so crucial to the success of this. I don't think I would be even having this conversation about Security Lake if not for OCSF. Putting data into a common schema and format allows us to search it at scale, no matter what tool it comes from.
00:07:51:09 - 00:08:10:03
Troy Wilkinson
If it's in the Security Lake, it is there by design, and it has those common tags and format. So that's number one. Number two is the architecture of you know, we started with our in our journey, with security logs that were most important to us. Right. We started with the big security logs that we use every day to stop bad guys faster.
00:08:10:05 - 00:08:26:15
Troy Wilkinson
And by doing that and bringing those into the Security Lake, we were able to get better visibility and speed. But also on top of that, all of your native cloud logs, CloudTrail, CloudWatch, and all the other things that you have running in your cloud are also, very native to that format. So we made it, very easy.
00:08:26:17 - 00:08:42:00
Troy Wilkinson
From the — and we're still in a transition period here, ust to be very clear and honest, but I think a lot of my peers that I've talked to are like, I'm stuck on my legacy SIEM. I want to be what you're talking about. I want to be there someday. I don't see the light at the end of the tunnel.
00:08:42:00 - 00:08:58:24
Troy Wilkinson
I don't see the path from A to B, I'm scared to take a leap and I get that. And I think that, you know, hopefully I'll be able to prove the process out and share some of the successes. But, you know, as we decouple the data and we put data in the Security Lake, that's a data layer, imagine that's your core.
00:08:59:01 - 00:09:23:21
Troy Wilkinson
The second part was always the crucial part to get right. And that's the the querying, the dashboarding, the detections, the correlations, the matching. Without that layer, you know, this could never be successful. And that's where Query comes in to to that effect. And we talk a lot, about how we power that with threat intelligence and how we power that with threat detection and correlation and building that out so that we can mimic what we had in our legacy SIEM.
00:09:23:22 - 00:09:32:02
Troy Wilkinson
But now we're doing it at speed and at scale in the cloud, at, I mean, a fraction, a literal fraction of the cost.
00:09:32:04 - 00:09:53:16
Matt Eberhart
Yeah. No, that's that's amazing. I mean, to see the cost come down so much and but to simultaneously see the data picture really be able to explode because now you don't have these limiting factors of, wow, you know, I really want to have two years of historical CrowdStrike EDR logs, but boy, that's going to be 3 or $4 million with…
00:09:53:16 - 00:10:04:12
Matt Eberhart
…you know, whatever my SIEM is. So I really I love the fact that we can try to remove a lot of these cost concerns from the the operational needs. What do you think on this, Neal?
00:10:04:14 - 00:10:13:23
Neal Bridges
I mean, Troy hit the nail on the head like and I think Security Lake represents a solution to a long term problem that, you know, you mentioned peers being kind of stuck with where they where they go now Troy.
00:10:14:03 - 00:10:32:03
Neal Bridges
And I think you, there's also another layer to that where there's a lot of, you know, there's a lot of uncertainty and a lot of fear about what, what is in the cloud. How do I get access to that data in the cloud? How do I know something bad is happening in the cloud? Because you're only two choices prior to Query was, I need to leave it inside of my cloud provider, or I need to put it in my SIEM.
00:10:32:08 - 00:10:56:15
Neal Bridges
And both of those were terrible options, because you either need to teach analysts how to query in Athena to be able to do security investigations, which is, you know, teaching them basically how to be SQL administrators or you had to incur cost to bring them into your SIEM. And I think that that also compounded the stuck feature as we've started to migrate into the cloud, because it's really limited a lot of security teams to being effective and doing their security investigation in the cloud.
00:10:56:17 - 00:11:17:23
Neal Bridges
One of the things that I've been able to change architecturally, and how I think about security operations in being at Query and having access to the Query products for my own security operations is the ease in which I can put data into, you know, S3 buckets in Security Lake, inside of, inside of AWS and then be able to use Query to search it as if it were native inside of any of my other security operations platforms.
00:11:18:00 - 00:11:28:03
Neal Bridges
So I I'm that's the part that's exciting for me is that it does make that transition to being able to monitor and detect, for threats in the cloud a lot easier and a lot smarter there.
