Across mission networks and insider risk programs, practitioners are shifting from reactive firefighting to proactive, risk-aware operations, elevating signal over noise so leaders can act faster and with more confidence.

Cpl. Robert Lukaszewicz of the United Kingdom’s Royal Air Force (RAF) set the tone with a “digital battlefield” frame at the recent Splunk .conf25 in Boston. “We operate on a digital battlefield, with the ability to interpret this data as the difference between triumph and failure,” he said.

Lukaszewicz described where the RAF’s network operations team was just two years ago: To create a network operations center (NOC) report for distribution at 4 p.m. every day, “We were chasing tickets. We were chasing phone calls from our deployments … and multiple different systems,” and if a problem arose at one minute after 4 p.m., “no one from senior management would know about it before four o’clock the next day.”

The team already had a small Splunk infrastructure in place for logs and compliance. To move from reactive to proactive operations, the network operations team pushed all of its network data streams into Splunk and implemented IT Service Intelligence (ITSI) for a comprehensive view of system health in a single pane of glass, plus artificial intelligence-enabled predictive alerting and automated remediation.

Now, the manual daily NOC report is a live, self-service dashboard: “We do not touch the NOC report … because it’s live, the people who need it … can log in, check it live and see the right information at the right time … [so] battlefield decisions [can] be made,” Lukaszewicz said.

He shared another real-world payoff: During an overseas deployment with scarce bandwidth, ITSI’s Deep Dive tool identified a CPU process hogging 80 percent – it was the network operations team’s own metric collector running too frequently. “We were … denial of service[ing] our own system,” he said. The fix: Raise collection intervals and increase the CPU size in future builds so the problem never happens again.

Beyond the tech, Lukaszewicz flagged a lesson in adoption: “It’s easy for us to sell ITSI to technicians … but to non-technical leaders, it wasn’t an easy sell. … In hindsight, we should have built the dashboards and ITSI alongside together.”

Reported outcomes from the ITSI implementation include five-times faster mean time to detection and seven systems consolidated to one.

“We’re solving faults before deployments know they have faults … We get less tickets, we get less phone calls, we get less emails,” Lukaszewicz concluded.

In insider-threat detection, the emphasis shifts to finding meaning in human and endpoint “noise” before it becomes an incident. In the government, agencies do a good job of ferreting out “known bads,” noted Damien Weiss, a national security defense strategist at Splunk. The challenge, he said, is “getting as left of that problem as possible. … We need data to understand what a person’s behaviors are, what their norms are, and when they start to make those deviations from those patterns, then we can start to get ahead of the problem a little bit.”

Splunk’s security information and event management solution, Enterprise Security, “is fantastic for finding those small behaviors in the beginning,” Weiss noted, adding, “We kind of overlook the smaller [things] … We’re always looking for, ‘Hey, [did you] download 17 terabytes …?’”

Beyond data exfiltration, sabotage, and the like, insider threat programs incorporate user behavior analytics (UBA) to identify activity that could result in harm to personnel, Danny Everhard observed, relaying an incident in which the online and in-person behavior of a top agency performer suddenly changed. Splunk UBA signals and contextual cues helped stop a potential self-harm event: “Small little things … could lead up to a bigger [incident] … Splunk UBA was able to help them find that out,” said Everhard, a senior solutions engineer at Splunk.

Luis Rivera, head of network system engineering and data security at the Department of Defense, highlighted another challenge: how fast user-side tools evolve, citing a cheap device recently offered on Kickstarter that is “almost like an RDP session.” The takeaway: controls must be “general enough to catch the potential adversary,” including the unwitting insider.

Across defense and civilian applications, the insider threat and mission assurance playbooks were consistent: expand the data aperture; correlate small signals into risk-based stories; build live views that leadership can act on; and design for changes in networks, missions, and human behavior.
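The baselining idea Weiss describes (learn each person's norms, then watch for deviations) and the playbook step of correlating small signals into risk-based stories can be illustrated with a short risk-scoring routine. This is an added example, not code from Splunk, the RAF, or the DoD; the users, signal names, per-day counts, deviation bands and point values are all constructed for the illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from any real system): seven days of per-user
# counts for a few low-level signals, plus the day being scored.
BASELINE = {
    "alice": {"after_hours_logins": [0, 1, 0, 1, 1, 1, 0],
              "usb_mounts":         [0, 1, 1, 0, 1, 0, 1],
              "mb_uploaded":        [20, 25, 22, 18, 24, 21, 23]},
    "bob":   {"after_hours_logins": [2, 3, 2, 2, 3, 2, 3],
              "usb_mounts":         [0, 0, 0, 0, 0, 0, 0],
              "mb_uploaded":        [50, 55, 48, 52, 50, 53, 49]},
    "carol": {"after_hours_logins": [1, 1, 1, 1, 1, 1, 1],
              "usb_mounts":         [0, 0, 0, 0, 0, 0, 0],
              "mb_uploaded":        [30, 31, 29, 30, 32, 28, 30]},
}
TODAY = {
    "alice": {"after_hours_logins": 2, "usb_mounts": 2, "mb_uploaded": 27},
    "bob":   {"after_hours_logins": 3, "usb_mounts": 0, "mb_uploaded": 51},
    "carol": {"after_hours_logins": 1, "usb_mounts": 0, "mb_uploaded": 5000},
}

SMALL_Z, LARGE_Z = 2.0, 3.0      # deviation bands, in standard deviations
SMALL_PTS, LARGE_PTS = 1, 4      # risk points awarded per band (assumed values)
ALERT_AT = 3                     # cumulative points that open a review
SD_FLOOR = 0.5                   # keeps near-constant baselines from inflating z

def zscore(history, value):
    """Deviation of today's value from the user's own baseline, in std devs."""
    sd = max(pstdev(history), SD_FLOOR)
    return (value - mean(history)) / sd

def risk_story(user):
    """Return (total_points, contributing signals) for one user."""
    points, story = 0, []
    for signal, value in TODAY[user].items():
        z = zscore(BASELINE[user][signal], value)
        pts = LARGE_PTS if z >= LARGE_Z else SMALL_PTS if z >= SMALL_Z else 0
        if pts:  # small deviations accumulate; one large one alerts on its own
            points += pts
            story.append((signal, round(z, 2), pts))
    return points, story

def users_to_review():
    """Users whose accumulated deviations cross the review threshold."""
    return sorted(u for u in TODAY if risk_story(u)[0] >= ALERT_AT)

if __name__ == "__main__":
    for user in TODAY:
        print(user, risk_story(user))
```

Run as written, alice is flagged by three individually minor deviations that add up, carol by a single large upload, and bob is not flagged at all.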

For federal IT leaders, the message was: Don’t fight the noise. Instrument it, correlate it, and turn it into decisions.

MeriTalk Staff