Starbucks is using Splunk Phantom to automate the bulk of its “mundane” security tasks, reducing the amount of time its cyber security professionals spend on them.
Speaking at Splunk .conf 2018 in Florida, Mike Hughes, director of information security at Starbucks, shared two use cases for automating processes in its security operations.
Hughes said attackers are “not super villains” and that “the major breaches we hear about are because of the mundane”.
The main drivers behind attacks, according to Hughes, are nation states, organised crime rings, hackers and disgruntled insiders who are looking to steal customer data.
“We begin with asking, ‘Who is my attacker and what are they going to bring to the front door?’, and, ‘What am I going to need to defend myself against?’,” said Hughes.
The most problematic attacks are those that are “high in velocity and high in volume”, which cause serious problems if they go undetected. Combined with the pace of technology change, these attacks create issues that would need a large team of people to address.
“Because of the sheer volume of what’s occurring, you can’t just throw manpower at that,” said Hughes.
Not only is security talent “incredibly hard to find”, but the company also sees three million logins a day across hundreds of locations, just from people who work in the organisation.
It also collects data from 200,000 endpoints, from traditional computers to internet of things (IoT) connected coffee machines.
“We’re a big company, we have a lot of stuff going on – I could have 1,000 analysts, but I could still miss things,” said Hughes.
Starbucks therefore aims to automate areas with a high volume of tasks, including vulnerability management, antivirus, identity management and mail hygiene.
The goal is to make sure security personnel do not have to carry out time-consuming tasks or large volumes of the same task, and to make return on investment (ROI) easier to measure.
It can be very difficult to retain security staff because their skills are in such wide demand, and many companies have tried to make security jobs more interesting in a bid to keep talented staff.
“You’ve got to keep them busy, you got to keep them engaged,” said Hughes. “You want them to feel empowered to do the interesting things.”
Use case one: Malware triage response event
When an event needs to be prioritised and a decision made on whether to escalate it, the event is pushed automatically into Splunk Phantom. Phantom uses Splunk’s query tools to check the event against known threats and asks the antivirus platform whether the issue has already been flagged and dealt with.
Depending on the type of event, further variables such as the URL’s reputation score are checked, and a Splunk query examines how the machine associated with the threat is normally used, to establish whether this behaviour is typical for that particular machine.
Phantom then acts, or holds off, based on the event’s overall threat score; a ticket is opened either way so that the process is documented.
Hughes said this process is one of the biggest “wastes of time” for a security operations centre analyst. With it automated, all an analyst has to do is look at a dashboard once a ticket is raised and confirm that the right response has been taken.
“This takes one or two minutes – they’re in and out of the ticket and they’re done,” said Hughes. “That’s super important in volume.”
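The triage flow described above, written out as an added example. This is illustrative code, not Starbucks’ playbook or Splunk Phantom’s API: the antivirus verdicts, URL reputation scores and per-host process baseline that a real playbook would fetch through its apps are constructed dictionaries here, and the scoring weights and thresholds are assumptions. The point it shows is the shape of the decision: enrich, score, act (or not), and open a ticket regardless.

```python
"""Malware triage playbook sketch (added example; not Starbucks' or Splunk's code).

A Phantom playbook would pull these facts through its apps; here the antivirus
verdicts, URL reputation scores and per-host baseline are constructed stand-ins
so the logic runs offline. Weights and thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the antivirus console: file hash -> verdict.
AV_VERDICTS = {
    "sha256-known-quarantined": "quarantined",  # AV already contained it
    "sha256-known-detected": "detected",        # flagged but not contained
}
# Constructed stand-in for a URL reputation feed: 0 = clean, 100 = malicious.
URL_SCORES = {
    "http://updates.example.com/agent.msi": 5,
    "http://cdn.badhost.example.net/x.hta": 90,
}
# Constructed stand-in for a Splunk query: how often (host, process) was seen in 30 days.
HOST_BASELINE = {
    ("WS-0412", "powershell.exe"): 180,
    ("WS-0777", "mshta.exe"): 0,
}


@dataclass
class Event:
    host: str
    process: str
    sha256: str
    url: Optional[str] = None


@dataclass
class Ticket:
    event: Event
    score: int
    reasons: List[str]
    action: str
    status: str = "open"


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Combine AV verdict, URL reputation and host baseline into a 0-100 threat score."""
    score, reasons = 0, []
    verdict = AV_VERDICTS.get(ev.sha256)
    if verdict == "quarantined":
        score += 10
        reasons.append("av: already quarantined")
    elif verdict == "detected":
        score += 40
        reasons.append("av: detected, not contained")
    else:
        score += 30
        reasons.append("av: hash unknown")
    if ev.url is not None:
        url_score = URL_SCORES.get(ev.url, 50)  # unknown URL: treat as medium risk
        score += url_score // 2
        reasons.append(f"url: reputation {url_score}")
    seen = HOST_BASELINE.get((ev.host, ev.process), 0)
    if seen == 0:
        score += 30
        reasons.append("baseline: process never seen on this host")
    elif seen < 5:
        score += 15
        reasons.append("baseline: process rare on this host")
    else:
        reasons.append("baseline: normal for this host")
    return min(score, 100), reasons


def triage(ev: Event, isolate_at: int = 70, escalate_at: int = 40) -> Ticket:
    """Pick an action from the score; a ticket is opened whether or not we act."""
    score, reasons = score_event(ev)
    if AV_VERDICTS.get(ev.sha256) == "quarantined":
        action = "none: already contained by antivirus"
    elif score >= isolate_at:
        action = "isolate host"
    elif score >= escalate_at:
        action = "escalate to analyst"
    else:
        action = "none: below threshold"
    return Ticket(ev, score, reasons, action)


if __name__ == "__main__":
    samples = (
        Event("WS-0412", "powershell.exe", "sha256-known-quarantined", "http://updates.example.com/agent.msi"),
        Event("WS-0777", "mshta.exe", "sha256-unknown", "http://cdn.badhost.example.net/x.hta"),
        Event("WS-0412", "powershell.exe", "sha256-known-detected"),
    )
    for ev in samples:
        t = triage(ev)
        print(f"{ev.host:8} score={t.score:3} action={t.action}  [{'; '.join(t.reasons)}]")
```

The analyst’s one-to-two-minute check maps onto reading `Ticket.action` and `Ticket.reasons`; the reasons list is what lets them verify the automated decision quickly rather than re-deriving it.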
Use case two: Mail hygiene
Hughes said the majority of the high-profile breaches that have been seen in the past 10 years can be attributed to “poor mail hygiene” and that this element of security is “where you’ll get in trouble”.
Starbucks blocks 92 million emails from reaching its business, and inbound mail is held and detonated in a sandbox before it is allowed to move into the organisation.
When those tools miss something, action needs to be taken before the risk spreads, and this is where Starbucks uses Splunk Phantom.
Phantom runs a number of processes: a Splunk query for information about the user associated with the threat, a query for any action already taken, and, if required, opening a ticket.
“In some instances if the user or the issue is dealt with in real time, we can auto close the ticket,” said Hughes.
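The post-delivery response described above, as an added example rather than Starbucks’ or Splunk’s code. It assumes a message the gateway delivered is later judged malicious (for instance by detonation), and handles the path the text describes: find who actually received it, look up those users, check what has already been done, open a ticket only if something is outstanding, and auto-close it when every recipient was already dealt with. The gateway log lines, user directory and record of prior actions are constructed inline.

```python
"""Mail-hygiene response playbook sketch (added example; not Starbucks' or Splunk's code).

The log, user directory and prior-action record are constructed stand-ins for
the Splunk and ticketing queries a real playbook would make."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed mail-gateway log, one line per recipient copy.
MAIL_LOG = """\
2018-10-03T09:12:01Z action=deliver msgid=<m1@mail.example.net> from=invoice@supplier.example to=alice@example.com
2018-10-03T09:12:02Z action=deliver msgid=<m1@mail.example.net> from=invoice@supplier.example to=bob@example.com
2018-10-03T09:12:05Z action=block msgid=<m2@mail.example.net> from=reset@phish.example to=carol@example.com
2018-10-03T09:14:10Z action=deliver msgid=<m3@mail.example.net> from=news@list.example.org to=alice@example.com
"""
# Constructed stand-in for the identity directory query.
USERS = {
    "alice@example.com": {"dept": "finance", "manager": "dana@example.com"},
    "bob@example.com": {"dept": "stores", "manager": "erin@example.com"},
}
# Constructed record of actions already taken: (msgid, recipient) -> action.
PRIOR_ACTIONS: Dict[Tuple[str, str], str] = {
    ("<m1@mail.example.net>", "alice@example.com"): "purged from mailbox",
}

LINE = re.compile(r"action=(?P<action>\w+) msgid=(?P<msgid>\S+) from=(?P<sender>\S+) to=(?P<to>\S+)")


def delivered_recipients(msgid: str, log: str = MAIL_LOG) -> List[str]:
    """Recipients the gateway actually delivered msgid to; blocked copies are excluded."""
    out = []
    for line in log.splitlines():
        m = LINE.search(line)
        if m and m["msgid"] == msgid and m["action"] == "deliver":
            out.append(m["to"])
    return out


def record_action(msgid: str, recipient: str, action: str) -> None:
    """Record a remediation step (e.g. the message was pulled from the mailbox in real time)."""
    PRIOR_ACTIONS[(msgid, recipient)] = action


def respond(msgid: str) -> Optional[dict]:
    """Build the ticket for a message now known to be malicious.

    Returns None when no copy was delivered (nothing to clean up, so no ticket);
    otherwise a ticket that is 'open' while any recipient is still outstanding
    and 'auto-closed' when every recipient has already been dealt with."""
    recipients = delivered_recipients(msgid)
    if not recipients:
        return None
    outstanding = [r for r in recipients if (msgid, r) not in PRIOR_ACTIONS]
    return {
        "msgid": msgid,
        "recipients": [
            {"user": r, "info": USERS.get(r, {}), "prior": PRIOR_ACTIONS.get((msgid, r))}
            for r in recipients
        ],
        "outstanding": outstanding,
        "status": "open" if outstanding else "auto-closed",
    }


if __name__ == "__main__":
    print(respond("<m1@mail.example.net>")["status"])  # bob still has the message
    record_action("<m1@mail.example.net>", "bob@example.com", "purged from mailbox")
    print(respond("<m1@mail.example.net>")["status"])  # everyone handled: auto-closed
    print(respond("<m2@mail.example.net>"))  # blocked at the gateway: no ticket
```

Keying prior actions on the (message, recipient) pair rather than on the message alone is what makes the auto-close decision safe: one recipient being cleaned up does not close a ticket while another copy is still sitting in a mailbox.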
While Hughes admitted these “aren’t the sexiest use cases”, he believes they are some of the most important.