00:11:28:05 - 00:11:45:18
Troy Wilkinson
And just one thing want to add to that, which is so cool, is that, you know, we have regulations that say you must keep this type of data, let's say firewall logs, endpoint logs, network logs for X number of days. But maybe there's a log source that would be really beneficial., but you really don't want to pay to move it or to ingest it anywhere, or store it anywhere outside the tool.
00:11:45:24 - 00:12:05:14
Troy Wilkinson
Let's say your domain controllers, you know, expansive DNS queries and all the full Sysmon type of logging. You know, you can leave that data where it is and query it in real time with a federated search from Query.ai., get that dashboarding without ever moving that data, without ever incurring a cost for moving that data, without ever putting that data at risk while it's in motion.
00:12:05:16 - 00:12:16:00
Troy Wilkinson
I mean, this this actually ups the game, not just from I can do more with less, but also I get this tremendous expansion of my visibility as a force multiplier for your security operations team.
00:12:16:02 - 00:12:42:00
Matt Eberhart
Without a doubt. Yeah, I love that, I love that. And, you know, I think, we're talking a lot about about logs and that's certainly a big piece of security operations and important. But there's a lot of security relevant data that expands beyond logs. Right. Like what's actually the current run state of different systems and really making better use of, ticketing system data, or, you know, user data, asset data.
00:12:42:03 - 00:13:02:01
Matt Eberhart
Neal, I know, you had your, your boss sent you a text message early in the morning recently about, hey, what's going on with this Okta vulnerability. And, you know, are we potentially impacted at Query? And I, maybe you could share a little bit. I loved your blog on that, on that subject, maybe you could share a little bit about how what that journey looks like.
00:13:02:03 - 00:13:16:08
Neal Bridges
Yeah. Yeah. For some reason, I thought when you hired me that, that I was going to be a little different in terms of us working together, knowing that that we worked together in the, in the past. But I it's good to see that you continue the trend, the tradition of, you know, calling me at random hours and being like, what's this random thing I just heard on the news?
00:13:16:08 - 00:13:37:24
Neal Bridges
And can you answer it for me? No, but it's a very yeah, I've given this talk to a lot of people before like that is the security operations, you know, worst nightmare fear, right? The CISOs worst nightmare fear is your boss calls up and and finds something or hears something or reads a news article or, you know, a buddy tells them at the golf course, like, about this thing.
00:13:37:24 - 00:13:39:05
Neal Bridges
And you get a call and it's like.
00:13:39:10 - 00:13:40:02
Neal Bridges
00:13:40:02 - 00:14:11:10
Neal Bridges
You have to. provide an answer and so there's always that fear when you're sitting in this seat, that you've got to find answers to questions that you don't know if you're going to get asked quicker than your boss has time to come down and ask them. I don't know, Troy. Have you ever had to accomplish that as well? And so when when the Okta thing happened, you know, there was definitely a clock tick down, which is okay, how quickly can I get access to data that I needed to get access to that maybe I did or didn't have access to before, so that I could then search for the list of indicators that had come out on Friday at…
00:14:11:12 - 00:14:42:23
Neal Bridges
…the release of Brian Krebs’ blog that says, okay, are we impacted or are we not impacted? And so I went through an exercise of doing it with the resources that we had at Query. And then I went through and tried to do it from scratch to say, okay, how long would it take me if I needed to onboard new data sources from scratch, to, to do this if I didn't have those in there and the ability to be able to get new connections, whether they're, you know, common connections like a CrowdStrike or a SentinelOne or a Graph API or something like that, which are pretty, pretty standard or pretty easy
00:14:42:23 - 00:14:59:02
Neal Bridges
or even some of the more complicated, connections with like a, an Amazon S3 or an Azure Blob storage, being able to get those into the platform within 20 or 30 minutes, and then to be able to search those indicators across all of them, I think, really contributed to me being able to give you that answer in a really, really timely fashion.
00:14:59:04 - 00:15:00:20
Matt Eberhart
Yeah, it's great, it's great.
