Financial services company Novuna has turned to Splunk to unlock major cost savings and reduce unnecessary strain on IT staff.
A fast-growing firm based in Staines, Novuna has a small but dedicated information security team that monitors application performance. As the company has grown, it’s had to adapt to exponentially rising security logs and visibility challenges to ensure its services remain stable and resilient against threat actors.
While at Splunk .conf24, held in Las Vegas, ITPro spoke to Ian Stacey, group head of InfoSec at Novuna and Callum Taylor, product owner for Splunk at Novuna, to explore how the organization’s shift to Splunk has improved its automation strategy.
“Our [security operations center] (SOC) consists of three people,” Stacey tells ITPro. “We got to a point where we were thinking, ‘We either have to grow this team almost exponentially’, as the log sources and the use cases were growing, or we look at doing a little bit more in terms of automation.”
When Stacey joined Novuna, its IT department was already using Splunk for application management and its risk team was using a different security information and event management (SIEM). One of his first acts in the role was to question why the firm was using two different platforms – having used Splunk previously and with a good grasp on its SIEM capabilities, he moved to adopt Splunk for his team too.
“It’s been a lot more than a project, more and more it's a program,” says Stacey. “And that's what it should be, it's a big strategic platform for us, to say it's a project would definitely not do it justice.”
Embracing the Splunk ecosystem
Novuna moved to Splunk Cloud at the start of 2020, with Stacey noting that he spent his first 18 months at the firm building a team to fit. Building on this successful transition, the firm has now adopted Splunk Enterprise Security for logging and to take advantage of its security information and event management (SIEM) capabilities.
“We couldn't possibly have kept up with the volume that we're putting in there. So five different business units, they've all got their own systems, their own customer relationship managements (CRMs), their own ways of working. We’ve only got 1,800 employees, but for a small company we've got massive systems and a mass of data to ingest. We’re hybrid as well, so across more than one cloud, and we still have our own data center presence, so to bring all these in and get the outcomes that we were after, we needed to bring in automation.”
Moving further, Stacey and his team next integrated Splunk’s security orchestration, automation, and response (SOAR) capabilities, a process that Stacey describes as a “roaring success”.
Stacey says Novuna is ingesting five times more logs and fifteen times more alerts than before moving to Splunk, but its bill has stayed the same.
“They’re doing the same number of alerts today as they were three years ago, despite all that extra stuff that's gone into it. So it's definitely reducing the toil, it's definitely reducing the alert fatigue, the boredom.
“The guys on the team now are doing really interesting work with the setting up and the training of the automation. When an alert does come through, they’re different every single time and it's something to get your teeth into and it's an interesting investigation.”
Improved posture and a firm partner
As of 2024 Novuna has additionally adopted Splunk Attack Analyzer.
First onboarded in April, there was initial skepticism over how useful it would end up being. But Taylor tells ITPro that adding it on after already using Splunk Enterprise Security and Splunk SOAR was a smooth process – and one that is already helping improve security oversight.
“Because now we can run a lot more through to see ‘Is this attack actually something to worry about?’, but able to enrich all of our use cases which have URLs, domains in them,” Taylor notes. Both he and Stacey are full of praise for the treatment they’ve received from Splunk throughout the interview – and not just, as Stacey notes, because they’re at a Splunk conference.
“We couldn't have done this on our own, we're a small team and we've had great support as well on that journey,” Stacey tells ITPro, adding that Splunk has always felt like a partner rather than a supplier.
“They're absolutely vital to us succeeding, so yeah with that resource that we've had as well, we've accelerated the journey.”
Having already invested so much time hiring and building his team, Stacey tells ITPro “I don’t want to be going back on that merry-go-round”. He says he’s now targeting wider automation and ensuring his staff are free to focus on valuable work rather than toiling away on ticket after ticket.
“We couldn't have done this on our own, we're a small team and we've had great support as well on that journey”
Ian Stacey, group head of InfoSec at Novuna
Novuna has saved more than $500,000 through its improved automation and processes and dodged a combined three years’ worth of manual event logging. The cost savings figure comes from a combination of license savings and the extra savings associated with automated security scans and logging.
“Every project that you go through you have to make a series of promises,” Stacey tells ITPro.
“‘This is what I'm going to do, this is when I'll do it by and we've been able to go back for all of our projects, all of our Splunk projects, and demonstrate that we've met that return on investment that we promised we would. And it's not just, we'll spend X, we'll give you X. It's X Plus a lot more as well. And we've continued to do that.
Taylor gives ITPro the example of Novuna’s web application scans across its infrastructure using Splunk SOAR, which has come at no additional cost.
“We were going to have to do an uplift to be able to do that capability, but with the help of Splunk SOAR we didn’t need it,” he says, adding that the time to set up scans has dropped from 10-20 minutes to just a few minutes.
Along with the cost and security gains here, Stacey notes that Novuna has benefitted from greater resilience and consequently a more confident relationship with its IT team.
“It’s quite resource intensive, setting up a fully detailed, authenticated web app scan, closing it down, taking it back up again,” he explains. “It's quite high risk. You get that wrong and you can knock a service over.”
Establishing a strategy for success
Asked if he has any advice for his peers in the sector, Stacey says that firms have “got to do this” but will need a long-term plan in place for the visibility of their estate.
“I would strongly encourage them to do it in the iterative approach that we've done.
“Don't try to deliver everything overnight. I think you have to identify your priority and go from there and not just in terms of modules – ES, SOAR, Attack Analyzer – but also the systems that you’re putting into it.”
Although Novuna has 40-50 critical systems, Stacey and his team started with only the most important 10 at first to avoid spreading their resources too thinly. He says that others in his position will need to do the same, prioritizing getting those most important services to 100% completion.
“Once you've got that value demonstrated, you get buy-in from those that really matter. When I went back and said I need a bit more licensing for the next 20 services, I heard ‘Yeah, yeah, love what you’re doing here it is’ and there wasn’t that financial pushback because they saw straight away that value.”
Taylor adds that Novuna benefited greatly from early work with Splunk to establish two to three-year plans. This allows the firm to regularly revisit its targets and check that it’s on course to meet its internal goals.
Intelligent automation on the horizon
In the future, Novuna will be pursuing Splunk Attack Analyzer in more depth, which Stacey says is “frighteningly exciting” as the solution brings with it a range of options.
“At the moment, we’re in the process of looking at when users report phishing emails, having it so they automatically go to Attack Analyzer,” Taylor explains. “It’s more from a learning perspective, to see what type of attacks are targeting the business and how we can protect the business against these. Is it a learning curve? Can we do phishing simulations to help users not click links?”
Both Stacey and Taylor are also looking at Splunk’s observability offerings, with a mind to bring IT resilience and security teams.
“From a business point of view, it's the same problem: is my system working or not,” Stacey says.
“They don't care whether it's a security issue or a badly configured change, is it running? And I think there's a real opportunity and I’d have perhaps not thought about it without coming here this week. It was a real opportunity for us to consolidate those two pieces and give our business an even better service than we're giving them today.”
Stacey adds that even though firms in the financial services space tend to be more conservative on big changes, he’s been “inspired” by the AI announcements at Splunk .conf24. Comparing AI adoption with the move to cloud 15 years ago, he argues that there’s an imperative to get to grips with AI now:
“Our adversaries are going to be doing it, aren’t they? So we either get on board with it, find ways to use it safely, securely, efficiently, or we get left behind.”
He adds that AI can help tackle the constant increase in logs and use cases, provided it is tested thoroughly and clear guardrails are established.
