The number and variety of devices and processes pinging applications and databases make visibility an essential part of getting to zero trust.

“If you can’t see what’s going on in your environment, you can’t respond appropriately, and that’s when bad things happen,” said Micheal Farmer, a security solutions architect at Splunk.

Real-time visibility gives cyber practitioners the knowledge they need to know what data they need to address to more effectively manage their environments, Farmer said during Federal News Network’s Accelerate Together: Zero Trust 2025.

“The top concerns I’m hearing are around insider threat, cloud security, real-time threat detection and around compliance,” he said. “A lot of organizations are struggling to have that visibility across their environment, and they’re especially worried when they have a hybrid or a multicloud environment situation.”

End-to-end enterprise visibility

Organizations must monitor the activities of network devices, endpoint user devices and the users themselves, Farmer said. Each of these produces log data, as do the various tools used for identity, access and device management. It all adds up to a lot of data, he said.

Splunk provides an analytic capability that creates a unified view of the combined data, both structured and unstructured.

“It pulls in information from across the entire environment, including networks, endpoints, cloud and identity systems, and gives you real-time visibility into what’s happening now when it comes to zero trust,” Farmer said.

More than visibility, he added, Splunk brings orchestration and automation to the remediation of anomalies that turn up in those data analyses.

Because agencies typically have hybrid environments — data centers and commercial cloud presences — their security and adjacent log data will likely be stored in several locations. To address that hybrid, multicloud environment, Splunk provides what Farmer called unified security monitoring.

“We pull in that data from on premises, in the cloud and within the endpoints to detect incidents in real time,” he said.

Supporting multiple tools to allow real-time visibility

Because agencies typically use multiple cybersecurity and monitoring tools as well, Farmer said, Splunk has integrated its analysis capabilities with more than 300 specific products. Users can find them in a directory called SplunkBase.

The analytics also operate in a partner ecosystem that includes AWS cloud services and Splunk’s partners, Farmer said. Splunk customers that use AWS are able to integrate both companies’ data in their own security ecosystems.

Credentialing and access management are equally crucial to zero trust, he said, noting that zero trust requires adaptive authentication.

“We’re not just letting someone in because they have the right credentials,” Farmer said. “We want to make sure they’re accessing [an application] from the correct machine. They’re in the correct geographical location.”

“Agencies define their access policies,” he added. “Identity is just one portion of that. Once that policy has been defined, we can replicate it within Splunk and make sure it’s being enforced.”

Enhancing network visibility with AI

More recently, Splunk has added an element of artificial intelligence and predictive analytics to how its software evaluates the behavior of user devices as well as nonhuman calls to network resources.

“With adaptive and predictive, what we’re looking at is abnormal behavior,” Farmer said. “Through machine learning and the Splunk analytics, we can determine if a person’s activities are abnormal.”

This capability can be trained to be quite fine-grained, he said. For example, if a user normally has three or four password failures on a Monday morning, that becomes their norm.

By contrast, “if someone else logs in and they’ve hardly ever had a password failure, but they suddenly have 20 or 30 in a row, that’s abnormal for that person,” he said. “We can actually assign normality and abnormality at the entity level.”
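The entity-level baseline Farmer describes can be sketched in a few lines. The following is an added illustration, not Splunk's code or anything from the article: it scores constructed sshd-style log lines for the current window against each user's own history of failed-login counts, using a mean-plus-deviation threshold with a floor (the threshold rule, the sample history and the log lines are all assumptions made for the example).

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed per-user history: failed-login counts seen in each of the last
# six Monday-morning windows. Not real data.
HISTORY = {
    "alice": [3, 4, 3, 4, 3, 4],   # three or four failures is normal for alice
    "bob":   [0, 0, 1, 0, 0, 0],   # bob almost never fails
}

# Constructed auth-log lines for the current window (sshd-style, made up).
CURRENT_WINDOW = [
    "Mon 08:02:11 host sshd[1201]: Failed password for alice from 10.0.0.5",
    "Mon 08:02:15 host sshd[1201]: Failed password for alice from 10.0.0.5",
    "Mon 08:02:19 host sshd[1201]: Failed password for alice from 10.0.0.5",
    "Mon 08:02:25 host sshd[1201]: Accepted password for alice from 10.0.0.5",
] + ["Mon 08:15:00 host sshd[1305]: Failed password for bob from 10.0.0.9"] * 25

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def count_failures(lines):
    """Count failed-login events per user in the given log lines."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def threshold(history, k=3.0, floor=3):
    """Entity-level limit: mean plus k standard deviations, but never less than
    `floor` above the mean, so a near-constant history (tiny sigma) does not
    flag an ordinary one-off mistake."""
    return mean(history) + max(k * pstdev(history), floor)


def score_window(lines, history=HISTORY):
    """Return {user: (observed, threshold, abnormal)}; users with no baseline
    are reported as unscored (threshold and abnormal are None)."""
    result = {}
    for user, observed in count_failures(lines).items():
        if user not in history:
            result[user] = (observed, None, None)
            continue
        limit = threshold(history[user])
        result[user] = (observed, round(limit, 2), observed > limit)
    return result


if __name__ == "__main__":
    for user, (seen, limit, abnormal) in score_window(CURRENT_WINDOW).items():
        print(f"{user}: {seen} failures, threshold {limit}, abnormal={abnormal}")
```

With these inputs alice's three failures sit well under her threshold of 6.5, while bob's 25 in a row exceed his threshold of about 3.2 and are flagged, even though the same count would be unremarkable for a noisier account.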

Splunk itself allows flexibility in how users deploy its analytics tools, Farmer said. The company offers both a managed cloud and an on-premises version, for organizations that want it to run on their own hardware. The cloud version has received FedRAMP moderate and high certification, he said.

Regardless of configuration, “at its core, Splunk gives you visibility into your data,” Farmer said. “Specifically in the security space and in zero trust, visibility is king.”

Discover more articles and videos now on Federal News Network’s Accelerate Together: Zero Trust 2025 event page.

Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