00:15:00:22 - 00:15:16:12
Troy Wilkinson
It's so funny because, you know, Matt, you know, my wife has a threat correlation threat in, intelligence company, and she's always the first to send me articles. And I always shake my head like you'll even hear me, say some choice words from the office here. When this when something comes out, I'm first to get it.
00:15:16:12 - 00:15:32:06
Troy Wilkinson
I'm looking at it like, Yeah. Not again. Right. So. So she's already prepping me. So, we used to have this, game that we would play where she would send me Threat Intel and we would see if our paid Intel sources would have it first. And she always won always won. So I understand how it is to have to answer for those things.
00:15:32:06 - 00:16:03:03
Troy Wilkinson
But fortunately, I'm in a position to be able to answer faster. But, you know, those, those kind of things where we're, you're looking at being able to do this query in place of threat intelligence, as we're talking about that threat correlation and bringing that into Query so that you're looking at your single pane of glass, your your incident responders, whether you have an MSSP that's doing your tier one, and then they're handing it off to your team, or if it's just your team doing it in-house, they have that single pane of glass that allows them to go out and quickly identify threat actors initial access and paint…
00:16:03:03 - 00:16:28:12
Troy Wilkinson
…that investigative timeline to eradication is so important to be able to to specifically say to your privacy and your legal counsel that we are confident that this is the totality of this, you know, incident, and we are confident that we don't have any other problems here. And being able to do that at speed and scale has been a challenge for legacy SIEM which is why the future on Security Lake with Query powered by Tego is so exciting to me.
00:16:28:14 - 00:17:05:08
Matt Eberhart
Yeah, no, for sure anybody that hasn't checked out, Tego Cyber is what Troy's talking about. And, Jen, we'll put it in the in the chat here, but tegocyber.com definitely definitely take a look. And you know when we think about increasing the access to, to data and really being able to kind of expand that security operational picture, that's one of the things I think is, is really important because, you know, there's a lot happening with, scrutiny around CISOs and particularly in large companies where they're being asked to just like you said, Troy, like, are we covered on this?
00:17:05:10 - 00:17:23:24
Matt Eberhart
And, you know, if you if you, if you're making cost based decisions on how much data you have access to or if you're limiting the visibility of those teams, and, you know, as, as a CISO, you're saying, well, I think we're covered. you know, I think we're covered is proving out not to be a good enough answer.
00:17:24:03 - 00:17:25:13
Troy Wilkinson
Just just look at Tim Brown, right?
00:17:25:22 - 00:17:28:15
Neal Bridges
I was gonna say that was a, great example.
00:17:28:17 - 00:17:54:06
Troy Wilkinson
Well, the Wells notice went into an actual lawsuit now. And so I want to point out that this new SEC regulation that goes into effect December 18th calls out not just materiality. It calls out in the aggregate. Matt. So as you think about that, you just mentioned a huge problem for CISOs. If you're limiting the visibility you have because you can't afford to bring in that telemetry, and you cannot say with a high degree of certainty that this is not part of something larger.
00:17:54:06 - 00:18:24:10
Troy Wilkinson
And it does make materiality thresholds because you can't see it in the aggregate. And that is actually verbatim in the SEC ruling, in the aggregate. So you have to think about the liability that you're putting on yourself as a CISO. Joe Sullivan, Tim Brown, good examples of how this could go bad for all of us. Right. So you have to take these things into account and make sure that you are as informed as you possibly can be, getting that investigative timeline stitched out so that you're confident that that is your blast radius and that is your totality of the action.
00:18:24:12 - 00:18:48:07
Matt Eberhart
You know, and I would say that not having having, you know, been now on the business side, being CEO responsible for, you know, also, the bottom line, like, and I think the reality is in 2023, in the economic climate that we're in, you know, being a CISO and going to the CFO and saying, we'll see. The SEC says that, you know, I need $20 million to keep all my logs.
