“Splunk started as a tool for IT people to interact with log data and connect the dots,” said Haiyan Song, the company’s SVP of Security Markets. “Customers could download a free version, so that created a viral effect, and enabled a big community of users who would come up with ideas.”
One of those customers was Monzy Merza, who, back in 2009, worked in data research for the government, and had created a tool to analyze certain event information from security devices, like firewalls and proxies.
“During a progress briefing, somebody said that Splunk could do something similar,” Merza said.
“I asked him if he’d bought it, and the guy said no, so I told him to forget it.”
Two years later, Merza did a 180, having downloaded the free version and discovered its analysis capabilities “were 70 percent of the way there.” He called Splunk and ran a trial, after which he told the company that it was close, so “why not finish the job?”
The salesperson got a few engineers on the line and Merza shared his likes and dislikes, and asked about adding APIs and dashboard features. Soon, engineers started calling him before adding new features to see if they’d be useful, and his thinking was reflected in subsequent releases. When Merza and his team worked with other organizations, they were asked why their platform was so good, which got more people interested in Splunk trials.
Merza joined Splunk in 2011 as a solutions architect, and eventually became the company’s Chief Security Evangelist and Director of Cyber Research.
“The foundational platform was ready to serve,” he said. “The question was orienting it, and how could we democratize the functionality to work for a variety of applications.”
About the same time, driven by the rising use cases in security and compliance, Splunk hired the principals and purchased intellectual property from one of its partners, Glasshouse, which focused on building security solutions on top of Splunk, according to Song. Even so, as a growing machine data platform company, Splunk didn’t want to be tagged as a security-only company.
But the security applications were too immense to ignore. Building models of what ‘normal’ access behavior looks like, along with mapping its many touch points, let customers implement what IT professionals call “security information and event management” (SIEM). Flagging anomalous behaviors could yield advance warning of cyberattacks, thefts, or potential weaknesses.
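The “model normal, flag the deviations” idea in the paragraph above, as an added illustration that is not Splunk’s code, its query language, or anything from Enterprise Security: a per-user baseline of source addresses and login hours is built from constructed authentication log lines, and then new events are checked against it. The log format, the field names, the thresholds and the sample values are all assumptions made for this example.

```python
"""Added example: baseline "normal" access behavior per user, then flag
events that deviate from it. Illustrative code written for this article,
not Splunk's product; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format:
# "<ISO timestamp> <user> <source ip> <action> <result>")
BASELINE_LOGS = """\
2023-03-01T09:02:11 alice 10.1.4.22 login success
2023-03-01T09:15:40 alice 10.1.4.22 login success
2023-03-02T08:58:03 alice 10.1.4.22 login success
2023-03-02T17:30:12 alice 10.1.4.23 login success
2023-03-01T10:05:00 bob 10.1.7.9 login success
2023-03-02T10:12:45 bob 10.1.7.9 login success
2023-03-03T09:50:30 bob 10.1.7.9 login success
"""

# Constructed events to score against the baseline
NEW_EVENTS = """\
2023-03-04T09:10:00 alice 10.1.4.22 login success
2023-03-04T03:12:41 alice 203.0.113.5 login success
2023-03-04T10:00:00 bob 10.1.7.9 login failure
2023-03-04T10:00:05 bob 10.1.7.9 login failure
2023-03-04T10:00:09 bob 10.1.7.9 login failure
2023-03-04T10:00:14 bob 10.1.7.9 login failure
2023-03-04T11:00:00 carol 10.1.9.1 login success
"""


def parse(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "result": result})
    return events


def build_baseline(events):
    """Per-user profile: source IPs and hours of day seen on successful logins."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            profile[e["user"]]["ips"].add(e["ip"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile


def detect_anomalies(baseline, events, fail_threshold=3, fail_window_s=60):
    """Return one alert dict per suspicious event.

    Rules (assumed for the example): unknown user, successful login from a
    source IP or at an hour not in the user's baseline, and a burst of
    failed logins within fail_window_s seconds (the burst counter resets
    once it fires, so one burst yields one alert)."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps in window
    for e in events:
        user, ts = e["user"], e["ts"]
        if user not in baseline:
            alerts.append({"user": user, "ts": ts,
                           "reasons": ["no baseline for user"]})
            continue
        profile = baseline[user]
        reasons = []
        if e["result"] == "success":
            if e["ip"] not in profile["ips"]:
                reasons.append("login from source IP not in baseline")
            if ts.hour not in profile["hours"]:
                reasons.append("login at hour not in baseline")
        elif e["result"] == "failure":
            window = [t for t in recent_failures[user]
                      if (ts - t).total_seconds() <= fail_window_s]
            window.append(ts)
            if len(window) >= fail_threshold:
                reasons.append("%d failed logins within %ds"
                               % (len(window), fail_window_s))
                window = []
            recent_failures[user] = window
        if reasons:
            alerts.append({"user": user, "ts": ts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    for a in detect_anomalies(base, parse(NEW_EVENTS)):
        print(a["ts"].isoformat(), a["user"], "; ".join(a["reasons"]))
```

Run against the constructed data, the off-hours login from an unfamiliar address, the burst of failed logins, and the account with no history each produce one alert, while the routine morning login is left alone. A production baseline would be learned over weeks of data and tolerate some variance, but the shape is the same: profile, compare, alert.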
Godfrey Sullivan, Splunk’s CEO at the time, saw the need for more domain experts, and recruited more security staff in 2013. Once Song came on board the next year “the light bulb went off.”
“We asked ‘why is the customer coming to us,’” she said.
“That’s when we minted the phrase ‘Analytics Driven Security’ and started talking about the nerve center for security.”
The nerve center concept formalized the utility of Splunk’s work in security as an actual product and services offering, called Enterprise Security. Now, the newest innovation effort uses machine learning to identify anomalies and threats, and to iterate on improvements from there. To expedite this effort, Splunk acquired Caspida in 2015, and this year announced an initiative to get industry leaders to collaborate on the ‘what’ and ‘how’ of its nerve center responses.
Song, along with her small team that functions “like a little company,” is busy collaborating with security vendors and partners, as well as evangelizing internally the security component of Splunk’s overall business. Its latest deal is to be core to Accenture’s huge cybersecurity defense platform.
These days, security accounts for about 40 percent of Splunk’s revenues, according to its comments on recent earnings calls.
Song and Merza declined to comment on what other innovations the company is getting from its customers these days, though they hinted that there are other nascent “little groups” operating at Splunk in the areas of IT operations, the Internet of Things, and business analytics.