Logs, security, corporate culture and Splunk
I have been fortunate to attend Blackhat USA 2008 this year. I don’t usually pay too much attention to the vendors present as I am much more interested in the training, the researchers and their presentations and papers, but I usually peruse the vendor booths at some point during the conference.
I stopped at Splunk’s booth for two reasons. The first was that Alex Bewley mentioned them on his blog. I used to work for Alex at a previous company. Alex is a smart guy (in my opinion anyway), so the fact that he took the time to mention them is worth noting. The second reason was that I knew they had something to do with log management, analysis and forensics. Analysis and forensics are a big part of my job and a natural interest I have always had. It is why I like working in security.
One of the first things that caught my attention was that the staff were genuinely nice. You could tell they were enjoying themselves and, for the most part, enjoyed their jobs and liked working for Splunk. It wasn’t just one or two of them either, it was all of them. They were all open, honest people and this was readily apparent. It was like you were talking to real people, not a facade. Even the demo they gave didn’t feel like a sales presentation. It is really great when a company lets employees be themselves and trusts that they will do the right thing. This is all part of a company’s corporate culture, which is very important. Lately, in talking to others, especially at this conference, I get the sense that corporate culture is getting worse instead of better. One of the main reasons I enjoy working at Sandvine, and have been at Sandvine as long as I have, is their corporate culture. I have no doubt our culture is very similar to Splunk’s. Alex also wrote a blog entry on corporate culture recently. If you are interested it can be found here.
The Splunk staff gave me a detailed tour of their software. In simple terms, it can take any ASCII data and index it. But it does so much more. You can search, create events, correlate different events, and produce graphs and alerts. It is extremely configurable and easy to use. Anyone who has logs or events from any system and needs to analyze them, whether forensically, proactively or for any other reason, should give Splunk a try.
Splunk has taken a problem (log management) which has been around for a very long time and made it easy. There is no need to write custom code or scripts and have people maintain them through changes and upgrades. My first job out of school was as a firewall administrator for a large financial institution. One of my tasks was to automate the processing of the firewall logs, create alerts, automated responses, etc. I used Perl and did a pretty good job, I think. However, I wish back then I had something like Splunk. It is a really well thought out piece of software. I was impressed, and I don’t impress easily.
“See what happens when you put a bunch of guys together that work hard and like what they do. Things get done.” — Mike Holmes
I honestly believe there is a direct correlation between Corporate Culture and good software.