00:18:48:09 - 00:19:10:16
Matt Eberhart
That’s also probably not going to happen. And so the ability to have some more cost effective ways to ultimately be able to get the job done, I think, is what a lot of people are looking for. And, you know, that's that's really how we came to this focus on on federated search for Query is because people like you, Troy and you, Neal, were like, this is the right way to do it, right?
00:19:10:16 - 00:19:19:18
Matt Eberhart
This is as you love the way you say that Troy of like decoupling the search and the analytics from the data and the storage like that. That is the future.
00:19:19:20 - 00:19:39:11
Troy Wilkinson
Yeah, absolutely. And if you think about it, you know, we all have regulations that require us to store data so that we're not going to get away from having to put data somewhere. So being able to actually decouple from that data ownership data or data stewardship to being able to really apply the analytics and threat intelligence correlation and actually real time search of things you never thought you could have.
00:19:39:12 - 00:19:57:22
Troy Wilkinson
You mentioned asset management systems. You mentioned maybe your IoT Phosphorus as an example, another portfolio company, at SYN Ventures. Yeah. tremendously great at finding IoT devices and things on your network you did know about. Imagine tapping into that with Query and saying, hey, we see new things on your network. You're not aware of it, just really in real time, bringing all this territory together.
00:19:57:23 - 00:20:05:15
Troy Wilkinson
It's kind of the promise of XDR that we've always been looking for. But now we actually have a way to to accomplish it without the cost.
00:20:05:17 - 00:20:24:15
Matt Eberhart
That's right. And I mean, I think with the three of us all having significant operational experience, it's like so many times when you go through and you do a detailed incident response engagement and you really spend the time to, you know, do the after action report, like the data the data was there, the indicators were somewhere, the data was somewhere.
00:20:24:15 - 00:20:50:02
Matt Eberhart
But it's being able to enable the right operator to put their hands on it when they need it and understand it and actually use it to draw an insight that that protects the business. I mean, yeah, that's that's the challenge we have. And I think for a lot of our customers tell us that, you know, as their security tool stack is increased from dozens of tools to 40 or 50 different tools that don't work together, that's become even more problematic.
00:20:50:02 - 00:21:08:23
Matt Eberhart
So, you know, I know not to get into the ditch of XDR, but I think you're I would agree with your comments, Troy, that it just hasn't really played out, right, that well. So. Well, good. There are a couple of questions coming in, so I'll, I'll, I'll throw out, for anybody else that wants to, to put any questions. And while…
00:21:08:23 - 00:21:26:02
Matt Eberhart
…we do that just to get to know Troy and Neal a little bit better. You guys both have an interesting shared connection around golf and the PGA. So, Troy, I think your daughter Mackenzie has accomplished some pretty impressive stuff with golf. Tell us about that.
00:21:26:04 - 00:21:40:05
Troy Wilkinson
Yeah. She's, you know, first of all, I'm just thankful that she decided to take up golf because I got her into it originally as a father because I wanted to play golf with her one day when she grew up. But, she really took to it. And now it's become a passion of hers. And, and thankfully, it is her passion.
00:21:40:05 - 00:22:01:09
Troy Wilkinson
And I'm not pushing it on her. Right. But, um, she’s been playing since she was eight she’s state ranked here in Nevada. She's 12 years old now. But even at 11 years old, we played in the Founders Cup Pro-Am with some pros, and she was out driving them on occasion. So, you know, she's hitting the ball 265 on average, sometimes up to 280-290, which is ridiculous for even an LPGA star.
00:22:01:09 - 00:22:18:18
Troy Wilkinson
But, you know, at 12 years old, this is amazing. So, we live in the land of Butch Harmon. If you know Tiger Woods golf coach that got him started. and it's just down the street to his his school. Her coach is a LPGA tour pro. So, this is just an exciting time to watch her growth, you know?
00:22:18:21 - 00:22:22:19
Troy Wilkinson
And just kind of live vicariously through the things she's getting to see and do.
00:22:22:21 - 00:22:23:10
Neal Bridges
That's awesome.
00:22:23:10 - 00:22:30:22
Matt Eberhart
Yeah. That's amazing. That's amazing. And, Neal I think you're targeting your first PGA event. Tell us about that.
