When the news broke that a pervasive supply chain attack had compromised a wide swath of government and commercial sector IT systems, one of the first companies many organizations called in to help was Splunk, recalls Eric Schou, Area Vice President and head of security marketing at Splunk.
Fortunately for Splunk, the company’s internal IT operations don’t use the network monitoring software, made by SolarWinds, that nation-state hackers used to infiltrate hundreds, if not thousands, of enterprise IT networks. Security experts, including Anne Neuberger, the new White House Deputy Security Advisor for Cyber and Emerging Technology, say it will likely take months to uncover the full impact of the attack.
“Even though we were not impacted, we wanted to make sure that we were protected, and monitoring our environment for any signs of this Sunburst malware or any other malware that looked similar to this. We also wanted to make sure that we immediately had a response out to our customers…and that our customers, number one, knew what to do,” says Schou in a podcast interview, produced by CyberScoop and underwritten by Splunk.
“One thing that was clear early on through this experience was that Splunk… is really core and at the center of security operations centers,” in part, he says, because of the analytics tools Splunk offers that deliver “enhanced visibility, and the ability to detect and take specific action.”
Without those tools, organizations “will just not…be able to look back over three or six months’ worth of data and logs and be able to pull it up and make specific decisions on where to go or what to do and what’s a priority,” he says. “That’s just very, very difficult to do if they didn’t have [data analytic tools like those offered by] Splunk.”
The importance of zero trust playbooks
Events like this are a reminder of how important it is for organizations — especially high-profile organizations in industry and government — to have a zero-trust architecture in place, says Schou. And in light of the nature of this most recent attack, it’s equally important to look “at more than just what you have, but also what your suppliers are using,” he says.
Schou acknowledges, “That’s tough to do, but what you can do is make sure that your overall detection and response is better than, let’s say, a year ago.”
Having a zero-trust playbook also helps when having a conversation at higher levels in the organization around investment resources to make sure that you’re protecting what’s most important first, he says.
During the interview, Schou highlights approaches that Splunk has taken internally in its own efforts to establish zero-trust practices, and what other organizations can do regardless of how far along they are in embracing zero-trust principles. He also says that having enhanced analytics tools will be even more important in the face of future attacks.
“What’s happening a lot now,” he says, “and why Splunk has definitely been involved in a lot of these conversations, is that we see a lot of organizations building out a very in-depth [set of] data analytics capabilities, as a part of a broader zero-trust strategy. And then taking advantage of those things to improve visibility and security operations.”
Learn more about how the SolarWinds cyberattack might affect your agency. Listen to the podcast for the full conversation on how zero trust helps insulate Splunk from supply chain attacks. You can hear more coverage of “IT security modernization” on our CyberScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by CyberScoop and underwritten by Splunk.
Eric Schou has spent his career helping enterprises make better use of security products, having worked at Symantec, McAfee, Good Technology, HPE and Palo Alto Networks prior to joining Splunk.