00:22:30:24 - 00:22:43:24
Neal Bridges
I am yeah, I, I, I recently got serious about golf and started taking up tournaments. I've been playing on and off at very, very amateur status for, for for obviously a better part of a decade. I think most people do.
00:22:44:01 - 00:23:11:05
Neal Bridges
And I finally got serious about actually putting forth the effort to try to, make it to, the PGA tour late in life and, managed to I've got two LPGA coaches and, I love both of them and the, the, you know, golf has proven to be a huge mental health advantage for me. And just in terms of like, you know, getting into myself and being more patient with dealing with crises from from your CEO and when it comes with things to you, you know, at odd hours in the morning.
00:23:11:07 - 00:23:30:24
Neal Bridges
But, yeah, here in, here in a couple weeks, I'll be participating my first PGA event, part of the PGA's reach their, their, their, charity arm. The arm that gives back. They got a HOPE arm that focuses on veterans. And, I'm gonna be participating in the Secretary's Cup, the PGA Secretary's Cup for the for the PGA HOPE team.
00:23:30:24 - 00:23:33:03
Neal Bridges
So I'm super excited about that.
00:23:33:03 - 00:23:54:13
Matt Eberhart
It's awesome. Yeah. It's awesome. keep us posted for sure. That's great. So, first question, which so we started off talking a little bit about the, the security data challenge and the fact that right now, the kind of first challenge we've thrown out there is around Splunk. And so the question is, can I really use Query to reduce my Splunk bill?
00:23:54:15 - 00:24:15:07
Matt Eberhart
And, you know, I think the answer is like I'd say it's the answer to any good question. It's it depends. Right. Query is not a magic wand. But yeah, as we've been talking about, federated search gives you a lot more choice and control on where and how you store data. And one of the things I like about that is it helps you be way more mission driven.
00:24:15:08 - 00:24:36:12
Matt Eberhart
You know, when you start thinking about centralizing and collecting logs and putting it in a tool like Splunk, it's, you know, easy to just start trying to, you know, put as much as you can in there, basically until somebody tells you, no, you can't spend anymore money. But really thinking about, you know, what's the mission? Am I trying to, you know, do better at detection and try to shorten the time to to detection and correlating the alerts that come from those?
00:24:36:12 - 00:24:58:03
Matt Eberhart
Or am I trying to really improve my investigation process? Or maybe it's threat hunting that I'm after. And so, you know, Troy, I'm curious on on your you know, I know you were an early adopter of Security Lake and I've heard you talk about some of the cost benefits. You you believe that that drive. So, what are your thoughts around, you know, reducing those, reducing your SIEM bill?
00:24:58:05 - 00:25:21:02
Troy Wilkinson
Yeah. So I think that the industry average for SIEM is around $300,000 per terabyte per year. It just on average, and I know that we are significantly above that, just from our, perspective of data ingest, but moving to a security lake, reduced the cost just of storage of the data down to probably 80%. It reduces reduction.
00:25:21:08 - 00:25:43:01
Troy Wilkinson
So even when you add back in the cost of Query and the cost of, the enrichment and threat correlation detection, you know, you're probably at, 25% maximum of your original Splunk cost. That's estimated that I'm working on the ROI factor of all those different things. But here's the real rubber meets the road for me is people love their legacy, SIEM
00:25:43:01 - 00:26:08:05
Troy Wilkinson
And we'll say Splunk in this instance for the workflow and the ability to work inside of enterprise security to do very granular threat detections, threat correlation, threat intelligence matching. Also, security analyst workflows and dashboarding. I think a lot of that functionality, Matt, is built right into Query. You can adjust some people like, a friend of ours we met down in Florida two weeks ago said, hey, we've built our entire life on top of Splunk.
00:26:08:10 - 00:26:26:14
Troy Wilkinson
I haven't. I've hired this army of engineers who are never going to move off it. So that's okay, because you can use Query on top of Splunk to to be effective and find things faster and correlate over bigger data sets at speed and scale. So, you know, you can do that there. If you're if you're ingrained in Splunk and you're just like, I'm staying, I can't move.
00:26:26:16 - 00:26:43:04
Troy Wilkinson
That's okay. Query can help you there, but I can promise you that there is a path to being able to do more and faster and better and much, much cheaper. the way that I was talking about Security Lake with Query.
00:26:43:06 - 00:26:45:03
Matt Eberhart
No, I think I think that's great.
00:26:45:05 - 00:26:57:10
Neal Bridges
I think that that that hits the nail on the head. And I think it's back to what Matt was saying with choice. Like when I, when I talk to some of my friends who are still, you know, building and running security operations, you know, it always boils down to I need to make a decision.
00:26:57:10 - 00:27:20:01
Neal Bridges
And unfortunately, it's a decision that sacrifices my security posture. in the essence of of having to be more fiscally conservative for the organization that I’m being a part of. And I think, you know, I view I view the, the you know, the Splunk app that we have and the ability to bring a lot of that, that, that data into Splunk as not a, you know, a pitchfork rallying cry as a death of Splunk.
00:27:20:01 - 00:27:40:24
Neal Bridges
But, you know, hey, we finally have a choice that gives us an architectural freedom to decide how we want to best utilize and make efficient use out of the data that we get into Splunk, so that we can continue to to expand and do our mission, protecting organizations, you know, knowing that we've got people that are trained on Splunk, we've sent them to Splunk certifications that competed in boss of the SOC.
00:27:41:04 - 00:27:59:23
Neal Bridges
You know, you've got millions of dollars in architecture either tied up in an on-prem instance or a cloud. You spent countless hours writing dashboards and detection rules and reports for leadership and stuff like that, that you're just not going to turn off overnight. And so and so meeting the the needs of the security operations teams with where they're at, trying to solve those problems.
00:27:59:23 - 00:28:02:24
Neal Bridges
I think that's the the choice that excites me about it.
00:28:03:01 - 00:28:21:22
Matt Eberhart
For sure. I mean, one of the first use cases people tend to start with us is around, the high volume historical logs. So when you think about, like CrowdStrike logs, like, let's say you had 20,000 CrowdStrike endpoints, I mean, they can produce 30 to 50TB a year of data just there alone.
00:28:21:22 - 00:28:54:01
Matt Eberhart
And, you know, when you think about, am I going to spend 12 or $13,000 a year to put that in S3, or am I going to spend as you say Troy, $300k a terabyte to put it, to put it in my SIEM, and I mean, those, those kind of cost savings and that choice and control can add up really quickly and create, you know, so it's either free up some funding that you can apply to mitigating control or a program that you think is more effective, or just really help with significant cost avoidance for the future.
00:28:54:03 - 00:29:11:23
Troy Wilkinson
Agreed. And also, we started with security logs as a way to to test out the theory. Right. So we use Splunk for a lot more than security. You know, it has a lot of functionality. Different business units and departments use it for different things. But you know, we we carved out security now as a use case in an example.
00:29:12:00 - 00:29:42:06
Troy Wilkinson
And I think we've been pretty successful there. And I know my team likes it. And so it's really about what's best for your business and your use case. You may have an outsourced third party managing or for you that has to work there. We've seen that, you know, there's all kind of reasons. But the best part about Query is you can work in all of those situations to provide better insights faster, and actually tap into data that you can't bring into your SIEM for for any reason, whether there's no way to get it there logically, physically, or that is too expensive or something that you just want to look at longer term.
00:29:42:06 - 00:30:07:01
Troy Wilkinson
I use Sysmon all the time as the example. Very noisy, but you want to see it. It gives you a lot of great telemetry on the endpoints. DNS logs. People generally don't store that. It's just too voluminous and not, worth storing. But if you could query it in place, different story. You know, there's all types of logs that you could bring into the query dashboard, married up with the stuff that you are storing in your SIEM to give you that holistic picture, which is exactly what we're looking for, right?
00:30:07:02 - 00:30:22:09
Troy Wilkinson
We want to know everything we can about an incident, a threat, a threat actor, an endpoint so that we can confidently say we've eradicated them. We have completely stopped the bleeding. And there's no legacy, persistence, you know, still sitting there.
00:30:22:11 - 00:30:48:03
Matt Eberhart
Absolutely, absolutely. And, yeah, Neal has a ton of experience with you know, building Splunk content, as they call it, right, whether it's dashboards and different reports. And so our, our Splunk app enables you to kind of bring the power of, of, of Query federated search as almost like a distributed data mesh right inside of Splunk, and we love that because, I mean, look, Splunk got some very powerful capabilities.
00:30:48:03 - 00:31:10:02
Matt Eberhart
Like when you look at what you can do with SPL and types of dashboards and visualizations, like being able to leverage that with that expanded data, whether it's data directly in SaaS systems data in Security Lake data in S3 buckets or wherever it is like, that just gives you a lot more choice and control. So that's awesome. One last question.
00:31:10:02 - 00:31:30:00
Matt Eberhart
So switching gears a little bit, with both of you all being a CISO and I know both of you all staying up on trends, what are you thoughts on, all the kind of news cycle, if you will, around the power of AI and LLMs and security? Have you seen anything particularly cool or, you know, what do you what do you think?
00:31:30:00 - 00:31:31:22
Matt Eberhart
Well, we'll start with you, Troy.
00:31:31:24 - 00:31:53:07
Troy Wilkinson
Yeah, absolutely. I think, we are ushering in a new era. You know, it's like another industrial revolution, right? There's so many facets of AI. And, you know, Jonathan, over at Cranium, we talk about this all the time, from protecting the foundational models to protecting against bias and data poisoning. That's that's one conversation. But as it relates to how are we going to use AI to protect our companies from threat actors?
00:31:53:07 - 00:32:18:04
Troy Wilkinson
That's where my my mind goes. You know, I think that, you know, Charlotte over at CrowdStrike is an amazing tool. I think Purple at SentinelOne is an amazing tool. I know that other security companies are really looking to leverage large language models and turning our own security telemetry into a large language model that we can then search with either natural language processing or, you know, through queries that we have with Query.
00:32:18:04 - 00:32:41:18
Troy Wilkinson
As an example, I think that this is going to empower us. I don't think it's coming from my job. I don't think it's coming for my SOC Analyst’s job. I think it's going to make my SOC Analyst better. I think we're going to be able to find bad guys faster, and we're really going to close the window a bit of this, you know, kind of arms race with the bad guys of they're just getting around our controls and our visibility, and they're coming up with the new technique I think we're going to be using.
00:32:41:18 - 00:32:45:17
Troy Wilkinson
On the flip side of that, threat actors are already using them, to…
00:32:45:18 - 00:32:46:06
Matt Eberhart
00:32:46:06 - 00:33:04:06
Troy Wilkinson
…create exploits faster. You know, when a zero day comes out, the exploits already available on the dark web within hours because of AI, they're able to use AI to write better phishing emails and get into my environment. They're able to write AI queries to better, put together the reconnaissance phase of an attack as an example. So, you know, bad guys are using this.
00:33:04:06 - 00:33:14:17
Troy Wilkinson
So we should not be turning a blind eye to it because, they're using it against us, and we should be leveraging it every time we can to be better, faster, stronger to, you know, bolster our security.
00:33:14:19 - 00:33:21:23
Matt Eberhart
Yeah. Neal, I know you talk about this on the screen. So, what get give us the TL;DR
00:33:22:00 - 00:33:40:19
Neal Bridges
Yeah. I mean, it's it's always a tough concept. So so I streamed it to to thousands of cybersecurity professionals all across the gamut, you know, on a weekly basis. And AI has obviously come up, you know, on almost every stream between now and March or February, whenever ChatGPT really kind of like, started to start to stick its head out of the turtle shell.
00:33:40:21 - 00:33:53:09
Neal Bridges
And, and I think, Troy, you hit the nail on the head like, I don't think it's going to come for SOC Analyst’s jobs anytime soon. I know that's a lot of people's concerns. you know, and you're right, you know, the adversaries are using it, you know, you know, as soon as soon as it was, it was available.
00:33:53:09 - 00:34:25:19
Neal Bridges
Adversaries ran to it to see how they could they could advance our attacks. And so I'm very much in favor of democratizing, you know, the advancement of technology, especially in the security phase, to make sure that both the attack, the attackers and the defenders can make utilization, in the best way possible. I think if I were to identify the the concerns that I fundamentally have around, you know, you know, AI's role in security operations and security data, is I think, and this came up in a, in a conference that I attended a couple of weeks ago, which is the hallucination aspect of, you know, you know, determining whether, you know, a
00:34:25:19 - 00:34:48:05
Neal Bridges
result is indeed a derived result from the appropriate amount of inputs or whether it's something that that the large language model and the AI has had to stretch itself to, to make and ascertain. And we've already seen cases on the legal side where people have tried to use AI to, justify legal stances and legal arguments. And there's been lawyers who have come up with legal basis that they've asked AI to produce that have not existed.
00:34:48:05 - 00:34:59:15
Neal Bridges
And a lot of that hallucination, I think, is what's going to be a huge limitation, you know, kind of inhibiting us from seeing some positive results out of using AI in that threat detection space.
00:34:59:21 - 00:35:07:12
Matt Eberhart
Oh, I, I agree, I agree, I think you know, the other thing that I, that I find really interesting is just the idea of like, how do you attack an LLM?
00:35:07:14 - 00:35:30:20
Matt Eberhart
And I thought, I'll put the link in the, in the chat, but Caleb Sima wrote, wrote a Medium post a few months ago about, I think it demystifying LLM threats. It's it's fantastic and really thinking about like how you can you can attack those and whether it's poisoning the data or other things. But there's there's, there's clearly I, I like the way you said it, Troy.
00:35:30:20 - 00:35:49:20
Matt Eberhart
There's clearly a lot of power and potential and I, I totally agree with you as well, Neal. I don't think it's coming for anybody's job immediately, like, as far as replacing people. But I think there's there's a lot of power to it. But there's also still a lot to be, to be thought out. So that's great. Well, gentlemen, this is great.
00:35:49:20 - 00:36:01:02
Matt Eberhart
Very appreciative of you taking a few minutes out of your day and having a chat with us. Thank you very much. Neal, as always, thank you. And, Troy, it's great to see you and really appreciate your thoughts and your time today.
00:36:01:04 - 00:36:19:00
Troy Wilkinson
Absolutely. Thank you. Matt. And, you know, this is a subject that I'm passionate about. So if anybody is watching this and want to hear about the journey from legacy SIEM to Security Lake, happy to, you know, give you my story on how that happened and what our successes are so far. It's a journey in progress. So, you know, I'd love to get engaged with the community on on that perspective.
00:36:19:02 - 00:36:36:05
Matt Eberhart
We're all on LinkedIn and post pretty frequently, so give us, give us a follow or connection there. You know, check out Query as well if you're not following it on, on LinkedIn, we talk about a lot of these topics. And we do we throw in a nice spicy meme or two here or there as well.
00:36:36:05 - 00:36:39:09
Troy Wilkinson
So you took my question, who's the meme master at Query?
00:36:39:09 - 00:36:40:20
Troy Wilkinson
Because they're doing a great job. Who is.
00:36:40:20 - 00:36:41:21
Troy Wilkinson
That that comes up.
00:36:41:21 - 00:36:43:21
Neal Bridges
Shout out to Dave Wheeler on that one.
00:36:44:00 - 00:36:54:08
Matt Eberhart
Dave Wheeler and Robbie. But it's a team effort for sure. All right. But yes we are. We try to we try to have some fun. And it's it's been it's been fun to watch for sure.
00:36:54:10 - 00:36:55:05
Troy Wilkinson
Winner winner chicken dinner.
00:36:55:08 - 00:37:00:18
Matt Eberhart
Thanks for the shout out and good stuff. Exactly. All right thanks everybody. Have a great day. Appreciate it.
00:37:00:18 - 00:37:01:16
Troy Wilkinson
Thank you very much. Cheers.